The FIFA World Cup is in full swing, and we do love the beautiful game. But as exciting as it is, there’s a concerning security side to the event evolving in front of our eyes in real time.
Here’s the number that’s been making the rounds: an 84% malicious email penetration rate. In other words, the vast majority of malicious emails targeting professional sports organizations, and specifically their employees, are getting through.
According to Darktrace research, attackers pull this off by bypassing DMARC authentication, the control that’s supposed to catch spoofed, fraudulent email before it ever reaches an inbox. They’re doing it by compromising third-party sending services (i.e. cloud platforms, marketing tools, calendar invite systems) and using that trusted infrastructure to reach large numbers of employees at once.
Arctic Wolf Labs uncovered a phishing kit running across roughly ten fake “FIFA hiring” domains: sites like fifahiring[.]com and jobs-fifa[.]com, built to mimic legitimate World Cup recruitment pages. A victim applies for a job, gets walked through a fake interview scheduler, and lands on what looks like a normal Google login. Behind the scenes, the kit logs into the victim’s real Google account in real time, watches for the MFA prompt Google sends back, renders that exact prompt to the victim, and relays the one-time code to Google within seconds, all inside the attacker’s own session. By the time the victim finishes typing their six-digit code, the attacker already has a live, authenticated session. MFA did nothing to stop it.
What we’re seeing is that the two tools most security teams treat as their go-to, DMARC and MFA, aren’t holding up.
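As an added example (not code from Arctic Wolf Labs or from this post), the look-alike recruitment domains described above can be triaged from a feed of newly observed hostnames by pairing the brand token with recruitment wording. The feed, the term list and the allowlist are assumptions made for this sketch, and it drops only the final label rather than consulting the public suffix list.

```python
import re

BRAND = "fifa"                                   # brand token from the page's examples
LURE_TERMS = ("apply", "careers", "hiring", "jobs", "recruit")  # assumed word list
OFFICIAL = ("fifa.com",)                         # assumed allowlist

# Constructed feed: the two domains named above plus made-up .example hosts.
FEED = ["fifahiring[.]com", "hxxps://jobs-fifa[.]com/apply", "careers.fifa.com",
        "fifa.com.jobs-portal.example", "fifafans.example", "weather.example"]

def refang(indicator):
    """Convert a defanged indicator (hxxp, [.]) into a bare lowercase hostname."""
    host = indicator.strip().lower().replace("[.]", ".")
    host = re.sub(r"^h(xx|tt)ps?://", "", host)
    return host.split("/")[0].rstrip(".")

def lure_terms(indicator):
    """Return the recruitment terms a non-official host pairs with the brand."""
    host = refang(indicator)
    if any(host == o or host.endswith("." + o) for o in OFFICIAL):
        return []                                # genuine domain or its subdomain
    text = "-".join(host.split(".")[:-1])        # every label except the TLD
    if BRAND not in text:
        return []
    tokens = [t for t in re.split(r"[^a-z]+", text.replace(BRAND, "-")) if t]
    return [term for term in LURE_TERMS if any(term in t for t in tokens)]

def triage(feed):
    """Map each flagged hostname to the terms that triggered the match."""
    flagged = {}
    for indicator in feed:
        terms = lure_terms(indicator)
        if terms:
            flagged[refang(indicator)] = terms
    return flagged

if __name__ == "__main__":
    for host, terms in triage(FEED).items():
        print(host, terms)
```

The suffix check matters: a host that merely starts with the official name, such as the constructed fifa.com.jobs-portal.example, is still flagged, while a real subdomain of the allowlisted domain is not.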
It’s Not Just FIFA
The World Cup is a useful case study, but we’ve seen this before. Tax season is the most wonderful time of year for hackers to take advantage of the financial services industry. A natural disaster is a great lure for clicks from insurance employees. Any time there’s a live event where people are anxious, excited, or searching for answers (whether it’s a ticket or a job), attackers become very convincing, and their audience is very willing to click instead of thinking carefully.
How AI Is Collapsing the Window to Respond
Just looking at the numbers during this World Cup: more than 10,000 World Cup-themed domains registered since January (Arctic Wolf Labs, roughly 2,000 a month), many built with generative AI tools. AI hasn’t only made it faster to set up phishing infrastructure. It’s made phishing language remarkably more convincing. Language models now produce fluent, natural, regionally appropriate copy in nearly any language, reaching communities and language groups that historically saw very little of this kind of targeting.
The window to react has also collapsed. The average time between an initial access broker getting inside a victim environment and handing the keys to a ransomware operator has dropped from over eight hours in 2022 to just twenty-two seconds in 2025 (Mandiant M-Trends 2026). That means we can no longer assume we’ll even be aware of unauthorized access while it’s happening.
There is no choice but to be prepared, both at the individual employee level and across the enterprise as a whole.
Protecting Our Employees: Training Is More Important Than Ever
For an individual who is attacked, the damage is often personal: a depleted 401(k) rather than something that touches the organization directly. Corporations have a responsibility to protect the employees who work at targeted organizations.
That responsibility goes beyond financial exposure. The mental health toll on victims is real. And even though the attack may ultimately target a personal phone, the lure often arrives through a company email account. Organizations can’t assume a “FIFA job ad” will get flagged, or that DMARC enforcement is as strict as they think. Authentication methods like passkeys and FIDO2 hardware keys are starting to replace OTP for good reason. Ongoing training has to reflect the most current threats. This can’t be a one-and-done exercise.
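One way to check how strict DMARC enforcement actually is, and which outside senders the domain already trusts, shown as an added example that is not part of the original post. The records belong to a hypothetical domain (club.example) and are constructed; in practice they would come from the TXT records at `_dmarc.<domain>` and `<domain>`.

```python
# Constructed sample records for a hypothetical domain (club.example).
DMARC_TXT = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@club.example"
SPF_TXT = ("v=spf1 ip4:192.0.2.10 include:_spf.mailer.example "
           "include:_spf.calendar.example ~all")

def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def audit_dmarc(txt):
    """List every setting that leaves enforcement below p=reject at 100%."""
    tags = parse_dmarc(txt)
    findings = []
    policy = tags.get("p", "none").lower()  # missing p is treated as none here
    if policy != "reject":
        findings.append(f"p={policy}: failing mail is not rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    sp = tags.get("sp", policy).lower()     # sp defaults to the p value
    if sp != "reject":
        findings.append(f"sp={sp}: subdomain mail is not rejected")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() == "r":  # relaxed is the default
            findings.append(f"{tag}=r: relaxed alignment, subdomains align")
    return findings

def spf_third_parties(txt):
    """Return include:/redirect= targets, i.e. outside senders SPF trusts."""
    targets = []
    for term in txt.split()[1:]:            # skip the v=spf1 version term
        term = term.lstrip("+-~?").lower()
        for prefix in ("include:", "redirect="):
            if term.startswith(prefix):
                targets.append(term[len(prefix):])
    return targets

if __name__ == "__main__":
    for finding in audit_dmarc(DMARC_TXT):
        print("DMARC:", finding)
    for sender in spf_third_parties(SPF_TXT):
        print("Authorized third-party sender:", sender)
```

Even with every DMARC finding cleared, each sender returned by `spf_third_parties` remains infrastructure whose compromise can produce mail that still passes, which is why the list belongs in the third-party assessment.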
For The Enterprise: Prevention Is Never Going to Be Enough On Its Own
Going back to that initial stat: 84% of malicious emails are getting through. That means prevention controls are succeeding only a fraction of the time. “Prevent the breach” can no longer stand alone as a strategy. As agentic AI keeps evolving, our approach has to shift toward “recover fast, assess as you go.”
What Good Security Really Looks Like: Proven Recovery
First, recognize that AI-powered ransomware and phishing tools are shrinking the window to even realize an intrusion has happened. Once an attacker has a live session or a stolen credential, there’s already a lot at stake. With little to no detection time, the absence of clean, isolated backups is the difference between a quick recovery and days or weeks of downtime, manual rebuilding, and an uncomfortable conversation with customers.
Recovery readiness means asking your business continuity team a few key questions:
- Are backups isolated enough that a compromised credential or an infected endpoint can’t reach and corrupt them?
- Are current recovery times (for VMs, network configurations, and metadata) measured in minutes and hours rather than days?
- Have we tested multi-resource restores? Do we have reports to prove it?
- Do we have multiple security layers in place so that a single compromised account or one infected machine doesn’t lock us out of our backups? Do we hold at least our latest backup copy across accounts, subscriptions and even clouds?
- Has a security assessment been done on all third-party platforms?
Final Thought: It’s Not About Prevention Anymore. It’s Assuming Recovery
The World Cup will end. The next live event attackers build a campaign around won’t be far behind. And the pattern repeats because it works: attention is high, guard is down, and the lure only has to be convincing for a few seconds. Trying to close that gap with prevention alone means betting your organization’s resilience on never having an employee have a bad day. That’s not a bet worth making.
Prevention buys you fewer incidents. Recovery determines how much any single incident actually costs you. In a threat landscape where the front-line controls are already failing in measurable, public, documented ways, that second half of the plan isn’t optional anymore.
About N2W
This is where N2W comes in. We built our platform around the assumption that prevention will eventually fail somewhere, for someone, and that the only real defense at that point is how fast and how cleanly you can recover. N2W gives you immutable, isolated backups across AWS, Azure and Wasabi that a compromised credential or an infected endpoint can’t reach, with recovery times measured in minutes rather than days. Whether it’s a single compromised account or a full environment, you can restore exactly what you need, fast, with the reporting to prove it held up when it mattered. Prevention is still worth investing in, but recovery is what keeps a phishing click from turning into a multi-week outage.
We’d love to hear how your team is approaching high-volume events like the World Cup. Chat with one of our solutions engineers to talk through your specific pain points and see how N2W can help.