Sophisticated Ghost Phishing Attacks Hijack Business Emails, Bypass MFA

A sophisticated new "Ghost phishing" wave is targeting organizations by compromising legitimate business email accounts and inserting malicious requests into existing conversations. Using living-off-the-land tactics, AI-generated responses, and evasion techniques, these attacks bypass traditional filters and MFA, causing millions in losses. Organizations are adopting layered verification, behavioral analytics, and rigorous procedures to counter the threat.
Sophisticated Ghost Phishing Attacks Hijack Business Emails, Bypass MFA
Written by Ava Callegari

A new wave of phishing attacks known as Ghost phishing has security teams on high alert after researchers identified sophisticated campaigns that bypass traditional email filters with alarming success rates. According to a report published by The Hacker News, these attacks rely on compromised legitimate business accounts and advanced evasion techniques that make malicious messages appear completely authentic to both users and automated detection systems.

The campaigns first gained traction in early 2026 when multiple organizations reported unusual login attempts and financial losses traced back to seemingly internal communications. Attackers had taken control of business email accounts at partner companies and began sending messages that requested urgent wire transfers or credential updates. Because the emails originated from trusted domains and used correct internal terminology, recipients often clicked embedded links or downloaded attachments without hesitation.

Ghost phishing stands apart from standard phishing through its use of living-off-the-land tactics. Rather than creating fake domains that mimic legitimate ones, attackers compromise real accounts at small to medium businesses that frequently interact with larger enterprises. Once inside, they study existing email threads and communication patterns before inserting themselves into ongoing conversations. This approach allows them to reference specific projects, deadlines, and even personal details that build immediate credibility.

Security researchers examining these incidents discovered that attackers often maintain access for weeks before launching their final payload. During this observation period, they map out approval processes, identify key decision makers, and learn the normal flow of financial requests. When the time comes to strike, their messages blend perfectly with established conversation history, making them nearly impossible to spot through casual inspection.

One particularly effective variant involves the abuse of Microsoft 365 shared mailboxes and distribution lists. Attackers request access to these collaborative inboxes under the guise of temporary project needs, then use them to broadcast phishing messages that carry the authority of multiple internal stakeholders. Since shared mailboxes often have relaxed monitoring compared to individual accounts, malicious activity can persist undetected for extended periods.

The technical mechanisms behind Ghost phishing reveal careful planning and adaptation to modern security tools. Attackers employ HTML smuggling techniques that hide malicious links within seemingly benign document previews. When users hover over links or preview attachments, everything appears normal. Only after interaction does the true destination reveal itself, often redirecting through multiple legitimate-looking domains before landing on credential harvesting pages.

Another concerning element involves the integration of artificial intelligence to generate conversationally appropriate responses. Once initial contact succeeds, attackers use language models to continue dialogues that match the writing style and technical knowledge of the compromised account owner. This capability allows them to handle follow-up questions and maintain the deception across multiple email exchanges.

Organizations that fell victim to these attacks reported losses ranging from tens of thousands to several million dollars. In one documented case, a manufacturing firm lost $2.4 million after finance staff approved what appeared to be an updated vendor payment instruction sent from a long-term supplier’s compromised account. The message referenced specific invoice numbers and included scanned copies of legitimate purchase orders that attackers had obtained during their initial access phase.

Detection challenges stem partly from the way these attacks avoid common indicators of compromise. Traditional phishing emails often contain spelling errors, inconsistent branding, or suspicious URLs that security awareness training teaches employees to recognize. Ghost phishing messages display none of these flaws. They arrive from legitimate sending infrastructure, use proper grammar, and contain contextually relevant information that aligns with recent business activities.

Email security vendors have begun updating their detection models to address this threat vector. Advanced behavioral analysis now examines not just message content but also the relationship between sender and recipient, the timing of communications, and deviations from established patterns. However, sophisticated attackers continue to adapt by limiting the volume of messages sent from any single compromised account and carefully mimicking normal business rhythms.

