All news with #phishing tag

🧯 Cisco Talos warns of extensive abuse of CSS to insert hidden “salt” — extraneous characters, comments and markup — into email preheaders, headers, attachments and bodies to evade detection. This hidden text salting technique is significantly more common in spam and malicious mail than in legitimate messages, undermining both signature and ML-based defenses. Talos advises detecting concealed content and, crucially, stripping or normalising that salt before passing messages to downstream engines, while also urging attention to longer-term strategic decision-making in cyber defense.

🔍 Ukraine's SSSCIP reported a sharp rise in AI-enabled cyber operations in H1 2025, documenting 3,018 incidents versus 2,575 in H2 2024. Analysts found evidence that attackers used AI not only to craft phishing lures but also to generate malware samples, including a PowerShell stealer identified as WRECKSTEEL. Multiple UAC clusters—such as UAC-0219, UAC-0218, and UAC-0226—deployed stealers and backdoors via booby-trapped archives, SVG attachments, and ClickFix-style tactics. The report also details zero-click exploitation of Roundcube and Zimbra flaws and widespread abuse of legitimate cloud and collaboration services for hosting and data exfiltration.

⚠️ A new FileFix variant uses cache smuggling to deliver a malicious ZIP via Chrome's disk cache while impersonating a Fortinet VPN Compliance Checker, tricking victims into pasting a crafted path into File Explorer. The embedded PowerShell command extracts a hidden ZIP from cached image files, writes a ComplianceChecker.zip and launches an executable, enabling execution without obvious downloads. Security firms report rapid abuse by ransomware and info-stealer operators and advise training users never to paste clipboard content into OS dialogs.

🛫 Kaspersky researchers uncovered a widespread email fraud campaign impersonating major airlines and airports to solicit advance refundable deposits. Attackers use convincing business-style messages, registration forms and NDAs rather than malware, then request several-thousand-dollar payments to secure partnership consideration. Recipients are urged to verify sender domains against official corporate contacts and treat any deposit request as a major red flag. Organizations should deploy strong email-gateway defenses and provide targeted security awareness training for finance, sales and procurement teams.

⚠ If you clicked a suspicious link, stay calm and act promptly. For work devices, contact IT immediately and follow their instructions. For personal devices, close the browser and check for unexpected downloads; if you entered credentials, change passwords and enable MFA; if financial data was entered, contact your bank; if a file was downloaded, disconnect, run a full scan, and consider restoring from a clean backup. Monitor accounts and report phishing attempts.

🛡️ Unit 42 describes the IUAM ClickFix Generator, a phishing kit that automates creation of ClickFix-style pages which coerce victims into pasting and executing attacker-supplied commands. The kit creates OS-aware, highly customizable pages with clipboard injection, obfuscation, and mobile blocking to deliver infostealers and RATs such as DeerStealer and Odyssey. Unit 42 observed real campaigns, shared developer artifacts, and recommends user education and technical controls to block domains, IPs, and malware indicators.

🔎 A Vietnam-linked group tracked as BatShadow is running a social-engineering campaign that lures job seekers and digital marketing professionals with faux job descriptions to deliver a previously undocumented Go-based malware, Vampire Bot. Attackers distribute ZIP archives containing decoy PDFs alongside malicious LNK or executable files that launch an embedded PowerShell script to fetch lure documents and remote-access tooling such as XtraViewer. The lure coerces victims into opening links in Microsoft Edge, triggering an automatic ZIP download that contains a deceptive executable padded to appear as a PDF; once executed, the Go binary profiles the host, exfiltrates data, captures screenshots, and maintains contact with a command-and-control server.

🛡️ Microsoft Threat Intelligence details how adversaries exploit Microsoft Teams collaboration capabilities—chat, calls, meetings, and screen sharing—at multiple stages of the attack chain. The post chronicles 2024–2025 campaigns and toolsets (phishing, malvertising, deepfakes, device code phishing, and red‑team tool reuse) that enable initial access, persistence, and exfiltration. It emphasizes layered defenses across identity, endpoints, apps, data, and network controls, and provides detection guidance, hunting queries, and product-specific recommendations to help defenders disrupt these operations.

🔒 Malwarebytes has flagged a phishing campaign that impersonated 1Password’s Watchtower breach alerts, nearly tricking an employee into surrendering their vault credentials. The message used authentic branding, familiar phrasing and urgency cues, and embedded legitimate-seeming support links before redirecting victims via Mandrill to a typosquatted credential‑stealing page. By Oct. 2 multiple vendors had marked the site as phishing and Mandrill blocked the redirect, but earlier clicks may already have exposed entire vaults.

🧂 Cisco Talos documents growing abuse of CSS to insert visually hidden 'salt' into emails, a technique that undermines parsing and language-detection systems. Observed across preheaders, headers, attachments and bodies between March 1, 2024 and July 31, 2025, attackers use CSS properties (font-size, opacity, display, clipping) and zero-width characters to conceal irrelevant content. Talos recommends detection plus HTML sanitization and filters—examples include Cisco Secure Email Threat Defense—to strip or ignore invisible content before downstream analysis.

