phishing

Mirage2FA Phishing Kit Uses HTML Smuggling to Steal Microsoft 365 Credentials

Researchers at Fortra uncovered Mirage2FA, a phishing kit that uses HTML smuggling and obfuscated JavaScript to deploy fake Microsoft 365 login pages, tricking users into submitting credentials and multi-factor authentication details. The campaign employs business-themed lures and short-lived domains to carry out Microsoft 365 account takeovers, potentially exposing email, files, Teams messages, and other cloud resources. Users affected are advised to reset passwords, revoke sessions, review MFA methods, and check for unauthorized mailbox access.

https://www.helpnetsecurity.com/2026/06/26/mirage2fa-phishing-kit-microsoft-365-html-smuggling/

A Backdoor in a LinkedIn Job Offer

A LinkedIn message from a recruiter at a crypto startup led Roman Imankulov to analyze a suspicious GitHub repo purportedly needing a Node modules review. The repo contained a hidden backdoor in a test file that executed arbitrary code fetched from a remote server whenever dependencies were installed, triggered by an npm lifecycle script. The repo and recruiter used stolen identities, highlighting the risk of supply-chain and social engineering attacks via seemingly legitimate job offers.

https://roman.pt/posts/linkedin-backdoor/

These Convincing Copyright Notices Are Designed to Steal Google Logins

A new phishing scam targets Chrome extension developers with fake copyright removal notices designed to steal Google login credentials. The scam uses publicly available extension information to create convincing personalized warnings and a fake Google sign-in window, pressuring victims to enter their credentials before a fabricated deadline. Developers are advised to verify warnings only through their Chrome Web Store dashboard and to safeguard accounts with strong authentication and security software.

https://www.malwarebytes.com/blog/threat-intel/2026/06/these-convincing-copyright-notices-are-designed-to-steal-google-logins

ChatGPhish: The Page Is the Payload

Researchers discovered a new phishing and tracking attack called ChatGPhish that exploits ChatGPT's page summarization feature by injecting malicious Markdown links and images into web pages. When users summarize such pages in ChatGPT, the assistant renders active clickable links, spoofed alerts, and QR codes within its trusted interface, enabling phishing, cross-origin data leakage, and off-device attacks without traditional browser protections. This expands the attack surface from email to everyday browsing, highlighting risks in AI-generated outputs that automatically render untrusted external content inside trusted AI interfaces.

https://permiso.io/blog/chatgpt-markdown-rendering-vulnerability

Thousands of Facebook Accounts Stolen by Phishing Emails Sent Through Google

Researchers have uncovered a phishing operation using Google’s AppSheet platform to send deceptive emails that have compromised around 30,000 Facebook business and advertiser accounts, primarily targeting pages with financial value. This campaign abuses trusted Google services to bypass email filters, tricking users into providing Facebook credentials and 2FA codes, enabling attackers to monetize hijacked accounts by running scams or selling access.

https://www.malwarebytes.com/blog/news/2026/05/thousands-of-facebook-accounts-stolen-by-phishing-emails-sent-through-google

Phishing — Sometimes with AI’s Help — Topped Initial-Access Methods in Q1, Cisco Says

In the first quarter of 2026, phishing—sometimes aided by AI tools like the Softr platform—was the most common method hackers used to gain initial access, according to Cisco’s Talos threat intelligence report. Attackers leveraged AI to quickly create fake login pages for credential harvesting without coding, targeting mainly government and health-care sectors, with deficient multifactor authentication being the leading security weakness exploited.

https://www.cybersecuritydive.com/news/phishing-initial-access-ai-cisco/818185/

Hundreds of Orgs Compromised Daily in Microsoft Device Code Phishing Attacks

A widespread Microsoft device-code phishing campaign has been compromising hundreds of organizations daily since mid-March 2026, using AI and automation to bypass multi-factor authentication and gain access to corporate Microsoft 365 accounts. The attackers generate dynamic device codes to trick victims into authorizing access, enabling them to steal sensitive financial emails and data, with the phishing infrastructure leveraging legitimate cloud services to evade detection. Microsoft recommends limiting the use of device code authentication and training employees to recognize phishing attempts to mitigate such attacks.

