< ciso brief />

All news with #phishing tag

615 articles · page 10 of 31

Starkiller phishing suite proxies real sites to bypass MFA

🔒 Cybersecurity researchers disclosed Starkiller, a commercial phishing suite marketed by a group calling itself Jinkusu that proxies legitimate login pages to bypass multi-factor authentication. The platform launches a headless Chrome instance inside a Docker container and acts as an AitM reverse proxy, relaying keystrokes, form submissions and session tokens. Abnormal warns the toolkit centralizes deployment, URL masking and session monitoring to give low-skill criminals effective MFA-bypass capabilities at scale.

Microsoft Warns OAuth Redirect Abuse Targets Government Orgs

🔒 Microsoft warned on Mar 3, 2026 of phishing campaigns that leverage OAuth redirect URLs to bypass email and browser defenses and deliver malware to government and public-sector targets without directly stealing tokens. Attackers register malicious applications and manipulate identity providers like Entra ID and Google Workspace to craft redirect links sent in emails or embedded in PDFs. The delivery chain uses ZIP -> LNK-triggered PowerShell -> MSI -> DLL sideloading to execute in-memory payloads and contact external C2; some campaigns also used AitM kits such as EvilProxy. Microsoft removed identified malicious apps and recommends limiting consent, auditing app permissions, and removing unused or overprivileged applications.

LLMs Close the Invisible Phishing Detection Gap at Scale

🔍 Cloudflare integrated Large Language Models (LLMs) into its email security pipeline to surface previously invisible phishing behaviors and move from reactive to proactive defense. LLMs tag messages with granular categories such as Sales Outreach and PrizeNotification, providing high-fidelity, near-real-time signals for analysts. From those tags Cloudflare curated targeted corpora, extracted sentiment and intent features, and trained specialized classifiers that emit risk scores. Those scores are combined with reputation and link signals to enforce blocking or quarantine, reducing user-reported misses and accelerating updates.

Fake Google Security PWA Steals OTPs, Wallets, Proxies

🔒 A phishing campaign impersonating Google directs victims to a malicious PWA on google-prism[.]com that harvests contacts, clipboard contents, GPS data, and one-time passcodes. The PWA leverages a service worker, Periodic Background Sync, and the WebOTP API while checking an /api/heartbeat endpoint for commands. It can act as an HTTP proxy via a WebSocket relay and uses push notifications to prompt users to reopen the app so it can access data. An optional Android APK escalates access with dozens of permissions and persistence mechanisms.

OAuth Redirect Abuse Enables Phishing and Malware Delivery

🔒 Microsoft Defender researchers observed phishing campaigns that abused OAuth redirection mechanics to route victims from trusted identity domains to attacker-controlled hosts. Attackers used silent authorization requests (for example prompt=none and intentionally invalid scopes) and embedded target addresses in the state parameter to trigger error redirects that landed users on malicious pages or download hosts without yielding tokens. Microsoft flagged correlated activity across email, identity, and endpoints; Microsoft Entra disabled the identified applications, though related activity persists and requires continued monitoring.

UK NCSC Issues Warning on Iranian Cyberattack Risks

⚠️ The UK National Cyber Security Centre (NCSC) has issued an advisory warning British organisations of an elevated risk of Iranian cyberattacks amid the ongoing Middle East conflict. While the NCSC says there is not yet a significant change in the direct threat to the UK, state‑sponsored and Iran‑linked actors likely retain some capability despite Iran’s domestic Internet blackout. Organisations with operations or supply chains in the region are urged to follow guidance on DDoS, phishing, and ICS targeting, review external attack surfaces, and increase monitoring.

Meta Sues Advertisers Over Celeb-Bait and Cloaking Scams

🛡️ Meta said it is suing deceptive advertisers in Brazil, China, and Vietnam, suspending their payment methods, disabling related accounts, and blocking domains used in scams. The company also issued cease-and-desist letters to eight marketing consultants accused of offering ways to evade ad-policy enforcement, including fake 'un-ban' services and renting access to trusted accounts. Meta highlighted targeted celeb‑bait schemes and cloaking tactics, and said its protections now cover more than 500,000 celebrity and public-figure images.

Dohdoor DoH Backdoor Targeting Education and Healthcare

🚨 Cisco Talos reports an ongoing campaign by UAT-10027 using a new backdoor called Dohdoor since December 2025. Dohdoor leverages DNS-over-HTTPS (DoH) for stealthy command-and-control, downloads and executes payloads within legitimate Windows processes, and employs phishing, PowerShell abuse, and DLL sideloading. The campaign targets U.S. education and health care organizations with C2 infrastructure hidden behind reputable services.

Darktrace: 32M High-Confidence Phishing Emails in 2025

📧 Darktrace detected more than 32 million high-confidence phishing emails in 2025, signaling a major escalation in identity-driven attacks and automated campaigns. Over 8.2 million of those targeted VIPs, while 1.6 million originated from newly created domains and 1.2 million included malicious QR codes. The vendor reported 70% of phishing passed DMARC, 41% were spear-phishing and 38% used novel social-engineering techniques, highlighting attackers’ growing sophistication and emphasis on credential compromise.

Talos: Dohdoor DoH Backdoor Targets US Education, Healthcare

🛡️ Cisco Talos reports an active campaign, observed since December 2025, in which actor UAT-10027 deployed a previously undocumented backdoor called Dohdoor that uses DNS-over-HTTPS (DoH) for covert C2. The multi-stage chain leverages phishing-delivered PowerShell to fetch a batch dropper that sideloads a disguised DLL into legitimate Windows binaries and tunnels C2 through Cloudflare’s edge. Dohdoor decrypts and reflectively executes payloads in memory, unhooks ntdll to evade EDR, and was observed targeting U.S. education and healthcare organizations.

