Deepfake Phishing Simulation Platforms: What Real Attacks Reveal
Deepfake Phishing Simulation Platforms, Ranked Against Real Threat Actor TTPs
Black Basta. UNC1069. Two documented, attributed campaigns that expose exactly what most simulation platforms cannot simulate. If you want to know whether your platform is actually preparing your workforce, stop reading feature sheets. Map the capability to the kill chain.
01 / Platform Comparison Matrix
We mapped the documented TTPs from two active, attributed campaigns against the capabilities of three platform categories. Here is what the kill chain actually requires, and what each category can cover.
| Capability | Legacy Platforms | Next-Gen Platforms | Breacher.ai OSES™ |
|---|---|---|---|
| Email phishing simulation | Yes | Yes | Yes |
| SMS / MMS simulation | Limited | Yes | Yes |
| Vishing (voice) simulation | No | Yes | Yes |
| AI voice cloning | No | Yes | Yes |
| Teams / Slack impersonation | No | No | Yes |
| Deepfake video meeting link | No | No | Yes |
| Orchestrated multi-stage campaigns | No | No | Yes |
| Behavioral trigger adaptation | No | No | Yes |
| OSINT-informed targeting | No | Limited | Yes |
| Simulates Black Basta TTP chain | No | Partial | Yes |
| Simulates UNC1069 TTP chain | No | No | Yes |
| Campaign adapts based on target behavior | No | No | Yes |
02 / What Real Attacks Look Like Right Now
Two documented campaigns define the current threat landscape for social engineering. Both are attributed. Both are active. Neither resembles anything a legacy simulation platform can replicate.
Black Basta affiliates do not start with a phishing email. They start with an email bombing campaign, flooding a target's inbox with hundreds of subscription confirmations to manufacture urgency and confusion. Then they move to Microsoft Teams.
Attackers message the target from external tenants they control, posing as IT help desk personnel. The display name reads "Help Desk." The message is calm and professional. They offer to resolve the email issue. Then comes the vishing follow-up, a call offering remote access assistance. Once the target installs AnyDesk or Quick Assist, the intrusion begins. Ransomware deployment follows within minutes.
This is a three-stage orchestrated sequence. Each step conditions the target for the next. None of it works in isolation.
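A defender-side correlation for the sequence above, as an added example that is not part of the original page: it flags a user only when an inbound mail flood, an external-tenant "Help Desk" Teams message, and an AnyDesk or Quick Assist launch occur in that order. The normalized event schema (`type`, `external_tenant`, `sender_name`, `image`), the 100-message threshold, and both time windows are assumptions, and the vishing call is omitted on the assumption that telephony is not logged.

```python
from datetime import datetime, timedelta

REMOTE_TOOLS = {"anydesk.exe", "quickassist.exe"}         # tools named on the page
HELPDESK_WORDS = ("help desk", "helpdesk", "it support")  # assumed display-name patterns

def flood_time(times, threshold, window):
    """Time at which the threshold-th mail lands inside a sliding window, else None."""
    times = sorted(times)
    for i in range(threshold - 1, len(times)):
        if times[i] - times[i - threshold + 1] <= window:
            return times[i]
    return None

def detect_chain(events, threshold=100, flood_window=timedelta(hours=1),
                 chain_window=timedelta(hours=4)):
    """Flag users who see flood -> external 'help desk' chat -> remote tool, in order."""
    alerts = []
    for user in sorted({e["user"] for e in events}):
        evs = [e for e in events if e["user"] == user]
        flood = flood_time([e["ts"] for e in evs if e["type"] == "email_inbound"],
                           threshold, flood_window)
        if flood is None:
            continue
        deadline = flood + chain_window
        chats = [e["ts"] for e in evs if e["type"] == "teams_msg" and e["external_tenant"]
                 and any(w in e["sender_name"].lower() for w in HELPDESK_WORDS)
                 and flood <= e["ts"] <= deadline]
        tools = [e for e in evs if e["type"] == "process_start"
                 and e["image"].lower() in REMOTE_TOOLS
                 and chats and min(chats) <= e["ts"] <= deadline]
        if tools:
            alerts.append({"user": user, "chat_at": min(chats), "tool": tools[0]["image"]})
    return alerts

def sample_events():
    """Constructed data: alice hits every stage; bob only launches Quick Assist."""
    t0 = datetime(2025, 1, 6, 9, 0)
    evs = [{"ts": t0 + timedelta(seconds=20 * i), "user": "alice", "type": "email_inbound"}
           for i in range(150)]
    evs.append({"ts": t0 + timedelta(minutes=55), "user": "alice", "type": "teams_msg",
                "external_tenant": True, "sender_name": "Help Desk"})
    evs.append({"ts": t0 + timedelta(minutes=70), "user": "alice",
                "type": "process_start", "image": "AnyDesk.exe"})
    evs.append({"ts": t0 + timedelta(minutes=30), "user": "bob",
                "type": "process_start", "image": "QuickAssist.exe"})
    return evs

if __name__ == "__main__":
    print(detect_chain(sample_events()))
```

Requiring the stages in order keeps a lone Quick Assist launch (bob in the sample) from alerting, which mirrors the page's point that no single step is meaningful in isolation.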
UNC1069 operates at a different level of sophistication. Mandiant documented a 2026 intrusion where the group compromised a cryptocurrency executive's Telegram account, then used it to contact the victim and build rapport over time. After establishing trust, they sent a Calendly link to schedule a meeting.
The meeting routed to a spoofed Zoom domain on attacker-controlled infrastructure. During the call, the victim was presented with what appeared to be a deepfake video of a well-known industry CEO. When the attacker claimed audio problems, the victim was instructed to run troubleshooting commands. Those commands deployed seven distinct malware families, including SILENCELIFT, DEEPBREATH, and CHROMEPUSH, designed to harvest credentials, browser data, session tokens, and Telegram communications.
Every step was conditional on the one before it. That is not a multi-channel attack. That is an orchestrated influence campaign, and it is what your employees are actually facing.
03 / What This Means for Simulation Platforms
If your simulation platform cannot replicate these kill chains, it is not preparing your workforce for the attacks they will actually face. That is not a marketing claim. It is a capability gap with direct consequences.
Employees who pass a phishing click-rate test have not been tested against Black Basta. Employees who recognize a spoofed email have not been tested against UNC1069. These are fundamentally different scenarios requiring fundamentally different simulation infrastructure.
These are not organizations with bad security teams. Many have mature programs. The gap is that their defenses were built for a threat landscape that no longer exists.
04 / Why Partial Does Not Pass
Next-gen platforms get credit for adding AI voice. That matters. Vishing is a real vector and testing it is better than not testing it.
But partial simulation produces partial confidence, which is arguably more dangerous than no simulation at all. If your workforce passes a vishing test run in isolation, your CISO may believe they are prepared for a Black Basta-style attack. They are not. They have been tested on one step of a three-step sequence. The step they will actually face is the one where they have already been primed by an email flood and a Teams message from someone who appears to be their IT department. That conditioning changes everything.
No next-gen platform can simulate a spoofed video meeting where the target sees a synthetic executive on screen. No next-gen platform orchestrates the rapport-building phase, the scheduling link, and the live deepfake handoff as a connected sequence. They can generate an AI voice call. They cannot close the loop. The most dangerous step of the kill chain is exactly the one they stop short of.
The gap is not marginal. It is the difference between testing one channel and testing the full kill chain. And it is precisely the final step, the deepfake meeting link inside a trusted enterprise workflow, that produces the outcome attackers are after.
05 / The Gap That Defines the Market
Breacher.ai is the only platform capable of simulating the full kill chain documented in both of these campaigns.
OSES™ (Orchestrated Social Engineering Simulations™) was built specifically for this. Campaigns are sequenced, conditional, and adaptive. If a target opens the email, the platform escalates. If they engage on Teams, the vishing call triggers. If they join the meeting, they encounter the deepfake video link. Each step is informed by the prior one, exactly as a real adversary would operate.
That is not a multi-channel feature. That is a methodology built around how adversaries actually think.
Legacy platforms do phishing. Next-gen platforms add AI voice. No competitor orchestrates a conditional, multi-stage simulation that terminates in a live deepfake video meeting link delivered inside an enterprise collaboration workflow.
The question for every CISO is whether their workforce has ever been tested against anything that actually resembles these attacks. Black Basta used Teams to deploy ransomware across hundreds of organizations. UNC1069 used a deepfake video call to deploy seven malware families onto a single host. These are not hypothetical scenarios. They are documented, attributed, and actively replicated right now.
If the answer is no, you do not have a measurement problem. You have a gap in your security program that no phishing click rate has ever surfaced.
See the Full Kill Chain Simulated Live
We will run a sanctioned OSES™ simulation against your own executives, including email flood, Teams impersonation, vishing, and a deepfake video meeting link, as a single coordinated campaign. Most organizations are surprised by the results.