
SC-057: Deepfake Social Engineering

Scenario Overview

The threat actor group "MIRROR SHADE" targets a multinational manufacturing firm through AI-generated deepfake attacks. After extensive reconnaissance of the CFO via social media, earnings calls, and conference appearances, the group trains a real-time deepfake video model and initiates a video call with the finance team impersonating the CFO. On the call, the impersonated CFO directs an urgent $4.7M wire transfer to a "confidential acquisition target." Following the successful wire fraud, MIRROR SHADE pivots to deepfake voice calls against the IT helpdesk, socially engineering MFA resets for three executive accounts and enabling further account takeover and data access.

Environment: Meridian Industries corporate network at 10.20.0.0/16; Azure AD tenant meridian-ind.example.com
Initial Access: Compromised Zoom account + AI-generated deepfake video/voice (T1566)
Impact: $4.7M wire fraud, 3 executive accounts compromised, board confidence shaken
Difficulty: Advanced
Sector: Manufacturing / Finance


Threat Actor Profile

MIRROR SHADE is a financially motivated criminal group first observed in late 2025, specializing in synthetic media fraud. Unlike traditional BEC actors who rely on email spoofing, MIRROR SHADE invests heavily in AI infrastructure — training custom deepfake models for real-time video synthesis and voice cloning. The group operates a small team of 8-12 members with distinct roles: OSINT collectors, AI engineers, social engineers, and money launderers.

Motivation: Financial — wire fraud and account takeover for secondary monetization
Capability: High — custom real-time deepfake video pipeline with <150ms latency, voice cloning from 5 minutes of audio
Target Sectors: Manufacturing, financial services, technology firms with >$500M revenue
Estimated Operations: 8-10 successful attacks in 2025-2026, average yield $3.2M per incident

Emerging Threat Context

Real-time deepfake video calls represent the next evolution of business email compromise:

  • Video quality: Modern face-swap models produce photorealistic output at 30fps with consumer GPUs
  • Voice sync: Combined audio-visual deepfakes achieve >90% deception rate in controlled tests
  • Verification gap: Most organizations lack procedures to authenticate video call participants
  • Scale: Open-source deepfake toolkits lower the barrier to entry for criminal groups

Attack Timeline

| Timestamp (UTC) | Phase | Action |
| --- | --- | --- |
| 2026-02-10 - 2026-02-20 | Reconnaissance | OSINT collection on CFO, finance team, organizational hierarchy |
| 2026-02-21 - 2026-02-28 | Resource Development | Deepfake model training, Zoom account compromise, domain setup |
| 2026-03-04 08:30:00 | Initial Access | Compromised Zoom account sends meeting invite to finance team |
| 2026-03-04 09:00:00 | Social Engineering | Deepfake video call impersonating CFO; wire transfer authorized |
| 2026-03-04 09:45:00 | Execution | Finance team initiates $4.7M wire to attacker-controlled bank |
| 2026-03-04 14:00:00 | Persistence | Deepfake voice call #1 to IT helpdesk — CEO MFA reset |
| 2026-03-04 15:30:00 | Persistence | Deepfake voice call #2 to IT helpdesk — COO MFA reset |
| 2026-03-05 09:00:00 | Persistence | Deepfake voice call #3 to IT helpdesk — VP Sales MFA reset |
| 2026-03-05 10:00:00 | Account Takeover | Attacker accesses CEO mailbox; forwards sensitive board documents |
| 2026-03-05 16:00:00 | Detection | Real CFO discovers unauthorized meeting on calendar |
| 2026-03-06 09:00:00 | Response | Bank contacted; partial fund freeze ($1.2M recovered) |

Technical Analysis

Phase 1: Reconnaissance and OSINT Collection

MIRROR SHADE collects extensive audio and video samples of CFO Angela Torres from publicly available sources to train their deepfake model.

# OSINT collection sources (reconstructed from post-incident analysis)

# Video sources for deepfake training:
# - Q4 2025 earnings call (YouTube, 32 min) — front-facing, studio lighting
# - Bloomberg interview (YouTube, 8 min) — high-quality studio capture
# - Industry conference keynote (Vimeo, 45 min) — multiple angles
# - Internal "CEO message" video on LinkedIn (3 min) — professional quality
# Total: 88 minutes of high-quality video, 120+ minutes of audio

# Organizational intelligence gathered:
# - LinkedIn: identified finance team members, reporting structure
# - SEC filings: board members, compensation details, M&A history
# - Glassdoor: internal process details, communication culture
# - Corporate website: executive bios, press releases
# - Twitter/X: CFO's communication style, recent travel schedule

# Attacker infrastructure setup:
# Domain registered: meridian-secure.example.com (2026-02-15)
# Zoom account compromised: atorres-meridian@example.com (credential stuffing)
# Deepfake training: 72 hours on 4x GPU cluster
# Voice clone MOS score: 4.7/5.0
# Video deepfake quality: FID score 12.3 (near-photorealistic)

Phase 2: Zoom Account Compromise

The attacker gains access to a Zoom account associated with the CFO through credential stuffing with a password reused from a prior data breach, then defeats the account's SMS-based MFA with a SIM swap.

# Credential stuffing attack (from Zoom audit logs)
# Target: atorres-meridian@example.com
# Source IPs: 198.51.100.22, 198.51.100.23 (rotating residential proxies)
# Attempts: 3 over 48 hours (low and slow to avoid lockout)
# Success: 2026-02-28 03:14:00 UTC — password reuse from 2024 breach
# MFA: Account had SMS-based MFA — bypassed via SIM swap
#   SIM swap executed against carrier on 2026-02-27

# Post-compromise actions:
# - Changed recovery email to attacker-controlled address
# - Maintained existing display name and profile picture
# - Reviewed scheduled meetings for finance team patterns
# - Identified recurring "CFO Finance Sync" meeting (Tuesdays 9 AM ET)

Phase 3: Deepfake Video Call — Wire Fraud

MIRROR SHADE initiates a Zoom meeting from the compromised account, running real-time deepfake video synthesis to impersonate the CFO.

# Meeting details (from Zoom admin console):
# Meeting ID: 987-6543-2109
# Host: atorres-meridian@example.com (compromised CFO account)
# Participants:
#   - "Angela Torres" (attacker with deepfake video)
#   - David Kim (Treasury Manager — MERIDIAN\dkim)
#   - Priya Sandoval (Wire Transfer Coordinator — MERIDIAN\psandoval)
# Duration: 22 minutes
# Recording: disabled by host

# Call transcript summary (reconstructed from participant interviews):
# - "CFO" explained confidential acquisition of a European supplier
# - Referenced real details from Q4 earnings call to build credibility
# - Instructed $4.7M wire to "escrow account" for the acquisition
# - Provided wire instructions via Zoom chat (not email — avoiding email DLP)
# - Emphasized urgency: "Board approved this yesterday, we need to close by EOD"
# - Told team not to discuss externally: "This is material non-public info"

# Wire transfer details:
# Amount: $4,700,000.00
# Destination: First Atlantic Bank (attacker-controlled shell company)
# Account: 9876543210 (Meridian Acquisition Holdings LLC — fictitious entity)
# Reference: MER-ACQ-2026-CONF
# Authorized by: David Kim (believed he had CFO verbal authorization)

Phase 4: Deepfake Voice Calls — MFA Reset Social Engineering

After the wire fraud, MIRROR SHADE pivots to compromising executive accounts by calling the IT helpdesk using cloned voices.

# Helpdesk call #1 (from phone system logs and helpdesk ticket):
# Ticket: HD-2026-04571
# Caller: "Richard Okafor" (CEO — voice cloned from annual shareholder meeting)
# Helpdesk agent: Mike Torres (Tier 1)
# Caller ID: +1-555-0142 (spoofed to match CEO's known mobile)
# Request: "I'm traveling internationally, my authenticator app isn't working.
#           I need MFA reset on my account immediately for a board matter."
# Verification: Agent asked security question — attacker answered correctly
#   (answer sourced from CEO's social media posts)
# Action: MFA reset completed, temporary code issued
# Duration: 4 minutes 22 seconds

# Helpdesk call #2 (similar pattern):
# Ticket: HD-2026-04573
# Caller: "Sarah Chen" (COO — voice cloned from podcast interview)
# Request: MFA reset, claimed phone was lost during travel
# Action: MFA reset completed

# Helpdesk call #3 (next day):
# Ticket: HD-2026-04589
# Caller: "James Morton" (VP Sales — voice cloned from webinar)
# Request: MFA reset, claimed new phone setup
# Action: MFA reset completed

# Post-reset attacker activity:
# 2026-03-04 14:22 — CEO account login from 203.0.113.88 (VPN exit node)
# 2026-03-04 14:25 — Mailbox access: 847 emails downloaded via IMAP
# 2026-03-04 14:30 — Mail rule created: forward all board@ emails to external address
# 2026-03-05 10:15 — CEO account: accessed SharePoint board documents folder
# 2026-03-05 10:30 — Downloaded: "Board_Strategy_2026.pptx", "MA_Pipeline.xlsx"

Detection Opportunities

KQL — Anomalous MFA Reset Clustering

// Detect multiple MFA resets for executive accounts in a short window
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName == "Reset strong authentication method"
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)
| summarize
    ResetCount = count(),
    TargetUsers = make_set(TargetUser),
    ResetTimes = make_list(TimeGenerated)
    by InitiatedBy, bin(TimeGenerated, 4h)
| where ResetCount >= 2
| sort by ResetCount desc

KQL — Suspicious Mailbox Forwarding Rule Creation

// Detect mail forwarding rules to external domains (post-compromise indicator)
OfficeActivity
| where TimeGenerated > ago(7d)
| where Operation == "New-InboxRule"
| where Parameters has "ForwardTo" or Parameters has "RedirectTo"
| extend ForwardingAddress = extract(@"ForwardTo.*?([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})", 1, tostring(Parameters))
// extract() returns an empty string when the pattern does not match; drop those rows
// so they are not reported as "external" by the endswith check below
| where isnotempty(ForwardingAddress)
| where ForwardingAddress !endswith "meridian-ind.example.com"
| project TimeGenerated, UserId, ForwardingAddress, ClientIP, Parameters
| sort by TimeGenerated desc

KQL — Unusual Wire Transfer Authorization Patterns

// Detect wire transfers exceeding normal patterns (requires financial app logs)
// known_vendors_watchlist must be a single-column table of approved destinations;
// the datatable below is a placeholder to be replaced by a real watchlist or reference table
let known_vendors_watchlist = datatable(Destination_s: string)
    ["<approved vendor bank 1>", "<approved vendor bank 2>"];
CustomLog_WireTransfers_CL
| where TimeGenerated > ago(7d)
| where Amount_d > 1000000
| extend AuthMethod = tostring(AuthorizationMethod_s)
| where AuthMethod == "verbal" or AuthMethod == "video_call"
| where Destination_s !in (known_vendors_watchlist)
| project TimeGenerated, Initiator_s, Approver_s, Amount_d,
    Destination_s, AuthMethod, Reference_s
| sort by Amount_d desc

KQL — Impossible Travel After MFA Reset

// Detect login from unusual location shortly after MFA reset
let mfa_resets = AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName == "Reset strong authentication method"
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| project ResetTime = TimeGenerated, TargetUser;
SigninLogs
| where TimeGenerated > ago(24h)
| join kind=inner mfa_resets on $left.UserPrincipalName == $right.TargetUser
| where TimeGenerated between (ResetTime .. (ResetTime + 2h))
| where Location !in ("United States", "Canada")
| project TimeGenerated, UserPrincipalName, Location, IPAddress,
    AppDisplayName, ResetTime
| sort by TimeGenerated desc

SPL — Helpdesk MFA Reset Velocity Alert

index=itsm sourcetype="servicenow"
  (category="MFA Reset" OR category="Authentication Reset")
| eval target_role=case(
    match(target_user, "(?i)(CEO|CFO|COO|CTO|CISO|VP)"), "executive",
    1=1, "standard")
| where target_role="executive"
| bin _time span=4h
| stats count as reset_count
        dc(target_user) as unique_executives
        values(target_user) as exec_list
        values(agent) as helpdesk_agents
        by _time
| where reset_count >= 2
| eval alert_severity=if(reset_count >= 3, "CRITICAL", "HIGH")
| sort -reset_count

SPL — Video Conference Account Anomaly Detection

index=saas sourcetype="zoom:activity"
  (action="meeting.started" OR action="meeting.participant_joined")
| eval host_ip=coalesce(host_ip, src_ip)
| iplocation host_ip
| bin _time span=24h
| stats count as meetings
        dc(host_ip) as unique_ips
        dc(Country) as unique_countries
        values(Country) as countries
        by host_email _time
| where unique_countries > 1
| eval risk=if(unique_countries > 2, "HIGH", "MEDIUM")
| sort -unique_countries

SPL — Bulk Email Download After Account Compromise

index=o365 sourcetype="o365:management:activity"
  Operation="MailItemsAccessed"
| iplocation ClientIPAddress
| bin _time span=1h
| stats count as access_count
        dc(MailboxItemId) as unique_items
        values(ClientIPAddress) as client_ips
        values(Country) as countries
        by UserId _time
| where access_count > 500
| eval alert=if(access_count > 800, "CRITICAL", "HIGH")
| sort -access_count
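The two MFA-reset detections above (reset clustering per helpdesk agent, and a sign-in from an unexpected location shortly after a reset) re-implemented in Python over constructed sample events, so the logic can be exercised offline. This is an added example, not part of the original scenario; the agent names other than mtorres, the second reset performed by each agent, and the sign-in locations are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on the scenario timeline (not real logs).
# Agent "jlee", the intern account and the sign-in locations are assumed.
MFA_RESETS = [
    {"time": "2026-03-04T14:05:00", "agent": "mtorres", "target": "rokafor@meridian-ind.example.com"},
    {"time": "2026-03-04T15:35:00", "agent": "mtorres", "target": "schen@meridian-ind.example.com"},
    {"time": "2026-03-05T09:05:00", "agent": "jlee", "target": "jmorton@meridian-ind.example.com"},
    {"time": "2026-03-05T11:00:00", "agent": "jlee", "target": "intern1@meridian-ind.example.com"},
]
SIGNINS = [
    {"time": "2026-03-04T14:22:00", "user": "rokafor@meridian-ind.example.com", "location": "Netherlands", "ip": "203.0.113.88"},
    {"time": "2026-03-04T16:10:00", "user": "schen@meridian-ind.example.com", "location": "United States", "ip": "10.20.5.11"},
    {"time": "2026-03-05T10:15:00", "user": "jmorton@meridian-ind.example.com", "location": "Netherlands", "ip": "203.0.113.88"},
]
EXECUTIVES = {"rokafor@meridian-ind.example.com", "schen@meridian-ind.example.com",
              "jmorton@meridian-ind.example.com"}
TRUSTED_LOCATIONS = {"United States", "Canada"}  # mirrors the KQL allow-list

def reset_clusters(resets, window=timedelta(hours=4), threshold=2):
    """Flag any agent who resets >= threshold executive accounts within a sliding window.
    A sliding window catches the 14:05/15:35 pair even when they straddle a fixed 4h bin."""
    by_agent = defaultdict(list)
    for r in resets:
        if r["target"] in EXECUTIVES:
            by_agent[r["agent"]].append(datetime.fromisoformat(r["time"]))
    alerts = []
    for agent, times in by_agent.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= threshold:
                alerts.append((agent, in_window))
                break  # one alert per agent is enough
    return alerts

def post_reset_foreign_signins(resets, signins, window=timedelta(hours=2)):
    """Sign-ins from outside TRUSTED_LOCATIONS within `window` after that user's MFA reset."""
    hits = []
    for r in resets:
        reset_at = datetime.fromisoformat(r["time"])
        for s in signins:
            if s["user"] != r["target"] or s["location"] in TRUSTED_LOCATIONS:
                continue
            delta = datetime.fromisoformat(s["time"]) - reset_at
            if timedelta(0) <= delta <= window:
                hits.append((s["user"], s["ip"], s["location"], delta))
    return hits
```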

MITRE ATT&CK Mapping

| Tactic | Technique ID | Technique Name | Scenario Phase |
| --- | --- | --- | --- |
| Reconnaissance | T1593.001 | Search Open Websites/Domains: Social Media | OSINT and voice/video sample collection |
| Resource Development | T1585.001 | Establish Accounts: Social Media Accounts | Deepfake model training and infrastructure |
| Initial Access | T1566 | Phishing | Deepfake video call impersonating CFO |
| Initial Access | T1078 | Valid Accounts | Compromised Zoom account login |
| Execution | T1204.001 | User Execution: Malicious Link | Finance team acts on fraudulent wire instructions |
| Persistence | T1534 | Internal Spearphishing | Voice calls to helpdesk for MFA resets |
| Credential Access | T1556.006 | Modify Authentication Process: MFA Reset | Social engineering IT helpdesk |
| Collection | T1114.002 | Email Collection: Remote Email Collection | Bulk mailbox download via IMAP |
| Impact | T1565 | Data Manipulation | Fraudulent wire transfer authorization |

Impact Assessment

| Category | Impact |
| --- | --- |
| Financial | $4.7M wire fraud ($1.2M recovered, $3.5M net loss) |
| Account Compromise | 3 executive accounts (CEO, COO, VP Sales) compromised for 18+ hours |
| Data Exposure | Board strategy documents, M&A pipeline, 847 executive emails exfiltrated |
| Regulatory | SEC disclosure required (material cybersecurity incident) |
| Reputational | Board confidence shaken; external forensic investigation required |
| Operational | 72-hour incident response, all executive passwords and MFA reset |

Remediation & Hardening

  1. Implement out-of-band wire transfer verification — require callback to a pre-registered phone number (not caller-provided) for all transfers exceeding $50,000
  2. Deploy FIDO2/hardware security keys for all executive accounts — phishing-resistant MFA that cannot be socially engineered via helpdesk
  3. Establish identity verification codewords — rotating verbal passphrases for helpdesk authentication that change weekly
  4. Restrict MFA reset authority — executive account MFA resets require in-person verification or approval from CISO
  5. Monitor video conference platforms — integrate Zoom/Teams admin logs into SIEM; alert on impossible travel for meeting hosts
  6. Conduct deepfake awareness training — train finance and helpdesk teams to recognize synthetic media indicators
  7. Implement dual-authorization for wire transfers — two independent approvers with separate verification channels
  8. Reduce executive digital footprint — audit and limit publicly available audio/video content of C-suite
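The verification rules from items 1, 3, 4 and 7 above, expressed as policy checks that a payments or helpdesk workflow could call before acting. This is an added example, not Meridian's actual process; the directory entries, phone numbers, role labels and verification method names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed directory entries: the ONLY phone numbers a verification callback
# may be placed to. Numbers and roles are placeholders, not Meridian data.
DIRECTORY = {
    "atorres@meridian-ind.example.com": {"phone": "+1-555-0100", "role": "CFO"},
    "rokafor@meridian-ind.example.com": {"phone": "+1-555-0142", "role": "CEO"},
    "dkim@meridian-ind.example.com":    {"phone": "+1-555-0177", "role": "Treasury Manager"},
}
EXEC_ROLES = {"CEO", "CFO", "COO", "VP Sales"}
WIRE_CALLBACK_THRESHOLD = 50_000                                    # item 1
EXEC_RESET_METHODS = {"in_person", "ciso_approval"}                 # item 4
STANDARD_RESET_METHODS = EXEC_RESET_METHODS | {"weekly_codeword"}   # item 3

@dataclass
class WireRequest:
    amount: float
    requested_by: str              # identity claimed on the call
    callback_number_used: str      # number the approver actually dialled ("" = no callback)
    approvals: dict = field(default_factory=dict)  # approver -> channel used to verify

def check_wire(req: WireRequest) -> list:
    """Return the policy violations for a wire request; an empty list means it may proceed."""
    problems = []
    if req.amount <= WIRE_CALLBACK_THRESHOLD:
        return problems
    registered = DIRECTORY.get(req.requested_by, {}).get("phone")
    if not registered or req.callback_number_used != registered:
        problems.append("callback not made to the pre-registered number")
    channels = set(req.approvals.values())
    if len(req.approvals) < 2 or len(channels) < 2:          # item 7: dual authorization
        problems.append("two approvers using independent channels required")
    if "callback" not in channels:
        problems.append("video or verbal instruction alone is not authorization")
    return problems

def check_mfa_reset(target: str, verification: set) -> bool:
    """Return True only if the verification methods actually performed satisfy policy.
    Caller ID and security questions are deliberately absent from both allow-lists,
    because both were defeated in this scenario."""
    role = DIRECTORY.get(target, {}).get("role", "")
    required = EXEC_RESET_METHODS if role in EXEC_ROLES else STANDARD_RESET_METHODS
    return bool(verification & required)
```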

Discussion Questions

  1. Your organization's CFO has 4+ hours of publicly available video on YouTube and LinkedIn. How would you assess and mitigate the deepfake risk without restricting legitimate business communications?

  2. An IT helpdesk analyst receives a call from someone who sounds exactly like the CEO requesting an MFA reset. What verification procedures should be in place, and how do you balance security with executive convenience?

  3. The finance team authorized a $4.7M wire transfer based on a video call. What technical and procedural controls could have prevented this without creating friction that causes workarounds?

  4. How should your incident response plan account for deepfake-based attacks? What forensic evidence would you collect, and how would you establish that a call was synthetic?

  5. As deepfake technology improves, voice biometrics and video-based identity verification become less reliable. What authentication paradigms should replace them for high-value authorizations?

  6. Should organizations implement AI-based deepfake detection tools for video calls? What are the false positive/negative tradeoffs, and at what confidence threshold would you block a call?


Cross-References