
All news with #phishing tag


Phishers Using Bubble No-Code Platforms for Redirects

🔗 Phishers are exploiting the Bubble no-code app builder to host web apps whose URLs appear legitimate and thus evade email filters. The platform’s dense JavaScript and Shadow DOM output confuses automated scanners, masking simple redirects to credential-harvesting pages. These Bubble-hosted apps are embedded in phishing messages and lead victims to convincing Microsoft sign‑in clones. Organizations should combine user training with endpoint protections and gateway anti-phishing controls to reduce risk.

Tycoon2FA Phishing Service Resumes After Disruption

🔁 Tycoon2FA, a phishing-as-a-service platform disrupted by Europol and Microsoft on March 4, has returned to pre-takedown activity levels within days. CrowdStrike observed a brief decline to about 25% of normal volumes on March 4–5, 2026, before activity rebounded and cloud compromise remediations returned to early-2026 levels. The service continues to use similar TTPs targeting Microsoft 365 and Gmail, exploiting redirection, URL shorteners, and compromised domains. CrowdStrike warns that without arrests or physical seizures, operators can quickly recover and replace impacted infrastructure.

Tycoon2FA Phishing Service Rapidly Resumes Activity

🛡️ Tycoon2FA, a subscription-based phishing-as-a-service platform, has resumed operations following a coordinated takedown that seized 330 domains. The service uses adversary-in-the-middle techniques to intercept live authentication sessions and bypass multifactor authentication, and it continues to deploy AI-generated decoy pages and malicious URLs. CrowdStrike reported multiple suspected Tycoon2FA-enabled incidents in early March. Organisations are urged to prioritise continuous detection, real-time signal correlation, and layered defences to counter this adaptive threat.

Microsoft: IRS-themed Phishing Hits 29,000, RMM Abused

⚠️ Microsoft reported large-scale IRS-themed phishing campaigns in February 2026 that targeted more than 29,000 users across 10,000 organizations, using tax refund, payroll and W‑2 lures to harvest credentials and deliver remote access tools. Attackers leveraged Phishing-as-a-Service kits (notably Energy365 and SneakyLog/Kratos) and abused legitimate RMM products such as ScreenConnect, Datto, and SimpleHelp to maintain persistent access. Microsoft advises enforcing 2FA, applying conditional access, and blocking malicious domains and payloads to reduce exposure.

Azure Monitor alerts abused for callback phishing campaigns

⚠️ Microsoft Azure Monitor alerts are being abused to distribute callback phishing messages that impersonate billing and security notices. Attackers create alert rules with custom descriptions and configure them to send emails to lists they control, causing legitimate azure-noreply@microsoft.com messages to reach targets and pass SPF/DKIM/DMARC checks. Recipients are urged to call listed numbers, a tactic that can lead to credential theft, payment fraud, or remote access compromise.

FBI: Russian-Linked Phishing Targets Signal, WhatsApp

🔒 U.S. agencies warn that threat actors aligned with Russian intelligence are conducting targeted social-engineering phishing campaigns to compromise commercial messaging apps such as Signal and WhatsApp. The attacks have led to unauthorized access to thousands of accounts and involve impersonating support personnel to request SMS codes or verification PINs, or to deliver malicious QR links. Victims who provide codes can lose account control, while those who scan attacker-controlled QR codes may have past and future messages exposed. Authorities advise never sharing verification codes and regularly reviewing linked devices in app settings.

FBI Links Signal Phishing to Russian Intelligence Services

🔔 The FBI has publicly attributed widespread phishing campaigns against encrypted messaging apps—primarily Signal and, to a lesser extent, WhatsApp—to actors linked to Russian intelligence services. The adversaries do not break end-to-end encryption; they hijack accounts via social engineering, commonly tricking victims into sharing verification codes or scanning malicious QR codes. Thousands of accounts worldwide have reportedly been compromised, often targeting individuals with sensitive access. Authorities urge users to refuse unsolicited device-linking requests and never share verification codes.

Russian Intelligence Targets Commercial Messaging Accounts

🔒 CISA and the Federal Bureau of Investigation issued a joint Public Service Announcement warning of ongoing phishing campaigns by cyber actors associated with Russian intelligence services targeting commercial messaging applications (CMAs). The campaigns seek to bypass encryption by compromising individual user accounts rather than breaking application cryptography. Evidence indicates thousands of CMA accounts have been accessed to view messages and contact lists, send messages, and conduct follow-on phishing. CISA and FBI urge users to review the PSA, adopt recommended cybersecurity practices, and remain vigilant for suspicious activity.

Tycoon2FA Phishing-as-a-Service Persists After Takedown

🛡️ On March 4, 2026, Europol coordinated a technical disruption that seized 330 domains tied to Tycoon2FA, a subscription-based phishing-as-a-service platform that enabled adversary-in-the-middle (AITM) attacks to bypass multifactor authentication. CrowdStrike observed an immediate drop in activity followed by a return to pre-disruption campaign volumes as operators reconstituted infrastructure and continued using established TTPs. Defenders should maintain layered controls across phishing, DNS resolution, cloud authentication, and Exchange inbox protections while leveraging Falcon and Falcon Complete for detection and response support.

Five Ways Google Helps You Avoid Tax Season Scammers

🔒 Google outlines five practical defenses to help users spot and avoid tax‑season scams. It describes on‑device AI protections on Pixel phones, including Call Screen and optional real‑time Scam Detection alerts, plus text‑vetting with Circle to Search and Lens. The post highlights real‑time Safe Browsing, high‑visibility Gmail warning banners, and security steps such as Passkeys and 2‑Step Verification to reduce fraud risk.

