September is here, bringing a packed edition of the Unit 42 Threat Bulletin in a fresh new format. As the cyber threat landscape continues to evolve, we will share new content and expert perspectives with every issue. I’m Mitch Mayne, Editor in Chief of the Threat Bulletin and Cybersecurity Research Principal for Unit 42.
This month, we spotlight the surge in payroll account takeover attacks and reveal how attackers are seizing employee paychecks as a potential gateway to broader network compromise. You'll also find a candid video where I meet with Wendi Whitmore, Chief Security Intelligence Officer, to discuss why AI instances may be becoming the newest insider threat. Finally, we examine an aggressive SEO poisoning campaign targeting trusted government and enterprise organizations, showing how attackers are hijacking user search traffic to spread scams and malware.
Let’s get into it.
Mitch Mayne: We’re seeing a unique attack pattern emerge that targets an employee’s payroll information to redirect their direct deposit to the attacker’s account. Margaret, could you break down how this attack works?
Margaret Kelley: The attacker’s goal is to change the employee’s direct deposit information from inside the employee’s payroll account. They usually call the helpdesk, impersonate the employee, and rely on basic personal details like addresses, birthdays, manager’s name—information that can often be found through open sources or social media. From there, they convince the helpdesk to reset the password and MFA, then log in to change payroll information.
MM: This seems pretty unsophisticated compared to some tactics we see. I mean, it only works once per employee, because they notice when they get locked out of their account or don’t get paid, right?
MK: Exactly. And that simplicity is part of what makes it effective. The attacker only needs a few minutes to succeed. We’ve seen the same voice on multiple helpdesk calls. They hide behind VPNs, and once inside, they monitor the victim’s inbox to delete any password or MFA change notifications before the employee notices.
MM: How worried should organizations be about this attack type? How can they guard against it?
MK: For CISOs, the real takeaway is that these incidents highlight weaknesses in identity and access governance. Leaders should ensure helpdesk staff have clear and enforceable validation standards that go beyond publicly searchable data. Organizations should review what employees share online, such as badge photos, which can give attackers an advantage. From a detection standpoint, think about systemic signals—clusters of MFA resets in a short window, a shift in devices used for authentication, or logins from non‑approved VPN providers. These are indicators security teams can use to spot and stop this early.
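The systemic signals Margaret Kelley lists (a cluster of helpdesk-initiated MFA or password resets in a short window, a different device at the login that follows the reset, and logins through a VPN provider the organization does not sanction) can be checked directly against identity-provider and helpdesk logs. The script below is an added example written for this bulletin, not Unit 42 tooling or code from the interview; the key=value log format, the per-user device baseline, the `org` field standing in for an IP-to-provider lookup, and the approved-VPN list are all constructed assumptions.

```python
"""Helpdesk-driven payroll account takeover: indicator checks over identity logs.

Added example for illustration; not Unit 42 code. The key=value log format,
the device baseline, the org field and the approved-VPN list are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RESET_EVENTS = {"mfa_reset", "password_reset"}

# Constructed sample: three helpdesk-initiated resets in 40 minutes, each
# followed by a login from the same commercial VPN; dave is a normal login.
SAMPLE_LOG = """\
2025-09-02T09:01:10Z event=mfa_reset user=alice actor=helpdesk ticket=T-101
2025-09-02T09:03:45Z event=login user=alice device=Win10/Chrome org=ExampleVPN
2025-09-02T09:12:02Z event=password_reset user=bob actor=helpdesk ticket=T-102
2025-09-02T09:14:30Z event=login user=bob device=Win10/Chrome org=ExampleVPN
2025-09-02T09:40:55Z event=mfa_reset user=carol actor=helpdesk ticket=T-103
2025-09-02T09:42:10Z event=login user=carol device=Win10/Chrome org=ExampleVPN
2025-09-02T11:00:00Z event=login user=dave device=macOS/Safari org=CorpVPN
"""

# Constructed baseline of the device each user normally authenticates from,
# and the only VPN provider the organization sanctions (assumption).
DEVICE_BASELINE = {"alice": "iOS/Safari", "bob": "Win10/Edge",
                   "carol": "Win10/Chrome", "dave": "macOS/Safari"}
APPROVED_VPN_ORGS = {"CorpVPN"}


def parse(log_text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        ev.update(p.split("=", 1) for p in pairs)
        events.append(ev)
    return events


def reset_clusters(events, window=timedelta(hours=1), threshold=3):
    """Groups of >= threshold distinct users reset by the helpdesk inside one window."""
    resets = sorted((e for e in events
                     if e["event"] in RESET_EVENTS and e.get("actor") == "helpdesk"),
                    key=lambda e: e["ts"])
    clusters, seen = [], set()
    for i, start in enumerate(resets):
        users = frozenset(e["user"] for e in resets[i:]
                          if e["ts"] - start["ts"] <= window)
        if len(users) >= threshold and users not in seen:
            seen.add(users)
            clusters.append(sorted(users))
    return clusters


def post_reset_device_shift(events, baseline, window=timedelta(hours=1)):
    """Users who logged in from a non-baseline device shortly after a helpdesk reset."""
    resets = [e for e in events
              if e["event"] in RESET_EVENTS and e.get("actor") == "helpdesk"]
    flagged = []
    for login in (e for e in events if e["event"] == "login"):
        user = login["user"]
        recent_reset = any(r["user"] == user and
                           timedelta(0) <= login["ts"] - r["ts"] <= window
                           for r in resets)
        if recent_reset and login.get("device") != baseline.get(user):
            flagged.append(user)
    return flagged


def unapproved_vpn_logins(events, approved):
    """(user, provider) pairs for logins that did not come through a sanctioned VPN."""
    return [(e["user"], e.get("org", "unknown")) for e in events
            if e["event"] == "login" and e.get("org") not in approved]


def takeover_indicators(events, baseline=DEVICE_BASELINE, approved=APPROVED_VPN_ORGS):
    """Combine the three signals per user; several together warrant an immediate call-back."""
    findings = defaultdict(list)
    for users in reset_clusters(events):
        for u in users:
            findings[u].append("reset_cluster")
    for u in post_reset_device_shift(events, baseline):
        findings[u].append("device_shift")
    for u, org in unapproved_vpn_logins(events, approved):
        findings[u].append(f"unapproved_vpn:{org}")
    return dict(findings)


if __name__ == "__main__":
    for user, signals in takeover_indicators(parse(SAMPLE_LOG)).items():
        print(f"{user}: {', '.join(signals)}")
```

Each check is cheap on its own and noisy on its own (a helpdesk does reset MFA during a real phone migration); the point is the combination. A user who appears in a reset cluster, then authenticates from a device they have never used, over a VPN provider the company does not run, is the pattern described above, and a verified call-back to the employee on a number already on file is the fastest way to confirm it before the next payroll run.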
“The best way to use a board, most often, is as thought partners — allowing them to ask the hard questions, challenge your thinking, satisfy themselves that you’ve really thought through all the possibilities and can figure out what are the more likely and higher impact ones… and which ones don’t deserve discussion at the board level.”
Communicating Cyber Risk Effectively to Your Board
Mitch Mayne: What should we know at a glance?
Yoav Zemah: This campaign targets trusted public-facing sites, including those belonging to government agencies and large enterprises. Attackers break in and alter web traffic so that normal users searching for common keywords are redirected to fraudulent sites, where they may be exposed to scams or malware. Users must realize that any internet-exposed web system is at risk, regardless of how well-known or “safe” the brand appears.
MM: What makes this attack stand out?
YZ: The real differentiator here is strategic scale and impact. This threat actor targets dozens of legitimate, high-value websites simultaneously, leveraging their reputation to hijack user trust and amplify the reach of their scam sites. By manipulating trusted brands and public institutions, the operators undermine stakeholder confidence and can inflict significant reputational and operational damage. The fact that the underlying code adapts to local search engines indicates careful planning and a focus on maximizing effectiveness in specific regions.
MM: What should CISOs take away from this research?
YZ: This campaign demonstrates a move toward more professionalized and persistent web server attacks. I predict attackers will further customize and expand these campaigns going forward, selling access and targeting additional segments. Security leaders should ensure that teams are actively monitoring for unusual web traffic patterns, including unauthorized redirects, and aggressively investigating any signs of malware “calling home” to external servers. Further, it is essential to educate employees and end users about safe browsing habits, specifically urging them to use direct links or bookmarks for login portals and other sensitive destinations, rather than relying on internet search results.
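The "unusual web traffic patterns, including unauthorized redirects" that Yoav Zemah recommends monitoring have a recognizable shape in a compromised site's own access logs: visitors arriving from a search engine get a 30x redirect on a page that answers 200 to everyone else, while crawler user agents receive a noticeably larger response stuffed with keywords. The script below is an added example written for this bulletin, not Unit 42 code and not tied to the campaign's actual implants; the access-log lines, the search-engine referrer list, the crawler regex and the thresholds are constructed assumptions, and the log format is standard Apache/nginx "combined".

```python
"""Spot SEO-poisoning symptoms in web server access logs.

Added example for illustration; not Unit 42 code. Log lines, referrer list,
crawler pattern and thresholds are constructed assumptions.
"""
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed set of search-engine referrer hosts; extend for regional engines.
SEARCH_REFERRERS = {"www.google.com", "www.bing.com", "duckduckgo.com",
                    "yandex.ru", "www.baidu.com"}
CRAWLER_RE = re.compile(r"Googlebot|bingbot|YandexBot|Baiduspider", re.I)

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample: /services/permits redirects only search-referred humans
# and serves a fat page to Googlebot; /about is clean; /old-page is a normal
# permanent redirect that applies to everyone and must not be flagged.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [02/Sep/2025:10:00:01 +0000] "GET /services/permits HTTP/1.1" 200 18322 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/128"
203.0.113.11 - - [02/Sep/2025:10:00:05 +0000] "GET /services/permits HTTP/1.1" 302 0 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0) Chrome/128"
203.0.113.12 - - [02/Sep/2025:10:00:09 +0000] "GET /services/permits HTTP/1.1" 302 0 "https://www.google.com/search?q=city+permits" "Mozilla/5.0 (Macintosh) Safari/17.0"
203.0.113.13 - - [02/Sep/2025:10:00:14 +0000] "GET /services/permits HTTP/1.1" 200 18310 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/130"
203.0.113.14 - - [02/Sep/2025:10:00:20 +0000] "GET /services/permits HTTP/1.1" 302 0 "https://www.bing.com/search?q=permits" "Mozilla/5.0 (Windows NT 10.0) Edge/128"
198.51.100.7 - - [02/Sep/2025:10:01:00 +0000] "GET /services/permits HTTP/1.1" 200 41205 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.15 - - [02/Sep/2025:10:02:00 +0000] "GET /about HTTP/1.1" 200 9100 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/128"
203.0.113.16 - - [02/Sep/2025:10:02:03 +0000] "GET /about HTTP/1.1" 200 9100 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0) Chrome/128"
203.0.113.17 - - [02/Sep/2025:10:02:07 +0000] "GET /about HTTP/1.1" 200 9100 "https://www.google.com/" "Mozilla/5.0 (Macintosh) Safari/17.0"
198.51.100.7 - - [02/Sep/2025:10:02:30 +0000] "GET /about HTTP/1.1" 200 9100 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.18 - - [02/Sep/2025:10:03:00 +0000] "GET /old-page HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/128"
203.0.113.19 - - [02/Sep/2025:10:03:04 +0000] "GET /old-page HTTP/1.1" 301 0 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0) Chrome/128"
203.0.113.20 - - [02/Sep/2025:10:03:08 +0000] "GET /old-page HTTP/1.1" 301 0 "https://www.bing.com/" "Mozilla/5.0 (Macintosh) Safari/17.0"
"""


def parse_access_log(text):
    """Parse combined-format lines and tag each with search-referred / crawler flags."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        d["size"] = 0 if d["size"] == "-" else int(d["size"])
        d["search_referred"] = urlsplit(d["referer"]).hostname in SEARCH_REFERRERS
        d["crawler"] = bool(CRAWLER_RE.search(d["ua"]))
        rows.append(d)
    return rows


def redirect_divergence(rows, min_hits=2, high=0.8, low=0.2):
    """Paths that redirect search-referred humans but not direct visitors."""
    by_path = defaultdict(lambda: {"search": [], "direct": []})
    for r in rows:
        if r["crawler"]:
            continue
        bucket = "search" if r["search_referred"] else "direct"
        by_path[r["path"]][bucket].append(300 <= r["status"] < 400)
    flagged = {}
    for path, b in by_path.items():
        if len(b["search"]) < min_hits or not b["direct"]:
            continue
        s_rate = sum(b["search"]) / len(b["search"])
        d_rate = sum(b["direct"]) / len(b["direct"])
        if s_rate >= high and d_rate <= low:   # a legit 301 redirects everyone
            flagged[path] = {"search_redirect_rate": round(s_rate, 2),
                             "direct_redirect_rate": round(d_rate, 2)}
    return flagged


def crawler_size_anomaly(rows, ratio=1.5):
    """Paths whose 200 response to crawlers is much larger than to humans (cloaking)."""
    by_path = defaultdict(lambda: {"crawler": [], "human": []})
    for r in rows:
        if r["status"] == 200:
            by_path[r["path"]]["crawler" if r["crawler"] else "human"].append(r["size"])
    flagged = {}
    for path, b in by_path.items():
        if b["crawler"] and b["human"]:
            c, h = statistics.median(b["crawler"]), statistics.median(b["human"])
            if h and c / h >= ratio:
                flagged[path] = round(c / h, 2)
    return flagged


if __name__ == "__main__":
    rows = parse_access_log(SAMPLE_ACCESS_LOG)
    print("search-only redirects:", redirect_divergence(rows))
    print("crawler cloaking:", crawler_size_anomaly(rows))
```

Both checks work from logs the site already writes, so they need no access to the (possibly backdoored) application code, and the comparison against direct traffic keeps ordinary permanent redirects out of the results. A path that trips either check is worth pulling the live response for, once with a plain browser user agent and once with a search-engine referrer, to see where the redirect actually lands.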