Hacker's Corner: Drive-By Ransomware, When Social Engineering Is All It Takes
- Gregory Flatt
- 13 hours ago
- 4 min read
This type of attack doesn’t start with malware; it doesn’t start with a zero-day; it starts with a phone call.
On a Tuesday morning that looks like every other Tuesday morning, an employee in Finance gets a call from someone who sounds exactly like they belong there. The caller knows the company uses Okta, references an internal ticket, mentions recent suspicious login attempts, and explains that the account must be “secured immediately.” Their tone is calm, technical, and urgent without being frantic. The employee is walked through a password reset and MFA re-enrollment.
In under ten minutes, the attacker owns a fully legitimate, authenticated session.
The scary part is that there is no exploit. From Okta’s perspective, this is simply a successful authentication with a reset authentication factor.
This is the modern drive-by ransomware attack.
Minutes to Monetization
In one version of this scenario, the compromised employee has more access than they should. Over time, they’ve accumulated permissions across SaaS platforms, CRM reporting, shared file repositories, and maybe even limited administrative export capabilities. None of it felt risky when granted; it was completely normal for the company.
Within minutes of access, the threat actor has enumerated what the compromised account can see. Native export features are used, customer lists are pulled, attachments are downloaded, and revenue reports are generated. The activity is very fast and targeted.
This pattern is not theoretical. Threat actors such as Scattered Spider have demonstrated exactly this operational model. They are known for high-skill social engineering campaigns that impersonate IT support, manipulate MFA resets, and gain access to identity providers. Once inside, they pivot directly into SaaS platforms such as Salesforce and ServiceNow, as well as cloud storage systems. They extract high-value data without deploying traditional ransomware payloads. In several publicly reported incidents, the intrusion window between credential compromise and data theft was measured in under an hour.
In our scenario, 30 to 40 minutes after the phone call, the ransom message arrives. It contains screenshots of internal dashboards and a small sample of customer records as proof of possession. The demand is simple: pay to prevent disclosure.
Meanwhile, the SOC detects anomalous behavior. There is an unusual login from an unfamiliar geography, followed by an MFA reset event tied to the same user. Next, they see a spike in download volume inconsistent with historical baselines. Analysts correlate the events, revoke sessions, disable the account, and begin forced password resets for similar roles.
Within an hour of initial compromise, the threat actors’ access is closed.
The damage is contained, but real; a partial dataset has been exfiltrated. There has been no lateral movement into internal infrastructure, and no ransomware has detonated. The attack was identity-driven, SaaS-contained, and economically motivated.
Hours to Full Exfiltration
In a second version, the same phone call unfolds, with the same MFA reset followed by a clean login.
But this time, the permissions are broader. Perhaps the employee was temporarily granted elevated reporting rights that were never revoked. Perhaps an OAuth application was authorized with excessive API scope. The role design likely favored convenience over containment.
This is where recent real-world cases become instructive.
In 2025, security researchers reported campaigns in which threat actors impersonated IT personnel through voice phishing, convincing employees to authorize malicious OAuth applications on platforms like Salesforce. Once authorized, those applications enabled large-scale API-based data extraction. No malware was required. The attackers used the platform’s own data-export mechanisms at scale and then issued extortion demands based on the stolen information.
In our scenario, automation begins almost immediately. Scripts interact with SaaS APIs to pull entire object stores, document libraries, and associated metadata. Attachments and historical communications are packaged systematically. What might take a human days to download manually can be completed in under two hours through scripted API interaction.
Detection occurs, but slightly later. The SOC observes a surge in API calls tied to a single user, along with sustained high-volume export behavior. Analysts pivot to the identity logs and see the recent MFA re-registration. The SOC terminates all sessions, revokes OAuth tokens, and tightens conditional access policies. Within an hour of detection, the account is neutralized.
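The correlation the SOC performs in both scenarios (an MFA factor reset, a login from an unfamiliar geography, and export volume far above the user's historical baseline) as an added Python example; it is not code from the original article. Event type names follow Okta's system-log style but are assumed here, and every log line and baseline is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: identity-provider log plus SaaS export log for two users.
# Event type names are Okta-style but assumed for this example, not taken from the page.
EVENTS = [
    {"ts": "2025-06-10T09:02:00", "user": "jdoe", "type": "user.mfa.factor.reset_all", "country": "US", "bytes": 0},
    {"ts": "2025-06-10T09:05:00", "user": "jdoe", "type": "user.session.start", "country": "NL", "bytes": 0},
    {"ts": "2025-06-10T09:12:00", "user": "jdoe", "type": "saas.report.export", "country": "NL", "bytes": 900_000_000},
    {"ts": "2025-06-10T09:20:00", "user": "jdoe", "type": "saas.report.export", "country": "NL", "bytes": 1_200_000_000},
    {"ts": "2025-06-10T09:30:00", "user": "asmith", "type": "user.session.start", "country": "US", "bytes": 0},
    {"ts": "2025-06-10T09:40:00", "user": "asmith", "type": "saas.report.export", "country": "US", "bytes": 50_000_000},
]
# Constructed per-user history: countries seen before and typical daily export volume.
BASELINE = {
    "jdoe": {"countries": {"US"}, "daily_export_bytes": 40_000_000},
    "asmith": {"countries": {"US"}, "daily_export_bytes": 60_000_000},
}
WINDOW = timedelta(hours=1)   # the article's "under an hour" intrusion window
EXPORT_MULTIPLIER = 10        # flag exports exceeding 10x the user's daily baseline

def correlate(events, baseline, window=WINDOW, mult=EXPORT_MULTIPLIER):
    """Return {user: [reasons]} for users whose MFA reset is accompanied, within
    `window` on either side, by a login from an unfamiliar country and by export
    volume above mult * baseline. Both signals are required to raise the alert."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    alerts = {}
    for user, evs in by_user.items():
        known = baseline.get(user, {}).get("countries", set())
        threshold = mult * baseline.get(user, {}).get("daily_export_bytes", 0)
        for reset in (e for e in evs if e["type"] == "user.mfa.factor.reset_all"):
            # Order-agnostic: the SOC may see the login before or after the reset event.
            near = [e for e in evs if e is not reset and abs(e["ts"] - reset["ts"]) <= window]
            new_geo = [e for e in near if e["type"] == "user.session.start" and e["country"] not in known]
            exported = sum(e["bytes"] for e in near if e["type"] == "saas.report.export")
            if new_geo and exported > threshold:
                alerts[user] = [
                    f"MFA reset at {reset['ts']:%H:%M} with login from unfamiliar country {new_geo[0]['country']}",
                    f"{exported} bytes exported within window (threshold {threshold})",
                ]
    return alerts

if __name__ == "__main__":
    for user, reasons in correlate(EVENTS, BASELINE).items():
        print(user, *reasons, sep="\n  ")
```

With the constructed data only jdoe is flagged: the reset, the NL login and 2.1 GB of exports all fall inside one hour, while asmith's export stays within baseline and has no factor reset nearby.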
But the threat actor captured a near-complete copy of the SaaS tenant’s accessible data.
The ransom demand that follows is more severe. Screenshots show internal communications, financial forecasts, and customer databases. The message asserts full exfiltration and threatens staged public release.
And yet, even in this more damaging outcome, the attacker never moved laterally into internal systems. There was no domain escalation. No persistence was implanted. There was no encryption of endpoints. The entire campaign unfolded inside the boundaries of legitimate SaaS access.
The Shift From Encryption to Extortion
Groups associated with social-engineering-heavy campaigns have increasingly favored data theft and extortion over traditional encryption-based ransomware. The logic is straightforward. If you can access cloud data directly and extract it quickly, encryption becomes optional. The leverage comes from exposure risk, not operational downtime.
This is why the “drive-by” label fits.
Traditional ransomware campaigns involve dwell time. Attackers explore, escalate, and entrench themselves before detonating. In contrast, the drive-by model is transactional. Compromise an identity, extract what is accessible, and demand payment. Persistent access isn’t required.
The speed is the strategy.
What Actually Determines the Outcome
In both scenarios, the SOC successfully evicted the attacker within an hour of detection, and that matters. Rapid response prevented persistence and limited the blast radius. But the amount of data lost was determined by factors other than response speed: identity resilience and privilege design.
If MFA had been phishing-resistant rather than push-based, the initial social engineering call might have failed. If help desk procedures required hardware-backed verification before factor resets, the attacker’s window would have narrowed. If the employee’s SaaS permissions were tightly scoped and regularly reviewed, the exfiltration volume would have been smaller. If behavioral analytics had been tuned more aggressively to detect bulk exports and anomalous API usage, detection could have occurred earlier in the timeline.
Real-world campaigns show that adversaries are optimizing for exactly these seams: help desk workflows, MFA fatigue, OAuth authorization prompts, and over-provisioned SaaS roles. They are not relying on novel exploits. They are exploiting trust, speed, and the architectural centralization of data in cloud platforms.
The uncomfortable conclusion is that the perimeter now sits at the identity layer, and identity compromise can translate into monetizable leverage in minutes.
Drive-by ransomware is not noisy. It is not cinematic. It is a phone call, a login, an export, and an email.
And in a SaaS-dominated enterprise, that is often all a threat actor requires.
