April 1, 2026 · 8 min read

From One Inbox to the Whole Network

Email compromise is rarely the end goal. It is step one. Here is how attackers pivot from a single compromised mailbox to full domain admin access, and why early detection at the email layer stops the entire chain before lateral movement begins.

  • 6 hosts: average number of RDP lateral moves per breach
  • 301K: files accessed per breach
  • 6 days: average time undetected

The inbox is just the door

When most people think about email compromise, they think about the immediate risks: stolen contacts, impersonation, fraudulent invoices. Those risks are real. But they are not the worst-case scenario.

The worst-case scenario is that the attacker uses your compromised inbox as a stepping stone into your entire network. A single email account often contains everything an attacker needs to move laterally across an organization's infrastructure: credentials, connection details, internal documentation, and trust relationships that take months to build.

What attackers find in your inbox

A compromised email account is an intelligence goldmine. Attackers systematically search through mailbox contents for specific types of information:

  • Passwords in email threads. IT helpdesk tickets, onboarding emails, password reset confirmations, and "here are your new credentials" messages. A surprising number of organizations still send passwords via email during employee onboarding or system provisioning.
  • VPN configurations. Emails containing VPN setup instructions, connection URLs, or configuration file attachments give the attacker direct access to the internal network without needing to be physically present.
  • Shared credentials. Service account passwords shared between team members, database connection strings in deployment notifications, and API keys in automated alert emails. These credentials often have broader access than any single user account.
  • Network diagrams. Architecture documents, infrastructure runbooks, and data center migration plans sent as attachments. These give the attacker a complete map of the internal environment before they even connect to it.

Lateral movement: from inbox to network

Armed with information harvested from the compromised inbox, the attacker begins moving laterally through the network. In a typical breach, the attacker touches an average of six hosts via RDP before reaching their objective. Each step builds on the last.

RDP to other hosts

If the attacker finds VPN credentials or discovers that Remote Desktop Protocol (RDP) is exposed, they establish a direct connection to internal systems. From an RDP session on one workstation, the attacker can pivot to file servers, database hosts, and domain controllers. Each hop is a new source of credentials and a new vantage point for further enumeration. In the average breach, the attacker moves through six separate hosts before being detected.
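One way to spot the RDP fan-out described above from the defender's side, as an added example (not InboxWatch code): constructed Windows Security event 4624 records with LogonType 10 (RemoteInteractive) are grouped per account and checked for how many distinct hosts a single account reaches inside a sliding window. The window length and the threshold are assumptions, not figures from the post.

```python
"""Flag accounts that RDP into many distinct hosts within a short window.

Added illustration for this post, not InboxWatch code. Input is a constructed
list of Windows Security event 4624 fields (LogonType 10 = RemoteInteractive).
The 4-hour window and the threshold of 4 hosts are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, target account, destination host, source IP)
SAMPLE_RDP_LOGONS = [
    ("2026-03-20T09:02:00", "CORP\\jsmith", "WS-014", "10.0.5.23"),
    ("2026-03-20T09:15:00", "CORP\\jsmith", "FS-01", "10.0.5.23"),
    ("2026-03-20T09:31:00", "CORP\\jsmith", "DB-02", "10.0.5.23"),
    ("2026-03-20T09:44:00", "CORP\\jsmith", "WS-022", "10.0.5.23"),
    ("2026-03-20T10:05:00", "CORP\\jsmith", "APP-03", "10.0.5.23"),
    ("2026-03-20T10:20:00", "CORP\\jsmith", "DC-01", "10.0.5.23"),
    ("2026-03-20T08:00:00", "CORP\\helpdesk", "WS-014", "10.0.9.8"),
    ("2026-03-21T08:05:00", "CORP\\helpdesk", "WS-015", "10.0.9.8"),
]

def rdp_fanout(events, window=timedelta(hours=4), threshold=4):
    """Return {account: sorted hosts} for every account that reaches at least
    `threshold` distinct hosts over RDP inside any window of length `window`.
    A helpdesk account touching one box a day stays below the line; one
    account walking workstation -> file server -> database -> DC does not."""
    by_account = defaultdict(list)
    for ts, account, host, _src in events:
        by_account[account].append((datetime.fromisoformat(ts), host))
    flagged = {}
    for account, logons in by_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            # Distinct destination hosts reached within [start, start + window]
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= threshold:
                flagged[account] = sorted(hosts)
                break
    return flagged
```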

Credential harvesting: SAM database and LDAP enumeration

Once on a host, the attacker extracts credentials from the local Security Account Manager (SAM) database. The SAM stores hashed passwords for local accounts on every Windows machine. With administrative access to a single workstation, the attacker can dump these hashes and crack them offline, often within minutes for weak passwords.

Simultaneously, the attacker queries Active Directory via LDAP to map the entire organizational structure: every user account, every group membership, every computer object, every service principal. This enumeration reveals which accounts have elevated privileges, which servers host sensitive data, and which service accounts have weak or default passwords.

AS-REP roasting

AS-REP roasting targets accounts that have Kerberos pre-authentication disabled. For these accounts, the attacker can request an authentication response (the AS-REP) from the domain controller without providing any password. Part of that response is encrypted with a key derived from the account's password, so it can be cracked offline using dictionary and brute-force attacks. Because this attack does not require any special privileges, any domain user (including the compromised email account) can execute it.

The output is plaintext passwords for every vulnerable account whose password the attacker can crack. In many environments, service accounts and legacy accounts have pre-authentication disabled, and their passwords have not been changed in years.
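The same attack leaves a trace on the domain controller, and this added example (not InboxWatch code) shows how to hunt for it: constructed Windows Security event 4768 (Kerberos TGT requested) records are checked for the pair PreAuthType 0 and RC4 ticket encryption (0x17), and every account seen requesting without pre-authentication is listed for remediation.

```python
"""Hunt for AS-REP roasting in Windows Security event 4768 records.

Added illustration for this post, not InboxWatch code. The records are
constructed; field names follow the 4768 event schema. PreAuthType 0 means
the TGT was issued without pre-authentication, which the KDC only does for
accounts that have it disabled, and 0x17 (RC4-HMAC) is the cipher offline
cracking tools ask for, so that pair is the classic roasting signal. Newer
tools can request AES, so every account seen with PreAuthType 0 is returned
as well: those are the accounts to fix regardless of cipher.
"""
from collections import defaultdict

SAMPLE_4768 = [  # constructed records
    {"TargetUserName": "svc_backup", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"TargetUserName": "legacy_app", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"TargetUserName": "svc_print", "PreAuthType": "0",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.7.40"},
    {"TargetUserName": "jsmith", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.23"},
]

def asrep_roasting_hunt(events):
    """Return (by_source, preauth_disabled).

    by_source maps a requesting IP to the sorted accounts it obtained RC4
    AS-REPs for without pre-authentication; one source pulling several such
    accounts in a burst is the strongest signal. preauth_disabled is every
    account seen with PreAuthType 0. Note that the legitimate host of a
    pre-auth-disabled account also produces PreAuthType 0 events, so compare
    by_source against the known baseline for those accounts.
    """
    by_source = defaultdict(set)
    preauth_disabled = set()
    for ev in events:
        if ev.get("PreAuthType") != "0":
            continue  # ordinary pre-authenticated request
        preauth_disabled.add(ev["TargetUserName"])
        if ev.get("TicketEncryptionType", "").lower() == "0x17":
            by_source[ev["IpAddress"]].add(ev["TargetUserName"])
    return ({ip: sorted(accts) for ip, accts in by_source.items()},
            sorted(preauth_disabled))
```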

Escalation to domain admin

Using the credentials gathered through SAM dumps, LDAP enumeration, and AS-REP roasting, the attacker targets accounts with administrative privileges. Common escalation paths include exploiting misconfigured group policies, abusing Kerberos delegation settings, extracting credentials from memory on compromised workstations using tools that read the LSASS process, and exploiting unpatched vulnerabilities in internal services.

The attacker's objective is domain administrator access. With domain admin credentials, the attacker controls every computer, every user account, and every resource in the Active Directory domain. They can create new accounts, disable security tools, deploy ransomware to every endpoint simultaneously, and exfiltrate data from any system.

KRBTGT reset: the nuclear remediation

If the attacker has compromised the KRBTGT account (the Kerberos Ticket Granting Ticket account that underlies all authentication in Active Directory), the only reliable remediation is a double KRBTGT password reset. Two resets are needed because the domain controllers keep the previous KRBTGT key alongside the current one and still honour tickets issued under it, so after a single reset any ticket the attacker minted with the old key remains valid until the second reset retires that key; the two resets are spaced far enough apart for replication to complete and for existing tickets to expire. This is sometimes called the "nuclear option" because it invalidates every Kerberos ticket in the domain, forcing every user and every service to re-authenticate.

It causes significant operational disruption and requires careful planning to execute without breaking critical services. The alternative is worse: leaving the attacker with the ability to generate Golden Tickets that grant unlimited, undetectable access to any resource in the domain for as long as the KRBTGT password remains unchanged. In a network of any meaningful size, a KRBTGT reset affects every employee, every service account, and every automated process. It is the last resort, and it starts with a single compromised inbox.

Why early email detection stops the chain

Every step of the lateral movement playbook depends on the initial email compromise going undetected. The attacker needs time: time to search the inbox for credentials, time to establish forwarding rules for ongoing access, time to test harvested credentials against internal systems, and time to move through the network. On average, an attacker operates undetected for six days before triggering an alert.

If the email compromise is detected early, the entire chain breaks. The attacker loses access to the inbox before they can harvest credentials. The forwarding rules that provide persistent access are removed. The VPN credentials are rotated. The internal phishing emails are never sent.

The specific indicators that precede lateral movement are detectable at the email layer: new forwarding rules that copy messages to external addresses, rogue MFA device enrollments, OAuth applications with excessive permissions, and sign-in patterns from unexpected locations. These are the first moves in the attacker's playbook. Catching them at the email layer means the attacker never reaches step two.
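The forwarding-rule indicator above, worked through as an added example (not InboxWatch code): a hunt over constructed Microsoft 365 Unified Audit Log records for New-InboxRule and Set-InboxRule operations that flags forwarding to external addresses, parameters that hide the matched mail, and near-empty rule names. The tenant domain example.com is an assumption.

```python
"""Flag inbox rules that forward mail outside the tenant or hide replies.

Added illustration for this post, not InboxWatch code. Records are constructed
but follow the shape of Microsoft 365 Unified Audit Log entries for
New-InboxRule / Set-InboxRule (Operation, UserId, Parameters as Name/Value
pairs). The tenant domain below is an assumption.
"""
INTERNAL_DOMAINS = {"example.com"}               # assumed tenant domain
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead"}    # keep the victim from noticing

SAMPLE_AUDIT = [  # constructed records
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com", "ClientIP": "203.0.113.9",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "acct-rec@attacker-mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"}]},
    {"Operation": "New-InboxRule", "UserId": "jsmith@example.com", "ClientIP": "10.0.5.23",
     "Parameters": [{"Name": "Name", "Value": "Team mail"},
                    {"Name": "MoveToFolder", "Value": "Projects"},
                    {"Name": "From", "Value": "team@example.com"}]},
    {"Operation": "Set-InboxRule", "UserId": "jsmith@example.com", "ClientIP": "10.0.5.23",
     "Parameters": [{"Name": "RedirectTo", "Value": "jsmith@example.com"}]},
]

def _is_external(address):
    return address.rsplit("@", 1)[-1].strip().lower() not in INTERNAL_DOMAINS

def suspicious_rules(records):
    """Return [(UserId, [reasons])] for rule operations that forward outside
    the tenant; hiding parameters and an empty-looking name add reasons."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        reasons = []
        for key in sorted(FORWARD_PARAMS.intersection(params)):
            # Multi-valued parameters are logged as ';'-separated strings
            targets = [t for t in params[key].split(";") if t.strip()]
            if any(_is_external(t) for t in targets):
                reasons.append(f"{key} to external address: {params[key]}")
        if reasons:
            for key in sorted(HIDE_PARAMS.intersection(params)):
                reasons.append(f"{key}={params[key]} hides matched mail")
            if len(params.get("Name", "").strip()) <= 2:
                reasons.append("near-empty rule name")
            findings.append((rec["UserId"], reasons))
    return findings
```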

InboxWatch monitors for exactly these indicators. It scans your Gmail and Microsoft 365 accounts for hidden forwarding rules, unauthorized delegates, suspicious OAuth applications, and anomalous sign-in activity. If someone establishes persistence in your email account, you will know within minutes, not six days.


Written by Nicholas Papadam, founder of InboxWatch. Senior Analyst with 6+ years in enterprise security operations.