Phishing-to-Privilege Test
A realistic external attack showed how employee response and weak access controls could expose critical business systems, giving the client clear priorities for reducing risk.

Industries
Telecommunications
Services
Security Awareness Testing,
Vulnerability Assessment,
Penetration Testing
About the project
A telecommunications provider needed an outside-in view of whether its public-facing systems, email defenses, and staff response could stop an attacker with no internal knowledge. The goal was to determine whether an internet-based attacker could obtain valid credentials or establish a foothold.
The stakes extended beyond a single inbox. If one account could be turned into access across administrative and operational services, weak passwords, broad privileges, and gaps in sign-in monitoring could magnify the impact. The client needed evidence of the full attack path and practical priorities for strengthening people, processes, and technology.
What we did
- We began with a black-box assessment using no client-provided information. Following NIST SP 800-115 and the OWASP Web Security Testing Guide, we mapped public-facing assets, reviewed exposed services, and performed network and web discovery. When the initial technical review did not reveal an obvious entry point, we focused on the most credible remaining path: email.
- Using public information about the organization and its staff, we built a tailored, controlled phishing scenario and a convincing login experience. The test measured whether the message reached employee inboxes, whether recipients recognized and reported it, and whether existing safeguards could prevent captured credentials from becoming working access.
- The exercise showed that a recipient could submit credentials and approve an unexpected multifactor authentication request. Within the authorized scope, we used that access to confirm that a compromised mailbox could lead to administrator-level access across several critical business platforms. Suspicious sign-ins also failed to produce an observed response during the test.
- We documented the control gaps that made the attack chain possible: weak, reused, and shared passwords; excessive account privileges; inconsistent multifactor authentication; permissive email filtering; and limited sign-in detection. The final recommendations called for awareness training, stronger password controls, least-privilege access, broader multifactor authentication, tighter anti-phishing policies, and improved anomaly monitoring.
Technologies Used
NIST
OWASP
N map
Digital Ocean
HTML
CSS
Java Script
PHP

Microsoft 365

