CISO Brief

All news with #proofpoint tag

7 articles

Silent Subject Phishing Targets VIPs and Evades Filters

📧 Cybersecurity firm Cyberproof has identified a surge of “silent subject” phishing attacks in Q1 2026 that deliberately omit email subjects to evade filters and trigger recipient curiosity. These campaigns target executives and high-value accounts, delivering links, QR codes and attachments that often redirect to spoofed sites or mobile interactions. Attackers rotate domains, use shortened URLs and deploy legitimate tools like Datto RMM to persist. Organizations are advised to enforce MFA, inspect full sender addresses and deploy advanced content-aware email defenses.

China-linked TA416 Targets European Diplomatic Networks

🔍 A China-aligned threat cluster identified as TA416 has resumed focused operations against European government and diplomatic entities since mid-2025, according to Proofpoint. The campaign combined web bugs and malware delivery to deploy the PlugX backdoor via Azure Blob, Google Drive, compromised SharePoint, and attacker-controlled domains. Attackers repeatedly altered infection chains—abusing Cloudflare Turnstile pages, OAuth redirection through Microsoft Entra ID, and MSBuild-based C# project files with DLL side-loading—to enhance stealth and persistence. The group also expanded targeting to Middle Eastern governments following the February 2026 regional conflict.

Microsoft-led Takedown Disrupts Tycoon2FA Phishing Network

🔒 Microsoft led a court-authorized disruption of Tycoon2FA, a prominent phishing-as-a-service operation, seizing 330 active domains and coordinating infrastructure seizures with Europol and partner law enforcement. Private-sector partners including Cloudflare, Coinbase, Intel471, Proofpoint, the Shadowserver Foundation, SpyCloud and Trend Micro assisted in removing control panels and fraudulent login pages. Microsoft estimates that Tycoon2FA accounted for roughly 62% of the phishing attempts it blocked by mid-2025 and has linked the service to about 96,000 victims since 2023.

TrustConnect: Fake RMM Service Used by Cybercriminals

⚠️ Proofpoint uncovered TrustConnect, a malware-as-a-service that masquerades as a legitimate remote monitoring and management (RMM) product and is advertised at about $300 per month. The operation uses a polished public website and a backend portal that functions as a web-based command-and-control dashboard for paying customers. Attackers primarily rely on social engineering — phishing lures and signed installers impersonating Zoom, Teams, Adobe Reader and others — to trick victims into running the RAT, which auto-registers infected hosts in the portal. Researchers disrupted parts of the infrastructure but observed resilient activity and a related variant called DocConnect.

OAuth device-code abuse enables MFA bypass in attacks

🔒 Security firm Proofpoint reports attackers are abusing the OAuth 2.0 device-code flow to bypass MFA. Scammers trick users into entering one-time device codes into malicious Microsoft authentication links, allowing the attackers to capture codes and gain full access to the victim's Microsoft 365 accounts and content. Proofpoint observed both Russian and Chinese threat actors using this technique.

Russia-Linked Hackers Use Microsoft 365 Device Code Phishing

🔒 Proofpoint links a September 2025 phishing campaign to a suspected Russia-aligned cluster called UNK_AcademicFlare that exploits device code authentication to seize Microsoft 365 accounts. The group leverages compromised government and military email addresses to build rapport and send Cloudflare Worker links that mimic OneDrive, asking victims to copy and enter a short code. When users input the code on Microsoft's device code page, the service issues an access token that attackers can capture to take over accounts.

Phishing and RMM Tools Enable Growing Cargo Thefts

🚚 Proofpoint warns of a spear-phishing campaign targeting North American freight firms that installs remote monitoring and access tools to enable cargo theft. Actors compromise broker load boards, insert themselves into carrier email threads, or pose as brokers to deliver signed installers that harvest credentials and establish persistent access. The attackers have deployed a range of RMM/RAS solutions (for example ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve) and use them to bid on or reroute high-value loads; Proofpoint urges blocking unauthorized RMMs, enforcing endpoint/network detection and MFA, disallowing external executables, and expanding phishing awareness training.