Looking for software development? We've movedGrassFed.dev

Phishing-to-Privilege Test

A realistic external attack showed how employee response and weak access controls could expose critical business systems, giving the client clear priorities for reducing risk.

Phishing-to-Privilege Test

Industries

Telecommunications

Services

Security Awareness Testing,
Vulnerability Assessment,
Penetration Testing

About the project

A telecommunications provider needed an outside-in view of whether its public-facing systems, email defenses, and staff response could stop an attacker with no internal knowledge. The goal was to determine whether an internet-based attacker could obtain valid credentials or establish a foothold.

The stakes extended beyond a single inbox. If one account could be turned into access across administrative and operational services, weak passwords, broad privileges, and gaps in sign-in monitoring could magnify the impact. The client needed evidence of the full attack path and practical priorities for strengthening people, processes, and technology.

What we did

  • We began with a black-box assessment using no client-provided information. Following NIST SP 800-115 and the OWASP Web Security Testing Guide, we mapped public-facing assets, reviewed exposed services, and performed network and web discovery. When the initial technical review did not reveal an obvious entry point, we focused on the most credible remaining path: email.
  • Using public information about the organization and its staff, we built a tailored, controlled phishing scenario and a convincing login experience. The test measured whether the message reached employee inboxes, whether recipients recognized and reported it, and whether existing safeguards could prevent captured credentials from becoming working access.
  • The exercise showed that a recipient could submit credentials and approve an unexpected multifactor authentication request. Within the authorized scope, we used that access to confirm that a compromised mailbox could lead to administrator-level access across several critical business platforms. Suspicious sign-ins also failed to produce an observed response during the test.
  • We documented the control gaps that made the attack chain possible: weak, reused, and shared passwords; excessive account privileges; inconsistent multifactor authentication; permissive email filtering; and limited sign-in detection. The final recommendations called for awareness training, stronger password controls, least-privilege access, broader multifactor authentication, tighter anti-phishing policies, and improved anomaly monitoring.

Technologies Used

NIST

NIST

OWASP

OWASP

N map logo

N map

Digital Ocean

Digital Ocean

HTML

HTML

CSS

CSS

Java Script

Java Script

PHP

PHP

Microsoft 365 logo

Microsoft 365

Browse more projects

Connected Vessel Risk Review

Connected Vessel Risk Review

Account-to-Server Takeover Test

Account-to-Server Takeover Test

Contact Us