The one where a fake email proved the risk was real
A fake onboarding email opened a real security gap, showing how even mature defences fail when assumptions go untested.

A new hire’s first week is meant to be about learning, not defending.
For one of the world’s largest B2C retailers, it became the starting point of a simulated breach that revealed how a single overlooked detail could open the entire network.
Their defences were mature, with a global SOC, internal red teams, and certified processes built around ISO 27001.
However, maturity alone doesn’t equal immunity. They wanted to know if their systems could withstand an attack from the outside, one that mirrored the persistence of a real adversary.
This is the story of how a single phishing email exposed the hidden gap between perceived and actual security.
Our brief was clear: act as an external APT with no insider knowledge and see how far we could get.
No code access. No architecture documentation. No hints.
Our approach mirrored how a genuine threat actor would operate, testing not just technology but human response.
A new employee, still in the onboarding process, received a CovertSwarm phishing email. Believing it to be part of an internal workflow, they clicked. In that moment, we captured valid credentials and MFA tokens.
The employee realised their mistake quickly and reported it. The organisation responded in line with procedure. Accounts were locked and credentials reset.
But one small oversight remained.
The VPN session established during the phishing attack stayed active, giving us an open channel into the network. From there, we moved laterally and explored deeper.
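The oversight above, as an added defender's example that is not CovertSwarm's or the client's code: a reconciliation check over constructed VPN and identity-log lines that flags any session established before a credential reset for the same user and still open once a short grace period has passed. The log format, user names and timestamps are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log for this example; format and names are assumed.
SAMPLE_LOG = """\
2024-03-04T09:00:00 vpn_connect user=alice session=s1
2024-03-04T09:20:00 credential_reset user=alice
2024-03-04T10:00:00 vpn_connect user=bob session=s2
2024-03-04T10:05:00 vpn_disconnect user=bob session=s2
2024-03-04T10:30:00 credential_reset user=bob
2024-03-04T11:00:00 credential_reset user=carol
2024-03-04T11:10:00 vpn_connect user=carol session=s3
2024-03-04T12:00:00 vpn_connect user=dave session=s4
2024-03-04T12:15:00 credential_reset user=dave
2024-03-04T12:17:00 vpn_disconnect user=dave session=s4
"""

def parse(log):
    """Yield (timestamp, kind, fields) for each 'ts kind k=v ...' line."""
    for line in log.splitlines():
        ts, kind, *pairs = line.split()
        yield datetime.fromisoformat(ts), kind, dict(p.split("=", 1) for p in pairs)

def orphaned_sessions(log, now, grace=timedelta(minutes=5)):
    """Flag VPN sessions established before a credential reset for the same
    user and still open more than `grace` after it; a password reset alone
    does not end them. Returns {session_id: (user, reset_time)}."""
    sessions = {}  # session_id -> [user, start, end-or-None]
    resets = {}    # user -> [reset timestamps]
    for ts, kind, f in parse(log):
        if kind == "vpn_connect":
            sessions[f["session"]] = [f["user"], ts, None]
        elif kind == "vpn_disconnect":
            sessions[f["session"]][2] = ts
        elif kind == "credential_reset":
            resets.setdefault(f["user"], []).append(ts)
    flagged = {}
    for sid, (user, start, end) in sessions.items():
        for reset in resets.get(user, []):
            # A login after the reset (new credentials) is expected, not a finding.
            if start >= reset:
                continue
            deadline = reset + grace
            if (end is None and now > deadline) or (end is not None and end > deadline):
                flagged[sid] = (user, reset)
    return flagged

def find_orphans(now_iso="2024-03-04T13:00:00"):
    """Run the check over the sample log as of the given time (ISO string)."""
    return orphaned_sessions(SAMPLE_LOG, datetime.fromisoformat(now_iso))
```

In the sample, only alice's session survives her reset; the same check run against real VPN concentrator and identity logs makes the "reset but not terminated" gap visible within minutes instead of after the fact.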
When we reached the company’s Citrix environment, an unauthenticated application revealed a weakness that allowed remote code execution. Within moments, our Command and Control infrastructure was active inside their estate, operating silently and unseen.
From a single phishing click, we had reached critical systems without detection.
The client’s defensive tools were in place but not fully aligned to catch this type of intrusion.
Our activity went unnoticed, showing that even well-structured incident response plans can falter when a live attack behaves differently from the model they were built to counter.
The lesson wasn’t about a single misstep, but about how complex systems can create blind spots that only constant, real-world testing can uncover.
This global retailer discovered that no security strategy is complete without ongoing validation. A single phishing email can bypass even the most advanced systems if assumptions are left untested.
Every organisation faces the same truth. If we can find the gap, a real attacker eventually will.
Make our attack your best defense.
Contact CovertSwarm today and see your security through an adversary’s eyes.