The Inquisitor

Malmon Profile

Classification: Trojan / Social Engineering ⭐⭐
Origin: Community (Inver, privacy lawyer and TTRPG publisher)
Contribution Date: 2026-02-10
Threat Level: Intermediate (Privacy compliance weaponization)

Malmon Card Reference

The Inquisitor

Trojan / Social Engineering
⭐⭐

The Inquisitor is a coordinated social engineering attack that weaponizes privacy compliance obligations against organizations. By flooding targets with fraudulent Data Subject Access Requests, it overwhelms compliance teams while simultaneously extracting sensitive information through legitimate-looking channels. Some DSARs probe for system architecture; fulfilled responses become reconnaissance. The DSAR flood provides cover for secondary exfiltration payloads already positioned in the network.

🔥 ABILITIES
🔥 Regulatory Camouflage
Attack traffic disguised as legitimate DSAR/privacy requests. Security tools don't flag it because it looks like normal compliance workflow. +3 to social engineering when impersonating data subjects.
⚡ Compliance Drowning
Floods privacy team with volume designed to force shortcuts. When staff skip identity verification steps due to time pressure, attacker gains access to legitimate data through 'their own' DSAR responses. Organizations may inadvertently SEND PII to attackers. +2 vs targets under regulatory deadline pressure.
🔮 Reconnaissance Extraction
Some DSARs are crafted to reveal system architecture. 'Please provide all data you hold about me, INCLUDING WHAT SYSTEMS STORE IT.' Responses inadvertently map the data landscape for Phase 2 targeting. Revealed when players analyze DSAR content patterns.
⬆️ EVOLUTION
⬆️ Coordinated Exfiltration
While compliance team is overwhelmed, a secondary payload begins actual data exfiltration. The Inquisitor's final form: it ASKED for your data, you GAVE it your data, and then it TOOK the rest. Triggers if DSARs distract defenders for 48+ hours.
💎 WEAKNESS
💎 Cross-Functional Coordination
Defeated when security and compliance teams share intelligence and recognize the pattern. The attack relies on organizational silos. -3 when defenders establish unified incident command across legal and technical functions.
📊 STATS
🔍 Detection: 7
🔒 Persistence: 6
📡 Spread: 8
💣 Payload: 8
🥷 Evasion: 7

Technical Characteristics

Behavioral Patterns

The Inquisitor is a coordinated social engineering attack that weaponizes privacy compliance obligations against organizations. By flooding targets with fraudulent Data Subject Access Requests (DSARs), it overwhelms compliance teams while simultaneously extracting sensitive information through legitimate-looking channels. Some DSARs probe for system architecture; fulfilled responses become reconnaissance. The DSAR flood provides cover for secondary exfiltration payloads already positioned in the network.

“I don’t break down doors. I send formal requests and wait for you to open them yourself.”

The attack exploits the tension between regulatory compliance obligations and security vigilance. Privacy teams under deadline pressure make predictable errors: skipping verification steps, answering questions outside DSAR scope, and prioritizing speed over scrutiny. The attack is particularly effective because it disguises reconnaissance as legal entitlement.

Abilities

🎯 Primary Ability: Regulatory Camouflage

  • Mechanism: Attack traffic disguised as legitimate DSAR/privacy requests
  • Effect: Security tools don’t flag it because it looks like normal compliance workflow
  • Game Impact: +3 to social engineering when impersonating data subjects
  • Real-World Analogy: Fraudulent DSAR requests that appear indistinguishable from genuine data subject rights exercises

⚡ Special Attack: Compliance Drowning

  • Mechanism: Floods privacy team with volume designed to force shortcuts
  • Effect: When staff skip identity verification steps due to time pressure, attacker gains access to legitimate data through “their own” DSAR responses. Organizations may inadvertently SEND PII to attackers.
  • Game Impact: +2 vs targets under regulatory deadline pressure
  • Real-World Analogy: Spike in DSAR volume timed to coincide with compliance deadlines or understaffed periods

🔮 Hidden Ability: Reconnaissance Extraction

  • Mechanism: Some DSARs are crafted to reveal system architecture. “Please provide all data you hold about me, INCLUDING WHAT SYSTEMS STORE IT.”
  • Effect: Responses inadvertently map the data landscape for Phase 2 targeting
  • Trigger: Revealed when players analyze DSAR content patterns
  • Real-World Analogy: GDPR Art. 15 technically requires organizations to identify data sources; attackers exploit this to extract infrastructure maps

โฌ†๏ธ Evolution: Coordinated Exfiltration

  • Trigger: If DSARs distract defenders for 48+ hours
  • New Capabilities:
    • Secondary payload begins actual data exfiltration using infrastructure map from DSAR responses
    • The Inquisitor’s final form: it ASKED for your data, you GAVE it your data, and then it TOOK the rest
  • Facilitation Impact: Exfiltration timeline starts BEFORE the DSAR spike is noticed; the DSARs were distraction and cover

Weaknesses

โš–๏ธ Cross-Functional Coordination

  • Vulnerability: Defeated when security and compliance teams share intelligence and recognize the coordinated pattern
  • Game Impact: -3 when defenders establish unified incident command across legal and technical functions
  • Containment Strategy: The attack relies on organizational silos. Break down those silos early.

Facilitation Notes

Learning Objectives

  1. Understand DSAR weaponization risks: recognize how privacy compliance obligations create predictable attack surfaces
  2. Cross-functional incident response: security and compliance teams must share intelligence; siloed responses fail
  3. Identity verification under pressure: deadline pressure systematically degrades verification quality
  4. Recognize coordinated social engineering: volume, timing, and content patterns reveal the campaign

Discussion Points

For Participants:

  • How does the 30-day GDPR response clock change your decision-making when you’re on Day 4 of a volume spike?
  • What would make your team skip verification steps? What conditions normalize cutting corners?
  • Who “owns” this incident: privacy team or security team? What does that question reveal?
  • Is sending PII to attackers via a DSAR response a notifiable breach? Why or why not?

For Incident Masters:

  • The attack works by making legitimate processes look indistinguishable from malicious ones; don’t rush players to the answer
  • The organizational silo (privacy ≠ security) is the core vulnerability, not a technical weakness
  • Let teams discover the timeline: exfiltration started before the DSAR spike was noticed
  • Reward players who establish unified incident command early; that’s the key containment move

Containment Strategies

Technical Controls:

  • Enhanced logging and anomaly detection on DSAR processing systems
  • Multi-person authorization for responses containing infrastructure information
  • Automated checks: does this DSAR request system architecture details? (Out of scope; escalate)

Process Controls:

  • Identity verification checklist that doesn’t compress under deadline pressure
  • Pause-and-review trigger: when DSAR volume spikes abnormally, loop in security before processing
  • DSAR response template review: what information should never be included regardless of what’s requested

Organizational Controls:

  • Joint security + privacy incident response protocol
  • Regular cross-functional tabletop exercises
  • Clear escalation path: “this feels wrong” has a named owner and response process
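The technical and process controls above (out-of-scope content check, pause-and-review on a volume spike, verification gating) as one triage pass over a DSAR intake log. This is an added example, not code from the original card or its contributor; the log format, the keyword heuristic, the baseline and the spike threshold are all assumptions, and the sample log is constructed.

```python
import re
from collections import Counter

# Constructed sample intake log (not real data): timestamp, requester id,
# identity-verification status, free-text request body.
SAMPLE_LOG = """\
2026-02-01T09:12:00 req-101 verified Please send a copy of the personal data you hold about me.
2026-02-02T10:05:00 req-102 verified I would like to exercise my right of access under GDPR Art. 15.
2026-02-03T11:30:00 req-103 verified What data do you hold about me and for what purposes?
2026-02-10T08:01:00 req-201 unverified Provide all data you hold about me, including what systems store it.
2026-02-10T08:02:00 req-202 unverified Please list every database and server where my records are kept.
2026-02-10T08:03:00 req-203 verified Send me my account history.
2026-02-10T08:04:00 req-204 unverified Which internal applications process my data? Include hostnames.
2026-02-10T08:05:00 req-205 unverified I want a copy of my data.
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (verified|unverified) (.+)$")
# Assumed heuristic: wording that asks where data lives rather than what data is held.
ARCH_RE = re.compile(r"\b(systems?|databases?|servers?|hostnames?|applications?|architecture)\b", re.I)


def parse_log(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped rather than guessed at
            ts, rid, status, body = m.groups()
            rows.append({"day": ts[:10], "id": rid, "verified": status == "verified", "text": body})
    return rows


def triage(rows, baseline_per_day=1, spike_factor=3):
    """Return per-request findings and the set of days whose volume is abnormal."""
    per_day = Counter(r["day"] for r in rows)
    spike_days = {d for d, n in per_day.items() if n >= spike_factor * baseline_per_day}
    findings = []
    for r in rows:
        arch = bool(ARCH_RE.search(r["text"]))
        spike = r["day"] in spike_days
        reasons = []
        if arch:
            reasons.append("requests system architecture: out of DSAR scope")
        if not r["verified"]:
            reasons.append("identity verification incomplete")
        if spike:
            reasons.append("arrived during abnormal volume")
        # Out-of-scope requests always go to security; during a spike, nothing
        # unverified is processed (the pause-and-review trigger).
        findings.append({"id": r["id"], "escalate": arch or (spike and not r["verified"]), "reasons": reasons})
    return findings, spike_days
```

Calling `triage(parse_log(SAMPLE_LOG))` flags the 2026-02-10 burst as a spike and escalates the three architecture-probing requests plus the unverified request that arrived inside the spike, while the verified, in-scope request on the same day is left for normal processing.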

Discovery

  • Habitat: Organizations subject to GDPR, CCPA, or other privacy regulations with mandatory response timelines
  • First Observed: 2025; increasingly common as privacy regulations expand globally
  • Related Threats: Social Engineering, Pretexting, Business Email Compromise

Community Contribution

This malmon was created by Inver, a privacy lawyer and TTRPG publisher. It draws on real attack patterns observed in privacy practice; the scenario is grounded in how DSAR weaponization actually works, not a hypothetical.

Contributor: Inver (privacy lawyer, TTRPG publisher)
Contribution Date: 2026-02-10
Origin: Community
Source: Inver’s prep materials

References

  • The Inquisitor: Compliance Breach Scenario Card
  • GDPR Article 15 (Right of Access): the specific provision attackers exploit
  • CCPA §1798.100: equivalent US provision
  • NIST Privacy Framework: cross-functional privacy/security integration guidance