🛡️ New variants of the XWorm backdoor (6.0, 6.4, 6.5) are being distributed via phishing campaigns after the original author, XCoder, abandoned the project. Multiple operators have adopted these builds, which now support more than 35 plugins enabling data theft, remote control, and a ransomware module that encrypts user files and drops HTML ransom notes. Trellix observed diverse droppers and recommends layered defenses including EDR, email/web protections, and network monitoring.

🔒 German SMEs face a sharp rise in ransomware and data-exfiltration incidents, with leak-site publications more than quadrupling from 2021 to 2024. Authorities report that 80% of analyzed ransomware incidents targeted small and medium-sized enterprises, often using double extortion. Attackers favor targeted phishing—executives receive on average 57 such attempts yearly—and many firms lack adequate defenses amid staffing shortages and overly complex security stacks.

🔒 Renault has informed customers that a cyber-attack on a third-party supplier led to the extraction of personal data from one of the supplier's systems. The vendor confirmed the breach affected names, gender, contact details, postal addresses and vehicle identification and registration numbers, though no financial information or passwords appear to have been taken. Renault says its own systems were not compromised and that the incident has been contained, and it has notified the relevant authorities. Affected customers are warned to expect targeted phishing using the stolen information.

🔒 ParkMobile has settled a class action tied to its 2021 data breach, offering affected users a $1 in-app credit as part of a $32.8 million resolution. Threat actors leaked a 4.5 GB CSV exposing nearly 22 million customers' names, contact details, bcrypt-hashed passwords, mailing addresses, license plates and vehicle information. Claimants must manually apply promo code P@rkMobile-$1 (most codes expire Oct 8, 2026; California codes do not), and the company warns of continuing SMS phishing campaigns targeting users.

⚠️ Trend Micro has uncovered a self-propagating malware campaign named SORVEPOTEL that primarily targets Brazilian Windows users via WhatsApp. The attack is delivered through convincing phishing messages with malicious ZIP attachments that contain LNK shortcuts which trigger PowerShell to download a batch payload. The payload establishes persistence by copying itself to the Windows Startup folder and contacts a command-and-control server, and if WhatsApp Web is active the malware automatically forwards the infected ZIP to contacts and groups, causing rapid spread and frequent account bans. Researchers report no evidence of data exfiltration or file encryption so far.

📄 Researchers at Varonis have identified a sophisticated phishing toolkit called MatrixPDF that embeds prompts, JavaScript, and external redirects inside seemingly legitimate PDF files to target Gmail users. Attackers exploit Gmail's preview and desktop PDF readers: a blurred preview displays a prompt to 'open secure document' that directs victims to external payloads, while embedded scripts can fetch malware if a user grants permission. Because the malicious content is only retrieved after user interaction, Gmail's automated scanners and attachment sandboxes can be bypassed. Security experts recommend stronger webmail controls, robust attachment sandboxing, endpoint detection, and frequent, realistic user awareness training.

🔍 Check Point Research found a marked rise in Amazon Prime Day scams during the first three weeks of September 2025, driven by malicious domains, phishing emails, and credential-harvesting pages that mimic legitimate Amazon communications. Attackers are exploiting urgency and trusted branding to capture login and payment details. Consumers and organizations should verify senders and domains, enable MFA, apply robust email filters, and monitor account activity to reduce exposure.

🔒 Kaspersky analyzed a global phishing campaign that uses convincing fake voting pages to hijack WhatsApp accounts. Attackers lure victims with personalized requests and multilingual scam pages; when users click Vote they’re prompted for the phone number linked to their account and shown a single‑use verification code. Victims who then enter or paste that code in their WhatsApp app inadvertently activate a remote WhatsApp Web session, giving attackers full access. Immediately check Linked devices, disconnect unknown sessions, and follow Kaspersky’s recovery and prevention guidance.

📣 The EU security agency's ENISA Threat Landscape 2025 report, analyzing 4,875 incidents from 1 July 2024 to 30 June 2025, finds phishing was the initial access vector in 60% of intrusions, with vulnerability exploitation at 21%. Botnets and malicious applications accounted for 10% and 8% respectively, and 68% of intrusions led to follow-up malware deployment. ENISA highlights AI-powered phishing exceeded 80% of social engineering globally by early 2025 and warns of attacks aimed at critical digital supply chain dependencies and high-value targets such as outdated mobile and OT systems.

📄 Researchers at Varonis have discovered MatrixPDF, a toolkit that disguises malicious web redirects and scripts inside seemingly benign PDFs to bypass Gmail filters. The files use blurred content, overlays and convincing prompts such as “Open Secure Document” to trick users into opening external sites. In some cases embedded JavaScript can auto-fetch payloads when a reader grants permission. Because Gmail treats preview clicks as user-initiated, these PDFs often evade email scanners and sandboxes.