
Social Engineering Is an Attack Chain, Not a Single Event

By the time an attack reaches you and your employees, the adversary has been working for weeks. In this series, I take the social engineering attack chain apart one stage at a time, so you can see what I've seen, and learned to see, after 25-plus years on the receiving end: an attack taking shape long before it lands, and a place to break it at every stage of the chain, not just the last.

June 22, 2026

I have spent most of my career arriving “after the fact.” Most of what I have built (the SOCs, the incident response and threat intel teams, the analysis and reporting pipelines behind them) exists to make sense of an attack after it has already occurred. The longer I did that work, the harder one pattern was to ignore. By the time anyone in the company saw or started looking at the thing we all called “the attack,” the threat actor had already been working for days, sometimes weeks or months. We were studying the endgame of a match we never saw begin.

That is the core problem with how the industry still talks about social engineering. We treat it as a singular event. A bad email. A scam call. A spoofed login page. A text message from your “CEO.” Something that happens in a moment, to one person, on one channel. But the message in the inbox is not the attack. It is the visible end of a long chain of events.

Social engineering is not a single event. It is a chain.

The Message Is Where the Work Becomes Visible, Not Where It Happens

When you treat a phishing email as the attack, you have quietly accepted a very specific claim: that the attack began the instant it touched your environment. Almost nothing about how these attack operations actually run supports that.

Before a lure ever lands, an attacker has usually registered infrastructure, stood up a believable identity, studied how your organization communicates, and chosen the moment and the channel that give the malicious message its best chance of being believed and acted on.

The email is not where the work happens. The email is where the work becomes visible to you. We have gotten very good at inspecting the one artifact that reaches us, and in the process, we have trained ourselves to miss the operation that produced it.

The Five Stages

This shift from email-only attacks to a multi-channel campaign is what Doppel talked about in the Social Engineering Attack Chain, published earlier this year. It’s a way to describe the full lifecycle of a modern social engineering operation instead of the fragment that lands in front of a user.

The attack happens in five stages:

  • Setup: The attacker builds the conditions for success. Infrastructure, lookalike domains, personas, cloned brands, phone and messaging assets, and research on optimal timing and context.
  • Launch: The weaponized communication goes live and is put into motion.
  • Contact: The attack reaches the target and crosses whatever perimeter stands between the two.
  • Engagement: The target is drawn into an exchange. This is the stage that breaks much of our existing defensive logic, and I will come back to it below.
  • Compromise: The attacker gets what they came for. Credentials, a session, a wire, standing access, a workflow exception, or simple human cooperation.

If that progression feels familiar, it should. Lockheed Martin made the same move with the Cyber Kill Chain, and MITRE made it with ATT&CK. The thinking is to stop treating an intrusion as a single moment and to start treating it as a sequence you can interrupt at any stage. Those frameworks mapped the technical intrusion, the exploited vulnerability, the malware, and the movement from machine to machine.

Doppel’s philosophy around the social engineering attack chain maps the part they were never built to cover: the attack on the person, where the adversary does not break in so much as talk their way in.

Why the Engagement Stage Breaks Older Defenses

One stage in that chain deserves singling out, because it is the reason so much of our existing defensive logic comes apart. For most of the history of this field, the payload was a tangible “thing.” A file. A link. A macro. Something static you could fingerprint, detonate in a sandbox, and write a signature against.

In the modern chain, the payload is increasingly the conversation itself. Doppel’s name for that transition, from a static lure to a live, multi-channel exchange, is the Interactive Payload, and it earns a full piece later in this series. The point for now is structural. You cannot sandbox a conversation. You cannot write a signature for rapport. When the exchange is the weapon, every defense built to inspect a discrete artifact is hunting for an object that is no longer there.

Why Defenders Miss the Full Chain

Here is how the chain usually looks from the defender’s side, and it is the heart of the problem:

  1. A brand team sees a suspicious lookalike domain
  2. The SOC sees a reported message
  3. Someone files a takedown request for a fake executive profile
  4. A fraud analyst flags an unusual wire transfer request
  5. Months later, an incident responder reconstructs an account takeover

Five teams. Five tickets. Five tools. One threat campaign.

The attacker ran a single coordinated operation across all five stages. The defender experienced it as five unrelated artifacts, each one landing on a different desk, each one opened and closed on its own.

Incident response teams are organized to respond to fragments, and the adversary is organized to run campaigns. That asymmetry is not a tooling problem. It is a model problem, and you cannot buy your way out of a model problem.

What Changes When You Can See the Operation Instead of the Fragment

Naming the chain is not an academic exercise. It changes what a defender can actually do. When you can see the whole operation instead of just the current fragment, you can:

  • Detect earlier, in Setup, while infrastructure is still being staged, instead of at Contact, when the message is already in front of an employee.
  • Correlate faster, treating the domain, the profile, and the message as one actor instead of three tickets on three desks.
  • Prioritize honestly, because a signal that connects to a live campaign matters more than one that stands alone.
  • Disrupt, going after the infrastructure and identities behind the operation rather than swatting the single message that happened to reach you.

That last one matters most. Connecting scattered signals into one campaign-level view is the work that makes disruption possible, and it is exactly the job Doppel built the Threat Graph to do. The whole point of seeing the chain is to act on the part of it that the attacker did not expect you to see.

This is the difference between defending against events and defending against an operation. We have gotten very good at responding to the individual artifact. We have been much slower to organize around and address the campaign behind it.
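The correlation step described above, as an added illustration that is not Doppel's code or the Threat Graph: five constructed tickets from five desks (a lookalike domain, a reported message, a fake executive profile, a wire request, a reconstructed account takeover) are linked by the indicators they share, so the defender sees one campaign with an earliest visible stage of Setup rather than five unrelated artifacts. All ticket ids, domains, addresses and the beneficiary value are constructed placeholders.

```python
from collections import defaultdict
from typing import NamedTuple
STAGES = ["Setup", "Launch", "Contact", "Engagement", "Compromise"]

class Signal(NamedTuple):
    ticket: str            # the ticket one team opened on its own desk
    team: str
    stage: str             # chain stage this fragment belongs to
    indicators: frozenset  # (kind, value) pairs observed in the fragment

# Constructed sample tickets: five desks, five fragments, one operation,
# plus one unrelated report that must not be pulled into the campaign.
TICKETS = [
    Signal("BRAND-101", "brand", "Setup",
           frozenset({("domain", "acme-payments.example"), ("ip", "203.0.113.5")})),
    Signal("SOC-2231", "soc", "Contact",
           frozenset({("domain", "acme-payments.example"), ("sender", "cfo@acme-payments.example")})),
    Signal("LEGAL-77", "legal", "Setup",
           frozenset({("persona", "Jane Doe, CFO"), ("domain", "acme-payments.example")})),
    Signal("FRAUD-9", "fraud", "Engagement",
           frozenset({("sender", "cfo@acme-payments.example"), ("beneficiary", "ACCT-PLACEHOLDER")})),
    Signal("IR-3", "ir", "Compromise",
           frozenset({("beneficiary", "ACCT-PLACEHOLDER"), ("account", "j.smith")})),
    Signal("SOC-2300", "soc", "Contact", frozenset({("domain", "unrelated.example")})),
]

def correlate(signals):
    """Union-find over tickets: any shared indicator links two tickets into one campaign."""
    parent = {s.ticket: s.ticket for s in signals}
    def find(t):
        while parent[t] != t:
            parent[t] = parent[parent[t]]  # path halving keeps chains short
            t = parent[t]
        return t
    first_seen = {}  # indicator -> first ticket that carried it
    for s in signals:
        for ind in s.indicators:
            if ind in first_seen:
                parent[find(first_seen[ind])] = find(s.ticket)
            else:
                first_seen[ind] = s.ticket
    groups = defaultdict(list)
    for s in signals: groups[find(s.ticket)].append(s)
    return list(groups.values())

def summarize(campaign):
    """Campaign-level view: which desks saw it, which stages, and the earliest one."""
    stages = sorted({s.stage for s in campaign}, key=STAGES.index)
    return {"tickets": sorted(s.ticket for s in campaign), "teams": sorted({s.team for s in campaign}),
            "stages": stages, "earliest_stage": stages[0]}
```

Running `summarize` over each group returned by `correlate(TICKETS)` yields one five-ticket campaign spanning Setup through Compromise and one stand-alone report, which is the prioritization signal the bullet list above is after.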

The Takeaway

The five-stage chain is not just a cleaner picture of how these attacks work. It is a better operating model for stopping them, because it tells you the attack started long before the message arrived, and it tells you where to look.

In 25-plus years of building defenses against this, the most consequential shift I have seen is not a new control. It is the decision to stop treating social engineering as the moment we noticed, and start treating it as the chain it always was.

What leaders should take away

  • The message is the symptom, not the attack. If your program’s first meaningful detection is an email or a phone call, you are entering the fight at the last stage, on the attacker’s terms.
  • Fragmented response is the real exposure. Five teams closing five tickets on one campaign is not coverage. There are five separate chances to miss the pattern.
  • Earlier is cheaper. Every stage you push detection upstream, toward Setup, is a stage where the attack costs the adversary more and costs you less.

The rest of this series walks the chain one stage at a time, from how attackers build the conditions for success before you ever see a message, through what they actually do once they have what they came for. The goal is not a new vocabulary. It is a better operating model for interrupting these attacks before they scale.
