A sophisticated spear phishing campaign that specifically targets CFOs (Chief Financial Officers) was recently uncovered by cybersecurity firm Trellix. This ongoing operation, first detected in mid-May 2025, has already affected organizations spanning Europe, Africa, Canada, the Middle East, and South Asia. The campaign’s method? A clever blend of social engineering and abuse of legitimate remote access software.
Anatomy of the Attack
The attackers impersonate representatives from reputable institutions and lure victims either with an enticing business proposition or with a straightforward phishing email. The messages contain a link that appears to point to a PDF document but instead redirects users to a Firebase-hosted web page. The malicious site employs a fake CAPTCHA mechanism, adding an extra layer of obfuscation intended to bypass automated email security filters.
Once the CAPTCHA is completed, the victim is prompted to download a ZIP archive containing a Visual Basic Script (VBS). When executed, this script deploys several tools and configurations to establish persistent, unauthorized access to the victim’s system.
Misuse of Legitimate Tools: NetBird and OpenSSH
Perhaps most alarming is the attackers’ use of NetBird, a legitimate remote access tool based on the WireGuard VPN protocol. This tool is not inherently malicious. In fact, it is designed for secure, encrypted connections. However, in this context, it’s used to provide covert access to compromised machines.
Alongside NetBird, the attackers install OpenSSH, create a hidden administrative account, enable Remote Desktop Protocol (RDP), and configure persistence techniques to maintain access even after system reboots. This hybrid approach, combining trusted software with deceptive delivery, underscores how attackers increasingly rely on “living off the land” tactics.
Scope and Reach
While Trellix characterizes the campaign as highly targeted, focusing specifically on CFOs and high-level financial executives, Proofpoint suggests the campaign could be more opportunistic than it appears. According to their data, over 2,200 phishing emails were sent to more than 300 organizations around the world. Affected industries include the banking, energy, insurance, and investment sectors, making this not only a high-stakes campaign but also one with potentially broad economic implications.
Why Executives Are Prime Targets
CFOs and finance executives are particularly attractive to attackers due to their access to sensitive financial systems, authorization capabilities for large transactions, and privileged data. Spear phishing campaigns tailored to these individuals are often more convincing and harder to detect than broader phishing attempts.
With more organizations using automation and summary tools like Gemini Email Summaries, there’s a growing opportunity to spot subtle anomalies in communication patterns. These solutions can highlight messages that deviate from regular sender behavior or include suspicious links, providing early warning signs even before users engage with malicious content.
Expert Recommendations
Security experts emphasize that technical defenses must be paired with user education and proactive monitoring. Here are key takeaways for organizations:
Tailored Awareness Training
Regularly update executive staff with training modules that simulate spear phishing scenarios. Education should be tailored to high-level roles.
Monitor Use of Legitimate Tools
Network activity involving tools like NetBird and OpenSSH should be carefully monitored, especially in departments with elevated access privileges.
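As an added example (not part of this article or of Trellix's report), here is a small correlation rule that implements the monitoring advice above against the post-delivery chain described under "Misuse of Legitimate Tools": it tags process-creation events by stage (script launched from a temp folder, NetBird install, OpenSSH install, hidden account, RDP enablement, persistence) and flags a host only when several stages stack within a short window, so a sanctioned NetBird or OpenSSH deployment on its own is not reported. The event layout, the sample events and the stage regexes are assumptions about how such activity commonly appears in endpoint telemetry, not indicators published for this campaign.

```python
import re
from collections import defaultdict

# Stage heuristics as regexes over the process command line. The patterns are
# assumptions about how each step commonly appears in endpoint telemetry, not
# indicators published for this campaign.
STAGE_PATTERNS = {
    "vbs_from_temp": re.compile(r"(wscript|cscript)\.exe.*\\Temp\\.*\.vbs", re.I),
    "netbird":       re.compile(r"netbird", re.I),
    "openssh":       re.compile(r"openssh|sshd", re.I),
    "hidden_admin":  re.compile(r"net1?\s+user\s+\S+\s+\S+\s+/add|SpecialAccounts\\UserList", re.I),
    "rdp_enabled":   re.compile(r"fDenyTSConnections", re.I),
    "persistence":   re.compile(r"schtasks.*/create|CurrentVersion\\Run\b", re.I),
}

# Constructed sample telemetry: (host, epoch seconds, parent image, command line).
# host-1 plays the victim; host-2 is a sanctioned, admin-deployed NetBird install.
SAMPLE_EVENTS = [
    ("host-1", 100, "explorer.exe", r"wscript.exe C:\Users\cfo\AppData\Local\Temp\proposal\invoice.vbs"),
    ("host-1", 105, "wscript.exe", r"msiexec.exe /i C:\Users\cfo\AppData\Local\Temp\netbird.msi /quiet"),
    ("host-1", 130, "wscript.exe", r"powershell.exe Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"),
    ("host-1", 140, "wscript.exe", r"net user svc_backup P@ssw0rd /add"),
    ("host-1", 141, "wscript.exe", r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v svc_backup /t REG_DWORD /d 0'),
    ("host-1", 150, "wscript.exe", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ("host-1", 160, "wscript.exe", r"schtasks /create /tn Updater /tr C:\ProgramData\nb\run.vbs /sc onlogon"),
    ("host-2", 500, "services.exe", r"C:\Program Files\NetBird\netbird.exe service run"),
]

def tag_events(events):
    """Map each event to the stages its command line matches, grouped by host."""
    by_host = defaultdict(list)
    for host, ts, parent, cmd in events:
        for stage, pattern in STAGE_PATTERNS.items():
            if pattern.search(cmd):
                by_host[host].append((ts, stage, parent))
    return by_host

def correlate(events, window=600, min_stages=3):
    """Flag hosts where at least `min_stages` distinct stages occur within `window`
    seconds of the host's first hit. A lone NetBird or OpenSSH install stays below
    the threshold, so sanctioned use is not reported; the stacked chain is."""
    findings = {}
    for host, hits in tag_events(events).items():
        hits.sort()
        start = hits[0][0]
        stages = {stage for ts, stage, _ in hits if ts - start <= window}
        if len(stages) >= min_stages:
            findings[host] = sorted(stages)
    return findings
```

Calling `correlate(SAMPLE_EVENTS)` reports only host-1, with all six stages; host-2's lone NetBird service start stays below the threshold, and shrinking `window` to 10 seconds drops host-1 as well.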
Update Incident Response Protocols
Ensure your response plans are designed to quickly detect, isolate, and remove threats that use both social engineering and technical exploits.
Leverage AI-Powered Security Tools
Implement solutions like Gemini Email Summaries to monitor for abnormal communication behavior across inboxes and flag high-risk messages before they reach decision-makers.
Final Thoughts
This spear phishing campaign targeting CFOs is another example of cybercriminals’ commitment to evolving their tactics, merging psychological manipulation with technical sophistication. By abusing trusted tools and targeting high-ranking executives, they increase their chances of success while evading traditional detection methods.
Organizations must remain vigilant, combining behavioral analytics, security automation, and executive education to stay ahead. In an age where the inbox is often the weakest link, even CFOs must treat every email as a potential threat.