Emergency "break-glass" accounts designed for disaster recovery often have monitoring intentionally disabled to ensure availability during crises. Attackers discover and use these accounts because the lack of alerts makes them invisible. Organizations are implementing temporary, audited break-glass procedures with automatic alerting after emergency windows expire.
Many organizations use shared mailboxes (support@, info@, noc@) that multiple employees access. These accounts often have weaker MFA or none at all. Attackers compromise one shared mailbox and gain access to password resets, customer data, and internal communications meant for the entire team without ever touching an individual account.
Attackers trigger thousands of SMS authentication messages to phone numbers they control, earning revenue from carrier fees paid by the sending organization. Some campaigns have generated six-figure monthly costs for victims. SMS-based MFA and notification systems now require rate limiting and anomaly detection on message volume per number.
Attackers spoof internal phone numbers and use AI voice generation to impersonate employees calling the help desk for password resets. Help desk staff, trained to trust caller ID, bypass verification protocols. Organizations now require callback verification or out-of-band confirmation for any credential change request made over the phone.
Scalable Vector Graphics files can contain embedded JavaScript, CSS, and external references. Attackers send malicious SVG files as "harmless images." Security scanners expecting binary image formats miss the executable code inside. SVG files have become a preferred vector for cross-site scripting and drive-by download attacks.
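A content-aware check of the kind described above, added here as an example and not taken from the original page: it parses the SVG as XML and flags active elements, event-handler attributes, script-scheme URLs, external references and entity declarations, rather than trusting the file extension. The element and attribute lists and the sample files are constructed for illustration; Python's standard `xml.etree` parser is assumed.

```python
"""Content-aware SVG check: flag active content and external references (added example)."""
import re
import xml.etree.ElementTree as ET

# Elements that run code or pull in foreign content (compared by local name),
# and attributes whose value is a URL that may point off-site or use a script scheme.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src", "data"}
SCRIPT_SCHEME = re.compile(r"^\s*(?:(?:javascript|vbscript)\s*:|data\s*:\s*text/html)", re.I)
EXTERNAL_URL = re.compile(r"^\s*(https?:)?//", re.I)
CSS_FETCH = re.compile(r"@import|url\s*\(", re.I)


def _local(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    # Entity declarations (XXE tricks) live in the prolog, so check the raw bytes first.
    if b"<!ENTITY" in data[:4096].upper():
        findings.append("DOCTYPE declares entities")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        if tag == "style" and el.text and CSS_FETCH.search(el.text):
            findings.append("<style> block fetches resources")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "style" and CSS_FETCH.search(value):
                findings.append(f"inline style on <{tag}> fetches resources")
            elif name in URL_ATTRS and SCRIPT_SCHEME.match(value):
                findings.append(f"script-capable URL in {name} on <{tag}>")
            elif name in URL_ATTRS and EXTERNAL_URL.match(value):
                findings.append(f"external reference in {name} on <{tag}>: {value}")
    return findings


# Constructed samples, not taken from any real file or campaign.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
SUSPECT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
               b' onload="void(0)"><script>/* constructed placeholder */</script>'
               b'<image xlink:href="https://tracker.example/beacon.png"/>'
               b'<a href="javascript:void(0)"><text>open</text></a></svg>')
```

Run `scan_svg()` over uploaded or inbound SVG bytes and treat any non-empty result as a reason to quarantine or rasterize the file instead of serving it inline.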
Attackers embed commands into favicon.ico files served from legitimate, compromised websites. A victim's malware requests the favicon normally (as every browser does for every site), extracts commands from the image metadata or pixels, and executes them. This traffic blends perfectly with legitimate web browsing.
Real-time communication features in modern browsers expose local and public IP addresses to websites regardless of VPN activation. Attackers use this to de-anonymize users, map home IPs to corporate accounts, and bypass geofencing. VPN-only protection models now require browser-level WebRTC disabling or forced proxy routing.
Attackers who compromise any device synced to a victim's browser profile (Chrome/Firefox across phone, work laptop, home computer) can extract session tokens for every logged-in site from the sync servers. A compromised personal device leads directly to corporate application access, bypassing all endpoint controls on the work device.
Attackers create PWAs that look exactly like banking apps, password managers, or corporate portals. When victims "install" them from the browser, the PWA launches in its own window with a legitimate-looking address bar and no browser warnings, making it indistinguishable from a real application downloaded from an official store.
Attackers now design emails where malicious payloads trigger on mouse hover rather than click. Traditional link scanners follow URLs only when clicked, leaving hover-triggered attacks undetected. Security teams are implementing JavaScript-based hover event inspection, which creates significant performance overhead.