Android expands AI-powered scam protections to devices

🔒 Android is expanding its AI-driven Scam Detection protections for calls and messages, bringing on-device Gemini models to more Pixel and Samsung Galaxy devices. A real-world example describes a Pixel user who avoided a convincing bank scam after receiving a timely Scam Detection warning during the call. Google Messages protections now cover 20+ countries and multiple languages and have improved detection for sophisticated threats like job-offer and romance “pig butchering” scams. Processing occurs on-device, data aren’t stored or shared, and the feature is off by default and excluded for contacts.

Variations of ClickFix technique and evolving delivery

🔒 The Kaspersky Team outlines evolving variations of the ClickFix social‑engineering technique, where attackers trick users into executing malicious commands on their own machines. Recent campaigns abuse legitimate utilities such as mshta.exe, nslookup and the legacy Finger protocol, and have used platforms like TikTok, Pastebin and fake extension pages to prompt victims to run code. Observed payloads include infostealers and remote access trojans such as ModeloRAT. Organizations are advised to prioritize user awareness and robust endpoint and XDR controls to mitigate these risks.

Fake Zoom Meeting Installs Covert Employee Surveillance

🔒 Malwarebytes researchers warn of a convincing fake Zoom meeting page that silently downloads and installs a covert build of Teramind on Windows endpoints. Victims see scripted participants and an “Update Available” countdown that triggers a silent download while a fake Microsoft Store screen displays a staged installation. Because the payload is a repackaged commercial monitoring tool, many defenses may not flag it, so prompt verification and training are essential.

Phishing Campaign Steals Credentials from Freight Firms

📧 A financially motivated threat group dubbed Diesel Vortex has run an extensive phishing campaign since September 2025 targeting freight and logistics operators across the U.S. and Europe, using roughly 52 domains to harvest credentials. Researchers at Have I Been Squatted and partner Ctrl-Alt-Intel discovered exposed repositories and Telegram webhook logs revealing the group's tooling, communications, and an internal mind map describing a call-center style operation. The campaign stole 1,649 unique credential pairs and employed sophisticated evasion — Cyrillic homoglyphs, a nine-stage cloaking chain, voice phishing, Telegram infiltration, and pixel-perfect clones — before coordinated takedowns disrupted the infrastructure.

1Campaign Cloaking Service Enables Malicious Google Ads

🛡️ 1Campaign is a cloaking service that helps threat actors run malicious Google Ads by passing automated screening and serving benign pages to security researchers while exposing real users to phishing and crypto-drainer content. According to Varonis, the platform offers a dashboard for targeting by geography, ISP, and device, and assigns fraud risk scores to filter out cloud-based and researcher traffic. It also includes a Google Ads launcher that aids operators in bypassing policy checks and impersonating brands, allowing malicious ads to remain online until manually reported.

Recognizing Red Flags of Business Email Compromise

🔎 Business Email Compromise (BEC) exploits social engineering and subtle technical deception to manipulate employees and bypass controls. Attackers use domain tweaks, display-name spoofing, urgent off-hours requests, and impersonation to pressure finance, HR, or operations into transfers or data disclosure. Inspect headers and SPF/DKIM/DMARC, enforce MFA, run phishing simulations, and maintain a strict verification culture.

Bitpanda Phishing Campaign Uses Fake MFA to Harvest Data

🔒 A sophisticated phishing campaign impersonating cryptocurrency broker Bitpanda has been uncovered by Cofense, employing a near-perfect fake login to steal credentials. Victims are guided through a staged MFA flow that requests names, phone numbers, addresses and dates of birth, enabling account takeover and identity abuse. The fraudulent landing page uses deceptive domains and urgent messaging before redirecting users to the real login page. Users should verify sender addresses, hover over links and access platforms via bookmarks rather than email links.

AI-enabled Cyber Attacks Nearly Double in 2025 - CrowdStrike

⚠️ CrowdStrike's Global Threat Report 2026 warns that AI-enabled cyber-attacks rose 89% in 2025 as adversaries used machine learning and LLMs to scale and refine phishing, disinformation and malware operations. Researchers observed LLMs producing multilingual, convincing phishing lures and automating campaign creation, while some actors embedded prompting into malware (e.g., LameHug) for reconnaissance. CrowdStrike recommends strong identity controls, AI-focused awareness training and threat-intel monitoring to mitigate the accelerating threat.

How Attackers Use Generative AI to Exploit Systems

🔐 Cybercriminals increasingly employ generative AI to automate and scale established attack techniques, from highly convincing phishing and deepfakes to AI-assisted malware creation and accelerated vulnerability exploitation. Adversaries are building custom LLMs, hijacking cloud LLM resources, and orchestrating multi-agent campaigns that speed reconnaissance and weaponization. Organizations should adopt layered defenses, monitor API and AI usage, tighten identity and access, and leverage AI-based detection to mitigate these evolving threats.

Typosquatting Tactics: How Actors Evade Detection Today

🔍 Typosquatting remains a highly effective deception tactic where attackers register look-alike domains to phish, harvest credentials, and deliver malware. CrowdStrike describes how adversaries exploit weak registrar verification and craft convincing WHOIS records while using techniques such as strategic HTTP redirects, geo-targeted content and fake sale pages to evade detection. Organizations should monitor registrations, protect brands, and use Falcon Adversary Intelligence to detect and disrupt campaigns.