< ciso
brief />
Tag Banner

All news with #phishing tag

695 articles · page 9 of 35

The Threat Hunter’s Gambit: Skills, Signals, and Risks

🔍 William Largent frames threat hunting as a discipline akin to strategy games, where pattern recognition, prediction, and spotting feints reveal an adversary's intent. Cisco Talos warns of a growing Platform-as-a-Proxy (PaaP) tactic in which attackers weaponize legitimate SaaS notification pipelines such as GitHub and Jira to deliver authenticated phishing that circumvents SPF, DKIM, and DMARC. Because users habitually trust system-generated alerts, defenders should adopt zero‑trust controls, ingest SaaS API logs into SIEMs, and require out‑of‑band verification for high-risk actions.
read more →

Investigating Storm-2755: Payroll pirate attacks in Canada

🔒 Microsoft Incident Response researchers detail a Storm-2755 campaign that used malvertising and SEO poisoning to phish Canadian users and capture OAuth tokens and credentials via adversary-in-the-middle (AiTM) proxying. The actor replayed tokens (notably using the Axios/1.7.9 user-agent) to hijack authenticated sessions and bypass non-phishing-resistant MFA. Compromised accounts were used to search for payroll and HR data, create hidden inbox rules, and in some cases directly modify Workday payment information, resulting in at least one confirmed payroll diversion. Microsoft urges immediate token revocation, removal of malicious inbox rules, and adoption of phishing-resistant MFA and device-based conditional access.
read more →

Fake BTS ARIRANG Tour Ticket Websites Target Fans Worldwide

🎟️ Scammers are exploiting BTS's ARIRANG world tour pre-sales by cloning official ticket pages for multiple countries, creating at least 10 fraudulent domains observed in early April. These lookalike sites replicate the purchase flow and pressure fans into instant payments — in Brazil many victims are urged to pay via PIX, sending funds to mule accounts that are difficult to recover. To avoid fraud, fans should use only the official tour page, verify domains, confirm country-specific sales formats, and contact banks immediately if scammed. Enable banking alerts and use security software that blocks phishing sites.
read more →

Google Warns of Extortion Group Targeting BPOs and Helpdesks

🔒 Google Threat Intelligence Group warns that UNC6783, a financially motivated cluster possibly tied to the 'Raccoon' persona, is targeting business process outsourcers (BPOs) and large enterprises via live chat social engineering. The campaign directs employees to spoofed Okta login pages hosted on Zendesk-like domains such as [.]zendesk-support[.]com and uses a phishing kit that steals clipboard contents to bypass MFA and enroll attacker devices for persistence. GTIG also observed fake security updates delivering remote access malware and the use of Proton Mail to deliver ransom notes. Organizations should deploy phishing-resistant MFA like FIDO2 keys, monitor live chat, block unauthorized domains and audit new MFA enrollments.
read more →

Google: UNC6783 targets BPOs to steal Zendesk tickets

🔐 Google warns that UNC6783 is compromising business process outsourcing (BPO) providers to steal corporate support tickets and other sensitive data for extortion. Attackers use social engineering, live-chat phishing, and spoofed Zendesk-style domains plus fake Okta login pages; observed phishing kits can exfiltrate clipboard contents to bypass MFA and register devices. The group also distributes fake security updates to deliver remote access malware and then contacts victims via ProtonMail; Google recommends deploying FIDO2 keys, monitoring live chat, blocking spoofed domains, and auditing MFA enrollments.
read more →

Telehealth Risks in 2026: Medical Data and AI Scams

🔒 Telehealth offers fast, convenient access to care but creates persistent medical records that are highly valuable to criminals. Stolen health data — from diagnoses and prescriptions to insurance IDs and test results — often fetches far more than payment or social-login credentials and enables extortion, fraud, and identity theft. The rise of AI-driven fake clinics and diagnostic tools makes realistic phishing and data-harvesting sites easier to create. Protect yourself by using a dedicated medical email, avoiding social sign-in, enabling 2FA, using clinic-provided encrypted portals, and keeping health devices patched.
read more →

