5 February 2025

Case Study: Spear-Phishing Campaign Targeting Automotive Supplier — 200 Employees in the Crosshairs

An automotive supplier was the target of a spear-phishing campaign. The attackers imitated a real supplier – thanks to security awareness training, 94% of recipients recognized the attack.

TL;DR

An automotive supplier with 3,500 employees was the target of a spear-phishing campaign. The attackers imitated a real supplier and sent manipulated PDF invoices to 200 employees in the finance department. Thanks to security awareness training and email security, 94% of recipients recognized the attack.

Initial Situation

The company produces electronic components for several German automakers. As a Tier-1 supplier, it processes hundreds of invoices via email daily. The attackers apparently had insider knowledge of the supplier relationships.

The Attack

The phishing emails were unusually professional:

  • Sender address: slightly altered domain of a real supplier (typosquatting)
  • Content: reference to real order numbers and projects
  • Attachment: PDF with embedded JavaScript that opened a reverse shell
  • Timing: Monday at 8:30 AM, when the inbox is full and attention is low
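The two technical indicators listed above, a typosquatted sender domain and a PDF carrying JavaScript, can both be checked before an invoice reaches a mailbox. The following Python script is an added example and not code from the article or the company described; the supplier allow-list, the sender addresses and the PDF bytes are constructed sample data, and the homoglyph table and the 0.9 similarity threshold are assumptions a real deployment would tune against its own vendor master data.

```python
"""Triage heuristics for supplier-invoice mail (added example, constructed data).

Two checks mirror the indicators from the case study:
  1. sender domain is a near-copy of a known supplier domain (typosquatting)
  2. PDF attachment carries active content (/JavaScript, /JS, /OpenAction, ...)
"""
import re
import zlib
from difflib import SequenceMatcher

# Constructed allow-list; assumption: maintained from the vendor master data.
KNOWN_SUPPLIER_DOMAINS = {"mueller-elektronik.example", "kabelwerk-nord.example"}

# Digits attackers commonly swap in for look-alike letters (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Lower-case, undo digit homoglyphs and drop separators so that
    'mueller-elektr0nik.example' and 'muellerelektronik.example' compare equal."""
    return re.sub(r"[-.]", "", domain.lower().translate(HOMOGLYPHS))


def lookalike_domain(sender: str, known=KNOWN_SUPPLIER_DOMAINS, threshold=0.9):
    """Return the known domain that `sender` imitates, or None.
    An exact match is legitimate mail; a near match above `threshold`
    is treated as typosquatting."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in known:
        return None
    norm = normalize(domain)
    for good in known:
        if SequenceMatcher(None, norm, normalize(good)).ratio() >= threshold:
            return good
    return None


# PDF name objects that trigger code or actions when the file is opened.
MARKER_RE = re.compile(rb"/(JavaScript|JS|OpenAction|Launch|AA)(?![A-Za-z])")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def pdf_active_content(data: bytes) -> set:
    """Return the set of active-content markers found in a PDF.
    Raw object dictionaries are scanned directly; each stream is also
    inflated with zlib so /FlateDecode-compressed objects are not missed."""
    if not data.startswith(b"%PDF"):
        return set()
    found = {m.decode() for m in MARKER_RE.findall(data)}
    for stream in STREAM_RE.findall(data):
        try:
            inflated = zlib.decompress(stream)
        except zlib.error:
            continue  # not Flate-compressed, or damaged: nothing more to scan
        found.update(m.decode() for m in MARKER_RE.findall(inflated))
    return found


def triage_email(sender: str, attachment: bytes) -> list:
    """Combine both checks; an empty list means no indicator fired."""
    reasons = []
    imitated = lookalike_domain(sender)
    if imitated:
        reasons.append(f"sender domain imitates {imitated}")
    markers = pdf_active_content(attachment)
    if markers:
        reasons.append("PDF contains active content: " + ", ".join(sorted(markers)))
    return reasons


# Constructed PDF samples (minimal, not valid for rendering, enough for the scan).
SAMPLE_MALICIOUS_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
    b"%%EOF\n"
)
SAMPLE_CLEAN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
_OBJ = zlib.compress(b"<< /S /JavaScript /JS (x) >>")
SAMPLE_COMPRESSED_PDF = (
    b"%PDF-1.7\n5 0 obj << /Filter /FlateDecode /Length " + str(len(_OBJ)).encode()
    + b" >>\nstream\n" + _OBJ + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for sender, pdf in [("invoice@mueller-elektr0nik.example", SAMPLE_MALICIOUS_PDF),
                        ("invoice@mueller-elektronik.example", SAMPLE_CLEAN_PDF)]:
        print(sender, "->", triage_email(sender, pdf) or "no indicators")
```

The similarity check deliberately normalizes both sides before comparing, so a single swapped digit or a dropped letter scores close to 1.0, while an unrelated domain that merely shares a TLD stays far below the threshold. The PDF scan is a screening step, not a parser: a PDF with object streams or encryption still needs a full PDF library, but the zlib pass already covers the common case of a Flate-compressed action dictionary.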

Detection

The email security solution detected the manipulated PDF attachment in 160 out of 200 emails and moved them to quarantine. The remaining 40 emails reached the inboxes.

Of these 40 recipients:

  • 32 recognized the phishing email and reported it via the report button
  • 6 ignored the email
  • 2 opened the attachment

Response and Containment

The two compromised endpoints were automatically isolated within 12 minutes by the EDR. The reverse shell could not establish a connection to the C2 server because egress filtering blocked unknown outbound connections.
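The egress filtering that stopped the reverse shell is a default-deny policy: only destinations on an allow-list are reachable from the finance network, and everything else is dropped and logged. The script below is an added example, not the company's configuration; the subnets, the three allowed destinations, the log format and the log lines are all constructed, and the alert threshold of three denied attempts from one host is an assumed value.

```python
"""Default-deny egress policy evaluated over firewall log lines
(added example with constructed addresses from RFC 1918 / RFC 5737 ranges)."""
import ipaddress
from collections import Counter

NET = ipaddress.ip_network

# Assumed policy: finance workstations (10.20.5.0/24) may only reach the
# mail gateway, the ERP system and the web proxy. Anything else is denied.
EGRESS_ALLOW = [
    (NET("10.20.5.0/24"), NET("10.0.1.25/32"), 587),   # mail gateway, submission
    (NET("10.20.5.0/24"), NET("10.0.2.0/24"), 443),    # ERP / invoice system
    (NET("10.20.5.0/24"), NET("10.0.1.10/32"), 3128),  # web proxy
]


def egress_allowed(src: str, dst: str, dport: int) -> bool:
    """True only if some allow rule matches source subnet, destination and port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn and dport == p for sn, dn, p in EGRESS_ALLOW)


def parse_line(line: str):
    """Parse the assumed 'ts key=value ...' log format into (ts, src, dst, dport)."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    return parts[0], fields["src"], fields["dst"], int(fields["dport"])


def evaluate(log_text: str, alert_threshold: int = 3):
    """Return (denied connection attempts, hosts whose denied attempts reach
    the threshold). Repeated denies from one host to the same outside address
    are the pattern a blocked callback leaves behind."""
    denied = []
    per_host = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if not egress_allowed(src, dst, dport):
            denied.append((ts, src, dst, dport))
            per_host[src] += 1
    alerts = {host: n for host, n in per_host.items() if n >= alert_threshold}
    return denied, alerts


# Constructed sample: one workstation retries an external host on 443 three
# times (allowed port, unknown destination), another talks to the ERP.
SAMPLE_LOG = """\
2025-02-03T08:41:12Z src=10.20.5.17 dst=10.0.1.10 dport=3128 proto=tcp
2025-02-03T08:41:30Z src=10.20.5.17 dst=203.0.113.45 dport=443 proto=tcp
2025-02-03T08:41:35Z src=10.20.5.17 dst=203.0.113.45 dport=443 proto=tcp
2025-02-03T08:41:40Z src=10.20.5.17 dst=203.0.113.45 dport=443 proto=tcp
2025-02-03T08:42:01Z src=10.20.5.23 dst=10.0.2.15 dport=443 proto=tcp
"""

if __name__ == "__main__":
    denied, alerts = evaluate(SAMPLE_LOG)
    for entry in denied:
        print("DENY", *entry)
    for host, count in alerts.items():
        print(f"ALERT {host}: {count} denied outbound attempts")
```

The point the sample log makes is that the destination, not the port, decides: the retries to 203.0.113.45 use port 443, which the same host is allowed to use towards the ERP system, yet they are denied because the destination is not on the list. Counting denies per source host turns the firewall log into the early-warning signal that lets the EDR isolation and the mail quarantine be triggered together.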

Total damage: Zero. No data loss, no lateral access, no encryption.

Success Factors

  • Security Awareness: Quarterly phishing simulation training for 18 months
  • Layered Defense: Email security + EDR + egress filtering as a triple safeguard
  • Reporting Culture: Employees knew that reports were desired – no blame culture
  • Quick Escalation: The first report led to the quarantine of all remaining emails within 5 minutes

Key Facts

Industry: Automotive supplier (Tier-1)

Attack Type: Spear-phishing with manipulated PDF

Target Group: 200 employees in the finance department

Detection Rate: 96% (email security + employees)

Total Damage: Zero

Fact: According to the Verizon DBIR 2024, 36 percent of all successful cyberattacks begin with a phishing email.

Fact: Sophos reports that the number of ransomware attacks in the automotive industry increased by 41 percent in 2024.

Frequently Asked Questions

What should the detection rate be for phishing simulations?

A realistic goal after 12 months of training is a click rate of less than 5%. More important than the click rate is the reporting rate – that is, how many employees actively report suspicious emails to IT.

Is security awareness training sufficient for phishing protection?

No. Training is one layer in the defense-in-depth model. Email security, EDR, and egress filtering are technical layers that protect independently of the human factor.

How effective are phishing simulations in raising employee awareness?

Studies show that regular phishing simulations can reduce the click rate on malicious links by up to 70 percent. It is crucial that each simulation is followed by direct feedback with concrete learning points and that the exercises are repeated at least quarterly.

Header Image Source: Pexels / Markus Winkler

About the author: Tobias Massow

A magazine by Evernine Media GmbH