A hacker pulled a successful phishing attack on an employee, what can he really do after?
Posted by WhateverHowever1337@reddit | sysadmin | 26 comments
Something I don't understand (I'm just a CS student, not a professional) is company phishing attacks.
Normal personal phishing attacks are simple enough: you are targeting Facebook, and if you get the login info you can go to facebook.com and use it.
But what about phishing attacks on organisations? It's not like there is a companyname.com/employee-login. How do they make use of the credentials? How do they even build a phishing page if they don't know what the employee login looks like? I would also assume all internal services are behind a firewall / need a VPN.
If they download malware that's another thing, but why is a phishing attack even a risk vector?
jcamdenlane@reddit
Direct deposit redirection for low level staff. Identify the HR contact and request a bank account change as the employee. Or if a payroll service is used, many use the primary corporate email for “multi factor” checks. Gain access to the employee’s corporate email account and use it to reset the payroll account password and just make the necessary bank account changes themselves.
ADynes@reddit
Because they log into their webmail and then send something out to all their contacts telling them to click on some link either to get more logins or to download malware.
WhateverHowever1337@reddit (OP)
How can they even access the webmail? If it's only accessed through a VPN, there is no risk even if the password is 1234. If I give you a key to a house that has a billion dollars, and that house is on the moon, is it worth anything really? That's what I fail to understand.
Grantsdale@reddit
Most companies don’t use internal or self hosted email. It’s pretty much all MS365 and Google Workspace, with some using other services. But almost no one self hosts.
InsaneChaos@reddit
Conditional access is very seldom implemented too.
But if I had theoretically phished someone's email credentials, I am definitely going to immediately try both login.microsoftonline.com and mail.google.com logins.
moffetts9001@reddit
Because 99% of orgs do not have their webmail behind a VPN. The goal of phishing a user is to become that user and hopefully they have high level permissions that can be exploited through horizontal movement. Can the user access Citrix/RDS, can it log into the M365 admin portal, can it access webmail, is it a domain admin, etc. Sometimes the attacker gets lucky with a high privilege user, other times they specifically target certain people in the org.
There are obviously a lot of ways to mitigate these risks, but there's also continual development on the offensive side, too.
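Added example (not from the thread or any commenter): one of the mitigations moffetts9001 alludes to is simply watching where a user's successful cloud sign-ins come from, since a phished credential is usually replayed from somewhere the user has never logged in from, and within hours of a legitimate sign-in elsewhere. The script below learns each user's normal countries from a few days of history and then flags successful sign-ins from a new country and "impossible travel" pairs. The events, field names, user names and IPs are all constructed for the example and are not the schema of any particular identity provider.

```python
"""Flag successful cloud sign-ins that break a user's location baseline.

Added example, not from the thread. SAMPLE_SIGNINS is constructed and the
field names (ts, user, ip, country, ok) are assumptions, not a real log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a UK-based user, a US-based user, and one night-time
# sign-in for the UK user from a country never seen before.
SAMPLE_SIGNINS = [
    {"ts": "2024-05-01T08:02:00", "user": "john.doe@example.com", "ip": "203.0.113.10", "country": "GB", "ok": True},
    {"ts": "2024-05-02T08:10:00", "user": "john.doe@example.com", "ip": "203.0.113.10", "country": "GB", "ok": True},
    {"ts": "2024-05-03T09:00:00", "user": "john.doe@example.com", "ip": "203.0.113.11", "country": "GB", "ok": True},
    {"ts": "2024-05-06T03:14:00", "user": "john.doe@example.com", "ip": "198.51.100.7", "country": "NG", "ok": False},
    {"ts": "2024-05-06T03:15:00", "user": "john.doe@example.com", "ip": "198.51.100.7", "country": "NG", "ok": True},
    {"ts": "2024-05-06T08:30:00", "user": "john.doe@example.com", "ip": "203.0.113.10", "country": "GB", "ok": True},
    {"ts": "2024-05-01T10:00:00", "user": "jane.roe@example.com", "ip": "192.0.2.5", "country": "US", "ok": True},
    {"ts": "2024-05-04T10:05:00", "user": "jane.roe@example.com", "ip": "192.0.2.5", "country": "US", "ok": True},
]

BASELINE_DAYS = 3                    # history used to learn each user's normal countries
TRAVEL_WINDOW = timedelta(hours=6)   # two countries inside this window = impossible travel


def _parse(ev):
    return datetime.fromisoformat(ev["ts"])


def build_baseline(events, baseline_days=BASELINE_DAYS):
    """Per user: set of countries seen in successful sign-ins during that
    user's first baseline_days of history."""
    first_seen = {}
    for ev in sorted(events, key=_parse):
        first_seen.setdefault(ev["user"], _parse(ev))
    baseline = defaultdict(set)
    for ev in events:
        if ev["ok"] and _parse(ev) - first_seen[ev["user"]] < timedelta(days=baseline_days):
            baseline[ev["user"]].add(ev["country"])
    return baseline


def find_suspicious_signins(events, baseline_days=BASELINE_DAYS, travel_window=TRAVEL_WINDOW):
    """Return alerts as (user, timestamp, reason) tuples in time order.

    Failed attempts are skipped: a failed guess is noise, a success from a
    place the user has never been is the thing worth waking someone up for."""
    baseline = build_baseline(events, baseline_days)
    alerts = []
    last_ok = {}  # user -> (datetime, country) of the previous successful sign-in
    for ev in sorted(events, key=_parse):
        if not ev["ok"]:
            continue
        user, ts, country = ev["user"], _parse(ev), ev["country"]
        if country not in baseline[user]:
            alerts.append((user, ev["ts"], f"new-country:{country}"))
        prev = last_ok.get(user)
        if prev and prev[1] != country and ts - prev[0] <= travel_window:
            alerts.append((user, ev["ts"], f"impossible-travel:{prev[1]}->{country}"))
        last_ok[user] = (ts, country)
    return alerts


if __name__ == "__main__":
    for user, ts, reason in find_suspicious_signins(SAMPLE_SIGNINS):
        print(f"{ts} {user} {reason}")
```

Both alerts in the sample land on john.doe: the 03:15 success from a country outside his baseline, and then his own 08:30 sign-in from GB, which is flagged because it is only five hours after the NG one. That second alert is on the legitimate event, which is the point: impossible travel is a property of the pair, and the analyst needs both timestamps to decide which one was the user.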
fatalicus@reddit
If your school is teaching you that most companies are using VPN to access company email, they are either lying or incompetent.
ConsciousIron7371@reddit
Your VPN by definition has to be public facing. Most corporations and institutions are using a small handful of different vpn providers. There’s a pretty good chance an attacker can brute force and find the vpn then use the credentials to log in there and get access to webmail. Which is almost never hosted behind a vpn.
Most companies are using SSO and most of them have a web portal listing many apps that users utilize in one place. So if you get someone’s credentials you can get a list of apps that those credentials let you access and get into all of them. So phishing someone gives you access to their mail, then their HR system and payroll, and then all of the actual business apps so the attacker can just export as much data as possible then ransom the company to not leak that information.
ADynes@reddit
Using a VPN and using Webmail are two very different things.
MushyBeees@reddit
Phish user, obtain user's username, password and MFA token.
They effectively become the user.
Credentials can then be used in about 99% of cases to either:
1) business email compromise - they log on to the user's email service (I read your other replies… it's 99.9% of the time public, not behind a VPN). From here they either obtain info on the company staff structure, who authorises/makes payments etc, then try to trick somebody into sending the hacker a bunch of money.
Or if the user isn't useful, they'll probably email all their/the company's contacts trying to phish more users
Or
2) ransomware. They'll use the stolen credentials to log on to the company network (usually VPN or RDS - these will use the same credentials). From here they will typically use exploits to shut down any security services (BYOVD, google it), pivot to a privileged account (LSASS hack or other), exfiltrate the company's data then encrypt everything.
Agreeable-Buy-999@reddit
imo you're overestimating how much is actually behind the firewall these days. A huge amount of corporate infrastructure is cloud-hosted with public login pages. Phish the SSO creds and you potentially have access to email, file shares, internal wikis, all of it.
Jrreid@reddit
Sending spam or more phishing attempts to internal targets that would bypass most content filters
Data exfiltration from cloud services (SharePoint, etc)
Accessing company portal and changing payroll details to send to the scammer's (or a mule's) accounts
That's just the start of the list.
WhateverHowever1337@reddit (OP)
How would they access the company portal? They don't even know where it is, and even if they do I really don't think in 2026 there are still companies that don't filter incoming traffic to internal services.
that_star_wars_guy@reddit
You should not assume that. You should not assume that companies will follow best practice. You should not assume that the "correct" or "logical" implementation in your specific corpo env.
Don't assume. It's the single best advice you can internalize while working...well in any capacity whatsoever.
Quinnlos@reddit
You're thinking of a best case scenario where a company is appropriately hardened.
This is the student mindset and is understandable.
In the real world you're going to encounter companies that don't want any form of device or general anti-virus, xyz. If you're lucky, previous IT got them to acquiesce on that stupidity, but most times they will have one or two very bad security postures because someone in C-Suite or elsewhere got their way.
For most folks, if their email gets compromised, it just takes a quick download of the inbox and then perusing through to fully map how the typical employee accesses company data and resources, and then if you're not caught while researching there you press forward, if not you just spear phish someone else using the contacts list you now have.
Jrreid@reddit
Usually from some quick research. Especially with any decent sized organization they often have an employee section of their website with links to their internal portal.
And with most things being cloud based these days, organizations rely more on SSO and conditional access policies than firewalls and VPNs for protecting a lot of services. And many of those cloud services use generic login portals that redirect based on your credentials to your organization's specific instance.
mcfc9320_@reddit
Phishing is 99% socially engineered and is very successful because humans are very predictable. The big danger in most phishing is credential capture because humans are dumb and often use the same password for everything. So once they have one known password and a user's name, they start spamming a million sites hoping some combination of username and known good password works.
Also, even professionals are stupid. They will use the same technique above only with common admin names. If the user is too low-level for that, the hope is they will spread the message to users in the company with greater privilege but maybe now more trusting because the email came from a known source.
TL;DR: What can a bad actor do with phished credentials? A whole hell of a lot.
Th3Sh4d0wKn0ws@reddit
These days most phishing pages I encounter look like a Microsoft login page and dynamically clone the actual organization login page based on the domain in the email.
The attacks we receive are geared towards Office 364 users so they talk about things like OneDrive and Sharepoint and then give you a very authentic looking Microsoft login page.
When they succeed they now have credentials to log in as that user. That's access to their email, OneDrive, SharePoint and so on. Typically they send out more phishing attacks from the compromised account since the emails will look like they're coming from a trusted source. There's no telling what access an org might be exposing with just one account. If they get the right account, they could ask a coworker to verify a large wire transfer.
WhateverHowever1337@reddit (OP)
Thank you that makes sense, so they basically target logins to common services that most companies use. I thought they target access to stuff like internal dashboards
CoolJBAD@reddit
You generally have to understand the hacker's or hacker group's purpose.
Internal dashboards? Nah, that won't really get you anything in the market.
Identities, credentials, infra. Those things can be sold or used to get access to more of the same.
One group wants W-2s in the US for identity fraud, another may want to figure out your invoicing processes to send a fake invoice that might get paid. Others want to intercept direct deposits or find your database and blackmail you/hold you hostage for payment like what happened with Canvas.
Th3Sh4d0wKn0ws@reddit
I don't think I explained it well enough. If they get an Office365 login, something like john.doe@company.com that's likely the authentication mechanism used for everything at the org. This is called SSO. So at the surface it might seem like they just got a user's email password but that's also how they login to computers, 3rd party services, remote access services etc.
pcr3@reddit
A phishing attack generally collects privileged information and/or sometimes login tokens. With the login tokens, depending on environment, they can also download all the documents that that user has access to.
This information can later be used to spear phish someone internally in the organization, or to use that account to send out more external attempts to collect more information from the business's client base.
WhateverHowever1337@reddit (OP)
Do employees that fall for it usually get fired?
nakfil@reddit
At bad companies they get fired. At good companies it’s used as a learning experience and the victim is not punished (barring some extremely gross negligence or policy violation)
Gunny2862@reddit
It's kind of genius because scammers rely on employees' fear of/need to please their higher-ups. They send a lowly employee a message from upper management asking them to do something and a good percentage of them will just do whatever they ask out of instinct.
Triairius@reddit
Something I’ve seen a few times at my workplace is compromised vendor accounts. They’ll get into an email, create inbox rules to hide what they send and receive, and they’ll try to get invoices paid to a different account, claiming to be changing banks. They’ll use the same signatures but change the phone number in it. They’ll create fake accounts that look similar to their colleagues that were CC’d in previous emails to make it look more legit. It can get pretty convincing until you talk to the real vendor and they have no clue about these requests.
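Added example (not from the thread or any commenter): the inbox rules Triairius describes, and the bank-change invoice play jcamdenlane and Jrreid mention, leave a very checkable trace in the mailbox itself. A rule that moves anything mentioning "invoice" or "payment" into RSS Feeds, deletes replies from a particular vendor address, or forwards "wire" threads to an outside mailbox is how the attacker keeps the real employee from seeing the conversation. The scorer below runs over a constructed dump of inbox rules from three mailboxes and ranks the ones that fit those patterns; the rule records, field names, addresses and folder names are all invented for the example and do not correspond to any mail system's export format.

```python
"""Score mailbox inbox rules for the hiding patterns used in vendor/BEC compromises.

Added example, not from the thread. SAMPLE_RULES is constructed and the field
names (mailbox, name, keywords, from, action, folder, forward_to, delete) are
assumptions, not the schema of any particular mail platform.
"""
import re

INTERNAL_DOMAIN = "example.com"

# Folders a user rarely opens; moving mail there is a classic way to hide replies.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}

# Wording a BEC operator filters on so the victim never sees the finance thread.
FINANCE_WORDS = re.compile(r"\b(invoice|payment|wire|bank|account change|remit|ach)\b", re.I)

# Constructed sample: two benign sorting rules and three attacker-style ones.
SAMPLE_RULES = [
    {"mailbox": "ap@example.com", "name": "Newsletters", "keywords": ["newsletter"], "from": [],
     "action": "move", "folder": "Newsletters", "forward_to": None, "delete": False},
    {"mailbox": "ap@example.com", "name": ".", "keywords": ["invoice", "payment"], "from": [],
     "action": "move", "folder": "RSS Feeds", "forward_to": None, "delete": False},
    {"mailbox": "ap@example.com", "name": "x", "keywords": [], "from": ["vendor-accounts@supplier.test"],
     "action": "delete", "folder": None, "forward_to": None, "delete": True},
    {"mailbox": "ceo@example.com", "name": "fwd", "keywords": ["wire"], "from": [],
     "action": "forward", "folder": None, "forward_to": "ceo.example@gmail.test", "delete": False},
    {"mailbox": "hr@example.com", "name": "Sort HR", "keywords": ["benefits"], "from": [],
     "action": "move", "folder": "HR", "forward_to": None, "delete": False},
]


def _is_external(address, internal_domain=INTERNAL_DOMAIN):
    """True when the forward target is outside the organisation's own domain."""
    return address is not None and not address.lower().endswith("@" + internal_domain)


def score_rule(rule, internal_domain=INTERNAL_DOMAIN):
    """Return (score, reasons). Higher score = more likely attacker-created."""
    score, reasons = 0, []
    # 1. External forwarding: the attacker keeps reading the thread after losing the session.
    if _is_external(rule.get("forward_to"), internal_domain):
        score += 3
        reasons.append("forwards externally")
    # 2. Delete, or move to a rarely-read folder: the real user never sees the reply.
    if rule.get("delete"):
        score += 2
        reasons.append("deletes matching mail")
    elif rule.get("folder") and rule["folder"].lower() in HIDING_FOLDERS:
        score += 2
        reasons.append(f"moves to hiding folder '{rule['folder']}'")
    # 3. Finance wording: the rule is steering an invoice / bank-change conversation.
    if any(FINANCE_WORDS.search(k) for k in rule.get("keywords", [])):
        score += 2
        reasons.append("matches finance keywords")
    # 4. Throwaway names ("." or a single character) are typical of hands-on-keyboard rule creation.
    if len(rule.get("name", "").strip()) <= 1:
        score += 1
        reasons.append("near-empty rule name")
    return score, reasons


def suspicious_rules(rules, threshold=3, internal_domain=INTERNAL_DOMAIN):
    """Rules scoring at or above threshold, as (mailbox, name, score, reasons)."""
    out = []
    for r in rules:
        s, why = score_rule(r, internal_domain)
        if s >= threshold:
            out.append((r["mailbox"], r["name"], s, why))
    return out


if __name__ == "__main__":
    for mailbox, name, score, why in suspicious_rules(SAMPLE_RULES):
        print(f"{mailbox} rule {name!r} score={score}: {', '.join(why)}")
```

The weights are deliberately coarse. A single signal (a rule named "x", or one that files mail under Archive) is not worth an alert on its own; the combination of a hiding action with finance keywords or an external forward is what matches the vendor-compromise pattern, so the threshold is set just above any single signal. Pairing this with a check for recently changed signature blocks, which the post also mentions, is the natural next step, but that needs message bodies rather than rule metadata.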