The modern workplace has expanded beyond email. Attackers now exploit collaboration tools, supplier relationships and human trust to bypass defenses and compromise accounts. This five-part blog series raises awareness of these shifting tactics and introduces our holistic approach to protecting users.
In this first blog, we follow a determined attacker, Alex, as he targets unsuspecting victims in today’s evolving digital workplace.
Meet the attacker: a persistent threat actor who won’t stop. Let’s call him Alex. He’s part of a cybercrime organization that runs like a business—organized, patient and highly experienced. They don’t rely on quick wins; they play the long game, knowing that one compromised account can unlock valuable access to sensitive systems, financial data and corporate networks.
His latest target? A financial services firm where, like most modern organizations, employees, partners and customers communicate and collaborate across multiple channels including Slack, Teams, SMS and Zoom.
Digital workspaces at risk.
The people within this business ecosystem trust the collaboration tools that they use every day. Alex knows exactly how to exploit this trust. Frustratingly for him, he knows that email security at many organizations has never been stronger.
Organizations, particularly those that are Proofpoint customers, enjoy the benefits of AI-driven threat protection, which includes advanced language analysis, complex data analysis, anomalous user behavior detection, and adaptive machine learning. This makes traditional email phishing attacks much less effective than they used to be. Alex knows that to be successful he must evolve his strategy. Instead of email, he sets his sights on Microsoft Teams. If he can lure just one high-value person into a trap, he can steal credentials, bypass MFA and move laterally inside the organization.
This is why a layered security approach is critical—because, as we’ll see, no single security control is enough to stop a persistent attacker like Alex.
Step 1: Finding the perfect target (reconnaissance)
Alex does his homework. Using LinkedIn, social media, ChatGPT, press releases, job postings and regulatory filings, he identifies an organization, maps out its structure to find potential gaps and then picks the ideal person to target.
After some research, Alex finds a perfect scenario:
- From a partner’s press release he learns that the organization has outsourced its human resources (HR) function to a third-party vendor.
- He identifies a target: Rachel, the senior finance director. She has authority and access to sensitive data.
Step 2: Crafting the perfect lure (impersonation and weaponization)
Alex knows that email won’t work at this organization because it is protected by Proofpoint email security. So, he sets up his own Microsoft 365 tenant and creates an account in it that impersonates the HR vendor. Because Teams external access lets users in other tenants message Rachel directly, he sends her a Teams message that appears to come from the HR vendor, claiming that she must approve her tax file adjustment before a deadline.
The message looks trustworthy:
- It uses the HR vendor’s branding and a lookalike of the vendor’s real domain.
- It references a real tax deadline.
- It includes a malicious link that is disguised as a secure document.
Fraudulent Teams message.
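A lookalike domain is the one part of this lure that a triage analyst, or an automated check on external Teams senders, can test mechanically. The following Python is an added example, not code from the original post or from any Proofpoint product. It compares an external sender’s domain against a constructed list of approved supplier domains (acmehr.com and contoso.com are assumptions) and flags typosquats, confusable characters, hyphen and TLD variations, and the legitimate domain used as a prefix of a longer attacker-owned name:

```python
import unicodedata

# Constructed list of approved supplier domains (an assumption for this example;
# a real deployment loads it from its own vendor register).
KNOWN_DOMAINS = {"acmehr.com", "contoso.com"}

# Characters that render like Latin letters in common UI fonts.
_CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic c x y i
}
_DIGRAPHS = (("rn", "m"), ("vv", "w"))


def normalize_label(label: str) -> str:
    """Collapse a DNS label so visually similar spellings compare equal."""
    label = label.lower()
    # Strip diacritics ('ö' -> 'o') by NFKD-decomposing and dropping combining marks.
    label = "".join(ch for ch in unicodedata.normalize("NFKD", label)
                    if not unicodedata.combining(ch))
    label = "".join(_CONFUSABLES.get(ch, ch) for ch in label)
    for src, dst in _DIGRAPHS:
        label = label.replace(src, dst)
    return label.replace("-", "").replace("_", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _labels_and_brand(domain: str):
    """Split a domain into its labels and the 'brand' label left of the suffix.
    Simplification: assumes a one-label public suffix such as .com, not co.uk."""
    labels = domain.strip().lower().rstrip(".").split(".")
    if labels[0] == "www":
        labels = labels[1:]
    brand = labels[-2] if len(labels) >= 2 else labels[0]
    return labels, brand


def classify_sender_domain(sender_domain: str, known_domains=KNOWN_DOMAINS):
    """Classify an external sender's domain against the approved supplier list.

    Returns (verdict, matched_domain): verdict is 'known', 'lookalike' or
    'unrelated'; matched_domain is the approved domain matched or impersonated.
    """
    sender = sender_domain.strip().lower().rstrip(".")
    for known in known_domains:
        if sender == known or sender.endswith("." + known):
            return "known", known          # the vendor's own domain or a subdomain of it
    s_labels, s_brand = _labels_and_brand(sender)
    s_norm = normalize_label(s_brand)
    for known in known_domains:
        k_labels, k_brand = _labels_and_brand(known)
        k_norm = normalize_label(k_brand)
        # 1. Approved domain used as a prefix of a longer, attacker-owned name:
        #    acmehr.com.docs-secure.net
        if len(s_labels) > len(k_labels) and s_labels[:len(k_labels)] == k_labels:
            return "lookalike", known
        # 2. Same brand once confusables are normalised: acrnehr.com, acme-hr.com,
        #    c0ntoso.com, acmehr.co (different TLD)
        if s_norm == k_norm:
            return "lookalike", known
        # 3. One-character typo of a brand long enough for that to be unlikely by chance
        if len(k_norm) >= 5 and levenshtein(s_norm, k_norm) <= 1:
            return "lookalike", known
        # 4. Brand embedded in a longer label: acmehr-payroll.com
        if len(k_norm) >= 5 and k_norm in s_norm:
            return "lookalike", known
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sample of sender domains, as they might appear on Teams external messages.
    for d in ["acmehr.com", "acrnehr.com", "acme-hr.com", "acmehr.co",
              "acmehr.com.docs-secure.net", "c\u043entoso.com", "microsoft.com"]:
        print(f"{d:32} -> {classify_sender_domain(d)}")
```

The rules are ordered from strongest to weakest evidence, so the domain returned is the one most likely being impersonated. The suffix handling is deliberately naive (the label left of the last one is treated as the brand); suppliers under two-label suffixes such as co.uk need a public-suffix list before the brand comparison is meaningful.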
Rachel, who’s busy with quarterly reporting, clicks the link and enters her Microsoft 365 credentials as prompted into a fake login page.
Step 3: Gaining control (account compromise)
Rachel’s organization enforces multifactor authentication (MFA). But Alex has a tool to get around it. Capturing Rachel’s password is not enough; he still needs to satisfy MFA to complete the account takeover. Fortunately (for him), he is using the well-known Tycoon 2FA adversary-in-the-middle (AitM) phishing kit. The fake login page is really a reverse proxy: it relays Rachel’s username, password and one-time MFA code to Microsoft in real time and captures the session cookie that Microsoft issues once MFA succeeds. That cookie alone gives Alex her authenticated session, so he never needs her MFA code again. Rachel, thinking she just verified her login and properly submitted the form, moves on with her day. Unbeknownst to her, Alex now has full access to her Microsoft 365 account.
Step 4: Completing the attack (privilege escalation, lateral movement and impact)
Now that Alex controls Rachel’s account, the real damage begins. Gaining initial access is only step one. His goal is to escalate privileges, expand access, gain persistence, commit fraud, steal money and exfiltrate high-value data. Alex next uses her identity to deceive other employees. From her mailbox, he emails her accounts payable colleagues requesting urgent vendor payments.
Example of a phishing message used by a threat actor.
Because the message is coming from a trusted colleague, the finance team member who receives the email doesn’t hesitate. They process the transfer, unknowingly sending funds directly to Alex’s offshore account.
Alex also knows that once the organization realizes something is wrong, it will cut off his access. To stay inside longer, he registers new authentication methods on Rachel’s account, such as an authenticator app on his own device, so that he can satisfy MFA himself even after her password is reset. He also uses Rachel’s account to gain control of other internal accounts. This is where many security teams fail. They may eventually detect the initial malicious login, but unless they correlate it with what followed (the session being used from a new address, the new MFA method, the new device, the messages to colleagues) they can’t see the full scope of the attack. So they remain one step behind Alex.
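Steps 3 and 4 together describe the chain a detection engineer should correlate: an MFA-satisfied sign-in from an address the user has never used, the resulting session being used from yet another address, and then new authentication methods or devices appearing within hours. The Python below is an added example, not code from the original post or from any product. It runs that correlation over constructed JSON-lines events in a simplified schema; the field names, user names, IP addresses, thresholds and the 2025-03-05 baseline cut-off are all assumptions, and real Microsoft Entra sign-in and audit logs use different field names:

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed JSON-lines events in a simplified schema (an assumption for this
# example; real Microsoft Entra sign-in and audit logs use different field names).
# Events before BASELINE_UNTIL are used only to learn each user's normal addresses.
SAMPLE_LOG = """\
{"ts": "2025-03-03T08:58:00Z", "user": "rachel@example.com", "ip": "198.51.100.20", "event": "signin_interactive", "mfa": true}
{"ts": "2025-03-03T09:10:00Z", "user": "dave@example.com", "ip": "198.51.100.21", "event": "signin_interactive", "mfa": true}
{"ts": "2025-03-04T08:57:00Z", "user": "rachel@example.com", "ip": "198.51.100.20", "event": "signin_interactive", "mfa": true}
{"ts": "2025-03-07T10:15:00Z", "user": "rachel@example.com", "ip": "203.0.113.55", "event": "signin_interactive", "mfa": true}
{"ts": "2025-03-07T10:22:00Z", "user": "rachel@example.com", "ip": "203.0.113.77", "event": "signin_noninteractive", "mfa": false}
{"ts": "2025-03-07T10:40:00Z", "user": "rachel@example.com", "ip": "203.0.113.77", "event": "mfa_method_added", "detail": "Authenticator app"}
{"ts": "2025-03-07T11:05:00Z", "user": "rachel@example.com", "ip": "203.0.113.77", "event": "device_registered", "detail": "Windows device"}
{"ts": "2025-03-07T11:30:00Z", "user": "dave@example.com", "ip": "198.51.100.21", "event": "signin_interactive", "mfa": true}
{"ts": "2025-03-07T12:00:00Z", "user": "dave@example.com", "ip": "198.51.100.21", "event": "signin_noninteractive", "mfa": false}
"""
BASELINE_UNTIL = datetime(2025, 3, 5, tzinfo=timezone.utc)

PERSISTENCE_EVENTS = {"mfa_method_added", "device_registered"}
PERSISTENCE_WINDOW = timedelta(hours=24)   # new MFA method/device this soon after an odd sign-in
TOKEN_REUSE_WINDOW = timedelta(hours=1)    # session used from a different address this soon
SEVERITY = {"new_ip_signin": "medium",
            "session_used_from_other_ip": "high",
            "persistence_after_new_ip_signin": "critical"}


def parse_events(text):
    """Parse JSON lines into event dicts with timezone-aware timestamps, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_account_takeover(events, baseline_until=BASELINE_UNTIL):
    """Correlate sign-ins with what follows them and return a list of alerts."""
    seen_ips = defaultdict(set)       # user -> addresses of earlier interactive sign-ins
    last_interactive = {}             # user -> most recent interactive sign-in event
    suspicious = defaultdict(list)    # user -> interactive sign-ins from unseen addresses
    alerts = []
    for ev in events:
        user, ip, kind, ts = ev["user"], ev["ip"], ev["event"], ev["ts"]
        if kind == "signin_interactive":
            if ts >= baseline_until and ip not in seen_ips[user]:
                # First sign-in from this address after the learning period. On its own
                # this is only medium: users travel. An AitM proxy looks exactly like this.
                alerts.append({"rule": "new_ip_signin", "user": user, "ts": ts, "ip": ip})
                suspicious[user].append(ev)
            seen_ips[user].add(ip)
            last_interactive[user] = ev
        elif kind == "signin_noninteractive":
            # A token minted by an interactive sign-in is now used from elsewhere:
            # consistent with a stolen session cookie replayed from the attacker's machine.
            prev = last_interactive.get(user)
            if prev and ts - prev["ts"] <= TOKEN_REUSE_WINDOW and ip != prev["ip"]:
                alerts.append({"rule": "session_used_from_other_ip", "user": user,
                               "ts": ts, "ip": ip, "signin_ip": prev["ip"]})
        elif kind in PERSISTENCE_EVENTS:
            # New MFA method or device shortly after a sign-in from an unseen address:
            # the attacker making sure a password reset alone will not evict them.
            for s in suspicious[user]:
                if timedelta(0) <= ts - s["ts"] <= PERSISTENCE_WINDOW:
                    alerts.append({"rule": "persistence_after_new_ip_signin", "user": user,
                                   "ts": ts, "ip": ip, "event": kind, "signin_ts": s["ts"]})
                    break
    return alerts


def triage(alerts):
    """Highest severity per user, so the response queue starts with likely takeovers."""
    rank = {"medium": 1, "high": 2, "critical": 3}
    worst = {}
    for a in alerts:
        sev = SEVERITY[a["rule"]]
        if rank[sev] > rank.get(worst.get(a["user"]), 0):
            worst[a["user"]] = sev
    return worst


if __name__ == "__main__":
    found = detect_account_takeover(parse_events(SAMPLE_LOG))
    for a in found:
        print(a["ts"].isoformat(), SEVERITY[a["rule"]].upper(), a["user"], a["rule"])
    print(triage(found))
```

On the constructed sample, Rachel’s account produces four alerts and a critical verdict while Dave’s routine activity produces none. The point of the chain is that the first alert alone (a sign-in from a new address) is routinely ignored; only the correlation with the session reuse and the new MFA method turns it into a response-worthy account takeover.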
The takeaway: today’s expanded workspace creates more opportunities for cybercriminals
Cybercriminals like Alex know that modern businesses communicate and collaborate across multiple channels—email, Microsoft Teams, Slack, cloud apps and beyond. Their goal isn’t just to send one email phishing attempt and hope for the best. They understand that if one attack fails, another entry point will eventually succeed. Also, to increase their chances, they’ve expanded their tactics. They use impersonation and compromised supplier accounts to exploit trust. Plus, they rely on tried-and-true tactics like social engineering to manipulate human behavior.
Multilayered email security remains a key element of protecting people and organizations. However, it must be expanded into a holistic, human-centric solution that addresses every human risk challenge:
- Extended user protection beyond email. Threat prevention must cover all digital communication channels—Microsoft Teams, Slack, Zoom, social media and SMS. By blocking threats before they reach users, you can reduce the burden on employees who don’t have time to scrutinize every message that they receive.
- Holistic brand and supplier defense. Successful attacks rely on trust. You must safeguard your organization’s reputation and digital trust. This means that you need to eliminate spoofed domains, fraudulent supplier emails and impersonation attacks that target your customers, partners and employees.
- Empowered employees motivated to recognize and report threats. Even if you have cutting-edge threat protection that can block most attacks, some threats will still make it through. When that happens, your people are a critical line of defense. Security awareness education must be continuous and adaptive. This ensures your employees stay resilient against evolving threats.
- Early detection of and response to compromised accounts. Finally, as cybercriminals see their email-based attacks break down, they will persist. They still have other ways to compromise accounts, such as adversary-in-the-middle phishing, brute-force attacks and helpdesk social engineering. In these cases, early detection and response are essential to limit the impact.
Conclusion
In summary, security teams need to ask themselves:
- Are we stopping threats before they reach our employees across all digital communication channels?
- Are we maintaining trust within our business communications ecosystem?
- Are we ensuring that our people are equipped to recognize and report attacks?
- Are we detecting and responding to compromised accounts before they cause major damage?
If the answer isn’t a confident “yes”, now is the time to re-evaluate your strategy. In the rest of this five-part series, we’ll break down the essential layers of extended threat protection, impersonation defense, user resilience and account takeover protection, showing how organizations can stay ahead of attackers.
Protect your people with human-centric security
As digital workspaces expand, attackers continue to target people. While email remains the primary threat vector, cybercriminals are exploiting new channels like messaging and collaboration platforms, cloud apps and file-sharing services. This has created a fragmented security landscape of disconnected point products, resulting in higher operational costs and growing security gaps. This is where Proofpoint can help.
Proofpoint Prime Threat Protection provides a single, comprehensive solution to defend against all human-centric threats, both current and emerging. It combines a wide range of security protections to help you maximize threat prevention. It features:
- Accurate threat detection—Prevents the widest variety of threats
- AI-powered account protection—Defends against account takeovers and compromised supplier accounts
- Risk-based targeted training—Guides users to make safer choices when faced with threats
- Phishing protection across platforms—Blocks malicious links from multiple platforms
- Impersonation protection—Protects your brand reputation from being abused
- Human risk management—Identifies high-risk users and automates adaptive security controls
With Proofpoint Prime, you can better protect your people and your business. Prime reduces alert fatigue with highly accurate threat detection, improves efficiency through detailed risk insights and automates security workflows. Combined with pre-built integrations and shared threat intelligence, your security and IT teams can accelerate deployments while reducing costs by eliminating fragmented point solutions across your organization.
To learn more about Proofpoint Prime, check out our web page on Prime Threat Protection.
Stay tuned to learn more
In our next blog, we’ll take a closer look at why platforms like Microsoft Teams, Slack and Zoom are the new front line for cyberattacks—and what you can do to protect them.