Tax season surge: Phishing and malware campaigns in 2026

📧 Microsoft Threat Intelligence and the Defender Security Research Team observed a surge of tax-themed phishing and malware campaigns in early 2026, exploiting W-2s, 1099s, IRS notices, and CPA communications to trick recipients. Attackers used Phishing-as-a-Service kits such as Energy365 and SneakyLog, QR-coded documents, and repackaged RMM tools (ScreenConnect, SimpleHelp, Datto) to steal credentials and gain remote access. Highly customized messages, multi-step flows, and legitimate hosting services helped these campaigns evade detection and target both individuals and tax professionals.

Adversary-in-the-Middle Phishing Is Defeating MFA Now

🔐 Modern phishing now uses adversary-in-the-middle proxies that capture entire authentication flows, including MFA prompts and session cookies. Employees can complete legitimate logins and still be compromised because attackers replay session tokens from a different machine. Organizations must move beyond traditional MFA and outdated awareness training and instead deploy phishing-resistant authentication, bind sessions to managed devices, and monitor post-authentication behavior.

Smashing Security 459: Near-Miss WordPress Account Takeover

🔐 In Episode 459 Graham Cluley and Paul Ducklin dissect a near-miss account takeover aimed at WordPress co-founder Matt Mullenweg that combined MFA prompt fatigue, authentic Apple alerts, a convincing support call and a phishing page. They draw practical lessons on resisting MFA prompt fatigue and social-engineering support scams. The episode also explores UK Biobank re-identification risks and the ethics of sharing lifetime medical data.

Aura Confirms Data Breach Exposing 900,000 Contacts

🔒 Aura confirmed an unauthorized party accessed nearly 900,000 records containing names and email addresses after a voice‑phishing attack targeted an employee. The company says the data came from an inherited marketing tool tied to a 2021 acquisition and affected roughly 20,000 current and 15,000 former customers, while noting Social Security numbers, account passwords, and financial data were not exposed. Have I Been Pwned added the leak to its database and observed customer service comments and IP addresses among the files. Aura is conducting an internal review with external experts, has notified law enforcement, and plans to send personalized notifications to affected individuals.

ClickFix Campaign Distributes New In-Memory Infostealers

🛡️ Rapid7 and Microsoft researchers have documented a ClickFix operation that compromised over 250 WordPress sites to distribute fileless infostealers using counterfeit Cloudflare CAPTCHA prompts. The injected JavaScript hides from administrators and coerces visitors into pasting obfuscated commands that launch an in-memory DoubleDonut loader, which injects payloads into legitimate Windows processes. Observed payloads include a new Vidar variant and two previously undocumented stealers—Impure Stealer (.NET) and VodkaStealer (C++)—both using advanced encoding, encryption and sandbox-detection checks. Site owners are urged to restrict public admin access, tighten credentials and apply the published IOCs and YARA rules.

Global Rise in Fake Shipment Tracking Scams — 2025 Update

📦 Group-IB reports a rapid global escalation of fake shipment tracking scams during 2025, jumping from almost no activity in 2024 to more than 100 unique campaigns per month and peaks of 218 and 208 in June and December. Attackers use disposable and lookalike domains, SMS sender spoofing, local-looking numbers and URL masking to trick recipients into providing credentials or paying bogus fees. Many phishing sites share infrastructure linked to the Darcula PhaaS, which offers thousands of counterfeit domains and templates. The report urges organisations to strengthen domain authentication and increase customer alerts.

ClickFix Campaigns Deliver MacSync macOS Infostealer

🛡️ Sophos researchers identified three ClickFix campaigns that used malicious search ads and trusted-host lures to coax macOS users into pasting and executing terminal commands, resulting in the deployment of the MacSync infostealer. The campaigns—first observed in November and December 2025 and refreshed in February 2026—leveraged fake Google Sites, ChatGPT conversation redirects, and GitHub-style pages. The February variant introduced dynamic AppleScript and in-memory execution to harvest credentials, keychain data, files, and crypto seed phrases while attempting to erase traces.

ClickFix Lures Evolve to Deploy New In‑Memory Infostealers

🔒 Researchers warn that criminals have scaled ClickFix social-engineering lures to deliver sophisticated, fileless infostealers via compromised WordPress sites. Rapid7 observed a campaign active since December 2025 that leveraged fake Cloudflare CAPTCHA prompts across more than 250 WordPress domains in 12 countries to trick victims into running obfuscated commands. The chain deploys an in-memory loader called DoubleDonut that injects payloads into legitimate Windows processes, and analysts also observed novel .NET and C++ stealers alongside a new Vidar variant. Microsoft noted a separate campaign that pivots from the Run dialog to Windows Terminal for execution.

Interpol-led Operation Synergia III Nets 94 Arrests Worldwide

🔍 Interpol coordinated Operation Synergia III from 18 July 2025 to 31 January 2026, involving law enforcement units in 72 countries and private partners. The action produced 94 arrests, the seizure of 212 electronic devices and servers, and the takedown of some 45,000 malicious IP addresses, while 110 individuals remain under investigation. The operation targeted phishing, ransomware, romance scams and credit card fraud and disrupted infrastructure used to impersonate banks, government sites and payment services. Private-sector partners including Group-IB, Trend Micro and S2W supplied intelligence that helped identify hosting and malware distribution points.

INTERPOL Disrupts 45,000 Malicious IPs and Servers

🛡️ INTERPOL announced the takedown of 45,000 malicious IP addresses and servers linked to phishing, malware, and ransomware campaigns across 72 countries. The effort, part of Operation Synergia's third phase, resulted in 94 arrests, 212 devices seized and 110 suspects under investigation. Targeted actions in Bangladesh, Togo and Macau uncovered large fraud rings and over 33,000 phishing sites.