
Disclaimer: The industry type and specific business domain of the target organisation have been purposefully obscured in this case study to maintain client privacy and honour contractual obligations. Certain operational details have been generalised. The information shared here is strictly for educational purposes - to help security professionals, organisations and students understand how nation-state style attacks are planned and executed and more importantly, how to defend against them.
Background
During one of my most challenging engagements, I had the opportunity to lead and orchestrate a large-scale Social Engineering (SE) operation that simulated a nation-state style attack against a major enterprise organisation.
What made this engagement exceptional was not just its scope - it was the target's security posture. The organisation, referred to here as "Organisation Alpha", had already invested heavily in its defensive capabilities. Over the preceding two years, they had commissioned five separate red team engagements from reputable security firms. Each engagement had identified vulnerabilities and Alpha had systematically remediated them. Their employees had undergone multiple rounds of security awareness training. Their SOC was mature. Their incident response playbooks were tested.
They believed they had raised the bar high enough.
They contracted us to prove whether that bar was truly high enough to withstand a persistent, patient, nation-state calibre adversary. The engagement lasted approximately 7-8 weeks.
Why This Was Different
Most red team and penetration testing engagements operate under tight timeframes - typically 1-3 weeks. Attackers in the real world, particularly nation-state actors and advanced persistent threat (APT) groups, do not operate under such constraints. They spend weeks or months in reconnaissance alone before making a single move.
Organisation Alpha understood this. Having already stress-tested their defences through conventional red teaming, they wanted to understand their exposure to a low-and-slow, multi-stage adversary - one that would invest time in building trust, gathering intelligence and exploiting the one vulnerability no patch can fix: human nature.
The Team and Rules of Engagement
We assembled a team of 3-4 specialists, each playing distinct roles throughout the operation:
- Lead Strategist / SE Operator (my role): Overall planning, orchestration and active participation in social engineering calls and pretexting
- OSINT Analyst: Deep-dive reconnaissance, target profiling and intelligence correlation
- Technical Operator: Infrastructure setup, phishing page development, credential harvesting and payload delivery
- Physical Assessment Specialist: On-ground reconnaissance and physical security testing
The client provided us with a list of specific flags - these were defined objectives such as gaining access to particular systems, exfiltrating specific categories of data, or compromising accounts with defined privilege levels. This flag-based approach was itself a testament to their security maturity - they weren't asking "can you get in?" but rather "how far can you get and through which paths?"
The rules were clear: gain access to every flag by any means necessary - technical exploitation, human manipulation, physical bypass, or any combination thereof.
Stage 1: OSINT and Reconnaissance (Weeks 1-2)

The first two weeks were entirely passive. No calls. No emails. No direct contact with the target. Pure intelligence gathering.
Open-Source Intelligence Collection
We systematically harvested information from:
- LinkedIn: Mapped the organisational hierarchy, identified key personnel by department, noted reporting structures and catalogued technology skills listed on employee profiles (which often reveal the internal tech stack)
- Social Media (Facebook, Twitter/X, Instagram): Personal interests, travel patterns, life events - all useful for building rapport during SE calls
- Corporate Website & Career Pages: Job listings revealed technologies in use, team structures and ongoing projects
- Wayback Machine: Historical snapshots of their website revealed previously published employee directories, old portal URLs and deprecated login pages that sometimes still resolved
- Public Records & Filings: Regulatory filings, partnership announcements and press releases provided context about internal operations
- Technical Footprinting: DNS records, certificate transparency logs, subdomain enumeration and email header analysis from publicly available correspondence
Target Profiling
From this intelligence, we built detailed profiles on approximately 40-50 employees across multiple departments. Each profile included:
- Full name, title, department and reporting manager
- Email format and direct phone numbers (where available)
- Social media presence and communication style
- Likely security awareness level (based on tenure, department and whether they'd been involved in previous red team exercises)
- Potential pretexts that would resonate with their role
We specifically identified individuals in the IT helpdesk, HR, finance and operations teams as primary targets - roles that naturally handle sensitive information and are accustomed to receiving calls from unfamiliar internal contacts.
Stage 2: Vishing - The Social Engineering Calls (Weeks 3-5)

This was the core of the operation and where our patience paid off. Knowing that Alpha's staff had been through multiple rounds of security awareness training and had prior experience with SE tests, we anticipated a high level of suspicion. A single poorly executed call could burn the entire operation.
