AI-powered phishing: Why SAP systems must become digital fortresses now

According to recent warnings from the German Federal Office for Information Security (BSI) and international analyses such as the ENISA Threat Landscape, social engineering attacks enabled by artificial intelligence are reaching unprecedented levels of sophistication. As phishing emails become increasingly difficult to detect and accounts are compromised, the internal security of SAP systems is coming into sharp focus. Anyone who has not yet proactively addressed the security of their SAP systems is overlooking one of the most critical issues in the IT world today. 

The technological upheaval is not just coming – it is already in full swing. Cybercriminals are increasingly using generative AI to perfect their attacks. 

In recent analyses, the BSI urgently warns that attacker groups are increasingly using artificial intelligence to perfect social engineering attacks. In particular, the credibility of AI-assisted phishing is rising massively due to increasingly “human-like” results from language models [1]. The European cybersecurity agency ENISA also confirms this trend: By 2025, AI-assisted phishing campaigns will account for more than 80 percent of social engineering activities observed worldwide [2]. For companies, this means a drastic change in the threat landscape. The question is no longer whether a phishing email will be clicked on, but when. And above all: What happens next in your business-critical SAP systems?

The Evolution of Phishing: From Mass Emails to Tailored Attacks

For a long time, phishing emails were relatively easy to spot. Poor spelling, impersonal salutations, and obviously fake sender addresses were part of the attackers’ standard repertoire. But those days are definitively over. With the emergence of Large Language Models (LLMs) and advanced AI tools, the playing field has fundamentally changed.

How AI plays into the hands of attackers

Modern AI systems enable cybercriminals to generate error-free, highly personalized, and context-aware messages in a matter of seconds. They analyze publicly available information from social networks, corporate websites, and past data breaches to create a detailed profile of their targets. The result is so-called spear-phishing attacks that are precisely tailored to the victim’s role, interests, and current work environment. Neither the industry nor the language matters – with the right AI tools, spear-phishing attacks can be adapted to any individual or corporate situation. 

Furthermore, AI enables the automation of attacks on an unprecedented scale. Chatbots can interact with victims in real time, build trust, and skillfully manipulate them into revealing sensitive information or clicking on malicious links. Even voice and video calls can now be simulated to look deceptively real using deepfake technologies, taking social engineering to a whole new level. 

The False Sense of Security: Once the Account Is Compromised

Once an account has been compromised, the real work begins for the attackers. From this point on, they move within the corporate network, searching for the most valuable targets. In most companies, this is the SAP landscape – the digital heart of the organization where all sensitive financial, HR, and production data converges. 

The problem with unhardened SAP systems

The fatal flaw: In many cases, SAP systems are not sufficiently hardened internally. They resemble a castle whose outer walls are high, but whose inner doors are wide open. When attackers gain access to an unhardened SAP system via a compromised account, they often have an easy time of it.  

A lack of segmentation, excessive user privileges, and open RFC (Remote Function Call) interfaces allow them to move across system boundaries within the production environment or network (lateral movement) and cause extensive damage. A single compromised account – even if it does not belong to an administrator – can thus lead to the compromise of the entire company. 


Typical attack vectors after compromise

Once attackers have a foothold, they exploit various vulnerabilities to escalate their privileges and access critical data: 

  • Exploitation of default passwords: Default users such as SAP* or DDIC are often not deactivated, or their passwords are not changed. 
  • Abuse of RFC connections: Insufficiently secured RFC connections between different SAP systems can be used to access a highly sensitive system from a less critical one. 
  • Vulnerabilities in custom developments: Flawed ABAP code in customer-specific developments often provides entry points for SQL injections, the injection of malicious code, or the bypassing of authorization checks. 
  • Lack of Segregation of Duties (SoD): If users have more permissions than they need for their daily work, attackers can abuse these rights to execute critical transactions. 
  • Unpatched systems: Missing or delayed security updates provide attackers with known vulnerabilities that they can exploit to gain deeper access to the system. 

The Solution: SAP Hardening and Proactive Awareness

To effectively counter this threat, a two-pronged strategy is required that addresses both the human factor and the technical infrastructure. Relying solely on firewalls and spam filters is not enough. Defenses must go deep – a concept known in cybersecurity as defense in depth. Even if the first line of defense (e.g., a person or a spam filter) fails, additional security layers kick in to hinder the attacker. To objectively assess your current status, we recommend starting with a thorough assessment. With our Cybersecurity Assessments we analyze your existing security architecture and identify critical entry points before attackers can exploit them.

1. Targeted SAP Hardening: Building the Digital Fortress

The SAP environment must be configured so that a compromised account does not allow access to all system components or even enable cross-system access to other systems. The goal is to limit potential damage and prevent the spread of an attack. 

  • Strict Permission Assignment (Least Privilege): Each user and each technical account should only be granted the permissions that are strictly necessary for the respective task. 
  • Network segmentation: The SAP landscape should be divided into different security zones to control and restrict access between systems. 
  • Securing Interfaces: RFC connections and other interfaces must be encrypted and equipped with strong authentication mechanisms. 
  • Regular patch management: SAP security updates must be applied promptly to address known vulnerabilities. 
  • Quality assurance and quality gates: Custom ABAP code must be checked for security vulnerabilities before going into production.  
  • Deactivation of standard users: Predefined accounts such as SAP* or DDIC must be consistently deactivated or secured with strong, unique passwords. 
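As an added illustration (not code from the original post or from the vendor), the following Python script audits a constructed export for two of the post-compromise vectors listed above that the hardening measures address: default accounts left active, and RFC destinations that let a less critical system reach a more critical one via stored credentials or a trust relationship. The column names, the DEV/QAS/PRD tier mapping, and the sample rows are assumptions.

```python
"""Audit a constructed SAP user/RFC export for two classic hardening gaps."""

# Default accounts shipped with every SAP system: the two named in the text plus
# other well-known standard users that hardening guides expect to be locked.
DEFAULT_USERS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}

# Assumed landscape: higher tier = more critical system.
TIER = {"DEV": 1, "QAS": 2, "PRD": 3}

# Constructed USR02-like rows. uflag 0 = unlocked, 64 = locked by admin,
# 128 = locked after failed logons (the values USR02.UFLAG actually uses).
USERS = [
    {"sid": "PRD", "mandt": "100", "bname": "SAP*", "uflag": 0},
    {"sid": "PRD", "mandt": "100", "bname": "DDIC", "uflag": 64},
    {"sid": "PRD", "mandt": "000", "bname": "EARLYWATCH", "uflag": 0},
    {"sid": "DEV", "mandt": "100", "bname": "JSMITH", "uflag": 0},
]

# Constructed RFCDES-like destinations: which system defines them, where they
# point, whether a logon user/password is stored, and whether the target
# trusts the caller (trusted RFC) so no password is needed at all.
RFC_DESTS = [
    {"sid": "DEV", "name": "PRD_CLNT100", "target": "PRD", "stored_logon": True, "trusted": False},
    {"sid": "PRD", "name": "DEV_CLNT100", "target": "DEV", "stored_logon": False, "trusted": False},
    {"sid": "QAS", "name": "PRD_TRUST", "target": "PRD", "stored_logon": False, "trusted": True},
]


def unlocked_default_users(rows):
    """Default accounts still usable: the 'default passwords' vector from the text."""
    return sorted(
        f"{r['sid']}/{r['mandt']}/{r['bname']}"
        for r in rows
        if r["bname"] in DEFAULT_USERS and r["uflag"] == 0
    )


def risky_rfc_paths(dests):
    """Destinations that let a lower-tier system hop into a higher-tier one
    without an interactive logon, i.e. the lateral-movement path the text describes."""
    return sorted(
        f"{d['sid']}->{d['target']} ({d['name']})"
        for d in dests
        if TIER[d["target"]] > TIER[d["sid"]] and (d["stored_logon"] or d["trusted"])
    )


if __name__ == "__main__":
    print("Active default users:", unlocked_default_users(USERS))
    print("Upward RFC paths:", risky_rfc_paths(RFC_DESTS))
```

A real run would replace the two constructed lists with a USR02/RFCDES extract per system; the finding logic stays the same.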

2. Regular SAP penetration tests: Identify vulnerabilities before others do

Specialized penetration tests are essential for uncovering hidden vulnerabilities before attackers exploit them. These simulate targeted attacks from within (grey-box approach) and assess how far an attacker could actually go with a compromised account. 

A standard penetration test that focuses solely on the network and operating system levels falls short when it comes to SAP. It cannot uncover the specific vulnerabilities in the SAP application layer, in the configurations, or in the countless interfaces. A specialized SAP penetration test, on the other hand, delves deep into precisely these areas. It provides a proof of concept and demonstrates in black and white how an attacker could compromise your system.

This is exactly where we come in with our specialized SAP penetration test. We put your SAP landscape through its paces to uncover even deeply hidden vulnerabilities in in-house developments or interfaces.


3. Raising Awareness of Social Engineering: Strengthening the Human Firewall

Employees must receive ongoing training to recognize increasingly sophisticated, AI-powered attacks. A strong security awareness is essential to minimize the success rate of phishing attacks. 

The goal is not to overwhelm employees with theoretical knowledge, but to provide them with practical tools to identify suspicious activities and respond appropriately. 

Conclusion: Resilience as a Strategic Advantage

The BSI’s warnings are clear: AI-powered social engineering is one of the greatest cyber threats of our time. Companies must accept that accounts could be compromised. The key metric for IT security is therefore the resilience of internal systems. 

A professionally hardened SAP landscape, supported by regular penetration tests and a security-aware workforce, forms a digital fortress that can withstand attacks even if the first line of defense falls. Don’t wait until it’s too late: Now is the right time to reassess the status quo of your SAP systems and implement proactive hardening measures.

The path to such resilience requires a holistic strategy that combines technology, processes, and the human factor. As part of our comprehensive cybersecurity consulting services, we guide you from the initial risk analysis through to the successful hardening of your business-critical systems. 

FAQs:

AI enables attackers to create error-free, highly personalized, and context-specific phishing messages in a matter of seconds. These are virtually indistinguishable from legitimate communications, which drastically reduces the detection rate by employees. 

Lateral movement describes the tactic used by attackers to gradually gain further access rights within the network after initially compromising an account. In unhardened SAP systems, they often exploit open interfaces or overly broad permissions to do so. 

Standard penetration tests usually focus on the network and operating system levels. However, SAP systems have their own highly complex application layer. Only specialized SAP penetration tests can uncover specific vulnerabilities in ABAP code, RFC connections, or SAP configurations. 

Consistent hardening ensures that an attacker who has gained access to an account is severely limited in what they can do. Segmentation and the least-privilege principle prevent the attack from spreading to the entire company. 

Since technical defenses cannot always intercept AI-generated phishing emails, vigilant employees are the most important line of defense. Regular training helps raise awareness of social engineering and detect attacks early on. 
