
Patching The Human Firewall Volume 4

03.17.26 | By Ascent Solutions

In our previous blogs (Vol. 1, Vol. 2, Vol. 3) we introduced the Combat Hunter Mindset, a disciplined approach that trains employees to spot danger early and react fast on the digital battlefield. The lesson is clear: a vigilant, threat-aware workforce will often make the difference between a near miss and a full-blown breach.

Volume 4 turns attention to three attack vectors that continue to evade even best-in-class technical controls: 

  • Callback Phishing: Voice-based lures that bypass email filters entirely 
  • Malvertising via Generic Top-Level Domains (gTLDs): Malicious ads hiding in plain sight across trusted platforms 
  • LinkedIn as Attack Surface: The professional network your employees trust, and adversaries exploit 

For each threat, we break down the mechanics, surface the red flags users need to recognize, and outline countermeasures security teams can deploy immediately. The goal is straightforward: help your organization move people from soft targets to active defenders, strengthening the Human Firewall from the inside out.

Callback Phishing

(T1566.004)

Over the past three months, our Threat Intelligence team has tracked a surge in Callback Phishing campaigns (also known as Telephone-Oriented Attack Delivery) across multiple vendor reports. The pattern is consistent and worth your attention. 

The attack is deceptively simple. It starts with an email that slips cleanly through Secure Email Gateways. The email presents a fabricated urgency: an unpaid invoice, an outstanding balance, a billing dispute, etc. The payload is just a phone number. 

If the target calls, a social engineer takes over. From there, the objective typically escalates: redirect a payment, update banking details, or convince the victim to install remote access software and hand over control of their device. 

What makes this campaign particularly effective right now is the abuse of trusted platforms. Threat actors are sending these lures directly through Microsoft Teams, Entra, Zoom, PayPal, and Google services: legitimate sending infrastructure that bypasses technical controls and disarms user skepticism before the conversation even begins.

When an email originates from a platform employees use daily, the instinct to question it diminishes. Don’t underestimate this threat because it looks low-tech. It works. Consistently. 
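The mechanics above (a billing or urgency pretext, a phone number as the only contact path, and often no link at all for a gateway to inspect) can be scored with a content heuristic. The following is an added example, not code from the original post or from Ascent Solutions; the sample messages are constructed and the scoring weights and threshold are assumptions to tune against your own mail.

```python
import re
from dataclasses import dataclass, field

# Constructed sample message bodies (not real lures).
SAMPLES = {
    "invoice_lure": (
        "Subject: Invoice #48213 past due\n"
        "Your account has an outstanding balance of $489.99. "
        "This charge will be finalized within 24 hours. "
        "To dispute or cancel, call our billing desk at (800) 555-0147."
    ),
    "normal_newsletter": (
        "Subject: March product update\n"
        "Read the release notes at https://example.com/releases/march. "
        "Reply to this email with questions."
    ),
    "legit_invoice_with_portal": (
        "Subject: Your monthly statement\n"
        "Your statement is available in the customer portal: "
        "https://billing.example.com/statements. Questions? Reply here."
    ),
}

# Pretext vocabulary seen in callback lures (assumed list; extend from your own telemetry).
URGENCY_TERMS = (
    "invoice", "outstanding balance", "past due", "billing", "charge",
    "dispute", "cancel", "renew", "subscription", "within 24 hours",
)
# North American phone number shapes: (800) 555-0147, 800-555-0147, +1 800.555.0147 ...
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.I)
CALL_VERB_RE = re.compile(r"\b(call|phone|dial)\b", re.I)


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def score_message(text: str) -> Verdict:
    """Return a 0-4 score; each satisfied indicator adds one point."""
    lower = text.lower()
    verdict = Verdict(0)

    hits = [t for t in URGENCY_TERMS if t in lower]
    if hits:
        verdict.score += 1
        verdict.reasons.append(f"billing/urgency terms: {hits}")

    phones = PHONE_RE.findall(text)
    if phones:
        verdict.score += 1
        verdict.reasons.append(f"phone number(s): {phones}")

    # A phone number plus an instruction to call is the defining shape of TOAD.
    if phones and CALL_VERB_RE.search(text):
        verdict.score += 1
        verdict.reasons.append("explicit instruction to call")

    # No link at all means the gateway's URL analysis has nothing to inspect.
    if phones and not URL_RE.search(text):
        verdict.score += 1
        verdict.reasons.append("phone number is the only contact path (no link)")

    return verdict


def is_callback_lure(text: str, threshold: int = 3) -> bool:
    """Assumed threshold: three of four indicators flags the message for review."""
    return score_message(text).score >= threshold


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        v = score_message(body)
        print(f"{name}: score={v.score} lure={is_callback_lure(body)} {v.reasons}")
```

The score is meant to route messages to a quarantine or review queue, not to auto-delete: the legitimate statement notice still scores one point because "billing" appears in a hostname, which is exactly why the threshold requires several indicators to line up.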

Recommendations:

  • Scrutinize the content. Sender verification is no longer enough. Any unsolicited billing claim should be validated through your organization’s official channels. Do not validate by calling a number provided in the email.
  • Trust your instincts. If something feels off, report it to the security team immediately. Friction is a feature, not a flaw. 
  • Don’t call the number. Engaging with the attacker, even to challenge them, hands them the opportunity to manipulate. 

Malvertising Using Generic Top-Level Domains (gTLD)

(T1583.008 & T1204)  

During pre-deployment training for Afghanistan, one instruction was drilled into every service member repeatedly: Watch where you step. The threat of IEDs made every step a decision. That same mindset applies directly to malvertising, because every Google search is a minefield.

Malvertising isn’t new, but it has scaled dramatically. The catalyst: the proliferation of generic Top-Level Domains (gTLDs). Unlike legacy domains, many gTLDs carry no ICANN price restrictions, making them cheap to register, difficult to regulate, and trivial for threat actors to abuse at scale. Standing up malicious, non-attributable infrastructure used to carry meaningful cost and friction. gTLDs removed both. 

The attack surface is broader than most users realize. When an employee searches for software, a driver update, a specification manual, or a configuration document, sponsored results and lookalike domains are waiting. A single click on what appears to be a legitimate download can deliver an infostealer, a remote access trojan, a credential-harvesting login page, or ransomware.

Commonly abused gTLDs:

  • .xyz
  • .top
  • .shop
  • .site
  • .store
  • .pro
  • .click
  • .vip
  • .club
  • .win
  • .online
  • .bid
  • .tech
  • .icu
  • .buzz
  • .space

Not every domain on these extensions is malicious, but threat actors favor them precisely because volume and anonymity work in their favor. Unfortunately, you can’t stop actors from registering malicious domains, but you can make it harder for your users to detonate. 

Recommendations:

  • Learn to read a URL. Train employees on URL anatomy so they can identify suspicious domains before clicking, especially in search engine results where ads appear above organic content.
  • Monitor the threat landscape. Cloudflare Radar publishes data on the most frequently abused TLDs. Security teams should reference this regularly to stay ahead of emerging patterns. 
  • Block at the perimeter. Implement URL filtering to restrict access to sites and downloads hosted on high-risk gTLDs and country-code TLDs (ccTLDs) where abuse rates are elevated. 
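The "read a URL" lesson and the perimeter filter can be expressed as one small check: pull the real host out of the URL, look at which label is actually the registrable domain, and compare the TLD against the list of abused gTLDs given above. This is an added example, not code from the original post or a product of Ascent Solutions; the sample URLs and the `example.com` brand allow-list are constructed, and the "last two labels" rule for the registrable domain is a deliberate simplification (a production filter would use the Public Suffix List so that names under ccTLDs such as `.co.uk` are split correctly).

```python
from urllib.parse import urlsplit

# The gTLDs the post lists as commonly abused.
HIGH_RISK_TLDS = {
    "xyz", "top", "shop", "site", "store", "pro", "click", "vip",
    "club", "win", "online", "bid", "tech", "icu", "buzz", "space",
}


def parse_host(url: str):
    """Return (username, host, registrable_domain, tld) for a URL.

    Simplification: the registrable domain is taken as the last two labels,
    which is wrong for public suffixes like co.uk; use the PSL in production.
    """
    if "://" not in url:
        url = "http://" + url  # bare hostnames as users type them into a browser
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    labels = host.split(".") if host else []
    tld = labels[-1] if len(labels) > 1 else ""
    registrable = ".".join(labels[-2:]) if len(labels) > 1 else host
    return parts.username, host, registrable, tld


def assess_url(url: str, expected_domains: set[str]) -> list[str]:
    """List the reasons a URL looks suspicious; an empty list means no flag raised."""
    username, host, registrable, tld = parse_host(url)
    flags = []

    if tld in HIGH_RISK_TLDS:
        flags.append(f"high-risk gTLD .{tld}")

    # Text before an @ is user-info, not the host; a classic way to dress up a link.
    if username:
        flags.append(f"'{username}@' precedes the real host {host}")

    # A trusted brand name appearing anywhere except as the registrable domain
    # (as a subdomain, or with a dash instead of a dot) is a lookalike pattern.
    for brand in expected_domains:
        brand_label = brand.split(".")[0]
        if brand_label in host and registrable != brand:
            flags.append(f"'{brand_label}' appears in host but registrable domain is {registrable}")

    return flags


def should_block(url: str, expected_domains: set[str]) -> bool:
    """Policy decision for a perimeter filter: block on any flag."""
    return bool(assess_url(url, expected_domains))


# Constructed sample links of the kind that appear in sponsored search results.
TRUSTED = {"example.com"}
SAMPLE_URLS = [
    "https://www.example.com/download",                   # genuine vendor site
    "https://docs.example.com/manual.pdf",                # genuine subdomain
    "http://example-com-downloads.xyz/setup.exe",         # dash-for-dot lookalike on .xyz
    "https://example.com.account-verify.top/login",       # brand as subdomain of a .top domain
    "https://example.com@evil.xyz/update",                # user-info trick; real host is evil.xyz
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{'BLOCK' if should_block(u, TRUSTED) else 'allow':5} {u} {assess_url(u, TRUSTED)}")
```

Teaching users to find the registrable domain (the two labels just before the first `/`, reading right to left) is the human half of this control; the `should_block` decision is the perimeter half, and both rely on the same reading of the URL.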

LinkedIn is a Part of the Attack Surface Too 

Your employees are on LinkedIn. So are your adversaries. Over the past several months, our team has tracked a steady rise in LinkedIn-based threat campaigns: phishing schemes, credential harvesting via fraudulent comment replies, fake recruiters, and elaborate investment scams.

The platform that employees use to build their professional brand is simultaneously being used by threat actors to profile targets, establish trust, and initiate contact, all before a single malicious payload is ever delivered.

Here’s what makes LinkedIn particularly dangerous from a security posture standpoint: it bypasses your email security stack entirely. Secure Email Gateways, AI-based detection, advanced filtering: none of it touches a LinkedIn DM.

Most organizations permit LinkedIn access from corporate workstations, which means the attack surface extends directly onto managed endpoints, and the controls that protect your email environment simply don’t apply.  

This isn’t unique to LinkedIn. The same exposure exists across any platform where messages can be exchanged, such as Telegram, Signal, Discord, WhatsApp, and social platforms like Facebook, Instagram, Reddit, and TikTok.  

The principle is simple: if a message can be sent on a platform, that platform is part of your attack surface. For applications with no legitimate business use case, the answer is straightforward: restrict or block access from enterprise devices.

We can’t stop threat actors from attacking us, but we can learn how to anticipate the threats they pose. In the Marine Corps, Marines are consistently instructed to be hard targets, no matter how widespread the enemy presence might be.

We cannot stop the enemy from watching and scheming against us; however, we can make it challenging for them through training, discipline, awareness, and being resilient enough to make the attack not worth the effort. That’s the standard to set for your organization on LinkedIn.

Recommendations:

  • Enable Two-Factor Authentication. A compromised LinkedIn account is a launchpad for attacks on your contacts and organization. 2FA is a non-negotiable first layer. LinkedIn’s own account security guidelines walk through the setup.
  • Treat unsolicited connections and messages with skepticism. Only accept connections from known, trusted individuals. Any unsolicited message containing a link should be treated as hostile until proven otherwise.
  • Report and block aggressively. Don’t ignore suspicious profiles, messages, or content. Report them immediately. LinkedIn has published specific guidelines for reporting scammers, fake profiles, and malicious content. Use them.

Final Thoughts: The Importance of a Patched Human Firewall 

There’s an old saying in cybersecurity that remains as true as ever: Defenders must be right 100% of the time. Attackers only need to be right once. Technical controls are essential, but they aren’t sufficient.

The incidents that breach mature security programs rarely expose a failure of technology alone. More often, they exploit the gap between what your tools can detect and what your people know to do. A workforce that is threat-aware, skeptical by habit, and trained to recognize the early indicators of an attack closes that gap. That’s the beauty of the Human Firewall. 

Building a resilient organization demands both reactive and proactive security measures. Ascent’s Cyber Threat Intelligence as a Service delivers actionable, time-sensitive intelligence on the threats most relevant to your business, so your team isn’t learning about a campaign after it’s already inside your environment. 

Reach out to info@meetascent.com to connect with one of our experts today. 
