Targeted Phishing Attempt with Personal and Company Emails – Concerned About Data Breach
Posted by SignificanceFair3298@reddit | sysadmin | 4 comments
Hi all
Has anyone encountered something like this?
Around 100 users received a poorly constructed phishing email. The header shows the CEO’s name, but the envelope sender is a random generic email address. Our impersonation policy caught it, as it always does, so no harm done this time.
What’s troubling is that the attacker used both personal and company email addresses for each recipient in the "To" field. How could they have this information? Could it indicate a breach in our HR system?
What’s the goal here? Are they hoping someone responds so they can escalate to a money request?
I checked several users’ email addresses on “Have I Been Pwned,” and most were compromised in the massive 2019 PDL breach involving 1.2 billion records. Still, I can’t figure out how they’re matching personal and company email addresses like this.
Is this just better-organized data mining or the start of more advanced, AI-driven attacks?
Here’s what the email looked like:
From: "CEO Name" randomnumbers*@domain.co.uk
To: personalemail@gmail.com, companyemail@companydomain.com, previouscompanyemail@domain.com
Subject: [Company Name]
Body:
Hi [First Name],
Are you available now?
Kind regards
Would love to hear if others have faced this and what steps you took to investigate further.
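Added example, not part of the original post: a Python triage sketch for a message shaped like the one quoted above. It flags a protected display name on an outside sender address and lists which non-company addresses were placed next to a staff mailbox in the "To" header, which helps when working out where the sender's data came from. The protected name, the internal domain and the sample message are constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed values for illustration; replace with your own directory data.
PROTECTED_NAMES = {"ceo name"}             # display names worth protecting
INTERNAL_DOMAINS = {"companydomain.com"}   # domains your org actually sends from

# Constructed sample modelled on the message quoted in the post.
SAMPLE = """From: "CEO Name" <randomnumbers@domain.co.uk>
To: personalemail@gmail.com, companyemail@companydomain.com, previouscompanyemail@domain.com
Subject: [Company Name]

Hi [First Name],
Are you available now?
Kind regards
"""

def domain_of(address):
    """Return the lower-cased domain part of an address ('' if none)."""
    return address.rpartition("@")[2].lower()

def triage(raw_message):
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    # A protected name on an address outside the org's own domains.
    impersonation = (
        " ".join(display_name.lower().split()) in PROTECTED_NAMES
        and domain_of(from_addr) not in INTERNAL_DOMAINS
    )
    recipients = [a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a]
    internal = [a for a in recipients if domain_of(a) in INTERNAL_DOMAINS]
    external = [a for a in recipients if domain_of(a) not in INTERNAL_DOMAINS]
    return {
        "impersonation": impersonation,
        "internal_recipients": internal,
        "external_recipients": external,
        # True when the sender already links a staff mailbox to outside addresses.
        "linked_identities": bool(internal and external),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Running it across all ~100 copies and grouping `external_recipients` by user shows which personal and former-employer addresses the sender holds for each person, which can then be compared against what the HR system actually stores.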
reegz@reddit
They’re often vendor databases for sales that get leaked or stolen.
drunkenitninja@reddit
Or they offshored some of their workforce.
LodanMax@reddit
Sounds like they scraped LinkedIn. People shouldn’t make their work email visible there.
SignificanceFair3298@reddit (OP)
I think you're right, because LinkedIn also keeps coming up in the search.