In our tests, we used two configurations: a general productivity profile and a more stringent profile that includes email safety instructions that tell agents to be wary of phishing and to verify the identity of senders before acting on sensitive requests. Varonis said agents still failed in some scenarios, especially when requests from colleagues appeared to be routine or urgent business tasks.
“In some cases, Pinchy not only failed to detect phishing attacks, but also carried out risky actions that could compromise real-world organizations,” the cybersecurity firm said in the report.
In one test, Pinchy transferred AWS IAM keys, database passwords, and SSH access details to an external Gmail account after receiving what appeared to be a routine request from a colleague for staging credentials.
In another test, the attacker asked agents to submit their latest customer exports for a quarterly business review presentation. Pinchy obtained and transferred CRM exports containing details about 247 business customers, including company name, contact information, contract dates, customer tiers, and approximately $1.28 million in monthly recurring revenue data.
