
The one where we used their own front door to knock.

No spoofed domains. No fake IT support. Just a contact form, a plausible pretext, and a Business Development Director doing his job. This is what a successful phishing engagement looks like when the entry point is your sales process.

Most phishing campaigns start with the attacker reaching out. This one started with a contact form. 


The setup 

Using the target’s own contact form wasn’t random. Their platform sends the message, so delivery is almost guaranteed. And if anyone replied, they’d be the ones initiating the conversation, in a thread their own system had opened. Harder to flag. Easier to trust. 

The pretext: a construction company looking to expand, needing consultancy on fund administration and servicing. The kind of enquiry that looks like someone did their homework. Polite. Specific. Unhurried.  

One click 

Their Business Development Director replied via email, introduced himself, and asked to arrange a meeting. 

We replied saying our partnership requirements were specific and it would be worth reviewing them before going further. We sent the link. 

He clicked it. Entered his credentials. Session hijacked. 

His next message: “The link didn’t work. Can you send an attachment instead?” 

He still doesn’t know.  

The real vulnerability 

No elaborate infrastructure. No impersonation of internal staff. No pretending to be IT support. 

Just a contact form, a plausible story, and a Business Development Director doing exactly what his job description says: following up on a lead. 

The entry point wasn’t a vulnerability in their technology. It was a feature of their sales process. 

Your public-facing channels aren’t just marketing tools. In the wrong hands, they’re an invitation. 

The Business Development Director is still following up on leads. He doesn’t know one of them was us. 


Want to see what an attacker sees when they look at your front door?

Contact CovertSwarm to find out.