< ciso brief />

All news with #account takeover tag

169 articles · page 2 of 9

Mailbox Rule Abuse in Microsoft 365: A Rising Threat

🔒 Security researchers report a rise in attackers abusing mailbox rules inside Microsoft 365 accounts to maintain post-compromise access, exfiltrate data and manipulate communications. Proofpoint's analysis found that roughly 10% of compromised accounts in Q4 2025 had malicious rules created within seconds of takeover. Rules are often given minimal or nonsensical names and configured to delete messages or move them to low-visibility folders so the activity goes unnoticed. Defensive steps include disabling external auto-forwarding, enforcing MFA, monitoring OAuth app grants, removing malicious rules promptly and revoking active sessions.

Protecting Privacy and Security in Smart Sex-Toy Apps

🔒 This article explains privacy and security risks associated with smart sex‑toy apps and companion services, focusing on realistic threats such as data collection, account compromise, and server-side access rather than rare remote device takeovers. It outlines practical mitigations — create anonymous accounts, avoid social logins, limit app permissions, use a strong unique password with two‑factor authentication, and keep software updated. The guidance emphasizes minimizing shared personal data and avoiding identifiable media to reduce risks like stalking, blackmail, and targeted profiling.

Microsoft: Payroll pirate attacks target Canadian staff

🔒 Microsoft says the financially motivated group Storm-2755 is stealing Canadian employees' salary payments by hijacking Microsoft 365 accounts with malicious sign-in pages and adversary-in-the-middle (AiTM) tactics that capture authentication tokens and session cookies. The attackers used malvertising and SEO poisoning to promote fake Microsoft 365 sign-in forms, allowing them to bypass MFA methods that are not phishing-resistant. Once inside, they create inbox rules to hide payroll-related messages and either social-engineer HR into changing direct-deposit details or update payroll platforms such as Workday directly using the stolen sessions.
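The rule patterns described in the Proofpoint and Storm-2755 items above (nonsensical names, delete or move-to-hidden-folder actions, rules that filter on payroll or HR mail, creation seconds after a sign-in from a new address) can be turned into a triage check over audit records. The script below is an added example, not code from either report: it assumes records shaped loosely like Unified Audit Log New-InboxRule/Set-InboxRule entries, and the audit records, sign-in events, tenant domain `corp.example` and indicator weights are all constructed for illustration.

```python
"""Triage Exchange Online inbox-rule audit events for the patterns above.

Added example, not code from the reports. Record shape loosely follows
Unified Audit Log New-InboxRule / Set-InboxRule entries; all records,
the tenant domain and the indicator weights are constructed assumptions.
"""
from datetime import datetime

INTERNAL_DOMAINS = {"corp.example"}          # assumption: the tenant's own mail domains
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items", "notes"}
BAIT_WORDS = {"payroll", "direct deposit", "invoice", "wire", "password",
              "mfa", "verification", "security", "phish", "hacked", "suspicious"}
NEW_IP_WINDOW_S = 300      # rule created this soon after a new-IP sign-in is suspicious
FLAG_THRESHOLD = 2         # indicator weights must sum to at least this to be reported

# Constructed sample audit records (not real telemetry).
SAMPLE_AUDIT = [
    {"CreationTime": "2025-11-03T09:14:02", "Operation": "New-InboxRule",
     "UserId": "j.doe@corp.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "payroll;direct deposit"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-11-03T09:15:40", "Operation": "New-InboxRule",
     "UserId": "j.doe@corp.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "a"},
                    {"Name": "FromAddressContainsWords", "Value": "hr@corp.example"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2025-11-03T11:02:10", "Operation": "New-InboxRule",
     "UserId": "a.smith@corp.example", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletter filing"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2025-11-03T12:30:00", "Operation": "Set-InboxRule",
     "UserId": "b.lee@corp.example", "ClientIP": "198.51.100.21",
     "Parameters": [{"Name": "Identity", "Value": "Forward finance"},
                    {"Name": "ForwardTo", "Value": "collector@mail.example.net"}]},
]
# Constructed sign-in events; NewIP marks a login from an address not seen for that user.
SAMPLE_SIGNINS = [
    {"Time": "2025-11-03T09:13:55", "UserId": "j.doe@corp.example", "ClientIP": "203.0.113.7", "NewIP": True},
    {"Time": "2025-11-03T10:58:00", "UserId": "a.smith@corp.example", "ClientIP": "198.51.100.20", "NewIP": False},
]


def rule_indicators(rec, signins=()):
    """Return (weight, reason) pairs for everything suspicious about one rule event."""
    p = {x["Name"]: x["Value"] for x in rec.get("Parameters", [])}
    hits = []
    name = p.get("Name") or p.get("Identity", "")
    if len(name.strip()) <= 2 or not any(c.isalnum() for c in name):
        hits.append((1, f"nonsensical rule name {name!r}"))
    if p.get("DeleteMessage") == "True":
        hits.append((2, "deletes matching mail"))
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        hits.append((2, f"moves mail to low-visibility folder {p['MoveToFolder']!r}"))
    if p.get("MarkAsRead") == "True":
        hits.append((1, "marks matching mail as read"))
    for action in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in filter(None, p.get(action, "").split(";")):
            if addr.split("@")[-1].lower() not in INTERNAL_DOMAINS:
                hits.append((3, f"{action} external address {addr}"))
    text = " ".join(p.get(k, "") for k in ("SubjectContainsWords", "BodyContainsWords",
                                           "SubjectOrBodyContainsWords")).lower()
    bait = sorted(w for w in BAIT_WORDS if w in text)
    if bait:
        hits.append((1, f"filters on bait words {bait}"))
    created = datetime.fromisoformat(rec["CreationTime"])
    for s in signins:  # correlate with a recent new-IP sign-in by the same user
        if s["UserId"] == rec["UserId"] and s.get("NewIP"):
            delta = (created - datetime.fromisoformat(s["Time"])).total_seconds()
            if 0 <= delta <= NEW_IP_WINDOW_S:
                hits.append((2, f"created {int(delta)}s after sign-in from new IP {s['ClientIP']}"))
    return hits


def triage(records, signins=()):
    """Map (user, time) of each rule event scoring >= FLAG_THRESHOLD to its reasons."""
    flagged = {}
    for rec in records:
        hits = rule_indicators(rec, signins)
        if sum(w for w, _ in hits) >= FLAG_THRESHOLD:
            flagged[(rec["UserId"], rec["CreationTime"])] = [r for _, r in hits]
    return flagged


if __name__ == "__main__":
    for (user, when), reasons in triage(SAMPLE_AUDIT, SAMPLE_SIGNINS).items():
        print(f"{when} {user}: " + "; ".join(reasons))
```

The weights are deliberately low-tech: a single weak signal such as MarkAsRead does not report on its own, while an external forward or a delete action does, and the new-IP correlation is what separates an attacker's rule created seconds after takeover from a user tidying their inbox at a normal hour.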

VENOM PhaaS Phishing Targets C-Suite Microsoft Logins

🔒 Abnormal researchers disclosed a targeted phishing-as-a-service kit called VENOM that has been active since at least last November and focuses on stealing C-suite Microsoft credentials. The campaign uses personalized SharePoint-style emails, injected fake reply threads, and QR codes rendered from Unicode block characters rather than images to move victims onto mobile landing pages while evading email scanners. VENOM hides the target address in the URL fragment, Base64-encoded twice, and filters out researchers before presenting an AiTM proxy or a device-code flow that captures passwords, MFA codes and session tokens. Researchers recommend FIDO2 authenticators, disabling unused device-code flows, and tighter Conditional Access to mitigate token abuse.
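When triaging a lure like the one above, the first thing an analyst wants is the victim address buried in the fragment. The decoder below is an added example, not code from Abnormal's report: it assumes the fragment carries the address Base64-encoded twice, as described for VENOM, and peels layers until an email address appears, so single or triple encoding, URL-safe alphabets and stripped padding are handled too. The sample URL, the `target=` key form and the four-layer limit are constructed assumptions.

```python
"""Recover the target address hidden in a phishing URL fragment.

Added example, not from the Abnormal report. Assumes the fragment carries
the address Base64-encoded twice (as described for VENOM) and peels layers
until an email address appears. Sample URLs are constructed.
"""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
KEY_VALUE_RE = re.compile(r"^\w+=([^=].*)$")   # assumption: some lures use "#key=<payload>"
MAX_LAYERS = 4                                  # assumption: give up beyond this many layers


def _b64decode_lenient(text):
    """Decode standard or URL-safe Base64 with missing padding; None if it is not Base64."""
    s = text.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_target(fragment):
    """Return (address, layers_removed), or (None, layers_tried) if nothing decodes."""
    current = unquote(fragment)
    m = KEY_VALUE_RE.match(current)
    if m:
        current = m.group(1)
    for layer in range(MAX_LAYERS + 1):
        if EMAIL_RE.match(current):
            return current, layer
        raw = _b64decode_lenient(current)
        if raw is None:
            return None, layer
        try:
            current = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None, layer
    return None, MAX_LAYERS


def target_from_url(url):
    """Address hidden in the URL's fragment, or None."""
    fragment = urlsplit(url).fragment
    return peel_target(fragment)[0] if fragment else None


def layer_encode(address, layers=2):
    """Build a fragment the way the campaign is described to: Base64 applied `layers` times."""
    data = address.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()


# Constructed sample: a SharePoint-style lure with the target double-encoded in the fragment.
SAMPLE_URL = "https://files-review.example.net/shared/doc#" + layer_encode("ceo@victim.example")

if __name__ == "__main__":
    print(target_from_url(SAMPLE_URL))   # ceo@victim.example
```

Because the address lives in the fragment, it never reaches the phishing server in the HTTP request; the landing page reads it with client-side script, which is also why URL scanners that only fetch the page see nothing target-specific. Recovering it offline lets you notify the intended victim before they click.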

When Attackers Already Have the Keys — MFA is Not Enough

🔒 The Figure breach exposed 967,200 email records without a single exploit, creating a large inventory adversaries can immediately weaponize for credential stuffing, AI-driven phishing, and help-desk social engineering. The article argues these exposures are operational inputs, not static data, and that common MFA methods — push notifications, SMS, and TOTP — are vulnerable to real-time relay (AiTM) attacks and MFA fatigue. Fixing the problem is architectural, not purely educational: effective defence requires cryptographic origin binding, hardware-bound private keys, and live biometric verification simultaneously.

Middle East Hack-for-Hire Campaign Linked to Bitter APT

🔒 A spear-phishing campaign targeting Middle Eastern civil society and journalists has been linked to the South Asian threat actor Bitter, according to Access Now and mobile-security firm Lookout. Active from 2023 through 2025, the operation used Android spyware tracked as ProSpy and deceptive staging sites to deliver malicious APKs and harvest credentials. Attackers attempted Apple and Google account takeovers and could exfiltrate files, messages, contacts, geolocation and remotely enable microphones and cameras.

Engineer Pleads Guilty to Extortion, Locks Windows Servers

🔒 A former core infrastructure engineer pleaded guilty after remotely accessing his employer's network and scheduling tasks that deleted domain administrator accounts and changed hundreds of passwords. Prosecutors say Daniel Rhyne targeted an industrial company in Somerset County, New Jersey, altering passwords to TheFr0zenCrew! and scheduling shutdowns that affected 254 servers and 3,284 workstations. He emailed coworkers demanding 20 BTC (roughly $750,000) and threatened to shut down 40 servers daily; investigators found web searches and a hidden VM used to plan the extortion. Rhyne was arrested in August and faces charges carrying up to 15 years in prison.

Drift loses $280M after attacker seizes Security Council

🔒 The Drift Protocol lost approximately $280 million after an attacker obtained administrative control of its Security Council by leveraging durable nonce accounts and pre-signed transactions to delay execution and strike at a chosen time. Drift stresses that no programs or smart contracts were exploited and no seed phrases were compromised. Protocol functions are largely frozen while the team coordinates with security firms, exchanges, and law enforcement.

Legitimate Access Drives Modern Intrusions, Report Says

🔐 Blackpoint Cyber's 2026 Annual Threat Report finds that routine, legitimate access paths — not software exploits — increasingly enable intrusions. Across thousands of 2025 investigations, SSL VPN abuse (32.8%) and misuse of legitimate RMM tools (30.3%) were dominant initial access vectors, with ScreenConnect implicated in most rogue RMM cases. Social-engineering campaigns such as fake CAPTCHA and ClickFix-style prompts drove 57.5% of incidents, while Adversary-in-the-Middle phishing facilitated session reuse after MFA in about 16% of cloud compromises. The report urges treating remote access as high-risk and strengthening inventories, installation controls, and conditional access to reduce these blended, legitimate-looking intrusions.

Iran-Linked Hackers Breach FBI Director's Email Inbox

⚠️ The FBI confirmed that Iran-linked hackers accessed the personal email account of FBI Director Kash Patel and published private photos and what appears to be his CV. The pro-Iranian hacktivist group Handala posted a selection of personal and work correspondence, with reporters verifying some items from Patel's Gmail account. The FBI said no classified or government systems were compromised and has taken steps to mitigate risks; strong, unique passwords and multi-factor authentication are advised.

FBI Confirms Hack of Director Kash Patel's Email Inbox

📧 The FBI confirmed that the Iran-linked Handala group breached the personal Gmail account of Director Kash Patel and published watermarked photos, documents, and email correspondence. The bureau said the material appears historical, is not recent, and does not include government information. The FBI added it has taken precautions to mitigate potential fallout. Handala claimed the attack was retaliation after domain seizures and a $10 million reward.

Iran-linked Handala Hackers Leak FBI Director's Emails

🔒 Threat actors linked to Iran's MOIS claimed they breached the personal email account of FBI Director Kash Patel and published a cache of photos and historical emails. The FBI confirmed Patel's emails were targeted, said necessary mitigations were enacted, and characterized the released material as historical and not government information. Security firms attribute the campaign to the Handala Hack persona, which relies on compromised VPN accounts, RDP lateral movement, and destructive wipers, prompting Microsoft and CISA guidance to harden Intune and enforce phishing‑resistant MFA.

Phishing Campaign Targets TikTok for Business Accounts

🔒 Threat actors are targeting TikTok for Business accounts with Cloudflare-hosted phishing pages that evade bot detection by using Google Storage redirects and a Cloudflare Turnstile check. Victims first see fake forms that request business-email validation and are then shown a reverse-proxy login page that captures credentials and session cookies, allowing account takeover even with 2FA enabled. Push Security links the activity to a campaign that previously targeted Google Ad Manager and notes multiple NiceNIC-registered domains hosted in the same Google Storage bucket. Users should verify domains, treat unsolicited invites cautiously, and prefer passkeys for high-value accounts.

Inside Modern Fraud: Bot Signups to Account Takeovers

🛡️ Modern fraud attacks function like a relay race: adversaries use bots, leaked credentials, and residential proxies to create large numbers of plausible accounts, then pivot to slower, human-driven sessions for logins and cash-out. Point-in-time, single-signal checks (IP, email, device) generate false positives and miss adaptive, multi-stage chains. The piece argues for correlating IP, identity, device, and behavioral signals into a unified risk model to reduce friction for legitimate users while stopping coordinated abuse.

Cloud Phones Fuel Rising Financial Fraud and Detection Gaps

📱 A new Group-IB report highlights how remote-access cloud phones — real Android devices hosted in data centres and accessed over the internet — have evolved from social-media automation into infrastructure for financial crime. Fraudsters use these devices to create and manage dropper accounts, often bypassing conventional device-based controls. Because instances present realistic hardware identifiers and sensor data, traditional fingerprinting often fails, prompting recommendations for multi-layered detection that combines device, network intelligence and behavioral analytics.

Hackers Exploit Identity Systems at Industrial Scale

🔐 The SentinelOne Annual Threat Report for 2026 warns that attackers are executing identity-based compromises at industrial scale, abusing legitimate enterprise accounts and identity systems. These intrusions often bypass or subvert MFA — including through readily available MFA-bypass kits and coercive push attacks — leaving traditional defenses blind. The report also highlights fake-persona recruitment campaigns, including deepfake-enabled interviews, and warns of administrative account takeovers that can disable MFA organization-wide.

Device Code Phishing Targets 340 Microsoft Orgs Globally

🔐 Huntress is tracking an active device code phishing campaign targeting Microsoft 365 identities at over 340 organizations across the US, Canada, Australia, New Zealand, and Germany. The attackers use Cloudflare Workers redirects and Railway.com-hosted infrastructure to harvest OAuth access and refresh tokens that remain valid after password resets. Sectors hit include construction, non-profits, real estate, manufacturing, finance, healthcare, legal and government.

Crunchyroll Investigates Breach Affecting 6.8M Users

🔒 Crunchyroll is investigating claims that attackers stole personal data for roughly 6.8 million users after compromising a support agent's Okta SSO credentials. The actor says they accessed multiple applications, including Zendesk, Slack and Google Workspace, and downloaded about 8 million support tickets containing names, emails, IP addresses, locations and ticket contents. Payment details were reportedly present only where customers had shared them in tickets themselves. The attacker demanded $5 million in extortion but, by their own account, received no response.

Behavioral XDR, Threat Intel Nab North Korean Fake Hire

🔎 Behavioral analytics and threat intelligence together identified a suspected North Korea-linked fake IT worker within 10 days of hire. LevelBlue SpiderLabs and Cybereason XDR flagged geolocation anomalies, access from an unmanaged device, and use of Astrill VPN, triggering a high-severity alert and prompt revocation of the account. Organizations should enforce Entra ID Conditional Access, manage endpoints, and maintain software baselines to detect such insider threats.

FBI: Russian-Linked Phishing Targets Signal, WhatsApp

🔒 U.S. agencies warn that threat actors aligned with Russian intelligence are conducting targeted social-engineering phishing campaigns to compromise commercial messaging apps such as Signal and WhatsApp. The attacks have led to unauthorized access to thousands of accounts and involve impersonation of support personnel to request SMS codes, verification PINs, or to deliver malicious QR links. Victims who provide codes can lose account control, while those who scan attacker-controlled QR codes may have past and future messages exposed. Authorities advise never sharing verification codes and regularly reviewing linked devices in app settings.