Voice phishing has overtaken traditional phishing as the leading method for initial cloud breaches, with criminals using real-time social engineering to trick IT help desks and gain access to corporate systems.
Voice phishing has emerged as the primary method for breaching cloud environments, with cybercriminals increasingly using real-time social engineering tactics to manipulate IT help desks and gain unauthorized access to corporate systems.

According to Google Cloud's latest M-Trends report, voice-based phishing attacks accounted for 11 percent of all successful intrusions last year, making it the second most common initial access method overall and the number one tactic for cloud break-ins. This represents a significant shift from traditional phishing emails, which declined to just six percent of successful attacks.
Interactive social engineering on the rise
The report, based on over 500,000 hours of incident response engagements conducted globally by Mandiant Consulting, reveals that sophisticated criminal groups like ShinyHunters and Scattered Lapsus$ Hunters are increasingly employing interactive social engineering techniques. These methods involve real-time human interaction to steer conversations and manipulate victims.
"What we've seen in 2025 is certain threat actors calling IT help desks to, for example, register attacker-controlled devices for MFA to try and reset passwords," explained Jurgen Kutscher, VP of Mandiant Consulting at Google Cloud. "They're building a number of different scenarios to trick IT help desks, and an IT help desk, by default, tries to help. That's part of the reason why the social engineering attacks that are interactive are so powerful."
This trend reflects a broader evolution in cybercrime tactics, where attackers are investing more effort into sophisticated, interactive approaches that yield higher returns. The human element remains a critical vulnerability, as help desk personnel are trained to assist users and may not recognize social engineering attempts.
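As an added illustration of the help-desk tactic Kutscher describes (example code, not from the article or the M-Trends report), the following Python correlates constructed identity-audit lines to flag a help-desk password reset that is followed within an hour by a new MFA device registration from a source address other than the help desk's own; the event names, field layout and time window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample identity-audit lines (not from the article): a help-desk
# reset for "alice" is followed minutes later by an MFA device registration and
# a sign-in from an outside address; "bob" has a reset with no such follow-up.
SAMPLE_EVENTS = [
    "2025-03-04T09:01:10Z user=alice action=helpdesk_password_reset actor=hd-agent-7 src_ip=10.0.5.12",
    "2025-03-04T09:04:42Z user=alice action=mfa_device_registered device=phone-new src_ip=203.0.113.9",
    "2025-03-04T09:06:03Z user=alice action=login_success src_ip=203.0.113.9",
    "2025-03-04T11:20:00Z user=bob action=helpdesk_password_reset actor=hd-agent-2 src_ip=10.0.5.30",
    "2025-03-05T08:00:00Z user=bob action=login_success src_ip=10.0.7.44",
]

# Assumed correlation window between the reset and the MFA enrolment.
WINDOW = timedelta(hours=1)


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_suspicious_resets(lines, window=WINDOW):
    """Return (user, device, src_ip, minutes) for each help-desk reset followed
    within `window` by an MFA device registration from a different source IP."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    flagged = []
    for i, reset in enumerate(events):
        if reset["action"] != "helpdesk_password_reset":
            continue
        for later in events[i + 1:]:
            if later["user"] != reset["user"]:
                continue
            if later["ts"] - reset["ts"] > window:
                break  # events are time-sorted, so nothing later can match
            if (later["action"] == "mfa_device_registered"
                    and later["src_ip"] != reset["src_ip"]):
                minutes = int((later["ts"] - reset["ts"]).total_seconds() // 60)
                flagged.append((reset["user"], later["device"], later["src_ip"], minutes))
                break
    return flagged


if __name__ == "__main__":
    for user, device, ip, minutes in find_suspicious_resets(SAMPLE_EVENTS):
        print(f"review: {user} enrolled {device} from {ip} {minutes} min after help-desk reset")
```

A hit here is a prompt for the help desk to call the user back on a known number, not proof of compromise; a legitimate user may register a phone right after a reset.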
ClickFix attacks multiply
Beyond voice phishing, the report documents a surge in ClickFix attacks, another form of social engineering where victims are tricked into running malicious commands on their own computers. Attackers typically present fake prompts that appear to be legitimate system fixes or CAPTCHA verifications, but actually execute harmful commands when clicked.
Google's threat intelligence team observed "dozens" of criminal groups using ClickFix techniques last year, particularly in widespread initial access operations. These attacks demonstrate the creativity and adaptability of modern cybercriminals in finding new ways to compromise systems.
Extreme timelines in cyberattacks
The report highlights two contrasting trends in attack timelines that present unique challenges for defenders. On one end, attackers are executing "hand-offs" where initial access is transferred to ransomware or data extortion groups in under 30 seconds. This extreme speed means defenders must "operate at machine speed" to respond effectively.
"When an attack life cycle takes place in seconds, human speed is probably not going to be sufficient to stop these types of attacks," Kutscher noted. This rapid progression from initial compromise to full breach leaves little time for manual intervention.
On the other extreme, sophisticated espionage groups and North Korean scam IT workers are achieving unprecedented stealth, remaining undetected in victim environments for hundreds of days. These attackers typically target network edge devices like firewalls, routers, and VPNs, exploiting zero-day vulnerabilities in systems that often lack endpoint security protection.
Living on the edge
Google has identified a concerning trend called "living on the edge," where attackers not only use edge devices for initial access but also leverage their core functionalities to maintain long-term persistence. This includes intercepting network traffic, capturing clear-text passwords, and stealing sensitive data directly from the edge device without needing to move deeper into the network.
One notable example involved a suspected Chinese government spy crew tracked as UNC6201, which used a backdoor called Brickstorm to maintain access to edge devices for an average of 393 days. These attackers broke into devices that didn't support endpoint security products, deployed their backdoor, captured valid credentials, and used them to access victims' VMware environments while remaining completely undetected.
Implications for defenders
The evolving threat landscape requires organizations to fundamentally rethink their security approaches. The speed of modern attacks means that even low-impact incidents could escalate to catastrophic breaches within seconds, eliminating the luxury of delayed investigation.
"You also have to realize that a low-impact incident may turn into a high-impact incident within seconds," Kutscher emphasized. "From an investigative perspective, you can no longer just classify something as low-impact and dismiss it for later. You have to look at all of these events and understand what could be a stage-one attack and could lead to a potential catastrophic consequence for the enterprise."
The median dwell time for attackers has increased from 11 to 14 days, indicating that while some attacks are becoming faster, others are becoming more sophisticated at remaining hidden. This dual threat requires organizations to combine rapid detection and response capabilities with enhanced visibility into edge devices and network traffic.
As voice phishing and interactive social engineering continue to evolve, organizations must invest in comprehensive security awareness training, implement strict verification procedures for IT help desk interactions, and deploy advanced detection technologies capable of identifying these sophisticated attack patterns before they result in breaches.