We host our email on Office 365 with MFA. We have extensive custom rules set up to further filter our email beyond the built-in protection Microsoft offers.
I was reviewing the quarantine this evening, and I found an email purporting to be from the CEO, coming from an obviously fake Gmail address, addressed to an employee that started 10 days ago.
The recipient address was wrong (it was jsmith@company.com instead of joe.smith@company.com) but the baddies knew that we had a new employee on our system within 10 days of hire, and tried to email them while pretending to be the CEO.
There is a plethora of tactics that bad actors use to get users' data. I’m sure there was either a phishing attempt, malware or data breach in your org that exposed that user and your org.
It doesn't matter whether your business is on LinkedIn or not. The employees are on LinkedIn and that is where they find them.
Have you checked if that particular new hire is on LinkedIn?
I did log into LinkedIn and found that our new hire does have a profile there and did announce their new position at my organization, so that does seem like a plausible knowledge acquisition vector.
This is happening all the time: people are proud about the new job and announce it on LinkedIn. Looking out for these is so much easier than putting malware in place and then making it search for (email) activity about a new job.