IndustrialCyber

Manufacturing cyber threats shift toward identity-driven attacks as credential leaks and vishing surge, Doppel warns


New data from Doppel identified that manufacturing remains one of the most heavily targeted sectors for cyberattacks, as threat actors increasingly exploit the industry’s dependence on operational uptime, complex supplier ecosystems, and trusted third-party relationships. The report found that attackers are shifting beyond traditional phishing toward more sophisticated social engineering campaigns involving vishing, executive impersonation, spoofed vendor communications, and fraudulent procurement portals, designed to disrupt production, steal intellectual property, or manipulate payments. It notes that manufacturing and engineering organizations face the highest vishing vulnerability rate of any industry, making human-facing workflows a growing attack surface.

Doppel’s analysis highlights how modern manufacturing threats are increasingly multi-channel, with adversaries using messaging apps, email, and fake digital infrastructure in tandem to infiltrate supply chains. Rather than attacking core systems directly, threat actors often compromise trusted communication channels to impersonate suppliers or logistics partners, enabling them to reroute shipments, alter invoices, or propagate further compromise across vendor networks. This evolution underscores a broader shift in industrial cybersecurity: protecting manufacturing environments now requires not only securing IT and OT (operational technology) systems, but also defending the human and communications layers that connect the wider supply chain.

The researchers flagged that the most consistent finding in the broader dataset is the concentration of activity in credential leak sources. Credential leaks dominated February, April, and May, and remained the top source in March. This matters because leaked credentials can support several manufacturing-specific risk paths, such as access to supplier portals and customer portals, VPN, SSO, cloud, and remote access attempts, business email compromise and invoice redirection, abuse of contractor, maintenance, or logistics partner accounts, and follow-on targeting of operational support systems.

For manufacturers, this risk is amplified by distributed plants, legacy access patterns, shared third-party workflows, and a large population of vendors and contractors that may not be governed consistently.

“Doppel observed a massive spike in mid-April. The week of April 13 generated a 47x increase in dark web alerts from the prior week,” according to the post. “This pattern is consistent with a major credential dump, breach-related exposure, or concentrated dark web release. Even when the spike is tied to one week, it is still important for the vertical-level report because it shows how quickly manufacturing and industrial exposure can concentrate around a single high-volume event.”

Doppel’s findings also align with broader third-party breach reporting. Black Kite reported that 136 major third-party breaches in 2025 affected 719 named companies and an estimated 26,000 additional downstream victims that were never publicly identified. The report also found that the average third-party breach affected 5.28 downstream victims, the highest level Black Kite has recorded.

This is highly relevant to manufacturing because the sector depends on interconnected suppliers, logistics providers, contract manufacturers, distributors, and field-service partners. A single compromised vendor, shared platform, or high-dependency service provider can create exposure across many downstream organizations.

The Black Kite findings also reinforce the importance of Doppel’s credential leak signal. Black Kite reported that 62% of the most critical vendors had corporate credentials appearing in stealer logs, making identity exposure a key supply chain risk indicator. For manufacturers, leaked vendor or partner credentials can create indirect paths into supplier portals, procurement workflows, remote access systems, and shared business applications.

The research points to a clear shift from infrastructure-first threat activity toward identity-first attacks, where compromised credentials and user trust increasingly serve as the primary entry points.

In January, threat activity was relatively evenly distributed across dark web sources and hosting platforms. By February, credential leaks had emerged as the dominant threat vector. March saw a more diverse pattern, with credential leaks appearing alongside activity on Cloudflare Pages, Facebook, and GitBook. In April and May, the trend returned to a credential-heavy model, although Facebook remained a notable secondary channel.

This progression suggests that attackers are no longer relying on a single delivery mechanism. Instead, they are combining exposed credentials, trusted hosting services, social media platforms, and dark web marketplaces to support broader, multi-stage attack campaigns.

A likely attack chain begins with exposed credentials or compromised identity data obtained through leaks or dark web sources. Attackers then validate or enrich this information against business systems, customer portals, email accounts, or remote access services. Once access opportunities are identified, spoofed infrastructure, hosted phishing pages, or fraudulent social profiles may be used to impersonate brands, vendors, or support teams. Victims can then be funneled into phishing schemes, payment fraud, account recovery abuse, or other social engineering traps. Successful compromise can ultimately be monetized through fraud, data theft, extortion, or the resale of unauthorized access.

For manufacturers, this shift carries significant implications because operational disruption does not necessarily begin within OT environments. Instead, it may originate through compromised business identities, supplier credentials, email accounts, or third-party impersonation, later cascading into production delays, logistics failures, financial losses, or reputational damage.

Defenders should prioritize continuous monitoring for leaked employee, vendor, and partner credentials, as exposed identity data is increasingly becoming a primary attack vector. Organizations should also accelerate password resets and access reviews for accounts connected to VPNs, single sign-on platforms, email systems, supplier portals, remote access services, and privileged environments.
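The two defensive steps above, spotting a week-over-week surge in credential-leak alerts like the April spike described earlier and queuing the exposed accounts for reset by the access they carry, can be expressed as simple triage logic. The following is an added example, not Doppel's tooling; the alert records, account names and the `HIGH_RISK` system labels are constructed for illustration, and the spike threshold is a parameter rather than a recommended value.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample alerts (not real leak data): one leaked-credential alert per
# row, with the systems that account is known to reach.
ALERTS = [
    {"seen": date(2025, 4, 7),  "account": "j.doe@example-mfg.test",      "systems": {"email"}},
    {"seen": date(2025, 4, 9),  "account": "ops-contractor@vendor.test",  "systems": {"supplier_portal"}},
    {"seen": date(2025, 4, 14), "account": "plant-admin@example-mfg.test", "systems": {"vpn", "sso", "privileged"}},
    {"seen": date(2025, 4, 14), "account": "a.lee@example-mfg.test",      "systems": {"sso", "email"}},
    {"seen": date(2025, 4, 15), "account": "logistics@partner.test",      "systems": {"supplier_portal"}},
    {"seen": date(2025, 4, 16), "account": "marketing@example-mfg.test",  "systems": {"cms"}},
    {"seen": date(2025, 4, 17), "account": "maint-vendor@vendor.test",    "systems": {"remote_access"}},
    {"seen": date(2025, 4, 18), "account": "j.doe@example-mfg.test",      "systems": {"email"}},
]

# Access paths the article singles out for accelerated resets and access reviews.
HIGH_RISK = {"vpn", "sso", "email", "supplier_portal", "remote_access", "privileged"}


def week_start(d):
    """Sunday that opens the week containing d (weekday(): Monday=0 .. Sunday=6)."""
    return d - timedelta(days=(d.weekday() + 1) % 7)


def weekly_counts(alerts):
    """Number of leak alerts per Sunday-based week."""
    return Counter(week_start(a["seen"]) for a in alerts)


def spike_weeks(counts, factor):
    """Weeks whose alert volume is at least `factor` times the prior week's.

    A week with no prior-week baseline is skipped rather than flagged."""
    spikes = {}
    for week, n in counts.items():
        prev = counts.get(week - timedelta(days=7), 0)
        if prev and n >= factor * prev:
            spikes[week] = n / prev
    return spikes


def reset_queue(alerts):
    """Accounts in the order they should be reset/reviewed: most high-risk systems
    reachable first, then most leak events, then name; accounts with no high-risk
    reach sort last but are still listed."""
    reach, hits = defaultdict(set), Counter()
    for a in alerts:
        reach[a["account"]] |= a["systems"]
        hits[a["account"]] += 1
    return sorted(reach, key=lambda acct: (-len(reach[acct] & HIGH_RISK), -hits[acct], acct))
```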

Strong authentication controls remain critical, making multifactor authentication and conditional access essential for high-risk access paths. At the same time, organizations should closely review third-party access into shared systems, support tools, customer portals, and remote maintenance environments to reduce exposure from trusted external relationships.

Manufacturers should establish clear verification processes for supplier payment changes, procurement requests, and account recovery attempts, all of which are frequently targeted in fraud campaigns. Security teams should also actively monitor for impersonation involving distributors, contractors, field-service providers, and logistics partners, as these trusted relationships are increasingly being exploited by attackers.

Particular attention should be given to recurring abuse on hosting platforms such as GitBook, Webflow, Blogspot, Netlify, and Cloudflare Pages. Hosted phishing pages on these platforms should be correlated with associated social media profiles, redirects, malicious domains, and credential harvesting workflows to build a more complete view of attacker activity.

Organizations should also monitor major social media platforms for fake brand, recruiter, support, distributor, and executive accounts. Facebook deserves particular scrutiny, as it remains a prominent channel for manufacturing-related social engineering campaigns. Takedown efforts targeting fraudulent social accounts should be linked to related domains, hosting infrastructure, and messaging pivots to uncover broader attacker operations.

Finally, while monitoring malicious domains remains important, defenders should treat domains as only one component of a wider attack chain rather than the complete threat picture. Security teams should pivot from suspicious domains to examine hosting providers, redirect paths, social profiles, and credential collection pages. Domain activity is often most useful as a late-stage conversion signal, especially when broader campaign activity is being driven by credential leaks or social engineering sources.

In conclusion, Doppel identified that manufacturing threat pressure is increasingly shaped by identity exposure, external infrastructure abuse, and attacker interest in operational leverage.

The researchers noted that the most important finding in this dataset is the dominance of credential leak activity. “While domains and hosted infrastructure remain important, the broader field of view shows that attackers are likely using exposed credentials and dark web data as core inputs for fraud, impersonation, and access enablement. May is projected to remain elevated, even though confirmed malicious domain activity is lower than in prior months. This suggests that the current risk is not primarily domain-led. It is identity-led and ecosystem-driven.”

For manufacturing organizations, the defensive priority should be broader than brand takedown alone. Effective disruption requires connecting credential exposure, dark web signals, social impersonation, hosted platform abuse, supplier risk, and domain infrastructure into a single external threat view.
