In volume 1 and volume 2 of Patching the Human Firewall, we introduced the Combat Hunter Mindset, a disciplined approach that trains employees to spot danger early and react fast in the digital battlefield. The lesson was clear: well‑trained, threat‑aware, and vigilant users often make the difference between a near miss and a full‑blown breach.
In this third installment, we examine two sophisticated and increasingly effective threat vectors that continually slip past best-in-class detections:
- Software Extensions: Browser Extensions
- Social Engineering via Phishing: Spearphishing Voice
We’ll break down how each attack vector operates, why it remains effective, and what controls security leaders should implement to mitigate associated risks. The objective: help every organization patch its Human Firewall, turning people from soft targets into a proactive, first line of defense.
The Hidden Risk in Your Browser: Malicious Extensions
MITRE Technique: T1176.001
In 2025, our Security Operations Center (SOC) Team at Ascent Solutions conducted several intelligence-driven threat hunts to identify malicious browser extensions reported by other vendors. These malicious extensions present significant security risks, such as stealing personal information or redirecting users to untrusted websites.
Specifically, compromise or malicious exploitation of browser extensions that hold extensive permissions can result in a myriad of vulnerabilities and attack vectors, such as credential theft, account takeover, session hijacking, and data theft.
They are often disguised as legitimate tools and request unnecessary permissions that allow deeper access and/or control into the user’s browser or device. According to LayerX, 66% of browser extensions have high and/or critical-level permissions granted to them, and 40% of users have extensions with high/critical-level permission scope installed on their computers.
One notable example is the Cyberhaven incident, which revealed that nearly 40 compromised extensions exposed cookies and identity data from millions of users across thousands of organizations. In total, nearly 3 million users across thousands of organizations were affected by that large-scale attack campaign, which exploited vulnerabilities in browser extensions to expose sensitive cookies and identity data. Throughout 2025, multiple incidents have been reported in which threat actors compromised browser extensions at the developer level, resulting in downstream impact across a wide range of end users. Most recently, Symantec released two detailed reports uncovering that several browser extensions were transmitting user data over HTTP instead of HTTPS due to misconfigurations.
Mitigation Recommendations
While the abuse of browser extensions is not a new tactic, attackers are increasingly recognizing the effectiveness and scalability of this threat vector. As the risks continue to evolve, it’s critical for organizations to adopt a proactive, defense-in-depth strategy to mitigate exposure.
To that end, the following recommendations—sourced from MITRE and Ascent’s Security Operations Center (SOC)—outline key actions for both end users and security teams to reduce the threat posed by malicious browser extensions:
For End Users
- Validate source and authenticity before installing any extension—only use those from verified developers via official browser extension stores.
- Review permissions carefully during installation and especially after updates; remove extensions that request excessive or unrelated privileges.
- Close browser sessions when not in use to reduce the risk of background activity by malicious extensions.
For Security Teams
- Implement allow/deny lists for browser extensions, governed by policy and business need.
- Monitor for anomalous browser behavior, such as untrusted network connections initiated from browser processes.
- Incorporate extension threat intelligence into threat hunting workflows; maintain and update hunting queries based on IOCs from vendor reports.
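The three security-team recommendations above can be wired together into a simple triage pass. The following is an added example, not Ascent's SOC tooling: it evaluates a constructed extension inventory against an allow list, a deny list and a set of vendor-reported IOC identifiers, flags high-risk permission scope and plaintext update URLs, and scans constructed connection-log lines for browser processes talking to hosts outside a trusted suffix list. The extension IDs, hostnames, log format and the set of permissions treated as high-risk are all assumptions made for this example, not vendor data or a vendor's scoring scheme.

```python
"""Triage of a browser-extension inventory against an allow list, a deny list,
vendor IOCs, and high-risk permission scope.

Added example, not Ascent's SOC tooling. The inventory, policy, IOC identifiers
and log lines below are constructed sample data; the permission set treated as
high-risk is an assumption for this example, not a vendor's scheme.
"""
import re
from dataclasses import dataclass, field

# Permissions that give an extension broad reach into pages, cookies or the host.
# Assumed "high/critical" set for this example.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "webRequest", "webRequestBlocking", "cookies", "tabs",
    "scripting", "history", "clipboardRead", "nativeMessaging", "debugger",
}


@dataclass
class Extension:
    ext_id: str
    name: str
    permissions: set
    update_url: str = ""


@dataclass
class Policy:
    allow: set                                 # business-approved extension IDs
    deny: set = field(default_factory=set)     # IDs explicitly prohibited
    iocs: set = field(default_factory=set)     # IDs lifted from vendor reports


def triage(ext: Extension, policy: Policy) -> dict:
    """Return a verdict (block / review / ok) plus the reasons behind it."""
    findings = []
    if ext.ext_id in policy.iocs:
        findings.append("matches vendor IOC")
    if ext.ext_id in policy.deny:
        findings.append("on deny list")
    if ext.ext_id not in policy.allow:
        findings.append("not on allow list")
    risky = ext.permissions & HIGH_RISK_PERMISSIONS
    if risky:
        findings.append("high-risk permissions: " + ", ".join(sorted(risky)))
    if ext.update_url.lower().startswith("http://"):
        findings.append("update URL uses plaintext HTTP")
    if ext.ext_id in policy.iocs or ext.ext_id in policy.deny:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "ok"
    return {"id": ext.ext_id, "name": ext.name, "verdict": verdict, "findings": findings}


# Constructed log format: one connection per line with process and destination.
LOG_RE = re.compile(r"process=(?P<proc>\S+)\s+dest=(?P<host>[^:\s]+):(?P<port>\d+)")
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}


def untrusted_browser_connections(log_lines, trusted_suffixes):
    """Flag connections from browser processes to hosts outside the trusted suffix list."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["proc"].lower() not in BROWSER_PROCESSES:
            continue
        host = m["host"].lower()
        if not any(host == s or host.endswith("." + s) for s in trusted_suffixes):
            hits.append((m["proc"], host, int(m["port"])))
    return hits


# --- constructed sample data (IDs and hosts are placeholders, not real ones) ---
POLICY = Policy(
    allow={"approved-pdf-viewer-id", "approved-password-manager-id"},
    deny={"banned-coupon-finder-id"},
    iocs={"ioc-from-vendor-report-id"},
)
INVENTORY = [
    Extension("approved-pdf-viewer-id", "PDF Viewer", {"storage"}),
    Extension("approved-password-manager-id", "Password Manager", {"storage", "tabs"}),
    Extension("unknown-productivity-id", "Tab Booster", {"<all_urls>", "cookies"},
              update_url="http://updates.example.invalid/manifest.xml"),
    Extension("ioc-from-vendor-report-id", "Free VPN Helper", {"webRequest", "<all_urls>"}),
]
SAMPLE_LOG = [
    "2025-06-01T10:00:01Z process=chrome.exe dest=clients2.google.com:443",
    "2025-06-01T10:00:05Z process=chrome.exe dest=c2-lookalike.example.invalid:8443",
    "2025-06-01T10:00:09Z process=outlook.exe dest=outlook.office365.com:443",
]
TRUSTED_SUFFIXES = {"google.com", "microsoft.com", "office365.com"}


def run():
    """Triage the sample inventory and scan the sample log; returns both result sets."""
    return ([triage(e, POLICY) for e in INVENTORY],
            untrusted_browser_connections(SAMPLE_LOG, TRUSTED_SUFFIXES))


if __name__ == "__main__":
    verdicts, conns = run()
    for v in verdicts:
        print(f"{v['verdict']:6} {v['name']:18} {'; '.join(v['findings']) or '-'}")
    for proc, host, port in conns:
        print(f"untrusted browser connection: {proc} -> {host}:{port}")
```

Note that an allow-listed extension with high-risk scope (the password manager here) still surfaces as "review" rather than "ok": the allow list answers whether the business approved it, while the permission check answers whether its reach is still what was approved, which is exactly what can change silently after an update. Feeding fresh IOC identifiers from vendor reports into `Policy.iocs` is the hunting-query maintenance the last bullet calls for.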
Weaponizing Trust: Spearphishing via Voice (Vishing)
MITRE Technique: T1566.004
Within the last year, several vendors have reported on a variety of unique threat actors that specialize in spearphishing voice (aka vishing). Our SOC has observed this trend firsthand, with an increasing volume of vishing attempts targeting our customer environments.
Most recently, our SOC disrupted Storm-1811, a threat actor cluster known for using Microsoft Teams-based vishing tactics to target an international manufacturer. Alongside Storm-1811, groups such as Luna Moth, UNC6040, and the highly active Scattered Spider have consistently leveraged vishing as a primary technique for gaining initial access.
Why Is Vishing So Effective?
What makes vishing so effective is its deliberate exploitation of human trust. Threat actors commonly impersonate IT or other support staff (T1656: Impersonation), convincing victims to take actions that bypass traditional security controls.
Unlike malware-based intrusions, vishing typically avoids triggering endpoint detection systems, as attackers rely on social engineering to coerce authorized users or help desk staff into granting access, resetting passwords, registering new devices, or rerouting communications.
Scattered Spider, in particular, has demonstrated remarkable success using these techniques against help desks in the retail, insurance, and transportation sectors. These actors are skilled, English-speaking social engineers who conduct detailed reconnaissance, collecting personally identifiable information (PII), open-source intelligence, and dark web data to impersonate employees with convincing accuracy.
They anticipate authentication protocols and often possess the exact answers to common verification questions. As their success grows, other ransomware groups are taking notice—actively recruiting professional social engineers to emulate Scattered Spider’s approach and expand their own operational capabilities.
How to Combat Vishing Threats
Vishing is simple, effective and, most importantly, it works. The only thing standing in the way is your human firewall.
Ensure users are regularly briefed on the latest vishing tactics
Vigilance is the antidote to complacency. Security awareness must evolve alongside attacker sophistication. For example, when a user calls the help desk requesting to enroll a new device or reset a password, instruct your team to verify the request by calling the user back using the phone number already on file, never the one provided during the initial interaction.
Reconsider Help Desk Authentication
Traditional identity verification methods (e.g., date of birth, middle name, or last four of SSN) are often easily sourced or socially engineered. Instead, implement authentication mechanisms that rely on more secure, personalized challenge questions that are memorable to the user, specific in detail, and difficult to answer using publicly available information.
Drawing from military practices such as the U.S. Marine Corps’ use of brevity codes and ISOPREP (Isolated Personnel Report) challenge questions, organizations can apply similar principles to fortify help desk procedures. Below are examples of more secure, context-rich questions:
- What was your first vehicle? Example Answer: A blue 1995 Ford Mustang.
- What is your favorite childhood memory? Example Answer: Attending a Metallica concert with my dad in 1995 in Minneapolis.
- What was your first pet? Example Answer: A Golden Retriever named Sparky, adopted from an animal shelter in 1995.
These enhanced verification measures raise the barrier for impersonation and provide a practical, scalable defense against modern vishing campaigns.
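The callback rule and the detail-rich challenge questions above can be enforced in the help-desk workflow itself rather than left to an agent's memory. The following is an added example, not Ascent's procedure or product: it stores each enrolled challenge answer as a salted PBKDF2 hash, normalizes answers so punctuation and capitalization do not cause false failures, refuses to enroll an answer with too little detail, and refuses to verify a request unless the agent called back on the number already on file and every challenge was answered correctly. The directory, the +1-555 phone numbers, the answers, the four-word minimum and the PBKDF2 parameters are all constructed or assumed for this example.

```python
"""Help-desk identity verification: callback to the number on file plus
detail-rich challenge questions stored as salted hashes.

Added example, not Ascent's procedure or product. The directory, phone
numbers and challenge answers are constructed; the minimum-detail rule and
the PBKDF2 parameters are assumptions chosen for this example.
"""
import hashlib
import hmac
import os
import re

MIN_DETAIL_TOKENS = 4        # assumption: a "specific" answer has at least four words
PBKDF2_ITERATIONS = 100_000  # assumption


def normalize(answer: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace so that
    'A blue, 1995 Ford Mustang' and 'a blue 1995 ford mustang' compare equal."""
    return " ".join(re.sub(r"[^\w\s]", " ", answer.lower()).split())


def enroll_answer(answer: str) -> dict:
    """Store a challenge answer as a salted PBKDF2 hash; reject vague answers."""
    norm = normalize(answer)
    if len(norm.split()) < MIN_DETAIL_TOKENS:
        raise ValueError("answer is not specific enough; add make, year, place or name")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def check_answer(record: dict, candidate: str) -> bool:
    """Constant-time comparison of a candidate answer against the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(),
                                 record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def verify_request(directory, user_id, callback_number_dialed, answers):
    """Decide whether a reset / enrollment request may proceed.

    callback_number_dialed is the number the agent actually called back on; it
    must equal the number on file, whatever number the caller offered. Every
    enrolled challenge must then be answered correctly.
    """
    entry = directory.get(user_id)
    if entry is None:
        return False, "unknown user"
    if callback_number_dialed != entry["phone_on_file"]:
        return False, "callback was not made to the number on file"
    for question, record in entry["challenges"].items():
        if not check_answer(record, answers.get(question, "")):
            return False, f"challenge failed: {question}"
    return True, "verified"


# Constructed directory; +1-555 numbers are reserved for fiction.
DIRECTORY = {
    "jdoe": {
        "phone_on_file": "+1-555-010-0100",
        "challenges": {
            "first_vehicle": enroll_answer("A blue 1995 Ford Mustang"),
            "first_pet": enroll_answer(
                "A Golden Retriever named Sparky, adopted from a shelter in 1995"),
        },
    }
}


def demo():
    """Three constructed calls: a genuine user, a caller-supplied callback
    number, and a caller who only knows the vague, easily researched version."""
    full = {"first_vehicle": "a blue, 1995 ford mustang",
            "first_pet": "A golden retriever named Sparky adopted from a shelter in 1995"}
    good = verify_request(DIRECTORY, "jdoe", "+1-555-010-0100", full)
    wrong_number = verify_request(DIRECTORY, "jdoe", "+1-555-010-0199", full)
    vague = verify_request(DIRECTORY, "jdoe", "+1-555-010-0100",
                           {"first_vehicle": "a mustang", "first_pet": "sparky"})
    return good, wrong_number, vague


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The callback number is deliberately compared against the directory entry and never taken from the request, so an attacker who supplies their own number during the call gains nothing; the answers are hashed with a per-user salt so that a help-desk database leak does not hand out the challenge answers themselves.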
Final Thoughts: Elevating the Human Firewall
There is an old (but true) saying in cybersecurity: Defenders must be right 100% of the time; attackers only need to be right once.
While modern security tools are highly effective at reducing risk, no defense is foolproof.
In several recent incidents, threat actors successfully bypassed technical controls—events that may have been preventable with a better-informed and more vigilant human firewall. In today’s threat landscape, vigilance must outpace ignorance, and organizations must recognize that cyber risk is inseparable from business risk.
Building a resilient organization requires both proactive intelligence and responsive defense. Ascent’s Cyber Threat Intelligence as a Service delivers timely, actionable insights tailored to the threats most relevant to your business and sector. To learn how we can help strengthen your security posture with intelligence-led decision-making, contact us at info@meetascent.com.