Building the Pretext: Gaining Internal Intelligence
Rather than directly targeting high-value accounts, we started at the edges.
Call 1 - The Reception: We called the main reception line, posing as a recently onboarded contractor who needed to reach the IT helpdesk for laptop provisioning issues. The receptionist was professional and reasonably cautious - she asked for our employee ID. We explained we hadn't received one yet as the onboarding was still in progress and that our manager had asked us to call the helpdesk directly. After a brief hesitation, she transferred us.
Call 2 - The IT Helpdesk: Speaking with the helpdesk, we maintained the new-joiner persona and carefully extracted critical operational intelligence during what appeared to be a routine support call:
- Names of helpdesk team members and their shift patterns
- The VPN solution in use and its authentication method
- Names of internal portals and applications
- Details of an ongoing system migration that was causing widespread access issues for staff
- The helpdesk's standard troubleshooting procedures and escalation paths
This migration detail was gold. It gave us a legitimate, time-sensitive pretext that every employee in the organisation would recognise and believe.
Executing the Attack Calls
Armed with helpdesk personnel names, internal system names and knowledge of the ongoing migration, we began targeting staff members directly.
Call infrastructure:
- Used VoIP services with virtual numbers, enabling caller ID manipulation
- Employed number masking techniques to display internal-looking numbers
- All conversations were recorded as engagement evidence (per the rules of engagement)
The pretext: Impersonating IT helpdesk personnel by name, we called targeted employees to inform them about a mandatory Single Sign-On (SSO) migration that was being rolled out in phases. The narrative was carefully crafted:
-
"Hi [Name], this is [Helpdesk Person] from IT. We're reaching out to your department today as part of the SSO migration - you might have heard about the access issues some teams have been experiencing." (Establishes legitimacy using known details)
-
"To complete your migration, we'll need to initiate a password reset on your account. You'll receive an authentication notification on your phone - please approve it and then read back the verification code so we can confirm the migration completed successfully." (The actual attack - harvesting MFA codes)
-
"Once it's done, please use the new password we'll set for you and avoid changing it for the next 48 hours while the migration syncs across systems." (Maintains access window)
The Results
Over the course of two weeks, we successfully compromised multiple staff accounts across different departments. The success rate was remarkably high because:
- The pretext aligned perfectly with a real ongoing event (the migration)
- We used real helpdesk names and demonstrated knowledge of internal systems
- The request was framed as routine IT support, not anything unusual
- We approached targets who had not been specifically targeted in previous red team exercises
What We Gained Access To
With compromised credentials and active sessions, we had access to:
- The complete O365 suite - email, SharePoint, OneDrive, Teams
- Internal SharePoint sites containing sensitive operational documents, project plans and internal policies
- Email archives, including instances where credentials had been shared via email (a disturbingly common practice)
- Finance and HR department communications, including payment templates, approval workflows, internal memo formats and individual writing styles with signature blocks
The last point was critical for the next phase.
Stage 3: Lateral Movement via Internal Phishing (Weeks 5-7)

One of the compromised accounts belonged to a member of the finance team. We studied their email history, communication patterns, writing style and signature format meticulously. Then we weaponised it.
The Internal Phishing Campaign
Using the compromised finance account, we crafted a phishing email that was indistinguishable from a legitimate internal communication:
- Written in the exact tone and style of the account owner
- Used the correct email signature, including department, title and phone extension
- Referenced a real internal process (payroll portal update)
- Included a link to a phishing page hosted on a domain visually similar to the organisation's actual domain
The email informed recipients that the finance portal was being updated and that they needed to verify their login credentials to ensure their payroll details would process correctly for the upcoming cycle.
Technical Execution
- Domain: Registered a lookalike domain with a subtle character substitution
- Phishing Page: Replicated the organisation's SSO login page with high fidelity
- Post-Login Flow: After credential capture, users were redirected to the legitimate portal with a confirmation message, creating no suspicion
- Anti-Detection: We created an O365 mail rule on the compromised account that automatically moved any replies to the phishing email into a hidden folder - preventing the real account owner from noticing responses from confused colleagues
Why It Worked
Because the phishing email originated from a legitimate internal email address, it:
- Bypassed all email security filters and gateway protections
- Appeared in recipients' inboxes without any warning banners or flags
- Carried the implicit trust of internal communication
- Was sent from someone recipients actually knew and worked with
This phase yielded credentials from multiple additional departments, significantly expanding our access across the organisation.
