First and foremost, attackers appear to favor spear-phishing individual targets, preferring to collect credentials and then log in to accounts rather than using malware to establish an initial foothold.
“We have observed spear-phishing campaigns that target human resources and hiring managers, IT staff, and internal information security staff, which are generally very effective,” 401TRG experts said about the 2017 campaigns.
Hackers focus on collecting network credentials and then spreading laterally inside a company.
Attackers then use a technique known as “living off the land,” which refers to the use of locally installed apps for malicious purposes. Tools often used in these intrusions include standard Windows utilities, but also penetration testing utilities such as Metasploit and Cobalt Strike. Malware is deployed only if necessary, because attackers fear detection, which often means losing their foothold on a target’s network.
I like the phrase LotL (“Living off the Land”). I think, tho need to check, it translates well.
Tl;dr: Orgs with strong security & defense-in-depth can still harbor blind spots & inaccurate assumptions.