
The one where a fake email proved the risk was real

A fake onboarding email opened a real security gap, showing how even mature defences fail when assumptions go untested.

Advanced Persistent Threat

A new hire’s first week is meant to be about learning, not defending.

For one of the world’s largest B2C retailers, it became the starting point of a simulated breach that revealed how a single overlooked detail could open the entire network.

Their defences were mature, with a global SOC, internal red teams, and certified processes built around ISO 27001.

However, maturity alone doesn’t equal immunity. They wanted to know if their systems could withstand an attack from the outside, one that mirrored the persistence of a real adversary.

This is the story of how a single phishing email exposed the hidden gap between perceived and actual security.

The setup

Our brief was clear: act as an external APT with no insider knowledge and see how far we could get.
No code access. No architecture documentation. No hints.

Our approach mirrored how a genuine threat actor would operate, testing not just technology but human response.

A new employee, still in the onboarding process, received a CovertSwarm phishing email. Believing it to be part of an internal workflow, they followed the link and signed in. In that moment, we captured valid credentials and a usable MFA token, which was enough to authenticate as them.

The discovery

The employee realised their mistake quickly and reported it. The organisation responded in line with procedure. Accounts were locked and credentials reset.

But one small oversight remained.

The VPN session we had established with the stolen credentials stayed active. A password reset stops new logins, but it does not terminate sessions that were authenticated before the reset unless those sessions are revoked explicitly. That left us an open channel into the network, and from there we moved laterally and explored deeper.
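The gap described above is easy to check for if you have both identity-provider and VPN logs. The following is an added example (not code from the original page or from CovertSwarm) that correlates credential-reset events with VPN session records and flags sessions that began before a user's most recent reset and were still alive afterwards. The event shapes, field names and sample data are constructed for illustration; a real deployment would feed it exports from its own IdP and VPN concentrator.

```python
"""Flag VPN sessions that survive a credential reset for the same account.

Added example, not part of the original page. Event formats below are assumed:
  {"type": "credential_reset", "user": ..., "time": ISO-8601 UTC}
  {"type": "vpn_session", "user": ..., "session_id": ..., "start": ..., "end": ... or None}
"""
from datetime import datetime
from typing import Dict, List, Optional, Tuple


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as '2024-03-04T09:15:00Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed sample events (illustrative only, not real logs).
SAMPLE_EVENTS: List[dict] = [
    # Session opened with phished credentials, never terminated.
    {"type": "vpn_session", "user": "new.hire", "session_id": "vpn-1001",
     "start": "2024-03-04T09:02:00Z", "end": None},
    # Helpdesk resets the password after the user reports the phish.
    {"type": "credential_reset", "user": "new.hire",
     "time": "2024-03-04T09:40:00Z"},
    # Legitimate re-login with the new password; must not be flagged.
    {"type": "vpn_session", "user": "new.hire", "session_id": "vpn-1002",
     "start": "2024-03-04T10:05:00Z", "end": None},
    # Session that ended before the reset; nothing survived.
    {"type": "vpn_session", "user": "alice", "session_id": "vpn-2001",
     "start": "2024-03-04T08:00:00Z", "end": "2024-03-04T08:30:00Z"},
    {"type": "credential_reset", "user": "alice",
     "time": "2024-03-04T09:00:00Z"},
    # No reset for this user, so there is nothing to compare against.
    {"type": "vpn_session", "user": "bob", "session_id": "vpn-3001",
     "start": "2024-03-04T07:00:00Z", "end": None},
]


def latest_resets(events: List[dict]) -> Dict[str, datetime]:
    """Return the most recent credential reset time per user."""
    resets: Dict[str, datetime] = {}
    for event in events:
        if event["type"] != "credential_reset":
            continue
        when = parse_ts(event["time"])
        if event["user"] not in resets or when > resets[event["user"]]:
            resets[event["user"]] = when
    return resets


def find_surviving_sessions(events: List[dict], now: datetime) -> List[Tuple[str, str, int]]:
    """Return (user, session_id, minutes_alive_after_reset) for every VPN session
    that started before the user's latest reset and was still open after it.

    Sessions started after the reset were authenticated with the new credential
    and are ignored; sessions with no reset for their user are ignored too.
    """
    resets = latest_resets(events)
    findings: List[Tuple[str, str, int]] = []
    for event in events:
        if event["type"] != "vpn_session":
            continue
        reset_at: Optional[datetime] = resets.get(event["user"])
        if reset_at is None:
            continue
        start = parse_ts(event["start"])
        if start >= reset_at:
            continue  # established after the reset; not the gap we are looking for
        end = parse_ts(event["end"]) if event["end"] else now  # open session: alive until now
        if end > reset_at:
            minutes = int((end - reset_at).total_seconds() // 60)
            findings.append((event["user"], event["session_id"], minutes))
    return findings


if __name__ == "__main__":
    for user, session_id, minutes in find_surviving_sessions(
            SAMPLE_EVENTS, parse_ts("2024-03-04T12:00:00Z")):
        print(f"REVOKE {session_id}: {user} session outlived reset by {minutes} min")
```

In a real incident-response playbook this check belongs in the same step as the reset itself: the output is the list of sessions to terminate at the VPN gateway, and an empty list after the reset is the evidence that the "lock and reset" procedure actually closed the door.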

When we reached the company's Citrix environment, an application reachable without authentication contained a weakness that allowed remote code execution. Within moments, our command and control infrastructure was active inside their estate, operating silently and unseen.

The breach

From a single phishing click, we had reached critical systems without detection.
The client's defensive tools were in place, but they were not tuned to the behaviours this intrusion produced: a VPN session that outlived a credential reset, lateral movement from that session, and outbound command and control traffic.

Our activity went unnoticed, showing that even well-structured incident response plans can falter when a live attack behaves differently from the model they were built to counter.

The lesson wasn’t about a single misstep, but about how complex systems can create blind spots that only constant, real-world testing can uncover.

The call to action

This global retailer discovered that no security strategy is complete without ongoing validation. A single phishing email can bypass even the most advanced systems if assumptions are left untested.

Every organisation faces the same truth. If we can find the gap, a real attacker eventually will.

Make our attack your best defence.
Contact CovertSwarm today and see your security through an adversary’s eyes.