CyberheistNews Vol 15 #19 [Heads Up] Talos Report Shows Phishing Attacks Surged in Q1 2025


CyberheistNews Vol 15 #19  |   May 13th, 2025

[Heads Up] Talos Report Shows Phishing Attacks Surged in Q1 2025
Stu Sjouwerman SACP

Phishing was the initial access vector in 50% of attacks during the first quarter of 2025, according to a new report from Cisco Talos.

"Threat actors used phishing to achieve initial access in 50 percent of engagements, a notable increase from less than 10 percent last quarter," Talos writes.

"Vishing was the most common type of phishing attack seen, accounting for over 60 percent of all phishing engagements, though we also observed malicious attachments, malicious links, and business email compromise (BEC) attacks.

"Adversaries predominantly leveraged phishing to gain access to a valid account, pivot deeper into the targeted network, and expand their foothold, contrasting other phishing objectives we have seen in the past such as eliciting sensitive information or monetary transfers."

Additionally, ransomware surged by 20%, accounting for half of Talos's engagements in Q1 2025. A single campaign using the BlackBasta and Cactus ransomware made up 60% of these ransomware incidents, targeting manufacturing and construction organizations. These attacks began with voice phishing (vishing) attempts that trick employees into granting access.

"The attack chain we observed begins with the threat actors flooding users' mailboxes at targeted organizations with a large volume of benign spam emails," Talos explains. "After a few days, the actors call the victim, usually via Microsoft Teams, and direct them to initiate a Microsoft Quick Assist remote access session, helping them with the installation of the program if not already present on the user's system."

Once the attacker gains access, they establish persistence, escalate privileges, and move laterally before deploying the ransomware.
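The chain Talos describes starts with a mailbox flood that precedes the "helpdesk" call by a few days, and it ends with a remote-assistance tool being launched. Both stages leave telemetry a defender can correlate. The following is an added example (not Talos's or KnowBe4's code) that assumes two constructed data sources: mail-gateway delivery records reduced to a timestamp and recipient, and endpoint process-start records reduced to a timestamp, user and process name. The process name "QuickAssist.exe", the seven-day correlation horizon and every log line below are assumptions made for the demo.

```python
"""Detect the mailbox-flooding stage and correlate it with a later remote-tool launch.

Added example, not Talos or KnowBe4 code. Data sources, field layout,
thresholds and the process name are assumptions; all records are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed gateway log lines: "<ISO timestamp> rcpt=<address>"
SAMPLE_GATEWAY_LOG = "\n".join(
    # a normal trickle for two mailboxes over one morning
    [f"2025-03-03T09:{m:02d}:00 rcpt=ops@example.com" for m in range(0, 60, 10)]
    + [f"2025-03-03T09:{m:02d}:30 rcpt=hr@example.com" for m in range(0, 56, 7)]
    # 300 messages in five minutes for the targeted user
    + [f"2025-03-03T09:{s // 60:02d}:{s % 60:02d} rcpt=victim@example.com" for s in range(300)]
)

# Constructed endpoint telemetry: (timestamp, user, process name)
SAMPLE_PROCESS_EVENTS = [
    (datetime(2025, 3, 5, 14, 12), "victim", "QuickAssist.exe"),  # two days after the flood
    (datetime(2025, 3, 3, 11, 0), "ops", "Teams.exe"),
]


def parse_gateway_log(text):
    """Reduce each log line to a (datetime, recipient) pair."""
    events = []
    for line in text.splitlines():
        ts_str, _, rcpt = line.partition(" rcpt=")
        events.append((datetime.fromisoformat(ts_str), rcpt.strip()))
    return events


def detect_bursts(events, window=timedelta(minutes=10), threshold=100):
    """Sliding-window message count per recipient.

    Returns {recipient: (peak_count, window_start)} for recipients whose
    peak count within `window` reached `threshold`.
    """
    windows = defaultdict(deque)
    peaks = {}
    for ts, rcpt in sorted(events):
        q = windows[rcpt]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > peaks.get(rcpt, (0, None))[0]:
            peaks[rcpt] = (len(q), q[0])
    return {r: p for r, p in peaks.items() if p[0] >= threshold}


def correlate_remote_tool(bursts, process_events, horizon=timedelta(days=7),
                          tool_names=("QuickAssist.exe",)):
    """A flood followed within `horizon` by a remote-assistance tool start for the same user."""
    hits = []
    for rcpt, (count, start) in bursts.items():
        user = rcpt.split("@")[0]  # assumption: mailbox local part equals the endpoint user name
        for ts, proc_user, proc in process_events:
            if proc_user == user and proc in tool_names and start <= ts <= start + horizon:
                hits.append((rcpt, count, ts))
    return hits


if __name__ == "__main__":
    bursts = detect_bursts(parse_gateway_log(SAMPLE_GATEWAY_LOG))
    print("mail bombing suspected:", bursts)
    print("followed by remote tool launch:", correlate_remote_tool(bursts, SAMPLE_PROCESS_EVENTS))
```

The absolute threshold is deliberately crude; in production you would derive it per mailbox from a baseline, and the second stage is what turns a noisy "lots of spam" signal into an incident worth a phone call to the user.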

Talos recommends user awareness training as a layer of defense against these types of social engineering attacks.

Blog post with links:
https://blog.knowbe4.com/talos-report-phishing-attacks-surged-in-q1-2025

FAIK Everything: The Deepfake Playbook, Unleashed

Brace yourself for a mind-bending journey into the world of digital deception! Generative AI is unleashing deepfakes so dangerously convincing they can manipulate even your most vigilant defenders. These aren't just Hollywood special effects anymore — they're the latest weapon in the cybercriminal's arsenal, already targeting your organization's vulnerabilities!

Join us for this heart-stopping webinar where Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, rips the mask off the alarming rise of AI-powered social engineering. Whether you're a security leader, red teamer, risk manager or anyone responsible for keeping your organization safe in this brave new world, this session is your ticket to staying ahead of the curve.

In this eye-opening webinar, you'll witness:

  • Exclusive, jaw-dropping demos of deepfake tech in action — including video impersonations, voice cloning, and synthetic crisis scenarios
  • Analysis of recent high-profile cases where synthetic media has been weaponized
  • An insider look at the AI deception tools and techniques being deployed by sophisticated threat actors today
  • "Adversarial thinking" strategies to identify your most vulnerable attack surfaces
  • Organizational strategies to build resilience against narrative manipulation at scale

Don't let your organization become the next victim of a deepfake disaster! Attend this webinar and arm yourself with the knowledge to outsmart even the most convincing AI tricksters and earn CPE credit for attending!

Date/Time: TOMORROW, Wednesday, May 14 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterward.

Save My Spot:
https://info.knowbe4.com/faik-everything?partnerref=CHN2

Warning: Phishing Campaign Impersonates the U.S. Social Security Administration

Researchers at Malwarebytes warn that phishing emails are impersonating the U.S. Social Security Administration (SSA) to trick users into installing the ScreenConnect remote access tool.

ScreenConnect is a legitimate tool used for remote IT management, but it can be abused by hackers to take control of victims' computers.

"Because ScreenConnect provides full remote control capabilities, an unauthorized user with access can operate your computer as if they were physically present," Malwarebytes explains. "This includes running scripts, executing commands, transferring files, and even installing malware—all potentially without you realizing."

The phishing emails, sent by the Molatori cybercriminal gang, state, "Your Social Security Statement is now available. Thank you for choosing to receive your statements electronically. Your document is now ready for download."

If a user downloads the attached file, a ScreenConnect client controlled by the attackers will be installed on their system.

"After cybercriminals install the client on the target's computer, they remotely connect to it and immediately begin their malicious activities," Malwarebytes says. "They access and exfiltrate sensitive information such as banking details, personal identification numbers, and confidential files. This stolen data can then be used to commit identity theft, financial fraud, and other harmful acts."

Malwarebytes offers the following advice to help users avoid falling for these attacks:

  • "Verify the source of the email through independent sources
  • Don't click on links until you are sure they are non-malicious
  • Don't open downloaded files or attachments until you are sure they are safe
  • Use an up-to-date and active anti-malware solution
  • If you suspect an email isn't legitimate, take a name or some text from the message and put it into a search engine to see if any known phishing attacks exist using the same methods"

Blog post with links:
https://blog.knowbe4.com/warning-phishing-campaign-impersonates-the-us-social-security-administration

[Live Demo] Supercharge Your Anti-Phishing Defense with AI

Cybercriminals are weaponizing AI, driving a 1,265% surge in phishing attacks since 2022. This isn't just about attack volume — these threats are smarter, more personalized and increasingly evade traditional secure email gateways.

With 92% of polymorphic attacks now utilizing AI, you need a new approach to outsmart these threats!

KnowBe4's PhishER Plus is your single-pane-of-glass incident response product that identifies and acts upon threats to keep your users safe where the most dangers lie: their inboxes. Combining AI analysis with human intelligence from a community of 13+ million users worldwide, PhishER Plus revolutionizes your email security posture.

Easily search, find and remove email threats with PhishRIP, while transforming real threats into training opportunities with PhishFlip.

In this live 30-minute demo of PhishER Plus, the #1 Leader in the G2 Grid Report for SOAR Software, discover how you can:

  • Automate email investigation and quickly remove phishing threats, saving your team 85% - 99% of time spent on manual review
  • Systematically remove threats from all user inboxes with PhishRIP technology
  • Transform every employee into an active threat sensor with seamless, one-click reporting with the Phish Alert Button (PAB)
  • Convert malicious emails into training opportunities with PhishFlip, identifying who would have fallen victim
  • Gain complete visibility into your email security posture with clear ROI metrics

Join us to see how organizations are transforming their security posture with PhishER Plus, turning potential vulnerabilities into proactive defense.

Date/Time: Wednesday, May 21st @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/phisher-demo-2?partnerref=CHN

Agentic AI Observation of the Week

"An agent is not just an LLM," Silvio Savarese, EVP and chief scientist of Salesforce Research said in a roundtable discussion on Tuesday. "An agent is actually a complex system with four components: a memory, a brain, an actuator [function calls], and an interface."

Do Users Put Your Organization at Risk with Browser-Saved Passwords?

Is the popularity of password dumpers, malware that allows cybercriminals to find and "dump" passwords your users save in web browsers, putting your org at risk?

KnowBe4's Browser Password Inspector (BPI) is a complimentary IT security tool that allows you to analyze your organization's risk associated with weak, reused and old passwords your users save in Chrome, Firefox and Edge web browsers.

BPI checks the passwords found in the browser against active user accounts in your Active Directory. It also uses publicly available password databases to identify weak password threats and reports on affected accounts so you can take action immediately.

With BPI you can:

  • Search and identify any of your users that have browser-saved passwords across multiple machines and whether the same passwords are being used
  • Quickly isolate password security vulnerabilities in the browser and easily identify weak or high-risk passwords being used to access your organization
  • Better manage and strengthen your organization's password hygiene policies and security awareness training efforts

Get your results in a few minutes!

Find Out Now:
https://info.knowbe4.com/browser-password-inspector-chn


Let's stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.

PS: Your KnowBe4 Compliance Plus Fresh Content Updates from April 2025:
https://blog.knowbe4.com/knowbe4-cmp-content-updates-april-2025

Quotes of the Week
"Be brave. Take risks. Nothing can substitute experience."
- Paulo Coelho - Novelist (Born 1947)

"You miss 100% of the shots you don't take."
- Wayne Gretzky - Hockey Legend (Born 1961)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-19-heads-up-talos-report-shows-phishing-attacks-surged-in-q1-2025

Security News

Alert: Cybercriminals Are Finding New Ways to Leverage AI

Researchers at Check Point are tracking several new ways in which cybercriminals are using AI to assist in social engineering attacks. For example, the researchers recently observed a campaign that used AI to reword the text in each of the thousands of emails, which helped the messages evade detection.

"In a recent case, Check Point Harmony Email & Collaboration blocked a sextortion campaign that used diverse textual phrasing to avoid detection," the researchers write. "Each email in the thousands of messages uniquely reworded the urgency of 'Time is running out,' using expressions like 'The hourglass is nearly empty for you' or 'You're approaching the end of your time.'"

Since sextortion campaigns typically do not contain traditional Indicators of Compromise (IoCs) like malicious URLs or attachments, apart from cryptocurrency wallet addresses, detection relies heavily on text analysis, further complicating defense measures.
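When every message is reworded, phrase blocklists stop working, and what remains constant is the structure of the demand: a wallet to pay, time pressure, and extortion vocabulary. The following is an added example (not Check Point's or KnowBe4's code) of a text-feature triage that scores on those constants and validates the one hard IoC the messages do carry. The four sample messages are constructed; the legacy Bitcoin address in them is the public genesis-block address, used only because its Base58Check checksum can be verified offline, and the bech32 address is constructed and checked for format only.

```python
"""Text-feature triage for reworded sextortion mail.

Added example, not Check Point's or KnowBe4's code. Sample messages are
constructed; thresholds and vocabulary lists are assumptions for the demo.
"""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
LEGACY_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
BECH32_RE = re.compile(r"\bbc1[qp][ac-hj-np-z02-9]{38,58}\b")  # format only, no checksum

URGENCY_WORDS = {"hourglass", "deadline", "clock", "countdown", "expire",
                 "expires", "expiring", "ultimatum"}
URGENCY_PATTERNS = [r"\b\d+\s*(?:hours?|days?)\b", r"running out",
                    r"end of your time", r"nearly empty", r"last chance"]
THREAT_STEMS = ("webcam", "camera", "record", "video", "footage", "contact",
                "expose", "publish", "adult", "intimate")

# Constructed messages: three reworded demands and one benign mail that shares some vocabulary.
SAMPLE_MESSAGES = [
    "I have a recording of you from your camera while you visited adult sites. "
    "Time is running out: send 0.2 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa "
    "within 48 hours, or the video goes to all your contacts.",
    "The hourglass is nearly empty for you. The footage from your webcam will be "
    "published to every contact you have unless "
    "bc1qexampleexampleexampleexampleexampleqaz receives 0.15 BTC.",
    "You're approaching the end of your time. Your intimate video goes to all your "
    "contacts unless you pay 0.1 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb.",
    "Reminder: the quarterly Bitcoin market webinar starts in 2 hours. "
    "Bring your camera questions for the Q&A.",
]


def base58check_ok(addr):
    """Decode a legacy address and verify its 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * leading_ones + body
    if len(raw) != 25:  # version byte + 20-byte hash + 4-byte checksum
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


def find_wallets(text):
    """Return (address, kind, checksum_ok) for every wallet-looking token."""
    found = [(m.group(0), "legacy", base58check_ok(m.group(0))) for m in LEGACY_RE.finditer(text)]
    found += [(m.group(0), "bech32", None) for m in BECH32_RE.finditer(text)]
    return found


def analyze(text):
    """Score a message on payment destination, time pressure and extortion cues."""
    lower = text.lower()
    words = set(re.findall(r"[a-z]+", lower))
    urgency = len(words & URGENCY_WORDS) + sum(1 for p in URGENCY_PATTERNS if re.search(p, lower))
    threat = sum(1 for stem in THREAT_STEMS if stem in lower)
    wallets = find_wallets(text)
    # a wallet plus any time pressure plus two extortion cues is enough to quarantine for review
    flagged = bool(wallets) and urgency >= 1 and threat >= 2
    return {"wallets": wallets, "urgency": urgency, "threat": threat, "flagged": flagged}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(analyze(msg))
```

A tampered address that fails the checksum is still reported, since the sender's typo does not make the message benign; the checksum result is kept alongside the match so an analyst can see which addresses are worth adding to a blocklist or a chain-analysis request.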

Check Point also observed a business email compromise (BEC) operation that uses AI to analyze hacked email accounts, looking for relevant financial information.

"Another example of an AI textual application is the 'Business Invoice Swapper' developed by the cyber criminal group GXC Team," the researchers write. "It is designed to facilitate Business Email Compromise (BEC) by automatically scanning compromised email accounts for invoices or payment instructions.

"It alters banking details to redirect funds to attacker-controlled accounts. Leveraging AI, it seamlessly overcomes language barriers, manages large data volumes efficiently, and automates distribution, enhancing the scalability and impact of fraudulent email attacks."

Criminals are still struggling to implement live video deepfakes in their attacks, but Check Point says attackers have already succeeded in using audio deepfakes in social engineering attacks.

"Cyber criminals increasingly employ AI-generated audio, or 'audio deepfakes,' to execute sophisticated impersonation scams," the researchers explain. "This technology produces highly realistic replicas of individuals' voices, enhancing scammers' ability to deceive victims. Voice samples on social media—from celebrities to everyday users—provide ample resources for attackers."

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Check Point has the story:
https://research.checkpoint.com/2025/sate-of-ai-in-cyber-security/

Phishing Kits Are Growing More Sophisticated; Focused on Bypassing MFA

Researchers at Cisco Talos warn that major phishing kits continue to incorporate features that allow them to bypass multi-factor authentication (MFA).

Commodity phishing kits like Tycoon 2FA and Evilproxy achieve this by using reverse proxies to intercept traffic from the authentication process during a phishing attack.

"A reverse proxy functions as an intermediary server, accepting requests from the client before forwarding them on to the actual web servers to which the client wishes to connect," the researchers write. "To bypass MFA the attacker sets up a reverse proxy and sends out phishing messages as normal.

"When the victim connects to the attacker's reverse proxy, the attacker forwards the victim's traffic onwards to the real site. From the perspective of the victim, the site they have connected to looks authentic — and it is! The victim is interacting with the legitimate website. The only difference perceptible to the victim is the location of the site in the web browser's address bar."

If a user falls for the phishing attack, the attacker can steal their credentials and the authentication cookie needed to log in to the targeted site.

"By inserting themselves in the middle of this client-server communication the attacker is able to intercept the username and password as it is sent from the victim to the legitimate site," the researchers explain. "This completes the first stage of the attack and triggers an MFA request sent back to the victim from the legitimate site.

"When the expected MFA request is received and approved, an authentication cookie is returned to the victim through the attacker's proxy server where it is intercepted by the attacker. The attacker now possesses both the victim's username/password as well as an authentication cookie from the legitimate site."
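Seen from the identity provider, the scheme Talos describes has a signature: the MFA-backed sign-in arrives from the proxy's network, and the session cookie is then presented from wherever the attacker actually sits, so the cookie's issue-time and use-time network paths disagree. The following is an added example (not Talos's or KnowBe4's code) that flags such sessions over constructed sign-in records. The field names, the IPs and ASNs, the "known egress" set and the "hosting ASN" enrichment are all assumptions, not any vendor's schema.

```python
"""Flag session cookies issued via one network path and used from another.

Added example, not Talos or KnowBe4 code. Records, IPs, ASNs and field
names are constructed assumptions for the demo.
"""
from collections import defaultdict

# Constructed identity-provider records: one "issue" per MFA-backed sign-in,
# then a "use" record each time the session cookie is presented.
SAMPLE_EVENTS = [
    # alice: everything from the same office egress
    {"t": "2025-03-10T08:00:00", "user": "alice", "sid": "S1", "kind": "issue", "ip": "198.51.100.7", "asn": 64500},
    {"t": "2025-03-10T08:05:00", "user": "alice", "sid": "S1", "kind": "use", "ip": "198.51.100.7", "asn": 64500},
    # bob: corporate VPN, egress moves between two ASNs the organisation owns
    {"t": "2025-03-10T08:10:00", "user": "bob", "sid": "S2", "kind": "issue", "ip": "203.0.113.9", "asn": 64501},
    {"t": "2025-03-10T08:40:00", "user": "bob", "sid": "S2", "kind": "use", "ip": "198.51.100.20", "asn": 64500},
    # carol: sign-in arrives via a hosting ASN, cookie used minutes later from a third ASN
    {"t": "2025-03-10T09:00:00", "user": "carol", "sid": "S3", "kind": "issue", "ip": "192.0.2.45", "asn": 64510},
    {"t": "2025-03-10T09:04:00", "user": "carol", "sid": "S3", "kind": "use", "ip": "192.0.2.200", "asn": 64520},
]

KNOWN_EGRESS_ASNS = {64500, 64501}  # assumed corporate office and VPN egress
HOSTING_ASNS = {64510}              # assumed "server hosting" ASNs from an enrichment feed


def detect_session_replay(events, known_egress=KNOWN_EGRESS_ASNS, hosting=HOSTING_ASNS):
    """Return one alert per session whose issue and use paths disagree.

    A session is alerted when the MFA-backed sign-in came from a hosting
    provider, or when the cookie is later used from an ASN different from
    the issuing one and the pair is not entirely within known egress.
    """
    by_sid = defaultdict(list)
    for e in events:
        by_sid[e["sid"]].append(e)

    alerts = []
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e["t"])  # ISO-8601 strings sort chronologically
        issues = [e for e in evs if e["kind"] == "issue"]
        if not issues:
            continue
        issued = issues[0]
        reasons = []
        if issued["asn"] in hosting:
            reasons.append(f"MFA sign-in arrived from hosting ASN {issued['asn']}")
        for u in evs:
            if u["kind"] != "use" or u["asn"] == issued["asn"]:
                continue
            if not {u["asn"], issued["asn"]} <= known_egress:
                reasons.append(f"cookie used from ASN {u['asn']} but issued to ASN {issued['asn']}")
                break
        if reasons:
            alerts.append({"sid": sid, "user": issued["user"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_EVENTS):
        print(alert)
```

The known-egress allowlist is what keeps the VPN case quiet; without it, every roaming user becomes an alert. The response to a hit is to revoke the session and reset the credential, not just to notify the user, since both are already in the attacker's hands.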

Talos notes that commodity phishing kits allow unskilled threat actors to easily launch these attacks.

"Thanks to turnkey Phishing-as-a-Service (PhaaS) toolkits, almost anyone can conduct these types of phishing attacks without knowing much about what is happening under the hood," the researchers write. "Toolkits such as Tycoon 2FA, Rockstar 2FA, Evilproxy, Greatness, Mamba 2FA, and more have emerged in this space. Over time the developers behind some of these kits have added features to make them easier to use and harder to detect."

While multi-factor authentication is still an important layer of defense, users should be aware that it isn't foolproof. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/phishing-kits-are-growing-more-sophisticated

What KnowBe4 Customers Say

"I just wanted to relay to you what an epic experience I had with your rep Alan A. I first met with him last year in October to go over the dashboard and my visions for what threat training I wanted to be made available for the organization prior to the upcoming holidays.

Not only did he make time for my unconventional schedule (outside of 8-5), but he also truly listened to my needs. The package he delivered was spectacular – like I had put it together myself!

I've been in the IT industry for about 30 years now, much of it in customer support. I give credit where it is due, and this young man deserves every bit of credit I've given. Thank you for your time."

- G.M., Help Desk Administrator

The 10 Interesting News Items This Week
  1. How to Prevent AI Agents From Becoming the Bad Guys:
    https://www.darkreading.com/vulnerabilities-threats/prevent-ai-agents-becoming-bad-guys

  2. Myanmar militia leader sanctioned by US over cyber scam connections:
    https://therecord.media/myanmar-militia-leader-us-sanctions-cyber-scam-industry

  3. CISA warns of hackers targeting critical oil infrastructure:
    https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-targeting-critical-oil-infrastructure/

  4. UK spies see 'direct connection' between Russian cyberattacks and sabotage plots:
    https://therecord.media/uk-spies-see-connection-russia

  5. Just 5% of Enterprises Have Deployed Quantum-Safe Encryption:
    https://www.infosecurity-magazine.com/news/just-5-enterprises-quantumsafe/

  6. PowerSchool paid ransom, but hacker is now extorting individual school districts:
    https://www.bleepingcomputer.com/news/security/powerschool-hacker-now-extorting-individual-school-districts/

  7. New UK alert issued as Action Fraud reveals staggering rise of sextortion attacks:
    https://www.actionfraud.police.uk/news/extortion-alert

  8. New phishing kit has sent more than half a billion emails over the past four months:
    https://www.bleepingcomputer.com/news/security/cogui-phishing-platform-sent-580-million-emails-to-steal-credentials/

  9. Accenture's CFO thwarted a deepfake attack that impersonated the company's CEO:
    https://www.computing.co.uk/event/2025/accenture-what-we-learned-when-our-ceo-got-deepfaked

  10. Watch out for "missed jury duty" phone scams:
    https://www.welivesecurity.com/en/scams/phone-scams-demanding-money-missed-jury-duty/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
