You have physical access to a facility by looking the part: suit, tie, and a fake ID badge.  Walking around the office, you notice a multifunction printer and scanner. During the course of the day, you see employees walk up to the device with papers in hand, punch something into the user interface, scan the documents, and then walk back to their desks.  What is likely happening here is that the scanner is taking the images and storing them in a file share so that the user can access them from his or her computer. In order to do this, the printer must authenticate to the file share. Printers are often left with default administrator credentials, allowing us to change the configuration. The accounts used are often domain administrators, or at the very least, have permissions to access highly sensitive data. How you modify the printer's settings will depend on the specific model. Searching online for the user guide to the specific model is a no-brainer.

The idea is to temporarily change the destination share to the UNC path of your Kali box. When I did this, I kept a close eye on the screen; once I captured authentication attempts, I changed the settings back as quickly as I could to minimize any suspicion. The user's documents never make it to the file share; if it only happens once, they'll likely assume a temporary glitch and think nothing of it. But if multiple users are finding they consistently can't get documents onto the share, IT will be called.