by Jason Downey

The Aftermath Blog series isn’t about tools or exploits. It’s about what happens after the attack. We’re focusing on the business side: what was found, how it was fixed, and what impact it had.

Each post walks through part of a real attack path, based on techniques we’ve used at Red Siege. It didn’t all happen at once, but every step is something we’ve seen in real-world engagements.

Let’s dive right in with the first entry—The Phone Call.


The Phone Call

Making social engineering phone calls—aka vishing—continues to be my favorite and highest success rate method of compromising an organization. In my experience, it leads to some level of compromise in probably 90% of my engagements.

What Had Happened Was…

This particular engagement started off like normal. Using basic OSINT and some solid LinkedIn scrapers, I managed to pull together a strong list of employees I could impersonate when placing calls to the organization. Before the engagement started, I was warned that their help desk had undergone extensive security training and had a solid process in place. I quickly found out—they weren’t lying.

The help desk used an internal company directory containing an employee ID number different from their domain account. No matter what ruse I tried, no amount of coercion convinced a help desk employee to bypass that process.

Trying not to get discouraged, I began making calls to other departments to learn about their processes. This eventually led me to a support desk for their Human Resources portal, separate from the actual Human Resources department. I called this Human Resources support number, impersonated an HR employee, and was able to coerce employees into sharing internal employee ID numbers—including those of C-suite executives. Once I had those internal employee ID numbers, I successfully reset domain account passwords.

The Disclosure…

“What do you mean you were able to bypass our password reset process?! We worked so hard on it!”

They did work hard on it—and for what it’s worth, their help desk never broke protocol and performed admirably. I felt like I could have made 1,000 calls to that team over the next year, and not a single one would have slipped.

Once the initial shock wore off, we reviewed their process together to determine what could have been done to prevent this. We learned that they hadn’t done a great job establishing which departments had access to sensitive information. They had focused only on their help desk as a potential point of compromise and hadn’t considered other service-providing departments that could put them at risk.

Additionally, I always recommend that any actions related to account access involve a user’s manager. Having a mandatory third party with an additional layer of verification is extremely tough to bypass.

The Impact…

At this point, I had a set of valid credentials and was ready to begin accessing my client’s network. Fortunately, they had plenty of external-facing services for me to attempt authentication.

Let’s find out what happened next in The Condition.


About Jason Downey, Security Consultant

Jason Downey has over ten years of professional experience in IT and information security, spanning a variety of network security roles, with additional experience in systems administration. Jason has spoken in front of audiences ranging from youth initiatives to major security conferences, while creating informational content for SiegeCasts and forward-facing marketing channels. Jason excels at a variety of penetration testing tactics and is well known for his vishing and social engineering expertise.

Certifications:
CRTO, GPEN, GCIH, CCNA R&S, CCNA Security, CEH, CHFI
