Researchers documenting a social engineering assessment found that C-suite targets who would never click a password reset email responded immediately to a fake news story about their company.
What happened
Security researchers conducting a social engineering assessment against a large organization successfully compromised C-suite executive accounts using a carefully constructed fake journalist persona rather than a standard phishing lure. According to Cyberpress, the assessment began with open-source intelligence gathering on the target organization's public communications, where researchers found a press release announcing a major new facility construction project. Using that real corporate milestone as the hook, researchers crafted a fake anonymous tip alleging improper disposal of hazardous waste at the construction site, an environmental controversy framed as posing immediate reputational damage to the organization. They then researched local news outlets, impersonated a real reporter, and registered a ProtonMail account under the journalist's name, exploiting that email provider's association with whistleblowers and investigative journalists to add passive credibility to the persona.
Going deeper
The attack unfolded in stages specifically designed to build trust before any malicious link was delivered. Initial emails to each C-suite member were text only, requesting comment on the alleged incidents and stating the story would be published with or without a company response. Asking for comment before providing any links made the sender appear to be a real human rather than an automated system, and created psychological pressure on executives to act quickly to protect the company's reputation. Only after this trust-building exchange did the researchers introduce links to materials related to the supposed investigation. Those links led through an adversary-in-the-middle framework that harvested authenticated session cookies, bypassing multi-factor authentication entirely by intercepting the session after the victim completed their real login. Researchers noted that framing the alleged incidents as occurring across a longer timespan, rather than blaming specific individuals, reduced the risk of executives making internal calls that would have exposed the deception before the link was clicked.
What was said
Researchers stated in their assessment cited by Cyberpress that "gaining privileged access at a large organization often requires targeting the C-suite," but that high-level executives "are constantly bombarded with generic malicious emails, making standard password reset lures highly ineffective." Researchers described the journalist impersonation approach as combining "deep OSINT research, psychological pressure, and [Adversary in the Middle] AiTM frameworks" to "trick even the most vigilant corporate leaders," and concluded that "as technical perimeters continue to harden, continuous security awareness training and strict communication policies remain the ultimate line of defense against targeted executive compromises."
In the know
Executive-targeted phishing has moved toward increasingly sophisticated social engineering as standard lures lose effectiveness against security-aware leadership teams. According to BleepingComputer, the VENOM phishing-as-a-service platform documented in April 2026 specifically targeted CEOs, CFOs, chairmen, and VP-level executives across more than 20 industry verticals, using SharePoint document-sharing lures and QR codes delivered through financial report themes. That campaign combined AiTM credential harvesting with device code phishing to capture authentication tokens that survive password resets. The journalist impersonation technique documented in this assessment takes a different approach but arrives at the same endpoint: a session cookie or authentication token captured through AiTM infrastructure that gives the attacker full account access regardless of MFA.
The big picture
Healthcare executives make particularly high-value targets for the journalist impersonation technique because the sector generates genuine regulatory controversy, litigation, and public accountability stories. A fake anonymous tip alleging patient safety failures, improper billing, or HIPAA violations at a hospital or health system would carry the same urgency and reputational threat as the construction site scenario documented in this assessment. Healthcare CEOs and CFOs regularly receive legitimate media inquiries about compliance matters, breach disclosures, and regulatory investigations, which means a fake journalist inquiry fits naturally into the communications they already process. According to KnowBe4's April 2026 phishing trends report, 86% of phishing campaigns now involve AI in some form, and AI-assisted OSINT can surface the specific corporate events and public statements needed to construct credible journalist personas at a scale and speed that were not previously possible.
FAQs
Why do executives respond to journalist impersonation when they ignore standard phishing?
Executives are trained to be skeptical of IT-themed lures but are not trained to treat media inquiries as potential security threats. A journalist seeking comment on a damaging story creates a different psychological dynamic: the executive's instinct is to manage the company's reputation, not to verify the journalist's identity through a separate channel before engaging.
What is open-source intelligence and how is it used to build credible fake personas?
Open-source intelligence, or OSINT, refers to information gathered from publicly available sources including company websites, press releases, social media, news archives, and corporate filings. Attackers use OSINT to identify real corporate events, find the names of actual journalists who cover the target organization, and anchor their deception in facts the executive will recognize and believe.
How does an adversary-in-the-middle attack capture credentials even when MFA is enabled?
An AiTM attack places attacker-controlled infrastructure between the victim and the legitimate login page. The victim completes their real login including any MFA step, and the attacker's infrastructure captures the session cookie issued after authentication. That cookie allows the attacker to access the account as the authenticated user without repeating the MFA challenge.
Why is ProtonMail specifically chosen for this type of impersonation?
ProtonMail is widely associated with whistleblowers, investigative journalists, and privacy-conscious sources. An inquiry arriving from a ProtonMail address signals to a recipient that the sender is deliberately protecting their identity, which fits the narrative of a journalist handling a sensitive tip. That association adds credibility to the persona without requiring the attacker to compromise a real news organization's email infrastructure.
What policy controls reduce the risk of executive-targeted journalist impersonation attacks?
Establishing a clear internal protocol requiring any unexpected media inquiry to be routed through communications or legal counsel before executives respond removes the individual executive's judgment from the equation. Training that specifically covers journalist impersonation as a social engineering vector, rather than focusing exclusively on IT-themed phishing, addresses the specific gap this technique exploits. Phishing-resistant MFA eliminates the value of any session cookies captured through AiTM infrastructure regardless of how convincing the lure was.
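To show why phishing-resistant MFA is the control that defeats the AiTM session capture described above, here is an added Python example (not code from the assessment or from Cyberpress) of the relying-party checks a login service runs on the clientDataJSON half of a WebAuthn assertion. The browser, not the page, fills in the origin field, so an assertion produced on a relay host fails the origin check and no session cookie is ever minted; EXPECTED_ORIGIN, the relay host and the browser stand-in are assumed, constructed values.

```python
import base64
import json
import secrets

# Origin the legitimate login service expects in every assertion (assumed value).
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url as used throughout WebAuthn."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def browser_client_data(page_origin: str, challenge: bytes) -> str:
    """Constructed stand-in for the clientDataJSON a browser builds for
    navigator.credentials.get(). The browser sets 'origin' from the page that
    made the call; a page relayed through another host cannot forge it."""
    return b64url_encode(json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": page_origin,
    }).encode())


def verify_client_data(client_data_b64: str, expected_challenge: bytes,
                       expected_origin: str = EXPECTED_ORIGIN) -> tuple[bool, str]:
    """Relying-party checks run before any session cookie is issued. Signature
    verification over authenticatorData and hash(clientDataJSON) is the separate
    next step and is not shown here."""
    try:
        data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "clientDataJSON is not valid base64url JSON"
    if not isinstance(data, dict) or data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    try:
        challenge = b64url_decode(str(data.get("challenge", "")))
    except ValueError:
        return False, "challenge is not valid base64url"
    if not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch: replayed or not issued to this session"
    if data.get("origin") != expected_origin:
        # This is the check that stops an AiTM relay: the assertion was produced
        # for a different origin, so the login fails and there is no session to steal.
        return False, f"origin mismatch: {data.get('origin')!r}"
    return True, "ok"
```

Calling verify_client_data on browser_client_data(EXPECTED_ORIGIN, chal) with a fresh chal returns (True, "ok"), while the same assertion built for any other page origin is rejected with an origin mismatch.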
