< ciso
brief />
Tag Banner

All news with #business email compromise tag

118 articles · page 4 of 6

Microsoft Disrupts RedVDS, Takedown of Fraud RDP Service

🛡️Microsoft said it executed coordinated legal action in the U.S. and U.K. to seize infrastructure and take RedVDS (redvds[.]com) offline after linking the service to large‑scale fraud. For as little as US $24 per month, the subscription offered disposable Windows RDP hosts and a Telegram management bot with no activity logs. Microsoft attributed roughly US $40 million in U.S. fraud since March 2025 and says RedVDS‑enabled attacks compromised over 191,000 organizations worldwide since September 2025.
read more →

Microsoft Seizes Servers, Disrupts RedVDS Cyberplatform

🔒 Microsoft says it disrupted RedVDS, a cybercrime-as-a-service platform tied to at least $40 million in U.S. losses since March 2025. The company filed civil lawsuits in the U.S. and U.K., and — working with Europol and German authorities — seized servers, took the marketplace and customer portal offline, and removed malicious infrastructure. RedVDS rented disposable Windows cloud servers worldwide to enable large-scale phishing, BEC, credential theft and AI‑enhanced impersonation campaigns.
read more →

Microsoft Disrupts RedVDS Cybercrime Subscription Service

🛡️ Microsoft announced on 14 January that it has seized the infrastructure and website of RedVDS, a subscription-based cybercrime platform that rented disposable virtual machines and AI tools to facilitate phishing, business email compromise (BEC) and fraud. The service, available from about $24/month, has been linked to more than $40 million in losses in the US and nearly 190,000 victimised organisations worldwide. Legal partners in the US and the UK, with international law enforcement support, coordinated the takedown.
read more →

Phishing Campaign Uses Fake PayPal Alerts, Abuses RMM

📧 CyberProof documented a wave of phishing-led intrusions where attackers used fake PayPal alerts to trick victims into installing legitimate remote access software. The campaign targeted both personal and corporate accounts and represents a shift from seasonal lures to high-urgency financial themes. Attackers initially deployed LogMeIn Rescue then pivoted to AnyDesk to maintain access while avoiding EDR detection. Recommended mitigations include tighter phishing controls, restricting RMM ports and adopting a zero-trust posture.
read more →

Inside RedVDS: Virtual Desktop Abuse Fuels Global Fraud

📌 Microsoft Threat Intelligence exposed RedVDS, a criminal VDS marketplace that sold inexpensive, unlicensed Windows RDP servers enabling widespread BEC, mass phishing, account takeover, and financial fraud. The service repeatedly cloned a single Windows Server 2022 image (host name WIN-BUNS25TD77J), producing consistent fingerprints defenders could detect. RedVDS tenants deployed mass-mailer tools, harvesters, remote access utilities and AI writing assistants to craft and scale phishing campaigns. In coordination with law enforcement, Microsoft disrupted the infrastructure and published detection and mitigation guidance including Defender XDR telemetry and recommended email and identity controls.
read more →

Spain Arrests 34 Suspects Linked to Black Axe Cybercrime

🛡️ Spanish law enforcement arrested 34 individuals in a coordinated operation targeting a criminal network tied to the Black Axe syndicate, with assistance from the Bavarian State Criminal Police Office and Europol. Searches in Seville, Madrid, Malaga, and Barcelona yielded €66,400 in cash, electronic devices, vehicles, and frozen bank accounts totaling €119,350. Authorities say the group specialized in Man-in-the-Middle (MITM) frauds, notably Business Email Compromise, and caused more than $6 million in losses over 15 years, $3.5 million of which relate to this case. Four principal suspects are in pretrial detention and face charges including aggravated continuous fraud, money laundering, and document forgery.
read more →

Europol: 34 Arrested in Spain in Major Black Axe Operation

🚨 Europol and the Spanish National Police announced the arrest of 34 suspected members of the Black Axe transnational crime group across Seville, Madrid, Málaga and Barcelona. Authorities froze €119,352 in bank accounts and seized €66,403 in cash during coordinated searches, while estimating fraud losses exceeding €5.93 million linked to the network. Investigators describe Black Axe as a hierarchical syndicate involved in cyber-enabled fraud, trafficking, kidnapping and other violent crimes with origins in Nigeria.
read more →

Europol Leads Global Crackdown on Black Axe Gang Members

🛡️ Europol-backed Spanish and German police have arrested 34 suspects linked to the international cybercriminal group Black Axe, executing coordinated raids across Seville, Madrid, Málaga and Barcelona. Authorities froze €119,352 in bank accounts and seized €66,403 in cash while attributing nearly €6m in local fraud losses to the cell. Europol provided intelligence, analysis and on-site support to disrupt a core group that recruits money mules in high-unemployment areas and runs BEC, romance scam, phishing and extortion operations.
read more →

Misconfigured Email Routing Enables Internal Domain Phishing

🔒 Microsoft warns that threat actors are exploiting misconfigured email routing and lax spoof protections to send phishing messages that appear to originate from an organization’s own domain. The Microsoft Threat Intelligence team says the tactic surged since May 2025 and is commonly deployed via Tycoon 2FA phishing-as-a-service kits. Attacks aim to steal credentials, bypass MFA via AiTM techniques, and enable follow-on fraud or BEC, often using fake invoices, HR notices, or shared-document lures. Organizations should enforce DMARC reject and strict SPF policies, validate third-party connectors, and disable Direct Send if unnecessary.
read more →

