When Kebabs Crypto and Compromise Collide
By Lewis Pack, Head of Cyber Defence, CyberOne

Welcome back to Stories from the SOC, where we lift the lid on real cyber threats, responses and lessons learned inside CyberOne's 24x7 Security Operations Centre. This month, our story starts with an unexpected source: a kebab order. Yes, really.

This isn’t a cautionary tale about late-night cravings. It’s a case study of how seemingly trivial supply chain elements can become entry points for attackers. What follows is a comprehensive walkthrough of our incident response, complete with detection, escalation, cross-functional communication, open-source intelligence gathering and containment—all in pursuit of protecting our clients, their supply chains and their reputations.

The Unexpected Caller

For our client, this story begins with a suspicious phone call to a former employee. The caller claimed they could help recover access to a crypto wallet. Disturbingly, they had three specific pieces of information: the former employee’s full name, personal mobile number and an old corporate email address. Because our client had maintained a strong relationship with that former employee, they were fortunately made aware that this call had occurred.

Our client flagged the event to us immediately. They knew the former employee wasn’t assigning blame — just showing caution. That first alert was enough for us to begin a structured assessment with the client. It quickly became clear that the attacker had used an email domain that the client had retired five years ago.

The risk looked limited initially. However, another individual from the same client received a similar call shortly after.

Suddenly, what looked like an isolated incident was clearly part of a pattern. I recognised the same red flags — outdated data, urgency and a too-good-to-be-true crypto narrative. This triggered immediate escalation.

Reassessing The Risk

We reopened the case and added the newly available details. The overlap in data points led us to suspect a potential third-party exposure, so we initiated a war room with the client.


What is a War Room in Cyber Security?

A war room is a dedicated, often virtual, space where cross-functional teams assemble during a security incident to coordinate rapid, decisive action.

It includes key personnel from the SOC, incident response, IT, legal and communications teams. The purpose is to centralise decision-making, reduce response time, assign roles, manage containment and ensure consistent messaging.

Think of it as a digital emergency operations centre — where speed, collaboration and clarity are essential.



In the midst of this, we received an unusual but timely tip: one of their local kebab shops — one that the client team had ordered from — reached out about a breach involving a third-party data processor.

It seemed unrelated (and perhaps a little far-fetched) at first. But when we reviewed it, everything lined up. The breach exposed names, phone numbers and email addresses. The timing, the target list and the data the threat actors had in hand clearly identified this breach as the source.

Using OSINT tools like Have I Been Pwned, we verified the data exposure. That Friday night order unwittingly exposed customer data that fed into a socially engineered attack. 
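As an added illustration of the correlation step described above (this is not CyberOne’s tooling or code from the original post), the snippet below takes the data classes a caller demonstrably held and a set of candidate breach records in the shape of Have I Been Pwned’s breach model, and keeps only breaches that expose every one of those data classes and predate the first attacker contact. The breach records, domains and dates are constructed for the example.

```python
"""Correlate attacker-held data points with candidate breach records.

Added example. Field names (Name, Domain, BreachDate, DataClasses) follow the
HIBP breach model; every value below is constructed, not a real breach.
"""
import json
from datetime import date

# Constructed sample breach records in HIBP breach-model shape.
SAMPLE_BREACHES_JSON = """[
  {"Name": "ExampleTakeawayProcessor", "Domain": "takeaway-processor.example",
   "BreachDate": "2025-03-02",
   "DataClasses": ["Email addresses", "Names", "Phone numbers"]},
  {"Name": "ExampleForum", "Domain": "forum.example",
   "BreachDate": "2019-07-14",
   "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
  {"Name": "ExampleLateLeak", "Domain": "late.example",
   "BreachDate": "2025-06-20",
   "DataClasses": ["Email addresses", "Names", "Phone numbers"]}
]"""

# What the caller demonstrably knew, expressed as HIBP data-class names.
ATTACKER_HELD = {"Names", "Phone numbers", "Email addresses"}


def candidate_sources(breaches, held, first_contact):
    """Split breaches into plausible sources and rejected ones (with reasons).

    A breach is a plausible source only if it exposes every data class the
    attacker used AND happened before the first attacker contact. Rejections
    carry a human-readable reason so an analyst can see why a breach was
    dropped. Matches are returned oldest first.
    """
    matches, rejected = [], []
    for b in breaches:
        exposed = set(b["DataClasses"])
        when = date.fromisoformat(b["BreachDate"])
        missing = held - exposed
        if missing:
            rejected.append((b["Name"], "lacks " + ", ".join(sorted(missing))))
        elif when >= first_contact:
            rejected.append((b["Name"], f"breached {when}, after first contact"))
        else:
            matches.append((b["Name"], when))
    matches.sort(key=lambda m: m[1])
    return matches, rejected


def run_sample():
    """Run the correlation over the constructed sample (first call: 2025-05-05)."""
    return candidate_sources(json.loads(SAMPLE_BREACHES_JSON), ATTACKER_HELD,
                             date(2025, 5, 5))
```

On the sample data only the takeaway processor breach survives: the forum leak never exposed names or phone numbers, and the later leak post-dates the first call.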

Third-party data risks can be challenging to manage. In this instance, stakeholders were briefed and staff were issued security guidance. The specifically targeted users (and those we expected to be targeted) were contacted directly and given advice and guidance on how to keep themselves safe.

The vector discussed here is one we see more commonly attempted by threat actors. They rely on humans being the weakest link in the chain to further their attacks. In this instance, the diligence of those targeted prevented any damage to the organisation from occurring (see section “Layered Defence in Action” to understand how to protect yourself from this type of attack).

The Attacker’s Playbook

The threat actor’s sophistication elevated this from anecdotal to alarming. They didn’t rely on malware. They exploited trust.

Using Gmail accounts and Google Meet, the attackers followed phone calls with legitimate calendar invites. There was no spoofing, no payload, just precision-crafted social engineering.

The objective? Remote access. Once inside, they would’ve likely:

  • Accessed or exfiltrated files

  • Moved laterally within the environment

  • Targeted privileged accounts for broader access


They were deliberate and coordinated. This wasn’t a lone wolf. It reflected a modular attack model in which data brokers, phishing agents and exploit crews each played a role.

What We Learned

1. Cybercrime is a Business With Divisions

Threat actors now work in specialisms. Access brokers, phishing creators and execution teams are often separate entities. Each plays a part in a seamless criminal supply chain.

2. Supply Chains Can Be Attack Vectors

Risk extends beyond your environment. A vendor’s vendor — in this case, a takeaway’s payment processor — created the entry point.

3. Retired Domains Are Still Vulnerabilities

Legacy domains, even dormant ones, can legitimise phishing attempts. If you’re rebranding or retiring, secure and monitor your old assets.

4. Dark Web Monitoring is Essential

We used dark web intelligence to correlate data exposure with timing and tactics. These insights helped us quickly confirm and isolate the threat vector.

5. People Matter Most

Awareness was the first line of defence. The client’s former employee’s caution and a well-informed team enabled us to move quickly. Human vigilance prevented a potential compromise.

How We Responded

  1. War Room Activated: Real-time coordination across CyberOne and client teams.
  2. Third-Party Review: We worked with the client to assess historic supplier relationships.
  3. Communications Plan: Stakeholders were briefed and staff were issued security guidance.
  4. OSINT and Threat Intelligence: Used to verify exposure sources and attacker tactics.
  5. Security Enhancements: Post-incident training, phishing simulations and domain governance.

Layered Defence in Action

Here’s what helped limit the exposure:

  • Email Filtering & Gateway Controls (though bypassed via legitimate tools)

  • Privileged Identity Management (PIM): Prevented escalation of access

  • Awareness Training: Staff recognised the social engineering attempt

  • Dark Web Monitoring: Confirmed breach origins

  • Rapid Incident Response Coordination: Enabled timely containment

Final Thoughts

This story is about vigilance, relationships and how something as ordinary as a kebab order can lead to an extraordinary security lesson.

While we’re always braced for ransomware or nation-state campaigns, the simplest things—legacy emails, exposed phone numbers, everyday tools—often catch us off guard.

This case reinforced a core truth: cyber resilience starts at the edges. It begins with the people, the processes and the partners — all working together.

Stay sharp. Stay connected. And remember, cyber resilience is everyone’s job.