Message-Based β USPS SMS Phishing (Smishing)
One of the most widely distributed smishing campaigns in recent years impersonated the US Postal Service, sending text messages claiming a package could not be delivered and asking recipients to click a link to reschedule. The link directed victims to a convincing fake USPS website that captured their name, address, and payment card number under the guise of paying a small "redelivery fee."
The campaign succeeded because it exploited normal, expected behavior β people do receive USPS packages, and they do expect delivery notifications. The text message vector bypassed corporate email security gateways entirely, reaching victims on their personal phones. Millions of these texts were sent, and the conversion rate on SMS phishing is significantly higher than email phishing because people are less conditioned to be suspicious of text messages.
Message-Based β Business Email Compromise (BEC) Invoice Fraud
A manufacturing company's accounts payable department received an email that appeared to come from a long-term supplier, informing them that the supplier had changed banks and requesting that all future payments be directed to a new account number. The email came from a domain that was visually identical to the vendor's real domain β one letter transposed, impossible to notice without careful scrutiny. Over three months, $1.8 million in legitimate invoices was paid to the attacker's account.
BEC fraud requires no malware, no technical exploit, and no breach of the target organization's own systems. It exploits trust in email and normal business processes. Organizations that process large payments should implement out-of-band verification β calling the vendor on a known number to confirm any banking change β as a procedural control.
Image-Based β SVG XSS Injection
A web application allowed users to upload profile images. The application accepted SVG files without sanitizing their XML content. An attacker uploaded an SVG containing embedded JavaScript. When other users viewed the attacker's profile, their browsers rendered the SVG β and executed the script, which stole session cookies and sent them to the attacker's server. The attacker then used those cookies to impersonate other users.
The SVG displayed a completely normal image β a small geometric design. There was no visual indicator of the embedded JavaScript. The attack was a cross-site scripting (XSS) vector delivered through what appeared to be an image file. Proper defense requires treating SVG uploads as code uploads, sanitizing XML content before serving it to other users, or simply rejecting SVG uploads in favor of pixel-based image formats (JPEG, PNG) that cannot contain executable code.
Image-Based β SVG as Email Attachment Bypass
Attackers discovered that many email security gateways were configured to scan for malicious content in common document types (PDF, Office files) but did not apply the same scrutiny to image files. SVG files sent as email attachments bypassed these filters. The SVG appeared in the email as a small image β the attacker had embedded a script that, when the browser opened the attached SVG file, immediately redirected to a credential phishing page styled to look like the recipient's company's Microsoft 365 login.
The victim saw what looked like a corporate logo image in the email, double-clicked to view it, and was immediately taken to a convincing login page asking for their credentials. Because the redirect happened so quickly, many victims simply assumed they had been logged out and re-entered their credentials.
File-Based β Office Macro Malware (Emotet)
Emotet, one of the most destructive and costly malware families in history (FBI and CISA described it as "the world's most dangerous malware"), was primarily delivered via Microsoft Office documents with malicious macros. Victims received convincing emails β fake invoices, shipping notifications, employment documents β with attached Word or Excel files. When opened, the document displayed a message: "Enable Macros to view this document." Enabling macros triggered the VBA script, which downloaded and installed Emotet, which then spread across the network, harvested credentials, and frequently delivered secondary payloads including TrickBot and Ryuk ransomware.
Microsoft's decision to disable macros by default in Office documents downloaded from the internet (implemented 2022) was a direct response to years of macro-based malware campaigns. Organizations with macro execution policies in place were significantly less exposed throughout the Emotet years.
File-Based β Fake Browser Extension
A browser extension submitted to the Chrome Web Store advertised itself as a free PDF converter tool. It had thousands of downloads and positive reviews (many fake). The extension's actual functionality: reading the content of every web page the user visited, capturing form field inputs (including passwords typed into login forms), and exfiltrating this data to a remote server. It remained in the Chrome Web Store for several months before being identified and removed.
