SC-063: AI-Generated Phishing Campaign¶
Scenario Overview¶
This scenario examines an advanced business email compromise (BEC) campaign executed by the cybercrime syndicate "SILKTHREAD," which leverages artificial intelligence at every stage of the attack chain. SILKTHREAD uses large language models to generate highly personalized phishing emails, deepfake voice cloning to impersonate the CEO during phone calls, and adversarial ML techniques to evade email security filters. The campaign targets Meridian Financial Group, a multinational investment firm, ultimately resulting in a $4.2M wire transfer to attacker-controlled accounts across three jurisdictions. The scenario demonstrates how AI is transforming social engineering from a craft into a scalable, automated operation.
- Environment: Meridian Financial Group corporate network at 10.200.0.0/16; email via Microsoft 365; voice communications via Cisco Webex; finance operations at finance.meridian-financial.example.com
- Initial Access: AI-generated spearphishing link (T1566.002) + deepfake voice call (T1566.004)
- Impact: $4.2M wire fraud across 3 fraudulent transfers; credential and session compromise of 4 of the 12 targeted employees
- Difficulty: Moderate (AI tooling lowers the skill barrier significantly)
- Sector: Financial Services
Threat Actor Profile¶
SILKTHREAD is a financially motivated cybercrime syndicate that has pioneered the use of AI and machine learning in social engineering campaigns. Active since mid-2024, the group consists of approximately 15-20 members organized into specialized cells: AI/ML engineers who develop and fine-tune models, social engineers who manage victim interactions, and money mule networks that launder proceeds. SILKTHREAD sells its AI phishing toolkit ("LURESMITH") on underground forums, but reserves the most sophisticated capabilities — voice cloning and real-time conversation AI — for its own operations.
- Motivation: Financial (wire fraud, BEC, credential harvesting for resale)
- Capability: High (custom LLM fine-tuning, voice synthesis, adversarial ML)
- Target Sectors: Financial Services, Legal, Executive Leadership
- Revenue Model: Direct wire fraud + toolkit sales ($15,000/license for LURESMITH)
- Estimated Take (2025): $47M across 200+ successful BEC operations
- Unique Tradecraft: AI-native operations; every phase of the attack uses ML/AI
AI-Powered Social Engineering
AI is fundamentally transforming phishing and social engineering:
- Personalization at scale: LLMs generate unique, contextually relevant emails for each target — no more template-based mass phishing
- Voice cloning: 30 seconds of audio (from earnings calls, YouTube, podcasts) enables near-perfect voice synthesis
- Language barriers eliminated: AI generates native-quality phishing in any language, eliminating the "bad grammar" detection signal
- Filter evasion: Adversarial ML techniques craft emails that specifically evade statistical and ML-based email security filters
- Real-time adaptation: AI chatbots handle victim responses automatically, maintaining persona consistency across extended conversations
- Reduced skill requirement: Operators need only provide targeting data — the AI handles craft, personalization, and evasion
Attack Timeline¶
| Timestamp (UTC) | Phase | Action |
|---|---|---|
| 2026-01-05 | Reconnaissance | SILKTHREAD scrapes Meridian Financial Group's leadership from LinkedIn, SEC filings, earnings calls |
| 2026-01-07 | Voice Cloning | CEO Robert Harrington's voice cloned from 2025 Q3 earnings call recording (47 minutes of audio) |
| 2026-01-08 | Email Model Training | Fine-tune LLM on Harrington's public communications style (press releases, LinkedIn posts, conference talks) |
| 2026-01-10 | Target Selection | Identify finance team: CFO Maria Chen, VP Finance David Park, Senior Accountant Sarah Kim |
| 2026-01-12 08:00:00 | Domain Setup | Point typosquat meridian-financial-group.example.com (registered about 30 days earlier and warmed up with benign mail) at campaign infrastructure; configure SPF/DKIM/DMARC |
| 2026-01-12 09:00:00 | Email Infrastructure | Deploy LURESMITH email generation engine on attacker infrastructure at 203.0.113.100 |
| 2026-01-15 07:30:00 | Phishing Wave 1 | 12 personalized phishing emails sent to Meridian employees (credential harvesting) |
| 2026-01-15 08:45:00 | Credential Harvest | 4 employees enter credentials on fake SSO page; MFA tokens captured via real-time relay |
| 2026-01-15 14:00:00 | Internal Reconnaissance | Access Meridian email via compromised accounts; map finance workflows, approval chains |
| 2026-01-16 09:00:00 | Voice Call — Setup | Deepfake voice call from "CEO Harrington" to CFO Maria Chen — announces confidential acquisition |
| 2026-01-16 09:30:00 | Phishing Wave 2 | AI-generated email from "CEO" to CFO with wire transfer instructions referencing the call |
| 2026-01-16 11:00:00 | Wire Transfer 1 | CFO approves $1.8M wire to "acquisition escrow" at attacker-controlled bank account |
| 2026-01-17 10:00:00 | Voice Call — Urgency | Second deepfake call to VP Finance David Park — "additional escrow funding needed today" |
| 2026-01-17 14:30:00 | Wire Transfer 2 | VP Finance approves $1.5M wire transfer |
| 2026-01-18 08:00:00 | Voice Call — Pressure | Third deepfake call to Senior Accountant — "final closing payment, CEO already approved" |
| 2026-01-18 10:00:00 | Wire Transfer 3 | Senior Accountant processes $900K wire transfer |
| 2026-01-18 15:00:00 | Detection | Real CEO asks CFO about acquisition reference in a meeting — fraud discovered |
| 2026-01-18 15:30:00 | Bank Notification | Meridian contacts banks to freeze transfers; $1.2M recovered, $3.0M lost |
Technical Analysis¶
Phase 1: AI-Powered Reconnaissance (T1593, T1589)¶
SILKTHREAD used AI tools to automate and scale their target reconnaissance, processing public information to build detailed profiles of Meridian Financial Group's leadership.
# SILKTHREAD reconnaissance pipeline (reconstructed from seized infrastructure)
# Automated OSINT collection and analysis
# Step 1: Target organization profiling
# Tool: LURESMITH Recon Module (custom Python/LLM pipeline)
luresmith recon --target "Meridian Financial Group" \
--sources linkedin,sec_edgar,press_releases,youtube,podcasts \
--output profiles/meridian_financial/
# Output: Organization profile
# {
# "company": "Meridian Financial Group",
# "sector": "Financial Services — Investment Management",
# "employees": 2400,
# "revenue": "$3.2B AUM",
# "email_domain": "meridian-financial.example.com",
# "email_format": "first.last@meridian-financial.example.com",
# "sso_provider": "Microsoft Entra ID (Azure AD)",
# "leadership": [
# {
# "name": "Robert Harrington",
# "title": "CEO",
# "email": "robert.harrington@meridian-financial.example.com",
# "linkedin": "linkedin.com/in/robert-harrington-SYNTHETIC",
# "voice_samples": ["Q3_2025_earnings_call.mp3 (47:23)"],
# "communication_style": "formal, decisive, uses 'let me be direct'",
# "recent_topics": ["Q3 earnings beat", "Southeast Asia expansion",
# "upcoming acquisition strategy"]
# },
# {
# "name": "Maria Chen",
# "title": "CFO",
# "email": "maria.chen@meridian-financial.example.com",
# "reports_to": "Robert Harrington",
# "approval_authority": "$5M single-signature wire transfers"
# },
# {
# "name": "David Park",
# "title": "VP Finance",
# "email": "david.park@meridian-financial.example.com",
# "reports_to": "Maria Chen",
# "approval_authority": "$2M single-signature wire transfers"
# }
# ]
# }
Phase 2: Deepfake Voice Cloning (T1588.007)¶
SILKTHREAD's AI engineers created a high-fidelity voice clone of CEO Robert Harrington using audio from publicly available earnings calls.
# Voice cloning pipeline (SILKTHREAD's internal tooling)
# Based on open-source voice synthesis models, fine-tuned for cloning
# Step 1: Audio extraction from earnings call recording
# Source: Q3 2025 earnings call (publicly available webcast)
# Duration: 47:23 (CEO speaking portions: ~22 minutes after isolation)
luresmith voice-clone \
--source earnings_call_q3_2025.mp3 \
--speaker-id "robert_harrington" \
--isolate-speaker true \
--model "voice-synth-v3" \
--output models/harrington_voice_v1.model
# Training metrics:
# Speaker isolation: 98.7% accuracy (removed analysts, CFO segments)
# Voice clone MOS (Mean Opinion Score): 4.2/5.0
# Pronunciation accuracy: 96.3%
# Emotional range: neutral, confident, urgent (trained separately)
# Prosody match: 94.1% (speech rhythm, intonation patterns)
# Step 2: Voice clone validation
luresmith voice-test \
--model models/harrington_voice_v1.model \
--text "Maria, this is Robert. I need to discuss something confidential
with you regarding an acquisition we're finalizing. Can you make
sure this stays between us for now?" \
--emotion confident \
--output test_samples/harrington_test_01.wav
# Quality assessment: 4.3/5.0 MOS
# Notable artifacts: slight unnatural pause before proper nouns (addressed in v1.1)
# Phone line simulation: narrowband telephone filter (300-3400 Hz passband, 8 kHz sampling) applied to mask remaining artifacts
# Result: Indistinguishable from real CEO voice over phone connection
# Step 3: Real-time voice synthesis configuration
# SILKTHREAD operates voice calls through a real-time synthesis bridge
# Operator types/speaks in native language → AI converts to target voice
luresmith voice-bridge \
--model models/harrington_voice_v1.model \
--input-mode text-to-speech \
--latency-target 200ms \
--phone-simulation true \
--caller-id "+1-555-0147" \
--recording true \
--output calls/
# --caller-id is spoofed to match the CEO's known number
Phase 3: LLM-Generated Phishing Emails (T1566.001, T1566.002)¶
SILKTHREAD's LURESMITH platform generates unique phishing emails for each target, using the CEO's communication style and contextual information from OSINT.
# LURESMITH email generation (AI phishing engine)
# Each email is uniquely generated — no templates, no reuse
# Email generation for credential harvesting (Wave 1)
luresmith generate-email \
--campaign "meridian_cred_harvest" \
--sender-persona "IT Security Team" \
--targets targets/meridian_wave1.json \
--pretext "mandatory_security_review" \
--landing-page "https://sso.meridian-financial-group.example.com/verify" \
--evasion-mode aggressive \
--output emails/wave1/
# Example generated email (for target: sarah.kim@meridian-financial.example.com)
# ──────────────────────────────────────────────────────────────────
# From: security-team@meridian-financial.example.com (spoofed)
# To: sarah.kim@meridian-financial.example.com
# Subject: Action Required: Annual Security Credential Verification
#
# Hi Sarah,
#
# As part of Meridian Financial Group's annual security compliance
# review (per our updated SOC 2 Type II requirements), all finance
# team members are required to verify their credentials through our
# updated authentication portal by end of business Friday.
#
# This specifically applies to your role as Senior Accountant, as
# your access to the wire transfer approval system (FinanceConnect)
# requires enhanced verification this quarter.
#
# Please complete your verification here:
# https://sso.meridian-financial-group.example.com/verify
#
# If you've already completed this for Q1, please disregard.
#
# Thanks,
# Meridian IT Security Team
# ──────────────────────────────────────────────────────────────────
# Note: AI-generated elements:
# 1. Personalized to target's name and role ("Senior Accountant")
# 2. References real internal system ("FinanceConnect") learned from LinkedIn
# 3. Cites real compliance framework (SOC 2 Type II) relevant to finance
# 4. Provides opt-out to reduce suspicion ("If you've already completed...")
# 5. No grammatical errors, natural tone, appropriate formality level
# Adversarial evasion techniques applied by LURESMITH:
# - Unicode homoglyphs in key detection-triggering words
# - Invisible zero-width characters to break signature matching
# - Sending domain looks legitimate with proper SPF/DKIM/DMARC
# - HTML email with invisible text to confuse ML classifiers
# - Randomized sentence structure to avoid n-gram detection
# Caveat: the Wave 1 From: header carries Meridian's real domain. SPF/DKIM on the
# attacker's typosquat domain cannot align with that header, so this only reaches
# the inbox if meridian-financial.example.com publishes no enforcing DMARC policy
# (p=quarantine/reject) or the receiver does not honor it. The Wave 2 CEO email
# avoids the problem by sending from the typosquat domain itself.
Phase 4: Credential Harvesting with MFA Bypass (T1557, T1539, T1111)¶
# Real-time phishing proxy for MFA bypass
# SILKTHREAD deploys adversary-in-the-middle (AitM) proxy
# Phishing landing page: sso.meridian-financial-group.example.com
# Proxied to: login.microsoftonline.com (real Microsoft login)
# Tool: Custom fork of open-source AitM framework
# Attack flow:
# 1. Victim clicks link → arrives at attacker-controlled SSO page (a reverse proxy in front of the real login)
# 2. Victim enters username/password → relayed by the proxy to the real Microsoft login
# 3. Microsoft sends MFA push (or SMS code) → victim approves on their phone; the proxy relays the result
# 4. Microsoft returns the session cookie through the proxy, which copies it before forwarding it to the victim's browser
# 5. Attacker imports the stolen cookie/token into their own browser and accesses the victim's mailbox; the victim sees a normal, successful login
# Credential capture log (from attacker infrastructure):
[2026-01-15 08:45:12 UTC] CAPTURE: sarah.kim@meridian-financial.example.com
Password: S@r@hK!m_MFG2025 (synthetic)
MFA: Approved (Microsoft Authenticator push)
Session Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJS...REDACTED
Access: Outlook, SharePoint, OneDrive
[2026-01-15 08:52:33 UTC] CAPTURE: d.nguyen@meridian-financial.example.com
Password: Davi3_Nguyen! (synthetic)
MFA: Approved (SMS code: 847291)
Session Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJS...REDACTED
[2026-01-15 09:01:45 UTC] CAPTURE: j.wilson@meridian-financial.example.com
Password: JW!ls0n_2025 (synthetic)
MFA: Approved (Microsoft Authenticator push)
Session Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJS...REDACTED
[2026-01-15 09:15:02 UTC] CAPTURE: m.rodriguez@meridian-financial.example.com
Password: M@ri@R0d_MFG (synthetic)
MFA: Approved (Microsoft Authenticator push)
Session Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJS...REDACTED
# Total: 4 of 12 targets compromised (33% success rate)
# All 4 had MFA enabled — bypassed via real-time session token theft
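The reason the playbook later calls for FIDO2 is that a WebAuthn assertion is bound to the origin the browser is on, which is exactly what the proxy above cannot control. The following is an added example (not SILKTHREAD tooling and not Meridian code) that walks the relying-party checks with the scenario's real and typosquat origins. The signature primitive is an HMAC stand-in for ECDSA so it runs offline; the RP ID, origins and key are assumptions.

```python
"""Why a FIDO2/WebAuthn sign-in survives the AitM proxy where push MFA does not.

The authenticator signs authenticatorData || SHA-256(clientDataJSON), and the
browser (not the page) writes the origin it is really on into clientDataJSON.
The proxy can relay the challenge, but the assertion then names the phishing
origin and carries the wrong rpIdHash, and neither can be edited without the
credential's private key. The signature below is an HMAC stand-in for ECDSA
(an assumption so the demo runs offline); the checks mirror the WebAuthn
relying-party verification steps.
"""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "meridian-financial.example.com"
ALLOWED_ORIGINS = {"https://login.meridian-financial.example.com"}
PHISHING_ORIGIN = "https://sso.meridian-financial-group.example.com"

# Constructed: per-credential private key, stand-in for the security key's key pair.
CREDENTIAL_SECRET = os.urandom(32)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_sign(client_data_json: bytes, auth_data: bytes) -> bytes:
    """What the security key does: sign authData || SHA-256(clientDataJSON)."""
    return hmac.new(CREDENTIAL_SECRET, auth_data + hashlib.sha256(client_data_json).digest(),
                    hashlib.sha256).digest()


def browser_assertion(origin: str, challenge: bytes, rp_id: str) -> dict:
    """What the browser does. The page may choose rp_id, but only a registrable
    suffix of its own origin, and the origin field is filled in by the browser."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("browser refuses: RP ID is not a suffix of the origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP=1) || signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": authenticator_sign(client_data, auth_data)}


def rp_verify(challenge: bytes, assertion: dict) -> tuple:
    """Relying-party side: the assertion checks that defeat an AitM relay."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch or replay"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: " + str(cd.get("origin"))
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = authenticator_sign(assertion["clientDataJSON"], auth_data)
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def aitm_relay(challenge: bytes) -> dict:
    """The proxy forwards the RP's challenge to the victim on the phishing origin.
    It obtains an assertion only for its own registrable domain, then either
    relays it untouched or rewrites origin and rpIdHash to look legitimate."""
    phishing_rp_id = "meridian-financial-group.example.com"
    relayed = browser_assertion(PHISHING_ORIGIN, challenge, phishing_rp_id)
    cd = json.loads(relayed["clientDataJSON"])
    cd["origin"] = next(iter(ALLOWED_ORIGINS))
    tampered = {
        "clientDataJSON": json.dumps(cd).encode(),
        "authenticatorData": hashlib.sha256(RP_ID.encode()).digest() + relayed["authenticatorData"][32:],
        "signature": relayed["signature"],  # cannot be recomputed without the credential key
    }
    return {"relayed": relayed, "tampered": tampered}


def demo() -> dict:
    challenge = os.urandom(32)  # per-ceremony, single use, issued by the RP
    legit = browser_assertion(next(iter(ALLOWED_ORIGINS)), challenge, RP_ID)
    attack = aitm_relay(challenge)
    return {"legitimate": rp_verify(challenge, legit),
            "aitm_relayed": rp_verify(challenge, attack["relayed"]),
            "aitm_tampered": rp_verify(challenge, attack["tampered"])}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:13s} {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The relayed assertion fails the origin check, and rewriting the origin and rpIdHash breaks the signature; that is the property push and SMS MFA lack, since a push approval proves possession but says nothing about which site the user was on.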
Phase 5: Internal Reconnaissance via Compromised Mailboxes (T1114.002)¶
# Mailbox reconnaissance using stolen session tokens
# SILKTHREAD accesses victim mailboxes to map finance workflows
# Target: sarah.kim@meridian-financial.example.com (Senior Accountant)
# Access method: Stolen OAuth session token via Microsoft Graph API
# Graph API queries (from attacker logs):
GET https://graph.microsoft.com/v1.0/me/messages?
$filter=contains(subject,'wire transfer') or
contains(subject,'payment') or
contains(subject,'approval')
&$top=50
&$select=subject,from,toRecipients,body,sentDateTime
# Intelligence gathered from mailbox analysis:
# 1. Wire transfer approval process:
# - Requests initiated via email to wire-approvals@meridian-financial.example.com
# - Single signature required for transfers under $5M (CFO authority)
# - Dual signature required for transfers $5M-$25M
# - Standard format: PDF with bank details, amount, purpose, account reference
#
# 2. Recent wire transfers (pattern analysis):
# - Average 3-5 wire transfers per week
# - Typical amounts: $500K - $3M
# - Common purposes: "Investment acquisition," "Fund transfer," "Vendor payment"
# - PDF attachments always use Meridian letterhead template
#
# 3. CEO communication patterns:
# - CEO emails CFO directly for urgent matters
# - Uses phrases: "Let me be direct," "This needs to move quickly,"
# "Keep this close hold for now"
# - Often follows up email with phone call for sensitive topics
# - Doesn't CC others on confidential acquisition discussions
# SILKTHREAD used this intelligence to craft the CEO impersonation campaign
Phase 6: Deepfake Voice Call + BEC Wire Fraud (T1566.004, T1657)¶
# Deepfake voice call to CFO Maria Chen
# Real-time voice synthesis via LURESMITH Voice Bridge
# Call metadata:
# Date: 2026-01-16 09:00:00 UTC
# From: +1-555-0147 (spoofed — matches CEO Robert Harrington's known number)
# To: +1-555-0234 (CFO Maria Chen mobile)
# Duration: 4:37
# Voice model: harrington_voice_v1.1
# Call transcript (reconstructed from recording on attacker infrastructure):
# ──────────────────────────────────────────────────────────────────
# [Phone rings]
# CHEN: "Maria Chen."
# AI-HARRINGTON: "Maria, it's Robert. Do you have a minute? I need to
# discuss something confidential."
# CHEN: "Of course, Robert. What's going on?"
# AI-HARRINGTON: "Let me be direct. We're finalizing the acquisition of
# Pinnacle Asset Management — the Southeast Asia fund I mentioned at
# the board meeting last month. The deal is closing this week, and I
# need you to handle the escrow funding personally."
# CHEN: "I remember the discussion. What are we looking at?"
# AI-HARRINGTON: "The initial escrow is one point eight million. I'm
# going to send you the wire details by email right after this call.
# I need this processed today — the seller has a hard deadline, and
# if we miss it, we lose our exclusivity window."
# CHEN: "One point eight to escrow... let me pull up the approval—"
# AI-HARRINGTON: "Maria, I've already spoken with the board about this.
# It's approved at the executive level. I just need you to execute the
# wire. And please keep this close hold for now — we haven't announced
# publicly yet, and I don't want any leaks before the 8-K filing."
# CHEN: "Understood. I'll watch for your email."
# AI-HARRINGTON: "Thank you, Maria. I'll be in meetings the rest of
# the day, so if you have questions, email me directly."
# [Call ends]
# ──────────────────────────────────────────────────────────────────
# Note: AI-generated speech included CEO's characteristic phrases
# ("Let me be direct," "close hold"), natural conversation pacing,
# and appropriate emotional tone (confident, slightly urgent).
# Narrowband phone-line filtering (300-3400 Hz) masked the residual synthesis artifacts.
# Follow-up email (AI-generated, sent from spoofed address):
# From: robert.harrington@meridian-financial-group.example.com (typosquat)
# To: maria.chen@meridian-financial.example.com
# Subject: RE: Pinnacle Asset Management — Escrow Wire Details
#
# Maria,
#
# As discussed, please process the following wire transfer today:
#
# Beneficiary: Pinnacle Acquisition Holdings LLC
# Bank: First National Bank of Commerce
# Account: 7834-XXXX-XXXX-5291 (REDACTED — synthetic)
# Routing: 0219-XXXXX (REDACTED — synthetic)
# Amount: $1,800,000.00
# Reference: MFG-ACQ-2026-PINNACLE-ESC1
#
# This is the first of three escrow installments. I'll provide details
# on the remaining two next week.
#
# Keep this confidential until we file the 8-K.
#
# —Robert
# CFO processed the wire at 11:00 UTC
# No additional verification performed — CEO voice confirmation was trusted
Phase 7: Escalation and Additional Fraud (T1657)¶
# Second deepfake call (2026-01-17) — targeting VP Finance David Park
# SILKTHREAD escalated after successful first wire
# Call transcript excerpt:
# AI-HARRINGTON: "David, Robert Harrington here. Maria is handling
# the primary escrow for the Pinnacle acquisition, but I need you
# to process an additional funding tranche — one point five million
# to a separate escrow account. The seller's counsel requires funds
# in segregated accounts."
# PARK: "I see. Should I coordinate with Maria on this?"
# AI-HARRINGTON: "No — Maria's handling her portion separately. I need
# these processed independently for regulatory reasons. I'll send
# you the wire details now."
# PARK: "Understood, I'll take care of it."
# Wire Transfer 2: $1,500,000 to second attacker-controlled account
# Processed: 2026-01-17 14:30:00 UTC
# Third deepfake call (2026-01-18) — targeting Senior Accountant Sarah Kim
# AI-HARRINGTON: "Sarah, this is Robert. I know this is unusual for me
# to call you directly, but Maria and David are both traveling today
# and I need a final closing payment processed for the Pinnacle deal.
# Nine hundred thousand to the escrow agent. Maria already approved
# this — you can confirm with her when she's back, but I need it
# done by noon."
# Wire Transfer 3: $900,000 to third attacker-controlled account
# Processed: 2026-01-18 10:00:00 UTC
# Total fraudulent transfers: $4,200,000
# Accounts used (all synthetic):
# Account 1: First National Bank of Commerce — $1,800,000
# Account 2: Pacific Commerce Bank — $1,500,000
# Account 3: Atlantic Trust Bank — $900,000
# Funds immediately cascaded through 7 intermediary accounts
# across 3 jurisdictions before conversion to cryptocurrency
Phase 8: AI-Powered Email Filter Evasion (T1036, T1027)¶
# LURESMITH adversarial evasion techniques
# Designed to bypass Microsoft Defender for Office 365 and third-party SEGs
# Technique 1: Semantic padding with invisible content
# Insert zero-width Unicode characters to break ML tokenization
# Example: "wire tr\u200Bansfer" → displays as "wire transfer" but
# breaks n-gram detection that looks for the exact string
# Technique 2: Context poisoning
# Include hidden HTML text (white-on-white) with benign content
# to shift ML classifier confidence score below detection threshold
# <span style="color:white;font-size:1px">Meeting notes from Q3 review.
# Please find attached the quarterly revenue summary and projections
# for the Southeast Asia expansion initiative...</span>
# Technique 3: Domain reputation building
# meridian-financial-group.example.com was registered about 30 days before Wave 1
# Legitimate-appearing website deployed with a TLS certificate
# SPF, DKIM, and DMARC configured correctly for the typosquat domain
# Sent benign emails for 2 weeks to build positive reputation score
# Technique 4: Payload-less initial contact
# The CEO-impersonation emails (Wave 2) contain no links or attachments, only text and bank details
# Conversation thread established first (call, then email) before the wire instruction
# Nothing for sandboxing or URL/attachment scanning to detonate
# Technique 5: LLM-generated unique content
# Every email is uniquely generated — no two emails share identical phrasing
# Defeats signature-based detection and template matching
# Writing style matched to sender persona using fine-tuned model
# LURESMITH evasion metrics (from attacker dashboard):
# Emails sent: 12
# Delivered to inbox (bypassed all filters): 11 (91.7%)
# Quarantined by email security: 1 (8.3%)
# Flagged as suspicious by recipient: 0 (0%)
# Clicked phishing link: 5 (45.5% of delivered)
# Entered credentials: 4 (36.4% of delivered)
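The zero-width, homoglyph and hidden-text tricks in Techniques 1 and 2 all share one weakness: they only work until the text is normalised. The following is an added example (not LURESMITH output and not Meridian's mail filter) of a pre-classification normaliser run over a constructed message built with those techniques. The confusables table is a small excerpt of Unicode TR39, and the phrase list is illustrative.

```python
"""Pre-classification normaliser for the Phase 8 evasion tricks: zero-width
characters, homoglyphs and white-on-white HTML text. Run it before keyword
rules or an ML classifier see the message; the point is that the hidden
strings reappear. The confusables table is an excerpt (Unicode TR39 has the
full list) and the sample message is constructed for the demo.
"""
import re
import unicodedata
from html.parser import HTMLParser

ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}
# Cyrillic/Greek letters that render like Latin ones (excerpt)
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u03bf": "o"}
HIDDEN_STYLE = re.compile(r"color\s*:\s*(white|#fff(fff)?)|font-size\s*:\s*[01]px|display\s*:\s*none", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link"}
PHRASES = ("wire transfer", "verify your credentials", "authentication portal", "escrow")


class VisibleText(HTMLParser):
    """Splits text into what the recipient sees and what is styled invisible."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden, self._hidden_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        if self._hidden_depth or tag in ("script", "style") or HIDDEN_STYLE.search(style):
            self._hidden_depth += 1  # everything nested under a hidden element is hidden

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        (self.hidden if self._hidden_depth else self.visible).append(data)


def normalize(text: str) -> str:
    """Drop format characters, fold compatibility forms, map confusables, lowercase."""
    kept = "".join(ch for ch in text if ch not in ZERO_WIDTH and unicodedata.category(ch) != "Cf")
    folded = unicodedata.normalize("NFKC", kept)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).lower()


def analyze(html_body: str) -> dict:
    parser = VisibleText()
    parser.feed(html_body)
    visible_raw = "".join(parser.visible)
    visible = normalize(visible_raw)
    return {
        "zero_width_chars": sum(ch in ZERO_WIDTH for ch in html_body),
        "confusable_letters": sum(ch in CONFUSABLES for ch in visible_raw),
        "hidden_text_chars": len("".join(parser.hidden).strip()),
        "phrases_before_normalization": [p for p in PHRASES if p in visible_raw.lower()],
        "phrases_after_normalization": [p for p in PHRASES if p in visible],
    }


# Constructed sample using the techniques described above
SAMPLE = (
    "<html><body><p>Hi Sarah,</p>"
    "<p>Please complete your credential verification for the wire tr\u200bansfer "
    "approval system through our updated \u0430uthentication p\u043ertal.</p>"
    '<span style="color:white;font-size:1px">Meeting notes from Q3 review. Please find '
    "attached the quarterly revenue summary and projections.</span></body></html>"
)

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Before normalisation none of the watched phrases match; after it, "wire transfer" and "authentication portal" both do, and the counts of zero-width characters, confusable letters and hidden text are themselves useful features, since legitimate business mail rarely contains any of them.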
Detection Opportunities¶
SIEM Detection Queries¶
KQL — Deepfake Voice Call Correlation¶
// Correlate suspicious wire transfers with preceding phone calls
// from known executive numbers (potential voice deepfake)
// Assumes WireTransferLogs carries the approver's phone number (ApproverPhone);
// otherwise join Approver to a directory lookup first. Caller ID is attacker-
// controlled, so this is a correlation, not proof that a call came from the
// executive; where the CDR carries STIR/SHAKEN attestation, project it too.
let ExecNumbers = dynamic(["15550147", "15550148"]); // Known exec numbers
let SuspiciousWires = WireTransferLogs
| where TimeGenerated > ago(7d)
| where Amount > 500000
| where BeneficiaryType == "New" or DaysKnown < 30
| project WireTime = TimeGenerated, Amount, Approver, ApproverPhone, BeneficiaryName;
let PrecedingCalls = PhoneSystemLogs
| where TimeGenerated > ago(7d)
| where CallerID in (ExecNumbers)
| where CallDuration > 120 // seconds; longer than 2 minutes
| project CallTime = TimeGenerated, CallerID, CalledNumber, CallDuration;
SuspiciousWires
| join kind=inner PrecedingCalls on $left.ApproverPhone == $right.CalledNumber
| where (WireTime - CallTime) between (0min .. 4h) // Wire within 4h of call
| project WireTime, Amount, Approver, BeneficiaryName,
CallTime, CallerID, CallDuration
| extend AlertSeverity = "Critical"
| extend Description = "Wire transfer to new beneficiary preceded by call from exec number"
KQL — AitM Phishing Session Token Theft¶
// Detect adversary-in-the-middle session token theft
// Pattern: the AitM proxy completes the sign-in from its own IP, so the
// user's "interactive" sign-in arrives from an IP/location they never use,
// often minutes apart from a genuine session on their usual device.
// Tune with RiskLevelDuringSignIn, and check AADNonInteractiveUserSignInLogs
// as well: replay of a stolen cookie shows up there rather than in SigninLogs.
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == "0" // Successful sign-in
| summarize LoginCount = count(),
IPs = make_set(IPAddress),
Locations = make_set(Location),
UserAgents = make_set(UserAgent)
by UserPrincipalName, bin(TimeGenerated, 5m)
| where array_length(IPs) > 1 // Multiple source IPs in a 5-minute window
| extend AlertSeverity = "Critical"
| extend Description = "Sign-ins from multiple IPs within 5 minutes: potential AitM token theft"
KQL — Anomalous Wire Transfer Pattern¶
// Detect unusual wire transfer patterns (BEC indicator)
WireTransferLogs
| where TimeGenerated > ago(30d)
| summarize AvgAmount = avg(Amount),
StdDevAmount = stdev(Amount),
AvgPerWeek = count() / 4,
UniqueRecipients = dcount(BeneficiaryAccount)
by Approver
| join kind=inner (
WireTransferLogs
| where TimeGenerated > ago(7d)
| where BeneficiaryType == "New"
| project TimeGenerated, Amount, Approver, BeneficiaryName,
BeneficiaryAccount
) on Approver
| where Amount > AvgAmount + (2 * StdDevAmount) // Statistical anomaly
| extend AlertSeverity = iff(Amount > 1000000, "Critical", "High")
SPL — Typosquat Domain Detection¶
Splunk has no native levenshtein() eval function; the query assumes the URL Toolbox app (ut_levenshtein) or an equivalent custom command provides one. Edit distance alone also misses word-insertion squats: the scenario's own meridian-financial-group.example.com is 6 edits from the real domain and would pass a distance <= 3 filter, so a brand-token match is added, with legitimate subdomains excluded.
index=email sourcetype=exchange_message_tracking
| eval sender_domain=lower(mvindex(split(sender, "@"), -1))
| eval legitimate_domain="meridian-financial.example.com"
| where sender_domain!=legitimate_domain AND NOT like(sender_domain, "%.meridian-financial.example.com")
| eval levenshtein_dist=levenshtein(sender_domain, legitimate_domain)
| where (levenshtein_dist > 0 AND levenshtein_dist <= 3) OR like(sender_domain, "%meridian-financial%")
| stats count by sender, sender_domain, recipient, subject, levenshtein_dist, _time
| eval alert_severity="Critical"
| table _time, sender, sender_domain, recipient, subject,
levenshtein_dist, alert_severity
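The same lookalike-sender logic as a stand-alone check, added here as an example (not the page's SPL and not Meridian tooling), run over constructed message-tracking lines. It implements the edit distance itself, adds the brand-token test for word-insertion squats, decodes punycode so IDN lookalikes are compared as text, and leaves exact spoofs of the real domain to DMARC, where they belong.

```python
"""Lookalike sender-domain check over constructed Exchange message-tracking
lines (time,sender,recipient,subject). Two tests are needed: small edit
distance for character-level squats, and brand-token containment for
word-insertion squats such as meridian-financial-group.example.com, which is
6 edits from the real domain. Subdomains of the real domain are allowed; an
exact-match spoof of the real domain is a DMARC problem, not a lookalike.
"""
LEGIT_DOMAIN = "meridian-financial.example.com"
BRAND_TOKEN = "meridian-financial"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def canonical_domain(domain: str) -> str:
    """Lowercase, strip trailing dot, decode punycode so IDN lookalikes compare as text."""
    d = domain.strip().lower().rstrip(".")
    if "xn--" in d:
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    return d


def classify_sender_domain(domain: str, max_distance: int = 3):
    """Return a reason string if the domain looks like the corporate domain, else None."""
    d = canonical_domain(domain)
    if d == LEGIT_DOMAIN or d.endswith("." + LEGIT_DOMAIN):
        return None
    dist = levenshtein(d, LEGIT_DOMAIN)
    if 0 < dist <= max_distance:
        return f"edit-distance {dist}"
    if BRAND_TOKEN in d:
        return f"brand token '{BRAND_TOKEN}' in foreign domain"
    return None


def scan(tracking_csv: str) -> list:
    hits = []
    for line in tracking_csv.strip().splitlines():
        ts, sender, recipient, subject = line.split(",", 3)
        reason = classify_sender_domain(sender.rsplit("@", 1)[1])
        if reason:
            hits.append({"time": ts, "sender": sender, "recipient": recipient,
                         "subject": subject, "reason": reason})
    return hits


# Constructed sample: a header spoof of the real domain (not a lookalike), the
# scenario's typosquat, a legitimate subdomain, a character-level squat, an unrelated domain
SAMPLE_TRACKING = """
2026-01-15T07:30:02Z,security-team@meridian-financial.example.com,sarah.kim@meridian-financial.example.com,Action Required: Annual Security Credential Verification
2026-01-16T09:31:10Z,robert.harrington@meridian-financial-group.example.com,maria.chen@meridian-financial.example.com,RE: Pinnacle Asset Management Escrow Wire Details
2026-01-16T10:02:44Z,newsletter@mail.meridian-financial.example.com,all-staff@meridian-financial.example.com,Weekly digest
2026-01-17T08:15:00Z,invoices@meridian-finance.example.com,david.park@meridian-financial.example.com,Invoice 4471
2026-01-17T11:40:21Z,alerts@vendor.example.net,david.park@meridian-financial.example.com,Statement ready
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_TRACKING):
        print(f"{hit['time']} {hit['sender']} -> {hit['recipient']}: {hit['reason']}")
```

Two of the five lines are flagged: the scenario's typosquat by brand token and meridian-finance.example.com by edit distance 3. The first line, which spoofs the real domain in the header, is intentionally not a hit here; that one fails DMARC alignment and should be stopped by sender authentication rather than string similarity.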
SPL — Mailbox Reconnaissance via Graph API¶
MailItemsAccessed historically required Microsoft Purview Audit (Premium) licensing; Microsoft extended it to Audit (Standard) tenants from 2023 onward, so confirm the event is actually present in your tenant before relying on this query. Note that stats does not accept span=; the hourly bucket is applied with bin first.
index=azure sourcetype=azure_audit_log
| where Operation IN ("MailItemsAccessed", "SearchQueryInitiatedExchange")
| where ClientAppId!="known_internal_app_id"
| bin _time span=1h
| stats count AS access_count,
dc(MailboxOwnerUPN) AS mailboxes_accessed,
values(Operation) AS operations,
values(ClientIPAddress) AS source_ips
by UserId, ClientAppId, _time
| where access_count > 50 OR mailboxes_accessed > 1
| eval alert_severity=case(
mailboxes_accessed > 3, "Critical",
access_count > 200, "Critical",
access_count > 100, "High",
true(), "Medium")
| table _time, UserId, ClientAppId, access_count,
mailboxes_accessed, source_ips, alert_severity
SPL — Wire Transfer to New Beneficiary with Executive Override¶
index=finance sourcetype=wire_transfers
| where beneficiary_days_known < 30 OR beneficiary_type="NEW"
| where amount > 500000
| eval legitimate_domain="meridian-financial.example.com"
| join type=left approver_email [
search index=email sourcetype=exchange_message_tracking
(subject="*wire*" OR subject="*transfer*" OR subject="*escrow*")
| eval sender_domain=lower(mvindex(split(sender, "@"), -1))
| eval approver_email=recipient
| stats latest(_time) AS email_time,
latest(sender) AS request_sender,
latest(sender_domain) AS sender_domain
by approver_email
]
| eval time_from_email=_time - email_time
| where time_from_email > 0 AND time_from_email < 14400
| eval domain_match=if(sender_domain=legitimate_domain, 1, 0)
| where domain_match=0
| eval alert_severity="Critical"
| table _time, approver_email, amount, beneficiary_name,
request_sender, sender_domain, time_from_email, alert_severity
Log Sources¶
| Log Source | Value | Collection Method |
|---|---|---|
| Microsoft 365 Unified Audit Log | Email delivery, mailbox access, Graph API activity | O365 Management API |
| Exchange Message Tracking | Email metadata, sender/recipient, header analysis | EAC/PowerShell |
| Azure AD Sign-in Logs | Authentication events, MFA status, IP/location | Azure Monitor |
| Phone System CDR | Call detail records, caller ID, duration, timing | CUCM/Webex API |
| Wire Transfer System Logs | Transfer amounts, approvers, beneficiary details | Banking system SIEM |
| Email Security Gateway | Filter decisions, quarantine reasons, threat scores | SEG API |
| DNS Logs | Typosquat domain resolution, phishing site lookups | DNS server logs |
| Web Proxy Logs | Access to phishing pages, SSL inspection results | Proxy/SWG |
Indicators of Compromise¶
| IOC Type | Value | Context |
|---|---|---|
| Domain | meridian-financial-group.example.com | Typosquat domain for BEC |
| Domain | sso.meridian-financial-group.example.com | AitM phishing proxy |
| IP | 203.0.113.100 | LURESMITH email infrastructure |
| IP | 203.0.113.101 | AitM phishing proxy server |
| IP | 203.0.113.102 | Voice bridge server |
| Phone | +1-555-0147 (spoofed) | Deepfake voice call caller ID |
| Email | robert.harrington@meridian-financial-group.example.com | CEO impersonation email |
| SHA256 (synthetic, truncated) | c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0 | LURESMITH phishing kit |
| OAuth App ID | a1b2c3d4-e5f6-7890-abcd-ef1234567890 | Malicious OAuth application |
| Account Ref | MFG-ACQ-2026-PINNACLE-ESC1 | Fraudulent wire reference |
| User-Agent | Mozilla/5.0 (LURESMITH/3.2) | Phishing proxy user agent |
MITRE ATT&CK Mapping¶
| Tactic | Technique ID | Technique Name | Scenario Phase |
|---|---|---|---|
| Reconnaissance | T1593 | Search Open Websites/Domains | LinkedIn, SEC filings, earnings calls |
| Reconnaissance | T1589 | Gather Victim Identity Information | Executive profiling and voice sampling |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Typosquat domain registration |
| Resource Development | T1587 | Develop Capabilities | LURESMITH AI phishing toolkit (built in-house) |
| Resource Development | T1588.007 | Obtain Capabilities: Artificial Intelligence | Voice synthesis and LLM models adapted for the campaign |
| Initial Access | T1566.002 | Phishing: Spearphishing Link | AI-generated credential phishing |
| Initial Access | T1566.004 | Phishing: Spearphishing Voice | Deepfake CEO voice calls |
| Credential Access | T1557 | Adversary-in-the-Middle | AitM proxy in front of the Microsoft login |
| Credential Access | T1111 | Multi-Factor Authentication Interception | Push approvals and SMS codes relayed through the proxy |
| Credential Access | T1539 | Steal Web Session Cookie | OAuth token capture |
| Collection | T1114.002 | Email Collection: Remote Email Collection | Mailbox reconnaissance via Graph API |
| Defense Evasion | T1656 | Impersonation | CEO persona in deepfake calls and lookalike-domain email |
| Defense Evasion | T1027 | Obfuscated Files or Information | Unicode/HTML evasion techniques |
| Impact | T1657 | Financial Theft | $4.2M wire fraud |
Impact Assessment¶
| Category | Impact |
|---|---|
| Financial | $4.2M in fraudulent wire transfers ($1.2M recovered, $3.0M lost) |
| Credential Compromise | 4 employee accounts with MFA bypassed; 12 targeted |
| Data Exposure | Internal wire transfer procedures and approval workflows exposed |
| Reputational | CEO voice clone exists and could be reused; client confidence damaged |
| Regulatory | SEC investigation into financial controls; SOX compliance review |
| Insurance | Cyber insurance claim; policy limits and social engineering coverage dispute |
Response Playbook¶
Immediate Containment (0-4 hours)¶
- Freeze wire transfers — contact all recipient banks immediately to freeze or recall funds; engage law enforcement for emergency bank freeze orders
- Revoke compromised sessions — invalidate all stolen OAuth tokens; force re-authentication for all Microsoft 365 sessions
- Disable compromised accounts — temporarily disable the 4 compromised email accounts; reset passwords and MFA tokens
- Block typosquat domain — add meridian-financial-group.example.com to email and web proxy block lists
- CEO verification — establish out-of-band verification channel with CEO; confirm no legitimate acquisition was in progress
- Preserve evidence — capture phone system CDRs, email headers, wire transfer records, and Azure AD sign-in logs
Eradication (4-48 hours)¶
- Email infrastructure sweep — search all mailboxes for emails from typosquat domain; identify any additional compromised accounts
- Phishing infrastructure takedown — submit abuse reports for typosquat domain; request takedown of AitM proxy infrastructure
- Session token audit — review all active OAuth sessions across the organization; revoke any sessions with suspicious origins
- Phone system hardening — implement caller ID verification; flag calls from spoofed executive numbers
- Financial controls review — require dual authorization for all wire transfers above $100K; mandate video call verification for new beneficiaries
Recovery (48 hours - 2 weeks)¶
- Implement phishing-resistant MFA — deploy FIDO2 hardware keys for all finance team members; eliminate SMS and push-based MFA
- Wire transfer verification protocol — require in-person or video call verification for all new beneficiary wire transfers above $100K
- AI-aware training — conduct deepfake awareness training; establish voice verification code words for sensitive financial instructions
- Email security upgrade — deploy URL rewriting, sandboxing, and AI-generated content detection capabilities
- Cryptocurrency tracing — engage blockchain forensics firm to trace converted funds; coordinate with law enforcement
Lessons Learned
What Could Have Prevented This
- Phishing-resistant MFA (FIDO2) — hardware security keys would have prevented the AitM session token theft entirely; push-based MFA is vulnerable to real-time phishing proxies
- Wire transfer verification procedures — requiring video call or in-person confirmation for new beneficiaries above a threshold would have caught the deepfake voice fraud
- Executive voice verification codes — pre-shared code words between executives and finance team for authenticating sensitive financial instructions would defeat voice cloning
- Domain monitoring — proactive monitoring for typosquat registrations of the company domain would have provided early warning
- Email security with AI content detection — emerging tools can detect LLM-generated text and adversarial evasion techniques in email content
- Dual authorization for wire transfers — requiring two independent approvers for transfers above $500K would have required compromising multiple verification channels simultaneously
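The domain monitoring control above is concrete enough to show in code. The following is an added example, not the scenario's or any vendor's tooling, that triages a feed of newly registered domains against the company's registrable label: each name is normalised (common confusable sequences collapsed, hyphens dropped) and then compared three ways, exact match after normalisation, brand label embedded in a longer name, and small edit distance. The feed, the confusable table and the suffix list are constructed assumptions; only meridian-financial-group.example.com, the typosquat from the write-up, comes from the page.

```python
"""Lookalike-domain triage for a newly-registered-domain feed (added example).

Given the company's registrable label, each new registration is normalised
(common confusables collapsed, hyphens dropped) and then compared three
ways: exact match after normalisation, brand label embedded in a longer
name, and small edit distance. The feed below is constructed; only the
scenario's own typosquat, meridian-financial-group.example.com, comes from
the write-up.
"""

# Confusable sequences an attacker substitutes for a letter; "rn" -> "m" is
# the classic one. The list is a starting point, not a complete table.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Suffixes treated as the "public" part of a name. Real deployments should
# use the Public Suffix List; the .example.com suffix mirrors the scenario.
SUFFIXES = ["example.com", "com", "net", "org"]

BRAND_DOMAIN = "meridian-financial.example.com"

# Constructed feed of new registrations seen today.
NEW_REGISTRATIONS = [
    "meridian-financial-group.example.com",   # the scenario's typosquat
    "meridian-finacial.example.com",          # dropped letter
    "meridianfinancial.example.com",          # hyphen removed
    "rneridian-financial.example.com",        # rn -> m confusable
    "harbor-credit.example.com",              # unrelated
    "meridian-financial.example.com",         # our own domain
]


def registrable_label(domain: str, suffixes=SUFFIXES) -> str:
    """Label immediately left of the longest matching suffix."""
    domain = domain.lower().rstrip(".")
    for suffix in sorted(suffixes, key=len, reverse=True):
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1].split(".")[-1]
    parts = domain.split(".")
    return parts[-2] if len(parts) > 1 else domain


def normalize(label: str) -> str:
    """Collapse confusables and hyphens so variants compare equal."""
    label = label.lower()
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(brand_label: str, label: str, max_distance: int = 2):
    """Reason a label looks like the brand, or None if it does not."""
    if label == brand_label:
        return None                     # our own registration
    nb, nl = normalize(brand_label), normalize(label)
    if nb == nl:
        return "confusable or hyphen variant of brand label"
    if nb in nl:
        return "brand label embedded in longer name"
    d = edit_distance(nb, nl)
    if d <= max_distance:
        return f"within edit distance {d} of brand label"
    return None


def find_lookalikes(brand_domain: str, feed, max_distance: int = 2):
    """(domain, reason) pairs worth sending to the blocklist / takedown queue."""
    brand_label = registrable_label(brand_domain)
    hits = []
    for domain in feed:
        reason = classify(brand_label, registrable_label(domain), max_distance)
        if reason:
            hits.append((domain, reason))
    return hits


if __name__ == "__main__":
    for domain, reason in find_lookalikes(BRAND_DOMAIN, NEW_REGISTRATIONS):
        print(f"{domain:45} {reason}")
```

Four of the six feed entries are flagged; the unrelated name and the company's own domain are not. The edit-distance threshold should scale with label length: a distance of 2 is reasonable for an 18-character label but would flood the queue for a short brand, and the "embedded" rule deliberately catches names like the scenario's `-group` variant that no per-character check would.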
Control Gaps
| Gap | Recommended Control | Priority |
|---|---|---|
| MFA vulnerable to AitM | Deploy FIDO2 hardware keys for finance team | Critical |
| No wire transfer voice verification | Require video call + code word for new beneficiary transfers | Critical |
| No typosquat domain monitoring | Deploy brand domain monitoring service | High |
| Single-signature wire authority | Dual authorization for transfers above $500K | Critical |
| No deepfake awareness training | AI social engineering training program for high-value targets | High |
| Email security bypassed by AI | Deploy AI-content detection and enhanced URL analysis | High |
| No caller ID verification | STIR/SHAKEN verification; flag unverified executive calls | Medium |
| Credential reuse from breaches | Breach credential monitoring; enforce unique password policy | Medium |
Discussion Questions
- SILKTHREAD's voice clone was created from a publicly available earnings call recording. Should executives limit their public audio/video exposure, or is this impractical in an era requiring corporate transparency? What alternative protections exist?
- The AitM phishing proxy bypassed MFA by capturing session tokens in real time. Given that push-based MFA is now vulnerable to this technique, what is the case for mandatory FIDO2 hardware key deployment, and what barriers prevent widespread adoption?
- LURESMITH's AI-generated emails bypassed email security filters 91.7% of the time. As AI-generated phishing becomes indistinguishable from legitimate communication, what detection strategies remain viable beyond content analysis?
- The CFO approved a $1.8M wire transfer based on a phone call and email, without additional verification. How should financial controls balance security with operational efficiency, especially for time-sensitive transactions?
- SILKTHREAD sells its LURESMITH toolkit on underground forums for $15,000 per license, democratizing AI-powered phishing. How does the commoditization of AI attack tools change the threat landscape, and what policy responses are appropriate?
- The voice cloning attack exploited the inherent trust in phone calls from recognized numbers. As caller ID spoofing becomes trivial and voice synthesis becomes undetectable, is phone-based authentication fundamentally broken?
Purple Team Exercise Reference
- Purple Team Exercise Library — Social engineering and BEC exercises
- PT-031 through PT-040: Phishing and social engineering exercises
- PT-061 through PT-070: Identity and credential attack exercises
Cross-References
- Chapter 25: Social Engineering — Phishing techniques, BEC, and deepfake social engineering
- Chapter 37: AI Security — AI-powered attacks and defenses
- Chapter 50: Adversarial AI & LLM Security — LLM abuse, deepfake generation, adversarial ML
- Chapter 5: Detection Engineering at Scale — Email security detection engineering
- Chapter 7: Threat Intelligence Context — Cybercrime syndicate intelligence
- Chapter 9: Incident Response Lifecycle — BEC incident response procedures
- Chapter 22: Threat Actor Encyclopedia — Cybercrime group profiles
- Chapter 32: Cryptography Applied — FIDO2, authentication protocol security
- Chapter 4: SIEM & Data Lake Correlation — Email and financial transaction correlation
- SC-057: Deepfake Social Engineering — Related deepfake scenario