Phishing and BEC Campaigns Abusing Trusted Platforms and Infrastructure
A wave of phishing activity is leveraging trusted brands and legitimate platform features to increase click-through and evade security controls. LinkedIn users are being targeted via fake “reply” comments posted on public threads that impersonate LinkedIn policy enforcement, claim an account violation, and push victims to external credential-harvesting pages. The lures mimic official branding and sometimes use LinkedIn’s own lnkd.in shortener to obscure destinations; reported redirect chains include Netlify-hosted pages (e.g., very1929412.netlify[.]app) leading to additional domains (e.g., very128918[.]site) designed to capture credentials. LinkedIn stated it is aware of the campaign and emphasized it does not communicate policy violations via public comments.
Separately, RavenMail reported a large-scale email phishing campaign impacting 3,000+ organizations (notably manufacturing) that abused Google infrastructure to bypass defenses: messages were sent via legitimate Google services, passed SPF/DKIM/DMARC, and used trusted Google-hosted URLs and Google Cloud Storage to host payloads and redirectors—without requiring a compromise of Google itself. In parallel trend reporting, LevelBlue SpiderLabs observed BEC volume rising 15% in 2025 based on MailMarshal telemetry (averaging 3,000 intercepted BEC messages per month), with evolving social engineering such as “contact details swapping,” where attackers impersonate finance teams to “update” official contact information to divert payments or data; this underscores continued attacker focus on impersonation and trust exploitation across both social platforms and email ecosystems.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
LinkedIn acknowledges scam campaign and begins response
LinkedIn said it was aware of the fake policy-violation comment campaign, was working to address it, and clarified that it does not communicate policy violations through public comments. This marked the platform's official response to the ongoing phishing activity.
Fake LinkedIn policy-violation comment scam targets users
Attackers began flooding LinkedIn posts with fake reply comments impersonating LinkedIn and alleging bogus policy violations or temporary account restrictions. The scam used malicious external links, sometimes obscured with LinkedIn's lnkd.in shortener, to lead victims through phishing pages that harvested credentials.
Phishing campaign abuses Google infrastructure against 3,000+ organizations
RavenMail researchers reported that in December 2025, attackers targeted more than 3,000 organizations, primarily in the manufacturing sector, with phishing emails impersonating routine business notifications. The campaign used legitimate Google-hosted URLs and workflow services to deliver credential-harvesting pages while passing SPF, DKIM, and DMARC checks.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing and BEC Trends Show Increased Impersonation and Evolving Social Engineering
Threat researchers reported continued growth and diversification in **impersonation-driven phishing**. Guardio data cited by KnowBe4 identified **Microsoft** as the most impersonated brand in phishing during **Q4 2025**, followed by **Facebook, Roblox, McAfee, Steam, AT&T, Amazon, Google, Yahoo, and Coinbase**. The activity reportedly surged around high-traffic seasonal moments (e.g., Black Friday “storefront” scams, December delivery scams, and January job-search lures), reflecting attackers’ focus on exploiting predictable user behavior and time-sensitive themes. Separately, LevelBlue **SpiderLabs** reported **BEC** activity increased **15% in 2025 vs. 2024** based on *MailMarshal* telemetry, averaging **3,000+ BEC messages/month** (peaking at **4,300** in July). The report noted seasonal/operational timing effects (e.g., quarter transitions and summer vacation staffing gaps) and highlighted evolving tactics including **“contact details swapping,”** where attackers impersonate finance teams to “update” official contact information to redirect payments or communications. Together, the reporting indicates sustained growth in **impersonation and social engineering** as a primary driver of fraud and account compromise risk, with attackers adapting lures to business cycles and consumer seasons.
Mar 21, 2026
Multiple Social-Engineering Campaigns Abuse Trusted Platforms (Microsoft Teams, Vendor-Signed Email, Bing Ads/Azure)
Security researchers reported several **social-engineering campaigns** that abuse trusted platforms to increase credibility and bypass controls. One campaign targeted wedding planners and related vendors by hijacking trust in *Microsoft Teams*: attackers used compromised legitimate email threads and impersonated legal professionals (e.g., `czimmerman@craigzlaw[.]com`) to lure victims into clicking a fake Teams meeting link that ultimately redirected to `ussh[.]life/connect/teamsfinal/9/windows`, a site masquerading as a Teams download page. Victims were prompted to download Windows executables consistent with **information-stealer** behavior (credential/browser/session-token theft and C2 exfiltration), enabling follow-on account takeover and additional phishing. Separately, a report highlighted **DKIM replay**-style phishing in which criminals abuse legitimate notification/invoice workflows from **PayPal, Apple, and DocuSign** to generate cryptographically signed emails that pass DKIM/DMARC checks; attackers place scam content (often a fake support phone number and urgency) into user-controlled fields, send the message to themselves to obtain a “clean” vendor-signed email, then forward it to targets. Another campaign used **Bing search ads** to funnel users through a newly registered domain (`highswit[.]space`) to scam pages hosted on **Microsoft Azure Blob Storage** (consistent path pattern including `werrx01USAHTML/index.html` and a phone-number parameter), presenting fake Microsoft security warnings and directing victims to call numbers such as `1-866-520-2041` and `1-833-445-4045`; Netskope observed impact across dozens of US organizations.
Mar 21, 2026
Phishing and fraud campaigns abusing trusted infrastructure and communications
Threat actors are increasingly improving phishing success rates by abusing *trusted* channels and infrastructure rather than relying on generic lures. One observed intrusion hijacked an active executive email thread via a compromised contractor account, allowing the attacker to reply inline with a link to a Microsoft 365 lookalike login flow; analysis of detonated samples indicated use of the **EvilProxy** adversary-in-the-middle phishkit, with layered anti-bot gating (e.g., Cloudflare Turnstile) and dynamic HTML/PDF content to capture credentials without exploiting software vulnerabilities. Separately, Rapid7 documented a cloud-abuse incident where attackers used **compromised AWS credentials** to stand up phishing/spam operations using **AWS WorkMail**, leveraging Amazon’s sender reputation and sidestepping typical **SES** anti-abuse controls while generating limited, service-native telemetry that can blend into normal administrative activity. A parallel, large-scale consumer fraud operation aligned with the **“PayTool”** ecosystem was reported targeting Canadian residents through SMS-driven lures (e.g., unpaid fines) that route victims through high-fidelity impersonations of the **Government of Canada**, **Air Canada**, and **Canada Post**, including province-selection workflows designed to mimic legitimate federal-to-provincial service handoffs before directing victims to localized scam domains. In contrast, LevelBlue SpiderLabs’ write-up is broader sector telemetry on education-targeted attacks (e.g., brute force `T1110`, credential dumping `T1003`, Kerberos ticket forgery `T1558`) and does not describe the same specific phishing/fraud campaigns, though it reinforces that credential theft remains a dominant initial access path across industries.
Mar 21, 2026