CISO Brief

All news with #phishing tag

619 articles · page 4 of 31

Silent Subject Phishing Targets VIPs and Evades Filters

📧 Cybersecurity firm Cyberproof has identified a surge of “silent subject” phishing attacks in Q1 2026 that deliberately omit email subjects to evade filters and trigger recipient curiosity. These campaigns target executives and high-value accounts, delivering links, QR codes and attachments that often redirect to spoofed sites or mobile interactions. Attackers rotate domains, use shortened URLs and deploy legitimate tools like Datto RMM to persist. Organizations are advised to enforce MFA, inspect full sender addresses and deploy advanced content-aware email defenses.

IR Trends Q1 2026: Phishing and public administration

🔒 Talos IR's Q1 2026 analysis finds phishing reemerged as the top initial access vector, with public administration and health care tied as the most targeted sectors. Investigations documented abuse of AI-enabled services like Softr to build credential-harvesting pages and the first observed intrusion by Crimson Collective exploiting exposed developer secrets. Pre-ransomware activity rose, but no encryption occurred thanks to early mitigation. Talos emphasizes properly configured MFA, patching, and centralized logging.

French ANTS Confirms Data Breach; Hacker Claims Sale

🛡️ France's government agency ANTS confirmed a data breach after a threat actor claimed to have stolen citizen records in an intrusion last week. The agency says exposed fields may include login IDs, full names, email addresses, dates of birth, unique account identifiers and, for some individuals, postal addresses, places of birth and phone numbers. ANTS has notified CNIL, the Paris prosecutor and involved ANSSI, is informing affected users and warns the data could be used for phishing and social engineering.

Scattered Spider Member 'Tylerb' Pleads Guilty in US

🔒 Tyler Robert Buchanan, a 24-year-old British national and senior member of the cybercrime group Scattered Spider, has pleaded guilty to wire fraud conspiracy and aggravated identity theft for his role in 2022 SMS-phishing attacks. He admitted launching tens of thousands of phishing texts that enabled intrusions at companies including Twilio, LastPass, DoorDash and Mailchimp. Prosecutors say the campaign fueled SIM-swap thefts that siphoned at least $8 million in cryptocurrency from U.S. investors. Buchanan faces a statutory maximum of 22 years; sentencing is set for August 21, 2026.

State-Sponsored & Phishing Trends: Printers, M365 Risks

🔍 This podcast episode examines the 2025 Talos Year in Review, highlighting a sharp increase in internal phishing that evades traditional perimeter defenses. Hosts Amy Ciminnisi and Martin Lee explain how Microsoft 365's Direct Send feature has been broadly weaponized to deliver trusted-looking internal mail. They also unpack blended state-sponsored campaigns from China and North Korea that pair zero-day exploitation with advanced social engineering.

Phishing and MFA Exploitation: Targeting Trust in Workflows

🔐 In 2025 attackers increased focus on weaknesses in multi-factor authentication (MFA) and the trust inherent in everyday workflows, with phishing used for initial access in 40% of incidents. Cascaded phishing leveraged compromised, legitimate accounts to craft highly convincing lures, while abuse of Microsoft 365 Direct Send enabled internal-looking spoofed messages. MFA spray attacks and device compromise—driven by voice phishing against administrators—targeted IAM tools and high-turnover device ecosystems, with higher education notably impacted. Defenders should harden device management, enforce strong lockout and conditional access policies, and adopt email protections such as Reject Direct Send and tightened SPF/DMARC.

No Exploit Needed: Identity-Based Attacks Remain Top Threat

🔐 Attackers increasingly rely on stolen credentials—via credential stuffing, password spraying and phishing—to gain immediate, low-noise access. Legitimate logins often evade detection, allowing adversaries to dump additional passwords, move laterally, and persist. The author warns that AI is accelerating these techniques and advocates a DAIR (Dynamic Approach to Incident Response) loop, plus clear communication and hands-on training to contain and remediate identity-based intrusions.

Chinese App Store Infiltrated by Crypto Wallet Scams

⚠️ A cluster of 26 malicious apps on Apple's China App Store impersonated popular crypto wallets such as MetaMask, Coinbase, Trust Wallet, and OneKey to harvest recovery seed phrases and drain funds. The apps relied on typosquatting and fake branding and were disguised as games or calculators to bypass local restrictions. They redirected victims to phishing pages that pushed trojanized wallets via abused iOS provisioning profiles; those trojans intercept mnemonics, encrypt them, and exfiltrate them. Kaspersky links the campaign, dubbed FakeWallet, to the ongoing SparkKitty operation, and Apple has removed the apps following disclosure.

Formbook Campaigns Use DLL Sideloading and JS Obfuscation

🔒 Two phishing campaigns are delivering Formbook infostealer to Windows devices using distinct stealth techniques. One abuses DLL sideloading via RAR attachments containing multiple DLLs and an EXE, while the other hides payloads in obfuscated JavaScript and PDF files that drop PowerShell commands and a custom loader. WatchGuard warns these methods leverage trusted processes to evade detection and urges monitoring of archive attachments, anomalous DLL loads and suspicious PowerShell activity.

Apple account alerts abused to deliver phishing lures

📧 Threat actors are exploiting Apple account-change notifications to deliver callback phishing within legitimate emails sent from Apple's infrastructure. They place scam text into the account's first and last name fields, then trigger a shipping-info update so Apple sends the altered notification. Because messages are sent from appleid@id.apple.com and pass SPF, DKIM, and DMARC, they appear authentic and can bypass filters, increasing the risk of successful callback scams.

