Executive Summary
In September 2025, organizations experienced a surge of sophisticated credential harvesting attacks that moved beyond traditional email phishing, utilizing instant messaging, social media, and malicious advertising channels. Attackers deployed advanced Attacker-in-the-Middle (AiTM) phishing kits and leveraged compromised accounts, cloned login pages, and rapid domain rotation to evade both detection and remediation. Case studies included targeted spear-phishing via LinkedIn and malvertising on Google Search, resulting in high-value session theft and lateral account compromise. These attacks not only bypassed email security but exploited any channel where business users could be reached, often leading to the breach of core cloud platforms and widespread internal access.
This campaign marks a critical evolution in attacker tactics, underlining that perimeter-focused and email-only defenses are insufficient. The surge in non-email phishing brings new urgency for organizations to secure east-west traffic, implement zero trust segmentation, and enhance visibility across all cloud and SaaS environments.
Why This Matters Now
The increasing use of non-email vectors for phishing attacks exposes critical gaps in conventional security controls and compliance readiness. As attackers adapt to target decentralized, hybrid workforces over multiple channels, immediate action is required to modernize threat detection, enforce granular access policies, and address compliance obligations for hybrid and multi-cloud environments.
Attack Path Analysis
Attackers initiated the breach through sophisticated phishing vectors outside conventional email (e.g., LinkedIn, Google Ads) to harvest user credentials. Once access was gained, compromised identities were leveraged to escalate privileges within key platforms, often exploiting single sign-on (SSO) and session token theft. Attackers moved laterally within cloud and SaaS environments, targeting additional users via internal messaging and app integrations. Communication with external infrastructure was facilitated for command and control, typically through obfuscated or encrypted channels. Credentials and sensitive data were then exfiltrated, exploiting legitimate services and egress channels. Finally, attackers were poised to impact the business through service disruption, data theft, or enabling wider-ranging compromise using obtained access.
Kill Chain Progression
Initial Compromise
Description
Attackers used social media direct messages and malicious ads to deliver phishing links, tricking users into providing valid credentials through attacker-in-the-middle (AiTM) phishing sites.
Related CVEs
CVE-2023-23397
CVSS: 9.8
A vulnerability in Microsoft Outlook allows remote attackers to execute arbitrary code via crafted email messages.
Affected Products:
Microsoft Outlook – 2013 SP1, 2016, 2019, 2021, 365
Exploit Status:
exploited in the wild
CVE-2023-23392
CVSS: 9.8
A vulnerability in Microsoft Exchange Server allows remote attackers to execute arbitrary code via crafted email messages.
Affected Products:
Microsoft Exchange Server – 2013, 2016, 2019
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing via Service
Phishing: Spearphishing via Social Media and IM
Drive-by Compromise
Brute Force: Password Guessing
Modify Authentication Process: Web Portal
Adversary-in-the-Middle: Web Session Cookie
System Script Proxy Execution
Valid Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication Mechanisms
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9(1)
CISA Zero Trust Maturity Model 2.0 – Continuous Monitoring and Identity Threat Detection
Control ID: Identity Pillar: Detection & Response
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21(2)(a)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
High-value targets for credential harvesting attacks via LinkedIn spear-phishing and malvertising, requiring enhanced east-west traffic security and zero trust segmentation capabilities.
Information Technology/IT
Critical exposure to non-email phishing through social media and search ads targeting tech executives, necessitating comprehensive multicloud visibility and threat detection solutions.
Computer Software/Engineering
Vulnerable to AiTM phishing attacks exploiting SSO systems and cloud platforms, requiring Kubernetes security and egress policy enforcement for modern development environments.
Capital Markets/Hedge Fund/Private Equity
Prime targets for LinkedIn executive impersonation attacks using fake investment opportunities, demanding encrypted traffic protection and anomaly detection for high-stakes communications.
Sources
- Why attackers are moving beyond email-based phishing attacks (Verified): https://www.bleepingcomputer.com/news/security/why-attackers-are-moving-beyond-email-based-phishing-attacks/
- New LinkedIn phishing scam targets executives with fake board positions (Verified): https://www.techradar.com/pro/security/linkedin-scammers-target-executives-with-fake-board-positions
- Malvertising Alert: Phishing Campaign Targets Onfido Users via Google Ads (Verified): https://cyberhoot.com/blog/malvertising-campaigns-target-onfido-user-credentials/
- How Push stopped a high risk LinkedIn spear-phishing attack (Verified): https://pushsecurity.com/blog/how-push-stopped-a-high-risk-linkedin-spear-phishing-attack
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west visibility, strong egress controls, and network-based threat detection would have significantly disrupted the adversary's ability to expand, maintain persistence, and exfiltrate data across cloud and SaaS environments. Enforcing distributed policy, anomaly response, and microsegmentation would have limited blast radius and exposed attacker actions at multiple kill chain stages.
Control: Threat Detection & Anomaly Response
Mitigation: Potential detection of unusual authentication and session behaviors.
Control: Zero Trust Segmentation
Mitigation: Limited attacker pivot by restricting privilege inheritance across applications.
Control: East-West Traffic Security
Mitigation: Detection and restriction of unauthorized internal traffic or lateral access.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound policy blocking of known malicious destinations and covert channels.
Control: Cloud Firewall (ACF)
Mitigation: Detection/blocking of anomalous or unapproved outbound data flows.
Centralized monitoring and rapid incident containment minimize business impact.
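The Threat Detection & Anomaly Response control above talks about "unusual authentication and session behaviors" in the abstract. As an added illustration (example code written for this page, not part of the original report or of any vendor product), the following Python script runs a session-cookie replay check over a handful of constructed sign-in events. The field names (`session`, `asn`, `ua`, `type`, `mfa`) are assumptions standing in for whatever your identity provider's sign-in log exports. It flags two footprints an AiTM proxy leaves in the identity log: a session cookie presented from a different network or client than the MFA-backed interactive sign-in that created the session, and a session cookie for which no interactive origin was ever recorded.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events; not from any real tenant. Field names are
# assumptions standing in for whatever your IdP's sign-in log exports.
#   type: "interactive" = user typed credentials (+MFA)
#         "cookie"      = an existing session cookie was presented
SAMPLE_EVENTS = [
    {"ts": "2025-09-12T08:01:10Z", "user": "cfo@example.com", "session": "S1",
     "ip": "203.0.113.10", "asn": "AS64500", "ua": "Chrome/128 Windows",
     "type": "interactive", "mfa": True},
    # Same session cookie minutes later from another network and client: the
    # pattern an AiTM proxy leaves after relaying the MFA-backed login.
    {"ts": "2025-09-12T08:02:45Z", "user": "cfo@example.com", "session": "S1",
     "ip": "198.51.100.7", "asn": "AS64501", "ua": "Chrome/128 Linux",
     "type": "cookie", "mfa": False},
    {"ts": "2025-09-12T09:15:00Z", "user": "dev@example.com", "session": "S2",
     "ip": "203.0.113.22", "asn": "AS64500", "ua": "Firefox/130 macOS",
     "type": "interactive", "mfa": True},
    {"ts": "2025-09-12T10:30:00Z", "user": "dev@example.com", "session": "S2",
     "ip": "203.0.113.22", "asn": "AS64500", "ua": "Firefox/130 macOS",
     "type": "cookie", "mfa": False},
    # A session cookie with no interactive sign-in on record at all.
    {"ts": "2025-09-12T11:00:00Z", "user": "analyst@example.com", "session": "S3",
     "ip": "198.51.100.9", "asn": "AS64501", "ua": "Chrome/128 Windows",
     "type": "cookie", "mfa": False},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_replay(events, max_age=timedelta(hours=24)):
    """Return alerts for session cookies that do not match the interactive,
    MFA-backed sign-in that minted the session, or that have no such origin."""
    alerts = []
    origin = {}  # (user, session) -> the interactive sign-in that created it
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        key = (ev["user"], ev["session"])
        if ev["type"] == "interactive" and ev["mfa"]:
            origin[key] = ev
            continue
        if ev["type"] != "cookie":
            continue
        first = origin.get(key)
        if first is None:
            alerts.append({"user": ev["user"], "session": ev["session"],
                           "ip": ev["ip"], "reasons": ["no_interactive_origin"]})
            continue
        reasons = []
        if ev["asn"] != first["asn"]:
            reasons.append("asn_changed")
        if ev["ua"] != first["ua"]:
            reasons.append("user_agent_changed")
        if parse_ts(ev["ts"]) - parse_ts(first["ts"]) > max_age:
            reasons.append("session_older_than_policy")
        if reasons:
            alerts.append({"user": ev["user"], "session": ev["session"],
                           "ip": ev["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_session_replay(SAMPLE_EVENTS):
        print(f"ALERT {a['user']} session={a['session']} from {a['ip']}: "
              f"{', '.join(a['reasons'])}")
```

Run against real logs, an ASN change alone is noisy for mobile users, so the combination of ASN and user-agent change within minutes of the interactive login is the higher-fidelity signal. Detection of this kind complements, rather than replaces, phishing-resistant authentication that binds the credential to the legitimate origin, since a relayed session cookie is only valuable to the attacker when it can be presented from elsewhere.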
Impact at a Glance
Affected Business Functions
- Executive Communications
- Financial Operations
- Identity Verification Services
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of executive credentials, financial data, and sensitive client information due to compromised accounts.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation and least-privilege access controls to prevent attacker privilege escalation and lateral movement.
- Deploy anomaly detection and threat intelligence-backed monitoring for rapid discovery of credential and session abuse across cloud and SaaS environments.
- Strengthen egress security with intelligent outbound filtering, including FQDN/policy controls, to thwart data exfiltration and command-and-control traffic.
- Implement east-west traffic inspection and workload isolation to identify and disrupt internal attacker pivots.
- Centralize cloud visibility and automate incident response to minimize impact and accelerate mitigation of advanced credential harvesting campaigns.
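The egress takeaway above ("FQDN/policy controls") is easier to reason about with a concrete policy in front of you. Below is an added Python example, written for this page and not part of the original report or of any vendor's product, that evaluates constructed outbound TLS flows against a per-workload FQDN allowlist. A flow is denied when the workload has no policy, the destination port is not permitted, the TLS ClientHello carries no server name (a direct-to-IP connection of the kind covert channels favor), or the server name falls outside the allowlist. The workload names, policy entries and flows are all constructed; `.example` is a reserved TLD.

```python
from dataclasses import dataclass
from typing import Optional

# Per-workload egress allowlist (constructed for this example).
EGRESS_POLICY = {
    "payments-api": {"ports": {443},
                     "fqdns": ["api.bank-partner.example", "*.cdn.example"]},
    "build-runner": {"ports": {443},
                     "fqdns": ["registry.example.org"]},
}


@dataclass
class Flow:
    workload: str       # source workload identity, not its IP
    dst_ip: str
    dst_port: int
    sni: Optional[str]  # server name from the TLS ClientHello, None if absent


# Constructed outbound flows as a flow collector or proxy would record them.
SAMPLE_FLOWS = [
    Flow("payments-api", "192.0.2.10", 443, "api.bank-partner.example"),
    Flow("payments-api", "198.51.100.5", 443, None),          # TLS to a bare IP
    Flow("build-runner", "192.0.2.77", 443, "registry.example.org"),
    Flow("build-runner", "203.0.113.4", 8443, "registry.example.org"),
    Flow("payments-api", "192.0.2.30", 443, "assets.cdn.example"),
    Flow("build-runner", "203.0.113.9", 443, "paste-drop.example"),
]


def fqdn_matches(pattern, host):
    """Exact match, or '*.suffix' matching any host that has at least one
    label in front of '.suffix' (so '*.cdn.example' never matches
    'cdn.example' itself or 'evilcdn.example')."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # pattern[1:] keeps the leading dot
    return host == pattern


def evaluate(flow):
    """Return (verdict, reason) for one outbound flow."""
    policy = EGRESS_POLICY.get(flow.workload)
    if policy is None:
        return ("deny", "no_policy_for_workload")
    if flow.dst_port not in policy["ports"]:
        return ("deny", "port_not_permitted")
    if not flow.sni:
        # Default-deny when there is no name to check: direct-to-IP TLS and
        # connections whose server name is hidden both land here.
        return ("deny", "no_fqdn")
    if any(fqdn_matches(p, flow.sni) for p in policy["fqdns"]):
        return ("allow", "allowlisted")
    return ("deny", "fqdn_not_allowlisted")


def evaluate_all(flows):
    return [evaluate(f) for f in flows]


if __name__ == "__main__":
    for flow, (verdict, reason) in zip(SAMPLE_FLOWS, evaluate_all(SAMPLE_FLOWS)):
        print(f"{verdict:5} {flow.workload:13} -> {flow.sni or flow.dst_ip}:"
              f"{flow.dst_port}  ({reason})")
```

The server name is asserted by the client, so an enforcement point should also check that the certificate the server presents is valid for that name, or act as a forward proxy that resolves the name itself; where Encrypted Client Hello hides the name entirely, the default-deny branch above is what keeps the policy meaningful.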