Phishing and BEC Campaigns Abusing Trusted Platforms and Infrastructure
A wave of phishing activity is leveraging trusted brands and legitimate platform features to increase click-through and evade security controls. LinkedIn users are being targeted via fake “reply” comments posted on public threads that impersonate LinkedIn policy enforcement, claim an account violation, and push victims to external credential-harvesting pages. The lures mimic official branding and sometimes use LinkedIn’s own lnkd.in shortener to obscure destinations; reported redirect chains include Netlify-hosted pages (e.g., very1929412.netlify[.]app) leading to additional domains (e.g., very128918[.]site) designed to capture credentials. LinkedIn stated it is aware of the campaign and emphasized it does not communicate policy violations via public comments.
Separately, RavenMail reported a large-scale email phishing campaign impacting 3,000+ organizations (notably manufacturing) that abused Google infrastructure to bypass defenses: messages were sent via legitimate Google services, passed SPF/DKIM/DMARC, and used trusted Google-hosted URLs and Google Cloud Storage to host payloads and redirectors—without requiring a compromise of Google itself. In parallel trend reporting, LevelBlue SpiderLabs observed BEC volume rising 15% in 2025 based on MailMarshal telemetry (averaging 3,000 intercepted BEC messages per month), with evolving social engineering such as “contact details swapping,” where attackers impersonate finance teams to “update” official contact information to divert payments or data; this underscores continued attacker focus on impersonation and trust exploitation across both social platforms and email ecosystems.
Related Stories

Phishing and BEC Trends Show Increased Impersonation and Evolving Social Engineering
Threat researchers reported continued growth and diversification in **impersonation-driven phishing**. Guardio data cited by KnowBe4 identified **Microsoft** as the most impersonated brand in phishing during **Q4 2025**, followed by **Facebook, Roblox, McAfee, Steam, AT&T, Amazon, Google, Yahoo, and Coinbase**. The activity reportedly surged around high-traffic seasonal moments (e.g., Black Friday “storefront” scams, December delivery scams, and January job-search lures), reflecting attackers’ focus on exploiting predictable user behavior and time-sensitive themes. Separately, LevelBlue **SpiderLabs** reported **BEC** activity increased **15% in 2025 vs. 2024** based on *MailMarshal* telemetry, averaging **3,000+ BEC messages/month** (peaking at **4,300** in July). The report noted seasonal/operational timing effects (e.g., quarter transitions and summer vacation staffing gaps) and highlighted evolving tactics including **“contact details swapping,”** where attackers impersonate finance teams to “update” official contact information to redirect payments or communications. Together, the reporting indicates sustained growth in **impersonation and social engineering** as a primary driver of fraud and account compromise risk, with attackers adapting lures to business cycles and consumer seasons.
2 months ago
Multiple Social-Engineering Campaigns Abuse Trusted Platforms (Microsoft Teams, Vendor-Signed Email, Bing Ads/Azure)
Security researchers reported several **social-engineering campaigns** that abuse trusted platforms to increase credibility and bypass controls. One campaign targeted wedding planners and related vendors by hijacking trust in *Microsoft Teams*: attackers used compromised legitimate email threads and impersonated legal professionals (e.g., `czimmerman@craigzlaw[.]com`) to lure victims into clicking a fake Teams meeting link that ultimately redirected to `ussh[.]life/connect/teamsfinal/9/windows`, a site masquerading as a Teams download page. Victims were prompted to download Windows executables consistent with **information-stealer** behavior (credential/browser/session-token theft and C2 exfiltration), enabling follow-on account takeover and additional phishing. Separately, a report highlighted **DKIM replay**-style phishing in which criminals abuse legitimate notification/invoice workflows from **PayPal, Apple, and DocuSign** to generate cryptographically signed emails that pass DKIM/DMARC checks; attackers place scam content (often a fake support phone number and urgency) into user-controlled fields, send the message to themselves to obtain a “clean” vendor-signed email, then forward it to targets. Another campaign used **Bing search ads** to funnel users through a newly registered domain (`highswit[.]space`) to scam pages hosted on **Microsoft Azure Blob Storage** (consistent path pattern including `werrx01USAHTML/index.html` and a phone-number parameter), presenting fake Microsoft security warnings and directing victims to call numbers such as `1-866-520-2041` and `1-833-445-4045`; Netskope observed impact across dozens of US organizations.
1 month ago
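The DKIM replay pattern above works because the vendor's signature binds the headers it covers (including the original `To:`, which is the attacker's own mailbox) and nothing stops the signed message from being forwarded to a different SMTP recipient. A mail gateway can therefore treat a mismatch between the signed `To:` and the actual delivery address as a strong signal. The following triage script is an added example written for this page, not code from any of the vendors or researchers named; the two messages are constructed inline (the `bh=`/`b=` values are placeholders, not real signatures) and the checks assume the gateway knows the envelope recipient it delivered to.

```python
"""Heuristic triage of a vendor-signed email that may have been replayed (forwarded)."""
import email
import re
from email.utils import getaddresses


def parse_dkim_tags(sig_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def assess_dkim_replay(raw_message, delivered_to):
    """Return a list of findings; an empty list means no replay indicator fired."""
    msg = email.message_from_string(raw_message)
    findings = []
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no DKIM-Signature header"]
    tags = parse_dkim_tags(sig)
    signed = [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]
    to_values = msg.get_all("To", [])

    # 1. If the signer never covered 'To', the signature says nothing about the recipient.
    if "to" not in signed:
        findings.append("To header is not covered by the DKIM signature")
    else:
        # 2. RFC 6376 signs headers from the bottom of the header block upward, so any
        #    To header beyond the count listed in h= is an unsigned copy added later.
        covered = signed.count("to")
        if len(to_values) > covered:
            findings.append("extra To header not covered by signature (possible header injection)")
        # 3. The recipient the mail actually arrived at must appear in the *signed* To.
        signed_to = {addr.lower() for _, addr in getaddresses(to_values[-covered:])}
        if delivered_to.lower() not in signed_to:
            findings.append(f"delivered to {delivered_to} but signed To is {sorted(signed_to)}")

    # 4. A vendor signature with no x= expiry can be replayed indefinitely.
    if "x" not in tags:
        findings.append("signature has no expiration (x=) tag")
    return findings


# Constructed sample: a genuine-looking vendor notification that was addressed to the
# attacker's own mailbox and then forwarded to a victim. Signature values are placeholders.
REPLAYED = """\
DKIM-Signature: v=1; a=rsa-sha256; d=vendor.example; s=sel1;
 h=from:to:subject:date; bh=CONSTRUCTEDBODYHASH=; b=CONSTRUCTEDSIGNATURE=
From: billing@vendor.example
To: attacker-mailbox@mailer.example
Subject: Invoice INV-0001
Date: Mon, 01 Jan 2024 00:00:00 +0000

Your invoice has been processed.
"""

# Constructed sample: the same kind of notification delivered to the person it was signed for.
LEGIT = """\
DKIM-Signature: v=1; a=rsa-sha256; d=vendor.example; s=sel1; x=4102444800;
 h=from:to:subject:date; bh=CONSTRUCTEDBODYHASH=; b=CONSTRUCTEDSIGNATURE=
From: billing@vendor.example
To: victim@corp.example
Subject: Invoice INV-0002
Date: Mon, 01 Jan 2024 00:00:00 +0000

Your invoice has been processed.
"""

if __name__ == "__main__":
    for label, raw in (("replayed", REPLAYED), ("legit", LEGIT)):
        print(label, assess_dkim_replay(raw, "victim@corp.example"))
```

The checks are deliberately independent of signature verification: the whole point of the technique is that the signature *does* verify, so the gateway has to look at what the signature binds rather than whether it is valid.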
Phishing and fraud campaigns abusing trusted infrastructure and communications
Threat actors are increasingly improving phishing success rates by abusing *trusted* channels and infrastructure rather than relying on generic lures. One observed intrusion hijacked an active executive email thread via a compromised contractor account, allowing the attacker to reply inline with a link to a Microsoft 365 lookalike login flow; analysis of detonated samples indicated use of the **EvilProxy** adversary-in-the-middle phishkit, with layered anti-bot gating (e.g., Cloudflare Turnstile) and dynamic HTML/PDF content to capture credentials without exploiting software vulnerabilities. Separately, Rapid7 documented a cloud-abuse incident where attackers used **compromised AWS credentials** to stand up phishing/spam operations using **AWS WorkMail**, leveraging Amazon’s sender reputation and sidestepping typical **SES** anti-abuse controls while generating limited, service-native telemetry that can blend into normal administrative activity. A parallel, large-scale consumer fraud operation aligned with the **“PayTool”** ecosystem was reported targeting Canadian residents through SMS-driven lures (e.g., unpaid fines) that route victims through high-fidelity impersonations of the **Government of Canada**, **Air Canada**, and **Canada Post**, including province-selection workflows designed to mimic legitimate federal-to-provincial service handoffs before directing victims to localized scam domains. In contrast, LevelBlue SpiderLabs’ write-up is broader sector telemetry on education-targeted attacks (e.g., brute force `T1110`, credential dumping `T1003`, Kerberos ticket forgery `T1558`) and does not describe the same specific phishing/fraud campaigns, though it reinforces that credential theft remains a dominant initial access path across industries.
1 month ago
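The AWS WorkMail abuse above is notable because the telemetry it leaves is ordinary control-plane activity: an access key creating a WorkMail organization and a few users. The following hunt over CloudTrail records is an added example, not code from Rapid7 or AWS; the records are constructed inline (placeholder account ID, access key and IP addresses), and it assumes the `eventName` values are the WorkMail API action names recorded by CloudTrail as management events and that WorkMail is not an approved service in the account being reviewed.

```python
"""Hunt CloudTrail records for unexpected Amazon WorkMail provisioning (constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# WorkMail control-plane calls that stand up a sending mailbox. Assumption: these are the
# API action names CloudTrail records under eventSource workmail.amazonaws.com.
PROVISIONING_EVENTS = {"CreateOrganization", "CreateUser", "RegisterToWorkMail", "CreateAlias"}
MAILBOX_EVENTS = {"CreateUser", "RegisterToWorkMail"}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_workmail_provisioning(records, burst_threshold=3, window=timedelta(minutes=10)):
    """Return alert strings for new WorkMail organizations and bursts of mailbox creation."""
    alerts = []
    by_key = defaultdict(list)  # accessKeyId -> [(time, eventName)]
    for rec in records:
        if rec.get("eventSource") != "workmail.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in PROVISIONING_EVENTS:
            continue
        ident = rec.get("userIdentity", {})
        ts = parse_time(rec["eventTime"])
        by_key[ident.get("accessKeyId", "?")].append((ts, name))
        # Any new organization in an account that does not use WorkMail is worth a ticket.
        if name == "CreateOrganization":
            alerts.append(
                f"{ts:%Y-%m-%dT%H:%MZ} WorkMail organization created by "
                f"{ident.get('arn')} from {rec.get('sourceIPAddress')}"
            )
    # A single key provisioning several mailboxes in a short window looks like a
    # spam/phishing setup rather than an administrator onboarding one user.
    for key, events in by_key.items():
        creates = sorted(ts for ts, name in events if name in MAILBOX_EVENTS)
        for start in creates:
            in_window = [ts for ts in creates if start <= ts <= start + window]
            if len(in_window) >= burst_threshold:
                alerts.append(f"{len(in_window)} mailbox provisioning calls within {window} by access key {key}")
                break
    return alerts


def _record(time, source, name, ip):
    """Build a minimal CloudTrail-shaped record (constructed identity values)."""
    return {
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {
            "type": "IAMUser",
            "arn": "arn:aws:iam::111111111111:user/ci-deploy",
            "accessKeyId": "AKIACONSTRUCTEDKEY000",
        },
    }


# Constructed timeline: a CI key that normally only reads EC2 suddenly builds a mail platform.
RECORDS = [
    _record("2024-05-01T02:00:00Z", "ec2.amazonaws.com", "DescribeInstances", "203.0.113.10"),
    _record("2024-05-01T02:05:00Z", "workmail.amazonaws.com", "CreateOrganization", "198.51.100.7"),
    _record("2024-05-01T02:06:00Z", "workmail.amazonaws.com", "CreateUser", "198.51.100.7"),
    _record("2024-05-01T02:07:00Z", "workmail.amazonaws.com", "CreateUser", "198.51.100.7"),
    _record("2024-05-01T02:08:00Z", "workmail.amazonaws.com", "RegisterToWorkMail", "198.51.100.7"),
]

if __name__ == "__main__":
    for alert in detect_workmail_provisioning(RECORDS):
        print(alert)
```

In a real deployment the same two rules would sit on the CloudTrail stream (or a CloudTrail Lake query) rather than a list in memory, and the burst threshold should be tuned against the account's actual WorkMail usage so that legitimate onboarding does not trip it.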