Masters of Imitation: How Cyberattackers and Art Forgers Exploit Deception Techniques
Unmasking impostors has long been a challenge in the art world, a struggle that offers valuable insights for the realm of cybersecurity. Elmyr de Hory, a notorious forger in the 1960s, became infamous for successfully passing off counterfeit masterpieces attributed to renowned artists like Picasso, Matisse, and Renoir. Over the years, more than a thousand of his forgeries evaded detection, fooling experts who relied on trusted signatures and established provenance.
This historical context mirrors the current landscape of cybersecurity, where Security Operations Centers (SOCs) face similar challenges. We are now entrenched in an “Age of Imitation,” where cybercriminals leverage advanced technologies to mimic trusted users and obscure their malicious activities within legitimate network traffic. Understanding the tactics employed by these impostors is crucial for effective defense.
Key Takeaways for Defenders
- Mimicry is the New Normal: According to CrowdStrike’s 2026 Global Threat Report, 81% of attacks are now malware-free.
- Agentic AI: Cyberattackers are increasingly using AI to conceal their activities within seemingly innocuous network behaviors.
- Layered Defense: A comprehensive defense strategy now requires multiple layers to protect software supply chains and federated identities.
- Network Detection and Response (NDR): This technology enhances visibility to identify and neutralize deceptive tactics.
The Rise of Mimicry in Modern Attacks
Just as de Hory reused old canvases and pigments to create authentic-looking paintings, modern attackers employ similar strategies in the digital landscape. They utilize trusted tools and credentials to blend their malicious activities into normal operations. While mimicry has long been part of the attacker’s toolkit, recent advancements have made these techniques more sophisticated.
Living-off-the-Land (LotL) attacks and AI-enhanced tools have elevated the art of deception. The aforementioned CrowdStrike report highlights that 81% of attacks now rely on legitimate tools and techniques, underscoring the importance of rapid detection to disrupt potential threats before they escalate.
A Field Guide to Network Fakery
Agentic AI-Assisted Actors
Autonomous or semi-autonomous agents generate fake identities and mimic behaviors at scale. De Hory had a network of art dealers and representatives to sell his forgeries, often using various pseudonyms to evade suspicion. Similarly, today’s attackers deploy inexpensive AI agents to create believable identities for fraud and to develop exploit code for larger-scale attacks. These self-learning agents analyze network behavior and adjust their traffic patterns to evade detection, often synchronizing their activities with legitimate spikes in network traffic.
Supply Chain and Cloud Impostors
Attackers are increasingly using malicious AI agents to compromise software supply chains. By slipping harmful code into what looks like a benign update, they obscure where an exploit originated. Microsoft researchers have documented how attackers modified numerous software packages to harvest developer credentials and API secrets, propagating through trusted internal networks while masquerading as legitimate updates. Supply chain attacks are not new, but the speed and efficiency with which AI agents can carry them out have increased significantly.
Cloud-based deception tactics have also evolved. Attackers have long used fake login pages and spoofed cloud repositories to trick users into revealing credentials. AI tools can now create these convincing fakes at an unprecedented scale, making it easier for attackers to deceive users.
Cloaked Tunnels
Attackers often cloak their malicious traffic within allowed protocols or encrypted channels. De Hory expanded his operations by using galleries to mask his transactions. In a similar vein, cybercriminals use IP tunnels to conceal their network communications, making malicious activity appear legitimate. They may employ mismatched requests and replies to evade detection, lying dormant within corporate networks for extended periods before launching an attack.
Rogue Infrastructure
Cyberattackers frequently create lookalike servers, domains, and services to impersonate trusted infrastructure. Recent Microsoft research indicates that threat actors have lured users with fake Teams meeting messages, leading to credential harvesting sites disguised as legitimate login pages. Such deceptive connections can set the stage for further exploitation of network resources and sensitive data.
Phishing
Fakery is central to phishing campaigns, which often use fake email addresses that resemble legitimate domains. Techniques such as homoglyph or homograph attacks let attackers spoof domains with visually similar characters, redirecting communications to infrastructure under their control. De Hory’s meticulous attention to detail in replicating the styles of master artists finds a parallel in the efforts of cybercriminals to create convincing phishing schemes.
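The homoglyph check described above, written out as an added defender-side example (not code from the article or from any vendor named in it). It normalizes a domain from a mail or DNS log, folds a hand-picked subset of confusable characters and letter pairs to their ASCII lookalikes, and compares the result to a constructed list of protected brand domains; the brand list, the confusables subset and the verdict labels are assumptions made for the example.

```python
import unicodedata

# Constructed list of domains this check protects (assumption for the example).
PROTECTED_DOMAINS = {"example.com", "example-bank.com"}

# Hand-picked subset of non-Latin code points that render like ASCII letters.
# Assumption: a real deployment would load the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0443": "y",  # Cyrillic small u
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u03bf": "o",  # Greek small omicron
    "\u03b1": "a",  # Greek small alpha
    "\u0131": "i",  # Latin small dotless i
}

# Letter pairs that read as a single ASCII letter in many fonts.
SEQUENCE_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}


def to_unicode(domain):
    """Decode punycode (xn--) labels as they appear in DNS logs; pass Unicode through."""
    if domain.isascii():
        try:
            return domain.encode("ascii").decode("idna")
        except UnicodeError:
            return domain
    return domain


def skeleton(text):
    """Fold a domain to the ASCII string a human would perceive."""
    text = unicodedata.normalize("NFKC", text).lower()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for seq, rep in SEQUENCE_CONFUSABLES.items():
        text = text.replace(seq, rep)
    return text


def scripts_in(label):
    """Return the set of Unicode scripts used by the letters of one label."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def levenshtein(a, b):
    """Plain edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain):
    """Classify a domain as trusted, lookalike, near-miss or unrelated to the brand list."""
    uni = to_unicode(domain).lower().rstrip(".")
    if uni in PROTECTED_DOMAINS:
        return {"domain": uni, "verdict": "trusted", "brand": uni, "reasons": []}
    skel = skeleton(uni)
    reasons = []
    if any(len(scripts_in(label)) > 1 for label in uni.split(".")):
        reasons.append("mixed scripts in a label")
    if skel != uni:
        reasons.append("confusable characters present")
    best_brand, best_distance = None, None
    for brand in sorted(PROTECTED_DOMAINS):
        if skel == skeleton(brand):
            reasons.append(f"renders like {brand}")
            return {"domain": uni, "verdict": "lookalike", "brand": brand, "reasons": reasons}
        distance = levenshtein(skel, brand)
        if best_distance is None or distance < best_distance:
            best_brand, best_distance = brand, distance
    if best_distance is not None and best_distance <= 1:
        reasons.append(f"one edit away from {best_brand}")
        return {"domain": uni, "verdict": "near-miss", "brand": best_brand, "reasons": reasons}
    return {"domain": uni, "verdict": "unrelated", "brand": None, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sender domains as they might appear in mail-gateway logs.
    for candidate in ["example.com", "ex\u0430mple.com", "exarnple.com", "examp1e.com", "github.com"]:
        print(candidate, assess(candidate))
```

The mixed-script test and the skeleton comparison are independent signals: a domain can be entirely Cyrillic (no script mixing) and still collapse onto a protected brand, and a pure-ASCII "rn" for "m" swap never trips the script check at all, so a detector that relies on only one of them misses a class of lookalikes.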
How NDR Can Expose the Fakes
The parallels between de Hory’s forgeries and contemporary cyberattacks are striking. Both rely on mimicry and the exploitation of trusted systems. De Hory was ultimately exposed when experts identified stylistic inconsistencies in his works. Similarly, Network Detection and Response (NDR) can identify attackers by monitoring behavioral patterns and anomalies that reveal underlying malicious activities.
NDR can help expose hidden threats in several ways:
- Detecting Behavioral Anomalies: Identifying deviations from established network baselines, such as unusual login times or atypical data transfers, can signal the presence of impostors.
- Revealing Protocol and Metadata Inconsistencies: Spotting mismatches that attackers cannot easily conceal, such as odd protocol combinations or suspicious encrypted sessions, is crucial for detection.
- Providing Context: Enriching raw traffic data with metadata helps analysts understand the broader picture, enabling them to differentiate real threats from benign activities.
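The first and third points above, behavioral baselining and enriching each hit with context, as an added example rather than code from the article or from any NDR vendor it names. It builds a per-host baseline (working hours, known destinations, typical outbound volume) from constructed connection records in the spirit of a conn log, then scores new records against it and returns the reasons behind each hit; the record layout, the hosts and the three-standard-deviation threshold are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline week for one workstation: (timestamp, source host,
# destination, bytes sent). Not a real capture.
BASELINE_LOG = [
    ("2024-03-04T08:05:00", "ws-17", "10.0.0.5", 1_200_000),
    ("2024-03-04T09:40:00", "ws-17", "10.0.0.9", 2_500_000),
    ("2024-03-05T10:10:00", "ws-17", "203.0.113.10", 3_100_000),
    ("2024-03-05T11:30:00", "ws-17", "10.0.0.5", 1_800_000),
    ("2024-03-06T13:15:00", "ws-17", "10.0.0.9", 2_200_000),
    ("2024-03-06T14:45:00", "ws-17", "203.0.113.10", 2_900_000),
    ("2024-03-07T15:20:00", "ws-17", "10.0.0.5", 3_400_000),
    ("2024-03-07T16:05:00", "ws-17", "10.0.0.9", 1_600_000),
    ("2024-03-08T17:30:00", "ws-17", "203.0.113.10", 2_700_000),
    ("2024-03-08T09:15:00", "ws-17", "10.0.0.5", 2_000_000),
    ("2024-03-08T12:00:00", "ws-17", "10.0.0.9", 3_000_000),
    ("2024-03-08T10:50:00", "ws-17", "10.0.0.5", 2_400_000),
]

# Constructed new records to score: a normal session, a night-time bulk
# transfer to a never-seen host, and a quiet first contact during office hours.
NEW_EVENTS = [
    ("2024-03-11T10:15:00", "ws-17", "10.0.0.5", 2_300_000),
    ("2024-03-11T03:20:00", "ws-17", "198.51.100.77", 48_000_000),
    ("2024-03-11T14:00:00", "ws-17", "198.51.100.77", 900_000),
    ("2024-03-11T11:00:00", "ws-99", "10.0.0.5", 500_000),
]

SIGMA = 3  # assumption: volume beyond mean + 3 standard deviations is unusual


def build_baseline(records):
    """Summarize each source host's observed hours, destinations and volumes."""
    hours = defaultdict(list)
    dsts = defaultdict(set)
    volumes = defaultdict(list)
    for ts, src, dst, sent in records:
        hours[src].append(datetime.fromisoformat(ts).hour)
        dsts[src].add(dst)
        volumes[src].append(sent)
    baseline = {}
    for src in hours:
        avg = mean(volumes[src])
        spread = pstdev(volumes[src])
        baseline[src] = {
            "hour_window": (min(hours[src]), max(hours[src])),
            "destinations": dsts[src],
            "volume_ceiling": avg + SIGMA * spread,
        }
    return baseline


def score_event(baseline, event):
    """Return the list of baseline deviations for one record (empty means normal)."""
    ts, src, dst, sent = event
    profile = baseline.get(src)
    if profile is None:
        return [f"no baseline for host {src}"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    low, high = profile["hour_window"]
    if not low <= hour <= high:
        reasons.append(f"activity at {hour:02d}:00 outside baseline window {low:02d}-{high:02d}")
    if dst not in profile["destinations"]:
        reasons.append(f"first contact with destination {dst}")
    if sent > profile["volume_ceiling"]:
        reasons.append(f"outbound volume {sent} above baseline ceiling {int(profile['volume_ceiling'])}")
    return reasons


def hunt(records, events):
    """Score every new record and keep only those with at least one deviation, with context."""
    baseline = build_baseline(records)
    findings = []
    for event in events:
        reasons = score_event(baseline, event)
        if reasons:
            findings.append({"event": event, "reasons": reasons, "score": len(reasons)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in hunt(BASELINE_LOG, NEW_EVENTS):
        print(finding["score"], finding["event"], finding["reasons"])
```

The third constructed record is the interesting one for the "living off the land" case: it trips only the first-contact check, so on its own it looks like ordinary browsing. Carrying the reason strings through to the analyst, rather than a bare score, is what lets that single weak signal be joined with other context before it is dismissed.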
As cybercriminals continue to evolve their tactics, defenders must employ advanced tools like NDR to maintain visibility and catch these threats early, preventing significant damage.
According to publicly available thehackernews.com reporting, Corelight’s Open NDR Platform empowers SOCs to detect emerging threats, including those utilizing advanced techniques. Its multi-layered detection approach includes behavioral and anomaly detection, enabling security teams to strengthen their defenses against increasingly sophisticated attacks.