Phishing Actors Exploit Complex Mail Routing and Spoofing

📧 Phishing actors are exploiting complex mail routing and misconfigured spoof protections to send messages that appear to originate internally, frequently using PhaaS platforms such as Tycoon2FA. Microsoft observed increased use of this vector since May 2025, including nested redirect chains and AiTM techniques to harvest credentials. Tenants with MX records pointed to Office 365 benefit from built-in protections; others must enforce strict SPF hard-fail, DKIM signing, and DMARC reject policies and correctly configure connectors to prevent these spoofing campaigns.
read more →

Cybercriminals Abuse Google Cloud to Send Phishing Emails

📧 Check Point disclosed a large-scale phishing campaign that abused Google Cloud Application Integration to send authentic-looking messages from noreply-application-integration@google[.]com, enabling attackers to bypass SPF and DMARC protections. The emails mimicked routine enterprise notifications to prompt clicks and redirected victims through Google Cloud storage to a fake CAPTCHA and a counterfeit Microsoft login page. Google has blocked the abuse and is implementing further mitigations.
read more →

LinkedIn Job Scams: Global Tactics and Local Impacts

🔎 This post summarizes a cross‑national pattern of LinkedIn job scams in which fake employers and recruiters extract money or credentials from prospective employees. Tactics vary by market: tech‑job baiting in India, referral‑style fraud in Kenya, fake formal roles in Mexico, and credential‑harvesting schemes in Nigeria. The author emphasizes these are employer‑side frauds and distinct from scams where attackers pose as employees to secure remote work.
read more →

Microsoft Teams to let admins block external users

🔒 Microsoft will let security administrators block external users from sending messages, placing calls, or inviting employees to meetings in Teams, managed directly through the Tenant Allow/Block List in the Microsoft Defender portal. The capability integrates with Defender for Office 365 and the Defender XDR web portal and applies across all Teams clients without altering existing domain blocks or federation settings. Organizations must enable two disabled Teams admin center settings to grant security teams permission to manage blocked domains and users.
read more →

SEC Charges Firms Over $14M AI-Themed Crypto Scam Alleged

⚖️ The U.S. Securities and Exchange Commission has filed charges alleging an elaborate cryptocurrency fraud that stole more than $14 million from retail investors. The complaint names trading platforms Morocoin Tech, Berge Blockchain, and Cirkor and investment clubs that lured victims with fake AI-generated investment tips on WhatsApp. Investors were steered into bogus Security Token Offerings and fake trading platforms that later froze accounts and demanded advance fees. The SEC is seeking injunctions, civil penalties, and repayment with prejudgment interest.
read more →

Interpol Operation Sentinel Disrupts Cybercrime in Africa

🔍 Interpol’s month-long Operation Sentinel targeted cybercriminal infrastructure across 19 African countries, producing 574 arrests, the decryption of six ransomware strains, and the takedown of roughly 6,000 malicious links. The sweep also uncovered a business email compromise (BEC) scheme that nearly cost a petroleum company $7.9 million and helped recover about $3 million. National law enforcement teams in Ghana, Benin and Cameroon executed targeted takedowns, recovered terabytes of data, and seized devices and servers with assistance from private cybersecurity organizations.
read more →

INTERPOL Nets 574 Arrests Across Africa, Ransomware Case

🛡️ INTERPOL coordinated Operation Sentinel between Oct. 27 and Nov. 27, 2025, recovering $3 million and prompting the arrest of 574 suspects across 19 African countries. The campaign targeted business email compromise, digital extortion and ransomware, taking down over 6,000 malicious links and decrypting six ransomware variants. Authorities disrupted fraud rings that stole more than $400,000 and seized devices and servers. Separately, a Ukrainian national pleaded guilty for his role as a Nefilim ransomware affiliate.
read more →

Interpol Operation Sentinel Leads to 574 Arrests in Africa

🔍 Operation Sentinel, coordinated by Interpol, resulted in 574 arrests across Africa during the month-long campaign from 27 October to 27 November. Authorities recovered $3m in alleged cybercrime proceeds, decrypted six ransomware variants and removed around 6,000 malicious links and domains. Key interventions included halting a $7.9m fraudulent wire transfer in Senegal and recovering 30TB of data encrypted in an attack on a Ghanaian financial institution. The operation involved national forces and industry partners such as Team Cymru and Trend Micro.
read more →

Scripted Sparrow Sends Millions of Targeted BEC Emails

📧 Fortra researchers have identified a global business email compromise (BEC) collective dubbed Scripted Sparrow that is sending an estimated 4–6 million highly tailored messages each month. The group poses as executive coaching and leadership consultancies, registering numerous domains and webmail addresses while sending spoofed reply chains with fake invoices and W‑9 forms to Accounts Payable teams. Fortra urges organisations to enforce strict payment approval protocols, verify requests via official channels and never trust embedded reply chains.
read more →

Nigeria Arrests RaccoonO365 Developer Behind PhaaS

🔒 Authorities in Nigeria arrested three alleged internet fraud suspects, including the principal developer of the RaccoonO365 phishing-as-a-service toolkit, following a joint investigation with Microsoft and the FBI. Investigators say the suspect operated a Telegram channel selling phishing links for cryptocurrency, hosted fraudulent Cloudflare portals, and used stolen or fraudulently obtained credentials to harvest Microsoft 365 logins. Laptops, mobile devices, and other evidence were seized during searches.
read more →

OAuth Device Code Phishing Surges, Targeting Microsoft 365

🔐 Proofpoint has observed a sharp increase in phishing campaigns that abuse Microsoft's OAuth device code authorization flow to gain access to Microsoft 365 accounts. Attackers use social engineering — QR codes, embedded buttons and hyperlinks — to trick users into entering device codes on Microsoft's legitimate verification page, which yields valid access tokens. Readily available tools such as SquarePhish2 and Graphish have lowered the bar for both state-aligned and financially motivated actors.
read more →