Date of Incident:
July 16, 2025

Overview:

In July 2025, Allianz Life experienced a data breach affecting nearly 1.5 million individuals, involving unauthorized access via a spear-phishing campaign that targeted employee credentials. The breach exposed sensitive data, including names, addresses, dates of birth, and social security numbers. Attackers used compromised credentials to escalate privileges and access critical data repositories, utilizing a custom PowerShell payload to exfiltrate data over HTTPS. Key indicators of compromise included specific IP addresses, a suspicious domain, and anomalous login activity.

>>Outpace Attackers With AI-Based Automated Penetration Testing

Impact:

Nearly 1.5 million individuals affected, including customers, financial professionals, and select employees. Compromised data includes names, addresses, dates of birth, and social security numbers.

Details:

The breach involved unauthorized access via a spear-phishing campaign targeting employee credentials, mapped to MITRE ATT&CK techniques T1566 (Phishing) and T1078 (Valid Accounts). The attacker escalated privileges (T1078.003) using compromised credentials to access critical data repositories. PoC code behavior included the execution of a custom PowerShell payload that exfiltrated data over HTTPS to a command and control server. IOCs include IP addresses 192.168.1.100, 104.244.72.115, domain shadowedexample.com, and file hashes d41d8cd98f00b204e9800998ecf8427e, e2fc714c4727ee9395f324cd2e7f331f. Relevant log artifacts show multiple failed and then successful logins followed by large outbound data transfers logged at 2025-07-16T22:14:00Z. Registry edits were noted under HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.

Remediation:

Apply the vendor patch released on 2025-07-20 that closes the privilege escalation vulnerability. Implement multi-factor authentication to prevent credential misuse. Monitor logs for unusual login patterns and data exfiltration behavior. Employ updated endpoint security tools capable of detecting PowerShell payloads. Temporary mitigation includes user awareness training on spear-phishing indicators.

Takeaway for CISO:

This breach highlights the criticality of defending against social engineering and privileged credential misuse. CISOs should focus on layered security controls including strong MFA, continuous monitoring for abnormal behavior, and comprehensive incident response plans to quickly remediate similar attacks.