I hacked a large company (70k+ employees) through social engineering. Legally of course.
• I set up the infrastructure
• Scraped names & emails with LinkedIn
• Sent 200 phishing emails.
I had access to their AWS console within 2 minutes.
And much more:
• I set up the infrastructure
• Scraped names & emails with LinkedIn
• Sent 200 phishing emails.
I had access to their AWS console within 2 minutes.
And much more:
1/ I used Evilnginx2 to bypass MFA (Okta & Duo)
From Okta, I could access Outlook, Sharepoint, Github, & many more services on behalf of the 50+ employees that fell for the phish.
I was blown away by how easy it was to pull off this "hack" that could've impacted 60M+ people.
From Okta, I could access Outlook, Sharepoint, Github, & many more services on behalf of the 50+ employees that fell for the phish.
I was blown away by how easy it was to pull off this "hack" that could've impacted 60M+ people.
2/ Phishing attacks are on the rise and are becoming more sophisticated.
Last year we saw Uber, Dropbox, Twilio, Axie Infinity ($625M theft), and more compromised through phishing.
People argue that humans are the "weakest link", yet, companies of all sizes still rely on:
Last year we saw Uber, Dropbox, Twilio, Axie Infinity ($625M theft), and more compromised through phishing.
People argue that humans are the "weakest link", yet, companies of all sizes still rely on:
3/ Forcing the consumption of cartoon training videos twice a year & hoping their SEG works.
While some organizations are moving towards FIDO2, many aren't & can't.
Companies aren't effectively equipping their employees to recognize & avoid the latest real-world threats.
While some organizations are moving towards FIDO2, many aren't & can't.
Companies aren't effectively equipping their employees to recognize & avoid the latest real-world threats.
4/ We aren't the weakest link.
Humans are the greatest asset and can be the most effective security measure – if you empower them.
This is what inspired me to build @BreachlessAI – a more effective way to empower security awareness:
Humans are the greatest asset and can be the most effective security measure – if you empower them.
This is what inspired me to build @BreachlessAI – a more effective way to empower security awareness:
5/ Breachless detects & explains email threats in real-time, without becoming completely dependent on email filtering.
Imagine having a security expert that explains why an email is suspicious. That's what @BreachlessAI is!
My phish could've been thwarted if Breachless was used
Imagine having a security expert that explains why an email is suspicious. That's what @BreachlessAI is!
My phish could've been thwarted if Breachless was used
6/ If you'd like to try it, please join the waitlist!
If not, I'd love to hear why not.
breachless.ai
If not, I'd love to hear why not.
breachless.ai
I thought I mentioned it in this thread, but I was consulting with this company so it was completely legal.
DO NOT try this if you do not have permission as it would be illegal.
DO NOT try this if you do not have permission as it would be illegal.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
