Threat Actors Leverage Access to Valid Accounts via Phishing Attack


Apr 29, 2025 - 07:23

In a significant shift observed during the first quarter of 2025, cybersecurity experts have documented a dramatic surge in phishing attacks, with threat actors increasingly using this vector to gain access to valid user accounts.

According to recent incident response data, phishing attacks spiked to represent 50 percent of all initial access vectors, a staggering increase from less than 10 percent in the previous quarter.

This trend demonstrates a tactical evolution as attackers prioritize credential theft over direct system exploitation.

Vishing campaigns (phone-based social engineering) accounted for over 60 percent of these phishing incidents, with attackers employing sophisticated social engineering techniques to manipulate users into granting remote access to their workstations.

In typical scenarios, adversaries first flood targeted organizations with benign spam emails before initiating contact via platforms like Microsoft Teams, posing as IT support personnel.

These actors then guide unsuspecting users through the process of establishing remote access sessions using tools like Microsoft Quick Assist.

Once connected, the attackers swiftly begin loading malicious tooling, establishing persistence mechanisms, and disabling security protections.

The manufacturing sector has been disproportionately targeted, representing 25 percent of all incidents this quarter, with construction organizations also facing significant attacks.

The campaign bears hallmarks of sophisticated threat actors associated with BlackBasta and Cactus ransomware operations.

Cisco Talos researchers identified a notable evolution in these attacks, observing that threat actors have pivoted from simply eliciting sensitive information to establishing persistent access within networks.

“This represents a tactical shift where phishing serves as just the first step in a multi-stage attack chain aimed at deeper network penetration,” noted the Talos incident response team in their quarterly report.

Attack chain (Source – Cisco Talos)

Persistence Techniques Reveal Advanced TTPs

After gaining initial access via phishing, attackers employ sophisticated persistence techniques that enable ongoing control over compromised systems.

A technical analysis of recent incidents reveals that adversaries modify the Windows Registry to maintain access.

Initial access (Source – Cisco Talos)

Specifically, they create or modify the TitanPlus registry key, embedding command and control infrastructure using character substitution for obfuscation. The registry modification typically follows this pattern:

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TitanPlus" /v "Server" /t REG_SZ /d "hXXps://mal1c10us[.]d0main/c2" /f

The attackers also employ token theft to bypass multi-factor authentication protections.

In one documented case, actors successfully stole a user’s MFA session token along with their credentials through a malicious link in a phishing email.

This allowed unauthorized access to Microsoft Office 365 environments where the attackers deployed enterprise applications to facilitate access to additional accounts.

After stealing tokens, attackers would clone active access tokens and specify new credentials for outbound connections.

Without robust detection mechanisms focused on identifying suspicious registry modifications and token manipulation, organizations remain vulnerable to these sophisticated persistence techniques that can lead to devastating ransomware deployments like BlackBasta and Cactus.
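As an added illustration (not code from the article or from Cisco Talos), the following Python routine flags the registry persistence described above by scanning Sysmon-style events for `reg add` command lines and registry value writes that touch the TitanPlus key; the event records, host names and user names are constructed for this example.

```python
import re

# Registry path named in the report as the actor's persistence location.
TITANPLUS_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\TitanPlus"

# Constructed Sysmon-style events (EID 1 = process creation, EID 13 = registry value set).
# Hosts, users and the benign entries are made up for this example.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS-042", "user": "CORP\\jdoe",
     "command_line": r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TitanPlus" '
                     r'/v "Server" /t REG_SZ /d "hXXps://mal1c10us[.]d0main/c2" /f'},
    {"event_id": 13, "host": "WS-042", "user": "CORP\\jdoe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TitanPlus\Server",
     "details": "hXXps://mal1c10us[.]d0main/c2"},
    {"event_id": 1, "host": "WS-017", "user": "CORP\\asmith",
     "command_line": r'reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"'},
    {"event_id": 13, "host": "WS-017", "user": "NT AUTHORITY\\SYSTEM",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# 'reg add' (or 'reg.exe add') whose target is the TitanPlus key under any HK* hive.
REG_ADD_RE = re.compile(r"\breg(?:\.exe)?\s+add\s+\"?HK\w+\\" + re.escape(TITANPLUS_KEY), re.I)
# Registry write whose path is the TitanPlus key itself or any value beneath it.
TARGET_RE = re.compile(r"\\" + re.escape(TITANPLUS_KEY) + r"(?:\\|$)", re.I)


def is_titanplus_event(event):
    """True when a process-creation or registry-set event touches the TitanPlus key."""
    if event["event_id"] == 1:
        return REG_ADD_RE.search(event.get("command_line", "")) is not None
    if event["event_id"] == 13:
        return TARGET_RE.search(event.get("target_object", "")) is not None
    return False


def find_titanplus_persistence(events):
    """Return one alert per matching event, carrying the evidence an analyst needs to triage."""
    return [
        {"host": ev["host"], "user": ev["user"], "event_id": ev["event_id"],
         "evidence": ev.get("command_line") or ev.get("target_object")}
        for ev in events if is_titanplus_event(ev)
    ]


if __name__ == "__main__":
    for alert in find_titanplus_persistence(SAMPLE_EVENTS):
        print(alert)
```

Matching on both the process command line and the registry write catches the modification even when the actor uses a tool other than reg.exe to set the value.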


The post Threat Actors Leverage Access to Valid Accounts via Phishing Attack appeared first on Cyber Security News.