Community IT Innovators Nonprofit Technology Topics

2025 Nonprofit Cybersecurity Incident Report with Matt Eshleman pt 1

Community IT Innovators Season 6 Episode 17

2025 Nonprofit Cybersecurity Incident Report: Keeping Your Nonprofit Secure

Community IT CTO and cybersecurity expert Matt Eshleman delivered our annual report on trend lines and took questions live and online in this popular annual webinar. 

In part 1, Matt discusses the landscape and background of cybersecurity attacks nonprofits face now, goes over the lingo and acronyms, and introduces new trends in attacks and protections. In part 2, Matt discusses the data from 2024 and takes questions.


Is your nonprofit prepared?

Drawn from anonymized data from the calendar year 2024 of cybersecurity incidents across end users in hundreds of our small and mid-sized nonprofit clients, this report shows changes in attacks and emerging threats.

Using this real and timely data, Matt walks through recommendations and outlines the practical steps your organization can take to prevent the most frequent attacks. 

He covers new threats and training best practices for your nonprofit staff around evolving cybersecurity issues, including a spike in online and in-person harassment, wire fraud, AI-enabled scams, smishing and vishing, adversary-in-the-middle MFA attacks, and other new and disturbing trends.

You may also be interested in downloading the free Cybersecurity Readiness for Nonprofits Playbook to review a framework for focusing on your cybersecurity fundamentals, or using any of our free cybersecurity webinars and podcasts to learn more about specific protections you can take.

As with all our webinars, this presentation is appropriate for an audience of varied IT experience.

Community IT is proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.




Carolyn Woodard: Welcome, everyone, to the Community IT Innovators Webinar, Nonprofit Cybersecurity Incident Report for 2025 with Matthew Eshleman. This is our seventh annual incident report. And in this popular webinar, Matt has studied the incidents reported at our thousands of client users over the course of 2024 and has determined which trends and changes matter most to nonprofits and what we need to hear about today.

He will cover best practices around evolving cybersecurity issues, including increased online and personal threats to nonprofit staff, AI-enabled scams, smishing, adversary in the middle or AitM MFA attacks, and other new and disturbing trends. He’ll also give us some best practices and advice. 

My name is Carolyn Woodard. I’m the Outreach Director for Community IT, and I’ll be the moderator today. I’m very happy to hear from our cybersecurity expert, Matt. 

But first, I’m going to go over our learning objectives. By the end of today, we hope that you will 

  • Learn our basic approach to cybersecurity. We do have a downloadable cybersecurity playbook that you can download for free from our site that we use to kind of ground us in the philosophy of how you should approach cybersecurity. 
  • We’re going to learn the trends and attacks and organization protections that we saw in 2024 and the first little bit of 2025.
  • We want you to understand evolving security best practices as the tools change, as the hacks change. We’re hoping that we can give you kind of the insider look at what to watch out for and prepare your staff for, and also the new tools that are coming online to help us against these new attacks. 
  • And then we hope you also will learn the role of governance policies and training in protecting your non-profit from common scams.

And I should say that we’re trying a hybrid situation today for the first time ever. We do have a live studio audience here at our offices in Washington, DC. So, if you were in the area and able to join us, thank you. Welcome, everyone. And for those of you listening at home, we welcome you as well for our usual Zoom webinar. 

So Matt, would you like to introduce yourself?

Matt Eshleman: Welcome. My name is Matthew Eshleman. I’m the Chief Technology Officer here at Community IT. I officially started at Community IT almost 20 years ago, or 25 years ago in the summer of 2000.

I’m really excited to be with you online, and here in person, to talk about the incident report. As Carolyn mentioned, this is the seventh year that we have developed this report and shared the data out.

Carolyn Woodard: Before we begin, if you’re not familiar with Community IT, a little bit more about us. We’re a 100 percent employee-owned managed services provider. We provide outsourced IT support. We work exclusively with nonprofit organizations, and our mission is to help nonprofits accomplish their missions through the effective use of technology. We’re big fans of what well-managed IT can do for your nonprofit.

We serve nonprofits across the United States. We’ve been doing this for over 20 years. We are technology experts and we are consistently given the MSP 501 recognition for being a top MSP, which is an honor we received again in 2024.

And I’m very happy to welcome a couple of our clients here today to our in-person webinar seminar that we’re doing. 

I want to remind everyone that for these presentations, Community IT is vendor agnostic. We only make recommendations to our clients and only based on their specific business needs. We never try to get a client into a product because we get an incentive or benefit from that. But we do consider ourselves a best of breed IT provider. It’s our job to know the landscape, what tools are available, reputable, and widely used. And we make recommendations on that basis for our clients based on their business needs, priorities, and budget.

We’re going to leave as much time as we can for Q&A for Matt. So please submit your questions through the Q&A feature or chat anytime today. I’ll either break in to ask them or I’ll save them for the end. We got a lot of good questions at registration, so we’re going to try and answer as many of those as we can. Anything we can’t get to, I’ll ask Matt to give us some written thoughts and I’ll append those to the transcript, so check back after the webinar if we don’t get to every question.

A little bit more about us. Our mission is to create value for the non-profit sector through well-managed IT. We also identify four key values as employee owners that define our company: trust, knowledge, service, and balance. We seek to always treat people with respect and fairness; to empower our staff, clients, and sector to understand and use technology effectively; to be helpful with our talents; and we recognize that the health of our communities is vital to our well-being, and that work is only a part of our lives. 


Poll 1: Have You Had a Cybersecurity Incident This Year?

We’re going to go ahead and launch a poll, and the people who are in the audience here can answer it as well.

Has your organization had a cyber incident this year? 

And the answers you can choose are no, not that we know, not sure. Yes, but we discovered it with time to mitigate the impact. Yes, but we suffered significant impact, or not applicable, or other. 

There’s no shame. Please go ahead and answer. In the registration responses, many people said that they had not had an incident this year, which, knock on wood, that’s really good to hear. I think Matt’s going to talk a little bit more about that.

We’ve been doing cybersecurity training for years now, and it seems like it is having an effect, we hope, in that all nonprofits are really aware of it. 

Matt Eshleman: It looks like of the people that have responded, it’s about half and half that people don’t know, or not that they know of, and yes, but they were able to mitigate the impacts. 

Nobody said yes, and they’ve suffered significant impacts. That’s really great to see, and not to give it away, but we are starting to see some changes in the overall data amongst our clients, and it looks like folks that are attending, as well, are maybe seeing some results of the investment that’s been made by a lot of organizations over the last number of years in their cybersecurity protection.

Carolyn Woodard: I think everyone should give themselves a pat on the back for that. And also, I want to shout out to all the people who said yes, but we discovered it with time. That also is quite impressive that we are having the training and being aware. And so even though hacks happen, attacks happen, it’s good to see that people are able to respond in time.


Cybersecurity Approach

Matt Eshleman: Right. If you’ve worked with us or downloaded any of our resources, this graphic will look pretty familiar. Really it is a reflection of how we think about cybersecurity and cybersecurity protection at Community IT that’s rooted in a foundation of policy. 

Building on that, engaging staff through security awareness training. In the blue line, that’s really a list of the technical controls and protections that organizations can add in on top.

And then the final layer, I think we’re seeing a lot of movement in this area, particularly in the last year or so, is around compliance. We mean formal compliance standards that are being imposed upon organizations by funders, by the board, or by other entities that are actually saying, we need to have these controls in place in order for us to receive funding or receive grants or whatever the case may be. 

The takeaway here is that we want to root these protections in policy so that the organization has a good foundation to build on, to make decisions about, and to articulate what they believe, in terms of how best to protect themselves and how to operate as an organization.


Nonprofit Cybersecurity Landscape

Carolyn Woodard: Before we get to the analysis from this year, Matt, can you tell us a little bit more about the bigger picture we’re seeing in cybersecurity in the landscape?

Matt Eshleman: I think this is something that does evolve and change year after year. I think while this cybersecurity incident report is really focused on data that we collected during 2024, we’re already here in the middle of April, so we also see a lot of stuff that’s happening in 2025. 


Chaos Creates Opportunity for Threat Actors

One of the things that’s particularly apparent is that an overall chaotic environment presents an opportunity for threat actors. I think we saw a lot of this at the start of COVID, where there’s lots of chaos and uncertainty around just what’s going on. Threat actors capitalized on that to send phishing emails that preyed upon people’s sensitivity around COVID. “Hey, here’s this policy, here’s this link, here’s this information,” (but it was not a real email.) 

In the same way, we’re seeing that uncertainty being used by threat actors now. Uncertainty around federal employment, uncertainty around social security, all these things are in play because the threat actors, again, they’re seeing it work. 

This is financially motivated in the vast majority of cases.

That’s just one more opportunity that they have to create some uncertainty, create some risk, encourage people to click on things that they may not otherwise. The chaotic environment really presents an opportunity for those threat actors. 


Compliance Requirements are Driving Cybersecurity Investments

The other piece here that we’ve seen really building over the last number of years, and I think it’s continued to get stronger, is around insurance, compliance, and funder mandates.

I think we still have very few cases where organizations are coming to us and saying, hey, we just want to be as secure as we can, because we think it’s important, and we want to do it. We see organizations coming to us and saying, hey, our cyberliability insurance says that we need to do X, Y, or Z controls, and so we need to spend this money. Or, our board says that we need to meet this compliance standard. Or, our funder says, hey, you need to meet the NIST standard or CIS standard in order for you to continue funding. 

I think that’s what we’re really seeing organizations use to adopt these changes. They’re not just doing it because they want to. They’re doing it because of some external pressure to make those changes. 


Loss of Reliable Official Cybersecurity Resources

I think the other new thing on here is some of the centralized resources that we have relied on, from FBI, from CISA, industry partners, if you’re following the news, the CVE, the Common Vulnerabilities and Exploits, that whole database and system is at risk from loss of federal funding. Some of that fractured, chaotic nature that we have at the federal space is really having meaningful impact in the tools and resources that MSPs rely on, that other cybersecurity providers rely on.

That’s shaking some of the foundation of incident response that we rely on. 


Attacks on Personal Accounts and Devices Are Growing

The other piece I would say, just to wrap up, is that we’re certainly seeing that attacks are going beyond your work email, or your office phone, and into personal accounts, personal devices. While a year or so ago, you maybe got a fake phishing text message on your phone once a month, now I get them multiple times a day, including WhatsApp messages. We see that as part of the attack chain that a lot of threat actors are doing, because the work environment is pretty well protected, while personal phones, even work phones, text messaging, WhatsApp, those communication channels just don’t have the same degree of controls around them. Threat actors are attacking personal accounts to exploit and initiate campaigns to install malware or do other financial fraud transactions.

Carolyn Woodard: I think with AI also, we’re seeing that they can figure out who you are on Facebook, who you are on LinkedIn, and put that together with who you are at your nonprofit. And so, they’re triangulating that and going after you personally.

Matt Eshleman: I think that is one thing we are seeing at organizations, particularly in targeted sectors. Those that work in reproductive rights, immigration, even democracy and good governance, are taking some steps to pull down resources about their staff on the website, to make that change because threat actors are using that information to launch personally directed attacks against those individuals in a way that wasn’t happening a year or so ago.


What Kind of Scams Are Targeting Nonprofits? 

In terms of the overall landscape, though, I think we are still seeing, and this is probably something that we’ve echoed year after year, that these generic automated attacks, viruses, malware, all that generalized stuff, really are being blocked pretty effectively by the tools, even native tools, that are provided by Google or Microsoft. But they’re getting more sophisticated.

I think nonprofits especially remain at risk for targeted scams and cons for financial gain, and being used as targets to pivot to attack other organizations, like board members, partner organizations, funders, that kind of thing.

Nonprofits tend to be a soft target because they haven’t had the resources to invest in the cybersecurity protections that larger, more well-resourced organizations have. We’ll see in the data, but still the compromised emails, the spoofing, the phishing, that is the most common form of attack that we see amongst our clients. And we work with about 200 organizations. We support about 8,000 nonprofit staff, and the vast majority of attacks are really email-driven. That’s where all the volume is really coming from.


MFA Attacks

I’ve noted here that MFA protections are something that we’ve talked about for years and years and years. Last year, we saw the effectiveness of MFA fall because of these new attacker-in-the-middle attacks. Attacker in the middle is a way for attackers to steal not just your password, but your authentication token. MFA was kind of subverted. 

The good thing is that we are seeing some new and more sophisticated MFA methods start to be more easily deployed, so that is actually protecting organizations in a more comprehensive way. 

And then, as we talked about in the previous slide, hackers are taking advantage of this chaotic environment to have more effective and more successful attacks. While we are still seeing maybe a small increase in mission or hacktivist type attacks against individuals and organizations, the vast majority of attacks are still broadly distributed, and financially motivated. It’s not because of you and the organization that you work at, but it’s simply that you’ve got money, or maybe you have access to money, and that’s really driving the vast majority of attacks against organizations even to this day. 

I think on the operational side, we talked about cyber liability insurance. There are also some additional controls that are coming in the audit requirement SAS 145, which is now including IT risk assessments. Our CEO, Johan, talked a little bit about this a few months ago, about those new dimensions of the financial audit that are including IT risk as part of the financial control. 


AI and Cybersecurity at Nonprofits

I don’t think you can have a presentation where you don’t talk about AI. And in terms of its impact in cybersecurity, I think it’s enabling both new attacks and automations, but it’s also enabling new protections as well.

We’ve kind of got this arms race of new attack vectors and options and sophistication, but then also improved protections as well. 


Wire Fraud

One of the things we’ll see in the data is that in general, wire fraud is what we are most concerned about because of the financial impact that it represents. And talking about protecting against wire fraud, there are some technical protections that we have in place. 

  • We want to make sure that we are reducing the amount of spam and phishing messages that are targeting organizations. 
  • We want to make sure that MFA is in place to protect those accounts.
  • We still find that training to identify those attacks is important, and then 
  • policies and procedures, so that organizations have an effective way of verifying that the identity of whoever is making that request for financial updates is known, and that it’s an approved process. 

You can have all the technology in the world, but if we don’t have supporting processes and training, then they can be easily circumvented.


IT Governance as a Foundational Strategy

The operational trend here we are seeing a lot of emphasis on is IT governance. We’ve talked about this for many, many years, but the policy foundation is crucial. I think organizations in particular are becoming attuned to developing AI policies. And we’re starting to see that a lot.

We see a lot of traction there. I think that’s a really important thing to not only talk about as an organization from the policy side, but then connect that to technical controls, training for staff, so that you’ve got not just the policy foundation, but you also have a way to support and implement that as well.

Carolyn Woodard: I did put in the chat a whole bunch of resources, links to our site, and on communityit.com, you’ll find a whole bunch of the resources that I put in there.


Definitions and Jargon: Know the Lingo

I think we wanted to do a few definitions, Matt, just to make sure that we’re on the same page of what all of these acronyms are about. We always say you should be able to understand what your MSP is talking about. So go ahead and help us with some of these definitions.

Matt Eshleman: Sure. So this is kind of a laundry list of some of the things that we see and talk about. I think I’ve said a couple of these already.

We kind of generically define the person that’s kind of attacking you as the threat actor. That’s the person on the other side of the keyboard. It’s also helpful to understand that that is what’s happening, right? It’s not just anonymous or faceless. There is a person on the other side. 

Multi-factor authentication, MFA, something you know, which is your password, along with something you have, like an authenticator app, or increasingly a physical security key. We see that you intersect with MFA fatigue attacks or push attacks, where the threat actors will, if they have your password, they’ll just keep logging in, and logging in. You might get a couple of unprompted or unexpected MFA notifications on your phone, and they rely on somebody just being like, all right, fine. IT is always bugging me. I’m just going to hit OK. And then that can let them into your account. 

Smishing would be a term about cell phone or SMS phishing. So all those text messages that you get, that your EZPass is overdue or your FedEx delivery was not made, or maybe you’re getting recruiting e-mails. All of that stuff is smishing, which is compared to spear phishing, which is really targeted email-based attacks that are obfuscating the sender, maybe combining some unique information about you into an attack. So, the executive director is saying, hey, can you do this for me real quick? You know, I know we’re all getting those messages. So that’s kind of an example of spear phishing combining with spoofing, right? Faking who a message appears to be from in order to lend some sort of legitimacy. 

QR code malware is something that we have kind of seen, I think, conceptually, but we haven’t – we see it kind of in some special cases. 

What we see a lot of, and probably the most annoying variety of attacks, is like the malware, the browser pop-up. And so that’s when you maybe go to a new website and all of a sudden your screen fills up with a very scary message that says, your computer has been compromised, please call this number. It’s a virus. But there’s nothing at all. It’s just that they’ve been able to create a pop-up that creates this sense of uncertainty. You call, but it ends up just being a scammer, who is very helpful in taking your credit card, charging you $300, closing out the browser, and then moving on.

And then we’ll talk a little bit about pastejacking. I have an example of what that looks like. Basically, tricking people into running code on their computers.

And then doxxing is an attack where you’re really targeting an individual where they live, usually involving law enforcement or having some other sort of physical response in the real world at somebody’s house.

Carolyn Woodard: Luckily, I have not clicked on any QR code tricking malware, but I have started to see messages from your bank, and in the message, it’s the legitimate email that says, we will never ask you to verify something through a QR code. They’re seeing this scam and reacting to it as well. 


Poll 2: What Kind of Cybersecurity Incident Did You Have in the Past Year?

All right, I’m going to go ahead and launch this poll. This one is a multiple choice. What kind of cybersecurity incident did you have in the past year?

And you can choose as many as apply. 

  • You can choose none. 
  • The other options are a virus or a generic attack, a malware – something that wasn’t aimed at you, it just, you were unlucky and it came to you and somebody clicked on it. 
  • Ransomware – a ransom was demanded and or paid.
  • Compromised account. Your credentials were suspected or confirmed to have been hacked. 
  • Advanced persistent threat, which is precise and targeted. And usually when we talk about advanced persistent threat, we mean from a state actor. China, North Korea, Russia, some other organized crime, basically, that is going after nonprofits because of the countries that you work in or the advocacy that you do, that they want to learn about that, or they want to be in your system so they can see what you’re doing, who you’re meeting with, who’s in your network. Maybe they want to learn which of their national citizens are in your network that you’re talking to, that sort of thing. 
  • Wire fraud, where the money was sent to the hacker’s account.
  • Personal attacks or attacks outside of work devices and e-mails.  
  • Other. Something else, if you feel comfortable putting that in the chat, letting us know. 
  • Not applicable. 

There was a question about this. Is this just we were attacked, or it was successful? 

So, this is you were attacked. If you had an attack but you fought it off, you can go ahead and still put that in. And then I’m going to end the poll and share it.

And Matt, you can see the results again. Building on our success, we have a lot of people who said none. And then it looks like the compromised accounts is runner up.

Matt Eshleman: Yeah. I mean, the question is interesting, right? Security incident means something happened, which we differentiate from a breach, which is we have a confirmation that something was lost, or stolen, or unauthorized access was gained, right?

They are kind of two different things – related, but different. 

I would say I would expect 100% of respondents to say, we’ve had spoofing emails that we’ve received, right? That’s something that everybody should be experiencing, unless you’re maybe communicating only by letter, I don’t know – but something everybody experiences. 

The actual breach, like the confirmed compromise, is probably going to be less likely. About 10% of folks said they had some kind of virus or malware, a very small number of respondents said ransomware, either ransom was demanded and or paid. So beyond just the initial email saying, hey, give me some money, maybe a website or other access was compromised.

Compromised credentials: about a third of the respondents said that they experienced that. That’s something. Probably wire fraud is the most serious incident that we see. 

Compromised accounts usually precede that in some form. And so that’s why we put a lot of emphasis on protecting against compromised accounts. 

A good chunk had business email compromise. 

A small percentage would say advanced persistent threat. And I’d probably be even a little bit more precise, typically advanced persistent threat actors are state sponsored. Think Russia, North Korea, China, and those are typically targeting organizations that are doing policy work that are government adjacent. So, if you’re not in that sector, it’s very unlikely that you’re going to attract that attention. But on the flip side, if you are in a policy world or you have government staff or you have staff on your organization that have worked in the government previously, you’re very likely targeted by these sophisticated threat actors.

And then 13% of folks said that they had personal attacks outside of work on devices and emails. I think that’s an area I’m interested in to kind of track and understand how that changes over time. 


2025 Nonprofit Cybersecurity Incident Report Data

Talking a little bit about the attacks that we are seeing, as was mentioned, this is the seventh year we’ve done this report, and it’s interesting to see the data over time. We’ll see a little bit on a chart over that. 

You know, AI-powered phishing attacks, I think a lot of the things that we used to rely on to identify messages that were not sent by the person they say they were, that’s all really gone out the window because it’s very easy now to go to any of the AI tools, get a well-crafted message in whatever language you want, to create enticing content for people to click upon.

That works if you’re a hacker, it works if you’re in the development department. The tools are out there. The stakes have really gone up in terms of how to detect that kind of thing.

Last year, or I would say in 2023 was the first year that we saw these attacker-in-the-middle attacks that really circumvented multi-factor authentication. The flip side is that in the past year, we’ve really had an emphasis on improving MFA methods using what are called phish-resistant MFA methods or passkeys, physical tokens, as a way to prevent those attacks. Maybe not everybody in the organization needs to do it, but maybe your IT and your finance folks need to take that step.

Pastejacking, so we’ll have an example of that, but basically tricking people into running malicious PowerShell code on their computers. So instead of writing a sophisticated virus, you just ask somebody to run some suspicious code. And again, it’s a way to create uncertainty and use that to leverage access.

That is tied into compromised accounts. We’re also seeing once an account is compromised, the threat actors will then leverage the ability that Microsoft provides to install other applications into your environment. Through the cloud, you can authorize applications. If you are using Calendly or Otter AI as an add-in, you all get that little pop-up saying, hey, I want to authorize this app to read my email or do whatever.

The threat actors are doing that as well. If your account is compromised, they will often register additional applications under your profile so that they can maintain persistence. So even if you reset your password, reset your MFA, that access still exists.

Now it’s part of our incident response process. It’s gotten a lot more complex because now, instead of just resetting your password and then resetting your MFA, now we have to go through and look at all the actions that that threat actor may have taken to maintain persistence once they’ve been kicked out. 


Shadow IT as a Risk Not Just an Annoyance

And then I added this on here as a cybersecurity attack because I think it is interesting how shadow IT has maybe made the transition from being an annoyance that exists at organizations. For example, we’re a Microsoft shop, we use Microsoft, but somebody uses Google.

That has, I think, shifted from being, oh, that’s an annoyance and we wish our data was in one place – to now being a real risk to the organization because that data exists in other systems. It’s maybe unnumbered, it’s not protected, it doesn’t have the same set of controls that the primary system does. 

I think it’s particularly apparent in the use of AI and the use of AI tools and policies. I think organizations have done a good job of adopting or starting to write AI policies. There’s lots of great tools and templates. I think we have a great tool and template. There’s just a ton of resources out there to write great AI policies.

But the real work is not in the writing of the policy, it’s in the implementation and the training and the ongoing support and governance of it. What I see often is that organizations have written good AI policies, but then whenever we look and analyze the traffic of where folks are going in the organization, they are going to all kinds of other sites that aren’t on the official AI policy template. Even if those solutions maybe are safe, so to speak, data is potentially leaving the organization. That represents a risk. It’s not just the bad guy threat actors that are targeting us, but now we have a situation where we’re actually putting data out into ungoverned systems, and we lose control of that. I think that is an area where we’ve made the shift from these ungoverned shadow IT systems being just an annoyance or an ungoverned IT asset to now, where they actually present a cybersecurity risk to the organization.

That ties into tools and solutions that are adopted without IT input or cybersecurity protections. Those things all kind of fit together. 


Data Mapping

Organizations really do need to make that investment in their own governance, particularly with a data map.

Where does the data live in the organization, which systems, who has rights to it? Make sure that we’ve got good protections around that data.


Staff On- and Off-Boarding

And then finally, just the perpetual issue that I know organizations face is just on staff offboarding. I think staff onboarding has gotten pretty good. I know organizations have good processes for that.

But whenever we do assessments, we often see that the staff offboarding process hasn’t lived up to those same standards. We have lots of accounts that exist for staff that haven’t logged in for quite a while. 


Attacker-in-the-Middle Attack Example

I just want to walk through the attacker-in-the-middle example. This is done using what’s now a commercially available framework, right? Hackers can buy these frameworks. 

What occurs is that an individual would receive a message, and often it’s going to be an email from a trusted partner, somebody that you already work with, but their account has been compromised. You have a partner organization that you work with. All of a sudden, you get a message from them. That’s maybe not unusual. But it’s a shared document link. 

In this case, the example is a PDF, and it’s from somebody you trust, right? So it goes straight through the spam filters. No issues. 

Whenever you click on the link though, if you’re paying attention, you will notice that the first link that it takes you to will look a little strange: a random string of characters, maybe with a CAPTCHA built into it.

It’s routing your authentication traffic through a proxy, and then that proxy is able to steal your authentication token. Eventually, you will actually get to your sign-in page, or the sign-in page for the organization, which is legitimate. But whenever you enter your credentials next, the threat actor is able to steal the authentication token.

It’s not your password, but it’s able to steal your access. And then they can, for all intents and purposes, appear as you. So that means that they have access to everything that your cloud account does.

And through that approach of using this attacker-in-the-middle example, even if you had MFA on your phone, or text messaging or the Authenticator app, you can be susceptible to this sort of attack because the attacker is able to steal this token. 

Microsoft has ways to help protect against this. They call it phish-resistant MFA. That would be through the use of a physical security key called a FIDO key. Or enabling passkey support in Microsoft Authenticator is a way to do this. Google has a similar methodology as well.

The attacker-in-the-middle attack, we saw that be very effective against multi-factor authentication, particularly in 2023, a little bit less so in 2024. It’s a significant security risk for individuals and organizations.
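To make the token-theft point concrete, here is a small constructed simulation (added to this transcript, not the webinar’s own material) contrasting a password-plus-code login with an origin-bound passkey login when the user has been routed through a reverse proxy. The origins and key are placeholders, and an HMAC stands in for the public-key signature a real authenticator produces; the point is that the relying party rejects an assertion signed for any origin other than its own.

```python
import hashlib
import hmac
import secrets

# Constructed simulation: a password+OTP login versus an origin-bound passkey
# login, each performed while the browser sits behind an attacker's proxy.
RP_ORIGIN = "https://login.example.org"               # real sign-in page (constructed)
PROXY_ORIGIN = "https://login-example.attacker.test"  # the proxy the link led to (constructed)
PASSKEY_KEY = b"constructed-passkey-secret"           # stand-in for the passkey's private key

def legacy_login(password_ok: bool, otp_ok: bool):
    """Password + SMS/app code: the server only sees the secrets, never where they were typed."""
    return secrets.token_hex(16) if password_ok and otp_ok else None

def passkey_sign(challenge: bytes, browser_origin: str) -> dict:
    """The browser signs the challenge together with the origin it is actually on.
    HMAC is a stand-in for the public-key signature a real authenticator produces."""
    client_data = challenge.hex() + "|" + browser_origin
    sig = hmac.new(PASSKEY_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def passkey_login(assertion: dict, challenge: bytes):
    """Relying party: verify the signature, then require the signed origin to be its own."""
    expected = hmac.new(PASSKEY_KEY, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None
    signed_challenge, signed_origin = assertion["client_data"].split("|", 1)
    if signed_challenge != challenge.hex() or signed_origin != RP_ORIGIN:
        return None  # origin mismatch: the user was on the proxy, not on us
    return secrets.token_hex(16)

def through_proxy_legacy() -> dict:
    """The proxy relays password and code unchanged; any token the RP issues passes back through it."""
    token = legacy_login(password_ok=True, otp_ok=True)
    return {"user_signed_in": token is not None, "attacker_has_token": token is not None}

def through_proxy_passkey() -> dict:
    """The proxy relays the RP's challenge, but the browser binds the origin it is really on."""
    challenge = secrets.token_bytes(32)
    assertion = passkey_sign(challenge, PROXY_ORIGIN)
    token = passkey_login(assertion, challenge)
    return {"user_signed_in": token is not None, "attacker_has_token": token is not None}

def direct_passkey() -> dict:
    """Same passkey used on the real sign-in page: succeeds, and no proxy is in the path."""
    challenge = secrets.token_bytes(32)
    token = passkey_login(passkey_sign(challenge, RP_ORIGIN), challenge)
    return {"user_signed_in": token is not None, "attacker_has_token": False}
```

Calling the three `through_proxy_*` and `direct_passkey` functions shows the contrast: the relayed password-plus-code login hands the proxy a working token, while the same passkey succeeds only on the genuine origin.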


Pastejacking

The pastejacking attack starts in a very similar way. You may receive a message from a trusted partner, somebody that you work with. Again, simply a message with an attachment.

But then, in the message itself, you’re going to get some prompts. We’ve seen cases where this is combined, where maybe you’re having a conversation with an individual, where they want to send you this other link. For example: “I’m going to send you instructions for how to access our secure video call or secure communication channel.”

All they’re doing is basically prompting people to open up the command prompt, and then they will copy and paste a whole bunch of PowerShell code and execute it. And then they’re able to gain access and gain persistence to that individual’s computer.

They could write sophisticated malware, try to get it through your email filters, make sure that you click on it, maybe make sure that the antivirus is not working, right? But in these pastejacking attacks, they’re working through a confidence scheme, or basically tricking you into running and subverting the technical controls that may be in place at your organization, in order to gain access to the system. 

On the one hand, it’s not that sophisticated because all they’re doing is asking you to run malicious software. At the same time, it takes a certain amount of gall and time to outright ask you, “Hey, can you go ahead and click on this for me?” So that’s a pastejacking attack, something we saw in 2024 with some frequency.