< ciso
brief />
Tag Banner

All news with #phishing tag

694 articles

Forg365 PhaaS Targets Microsoft 365 with AI

🛡️ Forg365 is a phishing-as-a-service platform that targets Microsoft 365 accounts by combining adversary-in-the-middle (AiTM) and device-code phishing with integrated AI-assisted lure generation. The service offers an admin dashboard for campaign management, OAuth and SMTP configuration, token handling, and a browser extension called ForgCookie for persistent cookie harvesting. Researchers at ZeroBEC found the operation uses legitimate delivery services like Amazon SES and SendGrid-hosted resources to blend malicious emails into normal traffic.
read more →

Phishing job interviews steal Google credentials

🔒 Security teams have uncovered a targeted phishing campaign impersonating over 30 major brands to lure candidates into fake job interviews and harvest Google account passwords. Attackers use realistic recruiter names, photos and PeopleForce-sent messages to appear legitimate, and links redirect through trusted domains to a calendar booking page that prompts a Google sign-in. The scheme leverages a browser-in-the-browser trick where a fake Google auth pop-up captures credentials, though password managers can often block autofill. The campaign has operated for months and highlights growing sophistication in recruitment scams amid workplace uncertainty.
read more →

Global Operation First Light 2026 Targets Cybercrime

🛡️ A global anti-fraud operation, Operation First Light 2026, ran from January 15 to April 30, 2026, coordinated by Interpol with support from regional partners and funding from China’s Ministry of Public Security. The crackdown targeted social engineering scams such as romance fraud and BEC, leading to over 5,800 arrests, identification of 15,606 suspects and interception of $293m in illicit assets. Actions included raids, freezing 31,014 bank accounts, seizing devices and using Interpol’s I-GRIP stop-payment mechanism.
read more →

INTERPOL-led Operation First Light nets global arrests

🕵️ Law enforcement agencies coordinated Operation First Light 2026 across 97 countries, arresting 5,811 suspects and seizing $293 million in illicit assets. The operation targeted social engineering fraud — including BEC, sextortion, impersonation, romance, and investment scams — and associated money laundering between January 15 and April 30. Authorities identified over 142,000 victims, blocked 31,014 bank accounts, and analyzed 152,808 cases while additional suspects were identified. INTERPOL coordinated the effort with regional policing bodies and funding support from China's Ministry of Public Security.
read more →

Dual‑RAT phishing targets India tax filers this season

🛡️ Researchers at Cyderes uncovered a phishing campaign impersonating the Indian Tax Department that delivers two remote access trojans via a multi-stage infection chain. Victims receive fake tax assessment emails that prompt them to download a seemingly legitimate ITR utility, which abuses signed Windows binaries to sideload malicious DLLs and perform in-memory execution and process injection. The campaign deploys a Gh0st RAT derivative and a .NET implant related to the QuasarRAT/AsyncRAT family, each communicating with separate C2 servers, providing redundant access even if one implant is blocked.
read more →

ESET H1 2026: Threats, AI, and Ransomware Trends

🔍 The first half of 2026 sees attackers adapting established techniques to new platforms and behaviours, with AI increasingly shaping operations. ESET analyzed nearly 900,000 AI skills and found tens of thousands suspicious and thousands malicious, while AI features began appearing inside malware such as the Android PromptSpy. Other trends include expanded click-based social engineering, surging QR-code phishing, and persistent ransomware activity using EDR killers.
read more →

Fake Microsoft Teams support call scam targets files

📢 Palo Alto Networks’ Unit 42 warns of a new campaign targeting Microsoft Teams users that begins with a survey email and a malicious PDF. If opened, victims soon receive a voice call claiming to be Microsoft Support; the fake agent requests permission to install a remote access tool and additionally deploys Ether RAT. The Trojan gives attackers full access to the compromised machine, enabling theft of sensitive information and files. Users should be cautious of unsolicited surveys and support calls.
read more →

RedWing malware: Android bank-fraud service rental

🛡️ RedWing is a commercially rented Android malware operation sold via Telegram that enables low-skill criminals to take over victims' phones and harvest banking credentials and one-time codes. Zimperium's zLabs links it to an earlier rent-a-malware family and says a Telegram bot builds custom malicious apps on demand. Infection begins with phishing to a fake app-store page that persuades users to sideload and authorize intrusive permissions like Accessibility and default SMS handling. Once installed, RedWing can present overlays, read SMS OTPs, forward calls, stream the screen, record input, and exfiltrate files and location.
read more →

Google sues scammers leveraging Gemini AI

🛡️ Google has filed suit against a group called Outsider Enterprise, accused of running phishing-as-a-service via Telegram using Gemini to create convincing fake sites. The operation reportedly offered nearly 300 scam templates impersonating Google, YouTube, and agencies like New York’s E‑ZPass. Google coordinated with carriers and used on‑device protections in Google Messages to block many malicious texts. The company hopes legal action and technical defenses will curb the campaign.
read more →

Universities targeted via Roundcube zero‑day chain

🛡️ A suspected China-aligned threat cluster exploited patched and unpatched Roundcube webmail flaws to target physics and engineering departments at U.S. and Canadian universities. The campaign, tracked as UNK_MassTraction and first seen in May 2026, used CVE-2024-42009 XSS to steal credentials and a follow-up RCE CVE-2025-49113 to drop web shells or deploy VShell. The payload, dubbed IceCube, siphons credentials, 2FA tokens and cookies, then attempts persistent access via SquareShell or VShell.
read more →