https://www.theregister.com/2026/04/07/microsoft_device_code_phishing/

New VENOM Phishing Attacks Steal Senior Executives’ Microsoft Logins

Threat actors using a new phishing-as-a-service platform called VENOM have been targeting Microsoft logins of senior executives since at least last November. The attacks impersonate Microsoft SharePoint notifications with highly personalized emails and QR codes leading victims to sophisticated credential-harvesting pages that bypass traditional protections like MFA, highlighting the need for stronger authentication measures such as FIDO2 and stricter access policies.

https://www.bleepingcomputer.com/news/security/new-venom-phishing-attacks-steal-senior-executives-microsoft-logins/

Tycoon2FA Phishing Platform Returns After Recent Police Disruption

The Tycoon2FA phishing-as-a-service platform, disrupted by Europol and partners through the seizure of 330 domains in early March 2026, has quickly resumed operations to pre-disruption levels. Despite the takedown, CrowdStrike observed a rapid recovery using largely unchanged tactics, highlighting that without arrests or physical seizures, cybercriminals can swiftly restore their infrastructure due to continued demand in the phishing ecosystem.

https://www.bleepingcomputer.com/news/security/tycoon2fa-phishing-platform-returns-after-recent-police-disruption/

Hackers Target Cybersecurity Firm Outpost24 in 7-Stage Phish

Security firm Outpost24 recently thwarted a sophisticated phishing attack targeting a C-level executive that used a complex seven-stage redirect chain involving trusted brands like Cisco and JP Morgan. The attackers employed legitimate services and expired domains to bypass email security, ultimately leading to a Microsoft Office credential phishing page, highlighting the increasing use of layered, evasive phishing tactics even against cybersecurity providers. This incident underscores the need for layered defenses and zero-trust principles, as compromising vendor credentials can grant attackers trusted access to multiple organizations.

https://www.darkreading.com/threat-intelligence/hackers-target-cybersecurity-firm-outpost24-phish

Abusing .arpa: The TLD That Isn’t Supposed to Host Anything

Threat actors are exploiting the .arpa top-level domain (TLD), typically not meant for hosting content, to conduct phishing attacks. By using IPv6 tunnels, they create malicious domains that bypass security controls. These phishing campaigns employ tricks like embedding hyperlinks in images, leading victims to malicious sites through a series of redirects. The attack involves manipulating DNS record management to host phishing content, taking advantage of the .arpa domain’s trusted nature. This novel exploitation complicates detection since these domains appear legitimate and are often unblocked by security policies.

https://www.infoblox.com/blog/threat-intelligence/abusing-arpa-the-tld-that-isnt-supposed-to-host-anything/

Inside Tycoon2FA: How a Leading AiTM Phishing Kit Operated at Scale

The article analyzes Tycoon2FA, a phishing-as-a-service platform that enabled large-scale adversary-in-the-middle (AiTM) attacks capable of bypassing multifactor authentication. It explains how the service intercepted login credentials and session cookies through proxy phishing pages that mimicked services such as Microsoft 365 and Gmail. The platform included evasion techniques and user-friendly infrastructure, enabling less-skilled attackers to run campaigns that reached hundreds of thousands of organizations each month. The article concludes with guidance on layered defenses, including improved authentication methods, phishing detection, and coordinated disruption efforts. 

https://www.microsoft.com/en-us/security/blog/2026/03/04/inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale/

Global Phishing-as-a-service Platform Taken Down in Coordinated Public-private Action

Tycoon 2FA, a major phishing-as-a-service platform, was disrupted in a coordinated international operation led by Europol. The platform, which enabled large-scale account compromise, was taken down with the help of law enforcement and private sector partners, including Microsoft and Trend Micro. This operation highlights the importance of public-private partnerships in combating cybercrime.

https://www.europol.europa.eu/media-press/newsroom/news/global-phishing-service-platform-taken-down-in-coordinated-public-private-action

Hackers Target Microsoft Entra Accounts in Device Code Vishing Attacks

Hackers are targeting Microsoft Entra accounts using device code phishing and voice vishing, compromising accounts through legitimate Microsoft OAuth flows without needing traditional phishing methods. This allows attackers to gain valid authentication tokens and access victims' accounts, enabling corporate data theft. The ShinyHunters gang is suspected to be behind these attacks, with recommendations for organizations to monitor OAuth apps, revoke suspicious consents, and consider disabling device code flows when unnecessary.

https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-entra-accounts-in-device-code-vishing-attacks/

Scroll to Top