Great story based on a true hacking attempt.
Except for the last bit, which was dramatized, the author gives a fairly good first-person account of an internal pentest being carried out. It involves everything from impersonation, social engineering, and physical theft to wits and a good amount of luck.
“Good afternoon, Pam. I’m Josh from IT. We’re about to migrate your Citrix instance to a new server. I’m going to send you a 6 digit number. I’ll need you to read that off to me. As a reminder, IT will never ask for your password.”
I already had her password.
She gave a hesitant, “Okay…”
I clicked on the “Click for MFA token” button and stated, “Alright, I’ve sent you the number. You should get a text. Please read it to me.”
She said, “Umm, alright. Got it. It’s 9-0-5-2-1-2.”
Source: A thread written by @TinkerSec