Full Report
Voice phishing is the second most common initial access method across all IR probes, and top in cloud break-ins
Voice phishing surged last year to become the second most common method used by cybercriminals to gain initial access to their victims' IT estate – and the No. 1 tactic used when breaking into cloud environments.…
Analysis Summary
# Incident Report: Surge in Interactive Voice Phishing and Edge Device Exploitation
## Executive Summary
In 2025, voice phishing (vishing) emerged as the second most common initial access vector overall and the primary method for breaching cloud environments. Threat actors use real-time human interaction to deceive IT help desks, and bypass traditional perimeter controls by establishing themselves on unmonitored "edge" network devices. The result is a dual-threat landscape: "machine-speed" attacks (access hand-offs between groups in under 30 seconds) and ultra-stealthy espionage campaigns with dwell times of more than a year (393+ days).
## Incident Details
- **Discovery Date:** Various (Reported March 2026)
- **Incident Date:** Full Year 2025
- **Affected Organization:** Multiple Global Entities
- **Sector:** Cross-industry (specifically targeting Cloud and IT Services)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing throughout 2025
- **Vector:** Interactive Social Engineering (Voice Phishing) and Edge Vulnerability Exploitation.
- **Details:** Threat actors call IT help desks posing as employees to get passwords reset or to register attacker-controlled MFA devices on the victim's account. Separately, "ClickFix" lures trick users into copying and running malicious commands via fake "I am not a robot" (CAPTCHA-style) prompts.
### Lateral Movement
- Access is often sold or handed off between groups (e.g., from initial access brokers to ransomware crews) in under 30 seconds, so the actor performing lateral movement is frequently not the one who obtained the foothold.
- In stealthier campaigns, actors move from edge devices (routers/firewalls) into VMware environments using stolen clear-text credentials.
### Data Exfiltration/Impact
- Interception of clear-text passwords directly from network traffic on compromised edge devices.
- Deployment of ransomware or long-term espionage/data theft.
### Detection & Response
- **Discovery:** Detected via Mandiant incident response engagements (500,000+ hours of data).
- **Response:** Remediation involves applying vendor fixes for the exploited edge-device vulnerabilities (including former zero-days) and hardening help desk identity-verification procedures.
## Attack Methodology
- **Initial Access:** Voice phishing (11% of attacks), zero-day exploitation of edge devices (32%), and "ClickFix" social engineering.
- **Persistence:** Maintaining presence on edge devices (firewalls, VPNs) where endpoint security cannot be installed.
- **Privilege Escalation:** Registering unauthorized MFA devices to take over administrative accounts.
- **Defense Evasion:** "Living on the edge": operating on hardware (routers/gateways) that lacks EDR/AV coverage, so host-based detection never sees the intrusion.
- **Credential Access:** Sniffing clear-text passwords from intercepted network traffic on compromised edge hardware.
- **Discovery:** Identifying network traffic patterns and internal assets directly from the network gateway.
- **Lateral Movement:** Utilizing valid credentials harvested from the edge to pivot into virtualized environments (VMware).
- **Collection:** Gathering sensitive secrets and traffic data at the core network level.
- **Exfiltration:** Direct exfiltration from edge devices to attacker C2.
- **Impact:** Ranges from catastrophic ransomware encryption to year-long espionage (dwell times of 393+ days).
## Impact Assessment
- **Financial:** High (Ransomware payouts and incident response costs).
- **Data Breach:** Extensive theft of clear-text credentials and proprietary corporate data.
- **Operational:** Business disruption from ransomware; long-term integrity compromise due to stealthy espionage.
- **Reputational:** Significant damage to organizations failing to secure cloud environments against "vishing."
## Indicators of Compromise
- **Network indicators:** Unusual traffic originating from edge appliances themselves (firewalls/routers/VPN gateways) to external IPs that are not known vendor update, NTP, or logging destinations.
- **File indicators:** Commands or scripts launched by users after a "ClickFix" prompt (typically from the Run dialog or a terminal); unexpected authenticator app installations on endpoints.
- **Behavioral indicators:** Unexpected MFA device registrations; IT help desk calls from unrecognized numbers requesting password resets; edge device reboots/config changes.
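One way to turn the first two behavioral indicators into a detection, as an added example that is not code from the report or from Mandiant: correlate help-desk-initiated password resets with MFA device enrollments on the same account shortly afterwards, and weight the finding by where the enrollment came from and which MFA method was enrolled. The audit events, field names, time window, corporate IP prefixes, and method labels below are constructed assumptions; map your identity provider's real audit schema onto them.

```python
"""Correlate help-desk password resets with follow-on MFA device enrollments.

Added example, not code from the report or from Mandiant. It flags the vishing
pattern described above: an attacker talks the help desk into resetting a
user's password, then enrolls an attacker-controlled MFA device. The event
format is a constructed, vendor-neutral approximation of an IdP audit log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). "actor" performed the action,
# "target" is the account it was performed on.
EVENTS = [
    {"ts": "2025-06-02T09:14:05Z", "actor": "helpdesk.tier1", "target": "j.doe",
     "action": "password_reset", "src_ip": "10.20.0.15"},
    {"ts": "2025-06-02T09:16:40Z", "actor": "j.doe", "target": "j.doe",
     "action": "mfa_device_registered", "src_ip": "198.51.100.23",
     "method": "authenticator_app"},
    {"ts": "2025-06-02T10:02:11Z", "actor": "helpdesk.tier1", "target": "a.smith",
     "action": "password_reset", "src_ip": "10.20.0.15"},
    {"ts": "2025-06-03T08:45:00Z", "actor": "a.smith", "target": "a.smith",
     "action": "mfa_device_registered", "src_ip": "10.20.4.88", "method": "fido2"},
    {"ts": "2025-06-02T11:30:00Z", "actor": "m.lee", "target": "m.lee",
     "action": "mfa_device_registered", "src_ip": "10.20.4.90",
     "method": "authenticator_app"},
]

# Assumed tuning values: how soon after a reset an enrollment is suspicious,
# which source prefixes are the corporate network, and which MFA methods a
# phone-based attacker cannot realistically enroll remotely.
WINDOW = timedelta(hours=2)
CORP_PREFIXES = ("10.20.",)
PHISHING_RESISTANT = {"fido2", "platform_passkey"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrollments(events, window=WINDOW):
    """Return one finding per MFA enrollment that follows an administrative
    (actor != target, i.e. not self-service) password reset on the same
    account within `window`. Each finding lists the reasons it was raised."""
    resets = defaultdict(list)
    for e in events:
        if e["action"] == "password_reset" and e["actor"] != e["target"]:
            resets[e["target"]].append(parse_ts(e["ts"]))

    findings = []
    for e in sorted(events, key=lambda x: parse_ts(x["ts"])):
        if e["action"] != "mfa_device_registered":
            continue
        enrolled_at = parse_ts(e["ts"])
        for reset_at in resets.get(e["target"], []):
            delta = enrolled_at - reset_at
            # Only enrollments after the reset, and within the window, count.
            if not (timedelta(0) <= delta <= window):
                continue
            reasons = ["mfa_enrolled_%ds_after_helpdesk_reset" % int(delta.total_seconds())]
            if not e["src_ip"].startswith(CORP_PREFIXES):
                reasons.append("enrollment_from_non_corporate_ip")
            if e.get("method") not in PHISHING_RESISTANT:
                reasons.append("phishable_mfa_method")
            findings.append({"user": e["target"], "reset_at": reset_at.isoformat(),
                             "enrolled_at": enrolled_at.isoformat(),
                             "src_ip": e["src_ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_enrollments(EVENTS):
        print(f"{f['user']}: {', '.join(f['reasons'])} (from {f['src_ip']})")
```

On the sample data only `j.doe` is raised: the enrollment lands 155 seconds after a help-desk reset, from a non-corporate address, and enrolls an authenticator app rather than a FIDO2 key. `a.smith` enrolls a key the next day and `m.lee` never had a reset, so neither fires. In production, the administrative reset is the higher-value anchor than the phone call itself: the call leaves no machine-readable record unless your ticketing system logs caller-verification outcomes, which is worth adding.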
## Response Actions
- **Containment:** Revoking unauthorized MFA devices and resetting compromised administrative credentials.
- **Eradication:** Patching zero-day vulnerabilities on network edge hardware (VPNs, firewalls).
- **Recovery:** Re-imaging compromised edge devices and shifting to phishing-resistant MFA (e.g., FIDO2 keys).
## Lessons Learned
- **The "Help Desk" Vulnerability:** Attackers are weaponizing the professional "desire to help" inherent in IT support roles.
- **Edge Blind Spots:** Edge devices are the new "dark corners" of the network; lack of EDR on these devices allows for extreme dwell times.
- **Speed Gap:** Defensive response is currently outpaced by "machine-speed" hand-offs between threat actors.
## Recommendations
- **Help Desk Hardening:** Implement strict, out-of-band verification for all password resets and MFA changes.
- **Edge Auditing:** Regularly audit logs and configurations of network appliances that do not support traditional security agents.
- **Phishing Defense:** Move beyond non-interactive email filters to address interactive voice-based threats through employee training and "phishing-resistant" authentication.
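The edge-auditing recommendation above, and the edge-device config-change indicator listed earlier, as an added example that is not code from the report or from Mandiant: diff a freshly pulled appliance configuration against a known-good baseline and classify the changes that map to the behaviour this report describes (new privileged local accounts, management access opened to the internet, packet captures that can harvest clear-text credentials, syslog destinations changed so the SIEM goes blind). Both snapshots are constructed, in a simplified ASA-style syntax; the regexes are assumptions to adapt to your vendor's configuration format.

```python
"""Audit an edge appliance configuration snapshot against a known-good baseline.

Added example, not code from the report or from Mandiant. Snapshots are
constructed and use a simplified ASA-style syntax; adjust the patterns for
your platform. The LDAP capture in CURRENT is the credential-harvesting step
described in the report: a capture on the firewall sees clear-text binds.
"""
import re

BASELINE = """\
hostname edge-fw-01
username netops privilege 15
ssh 10.20.0.0 255.255.0.0 inside
logging host inside 10.20.5.10
ntp server 10.20.5.11
"""

CURRENT = """\
hostname edge-fw-01
username netops privilege 15
username svc_backup privilege 15
ssh 10.20.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
logging host outside 203.0.113.7
ntp server 10.20.5.11
capture creds interface inside match tcp any any eq 389
"""

# (pattern, severity, description) applied to lines ADDED since the baseline.
# Order matters: the first matching rule wins, so specific rules go first.
ADDED_RULES = [
    (re.compile(r"^username \S+ privilege 15\b"), "high",
     "new privileged local account"),
    (re.compile(r"^ssh 0\.0\.0\.0 0\.0\.0\.0 outside\b"), "high",
     "SSH management open to any source on the outside interface"),
    (re.compile(r"^capture \S+ .*\bmatch\b"), "high",
     "packet capture enabled; can harvest clear-text credentials"),
    (re.compile(r"^logging host outside "), "medium",
     "syslog sent to a destination on the untrusted side"),
    (re.compile(r"^logging host "), "low",
     "new syslog destination; confirm it is the SIEM"),
]
# Applied to lines REMOVED since the baseline: losing a log sink is a
# classic sign that someone wants the appliance to go quiet.
REMOVED_RULES = [
    (re.compile(r"^logging host "), "high",
     "syslog destination removed (possible log suppression)"),
]


def config_lines(text):
    """Normalise a snapshot into a set of non-blank, non-comment lines."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")}


def classify(line, rules):
    for pattern, severity, why in rules:
        if pattern.search(line):
            return severity, why
    return None


def audit(baseline, current):
    """Return findings for risky additions and removals between two snapshots."""
    base, cur = config_lines(baseline), config_lines(current)
    findings = []
    for change, lines, rules in (("added", cur - base, ADDED_RULES),
                                 ("removed", base - cur, REMOVED_RULES)):
        for line in sorted(lines):
            hit = classify(line, rules)
            if hit:
                findings.append({"change": change, "line": line,
                                 "severity": hit[0], "why": hit[1]})
    return findings


if __name__ == "__main__":
    for f in audit(BASELINE, CURRENT):
        print(f"[{f['severity']}] {f['change']}: {f['line']}  <- {f['why']}")
```

Two caveats a practitioner would add. First, pull the snapshot through an out-of-band path and compare it on a separate host: a compromised appliance can be made to present a clean configuration. Second, a configuration diff only catches changes the attacker makes at the configuration layer; implants that live below it (modified firmware or filesystem) need the vendor's integrity-verification tooling and, per the recovery step above, re-imaging rather than cleanup.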