Phishing campaign abused Facebook verification claims

🔒 Cybercriminals abused Facebook Messenger chatbots to deliver phishing messages that appeared to come from legitimate Facebook Business accounts. The campaign, active from November 2025 until June 2026, coaxed victims to log in on fake pages and surrender credentials, MFA codes, contact details and images of government IDs. Meta disrupted the infrastructure after Huntress reported the activity, but business accounts remain attractive targets.
read more →

Phishing job interview scam targets Google accounts

📧 A phishing campaign impersonates over 30 major brands to lure marketing professionals with fake job interview invites and steal Google credentials. The attackers abuse legitimate platforms like PeopleForce and an ExactTarget/Salesforce Marketing Cloud-linked domain, chaining redirects through services such as Wise Agent to reach malicious landing pages. The campaign uses real recruiter names and browser-in-the-browser popups to harvest sign-in data.
read more →

Avalon modular malware framework and CrownX ransomware

🛡️ Cybersecurity researchers uncovered a modular malware framework dubbed Avalon that uses a multi-stage phishing chain to bypass traditional defenses and deploy a ransomware component called CrownX. The campaign begins with a spoofed legal-document email pointing victims to a password-protected Proton Drive archive containing an ISO image. Interaction with a malicious Windows Shortcut inside the mounted image triggers an MSBuild-led loader that disables ETW, fetches additional payloads, and ultimately launches Avalon. The framework includes credential harvesting, crypto-wallet theft, lateral movement, data exfiltration, recovery disruption, anti-forensics, and disk tampering capabilities.
read more →

Board Games Sharpen Cybersecurity Intuition

🎲 The Threat Source newsletter draws a connection between learning board games and developing cybersecurity skills, arguing that games sharpen pattern recognition, intuition, and adaptive thinking. The piece highlights how diverse games—from Ticket to Ride to Go—teach strategy, breaking habits, and embracing failure as a learning tool. It also summarizes Talos research on the ARToken phishing-as-a-service panel and recent threat trends affecting Microsoft 365, AI agents, and RMM vulnerabilities.
read more →

ConsentFix and ClickFix: Microsoft 365 hijacks

🔒 Modern phishing variants like ClickFix and the newer ConsentFix convert routine user actions into account takeover opportunities. Attackers trick victims into executing keyboard shortcuts or dragging callback links, which hands over OAuth tokens and session access to Microsoft 365 services without passwords or MFA bypass. The technique relies on familiar workflows and readily available tooling, with public sharing of blueprints lowering the barrier to entry.
read more →

Phishing campaign impersonates Interpol to spread ransomware

🛡️ Cybercriminals are impersonating Interpol in a phishing campaign aimed at small businesses across Europe, Asia, the Middle East and North America. The emails claim to be from the 'Cybercrime Investigation Unit' and urge recipients to open a password-protected Proton Drive file supposedly containing evidence. The file leads to an executable disguised as a video that deploys ransomware and instructs victims to contact attackers via Tox rather than listing a ransom.
read more →

Phantom squatting: AI-hallucinated domains abused

🛡️ Palo Alto Networks' Unit 42 warns attackers are registering AI-hallucinated domains and using them for phishing and malware distribution. The report shows models invent millions of links, many unregistered, and attackers are preemptively purchasing and cloning brand sites. Because new domains lack reputation data, they evade blocklists until damage is done. Unit 42 documents several real-world cases and offers mitigation steps for defenders and users.
read more →

Scammers Exploit Venezuela Earthquake Registrations

🧭Researchers uncovered 212 domains registered within five days of the Venezuela earthquake, many claiming to offer aid, donations, or rescue services. While some registrations may be legitimate, 93% hid registrant contact details and several solicit Bitcoin with no verifiable accountability. The pattern mirrors past disaster-driven scams; donors are advised to use known charity sites and avoid new or crypto-only donation pages.
read more →

Pre-positioned cyber threats around FIFA 2026 event

⚠️ Check Point Research found that cybercriminals pre-built and partially deployed fraud infrastructure targeting FIFA World Cup 2026 before the June 11 kickoff, focusing on financial services, transportation, hospitality, and gambling. Pre-tournament research highlighted weak DMARC enforcement among partners, a 60x surge in fake sportsbook apps concentrated on Google Play, and large volumes of lookalike travel and hotel domains created two months prior. Check Point's exposure, brand protection, and dark web monitoring capabilities flagged the activity and report rapid remediation metrics.
read more →

Attackers Use TON Blockchain to Target Hotels

🛡️ Trend Micro's TrendAI discovered a phishing campaign targeting Booking.com partner accommodations in Japan that uses guest complaint impersonations to trick staff into opening malicious attachments. The delivered malware, TONResolver, is hosted via a smart contract on the TON blockchain and acts as a remote access trojan, establishing persistent backdoor connectivity for follow-up intrusion. Attackers abused scheduling-tool notifications to bypass SPF/DKIM/DMARC protections and used Node.js obfuscation and LNK-based delivery to frustrate detection.
read more →