Managed service providers (MSPs) are currently facing unprecedented pressure from clients regarding cybersecurity, with a significant increase in expectations for MSPs to manage their cybersecurity infrastructure. A recent survey revealed that 84% of MSPs report their clients now expect them to handle cybersecurity end-to-end, a notable rise from 65% the previous year. This shift comes as MSPs themselves are under increased scrutiny, with 77% reporting heightened oversight of their security practices. The growing concern over emerging threats, particularly those related to artificial intelligence, has further complicated the landscape, as MSPs find themselves caught between rising client demands and a lack of accountability from cybersecurity vendors.
In a related development, a fraudulent impersonator has been using artificial intelligence to mimic the voice and writing style of U.S. Secretary of State Marco Rubio, successfully contacting several high-level officials to manipulate them for sensitive information. This incident highlights the vulnerabilities in secure communication channels and the ease with which attackers can exploit lax data security among government officials. The FBI has issued warnings about ongoing malicious messaging campaigns that utilize AI-generated voice messaging, emphasizing the need for enhanced verification protocols in executive communications.
Additionally, attackers have been exploiting Microsoft 365's direct send feature to launch phishing attacks, impacting over 70 organizations. This method allows attackers to send emails that appear to come from legitimate internal addresses, bypassing traditional security measures. Research indicates that conventional phishing awareness training is largely ineffective, with many employees failing to recognize phishing attempts even after training. The study suggests a shift towards interactive training methods, which have proven more effective in reducing the likelihood of falling victim to such scams.
Ingram Micro has begun restoring customer ordering capabilities following a ransomware attack that temporarily disabled its systems, but the company's lack of communication during the crisis has raised concerns among partners. The incident serves as a case study in breach communication, highlighting the importance of transparency and effective communication in maintaining trust. Meanwhile, Kaseya has expanded its community investment with the Technology Marketing Toolkit, aimed at enhancing resources for MSPs. However, questions remain about the potential cultural clash and the impact on the independence of the Toolkit's offerings within Kaseya's larger ecosystem.
Four things to know today
00:00 MSPs Face Rising Cybersecurity Pressure as Clients Demand Full Protection and Vendors Sidestep Shared Risk
04:25 AI Deepfake Impersonates Secretary of State in Sophisticated Attack, Exposing Risks for Executive Security
09:17 Ingram Micro Begins System Restoration After Ransomware Attack, But Silence Frustrates
12:07 Robin Robins Sells Technology Marketing Toolkit; Joins Kaseya as Strategic Advisor
This is the Business of Tech.
Supported by:
https://getnerdio.com/nerdio-manager-for-msp/
[00:00:02] It's Wednesday, July 9th, 2025, and I'm Dave Sobel. Four things to know today. MSPs face surging client demands and a vendor accountability gap in cybersecurity. AI deepfakes targeting US leaders exposing executive impersonation risks. Microsoft 365 Direct Send exploited for phishing as static training fails. Ingram Micro's ransomware silence strains partner trust. And Kaseya absorbs Technology Marketing Toolkit raising questions about independence and culture.
[00:00:32] This is the Business of Tech. Managed service providers are facing heightened scrutiny from their customers regarding cybersecurity, with 58% of MSP leaders believing their clients are at greater risk now than last year. Research from CyberSmart indicates that 84% of MSPs report their customers now expect them to manage their cybersecurity infrastructure, a significant rise from 65% in 2024.
[00:00:59] The second annual CyberSmart MSP survey, which gathered insights from 900 MSP leaders across several countries, revealed that 77% of these leaders have seen increased scrutiny of their own security capabilities over the past year. The survey highlights that emerging threats, particularly those associated with artificial intelligence, are a major concern, with 38% of MSPs citing AI threats as significant risks. Why do we care?
[00:01:29] MSPs are under more pressure than ever to be their clients' cybersecurity backbone. Client expectations are climbing. 84% saying customers now expect them to manage cybersecurity end-to-end, up from 65%, is a significant shift in just one year. MSPs themselves are under scrutiny. 77% reporting heightened oversight of their own security practices. Clients and regulators increasingly recognize that a weak MSP is a threat multiplier.
[00:01:58] But here's the kicker. Most cybersecurity vendors aren't stepping up to share that risk. While vendors talk endlessly about partnership, very few offer real, shared risk models. The burden of delivery and liability sits squarely on the MSP's shoulders. Vendors supply tools, but MSPs are expected to integrate, monitor, and remediate, often without the resources of a full SOC.
[00:02:24] When breaches happen, it's the MSP's name on the line, not the vendor's. Cyber insurance? Increasingly restrictive. Vendor indemnification? Almost non-existent. This exposes a growing accountability gap where MSPs are caught between rising customer demands and vendors' unwillingness to co-own outcomes. The market is forcing MSPs into a security-first approach, but the risk asymmetry is glaring.
[00:02:52] Cybersecurity vendors need to move beyond just selling licenses to sharing responsibility for outcomes with partners, whether through performance-based SLAs, indemnification, or embedded MDR SOC services. For providers, the takeaway is sobering. Don't assume your vendor will bail you out in a breach. Vet vendors not just for features, but for their posture on risk sharing and support in high-pressure scenarios.
