#NSBCS.076 - Social Engineering and Phishing 2.0: The Next Wave of Cyber Deception

Source: NSB Cyber


Social Engineering and Phishing 2.0: The Next Wave of Cyber Deception

Phishing is no longer merely poorly worded emails from anonymous strangers. In today's digital battlefield, it has evolved into a sophisticated, multi-layered threat that leverages artificial intelligence, deepfakes, and psychological manipulation. Welcome to Phishing 2.0 - where trust is the weakest link.

Traditional phishing relied on casting a wide net: generic messages sent to thousands hoping that a few would bite. Modern phishing, especially spear phishing, is far more targeted. Cybercriminals research their victims, sometimes for weeks, using data from social media, leaked credentials, or corporate websites to craft emails that appear highly personal and legitimate.

Natural language processing tools, such as ChatGPT and others, are now being exploited by attackers to create convincing, grammatically correct messages in seconds. These tools can even mimic a company's tone and internal language, making it more challenging than ever to detect a fake.

One of the most chilling developments is the use of deepfake audio and video. Executives have been impersonated in real-time voice calls, instructing finance teams to transfer funds. Video calls and voice messages can now be fabricated with uncanny realism, undermining trust in what we see and hear.

Despite advanced detection tools, the human element remains the most exploited. Phishing 2.0 doesn't just fool machines - it manipulates emotions such as urgency, fear, or trust to bypass judgment. Training and awareness programmes are crucial but must evolve to cover these new tactics.

Combatting modern phishing requires a multi-pronged approach: zero-trust security models to limit internal exposure, advanced email filtering with AI to detect suspicious patterns, real-time user training (including simulated attacks), and strong authentication layers such as biometric and behavioural verification.
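As an added illustration of the "email filtering to detect suspicious patterns" layer (example code written for this post, not NSB Cyber's tooling), the script below scores a raw email for the indicators the paragraphs above describe: a display name that borrows the organisation's name while the address comes from elsewhere, a lookalike sender domain one or two keystrokes from the real one, a Reply-To that silently redirects the conversation, and the urgency and payment language that spear phishing relies on. The trusted domain, the keyword lists and both sample messages are constructed assumptions for the demonstration; a production filter would combine such heuristics with authentication results (SPF, DKIM, DMARC) rather than rely on them alone.

```python
"""Heuristic spear-phishing indicator scorer for raw RFC 5322 messages (example code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation whose mailboxes we are protecting (assumption).
TRUSTED_DOMAIN = "example-corp.com"

# Pressure language used to short-circuit judgement (constructed word lists).
URGENCY_TERMS = ("urgent", "immediately", "within the hour", "act now", "confidential")
PAYMENT_TERMS = ("wire transfer", "transfer funds", "bank details", "invoice", "gift card")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch lookalike sender domains (e.g. c0rp vs corp)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain(addr: str) -> str:
    """Lower-cased domain part of an address header, or '' when absent."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def score_message(raw: str, trusted_domain: str = TRUSTED_DOMAIN) -> dict:
    """Return the indicators found, a count, and whether the message should be held."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    org_key = re.sub(r"[^a-z0-9]", "", trusted_domain.split(".")[0].lower())
    name_key = re.sub(r"[^a-z0-9]", "", name.lower())

    # 1. Display name claims the trusted organisation, address does not.
    if org_key and org_key in name_key and from_dom != trusted_domain:
        findings.append("display-name impersonation")
    # 2. Sender domain is within two edits of the real one.
    if from_dom != trusted_domain and 0 < levenshtein(from_dom, trusted_domain) <= 2:
        findings.append("lookalike sender domain")
    # 3. Replies would go to a different domain than the apparent sender.
    reply_dom = domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to domain mismatch")

    # 4-5. Psychological pressure and money movement in subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgency language")
    if any(term in text for term in PAYMENT_TERMS):
        findings.append("payment instruction")

    return {"score": len(findings), "findings": findings, "flag": len(findings) >= 2}


# Constructed sample: a CEO-fraud style message from a lookalike domain.
SPOOFED = "\n".join([
    'From: "Example Corp CFO" <cfo@example-c0rp.com>',
    "Reply-To: cfo.private@mail-relay.example.net",
    "Subject: URGENT wire transfer before close of business",
    "To: finance@example-corp.com",
    "",
    "Need you to transfer funds to the supplier below immediately. Keep this confidential.",
    "",
])

# Constructed sample: routine internal mail that should score zero.
LEGIT = "\n".join([
    "From: Alice Finance <alice@example-corp.com>",
    "Subject: Q3 forecast deck",
    "To: finance@example-corp.com",
    "",
    "Attached is the revised forecast for review at Thursday's meeting.",
    "",
])

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, score_message(sample))
```

The threshold of two indicators is deliberate: any single heuristic (an urgent subject, a legitimate partner's Reply-To) fires on normal business mail, whereas the combination of a lookalike domain with payment pressure is rare outside fraud. Holding such messages for review, rather than silently dropping them, keeps the user in the loop that the training programmes above are meant to strengthen.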

Social engineering is no longer about crude deception - it's a psychological and technological arms race. As attackers adopt AI and deepfakes, organisations must rethink how they train users, validate identities, and respond to threats. Phishing 2.0 is here, and it's smarter than ever.



What we read this week

  • APT41 Uses Google Calendar for Stealthy ToughProgress C2 Operations - APT41 has deployed a new malware dubbed ToughProgress that abuses Google Calendar as a command-and-control (C2) channel to bypass detection. Discovered by Google’s Threat Intelligence Group, the campaign delivers a ZIP file via phishing, containing a disguised LNK shortcut and DLL loader. The attack chain involves memory-only execution and process hollowing of svchost.exe, with C2 instructions hidden in calendar event descriptions. Responses are written back into new events, evading endpoint detection tools. Google has disrupted attacker infrastructure and updated Safe Browsing protections. ToughProgress continues APT41’s trend of exploiting trusted cloud services, following previous abuse of Google Sheets and Drive.

  • Docusign Abused in Dual-Vector Credential Phishing Campaigns - Cybercriminals are exploiting Docusign’s legitimate infrastructure to launch advanced phishing campaigns, targeting its 1.6 million customers—including most Fortune 500 firms. Recent attacks involve threat actors registering real Docusign accounts and using its APIs to send authentic-looking envelopes containing QR codes. Victims scanning these codes via mobile devices—often unprotected—are redirected to credential-harvesting sites spoofing Microsoft login portals. This technique, combining trusted infrastructure abuse and mobile targeting, bypasses conventional detection and security awareness defences. Analysts note phishing now accounts for 19% of data breaches, with 60% involving human error—making Docusign impersonation a potent threat vector for corporate compromise.

  • DragonForce Exploits SimpleHelp RMM in MSP Supply Chain Attack - Sophos has detailed how ransomware group DragonForce exploited three chained vulnerabilities in SimpleHelp (CVE-2024-57726, -57727, -57728) to conduct a supply chain attack via a managed service provider (MSP). Attackers pushed a malicious SimpleHelp installer through the MSP’s legitimate RMM instance, deploying ransomware across customer environments. The campaign, linked to DragonForce’s aggressive RaaS affiliate model, led to widespread data theft and double extortion. With 70+ attacks attributed to the group, experts warn of its rapid rise and appeal to unaffiliated threat actors. Sophos urges immediate patching and enhanced monitoring for infostealers and lateral movement indicators.

  • Void Blizzard Espionage Group Targets NATO via Entra and Cloud APIs - Microsoft and Dutch intelligence agencies have exposed Void Blizzard, a Russian state-linked group exploiting credentials from infostealer markets to breach NATO-aligned organisations. Since mid-2024, the group has compromised defence, telco, and healthcare entities across Europe and North America. Recent spear-phishing campaigns leverage Evilginx to mimic Microsoft Entra logins and harvest session cookies via adversary-in-the-middle (AitM) tactics. Post-access, the group abuses Exchange Online and Graph API to mass-exfiltrate emails, files, Teams chats, and Entra tenant configurations. The campaign highlights the growing use of low-cost credential theft and cloud-native abuse in state-backed cyber espionage operations.

