The FIFA World Cup is in full swing, and we do love the beautiful game. But as exciting as it is, there’s a concerning security side to the event that seems to be evolving in front of our eyes in real time.
Here’s the number that’s been making the rounds since the start of the year: an 84% malicious email penetration rate. In other words, the vast majority of malicious emails targeting professional sports organizations, and specifically their employees, are getting through.
According to Darktrace/Zimperium research, attackers are pulling this off by bypassing DMARC authentication, the control that’s supposed to catch spoofed, fraudulent email before it ever reaches an inbox. They’re doing it by compromising third-party sending services (i.e. cloud platforms, marketing tools, calendar invite systems) and using that trusted infrastructure to reach large numbers of employees at once.
Arctic Wolf Labs uncovered a phishing kit running across roughly ten fake “FIFA hiring” domains, sites like fifahiring[.]com and jobs-fifa[.]com, built to mimic legitimate World Cup recruitment pages. A victim applies for a job, gets walked through a fake interview scheduler, and lands on what looks like a normal Google login. Behind the scenes, the kit logs into the victim’s real Google account in real time, watches for the MFA prompt Google sends back, renders that exact prompt to the victim, and relays the one-time code to Google within seconds, all inside the attacker’s own session. By the time the victim finishes typing their six-digit code, the attacker already has a live, authenticated session. MFA did nothing to stop it.
What we’re seeing here is that the two tools most security teams treat as their go-to (DMARC and MFA) aren’t holding up.
It’s Not Just FIFA
The World Cup is a useful case study, but we’ve seen this before. Tax season is the most wonderful time of year for hackers to take advantage of the financial services industry. A natural disaster is a great lure for clicks from insurance employees. Any time there’s a live event where people are anxious, excited, or searching for answers, whether it be a ticket or a job, attackers become very convincing and their audience is very willing to click instead of thinking carefully.
AI, Threat Speed and Lure Improvement
Just looking at the numbers during this World Cup, more than 10,000 World Cup-themed domains have been registered since January, built with generative AI tools. AI has not only made it faster to set up phishing infrastructure, it has also made phishing email language remarkably more convincing. Language models can now produce fluent, natural, regionally appropriate copy in nearly any language. Phishing campaigns are reaching communities and language groups that historically saw very little of this kind of targeting.
The window we have to react to an intrusion has also collapsed. The average time between an initial access broker getting inside a victim environment and handing the keys off to a ransomware operator has dropped from over eight hours in 2022 to just twenty-two seconds in 2025. That means we can no longer assume we’ll even be aware of any unauthorized access while it’s happening.
There is no choice but to be prepared both at the individual employee level, and across the enterprise as a whole.
Thinking About Our Employees: Training Is More Important Than Ever
For an individual who is attacked, the damage is often personal. It can be a depleted 401K rather than something that touches the organization directly. For the employees that work at these targeted organizations, corporations have a responsibility to protect them.
That responsibility goes beyond financial exposure. The mental health toll on victims is real. And even though the attack may ultimately target a personal phone, the lure often arrives through a company email account. Organizations can’t assume a “FIFA job ad” will get flagged, or that DMARC enforcement is as strict as they think it is. Authentication methods like passkeys and FIDO2 hardware keys are starting to replace OTP for good reason. Ongoing training has to reflect the most current threats. This can’t be a one-and-done exercise.
For The Enterprise: Prevention Is Never Going to Be Enough On Its Own
Going back to that initial stat: 84% of malicious emails are getting through. That means prevention controls are succeeding only a fraction of the time. “Prevent the breach” can no longer stand alone as a strategy, and as agentic AI keeps evolving, our approach has to shift toward “recover fast, assess as you go.”
What Good Prevention Looks Like For the Enterprise: Proven Recovery
First, we need to recognize that AI-powered ransomware and phishing tools are shrinking the window we have to even realize an intrusion has happened. Once an attacker has a live session or a stolen credential, there’s already a lot at stake. With little to no detection time, having clean, isolated backups means the difference between a quick recovery and days or weeks of downtime, manual rebuilding, and an uncomfortable conversation with customers.
Recovery readiness means asking your business continuity team a few key questions:
- Are backups isolated enough that a compromised credential or an infected endpoint can’t reach and corrupt them?
- Are current recovery times (for VMs, network configurations and metadata) measured in minutes and hours rather than days?
- Have we tested multi-resource restores? Do we have reports to prove it?
- Do we have multiple security layers in place so that a single compromised account or one infected machine doesn’t lock us out of our backups? Do we hold at least our latest backup copy across accounts, subscriptions and even clouds?
- Has a security assessment been done on all third party platforms?
Final Thought: It’s Not About Prevention Anymore. It’s Assuming Recovery
The World Cup will end. The next live event that attackers build a campaign around won’t be far behind it and the pattern repeats because it works: attention is high, guard is down, and the lure only has to be convincing for a few seconds. Trying to close that gap with prevention alone means betting your organization’s resilience on never having an employee have a bad day. That’s not a bet worth making.
Prevention buys you fewer incidents. Recovery determines how much any single incident actually costs you. In a threat landscape where the front-line controls are already failing in measurable, public, documented ways, that second half of the plan isn’t optional anymore.
About N2W
This is where N2W comes in. We built our platform around the assumption that prevention will eventually fail somewhere, for someone, and that the only real defense at that point is how fast and how cleanly you can recover. N2W gives you immutable, isolated backups across AWS, Azure and Wasabi that a compromised credential or an infected endpoint can’t reach, with recovery times measured in minutes rather than days. Whether it’s a single compromised account or a full environment, you can restore exactly what you need, fast, with the reporting to prove it held up when it mattered. Prevention is still worth investing in, but recovery is what keeps a phishing click from turning into a multi-week outage.
We’d love to hear how your team is approaching high-volume events like the World Cup. Chat with one of our solutions engineers to talk through your specific pain points and see how N2W can help.