The setup
When one of our Swarm red team operatives rang this client’s internal support line, we weren’t pretending to be a sophisticated APT group.
We were pretending to be something far more dangerous: an employee who’d just come back from holiday and was asking for a little leniency on the rules.
The pretext was simple:
“I’m supposed to be logged in from home on my laptop… and I’m going to get in trouble if I don’t send this email.”
No drama, just the familiar pressure of someone trying to stay afloat in a normal workday. A touch of worry in the voice, the quiet scramble of a person who knows their manager’s already watching the clock. All we needed was “just a quick reset.”
The gatekeepers bite back
The client’s support team didn’t fold immediately.
We ran into a verification maze: some questions we answered correctly, some we bypassed entirely.
And then came the gem: “Who’s the bald guy in your team?”
We’ll be honest, even Google couldn’t save us on that one. But with a bit of conversational drift and a confident tone, we managed to hop over that particular tripwire.
The fall of the MFA wall
With just enough trust achieved, the dominoes fell:
- Password reset issued
- MFA device changed
- Burner phone registered
- Full mailbox access granted
This is the part where most real-world attackers disappear into accounts for months.
We only needed minutes.
From inbox to impact
With access secured, another Swarm operator joined the operation (we specialize in coordinated simulated attacks, after all).
Together, we quickly began enumerating:
- Internal project data
- Sensitive client information
- Credentials and access tokens
- Internal workflows ripe for exploitation
Our goal wasn’t to steal. It was to show just how quickly an attacker could cause business-critical damage, simply by exploiting human trust and weak verification hygiene.
What we proved
This engagement validated a foundational truth: if your people can be convinced… your perimeter doesn’t matter.
Multi-layered checks only work when:
- They’re applied consistently
- Staff feel confident holding the line
- And there’s a culture that’s comfortable saying “no”, even to an “employee in trouble”
The client now uses this case as internal training for why MFA procedures, identity verification, and refusal protocols exist.