Okta Study: Phishing Persists Despite Advanced Defenses

Lead

Month after month, the count of enterprises tripped by phishing never hits zero, even in mature programs. Even as authentication hardens and detection stacks converge, attackers keep finding ways to coax users into handing over what tech alone cannot fully guard: trust. The result is a steady pulse of compromises that refuses to quiet, not a spike that fades.

That is the unsettling takeaway from a 26‑month analysis set to be discussed at Black Hat Europe, where researchers tracked high‑signal indicators across real enterprise environments. Instead of shrinking into the backdrop, phishing maintained a constant presence, exposing how social engineering and session theft scaled alongside modern defenses.

Nut Graph

This matters because organizations tend to treat phishing as an emergency to be stamped out, not a recurring business cost to be managed. The study’s core finding—that the number of affected organizations never fell to zero in any month—recasts the problem. Phishing is less a one‑off intrusion and more a background radiation that needs layered containment.

Moreover, the enterprise stack is converging on identity: single sign‑on, conditional access, and passwordless flows are reshaping daily work. Adversaries have adjusted in kind, leaning on evil proxy services and streamlined social scripts to hijack sessions instead of cracking code. With only 40% of users leveraging phishing‑resistant authentication in a given month, the door remains open wide enough for persistent abuse.

Body

The analysis prioritized fidelity over volume. Researchers treated failed phishing‑resistant attempts from FastPass as a high‑confidence signal, then paired expert analyst review with grounded LLM classification and customer validation. That triage cut through noise to separate errant logins from adversary‑in‑the‑loop campaigns, a critical distinction when the goal is understanding real exposure rather than counting alerts.

The timeline told a clear story: no month was clean. Phishing behaved like a hum—predictable, low‑variance, and always present. It also exposed a practical truth: email gateways, endpoint tools, and awareness training reduced some pressure but did not dam the flow. Attackers reliably routed around controls, often by staging victims through look‑alike domains and live relay.

Evil proxy kits played a starring role. Sold as turnkey services, they handled TLS, device fingerprints, and real‑time MFA prompts, letting lower‑skill actors carry off higher‑fidelity deception. “They don’t need a zero‑day when they can sit in the middle and replay the session,” said a security architect at a global manufacturer. “That shifts the fight to token binding and session hygiene.”

Adoption gaps compounded the risk. With phishing‑resistant authentication used monthly by fewer than half of users, session theft remained viable at scale. Conditional access and step‑up checks helped, but fallbacks and exceptions—convenient for business continuity—gave adversaries daylight. As one regional bank’s CISO put it, “Our exceptions became their roadmap.”

Visibility emerged as the weak link. In five of seven validated evil proxy incidents, administrators learned of the activity from platform notifications rather than internal detections. Telemetry lived in silos; identity signals did not always correlate cleanly with endpoint or network data. That made subtle session hijacks look like normal travel, especially when attackers replayed tokens from cloud infrastructure.

Targeting patterns underscored how uniform enterprise environments enable scale. U.S. organizations took the brunt, and Office 365 consistently led as the lure for single sign‑on deception. The appeal was obvious: one convincingly crafted prompt could open a corridor to email, docs, chat, and more, amplifying lateral movement without noisy malware.

Interviews with responders challenged comfortable assumptions. “We trained them” did not inoculate users against in‑the‑moment prompts that looked and felt legitimate. Social engineering plus session capture—not novel exploits—drove outcomes. Meanwhile, cross‑tenant notifications surfaced campaigns that individual teams missed, suggesting that careful sharing can raise the collective floor without exposing sensitive details.

The study’s participants described a pragmatic path forward. “Make phishing‑resistant the default, not the exception,” urged an enterprise IAM lead. Enforce device‑bound passkeys or equivalent FIDO2 methods, tighten token lifetimes, and bind sessions so replay breaks. Build playbooks for evil proxy incidents: contain access, invalidate tokens, brief users, and coordinate legal steps when data exposure is likely.

Detection needs sharpening where it counts. Correlate identity, endpoint, and network telemetry to spot impossible travel, MFA fatigue, and proxy fingerprints. Treat failed phishing‑resistant attempts as priority signals, not curiosities. Harden identity providers and SaaS with conditional access and step‑up for sensitive apps, reducing the value of captured tokens even when an initial lure lands.
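The two signals the study leans on, a failed phishing‑resistant attempt followed by a success on a weaker fallback factor, and a session token reused from a second address too quickly to be travel, can be scored from identity telemetry alone. The following is an added example, not code from Okta or the study; the event schema (user, ts, outcome, factor, ip, session) and the factor labels are constructed for illustration and are not the Okta System Log format.

```python
"""Triage identity sign-in events for the two high-signal patterns described in the text.

Assumed schema (constructed for this example, not Okta's):
  user, ts (epoch seconds), outcome ("success"/"failure"), factor, ip, session
"""
from collections import defaultdict

PHISHING_RESISTANT = {"fastpass", "fido2"}  # illustrative labels


def downgrade_findings(evs, window=600):
    """Rule 1: a failed phishing-resistant attempt followed within `window` seconds
    by a success on a weaker factor. The fallback is what an evil proxy can relay,
    so the earlier failure is a high-priority signal, not noise."""
    out = []
    for i, e in enumerate(evs):
        if e["outcome"] == "failure" and e["factor"] in PHISHING_RESISTANT:
            for later in evs[i + 1:]:
                if later["ts"] - e["ts"] > window:
                    break
                if later["outcome"] == "success" and later["factor"] not in PHISHING_RESISTANT:
                    out.append(("high", e["user"],
                                f"{e['factor']} failed, then {later['factor']} succeeded from {later['ip']}"))
                    break
    return out


def replay_findings(evs, window=900):
    """Rule 2: the same session id seen from two different IPs within `window`
    seconds. Legitimate travel does not happen that fast; token replay does."""
    out, by_session = [], defaultdict(list)
    for e in evs:
        if e.get("session"):
            by_session[e["session"]].append(e)
    for sid, ses in by_session.items():
        for a, b in zip(ses, ses[1:]):
            if a["ip"] != b["ip"] and b["ts"] - a["ts"] <= window:
                out.append(("high", a["user"],
                            f"session {sid} used from {a['ip']} then {b['ip']} after {b['ts'] - a['ts']}s"))
    return out


def triage(events):
    """Group events per user in time order and apply both rules."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = []
    for evs in by_user.values():
        findings += downgrade_findings(evs) + replay_findings(evs)
    return findings


# Constructed sample events (documentation-range IPs, not real telemetry).
SAMPLE = [
    {"user": "alice", "ts": 1000, "outcome": "failure", "factor": "fastpass", "ip": "203.0.113.10", "session": None},
    {"user": "alice", "ts": 1120, "outcome": "success", "factor": "push", "ip": "198.51.100.7", "session": "s1"},
    {"user": "alice", "ts": 1400, "outcome": "success", "factor": None, "ip": "192.0.2.44", "session": "s1"},
    {"user": "bob", "ts": 2000, "outcome": "success", "factor": "fido2", "ip": "203.0.113.20", "session": "s2"},
    {"user": "bob", "ts": 9000, "outcome": "success", "factor": None, "ip": "203.0.113.20", "session": "s2"},
]
```

Run `triage(SAMPLE)`: alice produces both findings (factor downgrade, then session reuse from a second address), while bob, who authenticated with a phishing‑resistant factor and kept one address, produces none.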

Conclusion

Phishing persisted because it exploited people and sessions, not code, and services that simplified evil proxy attacks kept the market busy. The research pointed to specific moves that reduced the blast radius: push phishing‑resistant authentication beyond 90% coverage, minimize fallbacks, bind tokens to devices, and shorten their lifetimes. Teams that correlated identity signals with endpoint and network data closed visibility gaps, while cross‑organization notifications revealed patterns no single tenant could see. Realistic training still had a place, especially simulations of proxy‑based flows, but it reinforced technical controls rather than standing in for them. Taken together, those steps offered a path from constant hum to managed risk, turning an unavoidable threat into a problem that could be contained rather than endured.
