Before deploying to Afghanistan after a three-year tour on Recruiting Duty, the Marine Corps required every Marine (including myself) to undergo Combat Hunter training. This critical, life-saving course taught us to recognize environmental inconsistencies, identify concealed threats, and make rapid decisions under pressure. Most importantly, it reinforced the necessity of constant vigilance, regardless of the adversary’s perceived activity level.
The Combat Hunter Mindset, paired with up-to-date intelligence, was a crucial tool in preventing complacency on the battlefield. These principles directly apply to today’s cybersecurity landscape. But how are we, as security professionals, instilling this same mindset in our users? While internal phishing simulations help, they alone are not enough to combat the ever-evolving cyber threats we encounter daily.
Why Regular Patching of the Human Firewall Matters
Just like a firewall requires regular updates, users also need frequent cybersecurity awareness training to recognize and respond to emerging threats. In this context, “patches” refer to a user’s understanding of the latest cyber threats and how to identify them. By keeping the Human Firewall updated, organizations can cultivate a culture of vigilance, preventing cyberattacks before they gain access to critical environments.
In this blog series, we’ll explore two highly pervasive social engineering threats seen over the last few months—ones we expect to remain significant throughout 2025.
ClickFix & FakeCAPTCHA: A Growing Social Engineering Threat
Throughout 2024 and into 2025, cybercriminals have been leveraging deceptive social engineering tactics known as ClickFix and FakeCAPTCHA campaigns. These attack methods typically start with:
- Clicking a link in a phishing email (T1566.002)
- Opening an infected email attachment (T1566.001)
- Landing on a malicious webpage that prompts a CAPTCHA or a browser update (T1608.004 & T1189)
Once on the page, users are presented with a pop-up instructing them to “Verify” or “Update” their browser.

Fig 1.) Fake browser update pop-ups.
If they comply, they unknowingly execute a Windows PowerShell command (T1059.001), which abuses the signed system binary MSHTA.exe to run attacker-supplied script (T1218.005) and typically installs an infostealer such as Lumma Infostealer or a Remote Access Trojan (RAT).
Credentials harvested by the infostealer are then:
- Used for unauthorized access
- Sold on dark web marketplaces
User Training Tip: Instead of overwhelming users with technical jargon, visual aids (like the example in Figure 1) should be used to help them recognize these scams. Training users to immediately close suspicious pop-ups or documents without interaction is key to breaking this attack chain. Bonus points for security teams that encourage users to report incidents promptly.
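Awareness training is the first layer; the second is a detection that fires when the chain above actually runs. The following is an added example (not code from the original post or from Ascent Solutions) that evaluates constructed, simplified process-creation events against the ClickFix execution pattern the post describes (MSHTA proxy execution, T1218.005, and PowerShell execution, T1059.001). The event field names and the sample command lines are assumptions for illustration, not real EDR or Sysmon output.

```python
import re

# Constructed sample events: each is one process creation, as a simplified dict
# (field names are assumed; adapt them to your EDR/Sysmon schema).
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/verify.hta"},
    {"id": 2, "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc BASE64PLACEHOLDER"},
    {"id": 3, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"id": 4, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def clickfix_alerts(events: list[dict]) -> list[dict]:
    """Return one alert per event matching the ClickFix execution chain."""
    alerts = []
    for ev in events:
        img, parent = basename(ev["image"]), basename(ev["parent"])
        cmd = ev["cmdline"].lower()
        reasons = []
        # T1218.005: mshta.exe pulling an HTA from a remote URL
        if img == "mshta.exe" and re.search(r"https?://", cmd):
            reasons.append("T1218.005 mshta.exe fetching a remote HTA")
        # T1059.001: PowerShell spawned by mshta.exe (second stage of the chain)
        if img == "powershell.exe" and parent == "mshta.exe":
            reasons.append("T1059.001 powershell.exe spawned by mshta.exe")
        # T1059.001: hidden-window or encoded PowerShell (-w hidden, -e/-ec/-enc);
        # legitimate admin scripts can match this, so tune with an allow-list.
        if img == "powershell.exe" and re.search(
                r"-w(indowstyle)?\s+hidden|-e(c|nc|ncodedcommand)?\s", cmd):
            reasons.append("T1059.001 hidden or encoded PowerShell command")
        if reasons:
            alerts.append({"event_id": ev["id"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in clickfix_alerts(SAMPLE_EVENTS):
        print(alert)
```

Events 1 and 2 produce alerts; the benign Notepad launch and the scheduled backup script do not.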
Recognizing Malicious URLs: The Rise of gTLD and ccTLD Phishing Attacks
A 2024 study by KrebsOnSecurity and Interisle Consulting revealed a 40% increase in phishing attacks between September 2023 and August 2024. A significant portion of this growth was linked to new generic top-level domains (gTLDs) such as:
- .shop
- .top
- .xyz
- .vip
- .club
Additionally, cybercriminals heavily abused country-code TLDs (ccTLDs) like:
- .cn (China)
- .cc (Cocos Islands)
- .ru (Russia)
- .co (Colombia)
- .us (United States)
![Screenshot of a fake Microsoft Office Center login page with a suspicious URL "server.mvmail3650ffice.xyz". The email address "[email address removed]" is pre-filled. A password field is present, along with a "Next" button.](https://ascentslns.wpengine.com/wp-content/uploads/2025/02/Screenshot-2025-02-18-071110.png)
Fig 2.) Fake Microsoft Office Center login page.
How to Protect Your Organization
While we can’t prevent hackers from registering malicious domains, we can empower users to recognize red flags. For example, educating users that Microsoft-themed login pages hosted on gTLDs or ccTLDs are likely phishing attempts (Figure 2) can reduce account compromise rates significantly.
Proactive Defense Measures:
- Implement URL filtering to block suspicious gTLDs and ccTLDs
- Train employees on URL anatomy to recognize phishing attempts
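Both measures come down to reading the parts of a URL correctly. The following is an added example (not code from the original post or from Ascent Solutions) that breaks a URL into host, registered domain and TLD, flags the abused gTLDs and ccTLDs listed above, and flags Microsoft-themed hostnames that do not resolve to a Microsoft-owned domain, using the Figure 2 URL as one test input. The Microsoft domain allow-list and brand-word list are assumptions; the registered-domain logic assumes a single-label public suffix (it does not handle suffixes such as co.uk).

```python
import re
from urllib.parse import urlsplit

# TLDs the post names as heavily abused in 2024 phishing
ABUSED_GTLDS = {"shop", "top", "xyz", "vip", "club"}
ABUSED_CCTLDS = {"cn", "cc", "ru", "co", "us"}

# Assumed allow-list: domains on which Microsoft-branded logins are legitimate
MICROSOFT_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com",
                     "office365.com", "live.com"}
# Brand fragments that should only appear on those domains (note the 0ffice lookalike)
BRAND_WORDS = ("microsoft", "office", "0ffice", "outlook", "onedrive", "sharepoint", "365")

def analyze_url(url: str) -> dict:
    """Return the anatomy of a URL plus a list of phishing red flags."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    tld = labels[-1] if len(labels) > 1 else ""
    # Last two labels; assumes a single-label public suffix (not co.uk etc.)
    registered = ".".join(labels[-2:]) if len(labels) > 1 else host
    flags = []
    if tld in ABUSED_GTLDS:
        flags.append(f"abused gTLD .{tld}")
    if tld in ABUSED_CCTLDS:
        flags.append(f"abused ccTLD .{tld}")
    if any(w in host for w in BRAND_WORDS) and registered not in MICROSOFT_DOMAINS:
        flags.append("Microsoft-themed hostname on a non-Microsoft domain")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("raw IP address as host")
    return {"host": host, "tld": tld, "registered_domain": registered, "flags": flags}

def should_block(url: str) -> bool:
    """URL-filter decision: block when any red flag is raised."""
    return bool(analyze_url(url)["flags"])

if __name__ == "__main__":
    # Constructed inputs: the Figure 2 host, a legitimate Microsoft login, a subdomain trick
    for u in ("https://server.mvmail3650ffice.xyz/login",
              "https://login.microsoftonline.com/",
              "https://login.microsoft.com.top/"):
        print(should_block(u), analyze_url(u))
```

The third input shows why users are taught to read the TLD from the right: "microsoft.com" appears in the hostname, but the registered domain is com.top.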
Final Thoughts: The Importance of a Patched Human Firewall
“As defenders, we must be correct 100% of the time, whereas threat actors only need to succeed once.”
While security tools provide critical defense layers, history has shown that some threats will inevitably bypass automated defenses. Many of these incidents could have been prevented with an intelligence-informed, well-trained Human Firewall. Building a resilient organization requires both reactive and proactive cybersecurity measures.
Strengthen Your Cyber Defenses Today
At Ascent Solutions, we understand that each organization faces unique security challenges, which is why our Cyber Threat Intelligence as a Service (CTIaaS) delivers personalized, actionable intelligence that matters to your specific industry and infrastructure.
Our team of dedicated cybersecurity experts continuously monitors, analyzes, and interprets emerging threats across the global threat landscape. We transform complex threat data into clear, actionable insights that enable your security teams to make informed decisions and take proactive measures to protect your critical assets.
What sets our CTIaaS apart is our commitment to delivering time-sensitive, relevant intelligence that directly impacts your security posture. We don’t just provide generic threat feeds—we offer contextual analysis, detailed mitigation strategies, and ongoing support to ensure your organization stays resilient against sophisticated cyber attacks.
Don’t wait for a security breach to strengthen your cyber defenses. Take the first step toward comprehensive threat protection by reaching out to our team of cybersecurity experts today. Contact us at info@meetascent.com to schedule a consultation.