Why Attackers Target Manufacturers, and What the Attacks Look Like

Manufacturing is the most-attacked industry in the world for the fifth consecutive year, accounting for 27.7% of incidents in IBM's 2026 X-Force Threat Intelligence Index. Our own threat data agrees. Through June, phishing attacks in our case flow landed on more distinct manufacturing organizations each week than at any point this spring, and the growth came from a widening set of companies rather than one noisy campaign.

This post breaks down the three attack types hitting manufacturers hardest right now (credential harvesting, vendor impersonation, and invoice fraud), the delivery technique that keeps recurring (Microsoft 365 Direct Send abuse), and the specific settings and controls that shut them down.

I watch the case flow coming out of our Phishing SOC Agent the way some people watch box scores, and most weeks the industry mix is boring in a good way.

Manufacturing broke the pattern this quarter. Let's dig into the why.

Why do attackers target manufacturing companies?

Attackers target manufacturers because the economics favor them. Invoice and PO traffic is constant and high-dollar. Supplier relationships are broad and change often, so unfamiliar senders are normal. IT teams are lean relative to the size of the mail flow, and plant-floor operations pressure everyone to keep things moving. An attacker running invoice fraud or credential harvesting gets more shots on goal per mailbox in manufacturing than almost anywhere else.

The payoff math is public record. Business email compromise cost victims $3.04 billion in reported losses in 2025 per the FBI's IC3 annual report, averaging roughly $123,000 per incident, and 86% of those losses moved by wire transfer or ACH. A payment-diversion request aimed at a manufacturer's accounts-payable team is a direct path to that money.

The supplier network is the soft spot, and the breach data backs that up. Verizon's 2026 Data Breach Investigations Report ties third parties to 61% of manufacturing breaches and the human element to 56%.

What phishing attacks hit manufacturers most?

Credential harvesting is the most common attack type in our manufacturing cases, and the DBIR explains why attackers bother. Stolen credentials contributed to 41% of manufacturing breaches in the 2026 report.

The lures arrive dressed as the software manufacturers already use: e-signature requests, document-share notifications, ERP and plan-room platforms, shipping and scheduling systems.

The landing pages are pixel-accurate, and the links frequently route through legitimate infrastructure (email service providers, redirect chains on real marketing domains) before arriving at the harvest page.

We published a teardown of an Adobe Sign lure that bounced through a multi-hop redirect chain on its way to the credential form, and it's representative of the genre.

Attack of the Day teardown: Adobe Sign e-signature lure with a multi-hop redirect chain

Vendor email compromise and supplier impersonation sit right behind credential theft. Manufacturers run on long supplier lists, and attackers exploit that trust with fabricated invoice threads, payment-diversion requests riding spoofed or lookalike supplier domains, and BEC attempts that reference plausible-sounding orders.

In one case we tore down, a compromised vendor's real M365 account issued fraudulent banking-change instructions to redirect payments.

Attack of the Day teardown: compromised vendor M365 account issuing fraudulent banking-change instructions

These emails routinely pass SPF, DKIM, and DMARC. Attackers send from real ESP accounts or compromised vendor mailboxes, so authentication tells you the mail is technically legitimate while everything about its intent is hostile.

One of my favorite case titles from the series says it all. SPF pass, DKIM pass, DMARC pass. Still phishing.

Attack of the Day teardown: authenticated supplier invoice with cousin-domain display-name impersonation

What is Microsoft 365 Direct Send abuse?

Direct Send is a Microsoft 365 feature that lets devices like printers, scanners, and line-of-business applications send email into your tenant without authenticating. Attackers abuse Direct Send to deliver mail that appears to come from your own domain, or a trusted affiliate's, without compromising a single account.

Mail delivered this way carries no malicious payload signature and no known-bad URL at send time, so gateways and content scanners have nothing to block. What flags it is behavior: a sender identity that has never sent mail like this before, at volumes or in patterns that make no sense for it. Our Adaptive AI catches these on the anomaly, and in manufacturing environments it has been getting regular exercise lately. We covered the mechanics of this abuse when the technique first spiked, and it has aged well (unfortunately).
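The two patterns described above, fully authenticated supplier impersonation (cousin domains and display-name tricks behind a clean SPF/DKIM/DMARC) and Direct Send-style mail that claims your own domain without any authentication, can both be triaged from headers alone. The script below is an added example written for this post; it is not the detection logic of the product or teardowns described here. The tenant domain, supplier list, message headers and baseline counts are constructed for illustration, and the thresholds are arbitrary starting points.

```python
import re
from collections import Counter
from email.utils import parseaddr

# Constructed values for this example: substitute your own tenant domain and supplier list.
OUR_DOMAIN = "contoso-mfg.example"
KNOWN_SUPPLIERS = {
    "acme-fasteners.example": "Acme Fasteners",
    "globalsteel.example": "Global Steel",
}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_auth_results(value):
    """Reduce an Authentication-Results header to {'spf': 'pass', ...}; absent methods map to 'none'."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for method, verdict in AUTH_RE.findall(value or ""):
        results[method.lower()] = verdict.lower()
    return results


def edit_distance(a, b):
    """Plain Levenshtein distance; a small distance to a known supplier domain is the cousin-domain signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(msg):
    """Return a list of findings for one message given as a dict of header name -> value."""
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results"))
    fully_authenticated = all(auth[m] == "pass" for m in ("spf", "dkim", "dmarc"))

    # 1. Cousin domain: within two edits of a supplier we know, but not that supplier.
    for known in KNOWN_SUPPLIERS:
        if domain != known and edit_distance(domain, known) <= 2:
            findings.append(f"cousin domain {domain} resembles supplier {known}")

    # 2. Display-name impersonation: a supplier's name on a domain that is not the supplier's.
    for known, name in KNOWN_SUPPLIERS.items():
        if name.lower() in display.lower() and domain != known:
            findings.append(f"display name '{display}' claims {known} but sends from {domain}")

    # 3. Direct Send pattern: our own domain in From, yet nothing authenticated the message.
    if domain == OUR_DOMAIN and auth["spf"] != "pass" and auth["dkim"] != "pass":
        findings.append("unauthenticated mail claiming our own domain (Direct Send pattern)")

    # Authentication results are reported alongside the findings, never used to clear the message.
    if findings and fully_authenticated:
        findings.append("note: SPF/DKIM/DMARC all pass; authentication does not vouch for intent")
    return findings


def volume_anomalies(messages, baseline_per_day, factor=3, min_count=5):
    """Flag From addresses whose daily count is out of proportion to their historical baseline."""
    counts = Counter(parseaddr(m.get("From", ""))[1].lower() for m in messages)
    flagged = {}
    for sender, n in counts.items():
        expected = baseline_per_day.get(sender, 0)
        if n >= min_count and n > factor * max(expected, 1):
            flagged[sender] = (n, expected)
    return flagged


# Constructed sample headers (not real mail): one cousin-domain invoice, one display-name
# impersonation from an ESP, one unauthenticated message from "our" scanner, one clean supplier mail.
AUTH_PASS = "mx.contoso-mfg.example; spf=pass smtp.mailfrom={d}; dkim=pass header.d={d}; dmarc=pass header.from={d}"
SAMPLE_MESSAGES = [
    {"From": "Acme Fasteners AP <billing@acme-fastener.example>",
     "Authentication-Results": AUTH_PASS.format(d="acme-fastener.example")},
    {"From": "Global Steel Invoices <ar@invoice-mailer.example>",
     "Authentication-Results": AUTH_PASS.format(d="invoice-mailer.example")},
    {"From": "Plant Scanner <scanner@contoso-mfg.example>",
     "Authentication-Results": "mx.contoso-mfg.example; spf=none; dkim=none; dmarc=none"},
    {"From": "Jane Doe <jane@globalsteel.example>",
     "Authentication-Results": AUTH_PASS.format(d="globalsteel.example")},
]
# A constructed day of traffic in which the scanner identity suddenly sends six messages.
DAY_TRAFFIC = SAMPLE_MESSAGES + [SAMPLE_MESSAGES[2]] * 5
BASELINE = {"scanner@contoso-mfg.example": 1, "jane@globalsteel.example": 2}


def run_example():
    """Triage each sample message and check the day's volume against the baseline."""
    return [triage(m) for m in SAMPLE_MESSAGES], volume_anomalies(DAY_TRAFFIC, BASELINE)


if __name__ == "__main__":
    per_message, anomalies = run_example()
    for msg, findings in zip(SAMPLE_MESSAGES, per_message):
        print(msg["From"], "->", findings or "no findings")
    print("volume anomalies:", anomalies)
```

The point of the last check in triage is the one the teardown titles make: a clean Authentication-Results line is attached to the finding as context, never used as a reason to drop it. The volume check stands in for the behavioral baseline described above; a production version would key the baseline on sending IP and authentication state as well as the From address.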

How do manufacturers defend against these attacks?

Three controls close most of the gap, and none of them requires a big project.

Disable or lock down Direct Send. Microsoft's RejectDirectSend setting (Set-OrganizationConfig -RejectDirectSend $true) went GA in late 2025 and is off by default, so odds are your tenant still accepts this mail. Test it and turn it on. We walked through Microsoft's crackdown and what the setting does in a follow-up post.

Get DMARC to enforcement, on your domains and your suppliers'. Half the impersonation we see rides on domains nobody bothered to protect. Your own enforcement policy stops attackers spoofing you; pressure on key suppliers shrinks the lookalike surface aimed at your AP team.

Evaluate detection against authenticated, payload-free mail. Ask any vendor (us included) how their product handles mail that passes SPF, DKIM, and DMARC and contains nothing scannably bad. That describes most of what we catch in this vertical.

We publish teardowns of attacks like these every day, tagged by industry. If you want to see exactly what's hitting manufacturers (the real emails, the headers, why each one got past the first line of defense), the Attack of the Day Explorer has dozens of manufacturing cases and counting.

Frequently asked questions

What is Direct Send in Microsoft 365?

Direct Send is a Microsoft 365 feature that lets devices and applications (printers, scanners, line-of-business apps) send email to mailboxes inside your tenant without authentication. Attackers abuse it to deliver spoofed mail that appears to come from your own domain without compromising any account.

How do I check if Direct Send is enabled?

Run Get-OrganizationConfig | Select RejectDirectSend in Exchange Online PowerShell. If RejectDirectSend is False (the default), your tenant still accepts unauthenticated Direct Send mail. Enable rejection with Set-OrganizationConfig -RejectDirectSend $true.

Why is manufacturing the most targeted industry for cyberattacks?

Manufacturing has been the most-attacked industry for five consecutive years (IBM X-Force 2026) because the operating environment favors attackers. High-value invoice and PO traffic, broad and changing supplier networks, lean IT teams, and production pressure that rewards fast decisions all raise the odds that a phishing email gets actioned.

What is vendor email compromise?

Vendor email compromise (VEC) is an attack where a threat actor uses a supplier's compromised or impersonated email account to send fraudulent invoices, banking-change requests, or payment instructions to that supplier's customers. Because the request arrives from a known, often fully authenticated sender, it bypasses both gateways and human suspicion.

Do phishing emails pass SPF, DKIM, and DMARC?

Yes. Attackers routinely send phishing from legitimate ESP accounts, compromised vendor mailboxes, and unauthenticated paths like Direct Send, all of which can produce passing or absent authentication results. Email authentication verifies the sending infrastructure, and says nothing about intent.