Browser extensions are granted significant permissions by the browser β and users rarely scrutinize what permissions an extension requests during installation. A malicious extension with permission to "read and change all your data on the websites you visit" can act as a complete keylogger and session hijacker, operating inside the browser where many security tools have limited visibility.
Voice β IRS Vishing Scam
A widely reported vishing campaign had attackers calling victims claiming to be IRS agents, stating that the victim owed back taxes and would be arrested within hours unless immediate payment was made via gift cards or wire transfer. The calls used spoofed caller ID to display a real IRS phone number. Victims who called back reached fake "IRS agents" who continued the social engineering, demanding payment under threat of arrest, deportation, or legal action.
The campaign targeted elderly victims disproportionately and stole hundreds of millions of dollars over several years. The IRS repeatedly published warnings that they do not call threatening immediate arrest β but many victims, unfamiliar with IRS procedures and frightened by authority, complied. The attack had zero technical complexity. It exploited authority, fear, and urgency β three of the most powerful social engineering levers.
Removable Device β Stuxnet and the Air-Gapped Network
Iran's Natanz uranium enrichment facility was air-gapped β completely isolated from the internet. No external network connections of any kind. This was considered a complete security boundary. Stuxnet, a worm attributed to joint US-Israeli development, was specifically engineered to cross this air gap via USB drives.
USB drives carrying Stuxnet were reportedly introduced near the facility β potentially dropped in parking lots or given to unwitting contractors. Once a drive was inserted into any Windows machine that connected to the facility's network, Stuxnet spread silently via multiple zero-day exploits. It targeted Siemens PLC (programmable logic controller) software used to control the centrifuges, reprogrammed the centrifuges to spin at destructive speeds while reporting normal operation to operators, and ultimately destroyed approximately 1,000 centrifuges β setting Iran's nuclear program back by years. The operators watching their monitoring screens saw no indication of the attack in progress.
Removable Device β USB Rubber Ducky HID Attack
During a physical penetration test, a security researcher walked into a corporate office posing as a delivery person. While waiting at the front desk for 45 seconds, he plugged a USB Rubber Ducky device into an unlocked workstation. The device β indistinguishable from a standard USB drive β emulated a keyboard and typed a pre-programmed sequence that opened PowerShell, downloaded a reverse shell payload from the internet, and executed it. The entire sequence completed in under 10 seconds. The researcher had a remote command shell into the corporate network before he left the building.
The USB Rubber Ducky is a commercially available tool designed for penetration testing β but identical devices are used by malicious actors. The attack requires only brief physical access to an unlocked, unattended workstation and a USB port that hasn't been disabled.
Vulnerable Software β Log4Shell (Agentless Vector)
In December 2021, CVE-2021-44228 (Log4Shell) was disclosed β a critical remote code execution vulnerability in Apache Log4j, a Java logging library used server-side in an enormous number of applications and services. The client connecting to these services had nothing installed. Log4j ran on the server.
When an attacker sent a specially crafted string in any input that the application logged (a username, a user-agent header, a search query), the vulnerable Log4j library would process it as a JNDI lookup and fetch and execute a malicious payload from the attacker's server. Hundreds of millions of server-side instances were vulnerable. Every user connecting to a vulnerable server was using an application built on a compromised foundation.
There was nothing to patch on the clients β clients had no Log4j installed. The entire remediation burden was on server-side administrators. Organizations that could quickly inventory all their Java applications and identify Log4j dependencies were able to patch rapidly; organizations without accurate software inventories struggled for weeks.
Unsupported Systems β WannaCry and Windows XP in Hospitals
On May 12, 2017, WannaCry ransomware began spreading globally, exploiting EternalBlue β a vulnerability in Windows SMBv1 for which Microsoft had released a patch two months earlier. Microsoft had not released a patch for Windows XP (end of life since 2014) because XP was officially unsupported.
