“yet again proving that the real hackers go after people - Social Engineering 101”
Rarely a truer word said. 99% of external infrastructure engagements we do result in breach (i.e. access to the internal network). The other 1% refuse to include O365, S4B, Outlook Web Access, VPN endpoints etc. in the scope :)
It’s not about 0-days. It’s a numbers game. Someone in your organisation has a $#!% password. Just a matter of finding who. A bit of OSINT, a bit of time (usually a few hours, occasionally a day or two) and you’ve got shell. Bit slower if you care about not being detected.
Plenty of talk of encryption etc. to fix this problem, when mandating MFA and a half-decent password policy + training will make the attacker’s job hundreds of times more difficult.