Phishing Through Services: The threat you didn’t see coming

Most organisations are familiar with phishing and spear-phishing tests as part of their annual penetration testing. And while these simulations are still useful, traditional phishing only tells part of the story.

Although these attacks often succeed, at Nexon we approach pen tests differently, to give our clients a true threat assessment and an understanding of their risk profile. Phishing is a must, but it presents only 50% of the picture.

Why conventional phishing isn’t enough

Conventional phishing simulations, which rely on email delivery, are no longer sufficient in today’s threat landscape. Modern security stacks, layered with tools like Microsoft Defender, Proofpoint, and robust protocols such as SPF, DKIM, and DMARC, are effective at blocking suspicious emails before they ever reach end users. At the same time, employees have grown more adept at spotting common phishing cues, thanks to awareness training and built-in email warnings.

Meanwhile, attackers have evolved. They now exploit external-facing services, cloud platforms, and even collaboration tools to deliver malicious payloads, bypassing traditional filters entirely. To accurately assess an organisation’s resilience, testing must extend beyond the inbox and simulate every delivery channel in play in a phishing attack.

What is PTS and why does it work?

Phishing Through Services (PTS) shares the core features of a targeted phishing attack: we still generate documents or files containing a payload that either connects our custom malware to our command and control (C2) infrastructure, to establish access, or harvests data such as credentials, tokens or hashes. The difference is that instead of trying to bypass email filtering, we deliver the attack through the organisation’s own external services, such as cloud platforms that face the outside world.

PTS is effective because it targets what’s trusted yet often unmonitored. Most organisations allow email notifications and file uploads from their cloud platforms without applying the same scrutiny as they do with standard email security gateways. Unlike phishing emails, these payloads are delivered through business-critical tools, making them more believable, less filtered, and frequently invisible to Security Operations Centre (SOC) monitoring.

In one recent case, we harvested multiple user password hashes through a legitimate external service without triggering a single alert. The SOC was focused solely on Microsoft 365, data centres, and internal network monitoring, leaving cloud-based activity unchecked.
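The gap described above is that mail from trusted service senders never receives gateway-style scrutiny. The following is an added example, not Nexon's code: it applies that scrutiny to two constructed notification messages, checking that links stay on the service's own domains and that attachments are not of risky types. The service domains, the allowlist and the sample messages are assumptions made for the illustration.

```python
"""Gateway-style checks for notification mail from trusted cloud services.

Illustrative only; service names, domains and messages are constructed.
"""
import re
from email import message_from_string
from email.message import Message

# Constructed allowlist: sender domain -> hosts a genuine notification from
# that service should link to. Links anywhere else are treated as untrusted.
TRUSTED_SERVICES = {
    "notify.example-files.com": {"example-files.com", "cdn.example-files.com"},
    "no-reply.example-tickets.io": {"example-tickets.io"},
}
RISKY_EXTENSIONS = (".exe", ".js", ".hta", ".iso", ".docm", ".xlsm", ".lnk")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s<>\"']*")


def sender_domain(msg: Message) -> str:
    """Domain part of the From header, tolerating 'Name <user@host>' form."""
    return msg.get("From", "").rsplit("@", 1)[-1].strip("<> ").lower()


def scrutinise(raw: str) -> list[str]:
    """Return findings for one message; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    if domain not in TRUSTED_SERVICES:
        return ["sender not on the trusted-service allowlist; apply normal gateway policy"]
    findings, expected_hosts = [], TRUSTED_SERVICES[domain]
    for part in msg.walk():  # a non-multipart message yields itself
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment type from trusted sender: {fname}")
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode(errors="replace")
            for host in URL_RE.findall(body):
                host = host.lower()
                if not any(host == h or host.endswith("." + h) for h in expected_hosts):
                    findings.append(f"link to {host} is outside the service's own domains")
    return findings


# Constructed sample: a genuine share notification whose link stays on the service.
GENUINE = """From: Example Files <share@notify.example-files.com>
To: staff@corp.example
Subject: A file was shared with you

Open it here: https://cdn.example-files.com/d/abc123
"""

# Constructed sample: same trusted sender, but the link leaves the service entirely.
SUSPICIOUS = """From: Example Files <share@notify.example-files.com>
To: staff@corp.example
Subject: A file was shared with you

Review the document: https://unrelated-host.example/sso
"""
```

Run `scrutinise(GENUINE)` and `scrutinise(SUSPICIOUS)` to see that only the second message produces a finding, even though both come from the same allowlisted sender.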

Common Services Targeted in PTS Testing

What happens after a PTS test, and why does it matter?

Phishing Through Services exposes the gaps, challenges assumptions about trusted platforms, and puts your people, processes, and systems to the test. Receiving your PTS results is just the starting point.

These results and insights bring to light overlooked vulnerabilities and help you better understand how attackers could exploit your external-facing services. The value lies in translating these findings into action, such as enhancing internal policies, closing technical gaps, and strengthening staff awareness, to build lasting cyber resilience.

For organisations ready to strengthen their defences further, engaging with an experienced penetration testing or red team partner offers more visibility and strategic guidance. These experts simulate advanced threats, explore unconventional attack paths, and help you understand your threat profile at a far more granular level.

For further insight into a sample PTS campaign and the associated mitigation strategies, you may continue reading this article.

Contact Nexon today to learn more about our advanced penetration testing services or request an assessment by our team of highly experienced specialists.