A breach does not need to originate inside your client's organization to cause material damage. That's the lesson emerging from recent reporting that Crunchyroll is investigating a cyber incident linked to a compromised customer support environment.
According to BleepingComputer, attackers allegedly accessed systems used by support agents, including Zendesk, Google Workspace, Jira Service Management, and Slack, and claimed to have extracted millions of support records, including millions of unique email addresses.
The expanding risk of outsourced operations
The mechanics of the breach are familiar. A single compromised account, likely tied to a support function, provided a pathway into systems containing sensitive customer data. What is changing is where those accounts sit, and a pattern that extends beyond any single incident.
The Crunchyroll case is not isolated. The same reporting references similar incidents affecting organizations such as Clorox, Discord, Marks & Spencer, and Co-op, where attackers leveraged third-party access or outsourced support environments.
And these are only the incidents that become public. In many cases, breaches involving third-party providers remain undisclosed or are only partially understood, particularly where attribution and responsibility are shared across multiple organizations.
For partners and service providers, this reflects a structural shift in how attackers approach your client's enterprise environments. Rather than targeting hardened corporate perimeters, they are increasingly looking for access through the extended workforce, contractors, support agents, and BPO environments that sit adjacent to core systems.
The Australian context, already tested
This is not a theoretical risk in Australia. Several high-profile organizations have experienced similar incidents where third-party or external environments were part of the attack path, including Telstra, Qantas, and Latitude Financial. While the specifics vary, the common theme is consistent. Sensitive data exposure did not always originate from a direct compromise of core infrastructure, but from the broader ecosystem surrounding it.
For Australian businesses, particularly those operating across distributed teams and outsourced functions, this reinforces a critical point. The traditional perimeter no longer defines risk.
The hidden trade-off in BPO-led scale
Outsourcing delivers efficiency. It enables organizations to scale customer support, streamline operations, and reduce internal overhead. But it also introduces a less visible trade-off.
Every external agent with access to your client's systems effectively becomes part of their security posture. Their devices, their credentials, their workflows, and their training all influence your client's exposure.
In practice, this means your client's risk profile is no longer contained within their own IT environment. It is distributed across every supply chain partner and provider that interacts with their data.
For IT partners, MSPs, and resellers, this presents both a challenge and an opportunity. Customers are often unaware of how much access their outsourced providers actually hold, or how those access pathways are secured.
From procurement exercise to operational discipline
Third-party risk management has traditionally been treated as a procurement step. Vendor assessments, compliance checklists, and contractual obligations. That approach is no longer sufficient.
The current threat environment requires continuous visibility and control. Questions that once sat in onboarding documents now need to be revisited regularly:
- What level of access do outsourced agents have, and is it segmented appropriately?
- Are sessions monitored and recorded, particularly for privileged access?
- What endpoint protections are enforced on third-party devices?
- How are credentials secured, rotated, and monitored for misuse?
- How quickly can anomalous behaviour be detected and contained?
For partners, these are no longer technical questions alone. They are business risk questions that require clear, executive-level answers.
Why email remains central to third-party risk
Many of these compromise paths still begin with email.
Support agents, BPO staff, and outsourced teams are frequent targets for phishing, credential harvesting, and impersonation attacks. They often operate under time pressure, with high volumes of communication and limited context, making them particularly susceptible to well-crafted deception.
Once compromised, these accounts provide a trusted entry point into internal systems.
This is where traditional security controls often fall short. If a malicious email reaches a third-party user and credentials are captured, the attacker inherits legitimate access. For partners, this reinforces the importance of layered protection over and above native email security. Not just for internal users, but across the extended workforce operating within the tenant.
A shift in how partners should position risk
For the partner community, this is a moment to reframe the conversation with customers.
The question is no longer, “Are you protected?” It's, “Who else has access, and how is that access secured?”
BPOs, outsourced service desks, and third-party providers are now embedded in day-to-day operations. They are part of the business. And as a result, they are part of the attack surface. Helping customers understand and manage that reality is fast becoming a differentiator for IT partners.
Securing the extended enterprise
In the current climate, organizations with BPO arrangements should be taking a closer look at how those environments are secured. Not as a one-time review, but as an ongoing discipline.
Because attackers are not constrained by organizational charts or contractual boundaries. They will take the easiest path available. And increasingly, that path runs through the extended enterprise.
Keeping Businesses Safe and Secure
Prevention is always better than a cure, and one of the best defences is to encourage businesses to proactively boost their company’s cyber resilience levels to avoid threats landing in inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email, makes email an extremely important vector for businesses to fortify.
No one vendor can stop all email threats, so it’s crucial to remind customers that if they are using Microsoft 365 or Google Workspace, they should also have a third-party email security specialist in place to mitigate their risk. For example, using a specialist AI-powered email threat detection solution like MailGuard.
For a few dollars per staff member per month, businesses are protected by MailGuard's specialist, AI-powered zero-day email security. Special Ops for when speed matters! Our real-time zero-day, email threat detection amplifies your client’s intelligence, knowledge, security and defence.
MailGuard provides a range of solutions to keep businesses safe, from email filtering to email continuity and archiving solutions. Speak to your clients today to ensure they’re prepared and get in touch with our team to discuss fortifying your client’s cyber resilience.
Talk to us
MailGuard's partner blog is a forum to share information; we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.
Australian partners, please call us on 1300 30 65 10
US partners call 1888 848 2822
UK partners call 0 800 404 8993
