I suspect more corpos have exposure like this than any of them would like to admit. E.g.: BigCo picks up a company SmallCo, and inherits their systems for some time. There's some cruddy ancient CRM, IT or travel system, and some random test tenant, that has hooks to email, and from there it's a short step to enumerate targets, send auto-generated emails from a trusted system and the hackers are off to the races.
Yes, it can be an endless headache. A company I worked for had acquired a smaller company with some products and services that nicely complemented our own products and services. From the outside it was a good match and for the most part, the integration went well, but they had been using Rational ClearCase for over two decades and absolutely didn't want to migrate to git and the rest of our tool suite. They had very little turnover in their IT department and things ran very well for them, but higher-ups wanted everyone integrated into a single system and the accounting folks wanted to stop paying fees for all the Rational stuff, especially since they hated dealing with IBM. Infosec had pretty much no knowledge of how to best secure anything on that side and the acquired company had nearly no infosec capabilities of their own. When I left, it was still a point of contention that didn't look to get resolved any time soon.
This is genuinely something I hadn't considered. A test tenant may have been in a more than ideal position to stage phishing attacks from. Hopefully this is the case, and not a more concerning lack of disclosure or shudder NSL situation.
I wouldn't put it past them to straight up lie about the vector. How many have worked in these situations where some slick dicky worked up the word salad to make issues sound like non-issues?
That's the most concerning fact that they just glossed over.