Introduction

Hacking is hard work. Organizations are investing significant resources to ensure that every avenue an attacker might try ends in failure. So, when tasked with gaining privileged access at a large organization, why spend all that effort trying to outsmart the defenses? Why not just ask some questions?

During social engineering assessments, our testers attempt to gain access to sensitive information and accounts by any means authorized by the client. This could include emails, phone calls, and other communication channels. The goal is not to generate a “gotcha” moment, but rather to surface systemic weaknesses in policy and training that a real attacker could exploit.

The Mission

A client wanted to understand how vulnerable their executive leadership team would be to targeted social engineering. The scope was broad by design, since high-level executives are not easy targets. They are constantly in the crosshairs of phishing campaigns, so a generic “password reset” email was unlikely to work. We needed a pretext compelling enough to lower a practiced executive’s guard. Something tailored that felt real, urgent, and important enough to elicit compliance.

Preparation

Reconnaissance

There is no better way to establish credibility than to anchor a conversation in something the company is already talking about. Corporate blogs, social media, and news articles are good starting points for OSINT gathering.

A thorough review of the client’s website gave us a baseline idea of the information they were willingly sharing about themselves. Their contact pages and leadership bios helped us build profiles of the people we’d be reaching out to, and a press release revealed that they recently announced plans to construct a new facility. This significant office expansion was certainly a topic that the entire leadership team would be aware of, or directly involved in.

“I’m Just Asking Questions”

Bad Press and a Fake Anonymous Tip

The idea was a relatively new approach for NetSPI. What if we posed as a journalist asking for comment on an anonymous tip alleging that the company was improperly disposing of hazardous waste at its active construction site?

Now, I feel like this deserves a disclaimer, as NetSPI’s policy is to avoid any pretext that could be illegal, unethical, or has the potential to cause emotional harm. The level of urgency is the number one factor in a successful phish interaction, and environmental controversy during a high-profile expansion is the last kind of press any organization wants.

However, this scenario was clearly walking a fine line. We had to be extremely careful not to single out any individual, as accusing a specific construction project manager or naming a specific incident could have caused an unwanted impulsive reaction. Framing it as a series of events across a longer timespan would defuse the impulse to blame individuals, yet maintain a sense of urgency.

With the pretext decided, we built the necessary infrastructure:

  • We researched journalists and local news outlets using Google, Google Maps, and LinkedIn to identify a reporter we would impersonate.
  • A ProtonMail account was created in that journalist’s name. The choice of ProtonMail was deliberate: privacy-focused email providers are strongly associated with journalists and whistleblower communications, lending passive credibility to the persona.
  • We registered a lookalike domain and stood up an Evilginx server pointed at the client’s real Microsoft login flow. Evilginx is an adversary-in-the-middle (AITM) framework that proxies a legitimate login page, capturing the username, password, and MFA tokens in real time and harvesting the authenticated session cookie.

Figure: Evilginx AITM

Execution

We manually composed a tailored email to each member of the C-Suite, requesting comment on the alleged environmental incidents.

Two elements were critical to making these emails land:

  1. The message made clear that this story was being written with or without the company’s response. A comment from the company would give them the opportunity to set the record straight.
  2. We did not include a link. Sending a link immediately would have triggered every alarm in a security-conscious executive’s brain. Instead, we asked recipients to reply as to whether they were willing to comment. This implied that we weren’t a bot and, subtly, empowered them to take positive action.

Evaluation

Two members of the C-Suite had out-of-office replies active. While not directly impactful, it did act as an indicator that the leadership team could be sharing duties or have their attention divided.

Two others responded with a redirect pointing us to a fifth individual we’ll call Bob. Bob was the executive overseeing the new construction project.

Initially, Bob did what one would expect and supplied a Teams invite controlled by his organization. However, our goal was to get Bob to visit our landing page. Could we have joined a Teams call and shared the link in the chat? Yes, but that would have forced us to wait until the scheduled meeting time, giving Bob more time to question the situation and his actions.

So we pushed our luck and replied with a good old-fashioned error message.

Bob was concerned about the environmental allegations and motivated to protect the company’s reputation. In his rush to get ahead of the story, he did something we hadn’t anticipated: he forwarded our phishing link to two separate contracting firms involved with the construction project.

In a single move, Bob had deputized himself as a social engineer, turning a targeted C-Suite engagement into a three-for-one attack against the organization and its trusted vendors.

Since the external firms were out of scope for this engagement, we immediately escalated to our point of contact and killed the phishing session to avoid capturing out-of-scope credentials. The implications of Bob’s action, had this been a real attack, are easy to imagine.

Final Thoughts and Lessons

Social engineering attacks of this nature are genuinely difficult to prevent. Good email filtering is a start, but most organizations still need to receive external email. A back-and-forth conversation thread is significantly harder for automated systems to flag than a one-shot phishing blast.

It’s also worth reflecting on Bob’s actions. He wasn’t negligent. He was doing his job, trying to manage a potential PR crisis on behalf of his organization. The vulnerability we exploited wasn’t a flaw in a person – it was the absence of clear policy around how executives should handle unsolicited media inquiries tied to sensitive operational topics.

As with most social engineering engagements, the lesson isn’t “don’t talk to reporters.” Rather, define a clear, simple process that employees can consistently follow.

What Users Can Do

There are practical guardrails that can make these attacks significantly harder to execute:

  • Always be suspicious of urgency.
    Pressure to act quickly is the social engineer’s most reliable tool. Requests that demand speed deserve a slower, more deliberate response.
  • Scrutinize URLs before clicking.
    Misspelled company names, excessive hyphens, and uncommon domain extensions (e.g., acme.biz instead of acme.com) are common ‘tells.’
  • Be wary of external links to internal platforms.
    A link from an outside party directing you to your company’s Microsoft login page or internal portal is a significant red flag.
    Legitimate external parties shouldn’t have that URL.
  • Avoid clicking on links sent from untrusted sources to continue conversations.
    Keep conversations on company infrastructure.
  • Verify through the source.
    If you receive outreach claiming to be from a journalist or public official, look them up independently, then reach out through a verified channel. Do not use the contact information in the original message.

What Organizations Can Do

Beyond individual vigilance, organizational controls can make a meaningful difference:

  • Deploy and tune email security tooling, including domain impersonation detection and clear external sender warnings.
  • Run ongoing phishing simulations that go beyond the classic password-reset scenario. Reporter impersonation, vendor outreach, and executive spoofing are all used by real attackers.
  • Establish clear protocols for how employees, especially senior leaders, should handle unsolicited media inquiries. A simple “forward to Communications” policy would have materially changed the outcome of this engagement.
  • Consider organizational login restrictions and conditional access policies that limit where credentials can be authenticated, making session cookie replay attacks harder to operationalize.
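The URL “tells” listed under What Users Can Do (misspelled company names, excessive hyphens, uncommon domain extensions, and outside senders linking to the company’s own login page) are the same signals that the domain impersonation detection mentioned above looks for. The script below is an added illustration written for this post, not NetSPI tooling or anything from the engagement: it scans an inbound email for links and reports which tells each one triggers. The organization’s domains (acme.com, sso.acme.com), the sender address, and the sample message body are all constructed placeholders.

```python
"""
Flag suspicious links in an inbound email, as a defender-side illustration of the
URL "tells" discussed in this post: lookalike domains, excessive hyphens, uncommon
TLDs, and external senders linking to the company's own login page.
Added example code; organization names, domains and the sample email are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed assumptions: the organization's real domains, and the identity-provider
# hosts that an outside party has no legitimate reason to send us links to.
ORG_DOMAINS = {"acme.com"}
LOGIN_HOSTS = {"login.microsoftonline.com", "sso.acme.com"}
COMMON_TLDS = {"com", "org", "net", "edu", "gov"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'acme-secure.biz' from 'www.acme-secure.biz'.
    Good enough for this illustration; real tooling should use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def url_findings(url: str, sender_domain: str) -> list[str]:
    """Return the tells a single URL triggers; an empty list means nothing was flagged."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    name, _, tld = reg.rpartition(".")
    findings = []

    # A link to our own domain or login page is only a problem when it comes from
    # outside: legitimate external parties should not be handing us our portal URLs.
    if reg in ORG_DOMAINS:
        if sender_domain not in ORG_DOMAINS:
            findings.append("external sender linking to an internal domain")
        return findings
    if host in LOGIN_HOSTS:
        if sender_domain not in ORG_DOMAINS:
            findings.append("external sender linking to the company login page")
        return findings

    # Lookalike checks: near-miss spellings, or the company name embedded in a longer label.
    for org in ORG_DOMAINS:
        org_name = org.rpartition(".")[0]
        if name != org_name and levenshtein(name, org_name) <= 2:
            findings.append(f"lookalike of {org} (near-miss spelling: {reg})")
        elif org_name in name and name != org_name:
            findings.append(f"lookalike of {org} (company name embedded: {reg})")
    if host.count("-") >= 2:
        findings.append("excessive hyphens in hostname")
    if tld not in COMMON_TLDS:
        findings.append(f"uncommon top-level domain .{tld}")
    return findings


def scan_email(sender: str, body: str) -> dict[str, list[str]]:
    """Map each URL in the body to its findings, keeping only URLs that were flagged."""
    sender_domain = registrable_domain(sender.rpartition("@")[2])
    results = {}
    for url in URL_RE.findall(body):
        hits = url_findings(url, sender_domain)
        if hits:
            results[url] = hits
    return results


# Constructed sample message: an outside "reporter" steering the recipient to a page
# that is not the outlet's own site, plus one benign link to show what passes clean.
SAMPLE_SENDER = "reporter@protonmail.com"
SAMPLE_BODY = """Thanks for getting back to me. The draft and the documents I was sent are here:
https://acme-secure-review.biz/draft
Our outlet's site for reference: https://www.example-news.org/about
If you prefer, sign in to review it directly: https://login.microsoftonline.com/?redirect=x
"""

if __name__ == "__main__":
    for url, hits in scan_email(SAMPLE_SENDER, SAMPLE_BODY).items():
        print(url)
        for hit in hits:
            print("   -", hit)
```

Running the script flags the hyphenated .biz lookalike on three counts and the external link to the real Microsoft login page on one, while the outlet’s own site passes clean. The registrable-domain helper deliberately keeps only the last two labels, which is wrong for country-code suffixes such as .co.uk; a production filter should use a public-suffix list, and the edit-distance threshold should be tuned per organization so that short legitimate names do not collide with each other.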

Ready to find out how your organization holds up?

Work with NetSPI on a social engineering penetration test customized for your specific infrastructure and company culture.