Stage 4: Physical Security Assessment (Week 7-8)

With extensive digital access already established, we turned our attention to the physical security perimeter. Using intelligence gathered from internal emails and documents, we:
- Identified office locations, floor plans referenced in facilities emails and visitor management procedures
- Crafted a cover identity as an external auditor scheduled for a compliance review
- Used email templates from the compromised accounts to send a pre-arrival notification to the reception team, establishing our visit as expected
The physical assessment revealed additional vulnerabilities in badge management, visitor escort procedures and the security of sensitive areas within the facility.
Adapting Under Pressure
These interactions were never scripted exchanges. Every call, every email, every in-person interaction required real-time adaptation. This is where years of experience become the differentiator between a successful SE operation and a burned one.
When a target expressed suspicion during a call, we never pushed. Instead, we:
- Validated their caution: "That's exactly the right attitude - we've been telling everyone to be careful with these calls given all the migration changes"
- Offered alternative verification: "Feel free to call the helpdesk directly to verify - ask for [name], they can confirm the migration schedule"
- Gracefully disengaged when necessary, ensuring the target didn't escalate to security or alert colleagues
This measured approach meant that even unsuccessful calls didn't compromise the broader operation.
Flags and High-Value Assets Acquired
Below is a summary of the flags (Crown Jewels) we were tasked to capture - and successfully obtained during the engagement.
| Category | Flag / Crown Jewel |
|---|---|
| Applications | |
| • Enterprise Resource Planning (ERP) - primary business application | |
| • Expense management portal linked to ERP backend | |
| • Internal project management and workflow platform | |
| Data / Shared Folders | |
| • Employee records including payroll and HR data | |
| • Compliance and regulatory filing directories | |
| • Senior leadership shared folders (board reports, strategy documents) | |
| • Finance reconciliation and audit trail archives | |
| Domain Admin / Global Privileges | |
| • Domain Administrator credentials (full Active Directory control) | |
| • Global Admin permissions across cloud tenancy | |
| High-Value Assets | |
| • Microsoft 365 tenant (Exchange, SharePoint, Teams, OneDrive) | |
| • Internal code repositories and CI/CD pipeline access | |
| • VPN gateway and remote access infrastructure credentials | |
| • Backup system administrative console |
Every single flag on the client's original target list was captured. Several additional high-value assets - not originally scoped as flags - were also discovered and accessed as a natural consequence of the lateral movement paths we established.
Final Results
We successfully captured every flag on the client's list.
Organisation Alpha - an enterprise that had invested significantly in security over two years, conducted five red team assessments, trained its staff extensively and hardened its technical infrastructure - was comprehensively compromised through patient, methodical social engineering.
The client was genuinely surprised. Not because they expected to be impenetrable, but because the depth and breadth of access we achieved exceeded what any of the five previous red team vendors had accomplished.
Key Takeaways
-
Previous red teaming does not equal resilience. Five assessments over two years had hardened the technical perimeter but had not adequately prepared the organisation for a patient, multi-stage human-focused attack.
-
Time is the attacker's greatest weapon. Compressed 1-2 week engagements cannot replicate what a nation-state adversary achieves over months. Organisations that only test with short engagements have a dangerously incomplete picture of their risk.
-
Internal trust is the softest target. Once a single account is compromised, the implicit trust within internal communications becomes a devastating force multiplier. Emails from known colleagues bypass every technical control.
-
Real-world pretexts are irresistible. When social engineering aligns with actual events (like an ongoing migration), even security-trained employees struggle to distinguish the attack from reality.
-
Security awareness training has limits. Training teaches employees to spot generic phishing and suspicious calls. It does not prepare them for a caller who knows their colleague's name, their internal systems and the specifics of an ongoing IT project.
-
Defence-in-depth must include the human layer. Technical controls, email gateways and MFA are necessary but insufficient. Organisations must also invest in processes that verify identity through out-of-band channels, limit the blast radius of compromised accounts and detect anomalous behaviour patterns.
Written by Debasis Mohanty (nopsled) - Based on a real-world engagement. The industry and business domain have been intentionally obscured to honour client confidentiality and contractual obligations.
Continue reading: Part 2 -- Phishing and Social Engineering Campaign covers the detailed attack narratives, credential harvesting infrastructure, MFA bypass techniques and individual account compromise walkthroughs.