The Red Team Report: Are organizations ready for AI-powered email attacks?

The Red Team attack simulation featured AI-powered phishing, the ClickFix scam and MFA bypass

Key takeaways

• An attack simulation using widely available tools shows it can take just five minutes for an AI-driven phishing attack to escalate into endpoint compromise and attacker persistence, while evading traditional security controls.
• The attack simulation chained a phishing email, ClickFix scam and multifactor authentication (MFA) bypass.
• The findings underscore the urgent need for continuous, real-time, automated security across the full attack lifecycle.

Barracuda Managed XDR’s Red Team runs internal simulations of real-world threats, providing security teams and researchers with insight into how attacks unfold. The Red Team Report is part of Barracuda Research — Barracuda’s threat intelligence arm.

The components of the attack chain

The Red Team attack simulation focused on the following threats:

AI-powered phishing: Attackers are using large language models (LLMs) to create highly convincing, personalized messages at scale, without the spelling errors or obvious red flags users were trained to spot. What once required skilled threat actors can now be done by anyone in minutes.

ClickFix: ClickFix scams are part of a rapidly evolving attacker toolkit. They trick users into running malicious commands by presenting fake error messages or “fix” instructions that appear legitimate. Instead of relying on downloads or traditional malware delivery, attackers manipulate targets.  

The modern attackers’ toolkit also features other, similar, tactics, such as fake login portals, QR code phishing or malicious app permissions, using AI to boost speed and volume and maximize the likelihood that users comply.

MFA bypass: Many attackers — including most phishing kits — use adversary-in-the-middle (AitM) techniques to evade authentication defenses such as multifactor authentication (MFA). Put simply, they insert themselves between the victim and the software application and intercept the login process in real time to capture credentials and session tokens. 

Illustration of the five minutes taken from the first phishing click to full compromise and persistence

The anatomy of a modern, multi-stage email attack

Stage 1: The phishing email

In our simulated scenario, we used a widely available LLM to craft a realistic-looking email with a SharePoint document notification.

Our AI prompt was simple: Impersonate a Microsoft SharePoint notification informing the target that a colleague has shared a compliance document requiring immediate review. 

The initial email attack flow. AI-generated image for illustration purposes.

The LLM produced an email that was structurally indistinguishable from a legitimate SharePoint notification: correct formatting, appropriate tone, realistic metadata, and a plausible business context. The entire process took just minutes.

The AI-generated phishing email

Several elements make this email effective, and none of them rely on the victim being careless. They include the use of terms with authority and urgency, such as “violation” and warnings of account suspension. This pressures the target into acting rather than scrutinizing the message.

The presentation is brand-perfect: inline-embedded images, Microsoft's exact color scheme (#0078d4), Segoe UI typography, and a pixel-perfect privacy footer all match genuine Microsoft emails.

The "Verify Identity" button points to the attackers’ interception (AitM) proxy domain. At first glance, the URL looks legitimate, although a vigilant user might catch the anomaly. However, it is buried behind a button that most users will click without inspecting.

Stage 2: Credential and session theft

The phishing email lands in the user’s inbox at 21:14 UTC.

Our target clicks the link 21 minutes later, at 21:35 UTC. They are presented with a login page that looks like the real Microsoft page because, functionally, it is. However, the page is controlled by the AiTM phishing framework Evilginx. Evilginx sits in the middle capturing everything the user enters.

Within 60 seconds the user has entered their credentials, at 21:36 UTC.

The login page for an adversary-in-the-middle attack

Evilginx relays those credentials to login.microsoftonline.com and waits for Microsoft's response. For both Microsoft and the user, this appears to be a normal login attempt.

By now, the victim’s credentials have been compromised, but that's not the real prize for the attackers.

At 21:37 UTC the user receives a response from Microsoft asking for MFA.

Microsoft’s MFA request is intercepted by Evilginx, which passes it on to the victim. The user opens their Authenticator app and completes MFA as they probably do multiple times every day.

Microsoft authenticates the user and returns a session cookie. With Evilginx sitting in the middle, the session cookie goes to the attackers first, then gets forwarded along.

Within two minutes of the victim clicking the phishing link, at 21:37 UTC, Evilginx has captured their username and password, the cookie and the session details. 

