< ciso
brief />
Tag Banner

All news with #business email compromise tag

118 articles

Helix vishing group targets SharePoint data theft

πŸ”’ A new extortion group dubbed Helix uses vishing, device-code phishing, and MFA abuse to access and exfiltrate files from SharePoint environments. Operators impersonate managers via phone calls and spoofed caller IDs to trick employees into granting access, then register authenticators for persistence and bulk-download content. ReliaQuest links Helix tactics and infrastructure to prior groups like ShinyHunters and BlackFile, and recommends disabling device-code authentication and restricting SharePoint to managed devices.
read more β†’

Global Operation First Light 2026 Targets Cybercrime

πŸ›‘οΈ A global anti-fraud operation, Operation First Light 2026, ran from January 15 to April 30, 2026, coordinated by Interpol with support from regional partners and funding from China’s Ministry of Public Security. The crackdown targeted social engineering scams such as romance fraud and BEC, leading to over 5,800 arrests, identification of 15,606 suspects and interception of $293m in illicit assets. Actions included raids, freezing 31,014 bank accounts, seizing devices and using Interpol’s I-GRIP stop-payment mechanism.
read more β†’

INTERPOL-led Operation First Light nets global arrests

πŸ•΅οΈ Law enforcement agencies coordinated Operation First Light 2026 across 97 countries, arresting 5,811 suspects and seizing $293 million in illicit assets. The operation targeted social engineering fraud β€” including BEC, sextortion, impersonation, romance, and investment scams β€” and associated money laundering between January 15 and April 30. Authorities identified over 142,000 victims, blocked 31,014 bank accounts, and analyzed 152,808 cases while additional suspects were identified. INTERPOL coordinated the effort with regional policing bodies and funding support from China's Ministry of Public Security.
read more β†’

Vishing campaign abuses Entra passkey enrollment

πŸ”” A threat actor is using voice-based fake security calls to trick Microsoft 365 users into enrolling a malicious Entra passkey. The attacker directs victims to realistic phishing pages that mimic the Microsoft enrollment flow and uses an operator-controlled PHP kit to capture credentials and MFA responses in real time. Okta attributes the campaign to O-UNC-066, linked to the extortion group Pink, which targets multiple industries and quickly exfiltrates data after account takeover.
read more β†’

Phishing job interview scam targets Google accounts

πŸ“§ A phishing campaign impersonates over 30 major brands to lure marketing professionals with fake job interview invites and steal Google credentials. The attackers abuse legitimate platforms like PeopleForce and an ExactTarget/Salesforce Marketing Cloud-linked domain, chaining redirects through services such as Wise Agent to reach malicious landing pages. The campaign uses real recruiter names and browser-in-the-browser popups to harvest sign-in data.
read more β†’

ARToken PhaaS reveals EvilTokens Microsoft 365 toolkit

πŸ›‘οΈ Cisco Talos uncovered a React-based ARToken management panel exposing 80+ API endpoints and client-side code that reveals expanded phishing capabilities. The platform, tied to the EvilTokens ecosystem, automates Microsoft 365 account compromise by stealing authentication tokens, obtaining persistent Primary Refresh Tokens (PRTs), and accessing Outlook, SharePoint, and OneDrive. ARToken deploys Cloudflare Workers, supports multi-tenant affiliate operations, and includes tools for BEC automation and mailbox monitoring.
read more β†’

Lessons from underground: combating BEC threats

πŸ“£ Flare researchers examined underground forum discussions and tools used to orchestrate Business Email Compromise (BEC) campaigns, finding that attacks extend beyond email to include remote access, cash-out networks, and call centers. Actors target finance and leadership SaaS accounts, increasingly using AI to craft realistic messages and scale operations. Defenders should monitor exposed credentials, enforce MFA, train high-risk staff, and treat multi-channel contacts cautiously.
read more β†’

Fraudulent OpenAI organization invites target security firms

πŸ”” Push Security discovered a campaign where attackers create fraudulent OpenAI tenants impersonating real companies and send legitimate-looking invites to employees. The invites originate from OpenAI notification addresses, pass authentication checks, and assign recipients Owner privileges within the fake organization. Attackers used Gmail accounts to pose as company executives and even attached a billing card to the tenant, likely to reduce suspicion. Push Security warns employees could be tricked into submitting sensitive data into the workspace and advises verification and monitoring of SaaS memberships.
read more β†’

Webinar: Automating email security with behavioral AI

πŸ“’ On July 8, 2026, BleepingComputer will present a live webinar titled "Stop chasing alerts: Automating email security with behavioral AI" featuring speakers from Abnormal AI and Novant Health. The session will examine why phishing, BEC, and ATO attacks still generate overwhelming alerts and how behavioral AI can automate detection, investigation, and remediation. Attendees will learn practical techniques to reduce manual workloads, prioritize high-risk incidents, and improve response times across email security operations.
read more β†’

Cybercrime Escalates Across Asia-Pacific Amid Digitization

πŸ›‘οΈInterpol warns that cybercrime now accounts for 30% of crime in over half of Asia and South Pacific nations, driven by rapid digital adoption. The 2025/2026 Asia and South Pacific Cyberthreat Assessment, covering 18 countries, highlights online scams, infostealers, ransomware, deepfakes and BEC as primary threats. The report notes sharp rises in ransomware, DDoS and deepfake activity, and calls for improved cross-border collaboration and capacity building.
read more β†’

