The Menu Bites Back
Everyday work emails, like canteen updates or staff notices, can be used to trick people without raising suspicion. This article looks at how a simple lunch menu email was used to fool staff and deliver a hidden threat. It shows why companies need to pay more attention to the risks in ordinary, routine messages.

Exploiting Routine Communications in the Corporate Environment
In cybersecurity, we often talk about advanced threats, zero-day exploits, and nation-state actors. But sometimes the most dangerous breach begins with a very ordinary email — one that no one questions, because it blends perfectly into the background noise of corporate life.
This is the story of how a fake canteen menu became a proof-of-concept for just how fragile those everyday routines can be.
The Everyday Pretext: Exploiting Operational Trust
The phishing email in question didn’t come dressed as an urgent IT notice or a fake invoice. It didn’t spoof a CEO or demand wire transfers. Instead, it posed as something much more pedestrian: a change to the office café’s opening hours.
Here’s the setup:
Subject: Café Hours Changing – New Menu Attached
The email was plain and believable. It claimed that the café — referred to by its formal, internal name — was adjusting its service hours. A new seasonal menu was included as a Word document attachment.
That document, naturally, contained a payload.
The genius of the pretext wasn’t technical. It was psychological. It played on the rhythm of the workday, the trust people place in internal notices, and the complete absence of urgency — which is exactly what made it feel safe.
Why This Pretext Worked
The strength of this phish lies in its exploitation of low-friction trust:
It mimicked a routine internal update, the sort that rarely triggers suspicion.
It used the correct internal terminology, including the official name of the café.
It arrived at a strategic time — just before lunch, when people are hungry and more likely to act without overthinking.
Most importantly, it did not ask for sensitive data or action. It simply offered information — which in turn encouraged curiosity and clicks.
The Broader Risk: Operational Messaging as Attack Surface
In many corporate environments, there is a false sense of security around internal operational messages. Staff notices, HR updates, and general admin emails are often treated as low risk — precisely because they are routine.
This creates a blind spot:
These messages often bypass scrutiny from both users and automated security tools.
They’re rarely considered phishing vectors in awareness training.
They can be customised to the local language, habits, and naming conventions of a specific organisation, making them more effective than generic spam.
In short, attackers can weaponise the ordinary — and when they do, it works.
Lessons for Red and Blue Teams
This simulation revealed several key insights:
For Red Teams:
Pretexts that blend into daily operations are more effective than dramatic lures.
Timing matters — align with natural workflows (e.g. before lunch, Monday mornings).
Mimic internal style guides and terminology for credibility.
Avoid overengineering — the more mundane it feels, the better.
For Blue Teams:
Treat operational emails as part of the attack surface — especially when they include attachments or links.
Implement metadata tagging or watermarks for internal communications to signal authenticity.
Educate staff on low-pressure phishing techniques — not just the obvious red flags.
Consider reinforcing verification norms, even for "boring" messages.
Final Thought
The most dangerous phishing attempts aren’t always the loudest. Sometimes, they’re the ones that whisper quietly into the inbox with a message as simple as: “Here’s the new lunch menu.”
And if that doesn’t get you clicking, what will?
🔥 Tooling Roundup
Some interesting tools to experiment and play with:
Google Maps
What it does:
Google Maps lets you explore places from above (with satellite view) or on the ground (with Street View). It includes tools to look at how places have changed over time.
Why it's useful:
If you’re investigating something, the ability to go back in time is a game-changer. You can check what a street looked like last month—or five years ago. That’s perfect for verifying when buildings went up, spotting changes in a location, or proving someone’s version of events doesn’t match the timeline. You can also use Street View to get a boots-on-the-ground look without leaving your desk.
Canarytokens
What it does: Canarytokens are small digital “tripwires” — like hidden files, links, or credentials — that silently alert you the moment someone accesses them. You can embed them in documents, folders, URLs, emails, binaries, DNS queries and more.
Why it’s useful: The key power of Canarytokens is time-based detection. As soon as someone pokes a token, you instantly get notified—with details like when it happened, which token was tripped, and the attacker's IP address. That timing info helps you build a clear timeline: what happened first, what followed, and who triggered what. It’s invaluable for incident response, timeline reconstruction, or verifying if, when, and where someone snooped where they shouldn’t.
GitHub / Official Site: https://canarytokens.org
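The timeline reconstruction described above, as an added example that is not code from Thinkst Canary or The People Hacker: it takes a batch of token alerts (arriving out of order, as they can when they come through several channels), sorts them by trip time, records the first trip of every token, and groups each source address's trips into sessions. The alert records and their field names (`time`, `token`, `memo`, `src_ip`) are constructed for the demo and are not the real Canarytokens alert format.

```python
"""Rebuild an incident timeline from Canarytoken-style alerts.

Added example; not code from Thinkst Canary or The People Hacker. The records
and field names below are constructed and are not the real alert schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts, deliberately not in trip order.
ALERTS_JSONL = """\
{"time": "2024-05-02T11:52:10Z", "token": "tok-hr-doc", "memo": "HR share: salaries.docx", "src_ip": "203.0.113.7"}
{"time": "2024-05-02T11:47:03Z", "token": "tok-aws-key", "memo": "decoy AWS key in ~/.aws", "src_ip": "203.0.113.7"}
{"time": "2024-05-02T11:49:40Z", "token": "tok-hr-doc", "memo": "HR share: salaries.docx", "src_ip": "203.0.113.7"}
{"time": "2024-05-03T08:15:00Z", "token": "tok-menu-url", "memo": "link in canteen notice", "src_ip": "198.51.100.23"}
"""


def parse_alerts(text: str) -> list:
    """Parse JSON-lines alerts into dicts with timezone-aware datetimes."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        alerts.append(rec)
    return alerts


def build_timeline(alerts: list, session_gap: timedelta = timedelta(minutes=30)) -> dict:
    """Order alerts by trip time, record the first trip of each token, and group each
    source address's trips into sessions separated by more than session_gap."""
    ordered = sorted(alerts, key=lambda a: a["time"])
    first_touch = {}
    for a in ordered:
        first_touch.setdefault(a["token"], a)   # earliest trip wins, not earliest arrival

    by_src = defaultdict(list)
    for a in ordered:
        by_src[a["src_ip"]].append(a)
    sessions = []
    for src, events in by_src.items():
        current = None
        for a in events:
            if current is None or a["time"] - current["end"] > session_gap:
                current = {"src_ip": src, "start": a["time"], "end": a["time"], "tokens": []}
                sessions.append(current)
            current["end"] = a["time"]
            current["tokens"].append(a["token"])
    sessions.sort(key=lambda s: s["start"])
    return {"ordered": ordered, "first_touch": first_touch, "sessions": sessions}


if __name__ == "__main__":
    tl = build_timeline(parse_alerts(ALERTS_JSONL))
    for a in tl["ordered"]:
        print(a["time"].isoformat(), a["src_ip"], a["token"], "-", a["memo"])
    for s in tl["sessions"]:
        print("session", s["src_ip"], s["start"].time(), "->", s["end"].time(), s["tokens"])
```

Sorting on the trip time rather than on arrival order is the point: in the constructed data the HR document token was first opened at 11:49:40, two and a half minutes after the decoy AWS key was used from the same address, and that ordering is what tells you which lure was touched first.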
Did You Know? When NASA open-sourced its codebase on code.nasa.gov, it included software that was used in actual space missions—like the Pleiades supercomputer scheduling software, Orion spacecraft simulation tools, and even code from the Apollo Guidance Computer.
One standout? The GMAT (General Mission Analysis Tool)—used for mission planning by real rocket scientists—is totally free to download and tinker with. So yes, you can literally run mission-grade trajectory simulations from your living room.
Till next time,
John
Disclaimer: All of the above tools should only be used in controlled, ethical environments — such as red team engagements, security testing, or awareness training. Using these tools without permission is illegal and unethical. Just so you know.