Meta Accuses NSO Group of Violating WhatsApp Injunction With Fresh Spear-Phishing Campaign
A federal jury awarded Meta roughly $168 million in May after NSO's Pegasus spyware abused a WhatsApp voice-call flaw in 2019. Now Meta says NSO's operators are back — this time with social-engineering lures — and is asking a judge to hold the vendor in contempt.

Meta caught NSO Group running spear-phishing attempts against WhatsApp users after a permanent court injunction had already ordered the Israeli spyware vendor to stay away from the platform entirely.
What Happened
The campaign followed a straightforward social-engineering pattern. Operators sent messages designed to persuade targets into tapping malicious links. Those links pulled users off WhatsApp and onto attacker-controlled external pages. No publicly documented zero-click exploit chain was involved this time — just a crafted lure, a tap, and a waiting site built to harvest credentials or deliver a payload.
The timing makes the campaign notable. In May 2025, a federal jury handed Meta a civil verdict against NSO Group, awarding approximately $168 million in damages connected to the 2019 Pegasus operation. That earlier campaign had exploited a buffer-overflow vulnerability in WhatsApp's voice-call handler to silently deliver spyware to journalists, human-rights workers, and diplomats — no interaction required. The permanent injunction that accompanied the jury verdict was explicit: NSO is barred from accessing or targeting WhatsApp users or infrastructure in any form.
Meta's contempt filing argues NSO violated that order anyway.
Why a Contempt Motion Is the More Significant Story
Civil damages can be appealed for years. They can be restructured in bankruptcy, absorbed by state-affiliated clients, or simply ignored by a foreign entity with no U.S. assets. Contempt is a different instrument. A contempt finding can place individual officers personally on the hook and gives the presiding court a mechanism to escalate enforcement in ways a standard damages award does not.
NSO has long maintained that it sells Pegasus exclusively to vetted government clients and bears no responsibility for how those governments choose to deploy the tool. That argument may get harder to make when fresh evidence of spear-phishing sits in front of a judge who already signed an injunction forbidding the precise behavior at issue.
As of the time of writing, the court had not ruled on the contempt motion and NSO had not issued a public response to the allegation.
The Phishing-Resistant Auth Gap
The choice of spear-phishing as a tactic tells defenders something important. When zero-click exploit chains get patched or exposed, even well-resourced offensive vendors fall back to clicking links on phones. That is a meaningful capability downgrade — and it is one defenders can actually address.
Against a credential-harvest page on a domain a target trusted enough to visit, standard one-time passcodes or SMS two-factor authentication offer limited protection. An adversary proxying the session can relay stolen tokens in real time, rendering TOTP largely ineffective. Phishing-resistant authentication — FIDO2 passkeys, WebAuthn hardware tokens — removes the replayable credential from the equation entirely. NIST's Digital Identity Guidelines (SP 800-63B) classify FIDO2 authenticators at the highest assurance level precisely because they bind the credential to the legitimate origin, making a lookalike page functionally useless.
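The origin-binding argument above is easier to see in code. The following is an added illustration written for this page, not code from the article, from Meta, or from any WebAuthn library. It contrasts the two factors the paragraph compares: a standard TOTP code, which carries no information about where the user typed it, and a WebAuthn-style assertion, where the browser (not the page) writes the loaded origin into the signed client data. The relying party ID, origins, seeds and challenge are all constructed placeholders, and the authenticator's signature is stood in for by HMAC-SHA256 over a shared per-credential secret so the example runs on the standard library alone; a real authenticator uses an asymmetric key pair.

```python
"""Why a relayed TOTP code verifies but a relayed passkey assertion does not.

Added example for this page (not the article's or any vendor's code).
Assumptions, all constructed: RP_ID / EXPECTED_ORIGIN, the lookalike
domain, the seeds and the challenge. HMAC-SHA256 stands in for the
authenticator's ECDSA signature so the script needs only the stdlib.
"""
import hashlib
import hmac
import json
import struct

# ---------- TOTP (RFC 6238): nothing in the code names the site ----------

def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Standard TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int) -> bool:
    """The RP can only compare digits; it cannot learn where the user typed them."""
    return hmac.compare_digest(totp(secret, timestamp), code)


# ---------- WebAuthn-style assertion: the browser stamps the origin ----------

RP_ID = "web.example"                    # hypothetical relying party ID
EXPECTED_ORIGIN = "https://web.example"  # the only origin the RP will accept


def make_assertion(cred_secret: bytes, challenge: str, page_origin: str, rp_id: str) -> dict:
    """Simulates browser + authenticator. The page never controls `origin`: the
    browser records the origin it actually loaded the page from in clientDataJSON
    before anything is signed."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    # authenticatorData = rpIdHash (32) || flags (1, bit 0 = user present) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + struct.pack(">I", 1)
    signed_bytes = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_secret, signed_bytes, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def verify_assertion(cred_secret: bytes, expected_challenge: str, assertion: dict) -> tuple[bool, str]:
    """RP-side checks: ceremony type, challenge, origin, rpIdHash, user presence, signature."""
    client = json.loads(assertion["client_data"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client.get('origin')}"
    auth_data = assertion["auth_data"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    signed_bytes = auth_data + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_secret, signed_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def relay_scenario() -> dict:
    """A real-time proxy phish: the lure page relays the RP's challenge to the
    victim and forwards whatever comes back. Returns each factor's verdict at the RP."""
    totp_secret = b"constructed-totp-seed"        # constructed sample seed
    cred_secret = b"constructed-credential-key"   # constructed sample credential
    now = 1_700_000_000
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"    # constructed; real RPs use fresh random bytes
    lookalike = "https://web-example-login.test"  # constructed lookalike domain

    # Victim types the six digits into the lookalike page; the proxy replays them in time.
    typed_code = totp(totp_secret, now)
    totp_ok = verify_totp(totp_secret, typed_code, now)

    # Victim taps the passkey on the lookalike page. A real browser would refuse to use
    # RP_ID for a non-matching origin at all; even if it did not, the origin check rejects it.
    phished = make_assertion(cred_secret, challenge, lookalike, RP_ID)
    phished_ok, phished_why = verify_assertion(cred_secret, challenge, phished)

    # Same user, same passkey, on the genuine site.
    genuine = make_assertion(cred_secret, challenge, EXPECTED_ORIGIN, RP_ID)
    genuine_ok, _ = verify_assertion(cred_secret, challenge, genuine)

    return {"totp_relay_accepted": totp_ok,
            "passkey_relay_accepted": phished_ok,
            "passkey_relay_reason": phished_why,
            "passkey_genuine_accepted": genuine_ok}


if __name__ == "__main__":
    for key, value in relay_scenario().items():
        print(f"{key}: {value}")
```

The point of `verify_totp` is what it lacks: there is no origin parameter to check, so a code relayed within the same 30-second window is indistinguishable from one typed on the genuine site. In `verify_assertion` the origin and rpIdHash checks come before the signature check, which is why a lookalike page fails even with a perfectly valid signature from the real authenticator.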
The Verizon 2024 Data Breach Investigations Report found that phishing was the initial access vector in 15 percent of all breaches analyzed, with credential theft the dominant outcome. Against nation-state-adjacent operators like NSO's government clients, that figure likely understates actual exposure for high-value targets.
Who Is Actually at Risk
NSO's known customer base has historically targeted a specific population: journalists, political dissidents, opposition figures, lawyers representing sensitive clients, NGO workers, and senior executives at organizations governments want to monitor. If you work with or support any of those groups, the threat model applies to people around you even if it doesn't apply directly to you.
Practical steps for high-risk users are well-established. Apple's Lockdown Mode, introduced in iOS 16, reduces the attack surface on iPhone by disabling link previews, blocking most message attachment types, and limiting certain network connections. Android offers equivalent hardened profiles through enterprise device management policies. Pair either configuration with hardware-backed passkeys on every account that matters.
Treat unsolicited WhatsApp messages from unknown contacts with the same skepticism you would apply to an unexpected email from a stranger. The delivery channel changed. The social engineering didn't.
What the Control Failure Actually Was
This incident illustrates two separate failures that security teams should examine independently.
The first is the limit of legal deterrence as a security control. A permanent injunction is a powerful legal instrument, but it is not a technical barrier. It does not prevent a foreign vendor from continuing to operate against targets outside U.S. jurisdiction, and it does not automatically alert defenders when that operation begins. Organizations protecting high-risk individuals cannot treat a court order as a substitute for endpoint hardening and authentication hygiene.
The second failure is the enduring effectiveness of human-targeted deception at the highest levels of offensive capability. Employees and high-profile individuals who understand how to recognize a malicious link before tapping it represent a genuine reduction in attack surface — not a complete defense, but a meaningful one. Organizations that train staff to scrutinize unexpected links, verify sender identity through a separate channel, and report suspicious messages before clicking create friction that slows even well-funded operators. Security-awareness training that uses realistic simulated phishing scenarios, not just annual compliance videos, measurably reduces click rates on exactly the type of lure NSO's operators deployed here. Train2Secure's simulation-based training programs are built around that evidence — you can review the methodology and standards behind the curriculum before committing to anything.
What Defenders Should Do Now
Five actions are worth prioritizing immediately for any organization that includes high-risk individuals in its user population:
- Audit authentication methods across all critical accounts. Replace SMS and TOTP with FIDO2 passkeys or hardware security keys wherever possible.
- Enable Lockdown Mode on iOS devices issued to journalists, executives, legal staff, and anyone else whose communications a government might want to monitor.
- Run phishing simulations that include mobile messaging vectors — most awareness programs still focus on email. WhatsApp, Signal, and SMS lures require separate training scenarios.
- Establish a clear reporting path for suspicious messages. Users who know where to send a suspicious link without fear of blame are more likely to report before they click.
- Inventory your high-risk user population explicitly. If your organization employs or supports people NSO's known clients have historically targeted, those users need a differentiated security profile, not just the standard employee baseline.
The court filing is pending. The underlying threat is not.
How This Attack Could Have Been Disrupted
- Deploy phishing-resistant FIDO2 passkeys or hardware security keys on every account used by high-risk staff — eliminate replayable credentials entirely.
- Run mobile-channel phishing simulations so users recognize WhatsApp and SMS lures with the same instinct they apply to suspicious email.
- Establish a no-blame reporting path for suspicious messages so users act before they click, not after.
Train2Secure delivers simulation-based security-awareness training built around exactly these attack vectors — [explore our approach](https://train2secure.com/free-trial) before your high-risk users become the next case study.
Frequently asked questions
What did NSO Group allegedly do after losing the Meta lawsuit?
Meta alleges NSO operators ran spear-phishing campaigns against WhatsApp users, sending malicious links designed to redirect targets to attacker-controlled pages — conduct Meta says violates the permanent injunction issued alongside the May 2025 jury verdict.
Would multi-factor authentication have protected targets from this attack?
Standard SMS or TOTP-based MFA would not reliably protect targets if an attacker is proxying the session in real time. Phishing-resistant authentication — FIDO2 hardware keys or passkeys — is the standard that actually defends against this attack class because the credential is cryptographically bound to the legitimate site origin.
Who is most at risk from NSO Group-style spear-phishing on WhatsApp?
NSO's documented customer base has historically targeted journalists, political dissidents, human-rights workers, lawyers handling sensitive matters, and senior executives. Anyone in those categories or who works closely with them should treat their threat model as elevated.
What is Apple Lockdown Mode and does it help against this type of attack?
Lockdown Mode, available since iOS 16, restricts link previews, blocks most message attachment types, and limits certain network connections to reduce the attack surface on high-risk devices. It is one of the most practical controls available for individuals who may be targeted by sophisticated mobile spyware operators.