What happens when a determined attacker targets your organisation across every layer simultaneously - your staff, your buildings, your email inboxes, and your internal network? We ran that scenario for a major UK operator. Here's what we found.
Background
Our client operates a large estate of consumer-facing venues alongside a central corporate infrastructure. They engaged Blackfoot to conduct a comprehensive red team exercise – not to tick a compliance box, but to answer a harder question: could a motivated, sophisticated attacker actually get in, move around, and cause damage?
Red teaming differs from conventional penetration testing. Rather than exhaustively cataloguing every vulnerability in scope, a red team engagement emulates a real threat actor working through a structured attack chain. Each phase is designed to enable the next – intelligence feeds weaponisation, delivery enables exploitation, and a foothold on the network opens the door to privilege escalation and, ultimately, data.
PHASE 1OSINT & Recon PHASE 2Weaponisation PHASE 3Delivery & Exploitation PHASE 4Privilege Escalation & Lateral Movement
Phase 1: OSINT & Reconnaissance
Every engagement begins before a single packet is sent. Our consultants built a detailed picture of the organisation using entirely open sources – mapping domains and subdomains, identifying employee profiles, enumerating IP ranges, and checking leaked credential databases.
This phase produced a rich external footprint: email address formats, key personnel in Finance, HR, and senior management, the identity providers in use, and the structure of the client’s web infrastructure. No significant direct exposures were discovered at this stage, but the intelligence gathered became the raw material for every phase that followed – informing which attack paths to pursue and which individuals to target.
Phase 2: Weaponisation
With a clear picture of the target, the team moved to building the tools and pretexts needed to exploit identified opportunities. This phase encompassed both technical and physical preparation.
On the technical side, lookalike domains were registered to impersonate the organisation’s real services, and phishing infrastructure was configured – including proxied login pages capable of capturing credentials and live session tokens, bypassing multi-factor authentication if a target completed the login flow. HTML email templates were crafted to closely mimic legitimate internal communications.
In parallel, physical access tools were prepared: proof-of-concept implant devices designed to establish a covert network foothold once inside a target building. A professional appearance was used to support a convincing cover story as an IT contractor.
Phase 3: Delivery & Exploitation
This phase put the weaponised capabilities to use across two distinct attack vectors: social engineering and physical intrusion.
A targeted spear phishing campaign was launched against a curated list of senior employees, using the lookalike domains and infrastructure built in Phase 2. Emails impersonated IT communications and familiar services, with both traditional links and QR codes used to direct targets to the credential-harvesting infrastructure. The campaign did not result in a single compromised account – a strong result, reflecting effective email filtering and genuine staff awareness.
Physical delivery proved far more successful. Our consultant visited two separate sites on the same day – a corporate head office and a staff area within a public venue. At both locations, access was gained without challenge. At the head office, the consultant walked through reception, sat at a desk in the main office, and planted two proof-of-concept network implants before exploring additional floors and a meeting room – all within fifteen minutes. At the second site, entry was made through a staff-only door, and an unattended, unlocked workstation was accessed in a back office.
“In both cases, a cover story of being an IT contractor was sufficient to deflect any informal questioning. The consultant was not formally challenged at either location.”
CCTV coverage and locked server rooms were noted as positive controls, but the absence of effective staff challenge procedures meant those controls could not compensate for unrestricted physical entry.
Phase 4: Privilege Escalation & Lateral Movement
The implanted devices provided the starting point for this phase: a foothold on the internal network, but no user account and no immediate privileges – the realistic position of an attacker following a successful physical intrusion.
Passive traffic analysis quickly revealed Active Directory domain information, the names of domain controllers, and the network protocols in use. Observation of the traffic showed that certain protocol stacks were susceptible to poisoning attacks. The team carefully targeted a limited scope – isolating the attack to a single machine – to minimise detection risk, using the captured authentication to enumerate domain objects including users, groups, and password policies.
This enumeration uncovered plaintext credentials stored in the description fields of two Active Directory user accounts – a surprisingly common misconfiguration. Those credentials were then used to perform a Kerberoasting attack, extracting encrypted service account hashes from the domain. One of the affected service accounts held Domain Admin privileges: had the underlying password been weak, this step alone would have handed the attacker full control of the domain.
The passwords resisted cracking within the engagement window, which is a genuine positive. However, the exposure – a path from a planted device to Domain Admin credentials – represents a critical finding regardless of current password strength.
Notably, the security team detected the rogue device and removed it in under an hour, simultaneously disabling the accounts with exposed credentials. The engagement continued beyond that point as a simulation, and subsequent attacks yielded no further access. Detection and response capabilities held.
FINDING SEVERITY DISTRIBUTION - 15 FINDINGS TOTAL Critical High Medium Low Info STRONGExternal perimeter
No exploitable vulnerabilities on public-facing systems. MFA consistently enforced on sensitive portals.
STRONGExternal perimeter
No exploitable vulnerabilities on public-facing systems. MFA consistently enforced on sensitive portals.
STRONGDetection & response
Rogue device identified and removed in under an hour. Affected accounts disabled promptly.
NEEDS ATTENTIONPhysical security
Both sites accessed without challenge. Staff awareness training and entry control procedures require immediate review.
NEEDS ATTENTIONInternal AD hygiene
Plaintext credentials in AD description fields. Service accounts with excessive privileges exposed to Kerberoasting.
NEEDS ATTENTIONNetwork segmentation
Legacy protocol exposure enabled lateral movement from a single planted device to domain-level reconnaissance.
Key takeaway
This engagement illustrates a pattern we see consistently: organisations invest heavily in perimeter defences and phishing controls – and those investments pay off. The attack surface facing the internet was well-hardened, and the phishing campaign was rebuffed.
But a single unlocked door – literally – created the conditions for a network-level attack chain that came within reach of full domain compromise. Physical security is an information security problem. An attacker with a laptop, a lanyard, and fifteen minutes of uncontested access can plant the seed for a breach that unfolds weeks later.
The good news is that detection worked. The clock started ticking when the device was planted, and the security team stopped it in time. The goal of further remediation is to make that scenario impossible to reach in the first place.
Is your organisation ready for a realistic test?
Our red team engagements go beyond vulnerability scanning. We simulate determined adversaries across physical, digital, and human attack vectors – and we tell you exactly how far we got.