Unit 42 on “Missed or Misclassified Critical Signals”
Digging into the details...
In their latest research, Unit 42 explains that many social engineering attacks don’t need advanced hacking tools. Instead, they work because of three main weaknesses: low detection coverage, alert fatigue, and organisational failures.
What Unit 42 meant by each factor
Low detection coverage
Low detection coverage means security tools and monitoring either produce no signal for many attacker actions, or produce signals that are weak and hard to tie to a real threat. In practice, this looks like attackers moving around inside a network or abusing account-recovery steps without any alerts firing, or with alerts that do fire but get labelled low priority or never reach the right team. Unit 42 says social engineering often succeeds not because the attacker used very advanced techniques, but because those early warning signs were missed or misclassified. That gap lets attackers slip through everyday systems such as account recovery or internal access paths without anyone noticing.
Alert fatigue
Alert fatigue describes the situation where security teams receive too many alerts, many of them low quality or false positives, so analysts stop investigating some alerts or push them down the queue. When hundreds of warnings arrive each day, people start tuning them out, not because they don't care but because they can't tell which ones really matter. Every alert that is ignored or reviewed late gives the attacker more time to move deeper into the network, and Unit 42 reports that ignored or misclassified alerts were a measurable enabler in social engineering incidents.
Organisational failures
Organisational failures are the human and process side of the problem. These include weak password-reset procedures, too many high-privilege accounts, and poor coordination between IT and security staff. Unit 42 found that these gaps are often the main reason a small phishing email turns into a full breach. Unit 42 illustrates this with the following case:
Executive MFA Reset Blocked by Conditional Access
Target: Mid-level executive credentials with broad system permissions. The attacker aimed to use these credentials to access sensitive business data and perform reconnaissance via cloud APIs. The attempt was contained before data exfiltration, thanks to conditional access controls.
Technique: After several failed phishing attempts, the attacker called IT support, impersonating the executive and citing travel-related access issues. The pretext was convincing enough to prompt an MFA reset. With fresh credentials, the attacker initiated Graph API queries to enumerate permissions, group memberships and file paths. However, the organization’s conditional access policy flagged the session due to an unusual login from an unrecognized device and location, blocking further escalation.
One distinct example of this overall problem is the “ClickFix” campaign:
ClickFix campaigns don’t rely on a single delivery method. Instead, they exploit multiple entry points. We have observed these campaigns using SEO poisoning, malvertising and fraudulent browser alerts to lure users into initiating the attack chain themselves.
In one confirmed IR case, the threat actor leveraged SEO poisoning to plant a malicious link high in search engine results. When an employee searched for a software installer, they were redirected to a spoofed landing page that triggered a payload download. Malvertising plays a similar role, delivering fake “click to fix” banners via ad networks or pop-ups mimicking trusted software brands. Another growing vector is fraudulent system alerts, crafted to mimic legitimate browser or operating system warnings. In one healthcare example, an employee encountered what appeared to be an authentic Microsoft update notification while accessing an internal system from home. The link led to the download of a loader, which executed an infostealer and enabled credential harvesting. These delivery mechanisms share three core attributes:
Mimicking to gain trust
User initiated
Platform agnostic
Because the user initiates the action (by clicking a link, downloading a file or responding to a prompt) the attack often bypasses traditional perimeter defenses and evades early detection by endpoint tools.
How Unit 42’s data compares with other industry findings
These points line up with other reports across the industry. Unit 42 finds social engineering is the dominant initial access vector in many of its incident responses, with phishing and identity exploitation leading to data exposure in a large share of cases. That theme, human-targeted attacks and identity weaknesses driving breaches, matches other major industry reports: Verizon’s DBIR shows that a high share of breaches involve human action and credential abuse, and multiple reports note that credential compromise and phishing remain central problems.
The detection problem Unit 42 calls out is echoed elsewhere. CrowdStrike and Microsoft report an increase in “malware-free” hands-on intrusions and identity-focused attacks that bypass traditional endpoint detections, which supports Unit 42’s point that detection coverage for identity and behaviour signals is often incomplete. These vendors also highlight that attackers increasingly rely on social engineering, vishing, and MFA-bypass techniques—tactics that generate fewer traditional signals.
Fixing the issue starts with better visibility and less noise. Security teams need tools that focus on identity signals — things like password-reset activity and unusual logins — not just malware alerts. They also need to reduce alert overload by tuning out false positives and automating simple responses. Organisations should tighten their help-desk and recovery steps, require stronger multi-factor authentication, and test their processes with regular social-engineering drills.
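The detection gap described above (a help-desk MFA reset, a sign-in from an unrecognised device, and permission enumeration that each look routine on their own) is one that correlation logic closes. The following is an added example, not code from the Unit 42 report or any vendor product: it takes a constructed, simplified event log (the field names, user names, Graph-style API paths, timestamps and two-hour window are all assumptions) and raises a single prioritised alert only when the weak signals chain together, leaving a routine reset at "info" so it adds nothing to the alert queue.

```python
"""Correlating weak identity signals into one prioritised alert.

Added example, not code from the Unit 42 report. The event schema (kind,
user, device_known, endpoint, ...) and the sample log below are constructed
for illustration; real sources would be help-desk tickets, identity-provider
audit logs and cloud API audit logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=2)  # assumed: how long after a reset we keep watching
# Assumed Graph-style paths that, in quantity, look like permission/group/file enumeration
ENUM_ENDPOINTS = {"/me/memberOf", "/directoryRoles", "/groups", "/me/drive/root/children"}

# Constructed sample log: two users had a help-desk MFA reset on the same morning.
SAMPLE_EVENTS = [
    # exec01: reset, then a sign-in from an unknown device, then enumeration
    {"ts": "2024-03-04T09:10:00Z", "kind": "mfa_reset", "user": "exec01", "actor": "helpdesk07"},
    {"ts": "2024-03-04T09:25:00Z", "kind": "signin", "user": "exec01", "device_known": False, "geo": "unfamiliar"},
    {"ts": "2024-03-04T09:27:00Z", "kind": "api_call", "user": "exec01", "endpoint": "/me/memberOf"},
    {"ts": "2024-03-04T09:28:00Z", "kind": "api_call", "user": "exec01", "endpoint": "/groups"},
    {"ts": "2024-03-04T09:29:00Z", "kind": "api_call", "user": "exec01", "endpoint": "/me/drive/root/children"},
    # staff02: routine reset, sign-in from their usual laptop, ordinary mail use
    {"ts": "2024-03-04T09:40:00Z", "kind": "mfa_reset", "user": "staff02", "actor": "helpdesk03"},
    {"ts": "2024-03-04T09:45:00Z", "kind": "signin", "user": "staff02", "device_known": True, "geo": "familiar"},
    {"ts": "2024-03-04T09:50:00Z", "kind": "api_call", "user": "staff02", "endpoint": "/me/messages"},
    # exec01 again the next day: outside the window, so not chained to the reset
    {"ts": "2024-03-05T14:00:00Z", "kind": "api_call", "user": "exec01", "endpoint": "/groups"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def severity_for(new_device, enum_count):
    """Map the signals seen after a reset to a severity.

    A reset on its own is routine help-desk work and is deliberately left at
    'info' so it does not add to alert volume; it only matters in combination.
    """
    if new_device and enum_count >= 2:
        return "high"    # reset -> unfamiliar session -> enumeration: the chain in the case study
    if new_device or enum_count >= 2:
        return "medium"
    return "info"


def correlate(events, window=WINDOW):
    """Return one alert per help-desk MFA reset whose follow-on activity is suspicious."""
    by_user = defaultdict(list)
    # ISO-8601 UTC strings of equal format sort correctly as plain strings
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            if reset["kind"] != "mfa_reset":
                continue
            t0 = parse_ts(reset["ts"])
            new_device, enum_calls, chain = False, [], [reset]
            for follow in evs[i + 1:]:
                if parse_ts(follow["ts"]) - t0 > window:
                    break  # events are time-ordered, so nothing later can be in the window
                if follow["kind"] == "signin" and not follow.get("device_known", True):
                    new_device = True
                    chain.append(follow)
                elif follow["kind"] == "api_call" and follow.get("endpoint") in ENUM_ENDPOINTS:
                    enum_calls.append(follow)
                    chain.append(follow)
            sev = severity_for(new_device, len(enum_calls))
            if sev != "info":
                alerts.append({"user": user, "severity": sev, "reset_by": reset["actor"],
                               "started": reset["ts"], "evidence": chain})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["user"], "reset by", a["reset_by"], "at", a["started"])
        for ev in a["evidence"]:
            print("   ", ev["ts"], ev["kind"], ev.get("endpoint") or ev.get("geo") or "")
```

Run as written, the script emits one HIGH alert for exec01 with the reset, the unfamiliar sign-in and the three enumeration calls as evidence, and nothing for staff02. The evidence chain matters as much as the severity: an analyst who receives the reset ticket, the sign-in and the API calls together can triage in one pass instead of dismissing three separate low-priority items.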
The message from all the research is clear. Modern attacks target people, not just machines. When detection, training, and process all work together, even simple defences can stop complex threats.