Skip to main content

Back to Blog

How AI and Compromised Credentials are Fueling Spear Phishing Attacks

The Next Generation of Attacks

You’re at your desk on a typical workday when you receive a Microsoft Teams message from your boss. It reads like any other message from them, requesting sensitive information related to an ongoing project. You think nothing of it and reply. But what you don’t realize is that the person you just replied to isn’t your boss—it’s a cyberattacker.

This scenario isn’t far-fetched. It begins with an adversary obtaining compromised credentials, possibly purchased from the Dark Web. Armed with these credentials and exploiting a conditional access policy in Microsoft Teams that only requires multi-factor authentication (MFA) from unknown IP addresses, the attacker cleverly spoofs the IP to bypass MFA. This breach is particularly sinister because the attacker uses AI, feeding previous communications into a system like ChatGPT, to replicate your boss’s communication style perfectly.

In this scenario, the organization itself did not necessarily make any obvious mistakes in their cybersecurity practices. However, they still fell victim to a breach due to factors beyond their immediate control. The initial point of compromise was an employee who had reused their work credentials on a third-party website. Unbeknownst to them, this external site was breached, the employee’s credentials were stolen, and these credentials subsequently appeared on the Dark Web.

This incident highlights a common and challenging aspect of cybersecurity: the interconnected nature of digital identities means that actions outside the workplace can have unforeseen consequences within it. The employee’s decision to reuse credentials—a common practice among most internet users—inadvertently created a vulnerability that was exploited by the attacker.

The sophistication of the attack was compounded by the use of AI. The attacker, armed with compromised credentials, managed to spoof a familiar IP address and bypass MFA, gaining access to Microsoft Teams. They then utilized an AI system, fed with prior legitimate communications, to convincingly mimic the boss’s style of interaction. The information requested by the supposed boss was contextually relevant to the ongoing project, making the request seem legitimate. Compliance with this request provided the attacker with expanded access to intellectual property and sensitive data within the organization, which could then be exploited or even sold on the Dark Web.

The seamless execution of this attack highlights a crucial point: even when organizations have robust security measures in place, the human element can often be the weakest link. This scenario underscores the need for comprehensive security strategies that extend beyond technical measures, incorporating thorough employee education on cybersecurity best practices, including the risks associated with credential reuse.

The Enhanced Threat of AI-Driven Social Engineering

The advent of AI technologies, particularly generative AI, has significantly amplified the capabilities of cybercriminals in executing social engineering attacks. AI algorithms can analyze extensive data sets, including those from social media, forums, and previous data breaches. This enables attackers to craft highly personalized phishing messages that can convincingly mimic the communication style of compromised individuals, such as your boss.

The scenario begins with the compromise of an individual’s account in an organization. This could be achieved through traditional methods like phishing, credential stuffing, or exploiting security vulnerabilities. Once inside, the attacker gains access to a wealth of information, including past emails, messages, and possibly voice recordings. This is where AI comes into play.

Modern AI technologies, particularly those focusing on Natural Language Processing, are capable of analyzing vast amounts of text and speech data. They can learn to replicate an individual’s specific communication style, including nuances, jargon, and even typing patterns. This capability allows the attacker to craft messages or emails that are indistinguishable from those the actual person would write, effectively wearing a digital mask that is nearly perfect.

Armed with this AI-crafted impersonation, the attacker can then target other individuals within the organization. They could send emails requesting sensitive information, passwords, or even instruct employees to transfer funds or grant access to secure systems. The recipients of these communications, believing they are interacting with a known and trusted colleague, are far more likely to comply, unaware that they are actually aiding an intruder.

The truly insidious aspect of this attack is its subtlety. Traditional indicators of phishing or impersonation, such as odd language use or unfamiliar tone, are absent. The messages are convincingly authentic, making detection incredibly challenging.

Deepfake technology, a notable application of AI, poses an additional threat. These AI-generated videos and images can mimic recognizable figures with startling accuracy. Deepfakes can be used to create misleading content, potentially causing reputation damage or financial loss. When combined with compromised credentials, this technology can be used to impersonate individuals within an organization, making the deceit even more convincing. Researchers at Mandiant, a cybersecurity firm owned by Google, reported in August the initial recorded instances where deepfake video technology was specifically developed and marketed for use in phishing schemes.

Defending Against AI-Enhanced Social Engineering

To counter these advanced threats, a multifaceted approach combining technology, education, and proactive measures is essential:

1. Implement Continuous Credential Monitoring: An ounce of prevention is worth a pound of cure. Establish a system that continuously monitors for compromised credentials. This involves scanning Dark Web databases, hacker forums, and other platforms where stolen credentials are often traded or exposed. This is required by frameworks such as NIST, regardless of whether an organization has MFA in place.

2. Rapid Response Plan for Compromised Credentials: Develop and implement a rapid response plan for instances where compromised credentials are detected. Identifying compromised credentials at an early stage can facilitate the process of securing the affected accounts, thereby reducing the likelihood of your workforce being exposed to scenarios where cyber attackers impersonate fellow employees. This plan should outline immediate steps such as forcing password resets, revoking access rights, and analyzing the extent of the potential breach. Enzoic for Active Directory automates the detection and remediation of accounts in your organization to ensure threats are addressed before causing a compromise.

3. Establish Clear Communication Policies and Rules of Engagement: Develop and implement comprehensive policies defining the rules of engagement for internal communications. These policies should outline what kind of information can be shared, the appropriate channels for different types of communication, and the verification protocols to be followed before responding to requests for sensitive data or actions.

4. Employee Training and Phishing Simulations: Educate employees on the importance of remaining vigilant and following established policies. Conduct regular training sessions and phishing simulations to make them aware of how attackers might try to steal information, in addition to providing the best practices to prevent such incidents.

Forward-Thinking Defenses

The integration of AI in cybersecurity is a double-edged sword. While it provides capabilities for defense, it’s also a powerful tool for attackers. Cybersecurity professionals must remain informed of the latest advancements in AI and social engineering to effectively protect their organizations. This involves a continuous process of learning, adapting, and strategically deploying countermeasures to anticipate and neutralize threats.



Josh Parsons

Josh is the Product Marketing Manager at Enzoic, where he leads the development and execution of strategies to bring innovative threat intelligence solutions to market. Outside of work, he can be found at the nearest bookstore or exploring the city’s local coffee scene.