Weaponizing SaaS Notification Pipelines for Phishing

🔔 Cisco Talos observed a rise in campaigns that weaponize SaaS notification pipelines in collaboration platforms to deliver phishing and credential‑harvesting lures. Attackers embed malicious content in GitHub commit messages and in user‑configurable Jira project fields so automated notifications, signed by the platforms, bypass SPF, DKIM, and DMARC checks. Talos describes this as a Platform‑as‑a‑Proxy (PaaP) abuse and recommends moving to Zero‑Trust, instance‑level verification, and API telemetry to detect and block these attacks.
read more →

AI-Enabled Device Code Phishing Campaign Analysis Report

🔒 Microsoft Defender Security Research describes an AI-enabled campaign that abused the OAuth Device Code flow to compromise organizational accounts at scale. Actors used generative AI to craft hyper-personalized lures and automated backend infrastructure (including Railway.com and other PaaS) to generate dynamic device codes at click time, defeating the standard 15-minute expiry. The activity is linked to the PhaaS toolkit EvilToken and shows a marked escalation in automation and scale versus earlier device code phishing campaigns. Post-compromise actions focused on device registration, Microsoft Graph reconnaissance, malicious inbox rules, and email exfiltration.
read more →

DPRK-Linked Hackers Use GitHub as C2 in LNK Attacks

🔒 Fortinet FortiGuard Labs reports DPRK-linked actors using GitHub as command-and-control infrastructure in multi-stage LNK-based phishing attacks targeting South Korea. Obfuscated Windows shortcut files drop a decoy PDF and a silent PowerShell script that performs anti-analysis checks, extracts a VBScript, and creates persistence via a scheduled task running every 30 minutes. The script profiles hosts, exfiltrates the data to a GitHub repo under an account such as 'motoralis' with a hard-coded token, and retrieves additional modules or commands from files in the repository to maintain control.
read more →

DPRK-linked campaign uses LNK files and GitHub C2 channels

🛡️ Fortinet reports a DPRK-linked espionage campaign leveraging weaponized Windows shortcut (.LNK) files and GitHub repositories as command-and-control channels to target South Korean organizations. The attackers rely on multi-stage PowerShell scripts, progressively embedding decoding functions and encoded payloads inside LNK arguments to evade detection. This approach reflects a living off the land strategy that abuses native Windows utilities and legitimate services.
read more →

Traffic violation phishing texts switch to QR codes

🚨 Scammers are sending fake "Notice of Default" traffic violation texts impersonating state courts and urging recipients to scan an embedded QR code to pay a $6.99 balance. Scanning the code leads to an intermediary site with a CAPTCHA, then redirects to phishing pages posing as state DMVs that harvest personal and credit card data. These campaigns have targeted multiple states; ignore unexpected payment texts and never provide payment details to unknown senders.
read more →

Device-code phishing attacks surge as kits spread online

🔐 Device-code phishing attacks that exploit the OAuth 2.0 Device Authorization Grant flow have surged sharply this year, driven by commodity phishing kits. Researchers report a 37.5x increase in detected pages and identify at least 11 kits, with the PhaaS offering EvilTokens the most prominent. These kits mimic legitimate SaaS flows, use anti-bot protections and cloud hosting, and trick victims into entering device codes that grant attackers valid access and refresh tokens. Security teams are advised to disable unused device-code flows and monitor authentication logs and sessions closely.
read more →

Venom PhaaS Used in Global C-Suite Credential Theft

🔍 Abnormal researchers uncovered a targeted credential theft campaign active from November 2025 to March 2026 that focused on C‑suite and senior personnel across more than 20 industry verticals. The operation was powered by a previously undocumented phishing-as-a-service platform, Venom, and used SharePoint-themed lures with embedded QR codes. The phishing emails employed randomized HTML, fabricated multi-message threads and persona spoofing to evade detection and isolate human targets. Attackers used both AiTM relays and Microsoft’s device code flow to bypass MFA and achieve persistent access.
read more →

