From Click to Catastrophe: How One Phishing Email Crippled a Business — And How It Could Have Been Stopped
In the world of cybersecurity, most breaches don’t begin with sophisticated zero-days or nation-state hackers. They often start with something far more ordinary: a single, well-crafted email.
This is the story of how one phishing message slipped through the cracks and brought a mid-sized manufacturing company to its knees. The details have been anonymized, but the events are drawn directly from real-world incidents.
A Normal Morning
It was a regular Tuesday at Westforge Components, a growing manufacturer supplying parts to automotive clients across Europe. Maria, a purchasing assistant juggling emails and spreadsheets, opened a message that looked completely routine.
It appeared to come from one of their trusted suppliers in the Czech Republic. The logo was correct. The sender’s name matched previous correspondence. The subject line read: “RE: Urgent update to invoice #88513” — referencing a real invoice from just last week.
In the email body, the supplier claimed there had been an error in the original invoice and asked Maria to view the updated version through a secure link. It wasn’t unusual. She clicked.
What opened looked like a Microsoft 365 login page, nearly identical to the one she saw every day. Her session had expired earlier that morning, so she entered her email and password and hit enter. The page refreshed, showed a vague error, and she closed the tab, assuming the link was simply broken.
She didn’t realize she had just handed over her login credentials to an attacker.
Quiet Infiltration
By early Wednesday morning, someone was inside Westforge’s email system.
The attacker logged into Maria’s account using a virtual private server registered in Eastern Europe. Since multi-factor authentication hadn’t been enabled for non-executive users, they encountered no barriers.
The attacker quietly combed through weeks of email threads. They found active conversations with suppliers, internal communications, and—critically—email chains with the finance department discussing outgoing payments.
They didn’t rush. Over the next 48 hours, the attacker began forwarding real emails from Maria’s inbox to the company’s accounting staff, slightly altering documents and links. One message included an updated invoice that required “macro-enabled access” in Excel. Another message impersonated Maria, requesting urgent approval for a payment.
No alarms were raised. Everything seemed legitimate.
Until Friday afternoon.
The Lockdown
Around 2:30 PM, employees began experiencing strange behavior on their machines. Files became inaccessible. Desktop backgrounds changed. A pop-up appeared:
Your network has been encrypted. Do not attempt to restart. Instructions will follow.
The ransomware had been deployed through a malicious Excel file that executed PowerShell scripts once macros were enabled. From there, the malware moved laterally across the network. Internal backups, still online and accessible, were also encrypted. The attackers had been watching long enough to know exactly where the company stored its recovery files.
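The infection chain described above (a macro-enabled Excel file launching PowerShell) is exactly the kind of parent/child process relationship that endpoint telemetry exposes. The following is an added example, not code from the original article or from any vendor product: a small detector run over constructed process-creation events whose field names are modelled on Sysmon Event ID 1 (an assumption; adjust to your EDR's schema). Hostnames, users, paths and the encoded command are invented for the sample.

```python
"""Flag Office applications spawning script hosts, plus suspicious PowerShell arguments.

Added example for the article above. The event records are constructed to resemble
Sysmon Event ID 1 (process creation) exported as JSON; the field names are an assumption.
"""
import base64
import re

# Process names an attacker's macro typically launches, and the Office parents it launches them from.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# -Enc / -EncodedCommand takes a base64-encoded UTF-16LE string; capture it so the alert can show plaintext.
ENC_RE = re.compile(r"-(?:enc|encodedcommand|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

# Command-line indicators commonly seen in macro-delivered PowerShell stagers.
SUSPICIOUS_ARGS = [
    (ENC_RE, "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop(?:rofile)?\b", re.I), "no profile"),
    (re.compile(r"-ex(?:ec|ecutionpolicy)?\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I), "network download"),
]


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Decode a -Enc payload (base64 of UTF-16LE) or return None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev):
    """Return an alert dict for one process-creation event, or None if nothing is suspicious."""
    parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    indicators = [label for rx, label in SUSPICIOUS_ARGS if rx.search(cmd)]
    office_to_script = parent in OFFICE_APPS and child in SCRIPT_HOSTS
    if office_to_script:
        severity = "high"          # an Office app has no business launching a script host
    elif child in SCRIPT_HOSTS and len(indicators) >= 2:
        severity = "medium"        # suspicious arguments from any parent
    else:
        return None
    return {
        "severity": severity,
        "host": ev.get("Computer"),
        "user": ev.get("User"),
        "reason": f"{parent} spawned {child}",
        "indicators": indicators,
        "decoded_command": decode_encoded_command(cmd),
    }


def detect(events):
    """Run score_event over a list of events and return the alerts in input order."""
    return [a for a in (score_event(ev) for ev in events) if a]


# Constructed sample telemetry: one malicious Excel-to-PowerShell launch, one admin's
# interactive PowerShell, and one benign Excel child process (print spooler helper).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-17 14:21:03", "Computer": "WF-ACCT-07", "User": "WESTFORGE\\jdoe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Exec Bypass -Enc VwByAGkAdABlAC0ASABvAHMAdAA="},
    {"UtcTime": "2024-05-17 14:25:40", "Computer": "WF-IT-01", "User": "WESTFORGE\\itadmin",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"UtcTime": "2024-05-17 14:26:02", "Computer": "WF-ACCT-03", "User": "WESTFORGE\\asmith",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "Image": "C:\\Windows\\splwow64.exe",
     "CommandLine": "C:\\Windows\\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The sample encoded command decodes to a harmless `Write-Host`; in a real incident the decoded text is where the download URL or dropper path shows up, which is why the alert carries it. Tune the benign-parent allowlist to your fleet rather than relaxing the Office-to-script-host rule itself.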
Within minutes, the production planning system, the customer portal, and internal ERPs all went offline.
Westforge was paralyzed.
The Aftermath
The ransom note demanded the equivalent of $600,000 in Bitcoin. The attackers promised a decryption key and claimed no data would be leaked if payment was made within 72 hours.
Westforge didn’t have cyber insurance. They had an IT provider, but no dedicated cybersecurity team. Recovery from the incident took over three weeks. Production was disrupted, customers were lost, and reputational damage lingered for months. The total cost—after downtime, consulting fees, legal support, and lost revenue—was estimated at just over $1.1 million.
All because of a single phishing email.
What Went Wrong
Westforge didn’t lack IT infrastructure. They had email filtering, antivirus software, and nightly backups. But these defenses weren’t enough to stop the type of attack that relies on trust, routine, and human habits.
Here’s where things broke down:
- No Multi-Factor Authentication (MFA): Maria’s credentials should not have been enough to access company resources.
- Lack of User Awareness: Maria had never received phishing simulation training or real guidance on what suspicious links look like.
- Overreliance on Email Filters: The phishing email passed spam detection because it mimicked an ongoing conversation and referenced a genuine invoice number. A filter sees a message once; the people who could have caught it needed context the filter never had.
- Flat Network Design: Once the attacker landed on one endpoint, lateral movement was too easy.
- Online Backups: Backups were directly accessible from the production environment and were encrypted alongside everything else.
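The first two failures above (no MFA, and an unnoticed login from an unfamiliar VPS) are visible in sign-in logs before any ransomware runs. As an added example, not code from the original article or from any identity provider, here is a small analysis over constructed sign-in records: it flags successful sign-ins from a country or network the user has never used, raises the severity when no second factor was involved, and reports which users are signing in with a password alone. Field names are loosely modelled on an Entra ID sign-in export (an assumption); users, IPs and ASNs are invented, using documentation address and AS ranges.

```python
"""Sign-in anomaly and MFA-coverage report over sign-in log records.

Added example for the article above. Records are constructed; field names are an
assumption modelled loosely on an Entra ID sign-in export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a hosting/VPS provider ASN feed (documentation ASN range).
HOSTING_ASNS = {"AS64500", "AS64501"}


def parse_time(s):
    """Parse the ISO-8601 UTC timestamp used in the records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def analyze(sign_ins, baseline_days=30):
    """Return alerts for successful sign-ins that deviate from each user's recent baseline.

    Severity is 'high' when the sign-in completed with a password alone, 'low' when MFA
    was satisfied (a legitimate traveller, or an attacker who also beat MFA: still worth a look).
    """
    events = sorted(sign_ins, key=lambda e: parse_time(e["time"]))
    history = defaultdict(list)   # user -> earlier successful sign-ins
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue              # failed attempts are not part of the baseline
        t = parse_time(ev["time"])
        prior = [p for p in history[ev["user"]] if t - parse_time(p["time"]) <= timedelta(days=baseline_days)]
        reasons = []
        if prior and ev["country"] not in {p["country"] for p in prior}:
            reasons.append(f"new country {ev['country']}")
        if prior and ev["asn"] not in {p["asn"] for p in prior}:
            reasons.append(f"new network {ev['asn']}")
        if ev["asn"] in HOSTING_ASNS:
            reasons.append("hosting/VPS provider")
        if reasons:
            single_factor = ev["auth"] == "singleFactorAuthentication"
            alerts.append({"time": ev["time"], "user": ev["user"], "ip": ev["ip"],
                           "severity": "high" if single_factor else "low", "reasons": reasons})
        history[ev["user"]].append(ev)
    return alerts


def mfa_gap(sign_ins):
    """Users who completed at least one successful sign-in without a second factor."""
    return sorted({e["user"] for e in sign_ins
                   if e["result"] == "success" and e["auth"] == "singleFactorAuthentication"})


# Constructed sample: Maria's normal office sign-ins, the attacker's VPS login after the
# phishing page harvested her password, and a finance user travelling with MFA.
MARIA, CFO = "maria.k@westforge.example", "cfo@westforge.example"
SAMPLE_SIGN_INS = [
    {"time": "2024-05-06T08:02:11Z", "user": MARIA, "ip": "192.0.2.20", "country": "DE", "asn": "AS64496", "result": "success", "auth": "singleFactorAuthentication"},
    {"time": "2024-05-08T07:58:40Z", "user": MARIA, "ip": "192.0.2.20", "country": "DE", "asn": "AS64496", "result": "success", "auth": "singleFactorAuthentication"},
    {"time": "2024-05-13T08:10:05Z", "user": MARIA, "ip": "192.0.2.21", "country": "DE", "asn": "AS64496", "result": "success", "auth": "singleFactorAuthentication"},
    {"time": "2024-05-15T05:46:02Z", "user": MARIA, "ip": "198.51.100.7", "country": "RO", "asn": "AS64500", "result": "failure", "auth": "singleFactorAuthentication"},
    {"time": "2024-05-15T05:47:30Z", "user": MARIA, "ip": "198.51.100.7", "country": "RO", "asn": "AS64500", "result": "success", "auth": "singleFactorAuthentication"},
    {"time": "2024-05-15T08:05:12Z", "user": MARIA, "ip": "192.0.2.20", "country": "DE", "asn": "AS64496", "result": "success", "auth": "singleFactorAuthentication"},
    {"time": "2024-05-15T08:30:00Z", "user": CFO, "ip": "192.0.2.22", "country": "DE", "asn": "AS64496", "result": "success", "auth": "multiFactorAuthentication"},
    {"time": "2024-05-16T09:00:00Z", "user": CFO, "ip": "203.0.113.9", "country": "PT", "asn": "AS64497", "result": "success", "auth": "multiFactorAuthentication"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_SIGN_INS):
        print(a)
    print("users signing in with a password alone:", mfa_gap(SAMPLE_SIGN_INS))
```

Run against a real export, the `mfa_gap` list is the enforcement backlog, and the high-severity alerts are the ones to chase the same day: in the story above, the attacker's first login was visible a full two days before the encryption started.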
What Should Have Been in Place
Incidents like this are preventable. Here’s what would have made the difference:
- Enforce MFA for All Users: With a second factor on every account, Maria's stolen password alone would not have opened her mailbox. Note that a phishing page which proxies the real login (an adversary-in-the-middle kit) can capture the session cookie as well as the password, so phishing-resistant methods such as FIDO2 security keys or passkeys are the durable choice, starting with finance and purchasing roles.
- Regular Phishing Simulation and Training: Employees don’t need to become security experts — but they do need to recognize red flags.
- Endpoint Detection & Response (EDR): EDR watches process behaviour rather than file signatures. An Excel process launching PowerShell, as happened here, is a textbook detection that signature-based antivirus misses, and EDR can isolate the host before the malware spreads.
- Network Segmentation: Critical systems should be isolated to limit attacker movement.
- Offline or Immutable Backups: Ransomware can't touch what it can't see or alter. Keep at least one copy where production domain credentials cannot delete or overwrite it (offline media, or storage with immutability or retention locks), and test restores regularly; a backup that has never been restored is a hope, not a plan.
- A Tested Incident Response Plan: The first few hours of a breach are chaos without a plan. Have one, and rehearse it.
Final Thoughts
Cyberattacks don’t always come through brute force or clever exploits. More often, they walk in through the front door because someone let them in — unintentionally.
Westforge never thought they’d be a target. Most companies don’t. But in today’s digital landscape, size doesn’t matter — opportunity does.
Don’t wait for the story to be about your company.