Over the past several months, our security team has been responding to a recurring pattern of incidents across our customer base. While the tools and techniques evolve, the reality is this: email and identity remain the primary entry point for attackers.
From our position monitoring customer environments through our 24/7 Security Operations Centre (SOC), we're seeing fewer noisy, opportunistic attacks and more patient, targeted attempts to blend into normal business activity. The objective is almost always the same: gain access to an identity, establish trust, and use that trust to extract money or sensitive information.
Below is a snapshot of what we’re seeing on the ground, how these attacks typically unfold, and how we actively protect customers when they do.
Business Email Compromise (BEC) remains the dominant threat
Across active investigations and alerts handled by our SOC, Business Email Compromise (BEC) continues to be the most common and impactful incident type we see among customers.
In many cases, these are not disruptive attacks. There’s no ransomware screen or system outage. Instead, an attacker gains access to a mailbox and quietly observes payment processes, supplier relationships, and internal approval workflows before stepping in at the right moment.
We often detect these incidents through abnormal sign-in behaviour (new locations, devices or networks for that user), suspicious mailbox activity such as newly created inbox rules that hide or forward messages, or proactive reporting by users who sense something is off.
AI‑enhanced phishing is how many attacks begin
One of the most noticeable changes we've seen is the quality of phishing emails. Among our customers, phishing messages are increasingly well written, context aware, and often hard to distinguish from legitimate business communications.
As organisations adopt AI tools for everyday communication, malicious emails are blending in more effectively. This increases the likelihood of credential capture and makes early detection harder without active monitoring.
MFA exists but enforcement quality matters
While most customer environments have MFA enabled, many incidents occur where MFA is inconsistently enforced or overly permissive. Common issues include MFA fatigue (push prompts repeated until a user approves one just to make them stop), long re‑authentication windows that let a stolen session stay valid for days, and insufficient protection for privileged accounts.
Attackers exploit these gaps, not by breaking MFA, but by abusing user behaviour and weak enforcement policies.
Understanding token based attacks
In many investigations, MFA was technically enabled but still bypassed through session or token theft. Users are tricked into signing in to convincing phishing pages that relay the real login flow; the user completes MFA as normal and unknowingly hands the attacker a valid session token.
Because that session was legitimately authenticated, the attacker's activity appears as normal logins. The tells are contextual, such as the session being used from a different network or device than the one that completed MFA, which is why continuous behavioural monitoring is critical.
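The three detection signals described above (abnormal sign-in context, MFA fatigue, and suspicious mailbox rules) are easy to show in code. The following is an added example, not the SOC's own tooling: it runs three simple heuristics over a constructed event stream. The event field names (`session`, `ua`, `forward_to`, and so on), the tenant domain `example.com`, and the thresholds are all assumptions chosen for illustration; a real deployment would map them onto the identity provider's and mail platform's audit logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real customer data); field names are assumptions.
EVENTS = [
    # MFA fatigue: repeated pushes denied, then one approved late in the evening.
    {"ts": "2024-03-04T22:01:00", "type": "mfa_prompt", "user": "j.doe", "result": "denied", "ip": "198.51.100.7"},
    {"ts": "2024-03-04T22:02:10", "type": "mfa_prompt", "user": "j.doe", "result": "denied", "ip": "198.51.100.7"},
    {"ts": "2024-03-04T22:03:05", "type": "mfa_prompt", "user": "j.doe", "result": "denied", "ip": "198.51.100.7"},
    {"ts": "2024-03-04T22:04:30", "type": "mfa_prompt", "user": "j.doe", "result": "approved", "ip": "198.51.100.7"},
    # Token theft: the sign-in completes from the user's PC, then the same session is used elsewhere.
    {"ts": "2024-03-05T09:00:00", "type": "signin", "user": "a.smith", "session": "S-42", "ip": "192.0.2.20", "ua": "Edge/122 Windows"},
    {"ts": "2024-03-05T09:07:00", "type": "mail_read", "user": "a.smith", "session": "S-42", "ip": "203.0.113.99", "ua": "Chrome/121 Linux"},
    # Benign: same session, same IP and user agent throughout.
    {"ts": "2024-03-05T09:10:00", "type": "signin", "user": "b.lee", "session": "S-77", "ip": "192.0.2.31", "ua": "Outlook/16"},
    {"ts": "2024-03-05T09:30:00", "type": "mail_read", "user": "b.lee", "session": "S-77", "ip": "192.0.2.31", "ua": "Outlook/16"},
    # Mailbox persistence: a rule that hides invoice mail and forwards it out of the tenant.
    {"ts": "2024-03-05T09:12:00", "type": "inbox_rule", "user": "a.smith", "name": ".",
     "forward_to": "acct@mail-example.net", "delete": True, "keywords": ["invoice", "payment"]},
    {"ts": "2024-03-05T10:00:00", "type": "inbox_rule", "user": "b.lee", "name": "Newsletters",
     "forward_to": None, "delete": False, "keywords": ["newsletter"]},
]

INTERNAL_DOMAIN = "example.com"  # assumed tenant domain


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_mfa_fatigue(events, min_denials=3, window=timedelta(minutes=10)):
    """Flag an approved MFA prompt preceded by >= min_denials denials within `window`."""
    hits, denials = [], defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["type"] != "mfa_prompt":
            continue
        user = e["user"]
        if e["result"] == "denied":
            denials[user].append(_ts(e))
        elif e["result"] == "approved":
            recent = [t for t in denials[user] if _ts(e) - t <= window]
            if len(recent) >= min_denials:
                hits.append((user, e["ts"], len(recent)))
            denials[user].clear()
    return hits


def find_session_reuse(events):
    """Flag a session id used from a different IP or user agent than the sign-in that minted it."""
    origin, hits = {}, []
    for e in sorted(events, key=_ts):
        sid = e.get("session")
        if not sid:
            continue
        if e["type"] == "signin":
            origin[sid] = (e["ip"], e["ua"])
        elif sid in origin and (e["ip"], e["ua"]) != origin[sid]:
            hits.append((e["user"], sid, origin[sid][0], e["ip"]))
    return hits


def find_suspicious_inbox_rules(events, internal_domain=INTERNAL_DOMAIN,
                                triggers=("invoice", "payment", "bank")):
    """Flag inbox rules that forward externally, delete mail, or target finance mail under a throwaway name."""
    hits = []
    for e in events:
        if e["type"] != "inbox_rule":
            continue
        reasons = []
        fwd = e.get("forward_to")
        if fwd and not fwd.lower().endswith("@" + internal_domain):
            reasons.append("external_forward")
        if e.get("delete"):
            reasons.append("deletes_mail")
        if any(k in triggers for k in e.get("keywords", [])) and len(e.get("name", "")) <= 2:
            reasons.append("finance_keywords_short_name")
        if reasons:
            hits.append((e["user"], e["name"], reasons))
    return hits


if __name__ == "__main__":
    for label, fn in (("mfa_fatigue", find_mfa_fatigue),
                      ("session_reuse", find_session_reuse),
                      ("inbox_rules", find_suspicious_inbox_rules)):
        for hit in fn(EVENTS):
            print(label, hit)
```

Each function returns its findings rather than only printing them, so the same logic can feed an alert pipeline. The session-reuse check is the one that catches token theft after MFA was satisfied: nothing about the sign-in itself is wrong, only the fact that the token is later presented from a network and browser the user never used.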
The next evolution: voice and deepfake assisted fraud
We are increasingly preparing customers for voice-based and deepfake-assisted fraud. These attacks combine email compromise with phone or voice interactions to apply authority and urgency, particularly around financial requests.
This is a natural progression of BEC and reinforces the need for strong verification processes beyond email.
How we protect customers
Through our 24/7 SOC, we continuously monitor identity activity, investigate alerts, and respond to incidents at any hour. We act quickly to contain threats by disabling accounts, revoking active sessions so that any stolen tokens stop working, and preventing financial or data loss.
We also use real incident learnings to improve detection and strengthen customer environments.
Key actions we recommend
• Review how MFA is enforced, not just whether it is enabled
• Apply stronger controls to admin and privileged accounts
• Monitor identity behaviour continuously
• Introduce non-email verification for payment requests
• Prepare staff for voice-based social engineering
These attacks are happening daily across real organisations. With the right controls, monitoring, and response capability, they can be disrupted, and often prevented, before real damage occurs.
Our focus remains on what we see every day across customer environments, and on stopping incidents before they escalate.