[00:03:20] Decide if you're going to build security in-house or align with providers and MSPs who can assume part of the load. This isn't about tools, but trust, risk, and resilience. Are your customers getting the most from their Microsoft 365 Business Premium subscriptions? Are you delivering maximum value while ensuring best-in-class margins?
[00:03:44] Nerdio's new modern work features let you streamline the management of Microsoft technologies like Azure Virtual Desktop, Windows 365, Intune, and Defender. Reduce the need for multiple tools, consolidate your vendor stack, and deliver greater value to your customers. Help your customers maximize their investments, free up your team for strategic tasks, and drive meaningful business outcomes.
[00:04:07] With Nerdio Manager for MSP, a single, flexible platform with mix-and-match plans ensures a flexible, perfect fit for you and your customers. Deliver solutions that achieve real business impact. Visit GetNerdio.com to find out more. A fraudulent impersonator using artificial intelligence has targeted high-level U.S. officials by mimicking the voice and writing style of Secretary of State Marco Rubio.
[00:04:36] The individual has successfully contacted several foreign ministers, a U.S. governor, and a member of Congress, attempting to manipulate them for access to sensitive information. According to a senior U.S. official and a State Department cable obtained by the Washington Post, the impersonation campaign began in mid-June with the creation of a Signal account under a name resembling Rubio's official email.
[00:05:01] The FBI has warned of an ongoing malicious messaging campaign using AI-generated voice messaging aimed at eliciting information or funds from senior government leaders. Experts suggest that such impersonation tactics require minimal technical skill, as they often exploit lax data security among government officials.
[00:05:22] Hany Farid, a digital forensic professor, emphasizes the ease of impersonation once voice samples are obtained, highlighting the vulnerabilities in secure communication channels. Hackers are exploiting Microsoft 365's direct send feature to launch phishing attacks, impacting over 70 organizations, primarily in the U.S. This method allows attackers to send emails that appear to originate from legitimate internal addresses without needing to compromise any accounts.
[00:05:51] According to researchers at Varonis, since May, attackers have leveraged this feature, which is intended for internal use and does not require authentication to deliver phishing emails. The emails can bypass traditional security measures as they are treated as internal traffic by Microsoft's filtering systems.
[00:06:08] Varonis has noted unusual email activity associated with alerts for abnormal geolocation, indicating that organizations must enhance their security measures such as enabling reject direct send and implementing strict email policies to mitigate these threats.
[00:06:26] A recent study from the University of Chicago and the University of California, San Diego, reveals that traditional phishing awareness training is largely ineffective in preventing employees from falling victim to cyber attacks.
[00:06:39] The research, which involved nearly 20,000 personnel over an eight-month period, found that most standard training programs do not significantly improve employees' ability to identify phishing emails, and in some cases, they may even increase the likelihood of falling for such scams. In fact, employees subjected to cybersecurity awareness training showed only a 1.7% improvement in their ability to recognize phishing attempts.
[00:07:08] The study emphasized that interactive training was the most effective method, reducing the likelihood of clicking on phishing links by 19%. Conversely, static training sessions yielded no benefits, with many participants disengaging almost immediately. This research underscores a critical shift in how organizations may need to rethink their approach to cybersecurity training and invest more in technical solutions rather than relying solely on employee awareness.
[00:07:38] Why do we care? If attackers can convincingly fake the voice and style of a U.S. Secretary of State, imagine how trivial it is to spoof a CEO, CFO, or IT director. It raises the stakes for providers managing executive communications security and reinforces the need for verification protocols like multi-channel confirmations and anti-spoofing tools. Attackers are exploiting a built-in feature to send internal-looking phishing emails without compromising accounts.
[00:08:07] This bypasses the trust model many organizations rely on in Microsoft environments. For providers, it's a reminder that secure email configurations like disabling direct send where possible and enforcing SPF, DKIM, and DMARC are not negotiable. The University of Chicago/UCSD study underscores a brutal truth. Check-the-box training doesn't work. Static slide decks and periodic quizzes won't stop modern attacks.
[00:08:34] Interactive simulations show promise, but the bigger takeaway is that technical controls like advanced filtering, zero trust, and identity protection must carry more weight than end-user vigilance alone. It's a triple wake-up call for providers. Expect AI-driven social engineering to go mainstream. Start discussing voice deepfake and text spoofing risks with clients now. Audit your Microsoft 365 environments for risky defaults.
[00:09:02] Direct send isn't the only feature attackers will weaponize. And rethink security training programs. If you're reselling or running awareness training, shift toward interactive simulations and couple them with technical solutions. Ingram Micro has begun the process of reactivating customer ordering capabilities following a ransomware attack that temporarily disabled its systems.
[00:09:27] The company announced that it is gradually restoring these capabilities region by region, stating that the unauthorized access to its systems is now contained and affected systems have been remediated. Ingram Micro, which generates approximately $190 million in revenue each working day, confirmed that while customers can start placing orders for subscriptions on products via phone and email, hardware orders remain limited.
