sorry noob q, but do you mean that the company probably didn't think to search for the unencrypted traffic? I'm not sure if I understand why the encapsulated traffic being unencrypted is "advantageous" for the adversary
I think it's just that most scanning tools aren't trying to unwrap a TCP packet inside a TCP packet, so it bypassed their naive filters. Once a researcher spotted it, it was trivial to unwrap, but automated tooling would just see it as the outer TCP packet with some opaque data inside of it.
I would assume that the attacker's destination IP would show up on some dashboards somewhere though...
I would assume that the attacker's destination IP would show up on some dashboards somewhere though...