Company
Date Published
Author
Google
Word count
2460
Language
English
Hacker News points
None

Summary

CrowdStrike's investigation into a phishing campaign targeting a healthcare-sector client illustrates the difficulty of analyzing cloud-based intrusions: evidence had to be fused from several networks and log sources to build a single, comprehensive event timeline. Although the attack was technically simple, the adversary was effectively anti-forensic. Armed with legitimate credentials, they logged into victims' mailboxes, erased traces of their activity, and used each compromised inbox as a platform for further attacks. To separate attacker activity from the account owner's, the investigators applied pattern-of-life analysis and least-frequency-of-occurrence analysis, concentrating on anomalies in logon times and in the devices used. The key data sources were Google's admin audit and account-activity logs, which surfaced the suspicious logons and corroborated them with metadata on unusual account activity. The investigation concluded with high confidence that the attacker accessed the account, performed clean-up operations, and did not propagate the attack by sending email during the breach period. The case underscores the value of combining multiple log sources to reconstruct a high-confidence timeline in phishing investigations.
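The following is an added illustration, not code from CrowdStrike or from the original post, of the two techniques the summary names: least-frequency-of-occurrence scoring over a per-user pattern-of-life baseline, followed by fusing a second log source into a single timeline around each flagged logon. The input records are constructed for the example; their field names (`time`, `user`, `ip`, `ua`, `event`) are a simplified, assumed schema rather than the real Google Workspace audit-log format, and the thresholds (`rare_threshold`, `min_baseline`, the two-hour logon window, the 60-minute fusion window) are assumed tuning values.

```python
"""Least-frequency-of-occurrence (LFO) triage of logons plus timeline fusion.

Constructed example. Field names are a simplified, assumed schema, not the
real Google Workspace audit-log layout; thresholds are illustrative.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _login(t, user, ip, ua, result="login_success"):
    return {"time": t, "user": user, "ip": ip, "ua": ua, "event": result}


# Constructed login events (first log source). Alice has a steady daytime
# pattern from one IP and browser, then one very different logon at 03:15 UTC.
LOGIN_EVENTS = [
    _login("2023-03-01T08:02:11Z", "alice@example.com", "203.0.113.10", "Chrome/Windows"),
    _login("2023-03-01T13:40:00Z", "alice@example.com", "203.0.113.10", "Chrome/Windows"),
    _login("2023-03-02T09:15:33Z", "alice@example.com", "203.0.113.10", "Chrome/Windows"),
    _login("2023-03-02T16:05:20Z", "alice@example.com", "203.0.113.10", "Chrome/Windows"),
    _login("2023-03-03T10:11:00Z", "alice@example.com", "203.0.113.10", "Chrome/Windows"),
    _login("2023-03-03T14:55:09Z", "alice@example.com", "203.0.113.10", "Chrome/Windows"),
    _login("2023-03-06T09:00:45Z", "alice@example.com", "203.0.113.10", "Chrome/Windows"),
    _login("2023-03-06T15:30:12Z", "alice@example.com", "203.0.113.10", "Chrome/Windows"),
    _login("2023-03-06T17:48:00Z", "alice@example.com", "203.0.113.10", "Chrome/Windows"),
    _login("2023-03-07T03:14:30Z", "alice@example.com", "198.51.100.77", "Firefox/Linux", "login_failure"),
    _login("2023-03-07T03:15:02Z", "alice@example.com", "198.51.100.77", "Firefox/Linux"),
    _login("2023-03-01T09:30:00Z", "bob@example.com", "203.0.113.22", "Chrome/macOS"),
    _login("2023-03-02T09:31:10Z", "bob@example.com", "203.0.113.22", "Chrome/macOS"),
    _login("2023-03-03T09:29:55Z", "bob@example.com", "203.0.113.22", "Chrome/macOS"),
]

# Constructed account-activity events (second log source), e.g. mailbox
# clean-up actions recorded separately from the logon records.
ACCOUNT_EVENTS = [
    {"time": "2023-03-02T09:20:00Z", "user": "alice@example.com", "event": "create_filter", "detail": "label newsletters"},
    {"time": "2023-03-07T03:21:40Z", "user": "alice@example.com", "event": "trash_messages", "detail": "3 messages moved to Trash"},
    {"time": "2023-03-07T03:24:05Z", "user": "alice@example.com", "event": "create_filter", "detail": "auto-delete mail from security@"},
]


def build_profiles(events):
    """Pattern-of-life baseline per user: how often each IP, user agent and
    logon hour occurs across that user's successful logons."""
    profiles = defaultdict(lambda: {"ips": Counter(), "uas": Counter(), "hours": Counter(), "n": 0})
    for e in events:
        if e["event"] != "login_success":
            continue
        p = profiles[e["user"]]
        p["ips"][e["ip"]] += 1
        p["uas"][e["ua"]] += 1
        p["hours"][parse_time(e["time"]).hour] += 1
        p["n"] += 1
    return profiles


def score_login(e, profiles, rare_threshold=0.1, min_baseline=5):
    """LFO scoring: an attribute is suspicious when it accounts for at most
    rare_threshold of the user's logons. Hour-of-day uses a +/-2h window so a
    daytime user is not flagged for a single 08:00 logon among 09:00 ones.
    Users with fewer than min_baseline logons are not scored (no baseline)."""
    p = profiles.get(e["user"])
    if p is None or p["n"] < min_baseline:
        return []
    reasons = []
    if p["ips"][e["ip"]] / p["n"] <= rare_threshold:
        reasons.append(f"ip {e['ip']} seen in {p['ips'][e['ip']]}/{p['n']} logons")
    if p["uas"][e["ua"]] / p["n"] <= rare_threshold:
        reasons.append(f"user agent {e['ua']} seen in {p['uas'][e['ua']]}/{p['n']} logons")
    hour = parse_time(e["time"]).hour
    nearby = sum(p["hours"][(hour + d) % 24] for d in range(-2, 3))
    if nearby <= 1:  # only this logon falls in the surrounding two-hour window
        reasons.append(f"hour {hour:02d} UTC is outside the user's usual logon window")
    return reasons


def triage(events, rare_threshold=0.1, min_baseline=5):
    """Return the successful logons that deviate from their owner's baseline."""
    profiles = build_profiles(events)
    flagged = []
    for e in events:
        if e["event"] != "login_success":
            continue
        reasons = score_login(e, profiles, rare_threshold, min_baseline)
        if reasons:
            flagged.append({"time": e["time"], "user": e["user"], "ip": e["ip"], "reasons": reasons})
    return flagged


def fuse_timeline(flagged, other_events, window_minutes=60):
    """Data fusion: attach events from a second source that the same user
    generated within window_minutes after a flagged logon, and return one
    time-ordered timeline tagged by source."""
    window = timedelta(minutes=window_minutes)
    timeline = []
    for f in flagged:
        start = parse_time(f["time"])
        timeline.append({"time": f["time"], "source": "login", "user": f["user"],
                         "summary": f"logon from {f['ip']}: " + "; ".join(f["reasons"])})
        for o in other_events:
            t = parse_time(o["time"])
            if o["user"] == f["user"] and start <= t <= start + window:
                timeline.append({"time": o["time"], "source": "account", "user": o["user"],
                                 "summary": f"{o['event']}: {o['detail']}"})
    return sorted(timeline, key=lambda x: parse_time(x["time"]))


if __name__ == "__main__":
    for entry in fuse_timeline(triage(LOGIN_EVENTS), ACCOUNT_EVENTS):
        print(entry["time"], entry["source"], entry["user"], entry["summary"])
```

The failed logon at 03:14 is deliberately excluded from both the baseline and the scoring so that an attacker's own failed attempts cannot dilute the owner's profile; in a real investigation it would still be recorded on the timeline as supporting context. The 60-minute fusion window is the step that lets a lone anomalous logon be read together with the clean-up actions that followed it, which is the corroboration the summary describes.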