Listen to this Post
Cybersecurity Starts on Day One — Literally
Every time a new hire joins your company, a window opens. That window is opportunity — for attackers. In today’s world of sophisticated email phishing, the timeline between a newly created corporate email address and the first wave of phishing attempts has become frighteningly short. In this revealing case study by cybersecurity expert Christopher Crowley, we dive into a real-life experiment showing how quickly threat actors pounce on new targets. This story serves as a crucial wake-up call for organizations to implement robust onboarding security practices, including email security, phishing awareness, and identity protection, starting from the very moment a digital identity is created.
Phishers Attack in Less Than Two Weeks
On May 16th, Christopher Crowley created a new email account on his Google Workspace domain, montance.com. This was no ordinary inbox — it was carefully monitored, part of a test to observe when, not if, phishing attempts would begin. The domain itself was set up with a catchall account, meaning any email address under the domain would route to a valid inbox. This is crucial: it makes it easier to see unsolicited emails directed at even unannounced usernames.
By May 28th — just 12 days later — phishing emails started flooding in. These weren’t generic spam messages. Instead, they used psychological tricks, mimicking urgency and authority. Senders had subject lines such as:
“EMERGENCY: PROVIDE YOUR CELL NUMBER IMMEDIATELY”
“GET BACK TO ME IMMEDIATELY”
“Quick Response”
“RESPONSE REQUIRED”
The senders appeared to be exploiting urgency to force action, a common social engineering tactic. Most of these messages landed in the spam folder initially, but on June 10th, a few slipped through. Even more troubling, a text message followed that same day — marking a clear escalation in the attack strategy.
The attacker used a set of Gmail addresses that appeared hastily created but strategically named to reinforce urgency. Examples include:
[[email protected]](mailto:[email protected])
[[email protected]](mailto:[email protected])
[[email protected]](mailto:[email protected])
Another noteworthy point: the emails addressed Crowley using his LinkedIn name — which includes professional certifications. This confirms some level of data correlation. However, the email used for the phishing messages wasn’t published anywhere publicly, and it was distinct from the one listed on his LinkedIn account. That indicates the attackers are using more than just surface data scraping; they’re leveraging either scripts or active enumeration tools to identify new addresses.
Despite these targeted attempts, Crowley had strong defenses in place: multi-factor authentication (MFA) was active, and he remained vigilant throughout. But not every organization is this lucky. Had this email belonged to a new employee unaware of these threats, the outcome might have been very different.
Crowley closes with a question for the community: is there a tool, perhaps a variant of Invoke-MSOLSpray, that targets Google Workspace to discover new accounts? Because the behavior suggests that attackers are running automated scans and alerting themselves as soon as fresh prey appears.
This isn’t just a case study — it’s a stark reminder that the moment a new digital identity is born, it becomes a target. And attackers are always watching.
What Undercode Say:
The Phishing Clock Starts Ticking Instantly
From a cybersecurity standpoint, this scenario confirms a troubling but increasingly evident truth: attackers are deploying automated systems to discover and exploit newly created corporate email addresses within days. The average organization may assume that phishing is opportunistic and random. But this case study reveals a highly systematic, almost industrial approach to digital reconnaissance.
Automation Is the Phisher’s Best Friend
The precision and speed of the phishing campaign suggest the use of automated scanning tools that detect new MX (Mail Exchange) entries or monitor DNS updates to identify fresh domain configurations. When a new user account appears, it likely triggers a botnet-driven campaign to test inbox accessibility.
Catchall Domains Are Double-Edged Swords
Crowley’s use of a catchall domain helped reveal the volume and content of the phishing attempt. But in a real-world scenario, this setup can be risky. While catchalls allow visibility, they also confirm that every potential email variation under a domain exists — making brute-force username enumeration much more rewarding for attackers.
LinkedIn: A Phisher’s Playground
The use of Crowley’s LinkedIn name and its professional credentials shows that attackers are scraping public data to personalize phishing lures. This increases the chances of victim compliance, particularly with new employees who want to appear competent and responsive.
Urgency: The Most Powerful Weapon in the Attacker’s Arsenal
The wording in the email subjects reveals a deep understanding of human behavior. By simulating authority and urgency, attackers pressure targets to act without thinking. This “compliance-through-panic” model is especially effective on new hires who may fear consequences for delayed action.
SMS as a Secondary Attack Vector
The evolution from email to SMS within this short timeframe illustrates a well-orchestrated multichannel phishing campaign. SMS phishing (smishing) remains a significant threat, especially when combined with email phishing to create pressure from multiple angles.
MFA Helps, But Awareness Is Key
Multi-factor authentication played a key role in preventing account compromise in this instance. However, MFA is not a silver bullet. Phishing campaigns now frequently include MFA bypass strategies, including token theft and real-time proxy attacks. The first line of defense remains the human behind the screen.
The Training Gap for New Hires
This scenario underscores the need for security awareness training to be included in the onboarding process — not as a checklist item weeks later. A new employee is at their most vulnerable in the early days, unfamiliar with internal protocols and more likely to act impulsively in the face of perceived authority.
Cyber Hygiene Requires Continuous Vigilance
The article’s events are not shocking to seasoned professionals, but they reflect the reality that attackers are growing more adaptive. They’re not only watching — they’re learning. Each new tactic adds to their playbook, and every untrained user gives them an opportunity.
Attackers Are Acting Faster Than Ever
Twelve days might sound like a buffer, but in digital terms, it’s lightning fast. If malicious actors are using detection scripts to target new mailboxes, the actual identification phase may be even shorter. The attack window is shrinking, and preparation must begin even before a new hire receives access credentials.
🔍 Fact Checker Results:
✅ MFA was active and correctly blocked deeper compromise
✅ No public exposure of the new email suggests internal enumeration
❌ Most employees would not detect these phishing attempts without training
📊 Prediction:
🚨 Phishing attempts against new corporate emails will become near-instantaneous
🕵️♂️ Attackers will increasingly use LinkedIn metadata to personalize lures
💡 Expect future phishing to leverage AI for even more convincing messages
References:
Reported By: isc.sans.edu
Extra Source Hub:
https://www.pinterest.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
