
The Exploit: Anatomy of a Modern Cyber Heist Part 2: The Perfect Phish


3.4 billion phishing emails hit inboxes every single day. The financial services sector absorbs 27.7% of all phishing attempts, more than any other industry. And 32% of employees fall for phishing scams when they have not received proper training.

In Part 1: The Leak in the Shadows, NullGhost found Chad's leaked credentials and built a target profile from his social media. Now they put that intelligence to work.

This is Part 2 of a three-part series. Read Part 1: The Leak in the Shadows and Part 3: The Clone Trap.


The Bait: An Invoice That Looked Right

Two weeks later, Chad sat at his desk on a Wednesday morning. He scanned his inbox and spotted an email with the subject line: Updated Invoice - Q2 Retainer.

The sender appeared to be Karen B., an account manager from a third-party vendor CYA Finance had used during their last system upgrade. The email was professional. No typos. No awkward phrasing. It referenced the real name of a finance system they used. It included a link to view the invoice on a "new secure vendor portal."

The timing was perfect. The quarter had just closed. Chad had recently approved similar payments. The name "Karen B." matched a contact from a past project. The invoice amount fell within normal ranges.

Everything felt routine. Chad clicked without hesitation.

The Hook: A Perfect Clone

The link opened what appeared to be a new billing portal. But the login page looked identical to CYA Finance's internal payment system. Colors, logo, layout. Every detail matched. The domain name was subtly different, close enough to pass a quick glance.

Chad entered his credentials. The page prompted him for two-factor authentication, just like the real system. He typed in the verification code sent to his phone.

The screen blinked. "Session Timeout. Please try again later."

Frustrated but not suspicious, Chad moved on with his day. He assumed a minor server glitch on the vendor's end.

The real issue had already started.

Behind the Curtain: What Actually Happened

Chad had just handed his login credentials and a valid MFA token to NullGhost. The portal was a proxy, built to mimic CYA Finance's real system and intercept everything in real time.

NullGhost was fully authenticated. Fully invisible.

They accessed finance records. Copied vendor data. Set up email forwarding rules inside CYA's mail system so any message from the real vendor would route to NullGhost's sandbox first. The illusion stayed intact. Nothing looked wrong from Chad's side.

This technique is called adversary-in-the-middle (AiTM) phishing. It defeats standard MFA by relaying tokens in real time. The November 2025 SitusAMC breach showed how a single vendor compromise can cascade across hundreds of financial institutions, including JPMorgan Chase, Citi, and Morgan Stanley.
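The forwarding rules NullGhost planted above are one of the few durable traces an AiTM intrusion leaves inside the tenant, which makes them worth hunting for in the audit log. The Python below is an added example, not code from this article or from Mortgage Workspace. It scans Exchange Online unified audit log records (one JSON object per line) for New-InboxRule or Set-InboxRule operations whose ForwardTo, ForwardAsAttachmentTo or RedirectTo parameters point outside the organisation, and raises the severity when the same rule also deletes, marks read or files the message so the mailbox owner never sees it. The records, the addresses and the tenant domain cya-finance.example are constructed for the example, and the parameter value formatting is assumed.

```python
"""Flag Exchange inbox-rule changes that forward mail outside the organisation.

Added example, not code from the article or from Mortgage Workspace. Assumes the
general shape of Exchange Online unified audit log records for New-InboxRule and
Set-InboxRule: a JSON object with "Operation", "UserId" and a "Parameters" list
of {"Name": ..., "Value": ...} entries. All records below are constructed.
"""
import json
import re

# Operations that create or modify an inbox rule
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Parameters that send a copy of (or redirect) the message elsewhere
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Parameters commonly combined with forwarding so the owner never sees the message
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}

# Domains considered internal; any other recipient domain is external (constructed)
INTERNAL_DOMAINS = {"cya-finance.example"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample records, one JSON object per line as an export would give them
SAMPLE_RECORDS = [
    json.dumps({
        "Operation": "New-InboxRule",
        "UserId": "chad@cya-finance.example",
        "Parameters": [
            {"Name": "Name", "Value": "Vendor sync"},
            {"Name": "From", "Value": "karen.b@acme-vendor.example"},
            {"Name": "ForwardTo", "Value": "intake@nullghost-sandbox.example"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    }),
    json.dumps({
        "Operation": "New-InboxRule",
        "UserId": "alice@cya-finance.example",
        "Parameters": [
            {"Name": "Name", "Value": "File invoices"},
            {"Name": "From", "Value": "billing@acme-vendor.example"},
            {"Name": "MoveToFolder", "Value": "Invoices"},
        ],
    }),
    json.dumps({
        "Operation": "Set-InboxRule",
        "UserId": "bob@cya-finance.example",
        "Parameters": [
            {"Name": "Name", "Value": "Copy to shared mailbox"},
            {"Name": "ForwardTo", "Value": "ap-shared@cya-finance.example"},
        ],
    }),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "chad@cya-finance.example"}),
]


def _parameters(record):
    """Collapse the Parameters list into a {name: value} dict of strings."""
    return {p.get("Name"): str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _external_recipients(value):
    """Return the e-mail addresses in a parameter value whose domain is not internal."""
    return [addr for addr in EMAIL_RE.findall(value)
            if addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def analyze_record(record):
    """Return a finding dict for an externally forwarding rule change, else None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = _parameters(record)
    external = []
    for name in sorted(params.keys() & FORWARDING_PARAMS):
        external.extend(_external_recipients(params[name]))
    if not external:
        return None  # internal-only forwarding or no forwarding at all
    hidden = sorted(params.keys() & HIDING_PARAMS)
    return {
        "user": record.get("UserId"),
        "operation": record["Operation"],
        "rule_name": params.get("Name", "<unnamed>"),
        "external_recipients": sorted(set(external)),
        "hiding_params": hidden,
        # External forwarding is suspicious; hiding it as well is the classic intrusion pattern
        "severity": "high" if hidden else "medium",
    }


def find_suspicious_rules(lines):
    """Scan newline-delimited JSON audit records and collect findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed export line rather than abort the scan
        finding = analyze_record(record)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_RECORDS):
        print(f"[{f['severity'].upper()}] {f['user']} {f['operation']} rule '{f['rule_name']}' "
              f"-> {', '.join(f['external_recipients'])} "
              f"(hidden via: {', '.join(f['hiding_params']) or 'nothing'})")
```

Only Chad's rule is reported: Alice's rule only files mail in a folder, and Bob's forwards to an internal shared mailbox. Tune INTERNAL_DOMAINS to the tenant's own domains and feed the function the records from an audit log export.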

How the Phish Got So Perfect

This was not a random phishing kit from a dark web marketplace. It was a targeted attack, custom-built with the data NullGhost mined during their earlier reconnaissance.

They knew Chad's communication tone from LinkedIn posts. They knew his vendors from comment threads. They knew how CYA Finance's portals looked from public-facing login pages. Every detail made the lie believable.

And every second Chad delayed reporting the error gave NullGhost more time to move laterally through CYA's systems.

Red Flags Every Mortgage Professional Should Know

  • Unexpected invoices from known senders. Attackers study your vendor relationships. Just because the name looks familiar does not mean the email is genuine. Verify through a separate channel.
  • Domains that look right but feel off. Phishing sites use subtle domain variations: swapped letters, added hyphens, different top-level domains. Hover before you click.
  • Multiple authentication prompts without explanation. If a site asks for credentials and MFA in an unusual flow, stop. Contact IT.
  • Session timeouts immediately after login. A timeout right after entering credentials is a hallmark of proxy-based phishing. The attacker just captured your session.
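The second red flag in the list, a domain that looks right but feels off, is something a mail gateway or a browser extension can check mechanically before anyone hovers. This added Python example (not code from the article or from Mortgage Workspace) classifies the hostname of a link against a short list of trusted company and vendor domains and catches the variations the list names: a swapped or confusable letter, a dropped hyphen, a different top-level domain, and the trusted name buried in a subdomain of an attacker-controlled domain. The trusted domains and sample links are constructed, and the registrable domain is assumed to be the last two labels, which does not handle multi-label public suffixes such as co.uk.

```python
"""Classify a link's hostname against trusted domains to spot lookalikes.

Added example, not code from the article or from Mortgage Workspace. Trusted
domains and sample URLs are constructed; the registrable domain is taken as the
last two labels, which ignores multi-label public suffixes such as co.uk.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"cya-finance.example", "acme-vendor.example"}  # constructed

# Characters or pairs commonly swapped for visually similar ones
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s", "8": "b"}


def registrable(hostname):
    """Last two labels, e.g. login.cya-finance.example -> cya-finance.example."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label):
    """Fold confusables and drop hyphens so visual variants compare equal."""
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label.replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance using a rolling row of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "unknown", "no hostname in link"
    if any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted", f"{host} is a trusted domain or a subdomain of one"
    domain = registrable(host)
    name, _, tld = domain.rpartition(".")
    if not name:  # single-label host such as an intranet name
        name, tld = tld, ""
    squashed_host = normalize(host.replace(".", ""))
    for trusted in sorted(TRUSTED_DOMAINS):
        tname, _, _ttld = trusted.rpartition(".")
        if name == tname:  # same name, so only the TLD differs (else it would be trusted)
            return "lookalike", f"{domain} uses a different top-level domain than {trusted}"
        if normalize(name) == normalize(tname):
            return "lookalike", f"{domain} is a hyphen or confusable-character variant of {trusted}"
        if edit_distance(name, tname) <= 2:
            return "lookalike", f"{domain} is within two edits of {trusted}"
        if normalize(tname) in squashed_host:
            return "lookalike", f"{host} embeds the trusted name {trusted} under another domain"
    return "unknown", f"{domain} is not a trusted domain; verify through a separate channel"


SAMPLE_LINKS = [  # constructed
    "https://portal.cya-finance.example/invoices/42",
    "https://cya-finance.net/login",
    "https://cya-flnance.example/login",
    "https://cyafinance.example/login",
    "https://cya-finance.example.attacker-cdn.example/login",
    "https://unrelated.example/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = classify_link(link)
        print(f"{verdict:9} {link}  ({reason})")
```

An "unknown" verdict is not a pass: the invoice in the story came from a sender Chad recognised, so a link that is merely unfamiliar still warrants the out-of-band verification the first red flag calls for. Short trusted names will raise the false-positive rate of the edit-distance and embedding checks, so keep the list to the handful of domains that actually carry payment traffic.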

Building Phishing Resilience

Deploy intelligent email filtering. Microsoft Defender for Office 365 uses AI-driven analysis to catch well-crafted phishing emails, including those that reference real vendor names and mimic legitimate invoices. Standard spam filters miss these targeted attacks.

Run phishing simulations monthly. Not annual checkbox training. Monthly simulations with real-world scenarios tuned to your industry. The 2025 IBM data shows organizations with active phishing programs reduce breach costs by an average of $250,000.

Enforce browser-level domain controls. Configure browser policies to flag suspicious redirects and block access to known malicious domains. Microsoft Edge security policies integrate directly with Conditional Access in Entra ID.

Implement phishing-resistant MFA. Standard SMS-based MFA can be intercepted through SIM swapping or AiTM proxies. FIDO2 security keys and passkeys resist these attacks because they bind authentication to the legitimate domain. The NYDFS Part 500 amendments, with first certification due April 2026, require universal MFA for all system access.
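Why does a FIDO2 key or passkey survive the proxy that captured Chad's SMS code? Because the browser, not the web page, writes the origin it is actually on into the clientDataJSON that the authenticator signs, and the relying party rejects any assertion whose origin is not its own. The Python below is an added example, not code from the article or from any FIDO library. It models the relying party's verification steps (ceremony type, challenge, origin, rpIdHash, and the signature over authenticatorData plus the clientDataJSON hash) and runs the login three ways: from the real origin, from a lookalike origin, and from a lookalike origin where the proxy rewrites the origin field before relaying. The origins are constructed, and an HMAC stands in for the authenticator's ECDSA signature so the block runs with the standard library only.

```python
"""Relying-party checks that bind a FIDO2/WebAuthn assertion to the real origin.

Added example, not code from the article or from any FIDO library. The origins
are constructed, and an HMAC stands in for the authenticator's ECDSA signature
so the block runs with the standard library only; the checks follow the
WebAuthn assertion verification steps.
"""
import base64
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://portal.cya-finance.example"  # constructed real site
RP_ID = "portal.cya-finance.example"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class ToyAuthenticator:
    """Stand-in for a security key. A real key signs with a per-site ECDSA
    private key; here an HMAC over the same bytes plays that role."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def verification_key(self):
        # A real RP stores the credential's public key at registration time
        return self._key

    def get_assertion(self, rp_id, client_data_json):
        # authenticatorData = rpIdHash (32) || flags (1, bit 0 = user present) || signCount (4)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        # The signature covers authenticatorData || SHA-256(clientDataJSON), so the
        # origin string inside clientDataJSON cannot be edited after signing
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self._key, signed, hashlib.sha256).digest()


def browser_client_data(challenge, page_origin):
    """The browser, not the page's JavaScript, records the origin it is on."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    ).encode()


def verify_assertion(verification_key, challenge, client_data_json, auth_data, signature):
    """Relying-party verification. Returns (accepted, reason)."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    expected = hmac.new(verification_key,
                        auth_data + hashlib.sha256(client_data_json).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def simulate_login(page_origin, proxy_rewrites_origin=False):
    """One login ceremony with the user's browser on page_origin.

    With an AiTM proxy the challenge still comes from the real RP (relayed), but
    the browser fills in the lookalike origin it is actually displaying."""
    authenticator = ToyAuthenticator()
    challenge = secrets.token_bytes(32)
    client_data_json = browser_client_data(challenge, page_origin)
    auth_data, signature = authenticator.get_assertion(RP_ID, client_data_json)
    if proxy_rewrites_origin:
        # The proxy edits the origin field to the real one before relaying to the RP
        forged = json.loads(client_data_json)
        forged["origin"] = RP_ORIGIN
        client_data_json = json.dumps(forged).encode()
    return verify_assertion(authenticator.verification_key(), challenge,
                            client_data_json, auth_data, signature)


if __name__ == "__main__":
    print("real site:        ", simulate_login(RP_ORIGIN))
    print("lookalike site:   ", simulate_login("https://portal.cya-finance-secure.example"))
    print("proxy rewrites it:", simulate_login("https://portal.cya-finance-secure.example", True))
```

The lookalike login fails on the origin check, and the version where the proxy patches the origin fails on the signature, because the signed bytes include the hash of the original clientDataJSON. In a real browser the ceremony would not even start on the lookalike page, since the credential's RP ID must be a registrable suffix of the page's origin; the relying-party check shown here is the second line of defence for the same binding. Compare this with the SMS code in the story, which carries no information about where it was typed.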

Verify payment changes through a second channel. Any email requesting changes to payment details, vendor portals, or wire instructions should trigger a phone call to a known number. Not a number from the email itself.

Chad thought he was paying an invoice. Instead, he opened the gates.

Managed IT providers built for financial services catch these patterns before they escalate. Mortgage Workspace, backed by Access Business Technologies, monitors email flows, flags anomalous login behavior, and enforces phishing-resistant MFA across 750+ financial institutions. The Guardian control layer detects email forwarding rule changes, impossible travel logins, and MFA token replay attempts in real time.

Coming up in Part 3: The Clone Trap

What happens when a fake login page is not just stealing credentials, but hijacking entire sessions?


Talk to a Mortgage IT Specialist

Phishing attacks against mortgage companies are getting more targeted every quarter. Contact Mortgage Workspace to deploy phishing-resistant MFA and email protections built for regulated lenders.


Frequently Asked Questions

What is adversary-in-the-middle phishing and why does it bypass MFA?

Adversary-in-the-middle (AiTM) phishing uses a proxy server that sits between the victim and the real login page. When the victim enters credentials and an MFA code, the proxy relays them to the legitimate site in real time, capturing the authenticated session token. This defeats standard MFA because the attacker does not need the password or code again. They ride the stolen session token directly. FIDO2 security keys and passkeys resist this attack because they validate the domain before releasing credentials.

How often should mortgage companies run phishing simulations?

Mortgage companies should run phishing simulations at least monthly, using scenarios tailored to financial services workflows like invoice approvals, wire transfer requests, and vendor portal updates. Research shows 32% of untrained employees fall for phishing scams. Monthly simulations with immediate feedback reduce click-through rates over time. The FTC Safeguards Rule requires continual security awareness training for all staff handling customer information.

What email security features in Microsoft 365 help prevent targeted phishing?

Microsoft 365 includes Defender for Office 365 with Safe Links, Safe Attachments, and anti-phishing policies that use machine learning to detect impersonation attempts. Exchange Online Protection filters known malicious senders and domains. Conditional Access policies in Entra ID can block sign-ins from suspicious locations or unmanaged devices. Data Loss Prevention rules flag emails containing sensitive borrower information sent to unverified external addresses.

What is the NYDFS Part 500 universal MFA requirement for financial institutions?

The New York Department of Financial Services amended Part 500 to require universal multi-factor authentication for all individuals accessing any information system, not just remote access or privileged accounts. This covers cloud applications, on-premise systems, third-party tools, and vendor access. The first annual certification covering universal MFA is due April 15, 2026. Entities that are not certified by that date risk enforcement action including fines up to $100,000 per violation.
