May 23, 2025

Sixteen Doors In: A Red Team Tale of Phishing, Certificates, and Domain Takeover

What happens when one phishing email opens sixteen different doors into a target’s environment?

In this real-world red team operation, our experts used minimal resources to simulate how an attacker could move from a single email to full domain takeover, without triggering a single alert.

This isn’t your average “we got in” story. It’s a step-by-step breakdown of how trust was exploited, certificates were abused, and identities were hijacked—all under the radar of traditional defenses. It’s a cautionary tale but also a blueprint for how defenders can start thinking like attackers before the real ones do.

Whether you’re in the SOC, on the blue team, or leading strategy, you’ll walk away with practical insights into what modern threats actually look like and how to close the doors before someone else walks through them.

Disclaimer: The scenarios and examples in this article are illustrative and may be fictional. Or they may not be.


Chapter 1: It All Began With a Forgotten Subdomain

You’d be surprised how often the story starts like this.

It was just a dusty old subdomain — feedback-old.financecorp.com. A relic of an internal tool, long forgotten, but still alive and humming quietly in the background. Hidden in its depths was a small misconfiguration — a developer’s .env file accidentally left exposed. Inside? A set of credentials.

It felt like we struck gold. An Office365 email account with what looked like valid access. Our adrenaline kicked in. But the excitement faded as fast as it arrived — it was only a shared inbox. No login access. No admin privileges.

Still, it gave us an idea.

MITRE Techniques:

  • TA0001 – Initial Access (this is the tactic; the techniques below sit under it)
  • T1190 – Exploit Public-Facing Application
  • T1552.001 – Unsecured Credentials: Credentials In Files
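An exposed .env file is trivial to check for from the outside, which is exactly why a forgotten host needs that check run against it before an attacker runs it. The script below is an added example for this post, not the red team's tooling: it probes each host in an inventory for /.env, decides whether the response body is really a dotenv file rather than a catch-all page that returns 200 for everything, and names the keys that look like credentials. The host list, the key-name patterns and the sample body are constructed placeholders.

```python
"""Check hosts from an asset inventory for an exposed .env file and report
which keys in it look like credentials. Added example for this post, not the
red team's tooling; the key-name patterns and SAMPLE_BODY are constructed."""
import re
import urllib.error
import urllib.request

# Assignment line as dotenv loaders accept it: optional 'export', then KEY=VALUE.
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
# Key names that usually hold a credential; extend for your own naming scheme.
SECRET_KEY = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.IGNORECASE)


def parse_dotenv(text: str) -> dict:
    """Parse KEY=VALUE lines, skipping comments and blanks, stripping matching quotes."""
    env = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def looks_like_dotenv(text: str) -> bool:
    """Some hosts answer 200 with an HTML page for any path; only treat the
    body as a .env file when nearly every non-comment line is an assignment."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    if not lines:
        return False
    hits = sum(1 for ln in lines if ENV_LINE.match(ln))
    return hits / len(lines) >= 0.8


def secret_keys(env: dict) -> list:
    """Keys whose name suggests a credential and whose value is not empty."""
    return sorted(k for k, v in env.items() if v and SECRET_KEY.search(k))


def probe(host: str, path: str = "/.env", timeout: float = 5.0) -> tuple:
    """Fetch https://host/path and return (exposed, credential-looking key names).
    Network errors count as 'not exposed' so a scan over a stale inventory
    keeps going past hosts that are finally dead."""
    req = urllib.request.Request(
        f"https://{host}{path}", headers={"User-Agent": "dotenv-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(64 * 1024).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        return False, []
    if not looks_like_dotenv(body):
        return False, []
    return True, secret_keys(parse_dotenv(body))


# Constructed body standing in for what a forgotten host might serve.
SAMPLE_BODY = """# application settings
APP_ENV=production
DB_HOST=db.internal
DB_PASSWORD='s3cr3t-value'
export MAIL_USER=feedback@financecorp.example
MAIL_PASSWORD="another-secret"
"""

if __name__ == "__main__":
    print("looks like .env:", looks_like_dotenv(SAMPLE_BODY))
    print("credential-looking keys:", secret_keys(parse_dotenv(SAMPLE_BODY)))
    # Live use: for host in hosts_from_inventory: print(host, probe(host))
```

The point of looks_like_dotenv is the false-positive case: a stale host behind a wildcard rewrite rule will happily return its login page for /.env, and a scanner that keys only on the status code will report every such host as exposed.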

Chapter 2: The Phishing Pivot — Meet “Rachel”

“When credentials give you lemons, make phishing emails.”

We created a convincing scenario: a financial director named “Rachel” sharing a sensitive internal file about changes to bonuses and payouts. We made the message look like a standard Office365 sharing email and sent it from the compromised shared mailbox, so it arrived from a genuine internal address rather than a look-alike domain.

145 employees received the message.

Only 16 responded.

But 16 was more than enough. We now had access to inboxes, documents, and calendar events. Some users even left helpful breadcrumbs, like VPN credentials, passwords reused across services, and unencrypted notes with sensitive information.

From just one crafted email, we now had real control.

[Image: fake Office365 share screenshot]

MITRE Techniques:

  • T1566.002 – Spearphishing Link
  • T1534 – Internal Spearphishing (sent from the compromised shared mailbox)

Chapter 3: From Cloud to Ground — The VPN Gateway

Here’s where things got interesting. Several of the harvested passwords also worked on the company’s VPN gateway, with nothing else standing between a phished password and the internal network. That meant one thing:

We were in.

From outside to inside — no firewall bypasses, no 0days, just human error and a good story. We were now inside the network, looking around. Old servers, a tangle of domain names, stale credentials, and wide-open internal services.

The doors weren’t locked. We just had to find the right hallway.

[Image: when your O365 creds unlock the castle gate]

MITRE Techniques:

  • T1133 – External Remote Services
  • T1078 – Valid Accounts

Chapter 4: The Crown Jewel — Certificates and Silent Control

Somewhere deep in the network, a quiet service had been left alone for too long: the Certificate Authority. More specifically, Active Directory Certificate Services (ADCS).

What we discovered next changed everything.

One of the templates used for issuing certificates had a fatal flaw. It allowed any regular domain user to request a certificate pretending to be someone else, even a domain admin. And not just request it: the CA issued it instantly, with no manager approval. In ADCS terms this is the combination that public research on the attack class catalogues as ESC1: the template lets the enrollee supply the subject name, its extended key usage permits client authentication, low-privileged principals hold enrollment rights, and neither manager approval nor an authorized signature is required.

It was like printing your own access badge… to the CEO’s office.

We used the access we had to request a certificate carrying a privileged account’s identity. Because the certificate asserts that identity, it can be exchanged for a Kerberos ticket for that account; no password is ever typed, so password-centred controls never fire. With this new certificate, we quietly walked into places no one ever expected us to reach: the domain controller, the heart of the company’s digital identity.

[Image: SOC watching 3389, while we use certificates to walk in]

MITRE Techniques:

  • T1649 – Steal or Forge Authentication Certificates
  • T1550 – Use Alternate Authentication Material (a certificate in place of a password)
  • T1482 – Domain Trust Discovery


Chapter 5: Why Fixing One Thing Wasn’t Enough

Just as we thought the excitement was over, we found another certificate template: different name, same kind of weakness. But this time the template object’s own permissions let our low-privileged account modify it.

We didn’t just find a vulnerability. We made our own.

By tweaking a few settings, the same ones that made the first template dangerous, we turned it into a brand-new backdoor that looked legitimate. No alerts. No flags. Just more silent power. This is the pattern usually labelled ESC4: write access to a template is equivalent to every flaw you can write into it, which is why fixing the first template alone would not have closed the door.

[Image: if you can’t find a vulnerable template, just create one]

MITRE Techniques:

  • T1649 – Steal or Forge Authentication Certificates (template rewritten to permit forging)
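Both template conditions from chapters 4 and 5 can be checked mechanically from the template objects in the Configuration partition. The code below is an added example, not the engagement’s tooling: it reads template records shaped like the LDAP attributes (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage and the object’s ACL) and reports the ESC1 combination and low-privileged write access (ESC4). The three template records, the domain SID and the template names are constructed; the attribute names, flag bits, EKU OIDs and the Certificate-Enrollment right GUID are the real schema values. A production version would pull the records over LDAP and expand group membership before deciding who counts as low-privileged.

```python
"""Flag certificate templates for the ESC1 pattern (low-privileged enrollee
picks the identity of a logon-capable certificate, no approval gate) and the
ESC4 pattern (low-privileged principal can rewrite the template). Added
example; records, SIDs and names are constructed, schema values are real."""

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # bit in msPKI-Enrollment-Flag (manager approval)
ENROLL_RIGHT = "0e10c968-78fb-11d1-a9c7-0000f80367c1"   # Certificate-Enrollment extended right
LOGON_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
WRITE_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "WriteProperty"}
WELL_KNOWN_LOW_PRIV = {"S-1-1-0", "S-1-5-11"}   # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515"}                  # Domain Users, Domain Computers

def is_low_priv(sid: str) -> bool:
    """Principals that amount to 'any domain account'. Expand group membership
    in a real audit; this only recognises the well-known SIDs and RIDs."""
    return sid in WELL_KNOWN_LOW_PRIV or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS

def permits_logon(ekus: list) -> bool:
    # An empty pKIExtendedKeyUsage means "all purposes", which includes logon.
    return not ekus or bool(LOGON_EKUS & set(ekus))

def grants_enroll(ace: dict) -> bool:
    """GenericAll implies every extended right; an ExtendedRight ACE with no
    object GUID grants all extended rights, enrollment included."""
    if "GenericAll" in ace["rights"]:
        return True
    return "ExtendedRight" in ace["rights"] and ace["object"] in ("", ENROLL_RIGHT)

def esc1_conditions(t: dict) -> list:
    """Conditions the template meets; ESC1 needs all five at once."""
    found = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        found.append("enrollee supplies subject/SAN")
    if not (t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS):
        found.append("no manager approval")
    if t["msPKI-RA-Signature"] == 0:
        found.append("no authorized signature required")
    if permits_logon(t["pKIExtendedKeyUsage"]):
        found.append("EKU permits authentication")
    if any(grants_enroll(a) and is_low_priv(a["sid"]) for a in t["aces"]):
        found.append("low-privileged principals can enroll")
    return found

def is_esc1(t: dict) -> bool:
    return t["published"] and len(esc1_conditions(t)) == 5

def is_esc4(t: dict) -> bool:
    """Write access for a low-privileged principal: they can add the missing
    ESC1 conditions themselves, which is what chapter 5 describes."""
    return any(is_low_priv(a["sid"]) and bool(a["rights"] & WRITE_RIGHTS) for a in t["aces"])

def audit(templates: list) -> dict:
    """Map template name -> list of findings (empty when clean)."""
    report = {}
    for t in templates:
        findings = []
        if is_esc1(t):
            findings.append("ESC1: " + "; ".join(esc1_conditions(t)))
        if is_esc4(t):
            findings.append("ESC4: low-privileged principal holds write rights")
        report[t["name"]] = findings
    return report

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
DOMAIN_USERS, DOMAIN_ADMINS = DOMAIN + "-513", DOMAIN + "-512"
CLIENT_AUTH, SERVER_AUTH = "1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"

def ace(sid, *rights, obj=""):
    return {"sid": sid, "rights": set(rights), "object": obj}

def tmpl(name, name_flag, enroll_flag, ekus, aces, ra_sig=0, published=True):
    return {"name": name, "published": published, "msPKI-Certificate-Name-Flag": name_flag,
            "msPKI-Enrollment-Flag": enroll_flag, "msPKI-RA-Signature": ra_sig,
            "pKIExtendedKeyUsage": ekus, "aces": aces}

# Constructed records shaped like the objects under
# CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=...
TEMPLATES = [
    tmpl("UserSigningLegacy", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, [CLIENT_AUTH],
         [ace(DOMAIN_USERS, "ExtendedRight", obj=ENROLL_RIGHT), ace(DOMAIN_ADMINS, "GenericAll")]),
    tmpl("LegacyVPN", 0, CT_FLAG_PEND_ALL_REQUESTS, [CLIENT_AUTH],
         [ace(DOMAIN_USERS, "ExtendedRight", obj=ENROLL_RIGHT), ace("S-1-5-11", "WriteProperty"),
          ace(DOMAIN_ADMINS, "GenericAll")]),
    tmpl("WebServer", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, [SERVER_AUTH],
         [ace(DOMAIN_USERS, "ExtendedRight", obj=ENROLL_RIGHT), ace(DOMAIN_ADMINS, "GenericAll")]),
]

if __name__ == "__main__":
    for name, findings in audit(TEMPLATES).items():
        print(name, "->", findings or "clean")
```

LegacyVPN is the chapter 5 case: it has manager approval switched on and does not let the enrollee choose the subject, so an ESC1-only audit passes it, yet the WriteProperty ACE for Authenticated Users means any user can flip both settings back. WebServer shows the other direction: enrollee-supplied subject with no approval is harmless on its own as long as the EKU cannot be used to log on.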

Chapter 6: Lessons From the Shadows

This story isn’t about one big hack. It’s about how small, forgotten things — a subdomain, a shared inbox, a certificate template — can combine into something much bigger.

What started with a feedback form ended with full domain control. No malware. No exploit kits. Just strategy, and understanding how people and systems really work.

But there’s a deeper takeaway here — even more important than the technical path.

The client had a well-funded security program, including:

  • A modern SOC
  • Industry-leading EDR
  • Strong identity controls

…and yet we still walked in silently.

The reason? Not the tools, but how they were used. Alerts weren’t tuned for certificate abuse, so a certificate issued to an ordinary user but carrying a privileged account’s name looked like routine enrollment. Legacy assets weren’t tracked. Controls assumed that passwords were the only path to privilege, and a certificate is a second path that MFA and password policy never see.

This engagement showed why regular red team testing isn’t just helpful — it’s essential. It also highlighted the growing need for Managed Detection & Response (MDR) services and operators who truly understand attacker behavior, not just dashboards.

Security isn’t about collecting tools. It’s about having the right people behind them — the kind who can see beyond alerts, understand the tactics attackers use, and respond before real damage is done. That’s where a trusted MDR provider makes the difference. Our job isn’t just to plug in tools — it’s to operationalize them. To help you see what matters. To tune detections to your real risk. Otherwise, you don’t have security — you have a dashboard full of noise and a castle full of locks… with all the keys lying around.

What You Should Do Now

  • Review all certificate templates. Unpublish or delete the ones nobody uses; every published template is attack surface.
  • Remove the “Supply in the request” (enrollee-supplies-subject) setting from any template whose EKU allows authentication, or restrict enrollment on such templates to the specific accounts that need them.
  • Require CA certificate manager approval, or an authorized signature, for sensitive certificate issuance.
  • Audit who can write to template objects. Write rights for low-privileged principals let an attacker turn a clean template into a vulnerable one.
  • Turn on CA auditing (the Audit Certification Services subcategory plus the CA’s AuditFilter registry value) and alert on template changes and on issued certificates whose identity differs from the requester’s.
  • Keep an inventory of exposed assets. Even the old ones.
  • Invest in MDR or expert-led blue teams who understand threats.
  • Validate your defenses with regular offensive simulations.
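Tuning for certificate abuse means watching the CA’s own audit trail rather than port 3389. The detector below is an added example, not the client’s or UnderDefense’s SOC content: it runs three rules over constructed CA audit records and flags an issued certificate whose identity is not the requester’s, a SAN smuggled in through request attributes, and any template change by a non-administrator. The event IDs are the real Audit Certification Services events; the SanUpn field, the user r.miller and the request numbers are constructed, and in a real pipeline the UPN would be pulled from the issued certificate because event 4887 itself does not carry it.

```python
"""Detection rules for the certificate path in the story, run over constructed
CA audit records. Added example, not the client's SOC content. Event IDs are
the real Audit Certification Services events (4886 request received, 4887
certificate issued, 4899 template updated, 4900 template security updated).
'SanUpn' is assumed to be added by the pipeline from the issued certificate."""
import re

# 'san:' as a request attribute, on its own line or after a separator.
SAN_ATTRIBUTE = re.compile(r"(?:^|[\s,;])san:", re.IGNORECASE)


def identity_key(name: str) -> str:
    """Reduce 'DOMAIN\\user', 'user@domain' or 'user' to lower-case 'user'.
    Caveat: a UPN prefix can differ from sAMAccountName; resolve both through
    AD in production instead of string-matching."""
    name = name.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def evaluate(event: dict) -> list:
    """Return (severity, reason) tuples for one CA audit record."""
    eid, alerts = event["EventID"], []
    if eid == 4886 and SAN_ATTRIBUTE.search(event.get("Attributes", "")):
        # A SAN passed as a request attribute is only honoured when the CA has
        # EDITF_ATTRIBUTESUBJECTALTNAME2 set; normal enrollment never sends one.
        alerts.append(("high", f"request {event['RequestId']} supplies a SAN via request attributes"))
    if eid == 4887:
        san = event.get("SanUpn")
        if san and identity_key(san) != identity_key(event["Requester"]):
            alerts.append(("critical",
                           f"request {event['RequestId']}: {event['Requester']} obtained a "
                           f"certificate for {san} from template {event.get('Template', '?')}"))
    if eid in (4899, 4900):
        what = "settings" if eid == 4899 else "security descriptor"
        alerts.append(("medium", f"template {event['Template']} {what} changed by {event['Actor']}"))
    return alerts


def run(events: list) -> list:
    return [alert for event in events for alert in evaluate(event)]


# Constructed records carrying the fields the rules above read.
SAMPLE_EVENTS = [
    {"EventID": 4886, "RequestId": 1041, "Requester": "FINANCECORP\\r.miller",
     "Attributes": "CertificateTemplate:User"},
    {"EventID": 4887, "RequestId": 1041, "Requester": "FINANCECORP\\r.miller",
     "Template": "User", "SanUpn": "r.miller@financecorp.com"},
    # ESC1-style request: the SAN lives in the CSR, so 4886 looks normal and
    # only the issued certificate reveals the mismatch.
    {"EventID": 4886, "RequestId": 1042, "Requester": "FINANCECORP\\r.miller",
     "Attributes": "CertificateTemplate:UserSigningLegacy"},
    {"EventID": 4887, "RequestId": 1042, "Requester": "FINANCECORP\\r.miller",
     "Template": "UserSigningLegacy", "SanUpn": "administrator@financecorp.com"},
    # SAN smuggled through request attributes instead of the CSR.
    {"EventID": 4886, "RequestId": 1043, "Requester": "FINANCECORP\\r.miller",
     "Attributes": "CertificateTemplate:User\nsan:upn=administrator@financecorp.com"},
    # Template rewritten by a non-admin: the chapter 5 scenario.
    {"EventID": 4899, "Template": "LegacyVPN", "Actor": "FINANCECORP\\r.miller"},
]

if __name__ == "__main__":
    for severity, reason in run(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```

The first rule is the one that would have caught chapter 4: the request itself looks ordinary, and only comparing the requester on 4887 with the identity inside the issued certificate exposes it. None of this fires unless CA auditing is actually enabled, which is why it sits in the action list above.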

Stay tuned for part two: how we moved laterally, built persistence, and exfiltrated data undetected.

1. What is a phishing attack?

A phishing attack is a form of cybercrime where attackers impersonate legitimate entities—usually via email, messaging apps, or fake websites—to trick individuals into revealing sensitive information such as passwords, credit card numbers, or login credentials.

2. How can I recognize a phishing email?

Look for red flags such as unexpected requests for personal information, urgent or threatening language, misspellings, unfamiliar email addresses, and suspicious links or attachments.

3. Are phishing attacks only carried out through email?

No. While email is the most common vector, phishing can also happen via SMS (smishing), phone calls (vishing), social media messages, and fake websites.

4. What should I do if I clicked a phishing link?

Do not enter any details on the page. If you already did, change that password right away and turn on MFA. Run a malware scan and tell your IT/security team so they can block the link and watch for any misuse.

5. Can phishing lead to ransomware attacks?

Yes. Many ransomware infections begin with phishing emails that trick users into downloading malicious attachments or clicking harmful links.
