Ex-FBI Agent: One Phone Call Gave Hackers Full Network Access

A single phone call gave a threat actor full network access. Devon Ackerman explains why identity-based attacks beat modern defenses and what CISOs should do.

Full Metal Packet Episode 8: Devon Ackerman

A threat actor called the IT help desk of a recent client of Devon Ackerman's and said his new laptop wouldn't connect to the VPN. The rep could see failed login attempts on screen, which lent credibility to the story, and asked for a date of birth to verify the caller. He had one ready. Password reset, done. Then came the follow-up: this new device hasn't been enrolled in MFA yet. "Could you temporarily disable it until I'm in?" Of course.

Once inside, the attacker scanned for installed software and found a legitimate remote access tool the IT team already used across the environment. From there, he operated as a regular user, on credentials the help desk had handed him, through infrastructure no security tool would flag as suspicious. He disappeared into the noise of a normal working day.
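As an added, defender-side illustration (not code from the episode or from Cybereason), the sequence above leaves a recognisable trail in identity audit logs: a help-desk password reset, an MFA disable on the same account, then a login and remote-tool session from a device that account has never used. The events, device inventory and field names below are constructed.

```python
"""Correlate identity audit events into the sequence described above: help-desk password
reset, MFA disabled for the same account, then a login from a device that account has
never used. Sample events and device inventory are constructed for illustration."""
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed; fields mirror a typical IdP / help-desk audit trail
    {"ts": "2024-05-02T09:01:00", "actor": "helpdesk.rep", "action": "password_reset", "target": "j.doe", "device": None},
    {"ts": "2024-05-02T09:03:30", "actor": "helpdesk.rep", "action": "mfa_disabled", "target": "j.doe", "device": None},
    {"ts": "2024-05-02T09:10:12", "actor": "j.doe", "action": "login_success", "target": "j.doe", "device": "DESKTOP-7Q2K"},
    {"ts": "2024-05-02T09:12:40", "actor": "j.doe", "action": "remote_tool_session", "target": "j.doe", "device": "DESKTOP-7Q2K"},
    # routine reset for a second user: same help desk, but no MFA change and a known device
    {"ts": "2024-05-02T10:00:00", "actor": "helpdesk.rep", "action": "password_reset", "target": "a.smith", "device": None},
    {"ts": "2024-05-02T10:20:00", "actor": "a.smith", "action": "login_success", "target": "a.smith", "device": "LAPTOP-A1"},
]
KNOWN_DEVICES = {"j.doe": {"LAPTOP-JD"}, "a.smith": {"LAPTOP-A1"}}  # constructed enrollment inventory
WINDOW = timedelta(hours=2)  # how long after a reset the follow-on events still count

def find_helpdesk_bypass(events, known_devices, window=WINDOW):
    """Return one (user, reasons) tuple per password reset that is followed, within `window`,
    by an MFA disable, a login from an unseen device, or a remote-tool session on that device."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    findings = []
    for i, reset in enumerate(events):
        if reset["action"] != "password_reset":
            continue
        user, t0 = reset["target"], datetime.fromisoformat(reset["ts"])
        reasons, new_devices = [], set()
        for ev in events[i + 1:]:
            if ev["target"] != user:
                continue
            if datetime.fromisoformat(ev["ts"]) - t0 > window:
                break  # events are sorted, so nothing later can be inside the window
            if ev["action"] == "mfa_disabled":
                reasons.append("MFA disabled shortly after reset")
            elif ev["action"] == "login_success" and ev["device"] not in known_devices.get(user, set()):
                reasons.append(f"login from never-seen device {ev['device']}")
                new_devices.add(ev["device"])
            elif ev["action"] == "remote_tool_session" and ev["device"] in new_devices:
                reasons.append(f"remote access tool session from {ev['device']}")
        if reasons:
            findings.append((user, reasons))
    return findings

if __name__ == "__main__":
    for user, reasons in find_helpdesk_bypass(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(f"ESCALATE {user}: " + "; ".join(reasons))
```

The second user's reset produces no finding, which is the point: a reset alone is routine, and only the combination is worth the escalation the episode argues for.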

That is the shape of modern intrusion, and it's the throughline of the latest episode of Full Metal Packet.

Co-hosts Yegor Sak and Alex Paguis sit down with Devon Ackerman, Global Head of Digital Forensics and Incident Response at Cybereason and a former FBI Supervisory Special Agent, to walk through identity-based attacks, the shrinking window between vulnerability disclosure and active exploitation, phishing-resistant MFA bypass, and the increasingly automated cat-and-mouse game that AI is forcing on both sides.

TL;DR

  • Threat actors are going to get in. What matters now is containing the blast radius.
  • Identity is now the primary attack surface. Legitimate logins don't set off the alarms that catch malware.
  • Disclosure-to-exploitation has collapsed to hours. One client pushed a 24-hour patch, but the threat actor was already inside 12 hours after disclosure.
  • Phishing-resistant MFA still gets beaten by adversary-in-the-middle kits. Hardware keys are where the kill chain reliably stops.
  • AI is accelerating both sides, and the five-to-10-year horizon for fully automated cyber operations is closer than most industry professionals will admit.

Why DFIR Is One Discipline

Some vendors still split digital forensics from incident response. Devon doesn't, and his explanation for why is worth listening to.

Digital forensics is a branch of forensic science. It governs how you acquire data, how you verify it, how you analyze it, and how you present those findings, typically with an end goal of standing up in court. Incident response is what it sounds like: detecting, containing, and recovering from a cyber event.

You can't do the second without the first.

"It's one thing to look at a log and say, well, in the log, I think this thing happened," Devon explains. "It's another based on training, education, and experience to say, actually, the tool that was used creates this artifact in the log, which allows us to reach the following conclusion."

That distinction matters because every incident is a potential legal event. The story you tell about what happened needs to survive scrutiny from regulators, insurers, and counsel. The forensics piece is what makes the story defensible.

Why Malware Is on the Way Out

For years, the offensive playbook was simple. Find a target, drop malware, escalate, exfiltrate. Endpoint Detection and Response technology was built to catch exactly that pattern. It baselines what an endpoint normally does, then watches for anomalies.

Threat actors adapted. If you don't want to trigger the baseline, the cleanest way to operate is to look identical to a legitimate user. Steal a credential. Impersonate someone on the help desk. Convince a third-party support agent to disable MFA. Then log in as that person and use the tools that are already installed.

No malware. No anomaly. No alert.

This is the structural reason identity has become the primary attack surface. Identity attacks succeed because they don't trip the wires that everyone has spent the last decade building.

The 12-Hour Window

The other shift Devon covers is speed.

Five years ago, the timeline from CVE publication to in-the-wild exploitation was measured in weeks, sometimes months. Threat actors needed to read the bulletin, understand the vulnerability, develop or acquire a working exploit, and find vulnerable targets. Defenders had time to patch.

That timeline has collapsed.

In a recent case, Devon's team responded to a client running a popular internet-facing remote management platform. A CVE was published 30 days before the engagement. A proof-of-concept exploit dropped a day later. The client did everything right: they read the bulletin, prioritized the patch, and pushed it within 24 hours. That is genuinely fast.

The threat actor was inside within 12 hours, via a web shell that gave them backdoor access independent of the patched vulnerability.

Yegor's response on the podcast cuts to the heart of where this is going: that 12-hour window is itself a relic of an earlier era. As CVE feeds get scraped by automated agents, as liberated models on consumer-grade GPUs craft working exploits in minutes, and as Shodan-style infrastructure scanning becomes trivial to automate, the realistic exploitation window will shrink to single-digit minutes. For some classes of vulnerability, it already has.

The implication for defenders is unpleasant. Even a flawless patch process is no longer fast enough.

Where Phishing-Resistant MFA Stops Working

MFA bypass deserves its own section because the messaging in the industry has been muddled.

There is a meaningful difference between MFA and phishing-resistant MFA. Standard authenticator apps generate a six-digit code. That code can be socially engineered out of the user or captured by an adversary-in-the-middle phishing kit: a fake authentication page that proxies the real one in the background and relays whatever the user types before the code expires. Phishing kits are cheap, easy to deploy, and effective at scale.

Phishing-resistant MFA raises the bar. The authenticator app itself becomes the second factor, so there is no code for the user to read off and hand to someone, and modern implementations bind the authentication to the device or to a hardware-rooted certificate.

Hardware security keys raise it again. A YubiKey, a properly configured conditional access policy in Microsoft's stack, or a similar mechanism that requires possession of a physical device is, in Devon's words, where the kill chain typically stops. Adversary-in-the-middle phishing kits strip the password and the software-based token. They don't strip the hardware key: a FIDO2 key signs the challenge together with the origin the browser is actually connected to, so an assertion produced on a lookalike domain fails verification at the real service.
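An added illustration, not code from the episode or from Cybereason, of the difference just described: a proxy can forward a six-digit code unchanged, but an assertion signed over the origin the browser saw is rejected by the real service. The TOTP function follows RFC 6238; the hardware key's signature is simplified to an HMAC over a constructed key, and both origins are constructed placeholders.

```python
"""Why an adversary-in-the-middle proxy relays a TOTP code but not a FIDO2-style assertion.
Simplified model: HMAC stands in for the key's signature; origins and secrets are constructed."""
import hashlib, hmac, json, os, struct, time

RP_ORIGIN = "https://login.example.com"         # constructed legitimate service
PHISH_ORIGIN = "https://login.example-com.net"  # constructed lookalike served by the proxy
CRED_KEY = b"constructed-fido-credential-key"   # stand-in for the hardware key's private key
TOTP_SEED = b"constructed-totp-seed"            # shared secret behind the six-digit code

def totp(seed: bytes, counter: int) -> str:
    """RFC 6238 six-digit code: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000)

def totp_login_through_proxy(now: int) -> bool:
    """The user reads the code off the app and types it into the phishing page; the proxy
    forwards it to the real server unchanged. Nothing in six digits says where they were typed."""
    counter = now // 30
    typed_on_phish_page = totp(TOTP_SEED, counter)
    relayed_by_proxy = typed_on_phish_page
    return hmac.compare_digest(relayed_by_proxy, totp(TOTP_SEED, counter))  # server accepts

def key_assert(challenge: bytes, browser_origin: str) -> dict:
    """The browser, not the user, records the origin it is actually connected to; the key signs it."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": browser_origin}).encode()
    sig = hmac.new(CRED_KEY, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def rp_verify(challenge: bytes, assertion: dict) -> bool:
    """The real service checks that the signed origin is its own and the challenge is the one it issued."""
    data = json.loads(assertion["client_data"])
    if data["origin"] != RP_ORIGIN or bytes.fromhex(data["challenge"]) != challenge:
        return False  # signed for the wrong site, or a stale/foreign challenge
    good = hmac.new(CRED_KEY, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(good, assertion["sig"])

def key_login(browser_origin: str) -> bool:
    challenge = os.urandom(16)  # issued by the real RP; the proxy can relay it verbatim
    return rp_verify(challenge, key_assert(challenge, browser_origin))

if __name__ == "__main__":
    print("TOTP relayed through proxy accepted:", totp_login_through_proxy(int(time.time())))
    print("Hardware key, direct login accepted: ", key_login(RP_ORIGIN))
    print("Hardware key via proxy accepted:     ", key_login(PHISH_ORIGIN))
```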

If you take one operational recommendation from this episode, make it this one. Put hardware keys on anything important. Devon has been recommending this for years. The data from real investigations continues to back it up.

The Threat Actor Ecosystem in 2026

Devon's breakdown of the threat reality is one of the cleanest framings of who you're actually defending against:

Hacktivists are ideologically motivated. They want to cause disruption, embarrassment, or damage in the service of a cause. Their economics are different since they don't need to monetize the attack.

Nation-states operate on intelligence collection requirements. They steal economic, military, or political information to serve a host nation's strategic interests. Targeting tends to be selective and patient.

Organized crime is financially motivated. Ransomware, business email compromise, data extortion: every play has a revenue model. This is the largest category by volume.

Initial access brokers sit alongside the others rather than within them. They specialize in finding vulnerabilities, exploiting them just enough to establish a foothold, and then selling that foothold to whoever wants to walk through the door. They are the wholesale layer of the cybercrime economy, and they are increasingly the explanation for why an environment sits compromised for weeks before anything obvious happens.

Understanding which of these you're facing changes your response. A nation-state actor in your environment is a different containment problem than an organized crime crew with a Bitcoin wallet.

What Devon Wants CISOs to Hear

The most important part of the conversation comes at the end, when Yegor asks what defenders should take away if they remember nothing else.

Devon's answer is the closest thing to a thesis statement the episode has.

"It's not about preventing the event or the incident. It's not about stopping the intrusion. You can make the castle walls a thousand feet high. You're not going to keep every attack out."

What follows from that is a different operating model. Accept that an incident will happen. Train your people to recognize and surface anomalies. Build the processes that let your security operations center escalate the odd ticket rather than close it in 60 seconds for a bonus metric. Invest in the tooling and the muscle memory that lets you contain a threat actor inside the four walls of where they got in, before they reach the part of your environment that matters.

The phrase Devon uses is blast radius. Boards and C-suites need to accept that zero incidents is no longer a realistic measure of a security program. What matters is how contained the damage stays when something does happen.

That reframing changes budget conversations, vendor selection, tabletop exercises, and the metrics security leaders bring to the board. It is the most important shift in the way modern security programs are designed, and it's the through line of everything else Devon talks about in the episode.


Devon Ackerman is Global Head of Digital Forensics and Incident Response at Cybereason, a former FBI Supervisory Special Agent focused on counterintelligence and cyber investigations, and the author of Diving In: An Incident Responder's Journey.

Listen to the full episode on Apple Podcasts, Spotify, YouTube, or wherever you get your podcasts.