CASE STUDY

How 10,000 Employees Responded to an Attack Simulation: Exposing Human and Technical Gaps 

Background

Our client is a leading food production company in the United States. With 10,000 employees on board, they generate $6 billion in annual revenue. As one of the largest healthy food producers, they export worldwide and hold a strong reputation in the market.

The business cares about trust and must protect its operations to stay ahead of the competition. The leaders understand that even the smallest cybersecurity gap can result in severe consequences, including reputational damage and financial losses. To reinforce their security posture, they hired our red team to cooperate with their blue team to conduct a purple team assessment.

Given the size of the company, they also wanted to assess the cybersecurity awareness of their employees. The client asked us to simulate real-world phishing attacks to uncover any human-factor risks and technical vulnerabilities.

The Challenge

The client wasn’t sure about their defense strategies and needed to check whether their systems could withstand a cyberattack. Even though they had implemented advanced network security, endpoint protection, and a SOC, they were still concerned that sophisticated tactics might compromise the environment.

Our penetration testing specialists simulated an insider threat scenario by getting access to the client’s workstation through a standard user account. Pretending to be hackers, we needed to:

  • Bypass security mechanisms without triggering alarms.
  • Identify weaknesses in detection and response capabilities.
  • Evaluate SOC readiness under a real-world attack scenario. 

On top of that, the client needed to check the security awareness of their employees. With the help of a simulated social engineering attack, they wanted to test:

  • How likely employees were to click on malicious links.
  • Whether the team follows security policies when handling sensitive information.
  • The gap between the current security level and industry best practices.

About the client

Headquarters: Los Angeles, California
Industry: Food Production
Company Size: 10,000 employees

Key Results

  • Advanced attack methods slipped through the client’s defenses undetected. 
  • The SOC overlooked critical issues, exposing weaknesses in monitoring and response. 
  • 107 employees clicked on phishing messages. 
  • Email security tools failed to filter out malicious messages. 
  • 40 workers unknowingly submitted their credentials to fake websites. 
  • Our team provided recommendations to address these vulnerabilities and prevent real breaches. 

The Solution

We executed a full-scope purple team assessment to emulate a targeted cyberattack. Here’s how we managed to bypass the client’s defenses and access their data:

Initial Access

Gained access to a domain-joined Windows workstation using a standard user account. Accessed the environment via VPN, simulating an insider threat scenario.

Bypassing Network Protections

Cloudflare was used to bypass proxy and NGFW filtering by tunneling traffic through HTTPS. This activity remained undetected by existing security systems.

Sandbox and Static Analysis Evasion

Neither Cortex XDR nor Palo Alto WildFire blocked known or custom tools. Even when behavioral alerts were generated, the files were not quarantined or removed.

Command & Control (C2) Channel

A C2 channel was established over HTTP and remained active for six days without any response from the SOC or network monitoring tools.

Privilege Escalation

An Active Directory Certificate Services (ADCS) ESC1 vulnerability was exploited to issue certificates with Domain Admin privileges.
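The ESC1 condition named above is a combination of template settings rather than a single flag. The following audit, written for this case study as an added example (it is not the red team's tooling or the client's code), evaluates certificate template records against those settings from the defender's side. The template records, the group names treated as low privileged, and the field names (`name_flag`, `ekus`, `enrollment_flag`, `ra_signatures`, `enroll_principals`) are constructed for the example; in a real audit the values would be read from the Certificate Templates container of the AD configuration partition and the enrollment ACLs resolved to group names first.

```python
# Added example (not from the case study): defender-side audit of AD CS
# certificate templates for the combination of settings behind ESC1.
# Template records below are CONSTRUCTED; in a real audit they come from the
# Certificate Templates container of the AD configuration partition.

# Bit in msPKI-Certificate-Name-Flag: the requester may supply the subject name.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag: every request is held for manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# Extended key usages that let a certificate authenticate a principal.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Groups treated as low privileged for enrollment rights (assumption: ACL SIDs
# have already been resolved to names by the caller).
LOW_PRIV_ENROLLERS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# All of these conditions together make a template ESC1-exposed.
ESC1_CONDITION_COUNT = 5


def esc1_conditions(template):
    """Return the ESC1 conditions this template satisfies (empty list = none)."""
    met = []
    if template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        met.append("requester supplies subject name")
    ekus = set(template["ekus"])
    if not ekus or ekus & AUTH_EKUS:  # no EKU restriction also permits client auth
        met.append("authentication-capable EKU")
    if not (template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS):
        met.append("no manager approval")
    if template["ra_signatures"] == 0:
        met.append("no authorized signature required")
    if LOW_PRIV_ENROLLERS & set(template["enroll_principals"]):
        met.append("low-privileged principals can enroll")
    return met


def is_esc1_exposed(template):
    return len(esc1_conditions(template)) == ESC1_CONDITION_COUNT


def audit(templates):
    """Map template name -> met conditions, for exposed templates only."""
    return {t["name"]: esc1_conditions(t) for t in templates if is_esc1_exposed(t)}


# CONSTRUCTED sample templates.
SAMPLE_TEMPLATES = [
    {   # Typical ESC1 shape: subject from request, client auth, any user can enroll
        "name": "LegacyWebAuth",
        "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "ekus": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
        "enrollment_flag": 0,
        "ra_signatures": 0,
        "enroll_principals": ["Domain Users"],
    },
    {   # Same template, but requests are held for manager approval -> not exposed
        "name": "LegacyWebAuthApproved",
        "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "ekus": ["1.3.6.1.5.5.7.3.2"],
        "enrollment_flag": CT_FLAG_PEND_ALL_REQUESTS,
        "ra_signatures": 0,
        "enroll_principals": ["Domain Users"],
    },
    {   # Subject is built by the CA from AD, so the enrollee cannot pick the name
        "name": "User",
        "name_flag": 0,
        "ekus": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
        "enrollment_flag": 0,
        "ra_signatures": 0,
        "enroll_principals": ["Domain Users"],
    },
]

if __name__ == "__main__":
    for name, why in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: ESC1-exposed ({'; '.join(why)})")
```

Only a template that meets every condition is reported, which is the point of the check: removing any one of them (for example requiring manager approval, or dropping the enrollee-supplied subject) closes the path.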

Lateral Movement

Standard tools triggered alerts, but custom tools successfully moved laterally within the network without detection.

Data Exfiltration 

A 10GB file was exfiltrated to Dropbox over HTTPS, bypassing detection and without any restrictions.

Ransomware Simulation

A custom ransomware payload encrypted over 500 files and exfiltrated the encryption key—no alerts were triggered by Cortex XDR or the SOC.

For the social engineering assessment, our specialists simulated a real-world phishing campaign:

  • Employees received emails that mimicked internal communication.
  • Each email contained links to phishing pages designed to mimic the Microsoft Login interface, where credentials were collected. Out of 331 emails in total, 43 employees clicked the malicious links.
  • Next, 529 employees received a message allegedly from the internal training platform, reminding them to complete a course. Of these, 64 users clicked the links and were redirected to a fake login page, while 40 entered their credentials.

All emails successfully passed through mail gateways and were not blocked by anti-spam or phishing filters. Phishing pages were hosted on external domains with names similar to the corporate domain, making detection more difficult.

Users who clicked “Open” were redirected to a fake Microsoft login page. If credentials were entered, they were collected and stored for further analysis. After entering the password, users were shown a blank page or an error message to avoid suspicion.
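The lookalike domains that carried the phishing pages are something mail and proxy controls can screen for. The classifier below is an added example written for this case study (not the client's filters or the red team's code): it compares the registrable domain of each link against the corporate domain after undoing common character substitutions, and flags near-matches and names that embed the corporate name. The corporate domain `example-foods.com` and the sample URLs are constructed; the two-label rule for the registrable domain is a simplifying assumption (a public-suffix list would be needed for `.co.uk`-style domains).

```python
from urllib.parse import urlparse

# Added example (not from the case study). CORPORATE_DOMAIN and SAMPLE_URLS
# are CONSTRUCTED for illustration.
CORPORATE_DOMAIN = "example-foods.com"

# Character-level tricks commonly used to imitate a name; undone before comparing.
_SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", "")]


def normalize(label):
    label = label.lower()
    for old, new in _SUBSTITUTIONS:
        label = label.replace(old, new)
    return label


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of the host (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(url, corporate=CORPORATE_DOMAIN, max_distance=2):
    """Return 'legitimate', 'lookalike-embedded', 'lookalike-near-match' or 'unrelated'."""
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    if reg == corporate:
        return "legitimate"
    corp_label = normalize(corporate.split(".")[0])
    reg_label = normalize(reg.split(".")[0])
    # Corporate domain used as a subdomain of another domain, or the corporate
    # name buried inside a longer name (e.g. "<corp>-login.com").
    if corporate in host or (corp_label in reg_label and reg_label != corp_label):
        return "lookalike-embedded"
    # Small edit distance after normalization: typos, dropped or doubled letters,
    # digit-for-letter swaps.
    if levenshtein(reg_label, corp_label) <= max_distance:
        return "lookalike-near-match"
    return "unrelated"


# CONSTRUCTED sample links of the kinds seen in mail.
SAMPLE_URLS = [
    "https://login.example-foods.com/sso",
    "https://example-fooods.com/login",
    "https://examp1e-foods.com/login",
    "https://example-foods.com.training-portal.net/course",
    "https://examplefoods-login.com/",
    "https://www.microsoft.com/",
]


def triage(urls):
    return {u: classify_domain(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:22} {url}")
```

A verdict other than `legitimate` or `unrelated` is a candidate for blocking or analyst review; the check is deliberately conservative about `legitimate`, which it grants only when the registrable domain is exactly the corporate one.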

Outcomes of Penetration Testing

As a result of our penetration testing, we identified the following vulnerabilities in the client’s system:

  • 10 GB of information was exfiltrated via Dropbox.
  • 500+ files were encrypted because of detection gaps in the SOC.
  • Misconfigurations in ADCS opened a direct path to full infrastructure compromise.
  • 6 days of silent C2 activity undetected by SOC and monitoring tools.

Business risks if left unaddressed: 

  • Long-term, undetected attacker presence within the network.
  • Full domain compromise with administrative control.
  • Data loss and potential non-compliance with security regulations.

Our Recommendations

  1. Upgrade SOC Maturity. Reestablish response procedures and implement automated triage and incident prioritization.

  2. Improve Detection Process. Correlate telemetry across endpoints, network, and authentication layers for deeper system analysis. Implement anomaly-based detection, including beaconing, large data transfers, and certificate misuse.

  3. Strengthen Infrastructure. Patch ESC vulnerabilities in ADCS and enforce LDAP signing and encryption (LDAPS) to secure authentication flows.

  4. Test System Performance Regularly. Schedule purple team exercises and simulate incidents to validate SOC preparedness.
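Two of the anomaly checks named in recommendation 2, beaconing and large data transfers, correspond directly to what went unnoticed in this engagement (six days of C2 traffic and a 10 GB upload). The script below is an added example written for this case study, not the client's SOC content or the red team's tooling: it parses constructed proxy log lines of the form `<ISO timestamp> <src ip> <dst ip> <bytes out>`, flags source/destination pairs whose connection intervals are too regular, and sums outbound bytes per pair against a threshold. The log lines, the `SAMPLE_LOG` format, the 8-connection minimum, the 0.2 coefficient-of-variation cutoff and the 1 GiB threshold are all assumptions chosen for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Added example (not from the case study). SAMPLE_LOG is CONSTRUCTED:
# "<ISO timestamp> <src ip> <dst ip> <bytes out>", one connection per line.
SAMPLE_LOG = """\
2025-01-10T09:00:00 10.1.2.3 203.0.113.10 512
2025-01-10T09:00:30 10.1.2.3 198.51.100.20 1480
2025-01-10T09:01:00 10.1.2.3 203.0.113.10 498
2025-01-10T09:01:58 10.1.2.3 203.0.113.10 517
2025-01-10T09:03:00 10.1.2.3 203.0.113.10 503
2025-01-10T09:03:17 10.1.2.3 198.51.100.20 2048
2025-01-10T09:04:00 10.1.2.3 203.0.113.10 511
2025-01-10T09:05:01 10.1.2.3 203.0.113.10 499
2025-01-10T09:06:00 10.1.2.3 203.0.113.10 505
2025-01-10T09:07:00 10.1.2.3 203.0.113.10 500
2025-01-10T09:08:00 10.1.2.3 203.0.113.10 510
2025-01-10T09:09:00 10.1.2.3 203.0.113.10 497
2025-01-10T09:12:00 10.1.2.9 198.51.100.55 10737418240
2025-01-10T09:14:00 10.1.2.9 198.51.100.55 1024
2025-01-10T09:15:02 10.1.2.3 198.51.100.20 900
"""

GIB = 1024 ** 3


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes_out) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return sorted(events)


def detect_beacons(events, min_connections=8, max_cv=0.2):
    """Flag (src, dst) pairs whose connection gaps are regular enough to look like a beacon.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; a real beacon with small jitter scores close to 0.
    Returns (src, dst, mean_interval_seconds) for each hit.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.append((src, dst, round(mean, 1)))
    return hits


def detect_large_transfers(events, threshold_bytes=GIB):
    """Flag (src, dst) pairs whose summed outbound bytes reach the threshold."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in events:
        totals[(src, dst)] += nbytes
    return [(src, dst, total) for (src, dst), total in totals.items() if total >= threshold_bytes]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, dst, interval in detect_beacons(evs):
        print(f"beacon candidate: {src} -> {dst} every ~{interval}s")
    for src, dst, total in detect_large_transfers(evs):
        print(f"large transfer: {src} -> {dst} {total / GIB:.1f} GiB")
```

On the sample data the 60-second check-ins to 203.0.113.10 are reported while the three irregular connections to 198.51.100.20 are not, and the 10 GiB total to 198.51.100.55 crosses the transfer threshold even though it is split across two connections. In production the thresholds would be tuned per environment and the totals summed per day rather than over the whole log.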

Outcomes of Social Engineering Testing

Our assessment revealed these vulnerabilities for the client to address:

  • 107 employees interacted with phishing emails, showing susceptibility to social engineering.
  • Security filters failed to block phishing emails.
  • 40 employees entered their credentials on malicious websites.

Business risks if left unaddressed:

  • Compromise of user accounts, including access to internal systems.
  • Loss or leakage of confidential information.
  • Potential hacker access to internal resources via harvested credentials.

Our Recommendations

  1. Run practical training sessions for employees. Educate the team on how to recognize phishing attempts and handle suspicious emails safely.
  2. Enable spam filters. Set the highest protection level in the email settings.
  3. Use anti-phishing tools. Install browser extensions or use built-in features.
  4. Improve SOC visibility. Develop new response procedures to avoid credential theft.

Our Managed SOC Services

Every system has vulnerabilities, and it’s better to detect a threat on time and remove it than to deal with the aggravating consequences of a breach. With our SOCaaS, businesses get:

  • Up to 80% lower annual cost compared to running an internal SOC
  • AI-powered SOC that reduces alert fatigue and accelerates response time
  • Rapid onboarding in just 1 week for full-scale monitoring and response
  • 96% threat containment rate before threats could harm your business
  • Unified visibility across cloud, on-premises, and your security tools
  • 24/7 access to top-tier SOC analysts