How we did it

  • Social engineering tactics were used to craft convincing phishing emails targeting support engineers.
  • The attack exploited weak initial access controls, specifically on the AnyConnect/OVPN remote-access services.
  • The phishing payloads executed commands on the engineer’s workstation, demonstrating a critical gap in endpoint detection.
  • SOC response was monitored to evaluate reaction time and effectiveness in containment.

Conclusion

The test revealed a significant gap in the phishing detection and response mechanisms covering the support team. Because no alerts fired, the attacker gained initial access undetected. The SOC team's response time was better, but its containment still had areas to improve.

Recommendations included:

  • Enforcing two-factor authentication (2FA) on all remote access solutions.
  • Strengthening endpoint detection (EDR) to flag unauthorised command execution.
  • Improving phishing awareness training for all employees.
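The two technical recommendations above (flagging unauthorised command execution on endpoints, and enforcing a second factor on remote access) can both be expressed as simple detection logic over telemetry the organisation already collects. The following is an added example, not code or data from the engagement: it runs two checks over constructed sample records. The process-creation events use Sysmon-style field names (parent image, image, command line) and the VPN login records use an assumed shape with a `second_factor` field; the hosts, users, paths and timestamps are invented for the demonstration.

```python
"""Two small detections matching the report's recommendations:
1. an EDR-style rule that flags command interpreters spawned by mail and
   document viewers (the usual phishing delivery path), and
2. a check for remote-access logins that succeeded without a second factor.
All sample data below is constructed for this example."""
from pathlib import PureWindowsPath
from typing import List, Optional

# Applications that open phishing emails and attachments; they have no
# normal reason to launch a shell or script host.
USER_FACING_PARENTS = {
    "outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe",
    "acrord32.exe", "msedge.exe", "chrome.exe",
}
# Interpreters whose appearance under those parents is flagged.
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe",
}

# Constructed Sysmon-like process-creation events (hypothetical host/user names).
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:01:10Z", "host": "eng-ws-01", "user": "support\\j.doe",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},                       # user opened a shell: benign
    {"ts": "2024-03-04T09:03:42Z", "host": "eng-ws-01", "user": "support\\j.doe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -File invoice_details.ps1"},
    {"ts": "2024-03-04T09:05:00Z", "host": "eng-ws-02", "user": "support\\m.lee",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 12288"},            # print helper: benign
    {"ts": "2024-03-04T09:06:31Z", "host": "eng-ws-02", "user": "support\\m.lee",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": "wscript.exe attachment.vbs"},
]

# Constructed remote-access login records (assumed schema with a second_factor field).
SAMPLE_VPN_LOGINS = [
    {"ts": "2024-03-04T09:10:05Z", "user": "support\\j.doe", "service": "anyconnect",
     "result": "success", "second_factor": None},      # password only: flagged
    {"ts": "2024-03-04T09:11:40Z", "user": "it\\a.smith", "service": "openvpn",
     "result": "success", "second_factor": "totp"},
    {"ts": "2024-03-04T09:12:02Z", "user": "support\\j.doe", "service": "anyconnect",
     "result": "failure", "second_factor": None},      # failed attempt: not a session
]


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def flag_command_execution(event: dict) -> Optional[str]:
    """Return a reason string if a user-facing app spawned an interpreter, else None."""
    parent = image_name(event["parent_image"])
    child = image_name(event["image"])
    if parent in USER_FACING_PARENTS and child in INTERPRETERS:
        return f"{child} spawned by {parent}"
    return None


def detect_command_execution(events: List[dict]) -> List[dict]:
    """Run the parent/child rule over process-creation events and collect alerts."""
    alerts = []
    for ev in events:
        reason = flag_command_execution(ev)
        if reason:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "reason": reason, "command_line": ev["command_line"]})
    return alerts


def vpn_logins_without_second_factor(records: List[dict]) -> List[dict]:
    """Successful remote-access sessions established with a password alone."""
    return [r for r in records
            if r["result"] == "success" and not r.get("second_factor")]


if __name__ == "__main__":
    for alert in detect_command_execution(SAMPLE_EVENTS):
        print("EDR alert:", alert)
    for login in vpn_logins_without_second_factor(SAMPLE_VPN_LOGINS):
        print("VPN session without 2FA:", login)
```

On the sample data the first check raises two alerts (PowerShell under Outlook, Windows Script Host under Word) and ignores the explorer-launched shell and the print helper; the second check reports the one AnyConnect session that succeeded with a password alone. In a real deployment the parent and interpreter sets would be tuned to the environment's baseline, and the second-factor field would come from the VPN concentrator's own authentication logs.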