Intermediate Lab
Gain Initial Access via Social Engineering
In real-world breaches, threat actors frequently sidestep hardened network and IAM defenses by targeting people instead, leveraging social engineering tactics like phishing or vishing to gain initial access.
Overview
Scenario
You are conducting a red team engagement for a global financial services firm. The engagement's authorized scope includes both their infrastructure and that of their trusted Managed Security Services Provider (MSSP). You begin your assessment from an external perspective, starting with the MSSP's public-facing website to identify potential entry points.
Lab prerequisites
- Familiarity with the command line
- Basic cybersecurity knowledge
- Familiarity with Azure concepts
Learning outcomes
- Find the Tenant ID of a company externally
- Leverage support chat for social engineering
- Abuse the Self-Service Password Reset functionality to gain access
- Leverage Azure DevOps to move across tenants
- Perform data decryption using Azure Key Vault
Real-world context
In real-world breaches, threat actors frequently sidestep hardened network and IAM defenses by targeting people instead, leveraging social engineering tactics like phishing or vishing to gain initial access. Instead of sending a malicious document or relying on credential stuffing, attackers may choose to abuse a permissive Self-Service Password Reset (SSPR) policy. Because SSPR is seen as a helpful, legitimate feature, its risks are often overlooked. When abused, it allows threat actors to gain valid credentials to an environment. The lab also explores how the well-adopted Azure DevOps offers a rich surface for lateral movement and privilege escalation, and how access via compromised third parties like MSSPs can result in a breach.
In April 2025, Marks & Spencer (M&S), one of the UK’s major retail chains, suffered a significant cyberattack that disrupted online clothing orders and gift card services. What was first believed to be a technical fault was potentially traced back to a compromise of a third-party vendor. The attackers reportedly used social engineering to gain access, highlighting the risks posed by indirect paths into well-defended environments. The cyberattack resulted in approximately £300 million ($403 million) in lost operating profit and an estimated $1 billion drop in the company's valuation.