In a recent report titled “Trusted emails are weaponised for attacks”, IT-Online highlighted a disturbing new reality: attackers are increasingly using trusted internal or partner emails to deliver phishing and ransomware payloads. (Source: IT-Online)
Cisco Talos found that 75% of phishing attacks in Q2 2025 came not from random outsiders, but from compromised legitimate accounts. This trend makes traditional security measures far less effective. When an email comes from a known contact or familiar domain, users tend to trust it — and that trust is being exploited.
The report warns that attackers are now weaponizing trust itself, bypassing filters and fooling even the most cautious employees. Once a single account is compromised, attackers spread laterally, establish persistence, and deploy ransomware with devastating results.
Emails from trusted senders often slip past security filters. Even multi-factor authentication can fail to stop an attacker who already controls a legitimate account. This gives them direct access to corporate systems and communications.
Half of the incidents in Q2 2025 involved ransomware. Attackers first steal credentials, move laterally across the network, and only then unleash encryption tools. By the time detection occurs, it’s too late — systems are already compromised.
Attackers are increasingly using built-in system tools such as PowerShell v1.0 to execute commands. These tools appear legitimate to most security systems, making detection difficult.
Once inside, attackers send further phishing emails from compromised internal accounts. Known as “lateral phishing,” this technique helps expand their control and makes containment harder.
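Lateral phishing leaves a footprint in outbound mail-gateway logs: a compromised account abruptly sends the same subject line to many recipients it has never written to before. The following Python is an added illustration, not code from the IT-Online report, Cisco Talos or AppGuard. It runs two heuristics over constructed log lines (timestamp, sender, recipient, subject): it learns each sender's usual correspondents from a baseline period, then flags any burst within a ten-minute window that reaches a minimum number of distinct recipients with the same subject where most recipients are new to that sender. The log format, thresholds and addresses are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-mail log lines (not real data). Format, one event per line:
# <ISO timestamp> <sender> <recipient> <subject ...>
# Days 10-11 form the baseline; on day 12 "alice" (assumed compromised) blasts a
# lure to six new recipients, while "bob" sends his usual "Team update" to
# correspondents already in his baseline.
SAMPLE_LOG = """\
2025-06-10T08:02:11 alice@corp.example bob@corp.example Re: Q2 budget
2025-06-10T08:15:40 alice@corp.example carol@partner.example Invoice 4471
2025-06-10T09:30:05 bob@corp.example alice@corp.example Re: Q2 budget
2025-06-10T09:31:00 bob@corp.example dave@corp.example Team update
2025-06-10T09:31:01 bob@corp.example erin@corp.example Team update
2025-06-10T09:31:02 bob@corp.example frank@corp.example Team update
2025-06-10T09:31:03 bob@corp.example grace@corp.example Team update
2025-06-11T10:01:00 alice@corp.example bob@corp.example Lunch?
2025-06-12T03:12:01 alice@corp.example dave@corp.example Shared document - action required
2025-06-12T03:12:02 alice@corp.example erin@corp.example Shared document - action required
2025-06-12T03:12:02 alice@corp.example frank@corp.example Shared document - action required
2025-06-12T03:12:03 alice@corp.example grace@corp.example Shared document - action required
2025-06-12T03:12:04 alice@corp.example heidi@corp.example Shared document - action required
2025-06-12T03:12:05 alice@corp.example ivan@partner.example Shared document - action required
2025-06-12T09:00:00 bob@corp.example alice@corp.example Team update
2025-06-12T09:00:01 bob@corp.example dave@corp.example Team update
2025-06-12T09:00:02 bob@corp.example erin@corp.example Team update
2025-06-12T09:00:03 bob@corp.example frank@corp.example Team update
2025-06-12T09:00:04 bob@corp.example grace@corp.example Team update
"""

BASELINE_CUTOFF = datetime(2025, 6, 12)  # events before this train the baseline


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, sender, rcpt, subject = line.split(" ", 3)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "sender": sender.lower(),
            "rcpt": rcpt.lower(),
            "subject": subject.strip(),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def build_baseline(events, cutoff):
    """Known correspondents per sender, learned from events before the cutoff."""
    known = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff:
            known[e["sender"]].add(e["rcpt"])
    return known


def detect_lateral_phishing(events, cutoff, window=timedelta(minutes=10),
                            min_recipients=5, min_new_fraction=0.6):
    """Flag same-subject bursts to mostly unfamiliar recipients after the cutoff."""
    known = build_baseline(events, cutoff)
    groups = defaultdict(list)  # (sender, subject) -> time-ordered events
    for e in events:
        if e["ts"] >= cutoff:
            groups[(e["sender"], e["subject"])].append(e)

    alerts = []
    for (sender, subject), evs in groups.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it spans at most `window` of wall-clock time.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            burst = evs[start:end + 1]
            rcpts = {e["rcpt"] for e in burst}
            if len(rcpts) < min_recipients:
                continue
            new_fraction = len(rcpts - known[sender]) / len(rcpts)
            if new_fraction >= min_new_fraction:
                alerts.append({
                    "sender": sender,
                    "subject": subject,
                    "recipients": len(rcpts),
                    "new_recipient_fraction": new_fraction,
                    "first_seen": burst[0]["ts"].isoformat(),
                })
                break  # one alert per (sender, subject) is enough
    return alerts


def run_demo():
    """Apply the detector to the constructed sample log."""
    return detect_lateral_phishing(parse_log(SAMPLE_LOG), BASELINE_CUTOFF)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Bob's five-recipient "Team update" is not flagged because every recipient is already in his baseline, which is what keeps this heuristic from paging on ordinary distribution lists; Alice's burst is flagged because all six recipients are new to her and the send happens within seconds. In practice the baseline should span weeks rather than two days, and an alert should trigger containment (disable the account, recall the messages) rather than just a ticket.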
Most cybersecurity programs follow a simple model:
1. Detect suspicious activity
2. Respond and remediate
The problem is timing. By the time a breach is detected, the attacker has often already gained access, stolen data, and moved laterally. Detection-based systems react after the damage begins. It’s like locking the doors after the thief is already inside.
What organizations need now is a proactive defense that prevents malicious code from executing in the first place. That’s where isolation and containment come in.
AppGuard takes a fundamentally different approach. Instead of trying to identify every possible threat, it prevents untrusted processes from taking harmful actions. This approach has protected government and defense systems for over a decade and is now available for commercial use.
Here’s how AppGuard works to protect your business:
Prevention first: AppGuard isolates applications and blocks malicious actions automatically, stopping attacks before they can begin.
Zero trust at execution: Even legitimate applications like PowerShell can be exploited. AppGuard prevents them from executing unsafe behaviors.
Proven performance: With more than ten years of real-world success, AppGuard has consistently stopped threats that evade traditional antivirus and EDR tools.
Lightweight and reliable: AppGuard runs efficiently in the background without impacting performance or productivity.
Unlike “detect and respond” solutions that rely on alerts and post-incident cleanup, AppGuard stops threats in real time, keeping systems safe even when an attacker uses trusted credentials or applications.
Cybercriminals no longer rely on suspicious email domains or obvious phishing lures. They now use legitimate communication channels — your vendors, your partners, even your own employees. This makes detection-based defense ineffective and outdated.
Every minute between detection and response is an opportunity for the attacker to spread, encrypt, or steal. By focusing on isolation and containment, businesses can protect endpoints from compromise even when trust is abused.
Here’s how to start:
1. Reevaluate your security approach. Assume that trusted accounts can be compromised and plan accordingly.
2. Deploy containment-based protection. Use solutions like AppGuard to isolate untrusted actions in real time.
3. Test your systems. Run simulations where internal accounts are hijacked and ensure your defenses can contain the damage.
4. Educate your team. Make sure employees understand how to verify trusted sources before clicking or downloading attachments.
If you’re a business owner or IT leader, it’s time to rethink how you protect your network. The old model of “detect and respond” can’t keep up with attackers who use trusted email accounts to spread ransomware.
Talk with us at CHIPS about how AppGuard can prevent this type of incident. Let’s work together to move your business from “Detect and Respond” to “Isolate and Contain.”
Your trusted emails should stay trusted — and AppGuard can make sure they do.