Last week, we detected some suspicious activity on the network from outside actors seemingly targeting our servers. We received a ransom email over the weekend, but IT didn't open it until Tuesday afternoon, when they verified the stolen data as authentic. We thought the attackers were bluffing since we ignored the email for days, but lo and behold, our systems were indeed encrypted on Wednesday afternoon!
How did the attackers know when we opened up the email?
By: skat
Handout:
Flag: irisctf{h0neyt0kens_4rent_0nly_us3d_by_th3_wh1te_hat5}