Email Security – Osterman Research
https://ostermanresearch.com
Insightful research that impacts organizations

Identity security weaknesses at The Office of the Comptroller of the Currency: Some thoughts
https://ostermanresearch.com/2025/04/17/occ-email-breach-2025/
Wed, 16 Apr 2025 19:54:12 +0000

The Office of the Comptroller of the Currency (OCC), part of the US Treasury Department, recently disclosed a breach of its Microsoft 365 tenant, with 103 email accounts caught up in the compromise. After carrying out an investigation, the OCC notified the US Congress, stating the breach met the criteria for a “major information security incident.”

In recent years, organizations facing such incidents usually sheepishly say in effect, “mea culpa; now we’ll implement multi-factor authentication to prevent this type of incident in the future.” While a lack of multi-factor authentication is part of this story, it’s much more nuanced than a blanket oversight.

Key details:

  • In May 2023, hackers compromised a service account in its Microsoft 365 tenant that had administrative-level privileges.
  • Multi-factor authentication was not enabled on the breached service account.
  • Microsoft discovered the breach in early February 2025 (some 20 months later) and alerted the OCC. The discovery was based on observing unexpected behavior.
  • The OCC made an initial disclosure on February 26, 2025. At that point, the extent of the incident was noted as “an administrative account in the OCC email system” and “a limited number of affected email accounts that have since been disabled.”
  • The OCC engaged Mandiant and CrowdStrike to investigate.
  • Over the course of the 20 months of access, the hackers appear to have leveraged their initial foothold to gain access to other Microsoft 365 mailboxes, including those of senior deputy comptrollers, international banking supervisors, and other staff. This provided access to around 150,000 emails – although “access to” is different to “they actively read.” Quantifying the latter remains under investigation.
  • On April 8, 2025, the OCC notified Congress of the incident. In its public notice of doing so, the OCC said: “The OCC discovered that the unauthorized access to a number of its executives’ and employees’ emails included highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes.”

As a result of its investigation, the OCC asserts that “there is no evidence of impact on the financial sector,” (per SecurityWeek), although in its letter to Congress, the OCC said it is likely to “result in demonstrable harm to public confidence” (per Bloomberg).

What appears particularly galling about this breach is that the OCC has for years talked the talk and walked the walk on multi-factor authentication and embracing strong authentication. As a matter of policy, it has required the use of multi-factor authentication for two decades – since 2005. It has championed wider adoption of multi-factor authentication in the financial sector. For example, in an August 2022 speech to the joint meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council, the then Acting Comptroller of the Currency (Michael Hsu) said:

The first line of defense against malicious cyber actors is the implementation of strong preventative controls to protect against unauthorized access. Last August [2021], through the FFIEC, we updated our authentication guidance to highlight how the base layer security approach of multifactor authentication, or controls of equivalent strength, can significantly strengthen controls to mitigate unauthorized access to systems and data. All financial institutions should implement effective multifactor authentication controls for access to all nonpublic systems, as even basic network systems can be entry points for malicious activity.

With a policy framework of using MFA and public statements to spread that policy more broadly, why would a critical Microsoft 365 account not have MFA enabled? In its coverage of the incident, Bloomberg spoke with an ex-special counsel for enforcement at OCC. His response – “it is shocking that they did not have it [MFA] enabled for this administrative account.”

The OCC is not a client of Osterman Research. We do not have access to inside information. We can only see what is being reported in key media outlets. Our hypothesis, on the evidence we’ve seen, is that this was a shocking blindsided incident to the OCC that was completely unexpected. The initial administrative account was overlooked or not seen by the IT and security teams when MFA controls were put in place, and the OCC did not have the optics, visibility, or reporting to highlight where their policy was not being followed – initially, or subsequently. Newer identity security solutions, especially in the identity security posture management area, could have prevented this incident at the OCC. Such solutions add an independent assessment and enforcement engine for authentication policies, highlighting, for example, where accounts – service and user – don’t have MFA enabled.

Last month we published CISO and CIO Investment Priorities for Cybersecurity in 2025, which includes a deep dive on investment priorities for identities. See pages 24-27 for more. Non-human identities (which include service accounts) get a specific callout on page 27:

Protecting against identity attacks that seek to compromise non-human identities is the only issue across all four areas where the security priority in 2025 is higher among those not managing risks well compared to those who are. This is an unaddressed issue for too many organizations, and the warning bells are sounding.

Don’t be the next OCC.

The State of Email Security in 2025 – our latest report
https://ostermanresearch.com/2025/04/09/email-security-2025-titanhq/
Wed, 09 Apr 2025 04:14:32 +0000

Our latest report on email security is now available. It was commissioned by TitanHQ and is called The State of Email Security in 2025. It’s the first of what could become an annual series by TitanHQ, although as with all annual reports we undertake, the focus in future years is responsive to the issues and trends of each year. An annual report offers a framework for what’s important aligned with an overarching theme, not a tomb for what isn’t relevant anymore.

For the 2025 annual report, we analyze email security realities at organizations with up to 1,000 employees in the United States, Canada, United Kingdom, and the European Union. If this describes your organization, please get a copy hot off the press from the TitanHQ web site.

Worse outlook for their own organization versus everyone else

When you get a copy of the report, have a look at Figure 2 (on page 4). It presents the comparison of answers to two questions – how threats will intensify against all organizations in general, and how threats will intensify against the respondent’s organization specifically. Asking the question pair is a test of how the respondents view the likelihood that their organization is under attack versus everyone else. For every threat type we asked about (e.g., phishing, zero-day exploits, ransomware, and 9 others), respondents saw their organization as being more directly in the line of fire than everyone else. It’s more normal for a sense of bravado to reign in such answers, with other organizations in general being more at risk. But for the respondents to this survey, that didn’t happen. Respondents acknowledge full ownership of the fact that they are under attack and expect to be under increasing levels of attack over the next 12 months. We use this acknowledgment to lay out a decision matrix for email security readiness (see Figure 3 in the report) for organizations.

The top investment priorities are the newest threats

We use a three-question series in our Cybersecurity Investment Priorities programs (see 2023 and 2025) to assess the correlation across concern about current posture for a given area, the investment required to bring a given area up to the organization’s desired standard, and the spending priority for that area over the next 12 months. We used the same approach for TitanHQ’s annual report to assess the priorities for 10 areas related to email security. We’re pretty happy with the shape of the dominant patterns that our research found, with protecting against AI-enhanced attacks at the top of the list, followed by protecting against attacks that use deepfake audio or video in second place. These are both new and emerging types of threats that many organizations are less prepared to mitigate / address / deal with, and seeing them at the top of the list is right where we’d hope they’d be. Coming back to the idea above about taking ownership, indeed, there is work to be done on these by most.

These two emerging attack types are followed closely by continued investment in various enduring threat types that we talk about throughout the research, such as phishing. Phishing attacks were the most common incident type for the organizations in this research, and yes, given how threat actors are always exploring new approaches to make phishing attacks more nefarious, more effective anti-phishing protections are essential.

Other topics

There are multiple other topics explored in this year’s annual report, including deep dives on BEC attacks, QR code phishing, and generative AI. There’s also a major section on email security strategies, covering human risk management, priorities for 2025, and buying criteria for email security products / services. As above, please get a copy hot off the press from the TitanHQ web site for more.

Misdirected communications – 2024 update from the ICO
https://ostermanresearch.com/2025/03/27/misdirected-communications-2024-update-from-the-ico/
Thu, 27 Mar 2025 04:03:02 +0000

The most common data security incident reported to the Information Commissioner’s Office (UK) for October to December 2024 was … unsurprisingly, misdirected emails. The frequency of using email for communicating with others, the ease of stumbling when using type-ahead addressing in Outlook and other email clients, and the frenetic pace of much office work mean that it’s just too easy to choose the wrong person. Of the total incident count reported to the ICO, 21% were of this type.

There are email security add-ins that will alert users that something doesn’t add up in their communication, some of which we’ve written about in recent years. There should also be a necessary emphasis on training users to check and double check when adding someone to an email message or distribution list, but that’s not guaranteed to work in all instances.

The cost of getting it wrong is reputational mainly, although the extent of that cost and ancillary costs will depend enormously on the contents of the misdirected communication. Banal stuff … not so much. Corporate IP, confidential data, and data subject to privacy regulations … much more so. Excel spreadsheets with customer information – yes, that’s a problem. Mitigation wise, it depends on the nature of the information that people are sending and receiving, and the personal / corporate / national implications of getting it wrong. The higher the risk, the more layered a mitigation approach should be. And for very high risk situations, choose your tools extremely carefully.

Yuo cna porbalby raed tihs esaliy desptie teh msispeillgns
https://ostermanresearch.com/2024/10/16/scrambled-brain/
Wed, 16 Oct 2024 03:45:26 +0000

From Why Your Brain Can Read Jumbled Letters:

It deosn’t mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe.

One of the common recommendations in security awareness training for identifying phishing emails is to check that email addresses and domain names are correct. So microsoft.com is that, and not some close derivative (like microsott.com or M1CROSOFT.COM) and it’s actually paypal.com not paypa1.com. Small changes in email addresses and domain names can signal big trouble ahead (e.g., BEC incidents that result in paying the wrong person), and it takes a snazzy piece of brainwork to consistently identify those subtle changes. Slow down, read the address carefully, and then proceed with caution. That’s the general advice.

While snazzy brainwork is helpful in detecting new cyberattacks, the way our brains work can undermine the very outcomes we’re trying to achieve. As with the headline for this post, many of you can quickly read what’s written, and while the first couple of words may take a millisecond longer than normal to get, the subsequent ones get progressively easier. Optical illusions provide a second category of examples where what looks reasonable on first glance becomes more complicated on the second.

Hence, with respect to security awareness training, the advice to check the email address and domain name is sound but flawed. We would want someone to see that memcosoff.com was not microsoft.com, but we should not be surprised when people miss the difference between slight variations. Yes, the differences between paypal and paypa1 may be clear and obvious in retrospect, but to write people off due to missing the differences when their brain actually creates the signals it expects to see is disingenuous.

We’re a great advocate for email security solutions that use anomaly detection (and similar techniques) to do the heavy lifting in identifying subtle changes in email addresses and domain names. Textual analysis for near-matches, unusual patterns in combining sender names with email addresses, and the like provide a level of machine-precision that brains can’t match (and that’s okay, since brains are good at other things). Asking your people to check these details is fine, but don’t do so without using the best of what’s now available to detect, highlight, and remediate cyberattacks predicated on subtle differences that brains will often miss.
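An added example (not from the original post, and not any vendor's implementation) of the near-match textual analysis described above, using the domains named in this post. The allow-list, the confusable-character table, the distance threshold and the sample From headers are all assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumed allow-list: domains the organization really corresponds with,
# mapped to the brand name a display name might claim.
PROTECTED = {"microsoft.com": "Microsoft", "paypal.com": "PayPal"}

# Assumed (small) table of characters readers routinely confuse.
_CONFUSABLE = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s", "3": "e"})


def skeleton(domain: str) -> str:
    """Lowercase the domain and fold look-alike characters together."""
    folded = domain.strip().rstrip(".").lower().translate(_CONFUSABLE)
    return folded.replace("rn", "m").replace("vv", "w")


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def classify_domain(domain: str, max_distance: int = 2):
    """Return (verdict, protected_domain) for a sender domain.

    Compares whole domain strings; a production check would first reduce
    the sender to its registrable domain using the Public Suffix List.
    """
    raw = domain.strip().rstrip(".").lower()
    if raw in PROTECTED:
        return "exact", raw
    skel, best = skeleton(raw), None
    for good in PROTECTED:
        good_skel = skeleton(good)
        if skel == good_skel:
            return "homoglyph", good
        dist = osa_distance(skel, good_skel)
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, good)
    return ("near-match", best[1]) if best else ("unrelated", None)


def check_sender(from_header: str):
    """Flag look-alike domains and display names that claim a protected brand."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    verdict, target = classify_domain(domain)
    findings = []
    if verdict in ("homoglyph", "near-match"):
        findings.append(f"{verdict} of {target}")
    for good, brand in PROTECTED.items():
        if brand.lower() in display.lower() and domain != good:
            findings.append(f"display name claims {brand} but domain is {domain}")
    return findings


# Constructed sample headers (not real traffic).
SAMPLES = [
    "Accounts <billing@paypal.com>",
    '"PayPal Billing" <service@paypa1.com>',
    "IT Helpdesk <noreply@M1CROSOFT.COM>",
    "Licensing <renewals@microsott.com>",
    "Microsoft Support <help@memcosoff.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r}: {check_sender(header) or 'no findings'}")
```

memcosoff.com is too far from microsoft.com to count as a near-match on edit distance alone; it is caught only because the display name claims the brand, which is why the sender-name check is combined with the domain check.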

Email Security Threats Against Organizations in Critical Infrastructure sectors
https://ostermanresearch.com/2024/09/20/email-security-opswat/
Thu, 19 Sep 2024 19:45:49 +0000

Late in 2023 we started a conversation with OPSWAT, a cybersecurity vendor focused on the critical infrastructure sector, on undertaking a research project to assess the email security posture of critical infrastructure organizations. We have had the opportunity to do many research projects on email security in recent years, but while the others have included organizations in the critical infrastructure sector, this was the first project that focused exclusively on this cohort. Exciting times!

The research programme:

  • Collected data from a global audience of critical infrastructure organizations, with representation across North America, EMEA, and APAC. The survey was balanced to get around 40% of responses from North America, 20% from EMEA, and 40% from APAC.
  • Engaged with leaders within these organizations that have IT or security responsibility and knowledge of their email security posture.
  • Drew on CISA’s list of critical infrastructure sectors, such as chemicals, commercial facilities, communications, critical manufacturing, dams, and more. CISA says there are 16 sectors classified as critical infrastructure. CISA defines these sectors on this basis: sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. While this definition is US-centric, the same principle applies in other places, too.

Once the research design was agreed, we worked on the survey questions, took this to field, and analyzed the data. You can get your copy of the results from the OPSWAT website. But here’s a preview:

  • Critical Infrastructure Remains a Target
    80% of critical infrastructure entities fell prey to email-related security breaches within the past 12 months, highlighting their attractiveness to cyber threat actors.
  • Lingering Vulnerability
    Despite advancements in cybersecurity, 48% of organizations lack confidence in their existing email security defenses, leaving them vulnerable to potentially devastating cyberattacks.
  • Noncompliance presents significant operational and business risks
    Shockingly, 65% of organizations are not compliant with regulatory standards, exposing themselves to significant operational and business risks.

A major recommendation in the report is finding email security capabilities that “preclude and prevent threats” from finding their way into an organization’s email system. While this is critical for critical infrastructure organizations, it is no less so for those in other sectors.

Check out OPSWAT’s site for your copy.

Some thoughts on Fortra’s Phishing Benchmark Global Report 2023
https://ostermanresearch.com/2024/06/01/some-thoughts-on-fortras-phishing-benchmark-global-report-2023/
Fri, 31 May 2024 20:09:26 +0000

Fortra published a report presenting the findings from its phishing simulation exercise in October 2023 with around 300 organizations and 1.37 million individual participants. The press release presents the highlights. Full details are available in the report itself (registration required).

Key findings per the report:

  • On receiving the phishing simulation message, 10.4% of all recipients clicked the link. This opened a web page that masqueraded as a valid site and asked for username and password details. Of those who had clicked, 65% entered their details and lost their credentials. Here’s one of the diagrams from the report.
  • Aaarrgghhh.
  • Per Fortra, “Phishing links don’t click themselves – human beings, however well-intentioned, do.”
  • Click rates varied by industry – education was worst (16.7% vs. 10.4% average), finance was best (6.3% vs. 10.4% average). There’s a full breakdown in the report.
  • The percentage of recipients-who-clicked-the-link who then submitted their password also varies by industry. Education takes worst place again – 72.8% of those who clicked lost their credentials. Finance is third from best, at 45.2%. Agriculture and food were in first place / best place – at 29.1%.
  • A decade ago, the Verizon 2013 Data Breach Investigation Report said this about the mathematics of phishing: sending 10 phishing messages almost guarantees a click. Put another way, 10%. Page 38 of the VDBIR 2013 has this box:
  • A decade later, click rates remain the same or are slightly worse.
  • Yes, users need to be trained – especially as threats become more sophisticated due to AI, phishing toolkits, MFA bypass as routine, etc. Don’t stop doing that. But … revisit / reassess / recheck the efficacy of whatever technical protections you are using and keep those phishing and BEC emails as far away from a user’s inbox as possible.
  • On that note, you should read our report on the role of AI in email security.

Some thoughts on Perception Point’s 2024 Annual Report on cybersecurity trends and insights
https://ostermanresearch.com/2024/04/17/perception-point-annual-report-2024/
Wed, 17 Apr 2024 00:58:29 +0000

Perception Point recently published its 2024 annual report on cybersecurity trends and insights, reporting on data and trends seen from its data sets during 2023. You can get a copy from Perception Point (registration required).

There are some useful data points in the report. These stood out:

  • 20% illegitimacy rate
    1 in 5 emails are not legitimate. That is, 80% make good business sense within the work flow of a given individual. 20% don’t.
  • 70% of attacks are phishing; huge increase in BEC attacks
    Phishing attacks remain the most frequently observed threat type, at 70% within the Perception Point data. In the FBI’s data from 2023 – based on a different data set of incidents reported to the FBI’s IC3 unit – it was 34% phishing (299K phishing out of 880K total incidents). Perception Point also reported a massive increase in the number of BEC attacks it identified, to 18.6% of all attacks. Per the FBI data, BEC occurs less frequently but is significantly more costly than plain phishing attacks.
  • AI in email attacks
    “2023 was defined by the advances and widespread usability of generative AI … and its use in more intricate and deceptive malicious campaigns.” They even quote our report on The Role of AI in Email Security (which they co-sponsored).
  • Details on attacks against SaaS apps, such as Zendesk and Salesforce
    Perception Point protects users from threats, irrespective of where they come from. Email was the starting point. Collaboration and SaaS apps followed. The report dives into some of the forms that attacks against Zendesk and Salesforce take (among others), and why organizations need security protections over uploaded content and shared URLs via these services.
  • Hospitality sector under attack
    “Phishing attacks against the hospitality sector are often focused on stealing the Booking.com login credentials for a given hotel – so they can then access hotel profiles and acquire guest information, including emails, phone numbers, and financial details – for use in large-scale phishing campaigns.”

Fortifying the Organization Against Image-Based and QR Code Phishing Attacks
https://ostermanresearch.com/2024/03/12/fortifying-the-organization-against-image-based-and-qr-code-phishing-attacks/
Tue, 12 Mar 2024 04:05:47 +0000

Last week, IRONSCALES published the research on image-based and QR code phishing attacks that they commissioned from Osterman Research. With the topic being top of mind across the email security market, we valued the opportunity to carry out a primary market research investigation of what organizations in the United States are actually seeing and experiencing from this new type of phishing threat. You can get a copy – without having to register for it – from the IRONSCALES web site.

There’s a lot of good data and vital recommendations in the white paper based on what we found from the survey. Get your copy from IRONSCALES and scan the key findings on page 2, and then dive into what is of most relevance to you. In this article, what I want to focus on is the eureka moment as we looked at the data.

Consider this finding from one of the questions in the survey: more than 70% of respondents self-assess their current email security stack as highly effective at detecting image-based and QR code phishing attacks. This is from IT managers, IT team leads, IT security managers, email security managers, email security administrators, etc. These are the men and women on the front lines that are deeply involved in securing their organization against traditional, new, and emerging phishing threats – such as image-based and QR code phishing attacks. While that means 30% are less than confident in the efficacy of their detection capability, 70% out of the gate is a pretty high benchmark.

But then juxtapose that finding with another one: only 5.5% of respondents said their current email security defenses were able to detect and block all image-based and QR code phishing attacks from reaching user inboxes. That means 94.5% had one or more of these new types of phishing attacks flow through their email defenses to an employee’s inbox, and based on that happening, 75.8% of organizations experienced a compromise of account credentials or exfiltration of sensitive information due to image-based or QR code phishing attacks over the previous 12 months. In comparison to the data point above, that’s quite a low benchmark of battle-tested reality. It could be the tale of the one that got through, but that doesn’t make logical sense if 75.8% of organizations experienced a compromise based on just one that slipped through. Many, many of these attacks must have made their way through to inboxes, and someone or someones at each organization got phished.

On that note, better cybersecurity awareness training and phishing simulations based on real-world examples of image-based and QR code phishing attacks was a highly ranked strategic intent across the organizations we surveyed. If attacks will get through, make sure employees know what to look out for. But equally / in parallel / it’s not one or the other, augmenting current email security defenses is just as essential. People plus tech work in combination; it’s not either/or.

We will be joining IRONSCALES for a webinar on April 11 to dive into the findings. There will be Q&A … so please register and attend to have your questions answered.

Some thoughts on SlashNext’s 2023 report on phishing
https://ostermanresearch.com/2023/11/15/slashnext-phishing/
Wed, 15 Nov 2023 04:10:42 +0000

SlashNext recently published its 2023 report on the State of Phishing. The data is from SlashNext’s optics into email traffic around the world, along with a survey of 300 cybersecurity professionals and getting hands-on in the Dark Web.

Headline findings:

  • Malicious phishing messages have increased 1,265% in the 12 months from Q4 2022 to Q3 2023, with ChatGPT and malicious generative AI services a significant contributing factor.
  • SlashNext detected an average of 31,000 phishing attacks each day. This is an average number across the 12 months under investigation. What’s not disclosed is the baseline number of email messages sent each day that were subjected to SlashNext’s analysis. Globally, the number is around 350 billion emails sent each day, which makes 31,000 a mere 0.00000886% of the global total. But that’s an unfair calculation, because SlashNext doesn’t see all of those. If we assume that SlashNext has the optics to assess 1% of the total email traffic volume (3.5 billion emails), then it’s 0.000886%. However you cut it, phishing is a dangerous needle in a very, very, very, very large haystack, and the high percentage of phishing messages being BEC threats (68%) in that needle is very, very, very expensive to get wrong.
  • Key point – “AI chatbots (like ChatGPT) lowered the barriers to creating sophisticated BEC attacks and improved malware.” Be warned.
  • SlashNext explores the rise of multi-stage attacks, cross-channel attacks, the use of trusted services to host malicious content (e.g., SharePoint – and why that’s a problem), and dark web hijinks with jailbreak prompts and anonymizing wrappers for generative AI services.

Request the full report from SlashNext (25 content pages). Registration is required.

Abnormal’s report on the threats of generative AI
https://ostermanresearch.com/2023/10/31/abnormals-report-on-the-threats-of-generative-ai/
Tue, 31 Oct 2023 04:15:03 +0000

Abnormal Security, one of the sponsors of our recent report on The Role of AI in Email Security, has just published a complementary research report on how security leaders are responding to generative AI. This was an Abnormal-only initiative that we were not involved with. The research is based on a survey of 300 senior cybersecurity stakeholders at organizations of various sizes.

Key data points:

  • Overall, irrespective of the question asked by Abnormal, the vast majority of the security stakeholders who responded to the survey were concerned / worried / aware of and about the issues. Aside from a small minority of outliers, the threat of generative AI across multiple dimensions is widely felt.
  • Bad actors are already taking advantage of generative AI to create and disseminate large volumes of seemingly realistic email messages – but which are actually attacks. Beware.
  • “Email was the most common first step in data breaches even before generative AI came onto the scene, but this technology has clear potential to increase the volume, sophistication, and resulting effectiveness of email-based attacks” (page 6). As an alternative POV, it also has the potential to decrease the volume but increase the sophistication and resulting effectiveness by using greater targeting and choosing ‘the precisely best message thread to compromise.’ Under this scenario, messages become more pernicious because they are fewer and better hidden in normal message flows, as opposed to more voluminous because every cybercriminal and their hound dog decide to generate an avalanche of AI-refined attacks.
  • If AI is being used in a malicious way against your organization, you’re going to have to respond with “good AI” and fight AI with AI. This is the next mega theme in the cybersecurity arms race. Organizations without AI-powered email security solutions are playing a losing game – a theme we also highlighted in our report on AI in email security.
  • Respondents using an integrated cloud email security (ICES) solution were almost twice as confident as those using a secure email gateway (SEG) in the ability of their email security to detect if an attack is generated by AI. While Abnormal likes the directionality of the answer, they point out that given the capabilities of currently deployed ICES solutions, the percentages should be lower than they are.

Abnormal’s research on this topic is profiled in:
