Cyberattacks Without Hollywood-Style Hacking: 350 Analyzed Cases. Three Patterns.

Author
Sandro Bachmann
Published
29. June 2026


Why are organisations being compromised despite heavy investment in cyber security? An analysis of around 350 incident response cases from the past year shows that successful cyber attacks do not begin with unknown zero-day vulnerabilities or Hollywood-style hacking. Instead, they combine known vulnerabilities, organisational gaps and a lack of transparency. The same pattern repeats itself time and time again: attackers take the path of least resistance. Three recent attack scenarios from incident response practice highlight typical vulnerabilities and effective protective measures.

Cybersecurity rarely fails because a single tool is missing somewhere. Far more often, the causes lie in established structures, unspoken assumptions, and blind spots that no one has questioned for years. We’ve explored why visibility is crucial in this regard in another article on the topic. What is considered logical, efficient, or historically established in everyday operations can become a gateway for attackers in an emergency. Three scenarios illustrate where companies remain particularly vulnerable—and how the greatest risks can be specifically mitigated.

Scenario 1: Ransomware via VPN Access and Stolen Login Credentials

An employee has been using the same login credentials for years, both for personal and business purposes. Although the password for work is changed regularly in accordance with internal guidelines, the core of the password remains the same; only the numbers are altered slightly each time.

It’s common for the employee to check work emails from time to time on their personal computer, and for convenience the password is saved in the browser so it does not have to be retyped every time. One day the employee downloads a program from the internet for personal use and installs it. An info stealer is bundled with this otherwise legitimate piece of software.

The info stealer runs completely unnoticed and transmits every password stored in the browser to the cybercriminals behind it, who then offer these login credentials for sale on cybercrime marketplaces for just a few dollars.

Ransomware affiliates need corporate access, and to obtain it they routinely turn to these marketplaces. By sifting through the latest stealer logs, they identify a lucrative target: email access to a well-known company, originally stolen from the employee’s personal device.

With little effort, the attacker identifies the company’s VPN entry point and tries the previously obtained credentials: lo and behold, no two-factor authentication is required, and the ransomware affiliate has secured access to its next victim with minimal effort.

After successfully logging in, the attacker finds:

  • a flat network without segmentation

  • administrative permissions

  • central file servers

  • backup systems

  • hypervisor management

  • additional privileged accounts

Within a matter of hours, a single VPN login can escalate into a company-wide ransomware incident.

3 Key Measures to Prevent Ransomware Incidents

  1. Strengthen identities
    ◾MFA for all remote access
    ◾Prioritize phishing-resistant MFA methods
    ◾Conditional access and risk-based logins

  2. Monitor external attack surfaces
    ◾Visibility into exposed corporate entry points
    ◾Continuous monitoring of stealer logs
    ◾Continuous vulnerability management

  3. Limit lateral movement
    ◾Network segmentation
    ◾Separation of user, server, and management zones
    ◾Separate access to hypervisors and backups
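The stealer-log monitoring in measure 2 can be automated. The following Python is an added example, not code from the original article or from InfoGuard. It assumes the common URL:USER:PASS layout of stealer logs, an invented corporate domain (acme-corp.example), and constructed sample lines. It flags records that touch corporate hosts or identities and, going one step beyond the text, groups passwords by their digit-stripped core so that the Summer2023!/Summer2024! rotation pattern from the scenario stands out across personal and business accounts.

```python
import re
from collections import defaultdict

# Constructed stealer-log excerpt in the common URL:USER:PASS layout; all
# hosts, users and passwords are invented for this example.
STEALER_LOG = """\
https://mail.acme-corp.example/owa/:jdoe@acme-corp.example:Summer2023!
https://vpn.acme-corp.example/:jdoe@acme-corp.example:Summer2024!
https://shop.example.net/login:jdoe@gmail.example:Summer2022!
https://forum.example.org/:someone@other.example:correct-horse-battery
"""

CORPORATE_DOMAINS = {"acme-corp.example"}  # hypothetical company domain


def parse_stealer_log(text):
    """Parse URL:USER:PASS lines. The password keeps any ':' it contains;
    URLs with an explicit port are not handled (known limitation)."""
    entries = []
    for raw in text.splitlines():
        _, sep, rest = raw.strip().partition("://")
        if not sep:
            continue
        try:
            host_path, user, password = rest.split(":", 2)
        except ValueError:
            continue  # malformed line, skip
        entries.append({
            "host": host_path.split("/", 1)[0].lower(),
            "user": user.strip().lower(),
            "password": password,
        })
    return entries


def _in_domain(name, domains):
    return any(name == d or name.endswith("." + d) for d in domains)


def corporate_exposure(entries, corporate_domains):
    """Entries that touch a corporate host or a corporate e-mail identity."""
    hits = []
    for e in entries:
        user_domain = e["user"].rpartition("@")[2]
        if _in_domain(e["host"], corporate_domains) or _in_domain(user_domain, corporate_domains):
            hits.append(e)
    return hits


def password_core(password):
    """'Summer2023!' and 'Summer2024!' collapse to the same core 'summer!'."""
    return re.sub(r"\d+", "", password).lower()


def password_families(entries):
    """Group entries by password core and keep only cores reused across
    more than one record (the rotated-digits pattern)."""
    families = defaultdict(list)
    for e in entries:
        families[password_core(e["password"])].append(e)
    return {core: es for core, es in families.items() if len(es) > 1}


if __name__ == "__main__":
    entries = parse_stealer_log(STEALER_LOG)
    for e in corporate_exposure(entries, CORPORATE_DOMAINS):
        print("corporate exposure:", e["host"], e["user"])
    for core, es in password_families(entries).items():
        users = sorted({e["user"] for e in es})
        print(f"password family {core!r} shared by {len(es)} records: {users}")
```

In practice the input would be the feed from a stealer-log monitoring service rather than an inline string; the family check is what turns the personal shop.example.net record into an actionable corporate finding, because the same core is in use on the VPN.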

Scenario 2: Supply Chain Attack via Compromised Software

An administrator is maintaining a server environment and wants to bring every system up to the latest version. To do this, he downloads the necessary updates directly from the Internet, installs them, and moves on to the next server.

While searching for the latest security patches, he lands on a threat actor’s website advertised via Google Ads (malvertising). Several business applications are offered for download there. In reality, the installers are bundled with a legitimate remote management (RMM) tool that, once installed, gives the attacker direct remote access to the server.

Because the installation is carried out by an authorized administrator, it raises no alarms with the usual security controls:

  • The business application itself is genuine and up to date, so nothing looks out of place

  • The antivirus software did not flag the remote management tool, because it is a legitimate product in its own right

  • The proxy server allowed the download without any warning

Numerous recent campaigns have exploited precisely these mechanisms:

  • compromised open-source components

  • compromised developer software and plugins

  • infected software packages/operating system images

The danger of this type of compromise is that the attacker gains privileged and persistent access from the first minute. Depending on which system was compromised, the attacker may also be able to read and exfiltrate critical business data directly. Hardly any further attack techniques are required, which is exactly why such incidents often go undetected by security monitoring for a long time: there is no exploit, no privilege escalation and no classic malware to trigger an alert. If the data exfiltration is eventually detected, it is usually already too late: the critical information has long since left the company.

We observe such attack patterns among nation-state actors as well as initial access brokers and ransomware groups. They are increasingly using these techniques because they are efficient, difficult to detect, and highly effective.

4 Key Measures Against Supply Chain Attacks

  1. Reduce privileged access
    ◾Consistently implement the principle of least privilege
    ◾Use separate administrative accounts
    ◾Privileged Access Management

  2. Secure the software supply chain
    ◾Verify the origin of software
    ◾Validate critical updates before rollout
    ◾Use a Software Bill of Materials (SBOM)

  3. Monitor behavior instead of signatures
    ◾EDR coverage on all critical systems
    ◾Monitoring of build servers
    ◾Monitoring of developer workstations
    ◾Detection of unusual network communication

  4. Isolate critical systems
    ◾Segmentation of management and production systems
    ◾Restriction of direct Internet access
    ◾Controlled software distribution
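Measure 2 ("verify the origin", "validate critical updates before rollout") can be turned into a concrete gate that runs before an installer touches a server. The Python below is an added example, not code from the original article or from InfoGuard. It assumes a hypothetical release manifest per product (allowed download hosts, the vendor's published SHA-256, the expected archive contents) and constructs two sample packages inline: the genuine release and a trojanised copy that also carries an RMM agent, mirroring the scenario. The manifest hash is derived from the constructed genuine package only so that the example is self-contained; in real use it comes from the vendor's out-of-band checksum or signed release notes.

```python
import hashlib
import io
import zipfile
from urllib.parse import urlparse


def build_zip(files):
    """Build an in-memory zip from {name: bytes}; used only to construct sample packages."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed packages: the genuine release and a trojanised copy that also
# ships a remote-management agent. Product and file names are invented.
GENUINE = build_zip({"bizapp.exe": b"genuine installer bytes", "README.txt": b"v2.3"})
TROJANISED = build_zip({"bizapp.exe": b"genuine installer bytes",
                        "README.txt": b"v2.3",
                        "rmm_agent.exe": b"bundled remote management tool"})

# Hypothetical release manifest. The checksum must come from the vendor's
# out-of-band source (checksum file or signed release notes on the vendor's
# own site), never from the page the download was found on; here it is derived
# from the constructed GENUINE package so the example runs stand-alone.
MANIFEST = {
    "bizapp": {
        "hosts": {"downloads.example-vendor.test"},
        "sha256": hashlib.sha256(GENUINE).hexdigest(),
        "files": {"bizapp.exe", "README.txt"},
    }
}


def check_update(product, source_url, package):
    """Pre-rollout gate. Returns a list of findings; an empty list means approved."""
    spec = MANIFEST.get(product)
    if spec is None:
        return [f"no manifest entry for {product!r}"]
    findings = []
    url = urlparse(source_url)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        findings.append(f"insecure scheme {url.scheme!r}")
    if host not in spec["hosts"]:
        findings.append(f"untrusted download host {host!r}")
    if hashlib.sha256(package).hexdigest() != spec["sha256"]:
        findings.append("checksum mismatch")
    try:
        with zipfile.ZipFile(io.BytesIO(package)) as zf:
            names = {n for n in zf.namelist() if not n.endswith("/")}
    except zipfile.BadZipFile:
        return findings + ["package is not a valid archive"]
    # The bundled RMM agent shows up here even if someone skipped the hash check.
    findings += [f"unexpected file in package: {n}" for n in sorted(names - spec["files"])]
    findings += [f"expected file missing: {n}" for n in sorted(spec["files"] - names)]
    return findings


if __name__ == "__main__":
    print(check_update("bizapp", "https://downloads.example-vendor.test/bizapp.zip", GENUINE))
    print(check_update("bizapp", "https://bizapp-updates-free.test/bizapp.zip", TROJANISED))
```

The host allowlist is what would have stopped the ad-served download in the scenario regardless of what the package contained; the content check catches the bundled tool even when the hash is unavailable. Where the vendor signs releases, verifying that signature is the stronger control and belongs in front of the hash comparison.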

Assess the relevant cyber risks for your company and prioritize the appropriate protective measures. The white paper “InfoGuard Threat Intelligence Insights 2025” provides the expertise you need to conduct a reality check.


Scenario 3: Ghost Sender – When Configuration Errors Become a Security Risk

During threat hunting, the analysis team discovers anomalies in the email logs. The analysis reveals several unusual email sender addresses that were used to send links to unknown websites to highly privileged accounts.

An in-depth analysis of the logs initially paints a puzzling picture: The emails appear to originate from within the organization itself. Suspicions of a compromise arise, so a task force is convened to investigate the matter.

Initial analyses show no compromise of the on-premises Exchange server. No compromised endpoints were identified, and there are no other suspicious logins that would explain the situation. The analysis team also determines that this situation has been ongoing for several months. Initially, however, only test messages, misdelivered emails, and isolated emails that seemed implausible were noticed, but these were not investigated further.

The task force is discussing the current findings. There are no indications of a compromise. The email configuration has not been changed for years and does not appear to have been tampered with. Nor is there any evidence of a third-party provider having been compromised. Then someone on the team hypothesizes that the email security gateway may have been bypassed.

How could this email misconfiguration have occurred?

The organization operates a modern email security architecture and has an established secure email gateway deployed upstream of Exchange Online. The company’s assumption? All emails must pass through these checkpoints. This is exactly how it was defined in the architecture.

However, the analysis shows that Exchange Online still accepts direct deliveries from the internet: the tenant’s own inbound endpoint takes mail from any sender, not only from the gateway, so anyone who ignores the published MX route and connects to that endpoint directly bypasses every gateway check. So the gateway is in place, the security controls for the defined email flow are implemented, and the corresponding processes are correctly established. Yet there is also an alternative path, one that may have been necessary at the time of implementation but does not appear in any architecture diagram and was never part of the threat model. This threat now has a name: “Ghost Sender.”
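The threat-hunting question from this scenario ("did this message actually pass through the gateway?") can be answered from the Received headers. The Python below is an added example, not code from the original article or from InfoGuard. It assumes an invented gateway host (mailgw.acme-corp.example), an invented corporate domain, that the tenant's inbound endpoint is the usual `*.mail.protection.outlook.com` host, and two constructed messages: one delivered via the gateway and one delivered directly with a spoofed internal sender. Only the hop stamped by the tenant's own endpoint is trusted; everything below it in the header chain is attacker-controllable and is deliberately ignored.

```python
import re
from email import message_from_string

# Hypothetical environment: the company's secure e-mail gateway and domain.
GATEWAY_HOSTS = {"mailgw.acme-corp.example"}
CORPORATE_DOMAINS = {"acme-corp.example"}
EOP_SUFFIX = ".mail.protection.outlook.com"  # Exchange Online inbound endpoint

# Constructed messages; headers are newest-first as delivered.
VIA_GATEWAY = """\
Received: from mailgw.acme-corp.example (203.0.113.10) by
 acme-corp.mail.protection.outlook.com (10.0.0.5) with Microsoft SMTP Server;
 Mon, 3 Jun 2024 08:00:01 +0000
Received: from partner.example.net (198.51.100.7) by mailgw.acme-corp.example;
 Mon, 3 Jun 2024 08:00:00 +0000
From: partner@example.net
To: cfo@acme-corp.example
Subject: Invoice 4711

body
"""

DIRECT = """\
Received: from vps-203-0-113-77.hosting.example (203.0.113.77) by
 acme-corp.mail.protection.outlook.com (10.0.0.5) with Microsoft SMTP Server;
 Mon, 3 Jun 2024 09:15:42 +0000
From: it-support@acme-corp.example
To: cfo@acme-corp.example
Subject: Action required: password expiry

body
"""

HOP_RE = re.compile(r"\bfrom\s+([^\s(;]+).*?\bby\s+([^\s(;]+)", re.I | re.S)


def received_hops(raw):
    """Return (from_host, by_host) pairs for each Received header, newest first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold the header
        m = HOP_RE.search(flat)
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return hops


def classify_ingress(raw, gateway_hosts=GATEWAY_HOSTS, corporate_domains=CORPORATE_DOMAINS):
    """Locate the hop stamped by Exchange Online's own endpoint and check that
    the peer it received from was the gateway. 'none' means no internet
    ingress hop was found (e.g. purely internal mail)."""
    result = {"ingress": "none", "from_host": None, "spoofed_internal": False}
    for frm, by in received_hops(raw):
        if by.endswith(EOP_SUFFIX):
            result["from_host"] = frm
            result["ingress"] = "gateway" if frm in gateway_hosts else "direct"
            break
    sender = (message_from_string(raw).get("From") or "").lower()
    sender_domain = sender.rpartition("@")[2].strip("<> ")
    # A message that skipped the gateway and claims to come from our own
    # domain is the Ghost Sender pattern.
    result["spoofed_internal"] = result["ingress"] == "direct" and sender_domain in corporate_domains
    return result


def hunt(messages):
    """Return the messages that reached the tenant without passing the gateway."""
    return [m for m in messages if classify_ingress(m)["ingress"] == "direct"]


if __name__ == "__main__":
    for raw in (VIA_GATEWAY, DIRECT):
        print(classify_ingress(raw))
```

Run over an export of message headers, `hunt()` gives the list the task force in the scenario needed: every message that arrived on the alternative path. A single hit for a message with an internal From address is enough to prove that the path exists, months before a phishing campaign uses it.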

What lessons can be learned from this?

From a technical perspective, Ghost Sender is a misconfiguration; from an organizational perspective, it is a blind spot. In this case, no one acted negligently: the gateway is installed correctly, the environment is operated correctly, and the security personnel have fulfilled their duties. However, the architecture has become more complex over the years.

Spam filters were implemented, email archiving was integrated, various partner connections were established, cloud migrations were carried out, exception rules were defined, and temporary workarounds were implemented. Each of these changes is understandable. But every additional component increases the complexity of the overall system, and that is precisely where risks arise. Security architectures become outdated. That is why they must be regularly validated and critically scrutinized. After all, the most dangerous vulnerabilities are not the ones we know about, but those we are convinced simply cannot exist.

Complexity is not only a problem when it comes to identifying such vulnerabilities, but also when it comes to fixing them. For example, it has been observed in practice that some companies took several weeks to correct a misconfiguration, during which time they were vulnerable to corresponding phishing attacks.

3 Key Measures Against Ghost Senders

  1. Establish configuration hygiene
    ◾Regularly check SPF
    ◾Implement DKIM correctly
    ◾Enable DMARC enforcement

  2. Adopt an external perspective
    ◾Continuously monitor your own attack surface
    ◾Validate DNS and email configurations
    ◾Conduct regular exposure assessments

  3. Establish processes for rapid response
    ◾Define responsibilities
    ◾Prioritize critical changes
    ◾Establish standardized risk analyses
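The configuration-hygiene items in measure 1 (SPF, DMARC) are checkable without any DNS round trip once the TXT records are in hand. The Python below is an added example, not code from the original article or from InfoGuard. It assesses constructed SPF and DMARC records for the weaknesses a reviewer looks for: a permissive or missing `all` qualifier, the deprecated `ptr` mechanism, more than the ten DNS-lookup terms RFC 7208 allows, a `p=none` DMARC policy, partial `pct`, missing aggregate reporting, and an unprotected subdomain policy. The domains in the sample records are invented; DKIM is left out because checking it requires retrieving the selector keys.

```python
# Constructed records for the example; the domains are invented.
RECORDS = {
    "weak": {
        "spf": "v=spf1 include:spf.protection.outlook.com a mx ptr ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@acme-corp.example",
    },
    "hardened": {
        "spf": "v=spf1 include:_spf.mailgw-vendor.example -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@acme-corp.example",
    },
}


def _is_lookup(term):
    """Mechanisms/modifiers that cost a DNS lookup under RFC 7208 section 4.6.4."""
    t = term.lstrip("+-~?").lower()
    return t in ("a", "mx", "ptr") or t.startswith(
        ("a:", "a/", "mx:", "mx/", "ptr:", "include:", "exists:", "redirect=")
    )


def assess_spf(record):
    """Return a list of findings for an SPF TXT record; empty means clean."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no valid SPF record (missing or wrong version tag)"]
    findings = []
    terms = record.split()[1:]
    lookups = sum(1 for t in terms if _is_lookup(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10; SPF evaluates to permerror")
    if any(t.lstrip("+-~?").lower().startswith("ptr") for t in terms):
        findings.append("ptr mechanism is deprecated, slow and unreliable")
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms and not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms:
        q = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if q == "+":
            findings.append("'+all' authorises every host on the internet to send as this domain")
        elif q == "?":
            findings.append("'?all' is neutral; equivalent to no SPF policy")
        elif q == "~":
            findings.append("'~all' softfail; prefer '-all' once DMARC reporting confirms all senders are listed")
    return findings


def assess_dmarc(record):
    """Return a list of findings for a DMARC TXT record; empty means clean."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["no valid DMARC record"]
    tags = {}
    for part in record.split(";"):
        k, sep, v = part.partition("=")
        if sep:
            tags[k.strip().lower()] = v.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua= aggregate reporting address; you cannot see who sends as your domain")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains remain unprotected")
    return findings


if __name__ == "__main__":
    for label, recs in RECORDS.items():
        print(label, "SPF:", assess_spf(recs["spf"]))
        print(label, "DMARC:", assess_dmarc(recs["dmarc"]))
```

In practice the two records are fetched with a TXT query for the domain and for `_dmarc.<domain>` and fed to these functions on a schedule, so that a change made during a migration or a partner onboarding is caught the next day rather than during an incident.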

The common attack pattern behind all three incidents

At first glance, these attacks appear completely different.

  • Ransomware via VPN

  • Supply chain compromise

  • Ghost sender misconfiguration

In fact, they share the same root cause: a lack of transparency regarding risks that lie outside the immediate field of view.

VPN access without MFA was exposed. The supply chain was treated as trustworthy without verification. The email infrastructure contained unknown vulnerabilities or misconfigurations. None of these attacks began with a highly complex technical exploit. They began with a security gap in visibility, control, or governance.

Identifying cyber risks before they become attack vectors

The crucial question today is no longer: “Do we have enough security products?” but rather: “Do we know what risks exist outside our current field of view?”
Those who protect their identities, monitor the software supply chain, and continuously assess and reduce external attack surfaces not only lower the likelihood of successful cyberattacks but also detect threats much earlier.

These three examples represent only a small fraction of current attack patterns.

In our latest InfoGuard Threat Intelligence white paper, we analyze:

  • the most significant attack vectors from the past year

  • current developments in ransomware, supply chain, and identity attacks

  • concrete, real-world incident response insights

  • prioritized protective measures for businesses and government agencies

Use the free white paper, “InfoGuard Threat Intelligence Insights 2025” as a reality check: Determine which attack patterns are particularly relevant right now and which measures should be a priority for your organization.


Don’t want to miss any important developments? Subscribe to our blog updates and benefit from regular insights into current threat trends, security risks, and relevant market developments.
