Unlike traditional phishing, this approach stands out for its 'zero footprint' nature. The attackers do not use malicious files or fraudulent links that can be blocked by conventional antivirus. Instead, they employ a strategy focused on convincing the user to enter a legitimate code on a seemingly official page. This opens the door to access the corporate account, a process that is carried out entirely through in-house services that bypass most organisations’ protection systems.

Persistence and automation, the pillars of the attack

Prosegur Cybersecurity's analysis highlights two critical factors: prolonged persistence and advanced automation. Once the attacker obtains authorisation, they can maintain access for weeks or even months, thanks to permissions that make it possible to reactivate sessions without user intervention, even if the organisation changes passwords. Added to this is a level of automation that accelerates intrusion: attackers use processes capable of checking emails, extracting documents and creating permanent internal access in a matter of seconds by modifying email rules or registering new applications within the corporate environment.

This dual approach, durable access and high-speed execution, creates a uniquely difficult threat for security teams to detect and contain.

Strengthening protection strategy

Prosegur Cybersecurity warns that this type of threat forces organisations to rethink their protection strategy. Security can no longer rely solely on passwords or malicious file detection and instead must focus on continuous monitoring of authentication protocols, permissions and digital identity health.

The company insists on the need to review access configurations, monitor the creation of new internal applications, audit the permissions granted to connected services and establish response procedures that allow access permissions to be completely revoked. It also considers it essential to install mechanisms that allow identification and removal of fraudulent emails in all corporate mailboxes to prevent them spreading.

As Carlos A. Fernández, director of the xMDR division of Prosegur Cybersecurity, explains: "Rather than trying to breach systems, this approach takes advantage of users’ trust and authentication services. It is a profound change in the way companies are attacked and forces us to strengthen surveillance of digital identity. Understanding how this technique works and its increased use allows us to anticipate and help organizations protect against a threat that is already active and will continue to evolve."