Singer Loses Life Savings to Fake Ledger Live App Download

🚨 Garrett Dutton (G. Love) says he downloaded a counterfeit Ledger Live app from Apple's App Store while setting up a new computer and was tricked into entering his seed phrase. Thieves used it to steal 5.9 BTC (about $440,000). Apple removed the fraudulent app on April 12 after investigators linked it to roughly $9.5 million stolen from more than 50 victims. Legitimate wallets never ask for your seed phrase; verify developer names and ratings and be especially cautious when installing apps on new devices.

Beware Fake Data Breach Notifications: Spot and Avoid Scams

🔔 As data breach notices become common, fraudsters increasingly send fake alerts or piggyback on real incidents to trick recipients into clicking malicious links or divulging credentials. These scams often demand immediate action, use spoofed sender addresses, and lack personal account details. Verify any notice by logging into the real account or contacting the organization through trusted channels, and reduce exposure with a password manager and MFA.

Phishing Paradox: Trusted Brands as Attack Vectors

📧 In Q1 2026, Check Point Research found Microsoft was the most impersonated brand in phishing campaigns, accounting for 22% of brand impersonation attempts. Apple (11%), Google (9%), Amazon (7%) and LinkedIn (6%) followed, reflecting attackers’ focus on both enterprise and consumer ecosystems tied to identity, devices and payments. The report underscores a persistent trend: threat actors exploit trusted brands to harvest credentials and gain initial access to personal and corporate environments.

PowMix PowerShell Botnet Targets Czech Workforce Campaign

🔍 Cisco Talos identified an active PowerShell-based botnet dubbed PowMix, operating since at least December 2025 and targeting organizations and job applicants in the Czech Republic. The campaign deploys phishing ZIP archives containing LNK shortcuts that launch an obfuscated PowerShell loader which bypasses AMSI and executes a decrypted payload in memory. Talos observed tactical overlap with ZipLine and published IOCs and detection guidance.

UAC-0247 Campaign Targets Ukrainian Clinics, Hospitals

🛡️ CERT-UA has disclosed a campaign, dubbed UAC-0247, that between March and April 2026 targeted government and municipal healthcare organizations — primarily clinics and emergency hospitals — to deliver credential-stealing malware. Attacks begin with spear-phishing links leading to compromised or AI-generated sites that drop a Windows Shortcut (LNK) executing an HTA via mshta.exe, which loads multi-stage loaders and payloads such as RAVENSHELL, AGINGFLY, and the PowerShell-based SILENTLOOP. The intrusions enable reconnaissance, lateral movement, and theft of data from Chromium-based browsers and WhatsApp; CERT-UA advises restricting execution of LNK/HTA/JS, limiting use of abused utilities, and blocking suspicious connections.

n8n Abuse: Threat Actors Weaponize AI Workflow Platforms

⚠️ Cisco Talos details how attackers are misusing the AI workflow automation platform n8n to run sophisticated phishing and malware campaigns. Between October 2025 and March 2026, researchers observed a sharp increase in emails containing n8n webhook URLs that serve dynamic HTML payloads and CAPTCHA-protected bait to initiate downloads. These flows mask malicious payloads behind trusted domains and have been used to deploy modified RMM tools and to fingerprint recipients. Talos urges behavioral detection, IOC sharing, and AI-enhanced email defenses to mitigate this abuse.

Microsoft Adds Protections for Malicious RDP Files Now

🔒 Microsoft has added new protections in the April 2026 cumulative updates to help block malicious Remote Desktop (.rdp) files commonly used in phishing campaigns. After the update users see a one-time educational prompt and, on subsequent opens, a security dialog that lists local resource redirections with every option disabled by default. Unsigned files receive a 'Caution: Unknown remote connection' warning and unknown publisher label. Administrators can temporarily disable the dialog via a registry policy but Microsoft advises keeping the protections enabled.

FBI and Indonesia Dismantle W3LL Phishing Platform

🔒 The FBI Atlanta Field Office and Indonesian authorities dismantled the W3LL phishing platform and seized infrastructure, leading to the arrest of the alleged developer. The W3LL kit, sold for $500, enabled adversary-in-the-middle attacks to capture credentials, session cookies and one-time MFA tokens, allowing attackers to bypass multifactor protections. Its marketplace, W3LLSTORE, facilitated the sale of over 25,000 compromised accounts and contributed to attempts exceeding $20 million in fraud.

FBI, Indonesian Police Dismantle W3LL Phishing Network

🛡️ The FBI, with the Indonesian National Police, dismantled the infrastructure of the W3LL phishing network, detained the alleged developer identified as G.L., and seized key domains used to harvest credentials. The off-the-shelf W3LL toolkit—marketed for about $500—enabled adversary-in-the-middle attacks that bypassed MFA and targeted primarily Microsoft 365 accounts. Authorities say the operation attempted more than $20 million in fraud and was linked to tens of thousands of compromised accounts.

FBI and partners dismantle $20M W3LL phishing network

🛡️ The FBI Atlanta field office, together with US and Indonesian authorities, dismantled a large-scale phishing operation built around the W3LL phishing kit. The kit, sold via a members-only marketplace called W3LL Store, enabled attackers to clone login pages and harvest credentials for as little as $500. Investigators seized the w3ll.store domain, identified an alleged developer known as 'G.L.', and say the toolkit may have been used against over 17,000 victims worldwide between 2023 and 2025.