Phishing To Expanding Privileges
- Lindsay Timcke

- 2 days ago
- 2 min read
I do not need to be a genius to get inside your network. I need one person to be human for a moment. So I send one believable email. Not a clumsy prince offering millions but a note that looks like it came from your CFO, your vendor, or your help desk. Someone clicks. That click does not hand me the kingdom. It hands me a single chair in a single room.
What I do next is what separates a contained incident from a catastrophe. I am now sitting inside the trust boundary your whole organization was built on. From that one chair I listen. I learn how your people talk, which systems matter, where the shared drives live, and who holds the keys. (The average breach takes roughly eight months to fully detect and contain, which is most of a year I get to spend learning your business.) Then I move. Not loudly. I am in no hurry, because time is the one advantage a patient intruder always has. I borrow credentials left lying around and reuse passwords nobody rotated.
One of my favorites is to email the help desk, as the user whose mailbox I now control, and request new privileges for a project I have gleaned from your email traffic. This one is always particularly embarrassing for IT. The help desk assumes that because the request comes from an internal mailbox, or as a ticket from that user, it is legitimate. Then I add a mailbox rule that quietly routes the help desk replies to Deleted Items, so the real user never sees them.
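As an added example, not part of the original post: detection logic for the reply-hiding step above, run over a constructed audit-log sample. The record shape (a UserId, an Operation, and a Parameters list of Name/Value pairs) is modeled on Microsoft 365 unified audit log entries for New-InboxRule and Set-InboxRule; the hidden-folder list, the help-desk keywords and the sample records themselves are assumptions to adjust for your own mail platform and ticketing system.

```python
import json

# Inbox-rule operations as they are named in Microsoft 365 unified audit log
# records (Exchange workload). Another log source needs its own mapping.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Folders an intruder picks precisely because nobody looks there (assumed list).
HIDDEN_FOLDERS = {"deleted items", "junk email", "archive", "rss feeds",
                  "rss subscriptions", "conversation history"}

# Words suggesting the rule targets help-desk or ticketing traffic (assumed list).
HELPDESK_WORDS = ("help desk", "helpdesk", "service desk", "servicedesk",
                  "ticket", "it support", "support@")

# Rule parameters whose text narrows which messages the rule touches.
SCOPE_PARAMS = ("From", "SubjectContainsWords", "BodyContainsWords",
                "SubjectOrBodyContainsWords", "FromAddressContainsWords")


def rule_parameters(record):
    """Flatten the record's Parameters list ([{Name, Value}, ...]) into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def assess_rule(record):
    """Return the reasons an inbox-rule event looks like reply hiding.

    An empty list means the event is not a rule change, or the rule leaves
    matching mail where the mailbox owner will still see it.
    """
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = rule_parameters(record)
    reasons = []
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDDEN_FOLDERS:
        reasons.append(f"moves matching mail to '{folder}'")
    if any(params.get(k) for k in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")):
        reasons.append("forwards or redirects matching mail")
    if not reasons:
        return []
    # Aggravating factors, only reported once a hiding action is present.
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks matching mail as read")
    scope = " ".join(params.get(k, "") for k in SCOPE_PARAMS).lower()
    if any(word in scope for word in HELPDESK_WORDS):
        reasons.append("scoped to help-desk traffic")
    return reasons


def find_hidden_reply_rules(records):
    """Return one alert per suspicious rule event, in log order."""
    alerts = []
    for record in records:
        reasons = assess_rule(record)
        if reasons:
            params = rule_parameters(record)
            alerts.append({
                "time": record.get("CreationTime"),
                "user": record.get("UserId"),
                "operation": record["Operation"],
                # New-InboxRule carries Name; Set-InboxRule refers to Identity.
                "rule": params.get("Name", params.get("Identity", "?")),
                "reasons": reasons,
            })
    return alerts


def parse_records(jsonl_text):
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


# Constructed sample log (not real data), modeled on the shape of
# New-InboxRule / Set-InboxRule records in the unified audit log.
SAMPLE_LOG = """\
{"CreationTime": "2024-05-02T08:14:03", "UserId": "jdoe@example.com", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "cleanup"}, {"Name": "SubjectContainsWords", "Value": "Ticket"}, {"Name": "MoveToFolder", "Value": "Deleted Items"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"CreationTime": "2024-05-02T09:02:41", "UserId": "asmith@example.com", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "vendor invoices"}, {"Name": "From", "Value": "billing@vendor.example"}, {"Name": "MoveToFolder", "Value": "Invoices"}]}
{"CreationTime": "2024-05-02T09:30:12", "UserId": "jdoe@example.com", "Operation": "Set-InboxRule", "Parameters": [{"Name": "Identity", "Value": "cleanup"}, {"Name": "ForwardTo", "Value": "archive.mailbox@external.example"}]}
{"CreationTime": "2024-05-02T09:31:00", "UserId": "jdoe@example.com", "Operation": "MailItemsAccessed", "Parameters": []}
"""

if __name__ == "__main__":
    for alert in find_hidden_reply_rules(parse_records(SAMPLE_LOG)):
        print(f"{alert['time']} {alert['user']} {alert['operation']} "
              f"rule={alert['rule']!r}: {'; '.join(alert['reasons'])}")
```

The benign vendor-invoice rule in the sample produces no alert, the rule that files "Ticket" mail into Deleted Items and marks it read does, and the later edit that adds an external forward is flagged on its own even though it names no folder. A rule that only marks mail read or matches help-desk words without a hiding action is deliberately ignored, since those are common in legitimate mailboxes; pair this with a review of privilege requests that arrived by email or ticket in the same window.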
Every step I take looks legitimate because it uses legitimate access, and nothing screams alarm. I am not interested in the first machine. I want the account that controls all the others. Once I reach administrative control I no longer need to break anything. I simply manage your environment the way your own team does, except my objective is theft, disruption, or ransom. This is why the phishing email was never really about the email. It is about everything that email is allowed to reach.
You spend fortunes on the perimeter and almost nothing on the assumption that someone is already inside. Flat networks, over-permissioned identities, dormant admin accounts, and unmonitored internal traffic turn a single mistake into a full takeover. The thing that stops me is not a smarter spam filter. It is an organization that treats internal trust as something earned and verified continuously, that segments what matters, that watches how identities actually behave, and that assumes the click will eventually happen. Because it will.
The question was never whether someone opens the wrong message. The question is how far I get once they do.
Reach out if you want to discuss your risk profile.