FTC: Record $3.5B Lost to Imposter Scams in 2025

πŸ“° The FTC reports Americans lost $3.5 billion to imposter scams in 2025, with these schemes comprising nearly one in three fraud reports. Scammers used texts, calls, emails, social media, and search results, with social platforms driving over $2.1 billion in losses. Business and government impersonators caused the largest harms, and the FTC has pursued enforcement under its Impersonation Rule to seek redress.
read more β†’

Attackers Exfiltrate Exchange Executive Mailbox

πŸ“§ Symantec and Carbon Black disclosed that unknown attackers maintained quiet access to a senior executive's Outlook mailbox at a major global stock exchange for at least five months, repeatedly copying messages and routing them through Dropbox and OneDrive to blend with normal cloud activity. The intruders used a mailbox stealer built on Aspose, ran binaries impersonating legitimate updaters and OneDrive, and staged additional backdoors before access likely ended in March 2026. Indicators point to espionage-focused credential theft and tunneling tooling rather than a financially motivated campaign.
read more β†’

Chinese PhaaS Grow More Sophisticated, Live Theft

πŸ›‘οΈ Google researchers report a rapid rise in Chinese phishing-as-a-service (PhaaS) operations that have shifted from static password harvesting to real-time credential interception and tokenization. These services use encrypted messaging protocols like RCS and iMessage to deliver convincing lures and employ live admin panels to capture OTPs and bypass MFA. Platforms also monetize stolen payment details via digital wallet provisioning and increasingly leverage AI to generate unique phishing pages and evade detection.
read more β†’

Cyber-enabled Cargo Crime Mirrors Ransomware Tradecraft

πŸ”’ Cybercriminals are applying the ransomware playbook to steal freight, using phishing and compromised email accounts to alter shipments, register fraudulent carriers, and redirect loads to criminal warehouses. These tactics affect high-value and perishable goods and frequently go unreported, amplifying losses for small and midsized fleets. NMFTA highlights controls and resources and invites practitioners to the 2026 cybersecurity conference.
read more β†’

MSPs Must Rethink Security and Recovery for Resilience

πŸ”’ Tomorrow at 2:00 PM ET, BleepingComputer will host a live webinar titled "From phishing to fallout: Why MSPs must rethink both security and recovery," with Austin O'Saben and Adam Marget of Kaseya. The session explains why prevention alone is insufficient as AI-driven phishing, ransomware, SaaS abuse and BEC evolve faster than many defenses. It will show how attackers exploit trusted infrastructure and why organizations must combine security, backups and rapid recovery. Attendees will learn practical steps to reduce downtime and disruption.
read more β†’

Sri Lanka Detains 37 Suspects in Overseas Romance Scam

πŸ” Sri Lankan police arrested 37 people, all Chinese nationals, on 2 May after raiding a property in Talangama, a Colombo suburb, following a tip-off. Officers seized 35 tablets, 147 mobile phones and 100 SIM cards and say several occupants were working illegally or overstaying visas. Authorities suspect romance-baiting operations that groom victims online and funnel them into fake cryptocurrency investment platforms. The arrests follow earlier large detentions and deportations tied to similar scam centres.
read more β†’

TCLBanker Trojan Self-Spreads via WhatsApp and Outlook

⚠️ A new banking trojan named TCLBanker is being distributed via a trojanized MSI installer for Logitech AI Prompt Builder and targets 59 banking, fintech, and cryptocurrency platforms, with initial activity observed mainly in Brazil. Researchers at Elastic Security Labs report the malware uses DLL side-loading and strong anti-analysis defenses, runs persistent watchdogs to detect debuggers, and monitors the browser address bar to trigger theft routines. It provides remote-control capabilities (live streaming, screenshots, keylogging, clipboard theft, and shell execution) and uses WPF overlays to capture credentials. Uniquely, TCLBanker includes worm modules that hijack WhatsApp Web sessions and abuse Microsoft Outlook to self-propagate to contacts, increasing the risk of rapid spread.
read more β†’

Webinar: Why MSPs Must Rethink Security and Recovery

πŸ”’ On May 14, 2026 at 2:00 PM ET, BleepingComputer will host a live webinar titled From phishing to fallout: Why MSPs must rethink both security and recovery with Austin O'Saben and Adam Marget of Kaseya. The session examines how AI-driven phishing, business email compromise, ransomware, and SaaS compromise are reshaping the threat landscape for managed service providers. Attendees will learn why prevention and recovery must operate together and how SaaS backups and a formal BCDR plan can reduce downtime and data loss.
read more β†’

MuddyWater Employs Microsoft Teams for Targeted Intrusion

πŸ” Rapid7 attributes a deception-driven intrusion to the Iranian-affiliated actor MuddyWater, which used Microsoft Teams social engineering to harvest credentials and manipulate MFA via live screen-sharing. Once inside, operators leveraged compromised accounts, remote-access tools like DWAgent and AnyDesk, and a trojanized WebView2 binary to maintain persistence and exfiltrate data rather than encrypt files. The campaign appears to have intentionally mimicked RaaS artefacts β€” including Chaos-related extortion indicators and a signed loader β€” to obscure state-backed motives and slow incident response.
read more β†’

Human-centric Failures: Why BEC Survives Despite MFA

πŸ”’ Multi-factor authentication reduces credential risk but does not stop many business email compromise (BEC) attacks, because adversaries target human decision points and process gaps rather than accounts. High-profile cases β€” Toyota Boshoku (2019, β‰ˆ$30M) and Arup (2024, β‰ˆ$25M) β€” show attackers using cloned messages and deepfakes without stealing credentials. Organizations should redesign approval workflows, require out-of-band verification for high-risk requests, run realistic BEC simulations, embed micro-learning, introduce purposeful friction and assign clear ownership of payment verification to close operational blind spots.
read more β†’