From Email to Outage: How the Shadow Current Starts in IT

Tracing the attack path from inbox to industrial shutdown

It starts with a single email. Not sophisticated malware delivered through zero-day exploits. Not nation-state hackers breaking through multi-million-dollar defenses. Just an email asking someone to verify their credentials or download an attachment.

According to the FBI, phishing represented 22.5% of all internet crimes in 2024, making it the most reported cybercrime. And when that phishing email lands in an industrial environment, it becomes the first trickle of what could become a devastating flood through your operational systems.

Let's trace the shadow current from inbox to industrial shutdown.

Hour Zero: The Email That Changes Everything

The SANS Institute reports that 18.6% of OT and industrial control system incidents begin with spear-phishing emails containing malicious attachments. These aren't random spray-and-pray campaigns. Sophisticated threat groups like GRAPHITE, which overlaps with state-sponsored APT28, specifically target industrial organizations with carefully crafted messages designed to harvest credentials.

When an employee clicks that link or opens that attachment, they've just opened a channel. The shadow current begins flowing immediately.

Minutes 1-60: Credential Harvesting and Initial Foothold

What happens in that first hour determines everything that follows. Modern attackers move with shocking speed once inside your network.

According to Palo Alto Networks' Unit 42, sophisticated threat actors like Muddled Libra can compromise domain-privileged accounts within 40 minutes of initial access. In 20% of 2024 incidents, attackers achieved data exfiltration in under one hour. Tools like Mimikatz, which appeared in 15% of attacks in 2024 according to Sophos, make credential extraction trivially easy for anyone with basic technical skills.

The phishing email gave attackers their first valid credential. Now they're collecting every other credential they can find, mapping trust relationships, and identifying which accounts have the deepest access.

Hours 2-6: Lateral Movement Through IT

With credentials in hand, the shadow current accelerates. Attackers move laterally through your IT network, jumping from system to system using the very authentication protocols designed to make your organization function.

ReliaQuest found that attackers achieve lateral movement in as little as 27 minutes, with an average of 48 minutes. They're not breaking down doors; they're using keys you didn't know they had. Service accounts, administrator credentials, domain controller access—each becomes another channel the shadow current flows through.

During this phase, attackers are mapping your infrastructure. They're discovering which systems connect to which, which accounts have elevated privileges, and where your operational technology lives. Zero Networks' 2025 OT Security Trends Report confirms what defenders have learned the hard way: 75% of OT attacks begin as IT breaches.

The shadow current always flows toward the most valuable target. In industrial environments, that's your operational systems.

Hours 6-48: Discovery and Reconnaissance

Now attackers know your network better than many of your own staff do. They've found the engineering workstations that connect to both IT and OT networks. They've identified the historians pulling data from SCADA systems. They've discovered the HMI terminals running on Windows operating systems with IT network access.

According to the 2025 OT Cyber Threat Report by Waterfall Security and ICS STRIVE, 90% of attacks caused physical or operational impact indirectly through IT systems, even when attackers never directly touched OT infrastructure. The shadow current doesn't need to reach the PLC directly if it can disrupt the systems that manage it.

Take Anton Paar, the Austrian manufacturer hit by ransomware in 2023. The attack began with a phishing email. Within days, attackers had encrypted systems across multiple manufacturing sites, forcing a complete operational shutdown. The company publicly stated that production remained suspended while they rebuilt systems from backups.

Days 2-7: The Pivot to Operational Technology

The IT–OT boundary that organizations assume protects them becomes just another channel for the shadow current. Workstations that connect to both networks, historians that aggregate data, remote access solutions installed for "temporary" troubleshooting—all become bridges.

The 2024 Dragos OT Cybersecurity Year in Review documented sophisticated threat groups exploiting vulnerable routers for proxy infrastructure and spear-phishing operations targeting industries relying on OT and industrial control systems. These were campaigns designed to reach operational systems through IT infrastructure.

When ransomware spreads from IT into OT environments, it doesn't discriminate. Engineering workstations running HMI software get encrypted. Historians storing critical process data get locked. Backup systems protecting production data become unusable.

The Moment of Impact: Operational Shutdown

The Sophos State of Ransomware in Manufacturing and Production 2025 report found that 23% of manufacturing ransomware attacks originated via email. Those attacks didn't just affect IT systems—they forced operational shutdowns. The report documents that 88% of organizations hit by email-based threats subsequently faced ransomware attacks.

When the shadow current reaches your operational systems, the impact is measured in halted production, missed shipments, and financial losses that compound by the hour. The 2025 OT Cyber Threat Report documented 1,015 sites experiencing operational disruption in 2024, a 146% year-over-year increase, with manufacturing as the most heavily targeted sector.

Recovery takes weeks. Systems must be rebuilt from backups, verification procedures completed, and production carefully restarted. Each day of downtime represents millions in lost revenue and damaged customer relationships.

The Timeline That Should Terrify You

Let's put those phases together:

  • Initial compromise: One email, one click
  • Credential harvesting: 40 minutes to one hour
  • Lateral movement: 27 to 48 minutes
  • Reconnaissance: Hours to days
  • OT access: Days for persistent access
  • Operational impact: Minutes once ransomware deploys

From email to outage: Less than one week in many documented incidents. Colonial Pipeline saw eight days from initial access to discovering the ransom note. Anton Paar experienced complete multi-site operational shutdown within days of the initial phishing compromise.

Why This Path Is So Predictable

The shadow current from email to outage flows through the same channels in organization after organization because those channels are built into how industrial environments operate. Email systems connect employees. Credentials enable access. IT networks link to OT networks because operational visibility requires that connection. Service accounts run continuously because processes can't stop for password rotations.

Attackers don't need to be creative. They just need to follow the shadow current you've unknowingly created through normal business operations.

The question isn't whether this path exists in your environment. According to the 2025 OT Cyber Threat Report by Waterfall Security and ICS STRIVE, only 13% of attacks directly touched OT systems, yet 90% still caused operational impact. The shadow current doesn't need to reach your PLCs if it can paralyze the IT systems that manage them.

The question is whether you've mapped these flows before attackers exploit them.
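One way to map those flows before an attacker does: model the inventory as hosts, the zones they sit in, and the credentials cached on or valid for each host, then search for credential-only paths from a phishable IT workstation into OT. This is an added example, not code from the original post; the inventory, host names and credentials are constructed for illustration.

```python
from collections import deque

# Constructed inventory (not a real site): host -> network zone.
# "IT/OT" marks dual-homed bridges such as engineering workstations and historians.
HOSTS = {
    "ws-finance-01": "IT", "file-srv": "IT", "dc-01": "IT",
    "eng-ws-01": "IT/OT", "historian": "IT/OT",
    "hmi-01": "OT", "plc-gateway": "OT",
}
# Constructed: credential -> hosts where it is valid for logon.
CREDENTIAL_SCOPE = {
    "alice": {"ws-finance-01", "file-srv"},
    "svc-backup": {"file-srv", "dc-01", "historian", "eng-ws-01"},
    "domain-admin": {"dc-01", "file-srv", "eng-ws-01", "historian"},
    "eng-local-admin": {"eng-ws-01", "hmi-01", "plc-gateway"},
}
# Constructed: host -> credentials cached or in use there (i.e. harvestable).
CACHED_ON = {
    "ws-finance-01": {"alice"}, "file-srv": {"svc-backup"},
    "dc-01": {"domain-admin"}, "eng-ws-01": {"eng-local-admin"},
}

def credential_paths(start_host, target_zone="OT"):
    """Breadth-first search from the phished host. Each hop is: harvest the
    credentials present on the current host, then log on to every host they
    are valid for. Returns the shortest path to each reachable target-zone
    host as an alternating list [host, credential, host, ...]."""
    seen, queue, paths = {start_host}, deque([[start_host]]), {}
    while queue:
        path = queue.popleft()
        host = path[-1]
        if HOSTS[host] == target_zone:
            paths[host] = path
            continue
        for cred in sorted(CACHED_ON.get(host, ())):
            for nxt in sorted(CREDENTIAL_SCOPE.get(cred, ())):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [cred, nxt])
    return paths

def cross_zone_credentials():
    """Credentials valid in more than one zone: each one carries an attacker
    across a boundary with a plain logon, no exploit required."""
    zones = {c: sorted({HOSTS[h] for h in hs}) for c, hs in CREDENTIAL_SCOPE.items()}
    return {c: z for c, z in zones.items() if len(z) > 1}

if __name__ == "__main__":
    for host, path in credential_paths("ws-finance-01").items():
        print(host, "<-", " -> ".join(path))
    print("cross-zone credentials:", cross_zone_credentials())
```

Run against a real inventory, the interesting output is not the path itself but the credentials that appear in every path: those are the accounts to scope down, rotate, or move behind a jump host.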

Why Credentials Create the Deepest Shadow Currents

Every stage of this attack relied on one thing: stolen credentials. The shadow current flows strongest through authentication channels because they're designed to provide access. A single set of compromised credentials can open channels from IT deep into operational technology.

That's what makes credential theft so dangerous—and that's what we'll explore in our next post. We'll examine why stolen credentials create the fastest, deepest shadow currents through your infrastructure and why these credential-based paths are nearly impossible to detect using traditional security tools.

The email has been sent. The shadow current is flowing. The question is whether you'll chart these flows proactively or discover them after they've carried attackers to your critical systems.

Don't Wait to Map Your Shadow Currents

Discover where your credentials flow, how attackers move from IT to OT, and which channels need protection before the next phishing email arrives.

One Email. Seven Days. Total Shutdown.


Hour Zero: The Click

Instant compromise

18.6% of OT incidents begin with spear-phishing emails containing malicious attachments. Sophisticated threat groups like GRAPHITE (overlapping with APT28) target industrial organizations with carefully crafted credential harvesting campaigns.

When an employee clicks that link or opens that attachment, the shadow current begins flowing immediately. The channel is open.

Minutes 1-60: Credential Harvesting

40 minutes to domain admin

Threat actors like Muddled Libra compromise domain-privileged accounts within 40 minutes of initial access. In 20% of 2024 incidents, attackers achieved data exfiltration in under one hour.

Tools like Mimikatz (appearing in 15% of attacks) make credential extraction trivial. The phishing email gave attackers their first credential—now they're collecting every other one they can find, mapping trust relationships, and identifying deep-access accounts.

Hours 2-6: Lateral Movement

27 minutes fastest, 48 minutes average

With credentials in hand, attackers move laterally through your IT network in as little as 27 minutes (ReliaQuest). They're not breaking down doors—they're using keys you didn't know they had.

Service accounts, administrator credentials, domain controller access—each becomes another channel. During this phase, they're mapping infrastructure, discovering system connections, identifying elevated privileges, and locating your operational technology. The shadow current always flows toward the most valuable target.

Hours 6-48: Reconnaissance

Mapping the IT-OT bridge

Attackers now know your network better than your own staff. They've found engineering workstations connecting to both IT and OT networks, historians pulling SCADA data, and HMI terminals running Windows with IT access.

90% of attacks caused operational impact indirectly through IT systems, even when attackers never directly touched OT infrastructure. The shadow current doesn't need to reach the PLC if it can disrupt the systems managing it.

Days 2-7: The Pivot to OT

Crossing the boundary

The IT-OT boundary becomes just another channel. Workstations connecting to both networks, historians aggregating data, "temporary" remote access solutions—all become bridges for the shadow current.

When ransomware spreads from IT into OT environments, it doesn't discriminate. Engineering workstations running HMI software get encrypted. Historians storing critical process data get locked. Backup systems protecting production data become unusable.

Impact: Operational Shutdown

Minutes once ransomware deploys

23% of manufacturing ransomware attacks originated via email. 88% of organizations hit by email-based threats subsequently faced ransomware. 1,015 sites experienced operational disruption in 2024—a 146% year-over-year increase.

Impact is measured in halted production, missed shipments, and financial losses compounding by the hour. Recovery takes weeks: rebuilding systems from backups, completing verification procedures, carefully restarting production. Each day represents millions in lost revenue and damaged customer relationships.

Why This Attack Works Every Time


Credentials Are Keys

Every stage of the attack relied on stolen credentials


The shadow current flows strongest through authentication channels because they're designed to provide access. A single compromised credential opens channels from IT deep into operational technology.


Built-In Channels

The paths exist by design in your infrastructure


Email systems connect employees. IT networks link to OT for operational visibility. Service accounts run continuously because processes can't stop. Attackers just follow the shadow current you unknowingly created through normal operations.


Invisible Movement

Traditional tools can't detect credential-based attacks


Attackers use valid credentials and authentication protocols your systems trust. They're not breaking in—they're logging in. Credential-based paths are nearly impossible to detect with traditional security tools.

Real Incidents: The Shadow Current in Action


Anton Paar Manufacturing

Austria, 2023

Attack Vector: Phishing email

Timeline: Within days from initial compromise to complete shutdown

Impact: Encrypted systems across multiple manufacturing sites, forcing complete operational shutdown. Production remained suspended while systems were rebuilt from backups.

Lesson: The shadow current from email to multi-site industrial shutdown took less than one week.

Colonial Pipeline

USA, 2021

Attack Vector: Compromised credentials

Timeline: Eight days from initial access to discovering the ransom note

Impact: 5,500-mile pipeline shutdown, fuel shortages across the Eastern U.S., $4.4 million ransom paid (partially recovered)

Lesson: From credential compromise to operational shutdown in just over one week—the predictable path of the shadow current.

Critical Realities

The timeline is shockingly fast: From email to outage in less than one week. Credential harvesting in 40 minutes, lateral movement in 27-48 minutes, operational impact in minutes once ransomware deploys.

The path is predictable: 75% of OT attacks begin as IT breaches. 90% cause operational impact without directly touching OT systems. The shadow current flows through channels built into your infrastructure.

Credentials are the current: Every stage relies on stolen credentials. Authentication channels designed to provide access become the strongest shadow currents—nearly impossible to detect with traditional tools.

Map Your Shadow Currents Before Attackers Do

Discover where your credentials flow, how attackers move from IT to OT, and which channels need protection.
