Tier-1 Telecommunications Carrier
Goal-oriented red team against a national mobile carrier's customer-care environment, with explicit objectives around SIM-swap fraud and porting workflows.
Achieved unauthorized SIM-swap of a test subscriber line within nine days via a phishing-to-VPN-to-CRM chain. Detection gaps in the customer-care SIEM were closed within the engagement, and the carrier deployed step-up MFA on all porting actions within 60 days.
The client wanted a real adversary-emulation engagement, not a checklist test. The objective: replicate the attack chain a fraud crew would use to take over a high-value subscriber's phone number, and identify the detection and prevention gaps along the way.
Initial access was obtained through a targeted phishing campaign against a regional customer-care office. From there we pivoted through the office VPN, identified an over-permissioned service account on the CRM, and demonstrated end-to-end SIM-swap on a pre-authorized test line.
During the second half of the engagement we worked with the carrier's blue team in a purple-team configuration. The debrief produced a prioritized list of detection rules (including several SIM-swap-specific behavioral signals) that were tuned in their SIEM before the engagement closed.