Packt SecPro

Unit 42 on “Missed or Misclassified Critical Signals”

Digging into the details...

Austin Miller
Nov 07, 2025

In their latest research, Unit 42 explains that many social engineering attacks don’t need advanced hacking tools. Instead, they work because of three main weaknesses: low detection coverage, alert fatigue, and organisational failures.

What Unit 42 meant by each factor

Low detection coverage

Low detection coverage means security tools and monitoring produce no signals for many attacker actions, or produce signals that are weak and hard to connect to a real threat. In practice, attackers move around inside a network or abuse account recovery steps without any alerts firing, or the alerts that do fire get labelled as low priority or never reach the right team. Unit 42 says social engineering often succeeds not because attackers used very advanced techniques, but because those early signals were missed or misclassified. That gap allows attackers to slip through everyday systems like account recovery or internal access paths without anyone noticing.
