The Admin Shadow
Why the executive assistant is the most powerful (and vulnerable) person in the building.
THE COUNTERMEASURE
Dispatch #034
Most attackers waste their time trying to spear-phish a CEO or a Founder. These high-level targets are surrounded by layers of security, assistants, and specialized software designed to filter out threats. Hackers like Niko Webb take a different path. He looks for the Executive Assistant (EA), the Office Manager, or the Junior Admin.
In the world of tradecraft, these roles have Horizontal Access. They might not have the “authority” to sign a multi-million dollar contract, but they have the “access” to see the CEO’s calendar, read their emails, and book their travel. If Niko can compromise the assistant, he effectively becomes the shadow of the executive.
The Tradecraft: The “Gatekeeper” Persona
Niko doesn’t always try to hack the assistant. Sometimes, he simply pretends to be one. He uses the hierarchy against itself through these three methods:
The Lateral Request: Niko calls a junior employee in the finance department. He identifies himself as “Marcus, the new EA for the VP of Operations.” He sounds stressed. He says the VP is in a meeting and needs a specific file or a “temporary” login code immediately. Because most people want to be helpful to the person who works for the “Boss,” they bypass the official security protocols.
The Calendar Snipe: Niko finds an EA’s name on LinkedIn and calls the IT help desk as that person, explaining that “the boss” is locked out while traveling. The technician’s identity check is a few personal questions: the names of the executive’s family, the trip they are on, the meeting they are heading into. Niko has already harvested every answer from social media, so he passes the check and the technician feels safe resetting the credentials. Knowledge-based verification only works when the knowledge is actually private.
The “Invisible” Authority: Administrative professionals are often treated as “invisible” in corporate environments. Niko can walk through an office with a stack of folders, looking like he is heading to a specific meeting. People assume he has already been vetted by the person he “works for.”
The “So What?”
You might think that your job title makes you an unlikely target. However, a professional hacker views every person in an organization as a potential “Pivot Point.”
The Chain of Trust: If a request comes from an assistant’s mailbox, it carries the weight of the executive. And if that mailbox has actually been compromised rather than spoofed, the mail passes every authentication check and arrives from a sender everyone already trusts. A single “Please review this” with a malicious attachment, sent from that account, lands on every computer in the C-suite and will be opened on most of them.
The Personal Life Leak: Assistants often manage personal details like home addresses, family schedules, and private phone numbers. A breach of an assistant is a breach of the executive’s entire private life.
The “Small” Gatekeeper: This applies to your home too. Scammers often target “support” roles like your gardener, your contractor, or your housekeeper. If they can convince your contractor that they are “with the city” and need access to your backyard, the contractor will let them in because they don’t want to cause a problem for you.
The Countermeasure: Standardizing the Request
The “No-Exception” Policy: Security protocols must apply to everyone, regardless of who they work for. If your company requires a ticket for a password reset, the CEO’s assistant must submit a ticket, and the new credential goes to the account owner through a channel IT already has on file, never to whoever happens to be on the phone.
Voice Verification: If you receive a sensitive request via email or chat from an assistant you don’t know well, pick up the phone, using a number from the company directory rather than one supplied in the message. A thirty-second “voice check” can stop a lateral social engineering attack in its tracks.
The Privacy Shield for Support: If you employ people to help in your personal or professional life, give them their own “Security Briefing.” Teach them that it is okay to say “No” to strangers who claim to have your permission. Tell them to always call you directly to verify any unexpected visitors or requests.
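The “No-Exception” Policy is only as good as the audit behind it. The following is an added example, not part of this dispatch, showing how a security team might check help-desk reset records against that policy: every reset needs a ticket, a reset requested on someone else’s behalf needs a callback to the account owner, and resets of executive or assistant accounts that relied on personal-knowledge questions get flagged, since those answers are exactly what the Calendar Snipe harvests. The log format, account names and the HIGH_VALUE list are constructed for the example.

```python
"""Audit help-desk password resets against a no-exception ticket policy.

Added example. The pipe-separated log layout, the accounts and the sample
rows are constructed for illustration and do not match any real product.
"""
from __future__ import annotations

from dataclasses import dataclass

# Accounts that deserve the strictest review: executives and the assistants
# who act on their behalf (constructed list).
HIGH_VALUE = {"ceo@example.com", "vp.ops@example.com", "ea.ceo@example.com"}

# Constructed sample log. Fields:
# timestamp|technician|target_account|channel|requester|ticket|verification
# A ticket of "-" means the technician performed the reset with no ticket.
# verification is how the caller's identity was checked: mfa, callback
# (help desk phoned the account owner at a number on file) or knowledge
# (personal questions answered over the phone).
SAMPLE_LOG = """\
2024-05-06T09:02:11Z|helpdesk1|jdoe@example.com|portal|jdoe@example.com|INC-1041|mfa
2024-05-06T09:40:27Z|helpdesk2|ceo@example.com|phone|"Marcus, EA"|-|knowledge
2024-05-06T10:15:03Z|helpdesk1|vp.ops@example.com|phone|ea.vpops@example.com|INC-1044|callback
2024-05-06T11:30:45Z|helpdesk3|asmith@example.com|chat|asmith@example.com|-|mfa
2024-05-06T13:05:19Z|helpdesk2|ea.ceo@example.com|phone|ea.ceo@example.com|INC-1051|knowledge
"""


@dataclass(frozen=True)
class ResetEvent:
    timestamp: str
    technician: str
    target: str
    channel: str
    requester: str
    ticket: str | None
    verification: str


@dataclass(frozen=True)
class Finding:
    timestamp: str
    target: str
    severity: str
    reason: str


def parse_log(text: str) -> list[ResetEvent]:
    """Parse the constructed pipe-separated format; reject malformed rows."""
    events: list[ResetEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 7:
            raise ValueError(f"malformed record: {line!r}")
        ts, tech, target, channel, requester, ticket, verification = fields
        events.append(
            ResetEvent(
                ts, tech, target, channel,
                requester.strip('"'),
                None if ticket == "-" else ticket,
                verification,
            )
        )
    return events


def audit_resets(events: list[ResetEvent]) -> list[Finding]:
    """Apply the no-exception rules and return one Finding per violation."""
    findings: list[Finding] = []
    for ev in events:
        severity = "high" if ev.target in HIGH_VALUE else "medium"
        reasons = []
        if ev.ticket is None:
            reasons.append("reset performed without a ticket")
        # A third party (an "EA" on the phone) asking for someone else's reset
        # is only acceptable if the help desk called the owner back.
        if ev.requester != ev.target and ev.verification != "callback":
            reasons.append("third-party request with no callback to the account owner")
        # Personal-knowledge questions are answerable from social media.
        if ev.verification == "knowledge" and ev.target in HIGH_VALUE:
            reasons.append("knowledge-based verification on a high-value account")
        findings.extend(Finding(ev.timestamp, ev.target, severity, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in audit_resets(parse_log(SAMPLE_LOG)):
        print(f"{f.timestamp} {f.severity:6} {f.target:22} {f.reason}")
```

Run against the sample, the 09:40 reset of the CEO’s account, requested by “Marcus, EA” with no ticket and verified by personal questions, trips all three rules at once, which is the Calendar Snipe in log form. The vp.ops reset on the next row is also requested by an assistant, but it has a ticket and a callback to the owner, so it produces no finding; that is what a compliant exception looks like.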
The Sign-off
Power isn’t always found in a title. Sometimes, it is found in the person who holds the calendar. When you protect the people who support you, you protect yourself.
This concludes The Art of the Social Engineer. Next week, we are starting a brand new series: The Physical Vault. We will go back to the world of high-end industrial design and look at the “Invisible Intelligence” of modern secure spaces.
Stay dangerous,
Alex Holt