Picture this...
An employee receives a targeted phishing email and, without realizing what it is, downloads an “urgent update” for their computer. The attacker now has access to their device and is able to install a keylogger on the computer, learn more about the network, and gain domain admin access to dig even deeper.