Email, password and session cookie stolen by Evilginx

In the guise of the attackers, we open our own browser, paste the stolen session cookie in, and navigate to outlook.office.com. Microsoft sees a valid, authenticated session and serves up the mailbox. From Microsoft's perspective, this is just the user continuing their session.  

Attackers have full access to compromised account.

We are now inside the account. As attackers, we can read email, send email as the user, access SharePoint and OneDrive, create inbox rules to hide our activity (see below), and consent to malicious OAuth apps for persistence even after the session expires.

Stage 3: ClickFix execution

In our simulation, we added an additional layer to the AiTM attack. The victim is asked to perform additional verification steps before access is granted.

At 21:38 UTC, a new window appears:

A typical ClickFix prompt masquerading as a “quick fix” to verify the victim’s identity before login

Within a minute, at 21:39, the victim has clicked on the “Copy Verification Code” button, resulting in the command we have crafted being pasted into their clipboard.

They follow the next two steps on the prompt, not realizing that they have triggered a web request to download and execute a PowerShell script that is hosted on another machine.

Under the hood, this technique uses a method called “clipboard hijacking.” This removes the need to persuade the victim to manually “copy” the command and helps to keep it hidden.

In more aggressive variants, the code is copied to the victim’s clipboard when they visit the page without any other interaction needed. This is all done with a few lines of JavaScript, as seen below:

JavaScript used to copy text upon mouse movement — no other user interaction required

Once the payload is copied onto the clipboard, the next few steps rely on well-known Windows keyboard shortcuts. These include:

• “Win+R,” which opens a tool used to quickly access applications or specific locations within Windows. This tool will be familiar to System Administrators, but not to non-technical users.
• “Win + V,” a frequently used shortcut to paste content into the Clipboard. The user just presses “Enter” once the content is pasted into the open box. This launches a PowerShell command or a command prompt that chains into PowerShell.

A technical breakdown of a ClickFix payload seen in the wild

Notes for technical teams on characteristics that are often found in these commands:

• Execution policy bypass to skip script execution warnings or any confirmation prompts from appearing. Look for: -ep bypass, -ExecutionPolicy Bypass, -ex b
• Obfuscated commands, including Backticks (for PowerShell) and quotations (for CMD). They are generally ignored by the terminal. Concatenation has also been observed.
• Execution chaining, typically involving CMD into PowerShell.
• Flags to ensure windows are hidden upon launch. For example, “-WindowStyle Hidden” in PowerShell, which can be abbreviated to as little as “-w h” or “headless” in the command prompt.
• Web requests, including but not limited to PowerShell “Invoke-Webrequest”, “iwr”, “DownloadString”, “Start-BitsTransfer”.
• Call to an external website. This appears as both hardcoded IP addresses or newly registered domains that are used as command-and-control servers or staging servers that are hosting malware.

Stage 4: Establishing persistence

Once the command is successfully executed, the activity can head in different ways depending on the attackers and their goals.

Our team created a quick and simple script that establishes persistence via WMI Event Subscriptions. This starts at 21:40 UTC — five minutes after the victim opened the phishing email. It runs as follows: a (for simulation purposes, harmless) schedule is set on a 60-second interval to create and append to a txt document. In a real incident, this script would likely contain a delivery mechanism that fetches the payload, enabling it to evade disk-based detection.

Popular methods of persistence include:

• Scheduled tasks: The payload creates a scheduled task that re-executes on user login or at set intervals with elevated privileges, often leveraging LOLBins (legitimate Windows utilities like powershell.exe, mshta.exe, rundll32.exe, or cmd.exe) to evade detection. These tasks persist through system restarts.
• Registry run keys: The payload adds a registry value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (or RunOnce for single execution). On user login, Windows automatically executes whatever is referenced in these keys.
• WMI event subscriptions: Using PowerShell, the attackers create a new task using the “Set-WmiInstance” cmdlet, defining when the task triggers and what the task is. This is a more elusive method of scheduling jobs compared to Scheduled Tasks, as they are more difficult to view, do not generate as many logs, and are often overlooked initially by incident response tools.

