The attack and breach were down to a successful social engineering campaign which ended in compromised credentials for MailChimp Employees. MailChimp detected the breach on the 26th of March when a threat actor was accessing internal customer support tools and account administration. Although the attack was stopped at that stage it did not prevent exfiltration of some customer data and API Keys (now disabled) The yet unidentified attackers appeared to be looking for customer data and APIs keys from the Crypto and Finance sectors.
With the mailing lists and API Keys the attackers would be able to set up and run mailing campaigns via the API and without needing to access the customer portal. The emails would appear to come from a legitimate source even if the links they contained were not. This is likely what was done to the Trezor customers over the weekend.
Social Engineering attacks are not an uncommon method to gain initial access to an environment. The technique is effective when properly employed especially when it is done over voice channels. Many organizations focus on phishing protection and anti-malware but leave this open. Lapsus$ used this to great effect against targets like Okta. The tactic is also very effective due to the explosion in the remote workforce. Crypto and the Financial sector are always going to be good targets, adding in an extra level to make a phishing campaign look more legitimate is an interesting twist here, but not an unheard of one.
We have seen other threat groups leverage an initial compromise to move on to other targets and we often see this in wire fraud phishing campaigns. Here the attacker targets company X, compromises an account, listens and learns, steals marketing collateral, then sends out new phishing emails to hit potentially bigger fish. It is all the great circle of life.
There are some obvious and common methods to reduce risks like this including systems that are effective at detecting voice fraud (including some social engineering attacks). However, all the systems in the world do not replace the right level of training, awareness and the creation of a proper security culture.