Sarah clicked the link on a Friday afternoon. It’s always a Friday. I know because I was watching the logs, eating takeout pad thai in a conference room we'd commandeered for the engagement. My colleague Dave had bet me twenty bucks she wouldn't fall for it. He lost.
The email came from their identity provider, Okta, or at least from an Okta tenant. See, when the client asked us earlier that month to test whether someone could reach their credit card database, they figured phishing was unlikely, since they were using enterprise Okta with MFA. They didn’t realize that a test Okta tenant can send real notification emails straight from Okta's own mail systems - like getting official mail from the post office itself.
The subject line was boring: "Action Required: MFA Factor Expiring." The kind of email that could theoretically show up, and everyone half-heartedly clicks through in mild confusion.
Sarah's credentials, MFA token, and Okta session landed in our logs between bites of noodles. We were in.
One tile gave us access to a bastion host. Bastion hosts are like high-end apartment building lobbies. Looks like great security. Everyone has to badge in. Cameras everywhere. But once you're inside, you realize half the apartment doors are propped open because residents got tired of fumbling for keys.
We found six active SSH sessions on that bastion. Of course, for convenience, Sarah had sudo rights, full access to the system. Some of those sessions had been running since the previous Monday. Sarah had the technical equivalent of a master key, and six other employees had left their sessions up. Not so different from leaving your laptop logged in at a coffee shop, except these sessions were on critical systems.
The way Linux handles terminal sessions, you can attach to someone else's active session relatively easily. Everything’s a file, and it’s a feature, not a bug. You don’t really have privacy on a multi-user system on an unhardened Linux box.
The developer whose session we hijacked, we’ll call him Tom, had beautiful access. Production database, read-write. His session had numerous SQL queries and creds. We didn't even need to try.
echo "SELECT COUNT(*) FROM CC;" | sqlplus
Four million rows. Dave stopped eating his pad thai.
The beautiful part about having database access is that you don't need to exfiltrate anything to prove impact. Screenshots work fine. But we're thorough, so we kept poking. Surely a multi-gigabyte outbound stream (of random data) to MegaUpload from this server would cause alarm. It did not.
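The volume check that should have fired on that outbound stream, as an added example written for this post rather than anything from the engagement or the client. It reads a constructed CSV of flow records (timestamp, source, destination, bytes) and reports any source that has pushed more than a threshold to addresses outside an assumed internal range of 10.0.0.0/8; real input would be VPC flow logs, a firewall connection log or NetFlow exports reshaped into that form.

```shell
#!/bin/sh
# Added example for this post (not code from the engagement or the client):
# the kind of egress volume check that would have flagged the multi-gigabyte
# outbound stream from the database server. Input is a constructed CSV of
# flow records: ts,src,dst,bytes. Assumption: 10.0.0.0/8 is internal and
# every other destination counts as egress.

# flag_bulk_egress THRESHOLD_MIB   (reads flow CSV on stdin, header optional)
# Sums bytes per (source, external destination) pair and prints
# "SRC DST MIB" for each pair above the threshold, largest first.
flag_bulk_egress() {
  awk -F, -v max="$1" '
    $1 == "ts" { next }                         # skip a header line
    NF == 4 && $3 !~ /^10\./ { out[$2 " " $3] += $4 }
    END {
      for (pair in out) {
        mib = int(out[pair] / 1048576)          # whole MiB, rounded down
        if (mib > max) print pair, mib
      }
    }' | sort -k3,3nr
}

# Constructed flows: 10.0.2.15 (the database host) pushes about 3.2 GiB to one
# external address in a few minutes while a neighbour does ordinary traffic.
SAMPLE_FLOWS='ts,src,dst,bytes
2024-03-08T15:01:00Z,10.0.2.15,10.0.1.5,18200
2024-03-08T15:02:00Z,10.0.2.15,203.0.113.40,1073741824
2024-03-08T15:03:00Z,10.0.2.15,203.0.113.40,1073741824
2024-03-08T15:04:00Z,10.0.2.15,203.0.113.40,1288490188
2024-03-08T15:04:30Z,10.0.2.16,10.0.1.9,4096
2024-03-08T15:05:00Z,10.0.2.16,198.51.100.7,2048'

# Demo on the constructed sample with a 500 MiB threshold.
printf '%s\n' "$SAMPLE_FLOWS" | flag_bulk_egress 500

# On real data (not run here): flag_bulk_egress 500 < flows.csv
```

A database server has no business sending gigabytes anywhere outside the network, so the threshold for that host class can sit far below what a file server or backup target would need; the aggregation by destination also tells the analyst where the data went, not just that it left.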
The client took it well, considering. The CISO actually laughed when we showed the bastion host session hijacking. The SOC manager’s laugh was more of a cold-sweat grimace.
The fixes don’t necessarily need expensive tools or consultants, but they do need changes to Linux configuration and workflows. No blanket root access, for one. SELinux, for another. We told Okta about the email abuse on free accounts; that now comes with slightly more friction, in the form of a credit card requirement.
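Two of the checks a defender would run on that bastion, covering both the sessions left up for days and the blanket sudo rights, as an added example written for this post rather than anything from the engagement or the client. The first function reads `who -u` output and reports sessions idle past a threshold; the second reads sudoers text and reports every user or group whose command list is `ALL`. All sample input is constructed, and the sudoers parser deliberately does not expand `Cmnd_Alias` names.

```shell
#!/bin/sh
# Added example for this post (not code from the engagement or the client):
# two audit checks for a Linux bastion, matching the conditions the story
# describes: sessions left idle for days, and accounts holding blanket root
# through sudo. All sample input below is constructed.

# flag_idle_sessions MAX_MINUTES   (reads `who -u` output on stdin)
# `who -u` columns: NAME LINE DATE TIME IDLE PID COMMENT. IDLE is "." for
# activity within the last minute, "old" for more than 24 hours, else HH:MM.
# Prints "NAME LINE IDLE PID" for each session idle longer than MAX_MINUTES.
flag_idle_sessions() {
  awk -v max="$1" '
    NF >= 6 {
      idle = $5
      if (idle == ".") next
      if (idle == "old") mins = 24 * 60
      else { split(idle, t, ":"); mins = t[1] * 60 + t[2] }
      if (mins > max) print $1, $2, idle, $6
    }'
}

# blanket_root_rules   (reads sudoers text on stdin)
# Prints the user or %group of every rule whose command list is ALL, i.e. a
# principal that can run anything as root. Comments, blank lines, Defaults
# and alias definitions are skipped. Assumption that keeps this short:
# Cmnd_Alias names are not expanded, so "sarah ALL=(ALL) DBA_CMDS" is not
# reported even if DBA_CMDS resolves to ALL.
blanket_root_rules() {
  awk '
    NF == 0                          { next }
    /^[[:space:]]*#/                 { next }
    /^[[:space:]]*Defaults/          { next }
    /^[[:space:]]*[A-Za-z]+_Alias/   { next }
    {
      line = $0
      gsub(/(NOPASSWD|PASSWD|NOEXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT):/, "", line)
      n = split(line, parts, "=")
      cmds = parts[n]                # text after the last "=": the command list
      gsub(/\([^)]*\)/, "", cmds)    # drop the "(runas)" specification
      gsub(/[[:space:]]/, "", cmds)
      if (cmds == "ALL") print $1
    }'
}

# Constructed `who -u` output, in the shape seen on the bastion in the story.
SAMPLE_WHO='tom      pts/0        2024-03-04 09:12   old        4123 (10.0.1.5)
sarah    pts/1        2024-03-08 14:02   .          9981 (10.0.1.7)
alice    pts/2        2024-03-08 11:30   02:45      7710 (10.0.1.9)
bob      pts/3        2024-03-08 13:50   00:12      8003 (10.0.1.4)'

# Constructed sudoers fragment: three blanket-root rules (root itself, the
# wheel group and sarah) and one scoped rule for tom.
SAMPLE_SUDOERS='# /etc/sudoers (constructed)
Defaults env_reset
Defaults:sarah !requiretty
User_Alias DBA = tom, alice
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
sarah   ALL=(ALL) ALL
tom     ALL=(root) /usr/bin/systemctl restart app, /usr/bin/journalctl -u app'

demo() {
  echo "== sessions idle longer than 60 minutes =="
  printf '%s\n' "$SAMPLE_WHO" | flag_idle_sessions 60
  echo "== principals with blanket root via sudo =="
  printf '%s\n' "$SAMPLE_SUDOERS" | blanket_root_rules
}
demo

# On a real host (not run here):
#   who -u | flag_idle_sessions 60
#   cat /etc/sudoers /etc/sudoers.d/* | blanket_root_rules
```

The idle check is the detective half; the preventive half is sshd's `ClientAliveInterval` and `ClientAliveCountMax` plus a shell `TMOUT`, so a session abandoned on Monday is gone long before Friday. For sudo, the scoped rule in the sample is the shape to aim for: name the commands a role actually needs rather than granting `ALL`, and treat anything the second function prints as a finding to justify or remove.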
It took just a few days. We weren’t necessarily an advanced persistent threat - just a persistent one. And these patterns repeat everywhere: people can be tricked into sharing access, database admins need access, and test systems touch production.
The difference between a breach and a near-miss is typically whether someone on your side finds these issues before someone with different motivations does.
Sarah might actually still work there, and probably hasn’t fallen for a phish again. Nothing makes you take that seriously like being patient zero in a red team engagement.
Every company has a Sarah, a Tom, and a bastion host with too many permissions. The difference between the breached and the unbreached isn't typically superior technology or smarter employees. It's whether someone like us finds these issues before someone with a different business model does. We get paid to stop after safely proving impact. Others don't.
Names and places slightly modified to protect the guilty innocent.