
All news with #business email compromise tag

105 articles · page 3 of 6

Identities in Focus as Cybercriminals Shift Tactics Worldwide

🔐 The State of Incident Response Report 2026 from Eye Security finds cybercriminals increasingly exploiting legitimate credentials rather than breaking systems. Identity-based attacks now dominate, with 97% of incidents involving passwords and Business Email Compromise making up over 70% of cases. Ransomware remains a major threat as RaaS and access-broker marketplaces lower barriers. Analysis of 630 European incidents (2023–2025) shows many breaches begin with phishing, misconfigured internet-facing systems, or social engineering, and can go undetected for weeks.

Microsoft Flags Multi-Stage AitM Phishing in Energy Sector

🔒 Microsoft warns of a multi-stage adversary-in-the-middle (AitM) phishing and BEC campaign targeting the energy sector. The attackers abused SharePoint file-sharing and legitimate trusted addresses (a living-off-trusted-sites, LOTS, technique) to deliver credential-harvesting links, then used stolen session cookies and inbox rules to persist and hide activity. Microsoft says simple password resets are insufficient; organizations must revoke sessions, remove malicious rules, and enforce phishing-resistant controls.

Attackers Exploit Microsoft Teams to Phish Users Worldwide

📧 Attackers abused Microsoft Teams functionality to distribute phishing content that appears to come from legitimate services. They created guest invitations and finance-themed team names that mimic billing and subscription notices, prompting recipients to contact a fraudulent support phone number. The campaign sent 12,866 phishing messages (about 990 per day) and targeted 6,135 users. Recipients were encouraged to call attackers posing as support to resolve fake payment issues.

UK Executives Warn They May Not Survive Cyber Attacks

🔒 Vodafone Business polled 1,000 senior UK leaders and found 89% are more alert to cyber threats after high-profile breaches, yet 10% said their organisations would likely not survive a similar incident. The survey highlights poor preparedness — only 45% confirmed basic cyber-awareness training and staff commonly reuse passwords across personal accounts. Leaders also warned that AI-enabled deepfakes complicate detection and response. Policymakers and telcos have introduced a second Fraud Sector Charter to harden networks, verify SMS sender IDs, enable traceback for suspicious calls and improve threat sharing and victim support.

Resurgence of AiTM and BEC campaign abusing SharePoint

🔒 Microsoft Defender researchers uncovered a multi‑stage AiTM phishing and BEC campaign that abused SharePoint file‑sharing to deliver credential‑harvesting traps and maintain persistence by creating malicious inbox rules. Attackers used trusted vendor‑style lures and legitimate SharePoint redirects to capture session cookies or credentials, then expanded the campaign across energy sector organizations by sending more than 600 phishing messages from compromised accounts. Defender XDR and Office 365 detections exposed session cookie theft, replay attempts, and malicious inbox rules — remediation requires revoking session cookies, deleting attacker‑created inbox rules, and restoring MFA controls in addition to password resets.

Phishing, Spoofed Sites Top Cyber Risks for Milano 2026

🔒 Palo Alto Networks' assessment identifies phishing and spoofed websites as the primary initial access vectors for the Milano-Cortina 2026 Winter Games. Researchers highlight business email compromise (BEC) as central to these campaigns, noting 76% of observed phishing relied on BEC to exploit trust among staff, partners and suppliers. The report warns that ransomware groups, nation-state actors and hacktivists will target ticketing, payment systems and APIs, and it advises basic vigilance, supplier vetting and reputable purchasing to reduce consumer risk.

LinkedIn: Why Threat Actors Target Professionals Now

🔒 LinkedIn's vast professional network provides abundant intelligence that threat actors exploit to support spear-phishing, business email compromise and direct recruitment efforts. Profiles and connections help attackers craft highly credible lures, while messages sent within the platform can bypass corporate email controls. To reduce risk, users should limit public detail, enable MFA, maintain patched devices and complete targeted security awareness training focused on fake profiles and malicious DMs.

Microsoft Disrupts RedVDS, Takedown of Fraud RDP Service

🛡️ Microsoft said it executed coordinated legal action in the U.S. and U.K. to seize infrastructure and take RedVDS (redvds[.]com) offline after linking the service to large‑scale fraud. For as little as US $24 per month, the subscription offered disposable Windows RDP hosts and a Telegram management bot with no activity logs. Microsoft attributed roughly US $40 million in U.S. fraud since March 2025 and says RedVDS‑enabled attacks compromised over 191,000 organizations worldwide since September 2025.

Microsoft Seizes Servers, Disrupts RedVDS Cyberplatform

🔒 Microsoft says it disrupted RedVDS, a cybercrime-as-a-service platform tied to at least $40 million in U.S. losses since March 2025. The company filed civil lawsuits in the U.S. and U.K., and — working with Europol and German authorities — seized servers, took the marketplace and customer portal offline, and removed malicious infrastructure. RedVDS rented disposable Windows cloud servers worldwide to enable large-scale phishing, BEC, credential theft and AI‑enhanced impersonation campaigns.

Microsoft Disrupts RedVDS Cybercrime Subscription Service

🛡️ Microsoft announced on 14 January that it has seized the infrastructure and website of RedVDS, a subscription-based cybercrime platform that rented disposable virtual machines and AI tools to facilitate phishing, business email compromise (BEC) and fraud. The service, available from about $24/month, has been linked to more than $40 million in losses in the US and nearly 190,000 victimised organisations worldwide. Legal partners in the US and the UK, with international law enforcement support, coordinated the takedown.