[00:09:52] The distributor reported revenues of $12.28 billion in its most recent quarter, highlighting the financial impact of the downtime. However, customers have expressed concerns about the lack of communication from Ingram Micro regarding the ongoing situation and the potential impact on data security. The company had attributed the outage to a ransomware attack, which was claimed by the SafePay Group. Why do we care?
[00:10:18] Well, Ingram Micro's ransomware recovery is moving forward, but the bigger story may be how they've handled the breach publicly, or more accurately, how they haven't. Ingram Micro's initial response was silence. It took days before they confirmed a ransomware attack, leaving partners in the dark as orders piled up and customer frustration grew. Even now, Ingram has offered no insights into how the breach occurred, what systems were compromised, or whether customer or vendor data was accessed or exfiltrated.
[00:10:46] For a company doing $190 million in daily revenue, that's a troubling lack of communication. For providers reliant on Ingram for hardware and subscriptions, it wasn't just an inconvenience. It disrupted supply chains and strained customer trust. We had to scramble for alternative distributors or delayed deployments, all while fielding tough questions from clients. Some will argue Ingram is playing it safe on legal advice, particularly if an investigation or regulatory process is underway.
[00:11:15] But in today's environment, silence erodes trust faster than it protects liability. Compare this to other major vendors who've experienced attacks, but communicated quickly and clearly, even if the initial details were limited. It's also a reminder to MSPs, you are judged by how you communicate in a crisis, not just how fast you restore systems. So ask tough questions now. Does your distributor have a clear incident response and disclosure plan? How about all your vendors?
[00:11:44] Do you have multi-distributor procurement strategies to avoid single points of failure? Can you communicate more effectively to your own customers than Ingram has? This isn't just about Ingram. It's a case study in how not to manage breach communications. The MSPs who learn from it will be better positioned when, and not if, they face similar pressure.
[00:12:08] And lastly, Kaseya has announced the expansion of its community investment with the addition of the Technology Marketing Toolkit, aimed at enhancing resources for managed service providers. The initiative will provide customers access to essential sales and marketing materials, coaching, and a platform for collaboration among IT professionals. The Technology Marketing Toolkit focuses on building a robust community of success-minded entrepreneurs in the managed services provider sector, promising tools and training designed to foster profitable business growth.
[00:12:38] Robin Robins, the founder of the Technology Marketing Toolkit, will assume a strategic advisory role to further develop marketing and sales strategies for Kaseya's unified community. Why do we care? Well, let's start with this. Congratulations to Robin on the successful sale of her business. Entrepreneurs work to build value, and that should be celebrated.
[00:13:00] It's an openly discussed belief that this acquisition took place well before the announcement, based on business filing records and the use of Kaseya's infrastructure by TMT. One commenter called it the worst-kept secret. So why announce it now? Two obvious potential reasons. Robin's transition. After more than 20 years, she may be ready to take a step back operationally. The only positional change noted in the announcement is her shift to a strategic advisory role.
[00:13:30] This is often coded language to a transition out of the business. Kaseya's leadership dynamics may also play. Assuming the transaction closed some time ago, the announcement might align with internal strategy shifts. New leadership could be keen to consolidate marketing-focused assets, like TMT, True Peer, and Powered Services, to avoid duplication and strengthen Kaseya's unified MSP community strategy. So some questions to consider.
[00:13:57] Will TMT's secret sauce survive? Many TMT customers valued its independence, seeing Robin's community as a distinct one from vendor-driven marketing efforts. Merging into a larger vendor ecosystem risks diluting that unique voice. A culture clash, perhaps? TMT's entrepreneurial, often irreverent culture may not align with Kaseya's more corporate structure. Will the same practical, hard-hitting marketing advice persist?
[00:14:25] Or will it evolve into vendor-aligned messaging? For MSPs, the key question becomes, does this new TMT still serve my business if I'm not all in on Kaseya's ecosystem? That's worth testing before fully committing. Thanks for listening. Today is National Sugar Cookie Day, and also National Don't Put All Your Eggs In One Omelette Day. That one's good advice. Join me for a webinar sponsored by ThreatDown,
[00:14:54] AI's Dark Side, What Every MSP Needs To Know. Visit bit.ly slash ThreadDown to register. It's next week, so make sure to do it now with links in the show notes. The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech. If you've enjoyed the show, make sure you've subscribed or followed on your favorite platform. It's free and helps directly. Give us a review, too.
[00:15:22] If you want to support the show, visit patreon.com slash MSP radio, and you'll get access to content early. Or buy our Why Do We Care merch at businessof.tech. Have a question you want answered? We take listener questions, send them in, ideally as a voice memo or video to question at MSP radio.com. I answer listener questions live on our Wednesday live show on YouTube and LinkedIn.
[00:15:48] If you've got a comment or a thought on a story, put it in the comments if you're on YouTube, or reach out on LinkedIn if you're listening to the podcast. And if you want to advertise on the show, visit MSP radio.com slash engage. Once again, thanks for listening, and I will talk to you again on our next episode. Part of the MSP radio network.

