In recent years we have learned to train people to spot suspicious emails and to deploy filters that block known threats. There is, however, a second line of defence that receives less attention and that attackers have started to target: the investigation process that follows a phishing report. When that process becomes slow or inconsistent, the organization leaves open a door that appears on no network diagram: human attention.
Attackers no longer only try to fool an employee; they seek to exhaust the team that investigates. Instead of betting everything on a single very sophisticated mail, many campaigns combine a tide of low-complexity messages with a few carefully targeted emails. The apparent objective, making noise, hides a strategic purpose: to clog the work queue of the security operations centre (SOC) until the few valuable messages go unnoticed.

This phenomenon, which researchers and practitioners already describe as a form of denial of information service (DoS), exploits a basic property of any system with limited resources: human attention does not scale indefinitely. Studies on alert fatigue and surveys of security operations show that when the volume of reports spikes, the quality of analysis tends to fall (see study on arXiv), and industry surveys reveal that a large share of SOCs simply cannot handle all incoming alerts with the necessary depth (SANS 2024 report).
Imagine the following scenario: thousands of employees report tens of thousands of messages that are mostly annoying but harmless. Each report requires some processing: open the message, check the headers, validate the links, correlate with endpoint telemetry and reach a decision. If analysts are overloaded, they adopt cognitive shortcuts that are useful in the short term but dangerous in aggregate: they skim, rely on surface indicators and prioritise clearing the backlog. It is precisely in those shortcuts that well-designed spear-phishing finds its opportunity.
The economics of the attack favour the attacker. Producing and distributing thousands of low-sophistication emails costs almost nothing, especially with automation and text-generation tools. For the defender, each reported message consumes minutes of a qualified professional's time; a thorough investigation may take hours. This asymmetry, low cost to create noise and high cost to process it, makes saturation a cost-effective tactic.
The immediate response of many teams has been to increase rule-based automation: automatically close reports from trusted domains, deduplicate identical reports or apply reputation lists. These measures help to reduce volume, but they have significant limits. Fixed rules create exploitable patterns; if attackers know or infer that certain signals trigger auto-closure, they can superficially alter their messages to get past those defences. In addition, when automation works as a "black box" that does not explain its decisions, staff distrust it, reopen cases or cancel automatic actions, wiping out the gains that automation promised.
More data and more rules do not solve the central problem: what fails is the ability to turn information into quick and reliable decisions. That is why a new way of thinking about it is emerging: it is not just about analysing emails, but about delivering investigations that are ready for a decision. Instead of presenting an analyst with a set of raw indicators, the idea is that an investigation engine produces a reasoned verdict, with the evidence and reasoning the human needs to review and assess it rather than reconstruct it from scratch.
A promising approach uses "agentic" AI architectures in which different specialised agents work in parallel on different dimensions of the investigation. One agent may be responsible for verifying the authenticity of the sender (SPF, DKIM, DMARC, domain history), another for analysing the language of the message in search of social-engineering signals, and a third for correlating with endpoint telemetry and abnormal activity. The crucial point is not that the AI decides on its own, but that each agent documents what it verified, what it found and how that affects the conclusion.
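The two previous paragraphs describe, on one hand, rule-based volume reduction (deduplication, trusted-domain handling) and, on the other, specialised agents that each record what they checked. The following is an added illustration, not code from the article or from any product it mentions: a small triage pipeline that collapses duplicate reports by a normalised body hash, runs three independent checks (an Authentication-Results parser for SPF/DKIM/DMARC, a social-engineering cue scan, and a link-host comparison against the sender domain) and returns a verdict together with the evidence each check produced. The sample reports, cue list, weights and thresholds are all constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample reports (not real mail). "authentication_results" mimics an
# Authentication-Results header as written by the receiving MX.
SAMPLE_REPORTS = [
    {
        "id": "r1",
        "from": "payroll@example-corp.com",
        "authentication_results": "mx.example.net; spf=pass smtp.mailfrom=example-corp.com; "
                                  "dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com",
        "body": "Hi team, the Q3 payroll calendar is attached. Regards, HR",
    },
    {
        "id": "r2",
        "from": "it-helpdesk@example-corp.com",
        "authentication_results": "mx.example.net; spf=fail smtp.mailfrom=bad-example.test; "
                                  "dkim=none; dmarc=fail header.from=example-corp.com",
        "body": "URGENT: your password expires in 1 hour. Verify your account immediately at http://login.bad-example.test/reset",
    },
    {
        "id": "r3",  # same message as r2, reported by a second employee (whitespace differs)
        "from": "it-helpdesk@example-corp.com",
        "authentication_results": "mx.example.net; spf=fail smtp.mailfrom=bad-example.test; "
                                  "dkim=none; dmarc=fail header.from=example-corp.com",
        "body": "URGENT:  your password expires in 1 hour.\nVerify your account immediately at http://login.bad-example.test/reset ",
    },
]

# Constructed cue list; a real deployment would use a richer language model or lexicon.
URGENCY_CUES = ("urgent", "immediately", "expires", "verify your account", "suspended")

@dataclass
class Evidence:
    agent: str      # which specialised check produced the finding
    finding: str    # human-readable statement of what was verified and found
    weight: int     # contribution to the risk score (0 means "checked, nothing found")

@dataclass
class Verdict:
    report_id: str
    verdict: str
    score: int
    evidence: list = field(default_factory=list)

def parse_auth_results(header: str) -> dict:
    """Extract spf/dkim/dmarc results from an Authentication-Results style header."""
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}

def dedup_key(body: str) -> str:
    """Key for collapsing duplicate reports: whitespace-normalised, case-folded body hash."""
    normalised = " ".join(body.lower().split())
    return hashlib.sha256(normalised.encode()).hexdigest()

def sender_auth_agent(report: dict) -> Evidence:
    results = parse_auth_results(report["authentication_results"])
    dmarc = results.get("dmarc", "none")
    detail = f"for {report['from']} (spf={results.get('spf')}, dkim={results.get('dkim')})"
    if dmarc == "pass":
        return Evidence("sender_auth", f"DMARC pass {detail}", 0)
    return Evidence("sender_auth", f"DMARC {dmarc} {detail}", 3)

def language_agent(report: dict) -> Evidence:
    text = report["body"].lower()
    hits = [cue for cue in URGENCY_CUES if cue in text]
    return Evidence("language", f"social-engineering cues: {hits or 'none'}", min(len(hits), 3))

def link_agent(report: dict) -> Evidence:
    sender_domain = report["from"].rsplit("@", 1)[1].lower()
    hosts = re.findall(r"https?://([^/\s]+)", report["body"], flags=re.I)
    foreign = [h for h in hosts if not h.lower().endswith(sender_domain)]
    return Evidence("links", f"link hosts outside sender domain: {foreign or 'none'}", 2 if foreign else 0)

AGENTS = (sender_auth_agent, language_agent, link_agent)

def triage(report: dict) -> Verdict:
    """Run every agent, keep each finding, and derive a verdict from the summed weights."""
    evidence = [agent(report) for agent in AGENTS]
    score = sum(e.weight for e in evidence)
    verdict = "malicious" if score >= 4 else "needs_analyst" if score >= 2 else "benign"
    return Verdict(report["id"], verdict, score, evidence)

def process_reports(reports: list) -> dict:
    """Collapse duplicates first, then triage one representative of each unique message."""
    seen, collapsed = {}, 0
    for r in reports:
        key = dedup_key(r["body"])
        if key in seen:
            collapsed += 1
            continue
        seen[key] = triage(r)
    return {"verdicts": {v.report_id: v for v in seen.values()}, "duplicates_collapsed": collapsed}

if __name__ == "__main__":
    out = process_reports(SAMPLE_REPORTS)
    for v in out["verdicts"].values():
        print(v.report_id, v.verdict, v.score)
        for e in v.evidence:
            print("   ", e.agent, "|", e.finding, "| +", e.weight)
    print("duplicates collapsed:", out["duplicates_collapsed"])
```

The point of the `Evidence` records is the one the article makes: an analyst who receives `r2` sees not just "malicious, score 8" but that DMARC failed for a From domain claiming to be the company, which cues fired, and which link host was foreign, and can challenge any of those findings without redoing the work. Note also that the deduplication key is content-based, so a flood of identical reports costs one investigation rather than one per reporter.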
Transparency and traceability change the relationship of trust between humans and machines. If the system gives a conclusion and also shows the chain of evidence, analysts can understand the reasons, challenge assumptions and, over time, trust that automated decisions are explainable. This confidence allows routine resolutions to be handled with controlled autonomy, while humans focus on incidents that require judgement and creativity.
The most tangible practical benefit is time. The difference between an investigation that closes in minutes and one that takes hours is not a minor operational improvement: it is the difference between a credential revoked before the attacker does damage and one that has already been used to move laterally, escalate privileges or exfiltrate information. Breach-cost and response-time reports show that every hour counts once a malicious actor has gained initial access (IBM: cost of breaches).
This approach also requires rethinking which metrics matter. Traditional SOC dashboards measure operational throughput: mean response time, tickets closed per analyst, and so on. To resist tactics that exploit volume, the metrics must capture the consistency of investigative quality under load, the latency to reach a confident verdict, the accuracy of verdicts during peak activity and the percentage of automated decisions that include auditable reasoning. Measuring proactivity, how close to the point of impact threats are detected, completes the picture.
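As an added example (not the article's own material), the functions below compute the load-aware metrics this paragraph lists from a constructed set of triage records: peak windows are derived from report volume per time bucket, verdict latency is reported as median and p90, verdict accuracy is split into peak versus off-peak, and the share of automated decisions that carry attached reasoning is computed separately. Timestamps are minutes since the start of a shift, and the record layout, bucket size and peak threshold are assumptions for the example.

```python
import math
from collections import Counter, namedtuple
from statistics import median

Ticket = namedtuple("Ticket", "id opened verdict_at system_verdict confirmed_verdict automated reasoning_attached")

# Constructed triage records (not real SOC data). Minutes 60-70 carry a burst of reports.
TICKETS = [
    Ticket("t01",   5,  12, "benign",    "benign",    True,  True),
    Ticket("t02",   7,  30, "malicious", "malicious", False, True),
    Ticket("t03",  10,  15, "benign",    "benign",    True,  False),
    Ticket("t04",  60,  62, "benign",    "benign",    True,  True),
    Ticket("t05",  61,  63, "benign",    "benign",    True,  True),
    Ticket("t06",  62,  64, "benign",    "malicious", True,  True),   # missed during the flood
    Ticket("t07",  63,  70, "benign",    "benign",    True,  False),
    Ticket("t08",  64, 130, "malicious", "malicious", False, True),
    Ticket("t09",  65,  66, "benign",    "benign",    True,  True),
    Ticket("t10",  66,  68, "benign",    "benign",    True,  True),
    Ticket("t11", 200, 220, "benign",    "benign",    False, True),
]

def peak_windows(tickets, bucket_minutes=60, threshold=4):
    """Bucket indices whose report volume reaches the threshold (assumed definition of 'peak')."""
    volume = Counter(t.opened // bucket_minutes for t in tickets)
    return {b for b, n in volume.items() if n >= threshold}

def _percentile_nearest_rank(values, p):
    s = sorted(values)
    return s[max(0, math.ceil(p * len(s)) - 1)]

def verdict_latency(tickets):
    """Latency to a verdict: median and p90 (nearest-rank) in minutes."""
    lat = [t.verdict_at - t.opened for t in tickets]
    return {"median": median(lat), "p90": _percentile_nearest_rank(lat, 0.9)}

def accuracy_by_load(tickets, bucket_minutes=60, threshold=4):
    """Verdict accuracy (system verdict == confirmed verdict) in peak vs off-peak buckets."""
    peaks = peak_windows(tickets, bucket_minutes, threshold)
    groups = {"peak": [], "off_peak": []}
    for t in tickets:
        key = "peak" if t.opened // bucket_minutes in peaks else "off_peak"
        groups[key].append(t.system_verdict == t.confirmed_verdict)
    return {k: (sum(v) / len(v) if v else None) for k, v in groups.items()}

def auditable_automation_rate(tickets):
    """Share of automated decisions that shipped with attached reasoning."""
    automated = [t for t in tickets if t.automated]
    if not automated:
        return None
    return sum(t.reasoning_attached for t in automated) / len(automated)

if __name__ == "__main__":
    print("peak buckets:", peak_windows(TICKETS))
    print("latency:", verdict_latency(TICKETS))
    print("accuracy by load:", accuracy_by_load(TICKETS))
    print("auditable automation rate:", auditable_automation_rate(TICKETS))
```

Throughput alone would look good here: most tickets close within a few minutes. The split metrics show what a volume-based tactic actually costs: accuracy drops from 100% off-peak to six of seven during the burst, the one miss is an automated benign verdict issued in the flood, and a quarter of automated decisions carry no reasoning an analyst could audit.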
By shifting the focus from "more signals" to "more precise and explained decisions," the defence radically alters the strategic landscape. If high volume no longer degrades depth of analysis or decision time, the tactic of flooding the SOC stops working: the wave of cheap messages no longer hides anything, and the attacker has spent resources for no gain. The asymmetry is reversed.
This approach does not eliminate the need for employee training or the importance of perimeter protection layers. Keeping the report button visible and encouraging staff to take responsibility remain crucial. The difference is that the engine behind that button is no longer an exploitable bottleneck but a resilient barrier: a system that does not tire and that delivers, in minutes, an assessment backed by evidence.

For organizations evaluating solutions, it is useful to review research and guidance published by the security community and public agencies, such as Microsoft's technical documentation on mail authentication (Microsoft: mail protection) or CISA's practical recommendations on phishing and response (CISA: anti-phishing advice). In addition, annual incident reports give context on where the greatest damage occurs when early detection fails, such as industry breach reports (Verizon DBIR).
There is no magic solution, but there is a clear path: design processes and technologies that reduce dependence on human memory and endurance during load peaks, while preserving analysts' ability to intervene with judgement. Some commercial platforms are already applying agentic architectures to produce "ready to decide" investigations and drastically cut resolution times; understanding the capabilities and transparency of these tools is a step every SOC should take now.
In the end, an effective defence against campaigns that seek to exhaust the human team requires a change of perspective: stop treating each mail as an isolated unit and start managing investigations as a chain of decisions. If the attacker's target is your attention, the best answer is to build an investigation that does not tire. Technical information on platforms that implement specialised agents with auditable reasoning can be consulted for solutions following this approach (more information on CognitiveSOC).