Phishing Campaigns Exploiting Email Trust Mechanisms for Credential Theft
Attackers have launched multiple sophisticated phishing campaigns targeting business users by exploiting trusted email mechanisms and brand impersonation. One campaign abused the legitimate @facebookmail.com domain and Meta Business Suite’s invitation feature to send convincing phishing emails to Facebook Business users, primarily targeting companies in sectors like automotive, education, real estate, hospitality, and finance. These emails, which appeared authentic due to their origin from Meta’s infrastructure, redirected victims to credential harvesting sites, with some organizations receiving thousands of such messages. The attackers created fake business pages and mimicked official branding to increase the likelihood of success, as confirmed by security researchers who reproduced the attack method.
Other campaigns have leveraged HTML attachments and spoofed internal notifications to bypass traditional email security. In Central and Eastern Europe, phishing emails with malicious HTML attachments embedded JavaScript to steal credentials, impersonating brands like Adobe and Microsoft and transmitting stolen data to attacker-controlled Telegram bots. Another campaign disguised phishing emails as spam filter alerts from within the victim’s own organization, using obfuscated code and personalized fake login screens to harvest credentials via websockets. These evolving tactics highlight the increasing sophistication of phishing operations and the need for organizations to monitor for unusual connections, inspect email content, and educate users about the risks of unsolicited attachments and internal-looking notifications.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Spam filter alert-themed phishing emails steal user logins
Researchers reported a phishing campaign in which emails masquerading as spam filter alerts were used to steal account credentials. The lures relied on fake security or email-administration notifications to pressure recipients into entering logins.
Credential theft campaign uses HTML attachment phishing
Security reporting described a credential theft campaign using HTML attachments as the phishing mechanism, reflecting an evolution in attachment-based phishing tactics. The campaign centered on harvesting user logins through malicious HTML files delivered by email.
Phishing campaign abuses @facebookmail.com invites to target business users
A phishing campaign was reported that exploited legitimate-looking @facebookmail.com invitation emails to trick Facebook Business users into surrendering credentials. The abuse of a trusted Facebook-related sender domain was the key development described in the reporting.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
@facebookmail.com Invites Exploited to Phish Facebook Business Users
hackread.com
Open sourceHTML attachment phishing used in new credential theft campaign
scworld.com
Open sourcePhishing emails disguised as spam filter alerts are stealing logins
malwarebytes.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing Campaigns Exploiting Trusted Brands and Services
Threat actors have intensified their use of phishing campaigns by impersonating well-known brands and trusted online services to deceive victims and steal sensitive credentials. In one campaign identified by the Cofense Phishing Defense Center, attackers targeted individuals in social media and marketing roles by sending fake job application emails that appeared to originate from major companies such as Red Bull, Tesla, Google, and Ferrari. These emails used convincing language and branding, including up-to-date logos and tailored subdomains, to increase their legitimacy and lure recipients into clicking malicious links. The attackers further enhanced the credibility of their messages by spoofing the sender address to appear as if it came from a legitimate domain, such as Xero, which has been abused in previous phishing incidents. The phishing process often began with a CAPTCHA page to create a sense of security before redirecting victims to fraudulent login pages designed to harvest credentials. This approach demonstrates a sophisticated understanding of social engineering tactics and the value of resume and personal information in targeting specific job seekers. In a separate but similarly themed incident, a Malwarebytes employee was targeted by a phishing email that impersonated 1Password, a popular password manager. The email falsely claimed that the recipient's 1Password account had been compromised and urged immediate action, including changing the account password and enabling two-factor authentication. The message mimicked legitimate security alerts, referencing 1Password's Watchtower feature, but included subtle red flags such as a sender address not associated with 1Password and a malicious link disguised as a legitimate action button. The phishing link directed users to a typosquatted domain, onepass-word[.]com, rather than the official 1Password website. Interestingly, the email's 'Contact us' link routed through a legitimate support page but used a redirect service, further complicating detection. The use of Mandrillapp, a transactional email delivery service, added another layer of apparent legitimacy to the phishing attempt. Both campaigns highlight the increasing sophistication of phishing attacks, with threat actors leveraging trusted brands and services to bypass security filters and exploit user trust. The attackers' use of brand-specific subdomains, authentic-looking graphics, and familiar communication styles makes these phishing emails particularly convincing. By targeting individuals with tailored messages, such as job seekers or users of specific online services, the campaigns increase the likelihood of successful credential theft. The abuse of legitimate infrastructure, such as Xero's email services and Mandrillapp, demonstrates how attackers can exploit trusted platforms to evade detection. Security teams are advised to educate users about the signs of phishing, including checking sender addresses, scrutinizing URLs, and being wary of urgent requests for sensitive information. Organizations should also monitor for abuse of their brand in phishing campaigns and work with email providers to block malicious domains. The incidents underscore the need for robust email security solutions and ongoing vigilance against evolving social engineering tactics. As phishing campaigns continue to evolve, both individuals and organizations must remain alert to the latest techniques used by cybercriminals to compromise accounts and steal valuable data.
Mar 21, 2026
Trusted Cloud Services Used in Large-Scale Facebook and Microsoft Phishing Campaigns
Researchers reported two large phishing operations that abused trusted platforms to improve delivery and evade defenses. Guardio said the **AccountDumpling** campaign used Google AppSheet to send emails from legitimate Google infrastructure while impersonating **Meta Support** and recruiters, luring Facebook Business users with fake account disablement notices, copyright complaints, and job offers. The operation compromised about **30,000 Facebook accounts** across roughly **50 countries**, stealing credentials, `2FA` codes, personal data, and government ID images; the stolen information was often funneled through Telegram channels, and the hijacked accounts were later sold or monetized through fraudulent advertising and scams. Evidence in generated PDF metadata linked the activity to Vietnam-based operators, including an individual identified as **PHẠM TÀI TÂN**. Microsoft separately disclosed an adversary-in-the-middle phishing campaign that used fake workplace compliance notices to target more than **35,000 users** at **13,000 organizations** in **26 countries**, with most activity concentrated in the United States. Attackers posed as internal HR and compliance teams, sent urgent messages with attached PDFs, and pushed victims through redirects, CAPTCHA checks, and a counterfeit Microsoft sign-in page designed to steal session tokens rather than just passwords, allowing account access without the victim's second factor. The incidents show how attackers are increasingly relying on legitimate cloud services and convincing enterprise-themed lures to bypass spam controls, defeat traditional authentication protections, and accelerate account takeover at scale.
May 5, 2026
Phishing Attacks Exploiting Business Communication Channels and Executive Impersonation
Cybercriminals are increasingly leveraging trusted business communication channels, such as company email accounts and professional networking platforms, to conduct sophisticated phishing attacks. By compromising legitimate email accounts, attackers can bypass authentication mechanisms like DMARC and remove typical signs of phishing, making it difficult for both security systems and individuals to detect malicious messages. These tactics often involve impersonation of trusted contacts or brands, exploiting pre-existing relationships or establishing new ones to socially engineer targets into divulging sensitive information. A recent campaign specifically targeted finance executives on LinkedIn with direct messages impersonating invitations to join an executive board for a fictitious investment fund. The phishing messages included malicious links that redirected victims through a series of sites, ultimately leading to a fake "LinkedIn Cloud Share" portal designed to steal Microsoft credentials. Attackers used domains such as `payrails-canaccord[.]icu` and `boardproposalmeet[.]com` and hosted their final phishing pages on Firebase, further increasing the credibility of the attack. These incidents highlight the evolving sophistication of phishing campaigns and the need for heightened vigilance among organizations and their executives.
Mar 21, 2026