For the first scenario, we will use a machine that got compromised after the end user opened a phishing email that looks like the following:
This end user was located in the Brazilian branch office, hence the email is in Portuguese. The content of this email is somewhat concerning, since it talks about an ongoing legal proceeding, and the user was curious to see whether he really had anything to do with it. After poking around in the email, he noticed that nothing apparently happened. He ignored it and continued working. A couple of days later, he received an automated report from IT saying that he had accessed a suspicious site and that he should call support to follow up on this ticket.
He called support and explained that the only suspicious activity he remembered was opening an odd email; he then presented this email as evidence. When questioned about what he did, he explained that he clicked the image that was apparently attached to the email, thinking that he could...