Phishing Campaign Uses Fake PayPal Alerts, Abuses RMM

📧 CyberProof documented a wave of phishing-led intrusions where attackers used fake PayPal alerts to trick victims into installing legitimate remote access software. The campaign targeted both personal and corporate accounts and represents a shift from seasonal lures to high-urgency financial themes. Attackers initially deployed LogMeIn Rescue then pivoted to AnyDesk to maintain access while avoiding EDR detection. Recommended mitigations include tighter phishing controls, restricting RMM ports and adopting a zero-trust posture.

Inside RedVDS: Virtual Desktop Abuse Fuels Global Fraud

📌 Microsoft Threat Intelligence exposed RedVDS, a criminal VDS marketplace that sold inexpensive, unlicensed Windows RDP servers enabling widespread BEC, mass phishing, account takeover, and financial fraud. The service repeatedly cloned a single Windows Server 2022 image (host name WIN-BUNS25TD77J), producing consistent fingerprints defenders could detect. RedVDS tenants deployed mass-mailer tools, harvesters, remote access utilities and AI writing assistants to craft and scale phishing campaigns. In coordination with law enforcement, Microsoft disrupted the infrastructure and published detection and mitigation guidance including Defender XDR telemetry and recommended email and identity controls.

Spain Arrests 34 Suspects Linked to Black Axe Cybercrime

🛡️ Spanish law enforcement arrested 34 individuals in a coordinated operation targeting a criminal network tied to the Black Axe syndicate, with assistance from the Bavarian State Criminal Police Office and Europol. Searches in Seville, Madrid, Malaga, and Barcelona yielded €66,400 in cash, electronic devices, vehicles, and frozen bank accounts totaling €119,350. Authorities say the group specialized in Man-in-the-Middle (MITM) frauds, notably Business Email Compromise, and caused more than $6 million in losses over 15 years, $3.5 million of which relate to this case. Four principal suspects are in pretrial detention and face charges including aggravated continuous fraud, money laundering, and document forgery.

Europol: 34 Arrested in Spain in Major Black Axe Operation

🚨 Europol and the Spanish National Police announced the arrest of 34 suspected members of the Black Axe transnational crime group across Seville, Madrid, Málaga and Barcelona. Authorities froze €119,352 in bank accounts and seized €66,403 in cash during coordinated searches, while estimating fraud losses exceeding €5.93 million linked to the network. Investigators describe Black Axe as a hierarchical syndicate involved in cyber-enabled fraud, trafficking, kidnapping and other violent crimes with origins in Nigeria.

Europol Leads Global Crackdown on Black Axe Gang Members

🛡️ Europol-backed Spanish and German police have arrested 34 suspects linked to the international cybercriminal group Black Axe, executing coordinated raids across Seville, Madrid, Málaga and Barcelona. Authorities froze €119,352 in bank accounts and seized €66,403 in cash while attributing nearly €6m in local fraud losses to the cell. Europol provided intelligence, analysis and on-site support to disrupt a core group that recruits money mules in high-unemployment areas and runs BEC, romance scam, phishing and extortion operations.

Misconfigured Email Routing Enables Internal Domain Phishing

🔒 Microsoft warns that threat actors are exploiting misconfigured email routing and lax spoof protections to send phishing messages that appear to originate from an organization’s own domain. The Microsoft Threat Intelligence team says the tactic surged since May 2025 and is commonly deployed via Tycoon 2FA phishing-as-a-service kits. Attacks aim to steal credentials, bypass MFA via AiTM techniques, and enable follow-on fraud or BEC, often using fake invoices, HR notices, or shared-document lures. Organizations should enforce DMARC reject and strict SPF policies, validate third-party connectors, and disable Direct Send if unnecessary.

Phishing Actors Exploit Complex Mail Routing and Spoofing

📧 Phishing actors are exploiting complex mail routing and misconfigured spoof protections to send messages that appear to originate internally, frequently using PhaaS platforms such as Tycoon2FA. Microsoft observed increased use of this vector since May 2025, including nested redirect chains and AiTM techniques to harvest credentials. Tenants with MX records pointed to Office 365 benefit from built-in protections; others must enforce strict SPF hard-fail, DKIM signing, and DMARC reject policies and correctly configure connectors to prevent these spoofing campaigns.

Cybercriminals Abuse Google Cloud to Send Phishing Emails

📧 Check Point disclosed a large-scale phishing campaign that abused Google Cloud Application Integration to send authentic-looking messages from noreply-application-integration@google[.]com, enabling attackers to bypass SPF and DMARC protections. The emails mimicked routine enterprise notifications to prompt clicks and redirected victims through Google Cloud storage to a fake CAPTCHA and a counterfeit Microsoft login page. Google has blocked the abuse and is implementing further mitigations.

LinkedIn Job Scams: Global Tactics and Local Impacts

🔎 This post summarizes a cross‑national pattern of LinkedIn job scams in which fake employers and recruiters extract money or credentials from prospective employees. Tactics vary by market: tech‑job baiting in India, referral‑style fraud in Kenya, fake formal roles in Mexico, and credential‑harvesting schemes in Nigeria. The author emphasizes these are employer‑side frauds and distinct from scams where attackers pose as employees to secure remote work.

Microsoft Teams to let admins block external users

🔒 Microsoft will let security administrators block external users from sending messages, placing calls, or inviting employees to meetings in Teams, managed directly through the Tenant Allow/Block List in the Microsoft Defender portal. The capability integrates with Defender for Office 365 and the Defender XDR web portal and applies across all Teams clients without altering existing domain blocks or federation settings. Organizations must enable two disabled Teams admin center settings to grant security teams permission to manage blocked domains and users.