Day 1–2: Launch phishing campaign (staggered sends to avoid bulk detection). - Day 3–5: Monitor for successful access. If phishing succeeds, establish initial persistence. - Day 5–7: If phishing fails, activate secondary vector (external exploitation). - Decision Point: Proceed to post-exploitation