Unit 42 on “High-Touch Attacks”
Digging a little deeper
If you’ve been following over the last few weeks, you’ll be well aware that we’ve been digging into Unit 42’s year-long research into social engineering and how it is changing in the modern world. This research, in its second part, explains that “high-touch attacks” are increasing—something that few industries might be consciously aware of and even fewer prepared to deal with.
The Basics of “High-Touch Attacks”
These attacks focus on tricking people and abusing legitimate tools rather than deploying malware, and they rely on two key factors: bypassing multi-factor authentication (MFA) and exploiting IT support processes.
MFA Bypassing
Attackers get around MFA by fooling people or systems meant to stop them. They may send endless push notifications until a user accepts one, steal login tokens through fake sign-in pages, or convince a phone carrier to move a number to a new SIM card. Once they succeed, they can sign in as the victim and move up to more powerful accounts.
High-touch operations are often financially motivated, driven by threat actors who invest time and research to breach identity defenses without triggering alerts. They impersonate employees, exploit trust and escalate quickly from user-level access to privileged control. We have investigated multiple high-impact cases where attackers bypassed MFA and convinced help desk staff to reset credentials. In one recent case, the attacker progressed from gaining initial access to obtaining domain administrator rights in under 40 minutes, without deploying malware at all.
Exploiting IT Support Processes
Attackers often call or message IT helpdesks pretending to be an employee who needs urgent help. They might ask for a password reset or request that a new device be added to their account. If the support worker believes the story and does not verify the request, the attacker can gain control of key systems. Unit 42 described a case where this happened so quickly that the attacker became a domain administrator in under forty minutes—without using malware.
Groups such as Muddled Libra, a global, financially motivated cybercrime operation, exemplify this model. Instead of phishing broadly, these attackers identify key personnel, build a profile using public data and impersonate them convincingly. As a result, these groups gain deep access, broad system control and the ability to monetize attacks quickly.
Not all high-touch operations are profit-driven. We have also tracked state-aligned actors using similar tactics for espionage and strategic infiltration. Campaigns attributed to state-aligned threat actors such as Iran-affiliated Agent Serpens and threat groups from North Korea have relied on spoofed institutional identities, custom-crafted lures and counterfeit documentation to compromise diplomatic and public sector targets.
What is Everyone Else Saying?
Reports from CrowdStrike, Microsoft, and CISA confirm the same pattern. Attackers are focusing on identity and trust rather than on technical exploits. Social engineering and “malware-free” breaches are increasing fast. These reports also show that common MFA methods like push notifications or text codes are being targeted because they depend on human approval.
Together, these findings make Unit 42’s claims credible and show that their example reflects a real-world problem across the cybersecurity industry.
Why the Data Matters
The main takeaway is that attackers can move very fast when people and processes are weak points. Even the best technical protections can fail if someone inside an organization is tricked into giving access. That means the human layer and support systems must be secured as carefully as the technology itself.
How to Reduce These Risks
Organizations can cut risk by improving identity controls and support procedures:
Use phishing-resistant MFA such as security keys or passkeys, which cannot be tricked by fake login pages.
Tighten helpdesk rules by requiring extra proof before resetting passwords or granting access.
Apply “just-in-time” admin access so users only get high privileges when they need them, and only for a short time.
Monitor and log every admin change, login attempt, or support action so investigators can spot patterns quickly.
Train staff through regular simulations that teach how to recognize MFA fatigue and fake support requests.
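The logging and monitoring recommendation above only pays off if someone actually looks for the two patterns this post describes: a run of rejected MFA pushes ending in an approval, and a help-desk password reset followed quickly by privileged group membership. The following is an added example, not code from the original post or from Unit 42, that runs both checks over a constructed event list; the event names and the 40-minute window are assumptions taken from the narrative, not from any real product's log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): an MFA push-fatigue run for
# alice, a help-desk reset and fast escalation for bob, and a clean login for carol.
SAMPLE_EVENTS = [
    ("2025-10-01T09:00:05", "alice", "push_sent"),
    ("2025-10-01T09:00:35", "alice", "push_denied"),
    ("2025-10-01T09:01:10", "alice", "push_sent"),
    ("2025-10-01T09:01:40", "alice", "push_timeout"),
    ("2025-10-01T09:02:15", "alice", "push_sent"),
    ("2025-10-01T09:02:30", "alice", "push_denied"),
    ("2025-10-01T09:03:00", "alice", "push_sent"),
    ("2025-10-01T09:03:20", "alice", "push_approved"),
    ("2025-10-01T09:20:00", "bob", "helpdesk_password_reset"),
    ("2025-10-01T09:41:00", "bob", "added_to_domain_admins"),
    ("2025-10-01T12:00:00", "carol", "push_sent"),
    ("2025-10-01T12:00:20", "carol", "push_approved"),
]

def parse(events):
    """Convert ISO timestamps to datetimes and sort chronologically."""
    return sorted((datetime.fromisoformat(ts), user, ev) for ts, user, ev in events)

def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_rejections=2):
    """Return (user, rejection_count) for every push approval preceded by at
    least min_rejections denied or timed-out pushes inside the window."""
    hits = []
    parsed = parse(events)
    for i, (ts, user, ev) in enumerate(parsed):
        if ev != "push_approved":
            continue
        rejections = sum(1 for t, u, e in parsed[:i]
                         if u == user and e in ("push_denied", "push_timeout")
                         and ts - t <= window)
        if rejections >= min_rejections:
            hits.append((user, rejections))
    return hits

def detect_reset_then_escalation(events, window=timedelta(minutes=40)):
    """Return (user, minutes_elapsed) when a help-desk reset is followed within
    the window by the same account joining a privileged group."""
    hits, resets = [], {}
    for ts, user, ev in parse(events):
        if ev == "helpdesk_password_reset":
            resets[user] = ts
        elif ev == "added_to_domain_admins" and user in resets and ts - resets[user] <= window:
            hits.append((user, int((ts - resets[user]).total_seconds() // 60)))
    return hits

if __name__ == "__main__":
    print(detect_mfa_fatigue(SAMPLE_EVENTS), detect_reset_then_escalation(SAMPLE_EVENTS))
```

In a real deployment the same two functions would be fed from the identity provider's sign-in log and the directory's group-change audit trail; the thresholds are tuning knobs, and a reset that is not followed by escalation is normal help-desk traffic, not an alert.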
Unit 42’s warning matches what many security groups are seeing worldwide. Attackers are now faster, more social, and less reliant on malware. The best defence is to strengthen MFA, make helpdesk processes harder to exploit, reduce standing privileges, and train people to be alert to social manipulation.
Roughly half of social engineering cases were business email compromises (BEC), and almost 60% of all BEC cases saw data exposure, showing that threat actors moved quickly from gaining access to exfiltrating data or harvesting credentials during these kinds of incidents. Additionally, general network intrusions and ransomware were the two other top incident types where data was exposed. Of those incident types, social engineering was in the top two initial access vectors, showing the popularity of this technique across different types of intrusions and actors.
Credential exposure was also a common precursor to broader data loss. In several cases, attackers reused compromised credentials to access file shares, customer systems or cloud environments. This chained exposure effect amplifies the impact of a single successful lure, turning one compromised identity into broader organizational risk.
Bibliography
(Unless otherwise noted, quoted texts come from the Unit 42 document titled 2025 Unit 42 Global Incident Response Report: Social Engineering Edition)
Palo Alto Networks Unit 42, Muddled Libra Threat Assessment and Global Incident Response Report (2025)
CrowdStrike, 2025 Global Threat Report (2025)
Microsoft, Planning for Mandatory Multifactor Authentication for Azure (2024–2025)
CISA, advisories on Scattered Spider and helpdesk social-engineering incidents (2023–2025)
ENISA, ENISA Threat Landscape 2025 (October 2025)
The volumetric nature of the MFA attacks shows that old tricks fool new dogs. Here, you're stressing the human not the device or perimeter.
How many times have we seen cyberattackers use volumetric or stress attacks in the past 3 decades? Compare that to how common it is to test whether these attacks will succeed against your organization or users.
Excellent analysis, this deep dive into high-touch attacks really highlights a crucial and often overlooked cybersecurity threat, and thank you for shedding light on these insidious methods that exploit human trust and system vulnerabilities.