HydraWatch All articles
Phishing & Scam Awareness

One Bad Click: A Realistic Breakdown of What a Phishing Attack Does to You — and Your Network

HydraWatch
One Bad Click: A Realistic Breakdown of What a Phishing Attack Does to You — and Your Network

Photo by Photo by Bernd 📷 Dittrich on Unsplash on Unsplash

It was a Tuesday afternoon when Sandra, a project manager at a mid-sized logistics firm outside of Columbus, Ohio, received an email from what appeared to be her company's IT department. The subject line read: Action Required: Verify Your Microsoft 365 Account Before 5 PM. The sender address looked right. The Microsoft logo at the top looked right. The blue button that said Verify Now looked very, very right.

She clicked it.

What happened next unfolded across four hours and touched fourteen systems on her company's internal network. Sandra didn't know any of it was happening. She was in a two o'clock meeting about Q3 shipping projections.

Sandra is fictional. The attack she experienced is not. Scenarios like hers play out thousands of times each day across the United States — in corporate offices, home offices, school districts, and hospital systems. According to the FBI's 2023 Internet Crime Report, phishing remains the most frequently reported cybercrime category in the country, with losses in the billions annually.

Understanding what actually happens after that click — technically, sequentially, and concretely — is not just an academic exercise. It is the foundation of knowing how to respond.

The Moment of Contact: What the Link Is Actually Doing

When Sandra clicked the Verify Now button, her browser sent an HTTP request to a domain that looked plausible — something like microsoft-365-verify[.]net — but was controlled entirely by an attacker. This is the first stage of what security professionals call a phishing kit: a pre-built package of spoofed web pages, credential-capture scripts, and backend logging infrastructure that can be deployed in minutes.

Her browser loaded a page that was a near-perfect visual replica of Microsoft's legitimate sign-in portal. Every logo, font, and layout element had been copied from the real site. There was no obvious indication that anything was wrong.

When Sandra entered her username and password and clicked Sign In, two things happened simultaneously. First, the phishing kit's backend script captured her credentials and transmitted them — in real time — to the attacker's collection server. Second, Sandra was silently redirected to the actual Microsoft 365 login page, where her credentials worked normally. She saw a brief loading screen, then her inbox. She assumed the verification had completed successfully. She went to her meeting.

Stage Two: Session Hijacking and the MFA Problem

Here is where modern phishing attacks have grown considerably more sophisticated. Sandra's company used multi-factor authentication on its Microsoft 365 accounts — a security control that, in theory, should have stopped a stolen password from being immediately useful. The attacker anticipated this.

Many advanced phishing kits now function as what researchers call adversary-in-the-middle proxies. Rather than simply capturing credentials, the attacker's server acts as a real-time relay between Sandra's browser and Microsoft's actual servers. When Sandra entered her password, the proxy forwarded it to Microsoft, triggering the legitimate MFA prompt on her phone. Sandra approved the prompt — she was, after all, trying to log in — and the proxy captured not just her credentials but her authenticated session token: the cryptographic cookie that Microsoft's servers issued to confirm she had successfully completed login.

With that session token, the attacker had something more valuable than a password. They had a valid, authenticated session — one that would not require MFA again for hours or days, depending on the account's configuration. They imported it into their own browser and were inside Sandra's Microsoft 365 account within minutes of her clicking the link.

Stage Three: The Inbox as a Weapon

Access to a corporate email account is not the end of an attack. For a skilled attacker, it is the beginning of the most dangerous phase: lateral movement.

From Sandra's inbox, the attacker conducted rapid reconnaissance. They reviewed sent mail, calendar entries, and contact lists to understand her role, her relationships, and the financial and operational processes she touched. Within thirty minutes, they had identified Sandra's manager, the company's accounts payable coordinator, and an ongoing vendor payment thread involving a transfer of approximately $140,000.

Using Sandra's compromised account — with her actual name, her actual email signature, her actual writing style as a template — the attacker sent a message to the accounts payable coordinator requesting a change to the vendor's banking details. This technique, known as business email compromise, or BEC, is responsible for more financial losses than any other form of cybercrime tracked by the FBI.

Simultaneously, the attacker established email forwarding rules within Sandra's account, silently copying all incoming messages to an external address. Even if Sandra's password was later reset, the forwarding rule would continue to exfiltrate communications until someone noticed and manually removed it.

Stage Four: Malware and Network Spread

Not every phishing attack stops at credential theft. In more aggressive campaigns — particularly those targeting organizations rather than individuals — the initial phishing link may serve as a delivery mechanism for malware.

In Sandra's scenario, a second email arrived in her inbox twenty minutes after the initial compromise. It appeared to come from a colleague and contained a document attachment described as Updated Q3 Freight Projections. The attachment was a weaponized Office file. Had Sandra opened it, it would have executed a macro that downloaded a remote access trojan — a piece of software that gives the attacker persistent, covert control over the infected machine and, from there, a foothold into the broader corporate network.

This is the pathway through which ransomware deployments typically begin: a single phished credential or malicious attachment gives attackers a toehold, which they use to map the internal network, escalate privileges, and ultimately deploy encryption payloads across dozens or hundreds of systems simultaneously.

What to Do If You Think You've Been Phished

Time is the critical variable. The sooner you act after a suspected phishing click, the more damage you can contain. Here is a clear, prioritized response sequence:

1. Disconnect immediately. If you are on a work device or a corporate network, disconnect from Wi-Fi or unplug the ethernet cable. This interrupts any active malware communication and limits the attacker's ability to move laterally through the network. Do not shut the device down — this can destroy forensic evidence that your IT team will need.

2. Notify your IT or security team right away. If this happened on a work device, your organization's security team needs to know immediately. Do not wait to see if anything bad happens. The accounts payable scenario above can unfold in under an hour.

3. Change your password from a separate, clean device. Do not use the potentially compromised device to reset credentials. Use your phone or a different computer. Change the password for the affected account first, then any other accounts that share the same password.

4. Review and revoke active sessions. Most major platforms — Microsoft, Google, Apple — allow you to view all active logged-in sessions and terminate them remotely. Do this immediately after resetting your password to invalidate any stolen session tokens.

5. Check for unauthorized changes. Look for email forwarding rules, filters, or auto-reply settings you did not create. Review recent sent mail for messages you did not send. Check account recovery options — phone numbers and backup email addresses — for changes.

6. Enable MFA if it wasn't already active — and consider upgrading it. Standard SMS-based MFA is better than nothing, but hardware security keys or passkey-based authentication are significantly more resistant to the adversary-in-the-middle attacks described above.

7. Run a malware scan. If you clicked a link and then opened any file or download from the suspicious session, run a full system scan using reputable security software before reconnecting to any network.

The Takeaway

Phishing works because it exploits human cognition, not software vulnerabilities. The emails are designed to create urgency, mimic trusted sources, and compress the time between stimulus and response. Sandra did not fail a security test. She responded the way any busy professional might when presented with a convincing, time-pressured message from what appeared to be her IT department.

The defense is not paranoia. It is a set of practiced habits: slowing down before clicking, verifying sender addresses through independent channels, and knowing exactly what to do in the first five minutes after a suspected compromise. Those five minutes can be the difference between an inconvenient password reset and a six-figure wire fraud loss.

All articles

Related Articles

Operation Dark Hydra: Inside the $25 Million Bust That Rewrote the Rules of Darknet Enforcement

Operation Dark Hydra: Inside the $25 Million Bust That Rewrote the Rules of Darknet Enforcement

The Vault Problem: When Your Password Manager Gets Hacked and What You Can Do About It

The Vault Problem: When Your Password Manager Gets Hacked and What You Can Do About It