Combined complex investigation and online exposure assessment

Executive summary

  • This brief provides an anonymised account of an engagement in which we investigated a series of phishing attacks targeting a company.

  • That investigation was combined with an assessment of security risks emerging from the company’s online exposure.

  • The combination of the investigation and the exposure assessment supported the company’s incident response and longer-term risk mitigation efforts.

Case description

This case study is an anonymised description of an engagement in which we investigated malicious cyber activity against a large company in the services sector. Alongside the investigation, we assessed the online exposure of the company and its executives, and the security risk associated with it.

The company was involved in a contentious dispute, and it was believed that the counterparty had hired a private military company to gain access to sensitive information. Several C-suite executives had received a series of phishing attacks and WhatsApp impersonation attempts. The attacks impersonated real individuals and displayed detailed knowledge of the target organisation. They had been identified in real time, but the phishing attempts persisted despite that initial detection.

The company wanted to minimise its exposure and develop a thorough defensive position. This meant investigating the infiltration attempts, hardening its exposure, and disrupting the persistent campaign against it.

Investigation

The investigation operated at multiple levels. We focused on detecting and identifying the external infrastructure that appeared to be involved in the targeting, in order to disrupt it. In parallel, we developed a body of defensible evidential material to support potential legal action, should the company decide to pursue that avenue.

The investigation included rapid forensic examination of executives’ devices and of the broader enterprise estate targeted by the attackers. This yielded open-source cues that supported further attribution. The investigation also provided evidence to confirm or refute hypotheses about the attacker’s sources of information about the company.

We worked closely with the client and external legal counsel throughout this phase, delivering accurate, clear, and timely intelligence under significant pressure. Complex technical findings were translated into decision-grade briefings for both senior executives and legal advisers. Briefings to senior leadership were important for building rapport and aligning the engagement with the company’s overall strategy.

Exposure assessment

In parallel with the active investigation, we undertook a structured assessment of the company’s external exposure. This extended beyond Internet-facing infrastructure to encompass executive digital footprint, family adjacency risk, and broader reputational surface area.

The assessment used our methodologies for rapid assessments of online exposure for individuals and companies. The approach combines technical analysis with emotional intelligence, recognising that in crisis conditions an executive’s exposure (and that of their family) becomes an attack vector as much as a vulnerability.

Working discreetly and in confidence with executives and their families, we reduced unnecessary exposure, guiding improvements and proactively making direct interventions, including the removal or suppression of data across global registries and online repositories where appropriate.

At corporate level, we identified impersonation domains, indicators of targeting, and structural exposure requiring hardening. The company’s security function demonstrated strong awareness of its core infrastructure, but monitoring of reputational exposure and wider threats had not been embedded. We implemented enhanced vigilance measures proportionate to the heightened threat environment.
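Identifying impersonation domains is usually done by generating the lookalike variants of the company's own domain and checking them against a newly-registered-domain feed or certificate transparency logs. The Python below is an added example to illustrate that step; it is not tooling from the engagement described on this page. The brand name, the confusable table, the TLD list and the "observed" domain feed are all constructed for illustration.

```python
"""Lookalike (impersonation) domain generation and matching.

Added example, not tooling from the engagement described on this page.
The brand name, the confusable table, the TLD list and the "observed"
domain feed are all constructed for illustration; in practice the
observed list would come from a newly-registered-domain feed or
certificate transparency logs.
"""
from __future__ import annotations

from typing import Iterable

# Constructed subset of visually confusable substitutions.
CONFUSABLES = {
    "o": ("0",), "l": ("1", "i"), "i": ("1", "l"), "e": ("3",),
    "a": ("4",), "s": ("5",), "g": ("q",), "m": ("rn",), "w": ("vv",),
}
TLDS = ("com", "co", "net", "org", "io")


def label_variants(label: str) -> set[str]:
    """Lookalike variants of one DNS label (the part before the TLD)."""
    n = len(label)
    out: set[str] = set()
    for i in range(n):                      # omission:      acmeservces
        out.add(label[:i] + label[i + 1:])
    for i in range(n - 1):                  # transposition: acmesrevices
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(n):                      # repetition:    acmesservices
        out.add(label[:i] + label[i] + label[i:])
    for i in range(1, n):                   # hyphenation:   acme-services
        out.add(label[:i] + "-" + label[i:])
    for i, ch in enumerate(label):          # confusables:   acrneservices
        for sub in CONFUSABLES.get(ch, ()):
            out.add(label[:i] + sub + label[i + 1:])
    out.discard(label)
    return {v for v in out if v}


def domain_candidates(brand: str, tlds: Iterable[str] = TLDS) -> set[str]:
    """Every label variant on every TLD, plus the genuine label on every
    TLD: an unregistered TLD variant of the real name is a common
    impersonation route."""
    labels = label_variants(brand) | {brand}
    return {f"{lbl}.{tld}" for lbl in labels for tld in tlds}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used as a fallback for substitutions outside the
    confusable table (for example s -> z)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_observed(brand: str, genuine: set[str], observed: Iterable[str]) -> dict[str, str]:
    """Map each suspicious observed domain to the reason it was flagged.
    Domains the company actually owns are skipped; unrelated domains are
    not reported."""
    candidates = domain_candidates(brand)
    flagged: dict[str, str] = {}
    for dom in observed:
        dom = dom.lower().strip(".")
        if dom in genuine:
            continue
        label = dom.split(".")[0]
        if dom in candidates:
            flagged[dom] = "generated lookalike"
        elif levenshtein(label.replace("-", ""), brand) <= 1:
            flagged[dom] = "edit distance <= 1"
    return flagged


# Constructed sample: the brand, the domains it really owns, and a
# pretend feed of newly observed registrations.
BRAND = "acmeservices"
GENUINE = {"acmeservices.com"}
OBSERVED = [
    "acmeservices.com",   # genuine, skipped
    "acme-services.com",  # hyphenation
    "acmeservlces.com",   # i -> l
    "acrneservices.net",  # m -> rn
    "acmeservices.co",    # real label on a TLD the company does not hold
    "acmeservicez.com",   # s -> z: not in the table, caught by edit distance
    "example.org",        # unrelated
]

if __name__ == "__main__":
    for dom, why in sorted(flag_observed(BRAND, GENUINE, OBSERVED).items()):
        print(f"{dom:22} {why}")
```

The generated set is the cheap, exact check; the edit-distance fallback catches substitutions the table does not enumerate, at the cost of occasional false positives on short brand names, which is why it is applied only to the label and only at distance one.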

The outcome was not solely an improved technical posture: it also delivered increased executive assurance and psychological safety at a time of sustained pressure, restoring confidence that both the organisation and its leadership were appropriately protected while we addressed the wider response strategy.

Resilience and disruption

A rapid uplift in organisational resilience was a priority given the persistent, highly directed threat and the associated risk of compromise. Working with the client, we identified the organisation’s ‘crown jewels’ and rapidly implemented additional security controls to protect these key assets. This provided an additional layer of defence in the event of a compromise of the wider organisation.

We also introduced or strengthened processes around incident management, focusing on the protection of crown jewels and the continuity of critical business functions. Together these measures made the company more resilient to security threats.

These defensive measures were coupled with a more proactive approach intended to introduce friction into the adversary’s operations. Measures included the introduction of deceptive assets into the client’s estate and into the wider digital environment. These assets led the adversary to waste effort on nugatory activities and, at the same time, provided the company with tripwires to identify malicious activity.
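One concrete form of such a tripwire is a canary token: a unique beacon embedded in a decoy document or credential that calls back to infrastructure the defender controls when the asset is opened or used. The Python below is an added example, not code or infrastructure from this engagement; the signing key, beacon hostname, decoy registry and access-log lines are all constructed. It mints a per-decoy token, verifies callbacks so that guessed or tampered paths cannot raise false alerts, and maps each genuine hit back to the decoy and where it was planted, which says something about the adversary's access route.

```python
"""Deceptive assets as tripwires: per-decoy canary tokens and callback matching.

Added example, not code or infrastructure from the engagement described
on this page. The signing key, beacon hostname, decoy registry and access
log lines are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass

SIGNING_KEY = b"constructed-demo-key"          # assumption: held in a secrets store, rotated
BEACON_HOST = "cdn-assets.example.invalid"      # assumption: a host the defender controls


@dataclass(frozen=True)
class Decoy:
    name: str        # the deceptive asset the token lives in
    placement: str   # where it was planted; a hit implicates that access route


# Constructed registry: one id per deceptive asset.
REGISTRY = {
    "d1": Decoy("board-paper-draft.docx", "decoy folder on an executive laptop"),
    "d2": Decoy("supplier-contracts-index.xlsx", "internal file share"),
}


def mint_token(decoy_id: str) -> str:
    """Token = decoy id + truncated HMAC tag. The tag lets a callback be
    verified as genuine, so guessed or tampered paths do not raise alerts."""
    tag = hmac.new(SIGNING_KEY, decoy_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{decoy_id}-{tag}"


def verify_token(token: str) -> str | None:
    """Return the decoy id if the tag checks out, else None."""
    decoy_id, sep, tag = token.rpartition("-")
    if not sep or not decoy_id:
        return None
    expected = hmac.new(SIGNING_KEY, decoy_id.encode(), hashlib.sha256).hexdigest()[:16]
    return decoy_id if hmac.compare_digest(tag, expected) else None


def beacon_url(decoy_id: str) -> str:
    """URL to embed as a remote image or link inside the decoy asset."""
    return f"https://{BEACON_HOST}/t/{mint_token(decoy_id)}.png"


# Combined log format, plus the beacon path shape.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TOKEN_PATH_RE = re.compile(r"^/t/(?P<token>[A-Za-z0-9-]+)\.png$")


@dataclass(frozen=True)
class Alert:
    decoy: Decoy
    source_ip: str
    timestamp: str
    user_agent: str


def scan_access_log(lines, registry) -> tuple[list[Alert], list[tuple[str, str]]]:
    """Match beacon callbacks in web server logs. Returns genuine alerts
    (mapped to the decoy and its placement) and (ip, token) pairs whose
    tag failed verification, which is itself worth noting: someone is
    probing the beacon host."""
    alerts: list[Alert] = []
    forged: list[tuple[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tm = TOKEN_PATH_RE.match(m["path"])
        if not tm:
            continue                      # ordinary request, not a beacon
        decoy_id = verify_token(tm["token"])
        if decoy_id is None or decoy_id not in registry:
            forged.append((m["ip"], tm["token"]))
            continue
        alerts.append(Alert(registry[decoy_id], m["ip"], m["ts"], m["ua"]))
    return alerts, forged


# Constructed access-log lines: one genuine callback from the board-paper
# decoy, one request with a forged tag, one unrelated request.
_hit = mint_token("d1")
_forged = "d1-" + "0" * 16
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Mar/2024:09:14:02 +0000] "GET /t/{_hit}.png HTTP/1.1" 200 68 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Word/16.0"',
    f'198.51.100.9 - - [12/Mar/2024:09:20:11 +0000] "GET /t/{_forged}.png HTTP/1.1" 404 0 "-" "curl/8.4.0"',
    '203.0.113.7 - - [12/Mar/2024:09:21:40 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, probes = scan_access_log(SAMPLE_LOG, REGISTRY)
    for a in hits:
        print(f"TRIPWIRE {a.decoy.name!r} ({a.decoy.placement}) opened from {a.source_ip} at {a.timestamp}")
    for ip, tok in probes:
        print(f"PROBE    forged token {tok} from {ip}")
```

Keying the token on a server-side secret rather than a random lookup table means the beacon host can verify a hit statelessly, and a flood of invalid tokens shows up as probing rather than as spurious alerts. The placement field is the part that feeds the investigation: a callback from the laptop decoy and one from the file-share decoy point at different access routes.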

Lessons identified

There are advantages to combining incident investigation and broader assessment. 

  • The impulse to focus solely on investigating and remediating the immediate problem is understandable, but it risks leaving pre-existing vulnerabilities in place.

  • A more holistic review of vulnerabilities enables an effective strategic response that strengthens the organisation’s overall security posture.

Investigative activities can be tailored to support multiple strategic objectives.

  • Investigation of suspected malicious activity provides immediate support to decision-makers directing response and mitigation efforts.

  • Investigations can also support downstream activities, for example by establishing a body of defensible evidence to support potential legal action. 
Assessing an organisation’s online presence requires appropriately resourced and structured monitoring processes.

  • The company’s lack of external monitoring meant it had accrued risk it could not quantify.

  • The complexity of the information environment requires sustained investigation rather than a one-off review.

At Tyburn we conduct complex investigations to support decision-making and personal security for at-risk individuals.

To learn more, contact info@tyburn-str.com.
