phishing

CyberheistNews Vol 16 #07 Uncovering the Sophisticated Phishing Campaign Bypassing M365 MFA

Phishing campaign bypassing M365 MFA detected, compromising accounts by exploiting OAuth 2.0 flows. Attackers trick users into authenticating on legitimate Microsoft domains, stealing access tokens for persistent access to data. Key sectors targeted include tech, manufacturing, and finance. Immediate mitigation requires auditing OAuth apps and reviewing email logs. Additionally, there’s discussion on automation in incident response, AI-driven email security, and the evolution of romance scams using deepfake technology. New voice phishing kits enable real-time control over attacks, raising concerns over email security gaps in organizations.

https://blog.knowbe4.com/cyberheistnews-vol-16-07-uncovering-the-sophisticated-phishing-campaign-bypassing-m365-mfa

Global SaaS Abuse Surge: U.S., Europe & APAC Targeted in Large‑Scale Phone‑Based Phishing

Phishing campaign using legitimate SaaS platforms saw 133,260 emails target over 20,000 organizations. Attackers exploited platform features to send authentic-looking scam emails, bypassing traditional detection methods. Techniques included manipulating user fields to create legitimate notifications from companies like Microsoft and Amazon, urging victims to call attacker-controlled phone numbers instead of clicking links. This trend reflects a strategic shift towards trust-based attacks, highlighting vulnerabilities in widely-used enterprise services and the need for improved detection strategies.

https://blog.checkpoint.com/research/saas-abuse-at-scale-phone-based-scam-campaign-leveraging-trusted-platforms/

Inside RedVDS: How a Single Virtual Desktop Provider Fueled Worldwide Cybercriminal Operations

RedVDS Infiltration: Microsoft Threat Intelligence reveals RedVDS, a VDS provider, facilitated global cybercrime, enabling phishing and fraud. It operated with cloned Windows servers for low-cost, anonymous access. Investigations resulted in takedowns of its infrastructure, highlighting it employed basic software for phishing campaigns. Cybercriminals exploited it with mass email tools and VPNs, hiding their tracks. RedVDS’ structure, payment via cryptocurrency, and operational model aided criminal scalability, leading to significant fraud losses in various countries. Microsoft calls for increased vigilance against such threats.

https://www.microsoft.com/en-us/security/blog/2026/01/14/inside-redvds-how-a-single-virtual-desktop-provider-fueled-worldwide-cybercriminal-operations/

Why Attackers Are Phishing on LinkedIn (and How to Stop It)

Phishing attacks have expanded beyond emails to social media and messaging apps like LinkedIn, where they can be particularly effective due to the platform's professional trust and accessible target identification. LinkedIn phishing is rising because traditional email security measures often do not cover direct messages, allowing attackers to reach high-value targets easily. To mitigate risks, users should treat LinkedIn messages similarly to emails, verify requests through alternative channels, implement multi-factor authentication, and receive training on recognizing phishing attempts outside of email.

https://www.pandasecurity.com/en/mediacenter/why-attackers-are-phishing-on-linkedin-and-how-to-stop-it/

Phishing Campaign Abuses Google Cloud Services to Steal Microsoft 365 Logins

Phishing attacks exploit Google Cloud services to steal Microsoft 365 logins. Cybercriminals send fake Google emails, using trusted domains to redirect victims to a look-alike login page. Google acknowledges this abuse and has acted to mitigate such campaigns, advising users to verify URLs and use multi-factor authentication to enhance security.

https://www.malwarebytes.com/blog/news/2026/01/phishing-campaign-abuses-google-cloud-services-to-steal-microsoft-365-logins

Cybercriminals Abuse Google Cloud Email Feature in Multi-Stage Phishing Campaign

Cybercriminals exploit Google Cloud's email integration to conduct a multi-stage phishing campaign, sending 9,394 emails to over 3,200 targets globally. Using trusted Google-generated messages, attackers bypass security filters and mimic legitimate notifications to steal user credentials through deceptive links leading to fake verification and login pages. Google has responded by blocking these phishing attempts and enhancing protections.

https://thehackernews.com/2026/01/cybercriminals-abuse-google-cloud-email.html

27 Malicious Npm Packages Used as Phishing Infrastructure to Steal Login Credentials

27 malicious npm packages were discovered in a phishing campaign targeting U.S. and allied organizations, primarily in sales and commercial sectors. The campaign utilized these packages to host phishing infrastructure, mimicking document-sharing portals and Microsoft sign-in pages, to steal login credentials from their targets. Attackers embedded client-side scripts to avoid detection and included checks to filter out bots. Notably, the campaign hard-coded specific email addresses of individuals in targeted firms, raising concerns about the source of this information. To mitigate risks, strong dependency verification, logging unusual CDN requests, enforcing phishing-resistant multi-factor authentication, and monitoring for suspicious activities are recommended.