Democratisation of Business Email Compromise Fraud Trends

🔒 The Talos Threat Source newsletter warns that business email compromise (BEC) attacks have been democratised by AI, enabling attackers to cheaply and rapidly craft convincing payment requests that target small community organisations, charities, and businesses. Attackers can automate reconnaissance and generate tailored messages referencing projects, tone, and terminology. Defenders should verify unexpected payment requests via independent channels, enforce procurement controls, and increase awareness. The briefing also flags an automated credential-harvesting campaign exploiting React2Shell in Next.js applications that risks wide-scale token and key theft.
read more →

AI-Enabled Attacks Transform Cyber Threat Operations

🤖 Microsoft describes a shift from AI as a tool to AI as an embedded attack surface, accelerating tempo, precision, and scale across reconnaissance, malware development, and post-compromise activity. AI-enhanced phishing campaigns now report click-through rates near 54% versus roughly 12% for traditional campaigns, a 450% increase. The blog highlights Tycoon2FA, tied to Storm-1747, as an industrialized, subscription-based phishing ecosystem that automated MFA bypass at scale. Microsoft’s Digital Crimes Unit disrupted the operation, seizing 330 domains with Europol and partners, and urges organizations to prioritize agent inventory, agentic accountability, and lifecycle-integrated intelligence and defenses.
read more →

Tax Season 2026: Cybercriminals Prepare Attacks Early

🔍 Check Point Research reports that cyber criminals systematically prepared for Tax Season 2026, registering hundreds of tax‑related domains each month from September 2025 through February 2026. These prebuilt infrastructures fueled phishing campaigns, fraudulent tax portals and malware designed to harvest credentials and financial data. Organizations and individuals should prioritize domain monitoring, DNS filtering, email authentication and targeted employee training to reduce exposure.
read more →

EvilTokens Abuses Microsoft Device-Code Flow for Takeovers

⚠️ Sekoia researchers uncovered a phishing-as-a-service toolkit named EvilTokens that abuses Microsoft's device code authentication flow to capture valid access tokens by tricking victims into entering device codes on official Microsoft login pages. The kit bundles phishing lures, AI-driven automation, inbox harvesting and post-compromise modules to weaponize access. Operators distribute the service through Telegram bots and channels, and Sekoia observed activity since at least mid-February targeting countries including the US, Australia, Canada, France, India, Switzerland and the UAE.
read more →

WhatsApp Alerts 200 Users After Fake iOS App Spyware

⚠️ Meta-owned WhatsApp said it alerted about 200 users, largely in Italy, who were fooled into installing a counterfeit iOS app infected with spyware. The company logged affected accounts out, advised victims to uninstall the malicious app and reinstall the official WhatsApp client, and said it is taking action against Italian firm Asigint, an alleged SIO subsidiary. The alert follows earlier campaigns targeting users with Graphite and chained zero-day exploits in 2025, highlighting persistent misuse of surveillance tools in Europe.
read more →

EvilTokens kit powers Microsoft device-code phishing

⚠️ EvilTokens is a commercially sold phishing kit that abuses the device code authorization flow to hijack Microsoft accounts and enable advanced BEC operations. Distributed via Telegram, campaigns deliver document lures with QR codes or links to phishing templates impersonating trusted services and workflows. Victims are prompted to authenticate on the real Microsoft device login, producing short-lived access tokens and refresh tokens that give attackers immediate and persistent access. Sekoia reported global campaigns and published IoCs and YARA rules; the author says support for Gmail and Okta is planned.
read more →

CERT-UA Impersonation Campaign Distributes AGEWHEEZE RAT

📢 CERT-UA disclosed a phishing campaign in which attackers impersonated the agency to distribute a remote access trojan, AGEWHEEZE, via a password-protected ZIP hosted on Files.fm sent March 26–27, 2026. Emails, some originating from incidents@cert-ua.tech, targeted state bodies, medical centers, security firms, educational institutions, financial organizations and developers, urging installation of a purported "protection tool." The Go-based RAT communicates with 54.36.237.92 over WebSockets, supports extensive remote commands and persistence mechanisms, but CERT-UA reports only a handful of personal device infections and provided remediation assistance.
read more →