The UK's National Health Service was among the hardest-hit organizations. Thousands of NHS computers and medical devices still ran Windows XP β many because specialist medical device manufacturers had written software that only ran on XP and had never updated it. When WannaCry hit, approximately 80 NHS trusts were affected, 19,000 appointments were cancelled, and ambulances were diverted. The attack that exploited unsupported, unpatched systems directly threatened patient care.
Microsoft ultimately released an emergency patch for Windows XP even after EOL β a rare exception driven by the scale of the crisis. But the vulnerability window that existed for those systems was permanent and unavoidable as long as they remained on XP.
Unsecure Network β Rogue Access Point in Hotel Lobby
Business travelers staying at a hotel noticed a Wi-Fi network named "HotelFreeWiFi" β indistinguishable from the hotel's legitimate network name. An attacker had set up a mobile hotspot in the hotel lobby configured to mimic the hotel's SSID. Travelers' devices, having previously connected to similar-named networks, auto-connected without user confirmation. The attacker performed a man-in-the-middle attack on all traffic β capturing login credentials for corporate email, VPN login pages, and web applications. Several laptops attempted to connect to corporate VPNs that used certificate-based authentication, inadvertently revealing corporate domain information in the connection attempts.
Default Credentials β Mirai Botnet
In 2016, the Mirai botnet was released β malware that scanned the internet for IoT devices (security cameras, home routers, DVRs, baby monitors) and attempted to log in using a hardcoded list of 61 default username/password combinations. Factory defaults like admin/admin, root/root, admin/password, and device-specific defaults like the username "xc3511" used by a specific camera manufacturer.
Mirai compromised over 600,000 devices. Their owners had no idea. On September 20, 2016, Mirai launched a DDoS attack against journalist Brian Krebs's website, peaking at 620 Gbps. On October 21, 2016, Mirai attacked DNS provider Dyn with traffic exceeding 1 Tbps, taking down major services including Twitter, Netflix, Reddit, GitHub, Airbnb, and CNN for hours across the US East Coast.
The entire attack was possible only because hundreds of thousands of device owners never changed factory default passwords. There was no vulnerability exploited. The devices were accessed using the credentials they shipped with.
Supply Chain β 2013 Target Breach via HVAC Contractor
In November 2013, attackers compromised Fazio Mechanical Services, a small HVAC company that had a network connection to Target Corporation for submitting invoices and performing remote monitoring of heating and cooling systems at Target stores. Fazio's security was far weaker than Target's β attackers compromised Fazio's systems using a phishing email containing the Citadel Trojan.
Using Fazio's credentials, attackers connected to Target's vendor portal and pivoted from the vendor network segment to Target's internal POS network β a lateral movement that Target's network segmentation failed to prevent. They installed Kaptoxa malware (a variant of BlackPOS) on POS terminals across all Target stores. Over 19 days during the holiday shopping season, the malware captured credit and debit card magnetic stripe data at the point of swipe. Approximately 40 million payment card numbers and 70 million customer records were exfiltrated before the breach was detected.
Target's own security tools had flagged the intrusion multiple times during the breach period, but alerts were not acted upon. The entry point was a third-party HVAC company β a vendor relationship that no one had considered a security risk.
Supply Chain β Fake Cisco Catalyst Switches (2020)
The FBI and DHS issued alerts regarding counterfeit Cisco Catalyst 2960-X series switches being discovered in US government and enterprise networks. The switches appeared physically identical to genuine Cisco hardware β same form factor, same labels, same packaging. They operated normally under regular conditions, passing all functional tests.
The counterfeits were identified through an unexpected behavior: they could not successfully apply Cisco IOS software updates. Firmware update processes that relied on cryptographic signing checks failed on the counterfeit hardware because the underlying hardware was not authentic Cisco silicon and could not pass the verification process. Investigation revealed the counterfeits contained modified firmware and in some cases additional hardware components not present in genuine units.
Supply chain hardware tampering is particularly insidious because the compromise occurs before the device reaches the victim organization β it arrives looking legitimate, passes visual inspection, and operates functionally for years while potentially exfiltrating traffic or providing persistent backdoor access.