https://thehackernews.com/2025/12/27-malicious-npm-packages-used-as.html

State-linked and Criminal Hackers Use Device Code Phishing Against M365 Users

State-linked hackers exploit device code phishing to target Microsoft 365 users, using techniques that impersonate legitimate access workflows. Groups from Russia and China lead recent attacks, employing tools like SquarePhish2 and Graphish phishing kits. This method involves users entering a device code, granting hackers access to their accounts. Cybersecurity firm Proofpoint notes the increased use of this tactic for attacks on various sectors, including government and education.

https://www.cybersecuritydive.com/news/state-linked-criminal-hackers-device-code-phishing-m365/808396/

Microsoft 365 Users Targeted in Device Code Phishing Attacks

Microsoft 365 users are targeted by phishing attacks exploiting OAuth 2.0 device authorization. Attackers trick users into granting access tokens via emails with misleading content. Tools like Squarephish and Graphish facilitate these campaigns, allowing low-skilled actors to launch sophisticated attacks. Mitigation strategies include implementing Conditional Access policies to block or restrict device code flows.

https://www.helpnetsecurity.com/2025/12/18/microsoft-365-device-code-phishing/

New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale

TLDR: New phishing kits like BlackForce, GhostFrame, InboxPrime AI, and Spiderman use advanced tactics, including AI and MFA bypass, to steal credentials at scale. BlackForce targets brands, GhostFrame hides in iframes, InboxPrime automates email campaigns, and Spiderman replicates bank pages for European targets. These innovations make phishing attacks easier to execute and more difficult to detect.

https://thehackernews.com/2025/12/new-advanced-phishing-kits-use-ai-and.html

The Biggest Catch: How Whaling Attacks Target Top Executives

Whaling attacks target senior executives, exploiting their time constraints, online visibility, and access to sensitive information. Attackers often use phishing tactics, enabling them to execute large financial frauds. AI enhances these threats by facilitating data gathering and creating convincing communication. Mitigation strategies include personalized training, strong approval processes for fund transfers, and robust email security measures. Protecting against whaling not only safeguards financial assets but also corporate reputations.

https://www.welivesecurity.com/en/business-security/big-catch-how-whaling-attacks-target-top-executives/

Silver Fox’s Russian Ruse: ValleyRAT Hits China Via Fake Microsoft Teams Attack

Silver Fox, a Chinese APT group, is misrepresenting itself as a Russian threat actor through a fake Microsoft Teams SEO poisoning campaign targeting organizations in China. Utilizing “ValleyRAT” malware, it conducts state-sponsored espionage and financial fraud. The attack employs false flags, like Cyrillic characters, to mislead attribution, while aiming for sensitive intelligence and financial gains. Organizations, especially those with Chinese operations, need to fortify their defenses by enabling logging and monitoring to counter these evolving threats.

https://reliaquest.com/blog/threat-spotlight-silver-foxs-russian-ruse-fake-microsoft-teams-attack

French NGO Reporters Without Borders Targeted by Calisto in Recent Campaign

Sekoia’s TDR team uncovered spear-phishing campaigns by the Russian-linked group Calisto in May-June 2025, targeting Reporters Without Borders and others. Calisto, associated with Russian intelligence, focused on organizations linked to Ukraine and the West. Their phishing tactics involved fake trusted contacts, missing attachments, or non-working files to trick victims into requesting follow-up documents containing malicious links or decoy PDFs. The phishing kits employed advanced techniques like Adversary-in-the-Middle, intercepting credentials, and 2FA. Calisto’s campaigns make extensive use of compromised websites, redirectors, and numerous custom domains for phishing and credential harvesting. NGOs aiding Ukraine and associated researchers remain high-risk targets.

https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/

Advanced Security Isn’t Stopping Old Phishing Tactics

Phishing attacks consistently evade modern enterprise security, according to Okta’s multi-organization study. Even mature companies with advanced defenses remain vulnerable, especially since many do not regularly use phishing-resistant authentication. Attackers rely on widely available proxy tools, and breaches often go undetected until system alerts are triggered. U.S. companies and Office 365 accounts are prime targets. Increased cross-company information sharing shows promise as a defense, but evolving phishing techniques keep the threat persistent.

https://www.darkreading.com/cyberattacks-data-breaches/advanced-security-phishing-tactics

Scroll to Top