Stage 5: The attack unfolds — privilege escalation, data exfiltration, encryption, and more

Once the attackers have a reliable means of access to the network, they will try to gain privileged access to the environment. If they’re successful, they can progress their attack to include data exfiltration, destruction or encryption, and more — all enabled by the success of the initial access phishing email.

Practical steps to stay safe

To reduce risk exposure and mitigate the impact of an attack, organizations are advised to implement the following:

• Phishing-resistant MFA (like security keys). Hardware keys only work on legitimate websites, so attackers can’t trick users into logging in via fake pages and then stealing their sessions. Such keys include YubiKeys, which provide users with protection against proxy sites. YubiKeys use FIDO2/WebAuthn, a protocol that binds authentication to the specific domain the user is visiting.
• Lock down email authentication (through the industry standards of DMARC, SPF and DKIM). Domain-based Message Authentication, Reporting & Conformance (DMARC) is the overarching policy layer for tools that check if a sender’s IP is authorized to send on behalf of a domain and verify that the message wasn't tampered with in transit. Properly configured DMARC helps block spoofed emails before they reach users.
• Train users to stop and verify unusual requests. Especially anything that asks them to paste commands, “fix” errors or urgently log in.
• Don’t rely on users spotting bad emails. AI-generated phishing looks realistic and error-free, so security tools must do more of the detection heavy lifting.
• Monitor for suspicious login sessions and behavior. AiTM attacks use stolen session tokens, so look for logins from unusual locations or devices or at irregular times for that user.
• Block or restrict risky system behaviors. Limit access to tools like PowerShell, clipboard access, and “Run” commands wherever possible to reduce ClickFix-style attacks.
• Watch for persistence tricks after compromise. Attackers often add inbox rules, scheduled tasks or background scripts to stay hidden after login.
• Use continuous, automated, intelligent layered security. No single control stops advanced, evasive email attack chains — you need visibility and mitigation capabilities at every stage of the attack lifecycle.

How Barracuda can help

Barracuda helps organizations defend against advanced email attacks by combining protection and cyber resilience across email, applications, data, and networks. For further information and product insight, see BarracudaONE, Barracuda Integrated Email Protection and Barracuda Managed XDR. Barracuda Managed XDR also offers Automated Threat Response (ATR) for email, accelerating real-time containment of threats at the inbox level.

Indicators of Compromise

Endpoint IOCs

All the following can be detected via 4688 logs (ensure command line auditing is enabled) or via most endpoint solutions.

• Hidden window flags: -w hidden, -w h, headless
• Obfuscated command lines: Backticks, concatenation, and base64 encoding
• Call to external webpages, often newly registered, accompanied by data transfer commands: curl -O https://example.com and DownloadString, iwr, WebClient
• WMI subscriptions: wmiprvse.exe spawning cmd or Powershell at regular intervals
• Suspicious process tree: Explorer.exe spawning cmd.exe or powershell.exe, clear indicator that the command was executed via the Run dialog box. Nested commands are common: Explorer.exe à cmd.exe à powershell.exe

Email IOCs

• Bulletproof hosting providers: VPNs are commonly associated with suspicious activity, but they are also widely used in legitimate enterprise environments worldwide, which makes them a noisy indicator on their own. A more telling trend Barracuda Managed XDR has been tracking is the rise of bulletproof hosting providers. These are used widely for malicious activity, and the list is likely to include DigitalOcean, PacketHub S.A., Clouvider Limited, ReliableSite LLC, DataCamp Limited, and more.
• Inbox rules: One of the most common post-exploitation actions observed in our SOC is the creation of malicious inbox rules. These are designed to silently filter, hide or redirect specific messages so the victim remains unaware that their account has been taken over.
  • Keyword-based filtering rules to automatically move, mark as read or delete any incoming message containing terms relating to the attack like hacked, suspicious, fraud, unauthorized, payment, invoice, etc.
  • Auto-forwarding rules that quietly send copies of messages matching financial keywords to an attacker-controlled external address.
  • Move-to-folder rules that relocate sensitive messages into rarely checked folders like RSS feeds, Conversation History and Archive.

Since these rules operate silently and persist even after password resets (unless explicitly removed), detecting and remediating malicious inbox rules is a critical step in any email compromise investigation.