A fraudulent impersonator using artificial intelligence has targeted high-level U.S. officials by mimicking the voice and writing style of Secretary of State Marco Rubio. The individual has successfully contacted several foreign ministers, a U.S. governor, and a member of Congress, attempting to manipulate them for access to sensitive information. According to a senior U.S. official and a State Department cable obtained by The Washington Post, the impersonation campaign began in mid-June with the creation of a Signal account under a name resembling Rubio’s official email. The FBI has warned of an ongoing malicious messaging campaign using AI-generated voice messages, aimed at eliciting information or funds from senior government leaders. Experts suggest that such impersonation tactics require minimal technical skill, as they often exploit lax data security among government officials. Hany Farid, a digital forensics professor, emphasizes the ease of impersonation once voice samples are obtained, highlighting the vulnerabilities in secure communication channels.
Hackers are exploiting Microsoft 365’s Direct Send feature to launch phishing attacks, impacting over 70 organizations primarily in the United States. This method allows attackers to send emails that appear to originate from legitimate internal addresses without needing to compromise any accounts. According to researchers at Varonis, since May, attackers have leveraged this feature, which is intended for internal use and does not require authentication, to deliver phishing emails. The emails can bypass traditional security measures, as they are treated as internal traffic by Microsoft’s filtering systems. Varonis has noted unusual email activity associated with alerts for abnormal geolocation, indicating that organizations must enhance their security measures, such as enabling “Reject Direct Send” and implementing strict email policies, to mitigate these threats.
A recent study from the University of Chicago and the University of California San Diego reveals that traditional phishing awareness training is largely ineffective in preventing employees from falling victim to cyberattacks. The research, which involved 19,789 personnel over an eight-month period, found that most standard training programs do not significantly improve employees’ ability to identify phishing emails, and in some cases, they may even increase the likelihood of falling for such scams. In fact, employees subjected to cybersecurity awareness training showed only a 1.7% improvement in their ability to recognize phishing attempts. The study emphasized that interactive training was the most effective method, reducing the likelihood of clicking on phishing links by 19%. Conversely, static training sessions yielded no benefits, with many participants disengaging almost immediately. This research underscores a critical shift in how organizations may need to rethink their approach to cybersecurity training and invest more in technical solutions rather than relying solely on employee awareness.
Why do we care?
If attackers can convincingly fake the voice and style of a U.S. Secretary of State, imagine how trivial it is to spoof a CEO, CFO, or IT director. This raises the stakes for MSPs managing executive communications security and reinforces the need for verification protocols (multi-channel confirmations, anti-spoofing tools).
Attackers are exploiting a built-in feature to send internal-looking phishing emails without compromising accounts. This bypasses the trust model many organizations rely on in Microsoft environments. For MSPs, it’s a reminder that secure email configurations (disabling Direct Send where possible, enforcing SPF/DKIM/DMARC) are non-negotiable.
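A minimal triage check for the internal-looking phishing described above, as an added example (not code from Varonis, Microsoft, or this page). It assumes the receiving mail system stamps an RFC 8601 `Authentication-Results` header; the domains and sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}  # assumption: the organization's own mail domains

def classify(raw: str) -> str:
    """Classify one raw message by its From domain and stamped DMARC verdict."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() not in ORG_DOMAINS:
        return "external"  # not claiming to be one of our own users
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            # Keep the first (topmost, most recently added) verdict per method.
            verdicts.setdefault(method.lower(), result.lower())
    # SPF alone can pass for an unrelated envelope domain; DMARC ties the
    # verdict to the visible From domain, so it is the one checked here.
    if "dmarc" not in verdicts:
        return "no-auth-data"  # e.g. mail that never crossed the stamping gateway
    return "authenticated" if verdicts["dmarc"] == "pass" else "suspect"

def build(sender: str, auth: str = "") -> str:
    """Assemble a constructed sample message (illustrative helper)."""
    headers = [f"From: {sender}", "To: alice@example.com", "Subject: New voicemail"]
    if auth:
        headers.insert(0, f"Authentication-Results: mx.example.com; {auth}")
    return "\n".join(headers) + "\n\nbody\n"

# Constructed samples, not real traffic.
SAMPLES = {
    "spoofed-internal": build('"IT Helpdesk" <helpdesk@example.com>',
                              "spf=softfail smtp.mailfrom=example.com; dkim=none; "
                              "dmarc=fail header.from=example.com"),
    "signed-internal": build("bob@example.com",
                             "spf=pass smtp.mailfrom=example.com; dkim=pass; "
                             "dmarc=pass header.from=example.com"),
    "partner": build("carol@example.net", "spf=pass; dkim=pass; dmarc=pass"),
    "no-header": build("dave@example.com"),
}

def report() -> dict:
    return {name: classify(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:18} {verdict}")
```

Messages returned as `suspect` claim an internal sender without passing DMARC and are the ones to review or quarantine; `no-auth-data` needs a separate source of truth, since the header was never stamped.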
The University of Chicago/UCSD study underscores a brutal truth: check-the-box training doesn’t work. Static slide decks and periodic quizzes won’t stop modern attacks. Interactive simulations show promise, but the bigger takeaway is that technical controls (advanced filtering, Zero Trust, identity protection) must carry more weight than end-user vigilance alone.
This is a triple wake-up call for IT service providers:
- Expect AI-driven social engineering to go mainstream – Start discussing voice deepfake and text spoofing risks with clients now.
- Audit Microsoft 365 environments for risky defaults – Direct Send isn’t the only feature attackers will weaponize.
- Rethink security training programs – If you’re reselling or running awareness training, shift toward interactive simulations and couple them with technical solutions.

