INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
The Phishing Email is Evading Encryption
2026-03-23 15:00 | CRITICAL HIGH
Executive Summary AI-generated
The threat landscape has shifted dramatically in recent years, with voice-based phishing emerging as a significant concern. The shift is troubling given the sophistication of social engineering attacks and their ability to exploit vulnerabilities without requiring technical skill. Mandiant's annual M-Trends report highlights that voice phishing surged in 2025, accounting for 11% of all incidents, while email-based phishing dropped significantly. The rise of voice phishing marks a new era in cybercrime tactics, one in which gaining access to victim networks is more time-consuming and challenging for attackers. It underscores the need for organizations to prioritize robust incident response measures and stay vigilant against emerging threats like voice-based phishing.
Technical Mitigations AI-generated
* Implement robust security measures, such as multi-factor authentication and encryption, to protect against voice-based phishing attacks.
* Regularly update software and systems with the latest security patches to prevent exploitation of known vulnerabilities.
* Educate employees on social engineering tactics and best practices for reporting suspicious activity to ensure timely incident response.
* Conduct thorough risk assessments and vulnerability scans to identify potential entry points for attackers before they can exploit them.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Scattered Spider
Carbon
CVE-2025-53770
CVE-2025-31324
CVE-2025-61882
Target & Sectors
Global Scope
technology
health
finance
Incident Timeline
2025-01-15
Threat actors used Scattered Spider's extortion-only tools to target Marks & Spencer on January 15, 2025.
tactic
Extortion
tactic
Ransomware
threat_actor
Scattered Spider
organisation
Marks & Spencer
Another cybercriminal gang increasingly engaging in extortion-only attacks is Scattered Spider, although the group still deployed regular ransomware attacks – as seen in incidents targeting Marks & Spencer and The Co-op last year.
2025-03-23
Voice-based phishing accounted for 11% of all incidents last year, including campaigns attributed to threat groups that Google Threat Intelligence Group tracks as UNC6040 and UNC6240.
tactic
Phishing
attribution
Google Threat Intelligence Group
“We’ve clearly seen several threat actors being very specialized and very successful with this type of attack.”
Voice-based phishing was at the root of multiple attack sprees Mandiant responded to last year, including campaigns targeting Salesforce customers attributed to threat groups Google Threat Intelligence Group tracks as UNC6040 and UNC6240.
tactic
Social Engineering
Social engineering, of course, wasn’t the only way attackers gained access to victim networks last year.
threat_actor
Scattered Spider
general_metric
11%
These points of intrusion, which have been a hallmark of attacks attributed to members of the cybercrime collective The Com, including offshoots such as Scattered Spider, accounted for 11% of all incidents Mandiant investigated last year.
general_metric
32%
Exploited vulnerabilities remained the top initial access vector for the sixth-consecutive year, giving attackers footholds in 32% of all incidents last year, the company said.
general_metric
6%
general_metric
14%
general_metric
22%
The incident response firm said it was only responsible for 6% of intrusions last year, down from 14% in 2024 and 22% in 2022.
data_breach
500,000 combined hours
general_metric
450,000 hours
Mandiant clocked 500,000 combined hours of incident response investigations globally last year, up from 450,000 hours in 2024.
2026-03-23
Threat actors used voice-based phishing to target companies around the world, including Allianz, Qantas and Google.
organisation
Pure Data Theft and Extortion
Hackers Increasingly Shun Encryption in Favour of Pure Data Theft and Extortion.
organisation
CVE-2025
organisation
Oracle E-Business Suites
Researchers also noted that one zero-day vulnerability which was exploited to deploy encryptionless extortion campaigns included CVE-2025-61882, a vulnerability in Oracle E-Business Suites that allowed unauthenticated attackers to remotely execute code.
organisation
Salesforce
ShinyHunters’ campaigns specifically targeted Salesforce instances, using social engineering and voice phishing attacks to gain access to credentials for Salesforce portals and exploit this to move laterally across the network.
organisation
Mandiant
Voice-based phishing, a form of social engineering where attackers call employees or IT help desks under false pretenses in an attempt to gain access to victim networks, surged in 2025, Mandiant said Monday in its annual M-Trends report.
organisation
CVE-2025-61882
organisation
CVE-2025-31324
organisation
SAP NetWeaver
organisation
Oracle E-Business Suite
organisation
Microsoft SharePoint
The top three vulnerabilities Mandiant observed as the initial access vector in 2025 include CVE-2025-31324 in SAP NetWeaver, CVE-2025-61882 in Oracle E-Business Suite and CVE-2025-53770 in Microsoft SharePoint.
organisation
ShinyHunters
organisation
Allianz
organisation
Qantas
organisation
Google
A prominent example of this during 2025 was a series of attacks by the ShinyHunters gang which hit companies around the world, including Allianz, Qantas and Google.
organisation
CyberScoop
“It is more time consuming, obviously it requires skills and impersonation skills that the threat actors need to have, especially when they contact their IT help desk,” Jurgen Kutscher, vice president at Mandiant, told CyberScoop.
Tactical Metrics
data_breach
500,000 combined hours
Intelligence Sources
Infosecurity-Magazine, 2026-01-15: Hackers Increasingly Shun Encryption in Favour of Pure Data Theft and Extortion
CyberScoop, 2026-03-23: The phone call is the new phishing email
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T11:33
Comprehensive Tactical Telemetry
Highly Correlated Entities
17x organisation, Identified Entity: Pure Data Theft and Extortion (entity)
10x general metric, %: 1 (%)
6x tactic, Cyber Operation Type: Extortion (tactic)
5x timeline, Temporal Reference: 2025 (date)
3x vulnerability, Exploited CVE: CVE-2025-61882 (cve)
3x industry, Targeted Sector: Technology (sector)
2x attribution, Attributing Entity: MFA (authority)
Contextual Telemetry
Context Block: 6 METRICS
general metric, Incidents: 1,500 (incidents)
malware, Malware Payload: Carbon (tool)
threat actor, APT Group: Scattered Spider (actor)
general metric, Figure: 28 (figure)
data breach, Combined Hours: 500,000 (combined hours)
general metric, Hours: 450,000 (hours)