
7 Minute Security
In episode 705 of the 7‑Minute Security podcast, host Brian Johnson shares a rare "fail" story: a phishing campaign that unraveled because the client’s expectations, pricing discussions, and technical scope were never aligned. He recounts how a partner‑driven engagement spiraled from a full‑stack assessment request into a rushed, misunderstood test, highlighting that even seasoned consultants can stumble when communication gaps persist. The narrative serves as a reminder that security projects, especially social‑engineering exercises, demand crystal‑clear contracts and realistic deliverables before any email is sent.
A central theme of the conversation is the distinction between a vulnerability assessment and a true penetration test. Johnson points out that many vendors label a simple Nessus scan as a "pen test," when it merely reports missing patches and exposed services. He explains that a genuine internal penetration test should focus on privilege escalation, Active Directory exploitation, and post‑exploitation tactics, while a vulnerability assessment provides a baseline patch‑level view. This nuance directly impacts pricing, client education, and the perceived value of the service, as the client in the story mistook a basic scan for comprehensive testing and balked at the higher cost of a real engagement.
The episode concludes with practical lessons for security professionals and business leaders. Clear scoping documents, agreed‑upon success criteria, and transparent communication about what will be tested—and what will not—can prevent the kind of last‑minute abort Johnson experienced. Managing client expectations, especially around email allow‑listing in Microsoft 365 and the use of cloned domains, protects both reputation and revenue. By sharing this failure, Johnson encourages the industry to treat missteps as learning opportunities, reinforcing that robust client relationships and precise service definitions are as vital as technical expertise.
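The allow-listing the summary mentions is one of the concrete items a client is asked to do before a campaign starts, and it is worth writing into the scoping document rather than leaving to a hallway conversation. The following Exchange Online PowerShell is an added example, not code from the episode or from 7 Minute Security: it creates a mail-flow rule that exempts the tester's sending IP range and the agreed lookalike domain from spam filtering for a fixed window, then verifies and removes it. The rule name, IP range (an RFC 5737 documentation block), sender domain and duration are placeholders to be replaced with the values agreed in scope.

```powershell
# Added example (not from the episode): Exchange Online transport rule that allow-lists a
# scoped phishing-simulation sender for the duration of an engagement.
# Requires the ExchangeOnlineManagement module and an account with the Transport Rules role.
Connect-ExchangeOnline

$ruleName      = "Pentest - phishing simulation allow-list"   # hypothetical rule name
$senderIpRange = "203.0.113.0/24"       # placeholder: the tester's sending IPs from the scoping doc
$senderDomain  = "example-clone.test"    # placeholder: the cloned/lookalike domain agreed in scope
$endDate       = (Get-Date).AddDays(14)  # placeholder: last day of the agreed test window

# Conditions are ANDed: only mail from the agreed IPs AND the agreed domain is exempted.
# SetSCL -1 tells EOP to skip spam filtering; the custom header lets the SOC recognise
# simulation mail in logs without tipping off end users.
New-TransportRule -Name $ruleName `
    -SenderIpRanges $senderIpRange `
    -SenderDomainIs $senderDomain `
    -SetSCL -1 `
    -SetHeaderName "X-Phish-Sim" -SetHeaderValue "scoped-engagement" `
    -ExpiryDate $endDate `
    -Mode Enforce `
    -Comments "Allow-list for scoped phishing test; expires automatically at engagement end"

# Verify the rule, its conditions and its expiry before the first email is sent.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, SenderIpRanges, SenderDomainIs, SetSCL, ExpiryDate

# Clean-up step for the closing checklist (the ExpiryDate only disables the rule, it does not delete it):
# Remove-TransportRule -Identity $ruleName -Confirm:$false
```

Two caveats a practitioner should state in the scope. Setting SCL to -1 bypasses Exchange Online Protection spam filtering only; Defender for Office 365 Safe Links and Safe Attachments still apply, and Microsoft's Advanced Delivery policy for third-party phishing simulations is the supported way to exempt those. The IP-range condition is evaluated against the connecting host, so if mail is relayed through a third-party sending service the relay's IPs, not the tester's workstation, belong in the rule. Both points are exactly the kind of detail that, left unwritten, produces the mid-campaign shutdown the episode describes.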
This might be obvious, but security is not all domain admin dancing and maximum pwnage. Sometimes, despite my best efforts, a security project does a faceplant. Today's episode focuses on a phishing campaign that had plenty of "bites" but got immediately shut down – for reasons I still don't understand.