Multi-factor authentication, while still essential, has proven insufficient as a standalone defense. Many Ghost phishing campaigns target users who already have MFA enabled by combining account compromise with session hijacking or prompt bombing techniques. Once attackers control an active authenticated session, they can access internal resources and send messages that carry all the proper authentication signals.

The human element remains the most difficult aspect to address. Even security-conscious employees can fall victim when messages appear to come from trusted colleagues discussing time-sensitive matters. The psychological pressure created by urgent requests for action, especially those that reference upcoming deadlines or potential financial penalties, often overrides normal verification procedures.

Companies responding to these threats have implemented several layered defenses. Strict verification protocols for financial transactions now require secondary confirmation through phone calls to known good numbers rather than email replies. Some organizations have adopted digital signing requirements for any request involving money movement, ensuring that alterations to approved processes trigger immediate alerts.

Employee training programs have evolved to include scenario-based exercises that simulate Ghost phishing attempts. Rather than generic phishing simulations, these exercises use real examples from recent campaigns and focus on the subtle cues that might indicate account compromise. Participants learn to verify unexpected requests through channels outside the email system, even when all technical indicators appear normal.

Technical controls have also advanced. Many security teams now monitor for anomalous mailbox access patterns, such as logins from unusual geographic locations or sudden increases in forwarding rules. Automated systems can temporarily quarantine suspicious messages while additional verification occurs, giving analysts time to investigate without disrupting legitimate business communications.

The financial services sector has been particularly hard hit by Ghost phishing due to the high value of successful attacks. Banks and investment firms report increased incidents where attackers pose as high-net-worth clients requesting immediate transfers. Because these messages often reference recent account activity that only legitimate users would know, they carry significant persuasive power.

Smaller businesses that serve as suppliers to larger corporations face elevated risks as well. Attackers frequently target these organizations first, knowing that a compromise at a trusted vendor can provide access to multiple enterprise customers. The asymmetric security capabilities between small suppliers and their large clients create opportunities that sophisticated threat actors actively exploit.

Looking ahead, experts anticipate that Ghost phishing will continue evolving as defensive measures improve. Future campaigns may incorporate more sophisticated social engineering that leverages information from professional networking sites and public business registries. Some researchers have already observed test messages that combine compromised accounts with deepfake audio calls to provide additional verification when email requests face skepticism.

The rise of these attacks highlights the need for fundamental changes in how organizations approach trust and verification in digital communications. Rather than assuming that messages from known accounts are legitimate, businesses must implement systems that verify the intent and authenticity of high-risk requests through multiple independent channels.

Security professionals recommend several immediate steps for organizations concerned about Ghost phishing. First, establish clear protocols for any financial transaction requests that arrive via email, regardless of the apparent sender. Second, regularly audit shared mailbox permissions and remove unnecessary access. Third, implement comprehensive logging of email rule changes and forwarding configurations to catch unauthorized modifications early.

Additionally, organizations should consider deploying email security solutions that analyze communication graphs and flag messages that deviate from normal interaction patterns. While no single tool can prevent all variants of this attack, combining behavioral analytics with strict procedural controls significantly reduces the likelihood of successful compromise.

The Ghost phishing wave represents a maturation of social engineering tactics rather than an entirely new technical vulnerability. By focusing on legitimate compromised accounts and patient observation of target environments, attackers have found ways to bypass many technological defenses that organizations spent years implementing. As these campaigns continue to develop, the most effective responses will combine updated technology with heightened awareness and rigorous verification procedures that extend beyond simple email inspection.

Business leaders must recognize that protecting against these sophisticated attacks requires investment in both technical capabilities and organizational processes. The cost of prevention remains far lower than the potential losses from a single successful incident, particularly as attackers refine their methods and expand their targeting to organizations of all sizes. Regular assessment of current defenses against these evolving threats should become a standard part of any security program moving forward.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us