<ciso brief />

All news with #phishing tag

615 articles · page 9 of 31

Phishers Abuse .arpa Reverse DNS and IPv6 to Evade Defenses

🔒 Threat actors are abusing the special-use .arpa reverse DNS namespace and IPv6 reverse zones to evade domain reputation checks and email gateways. By obtaining IPv6 address space and controlling reverse DNS, attackers can create nonstandard records (for example A records under ip6.arpa) that resolve to phishing infrastructure hosted behind reputable providers like Cloudflare or Hurricane Electric. Infoblox observed short-lived, image-linked URLs that redirect through traffic distribution systems to selectively deliver phishing pages and frustrate investigation.
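A gateway-side check for the pattern described above, added here as an example (it is not Infoblox's tooling). Any link whose hostname sits under .arpa is flagged, because a user-facing web link almost never legitimately points there, and canonical ip6.arpa / in-addr.arpa names are decoded back to the address they denote so an analyst can see what the name claims to represent. Attacker-chosen labels inside a delegated reverse zone will not have the canonical PTR shape, which the check reports separately. The sample URLs are constructed.

```python
"""Flag e-mail links whose host lives under the special-use .arpa namespace.

Added example for this page; not Infoblox's tooling. Sample URLs are constructed.
"""
import ipaddress
from urllib.parse import urlsplit


def arpa_name_to_ip(host: str):
    """Decode a canonical reverse-DNS name into the address it denotes.

    Returns None for names under ip6.arpa / in-addr.arpa that do not have the
    canonical PTR shape (32 nibble labels or 4 octet labels): attackers who control
    a delegated reverse zone can create arbitrary labels there, so a non-canonical
    name under .arpa is itself a signal.
    """
    labels = host.lower().rstrip(".").split(".")
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or not all(len(n) == 1 and n in "0123456789abcdef" for n in nibbles):
            return None
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            return None
        return ".".join(reversed(octets))
    return None


def classify_url(url: str) -> dict:
    """Verdict for one link: anything under .arpa is suspicious, decoded where possible."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    under_arpa = host == "arpa" or host.endswith(".arpa")
    denoted = arpa_name_to_ip(host) if under_arpa else None
    return {
        "url": url,
        "host": host,
        "under_arpa": under_arpa,
        "canonical_ptr_shape": denoted is not None,
        "denoted_ip": denoted,
        "verdict": "suspicious" if under_arpa else "ok",
    }


# Constructed sample links, not observed indicators.
SAMPLE_LINKS = [
    "https://portal.example.com/login",
    "https://login.8.b.d.0.1.0.0.2.ip6.arpa/verify",  # short attacker-chosen label under a delegated zone
    "https://b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa/img.png",
    "http://4.3.2.1.in-addr.arpa/track",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = classify_url(link)
        print(f'{r["verdict"]:10} {r["host"]}  -> {r["denoted_ip"]}')
```

The decode step is there for triage, not for the verdict: a mail gateway can simply refuse to rewrite or follow links under .arpa, while the decoded address tells the analyst which prefix (and therefore which hosting provider) the reverse zone was delegated for.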

Microsoft: Hackers Using AI at Every Stage of Attacks

🤖 Microsoft’s Threat Intelligence report warns that threat actors are increasingly using generative AI across all stages of cyberattacks to accelerate execution and lower technical barriers. Attackers employ models to draft phishing lures, generate realistic fake identities and resumes, produce or debug malware, and scaffold infrastructure. Groups like Jasper Sleet and Coral Sleet have used AI in remote IT worker schemes, while operators test jailbreaking and agentic techniques. Microsoft advises treating these campaigns as insider risks and strengthening identity controls, credential monitoring, and protections around AI systems.

ClickFix phishers use Win+X shortcut to evade defenses

⚠ Attackers have shifted ClickFix phishing to use the Windows + X → I shortcut to open Windows Terminal, prompting victims to paste malicious PowerShell via fake CAPTCHAs and verification prompts. This avoids detections focused on Run (Win+R) and undermines basic security training. Microsoft says the campaign launches layered, persistent chains that decode embedded hex, download a renamed 7-Zip binary to extract payloads, establish persistence, apply Defender exclusions, and exfiltrate data.
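The shift from Win+R to Win+X described above matters for detection engineering. With Win+R the pasted text becomes the command line of a console host spawned by explorer.exe; with Win+X then I the text is executed inside a shell that Windows Terminal has already launched, so that shell's own command line is clean and the evidence moves to script-block logging or to the shell's child processes. The added example below (not Microsoft's detection logic) runs a narrow Win+R-only rule and a surface-agnostic rule over constructed Sysmon-style and PowerShell 4104-style records; the field names, the assumption that telemetry records the shell's parent as WindowsTerminal.exe, and the indicator regexes are all assumptions for the demonstration.

```python
"""Hunt for ClickFix-style execution whichever run surface the lure used.

Added example for this page, not Microsoft's detection logic. The records below are a
constructed, simplified mix of Sysmon-style process-creation events and PowerShell
4104-style script-block events; field names in real telemetry differ by product.
"""
import re

CONSOLE_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Win+R puts the pasted text on the command line of a console host whose parent is
# explorer.exe. Win+X then I opens Windows Terminal, and the pasted text runs inside a
# shell that is already running, so the evidence shifts to script-block logging (or to
# that shell's child processes). Assumption: telemetry records the shell's parent as
# WindowsTerminal.exe.
RUN_SURFACES = {"explorer.exe", "windowsterminal.exe"}

INDICATORS = [
    (r"(?i)\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", "encoded command"),
    (r"(?i)\b(iex|invoke-expression)\b", "inline evaluation"),
    (r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|bitsadmin)", "downloader"),
    (r"(?i)add-mppreference\s+-exclusion", "Defender exclusion"),
    (r"(?i)schtasks(\.exe)?\s+/create", "scheduled-task persistence"),
    (r"(?:[0-9A-Fa-f]{2}){32,}", "long hex blob"),
    (r"(?i)\s-w(indowstyle)?\s+hidden", "hidden window"),
]


def indicators(text: str) -> list:
    return [name for pattern, name in INDICATORS if re.search(pattern, text)]


def win_r_only_rule(ev: dict) -> list:
    """Legacy rule: explorer.exe launching a console host with a loaded command line."""
    if (ev["type"] == "process" and ev["parent"].lower() == "explorer.exe"
            and ev["image"].lower() in CONSOLE_HOSTS):
        hits = indicators(ev["cmdline"])
        return hits if len(hits) >= 2 else []
    return []


def clickfix_rule(ev: dict) -> list:
    """Surface-agnostic rule: covers the Win+R variant and the Win+X / Windows Terminal variant."""
    if ev["type"] == "process":
        if ev["parent"].lower() in RUN_SURFACES and ev["image"].lower() in CONSOLE_HOSTS:
            hits = indicators(ev["cmdline"])
            return hits if len(hits) >= 2 else []
        return []
    if ev["type"] == "scriptblock":
        # an interactive shell under Windows Terminal running what looks like a pasted lure
        if any(a.lower() == "windowsterminal.exe" for a in ev["ancestry"]):
            hits = indicators(ev["script"])
            return hits if len(hits) >= 2 else []
    return []


def run(rule, events) -> dict:
    """Indices of events the rule fires on, mapped to the indicators that matched."""
    return {i: hits for i, ev in enumerate(events) if (hits := rule(ev))}


# Constructed events. Event 1 mimics the chain described above: decode an embedded hex
# blob, execute it, and add a Defender exclusion, all typed into Windows Terminal.
EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"type": "scriptblock", "ancestry": ["explorer.exe", "WindowsTerminal.exe", "powershell.exe"],
     "script": ("$h='4d5a90000300000004000000ffff0000b8000000000000004000000000000000';"
                "iex ([Text.Encoding]::ASCII.GetString([byte[]]($h -split '(..)' -ne '' | % {[Convert]::ToInt32($_,16)})));"
                "Add-MpPreference -ExclusionPath $env:TEMP")},
    {"type": "scriptblock", "ancestry": ["explorer.exe", "WindowsTerminal.exe", "powershell.exe"],
     "script": "Get-ChildItem C:\\Windows\\System32 | Measure-Object"},
]

if __name__ == "__main__":
    print("Win+R-only rule fires on:", run(win_r_only_rule, EVENTS))
    print("Surface-agnostic rule fires on:", run(clickfix_rule, EVENTS))
```

The benign third record shows why the rule demands two independent indicators: administrators do type into Windows Terminal all day, and a single match on an interactive shell would be noise. The practical takeaway is that script-block logging (and module logging) needs to be enabled and shipped, because for this variant there is no loaded command line to alert on.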

Tycoon 2FA phishing kit dismantled after global takedown

🔒 In a coordinated takedown, law enforcement and industry partners dismantled Tycoon 2FA, a commercial phishing-as-a-service platform that automated MFA bypasses via a real-time proxy. The kit, sold for about US $120/month through private Telegram channels, forwarded credentials and one-time codes to legitimate sites to capture authenticated sessions. It was linked to tens of millions of phishing emails and widespread attacks on healthcare and education before seizures and blocks by Microsoft, multi-country law enforcement, and Cloudflare largely disrupted the operation. Users are reminded that not all MFA is equal: hardware security keys or passkeys provide stronger protection against proxying than SMS-based codes.

Ransomware Threats Increasingly Target Education Sector

🎓 Ransomware groups have shifted from encrypting files to extortion with stolen data, putting schools and universities at higher risk. Incidents in 2025–2026 include attacks on Sapienza University of Rome in February 2026, a vocational center in Treviso, and Blacon High School, each causing outages and operational disruption. The article argues that affordable, set-and-forget security that blocks phishing links and automatically scans USB devices can materially reduce exposure.

Fake Claude Code install guides push InstallFix attacks

🛡️ Researchers at Push Security detail an InstallFix scheme that clones legitimate CLI install pages to trick users into running malicious 'curl-to-bash' and PowerShell commands. A mirrored Claude Code documentation page was found delivering encoded download commands that launch mshta.exe and related processes to retrieve a binary. The active payload is Amatera, an info-stealer sold as a MaaS, and the phony pages are being promoted through Google Ads and hosted on legitimate platforms, increasing their evasiveness.

ThreatsDay Bulletin: Emerging Campaigns and Policy Shifts

📰 This ThreatsDay bulletin summarizes a fast-moving week of cyber activity, covering phishing, malware, large-scale scraping, privacy actions, and research that changes operational risk. Notable items include a CERT-UA–reported phishing campaign delivering SHADOWSNIFF, SALATSTEALER, and a Go backdoor; a DDR5 scraping operation used for scalping RAM inventory; and a new Chrome two‑week release cadence. The update also highlights regulatory action against Reddit and privacy steps by Samsung.

APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow

🐾 ClearSky reports a Russian-linked campaign targeting Ukrainian entities that deploys a .NET loader named BadPaw and a backdoor called MeowMeow. The attack begins with a phishing message that lures victims to download a ZIP archive containing an HTA decoy presenting a Ukrainian border-crossing appeal while executing hidden stages. The HTA extracts a VBScript and a PNG-embedded loader, establishes persistence via a scheduled task, and orchestrates retrieval of the MeowMeow backdoor from a remote C2 server. Researchers attribute the operation to APT28 with moderate confidence based on targeting, lures, and tradecraft overlaps.

Europol-Led Operation Disrupts Tycoon 2FA Phishing Service

🛡️ A Europol-led coalition of law enforcement and private cybersecurity firms dismantled Tycoon 2FA, a subscription-based phishing-as-a-service toolkit that enabled adversary-in-the-middle credential and session harvesting at scale. The platform provided a web console for crafting campaigns, harvesting passwords, MFA codes and session cookies, and forwarding stolen data to Telegram for near-real-time monitoring. Authorities seized 330 domains and disrupted infrastructure that generated tens of millions of phishing emails per month, affecting organizations worldwide.

Microsoft-led Takedown Disrupts Tycoon2FA Phishing Network

🔒 Microsoft led a court-authorized disruption of Tycoon2FA, a prominent phishing-as-a-service operation, seizing 330 active domains and coordinating infrastructure seizures with Europol and partner law enforcement. Private-sector partners including Cloudflare, Coinbase, Intel471, Proofpoint, the Shadowserver Foundation, SpyCloud and Trend Micro assisted in removing control panels and fraudulent login pages. Microsoft estimates that Tycoon2FA accounted for roughly 62% of the phishing attempts it blocked by mid-2025, and has linked the service to about 96,000 victims since 2023.

Phishing campaign uses fake LastPass support email threads

🔒 LastPass warns of a targeted phishing campaign that spoofs support email threads to trick users into revealing vault credentials. The messages impersonate a LastPass representative by abusing the display name and use subject lines that mimic forwarded internal conversations about changing an account's primary email. Recipients are urged to click links such as “report suspicious activity” that lead to a fake login page on the domain "verify-lastpass[.]com". LastPass says its systems were not compromised and reminds users never to disclose their master password and to report suspicious messages to abuse@lastpass.com.

Europol Disrupts Tycoon2FA Phishing-as-a-Service campaigns

🔒 Europol coordinated an international law enforcement operation that disrupted Tycoon2FA, a prolific phishing-as-a-service platform that intercepted credentials and session cookies via reverse proxies to bypass MFA and hijack authenticated sessions. Authorities seized 330 domains and removed control panels and phishing pages across multiple countries, with technical disruption led by Microsoft and support from private partners including Trend Micro and Cloudflare. The action aims to curb tens of millions of monthly phishing messages and protect nearly 100,000 targeted organizations while urging defenders to revoke active sessions and monitor for unauthorized access.

Inside Tycoon2FA: Scale and AiTM Phishing Operations

🔎 Tycoon2FA emerged in August 2023 as a phishing-as-a-service platform that provided adversary-in-the-middle (AiTM) capabilities to relay authentication flows and capture session cookies. Its web-based admin panel centralized templates, redirects, hosting, CAPTCHA, and exfiltration controls while exposing real-time metrics. Fast-moving short-lived domains, Cloudflare hosting, and heavy obfuscation let low-skill operators run scalable campaigns against MFA-protected accounts worldwide.

Global Takedown Disrupts Tycoon2FA Phishing Service

🛡️ Microsoft and Europol, supported by industry partners, seized infrastructure linked to the phishing-as-a-service operator Tycoon2FA, removing over 300 domains used in large-scale MFA-bypass campaigns. The PhaaS offering used adversary-in-the-middle techniques to intercept live authentication sessions and capture credentials, one‑time passcodes and session cookies in real time. Investigators say Tycoon2FA had roughly 2,000 users and leveraged more than 24,000 domains since launching in August 2023. Security firms recommend adopting phishing‑resistant authentication, strict conditional access and advanced email protections.
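The Tycoon 2FA items above all turn on one mechanism: a reverse proxy relays a live login, so a one-time code typed on the phishing page verifies at the real site and the proxy keeps the resulting session cookie. The added example below (not code from any of the reports or vendors cited) shows why a WebAuthn assertion does not survive that relay while a relayed code does. It models the browser writing the origin it actually loaded into clientDataJSON, and the relying party checking challenge, origin, rpIdHash and signature in turn. HMAC over a per-credential secret stands in for the credential's asymmetric key pair, and the relying-party ID and both origins are assumptions.

```python
"""Why an AiTM proxy can relay a one-time code but not a WebAuthn assertion.

Added example for this page; not code from any vendor or takedown report. HMAC over a
per-credential secret stands in for the credential's asymmetric key pair (a stated
simplification): the point shown is that the signature covers the origin the browser saw.
"""
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"                               # assumed relying party
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example-com.phish.invalid"  # assumed AiTM proxy front


def rp_id_from_origin(origin: str) -> str:
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


class Authenticator:
    """Browser + authenticator as the victim sees them."""

    def __init__(self):
        # Stand-in for the private key; the RP stores the same bytes as its "public key".
        self.key = os.urandom(32)

    def get_assertion(self, origin: str, challenge: str) -> dict:
        # The browser, not the page, writes origin into clientDataJSON; the authenticator
        # signs authenticatorData || SHA-256(clientDataJSON), so origin cannot be edited later.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                                 sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id_from_origin(origin).encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        sig = hmac.new(self.key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(public_key: bytes, challenge: str, a: dict) -> tuple:
    """Relying-party checks, in the order the WebAuthn spec lists them (trimmed)."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"
    if a["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(public_key, a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, a["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(auth: Authenticator) -> tuple:
    challenge = os.urandom(16).hex()
    return rp_verify(auth.key, challenge, auth.get_assertion(RP_ORIGIN, challenge))


def aitm_relay_webauthn(auth: Authenticator) -> tuple:
    """Proxy fetches the real challenge, victim signs it on the phish origin, proxy forwards it."""
    challenge = os.urandom(16).hex()
    a = auth.get_assertion(PHISH_ORIGIN, challenge)
    as_is = rp_verify(auth.key, challenge, a)
    # Proxy rewrites origin and rpIdHash to look right; the signature then no longer matches.
    cd = json.loads(a["clientDataJSON"])
    cd["origin"] = RP_ORIGIN
    patched = {"clientDataJSON": json.dumps(cd, sort_keys=True).encode(),
               "authenticatorData": hashlib.sha256(RP_ID.encode()).digest() + a["authenticatorData"][32:],
               "signature": a["signature"]}
    return as_is, rp_verify(auth.key, challenge, patched)


def hotp(secret: bytes, counter: int) -> str:
    """Toy HOTP-style code: 6 digits derived from an HMAC, enough to show the relay problem."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"


def aitm_relay_otp(secret: bytes, counter: int) -> bool:
    """The code typed on the phish page is forwarded unchanged; nothing binds it to an origin."""
    typed_on_phish_page = hotp(secret, counter)
    return typed_on_phish_page == hotp(secret, counter)  # RP accepts


if __name__ == "__main__":
    auth = Authenticator()
    print("legitimate:", legitimate_login(auth))
    print("relayed / relayed+patched:", aitm_relay_webauthn(auth))
    print("relayed OTP accepted:", aitm_relay_otp(os.urandom(20), 42))
```

The two failure reasons are the whole argument: the unmodified relayed assertion fails on origin, and once the proxy edits origin and rpIdHash to pass those checks the signature fails, because it was computed over the original clientDataJSON hash. A relayed code has no such binding, which is why the reports above single out hardware keys and passkeys. Note that this protects the authentication step only; a session cookie that has already been issued still needs revoking if it was captured some other way.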

Browser-in-the-Browser Phishing Now Used Against Facebook

🔒 Browser-in-the-browser (BitB) phishing renders convincing fake login pop-ups inside malicious pages, and Kaspersky reports attackers are now using this technique in real campaigns to steal Facebook credentials. Threat actors create counterfeit authentication dialogs and even fake address bars so visual inspection is unreliable. Use a password manager — it checks the actual origin before auto-filling — and enable 2FA, adopt passkeys, and use unique passwords to reduce risk.

APT41-Linked Silver Dragon Targets Europe and Asia

🔒 Check Point disclosed an advanced persistent threat dubbed Silver Dragon, active since mid-2024 and assessed to operate under the APT41 umbrella. The group gains access via vulnerable public servers and phishing, deploying loaders such as MonikerLoader and the C++ BamboLoader to stage Cobalt Strike beacons. Post-exploitation tools include screen capture, SSH utilities, and a Google Drive backdoor used for file-based C2.

Hackers Abuse OAuth Error Redirects to Deliver Malware

🔐 Microsoft warns that attackers are abusing legitimate OAuth error redirection to bypass email and browser phishing protections and deliver malware. Campaigns target government and public-sector organizations with lures such as e-signature requests, meeting invites, and financial notices that contain OAuth redirect URLs. Attackers register malicious OAuth apps and invoke silent-auth parameters or invalid scopes to trigger error redirects to attacker-controlled pages. Those pages can host credential-phishing frameworks or automatically deliver ZIP packages that launch PowerShell loaders and DLL side‑loading routines, enabling final payload execution.

AI and Deepfakes Accelerate Cybercriminal Capabilities

⚠️ A new Cloudflare Threat Report warns that widespread access to large language models and AI tools has lowered the barrier to entry for cybercriminals, enabling rapid, scalable attacks. Attackers are using LLMs to craft convincing phishing, generate malware, and map networks in real time, increasing impact and reach. The report highlights AI-generated deepfakes and fraudulent IDs used to bypass hiring filters and embed malicious insiders, with state actors like North Korea exploiting this vector. Cloudflare urges organisations to adopt real-time intelligence and proactive defenses to counter the industrialisation of cyber threats.

Compromised cPanel Access Fuels Cybercrime Markets

🔐 Flare researchers found widespread trading of compromised cPanel credentials across fraud-focused groups, observing over 200,000 posts in a seven-day sample that reveal a highly commoditized, templated marketplace. Sellers advertise tiered pricing and bulk discounts (for example, bundles of 100–1,000 accounts), and buyers use the panels to host phishing kits, create SMTP accounts, deploy backdoors, and exfiltrate data. Because the access uses valid credentials, abuse often bypasses traditional defenses; organizations should enable MFA, enforce strong unique passwords, restrict admin access by IP, and monitor file integrity and outbound SMTP.

OAuth redirect abuse lets phishers hide malicious pages

🔗 Microsoft warns attackers are abusing a legitimate OAuth redirect behavior to send victims from trusted identity-provider endpoints—like Microsoft Entra ID and Google Workspace—to attacker-controlled landing pages. Phishing lures such as e-signature requests, HR notices, Teams invites and password resets embed links that point to real authorization endpoints but use broken parameters (for example, prompt=none plus invalid scopes) so the provider silently redirects to a malicious URI. Microsoft has disabled multiple malicious OAuth apps, published client IDs and initial redirect IOCs, and supplied KQL hunting queries for Defender XDR customers. Analysts say the old advice to “hover and check the link” is no longer sufficient and urge validating context and tightening OAuth governance.
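Both OAuth redirect items on this page (the one above and the earlier "Hackers Abuse OAuth Error Redirects" entry) describe the same link shape: a genuine authorize endpoint carrying a client_id the victim's tenant has never approved, prompt=none, and a redirect_uri that is where the user really ends up, because with no interaction permitted the provider returns any error straight to that URI. The added example below (not Microsoft's published KQL) unwraps such links from mail and scores them. The endpoint paths are the public Entra ID and Google authorize endpoints; the approved client IDs, the allow-listed redirect hosts and the sample links are constructed assumptions, and whether a scope is valid for a given app cannot be decided offline, so the check keys on prompt=none together with an unknown client or redirect host.

```python
"""Unwrap OAuth authorize links from mail and flag ones built to fail straight into a redirect.

Added example for this page, not Microsoft's published KQL. The endpoint paths are the
public Entra ID and Google authorize endpoints; the approved client IDs, allow-listed
redirect hosts and sample links are constructed assumptions for the demonstration.
"""
from urllib.parse import parse_qs, urlsplit

AUTHORIZE_PATHS = {
    "login.microsoftonline.com": ("/oauth2/v2.0/authorize", "/oauth2/authorize"),
    "accounts.google.com": ("/o/oauth2/v2/auth", "/o/oauth2/auth"),
}
APPROVED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}  # assumed: the tenant's own apps
APPROVED_REDIRECT_HOSTS = {"app.example.com"}                    # assumed


def is_authorize_endpoint(parts) -> bool:
    host = (parts.hostname or "").lower()
    return any(parts.path.endswith(p) for p in AUTHORIZE_PATHS.get(host, ()))


def analyze_link(url: str) -> dict:
    """Score one link and report where the user actually lands."""
    parts = urlsplit(url)
    if not is_authorize_endpoint(parts):
        return {"url": url, "oauth_authorize": False, "verdict": "not an authorize link"}
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    redirect_uri = q.get("redirect_uri", "")
    redirect_host = (urlsplit(redirect_uri).hostname or "").lower()
    reasons = []
    if q.get("prompt") == "none":
        # No UI is allowed, so errors such as an invalid scope or a missing session are
        # returned to redirect_uri immediately: the trusted host is only a hop.
        reasons.append("prompt=none forces a silent error redirect")
    if q.get("client_id") and q["client_id"] not in APPROVED_CLIENT_IDS:
        reasons.append("client_id is not an approved tenant app")
    if redirect_host and redirect_host not in APPROVED_REDIRECT_HOSTS:
        reasons.append(f"redirect_uri host {redirect_host} is not allow-listed")
    return {
        "url": url,
        "oauth_authorize": True,
        "client_id": q.get("client_id"),
        "scope": q.get("scope"),
        "final_destination": redirect_uri,  # where the user actually lands
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "ok",
    }


# Constructed sample links.
LEGIT = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
         "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
         "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&scope=openid%20profile&state=x1")
LURE = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&response_type=code"
        "&redirect_uri=https%3A%2F%2Fdocs-esign.phish.invalid%2Fland&scope=not.a.real.scope&prompt=none")
PLAIN = "https://www.example.com/report"

if __name__ == "__main__":
    for link in (LEGIT, LURE, PLAIN):
        r = analyze_link(link)
        print(r["verdict"], "->", r.get("final_destination"), r.get("reasons", []))
```

The check reports the redirect_uri as the destination, which is the point the analysts above make about "hover and check the link" being insufficient: the visible host is the identity provider, the landing host is whatever the app registered. In a real tenant the approved-app set should come from the app registrations and consent grants, and the vendor-published client IDs should be added as a deny list alongside.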