Phishing and fraud campaigns abusing trusted infrastructure and communications
Threat actors are increasingly improving phishing success rates by abusing trusted channels and infrastructure rather than relying on generic lures. One observed intrusion hijacked an active executive email thread via a compromised contractor account, allowing the attacker to reply inline with a link to a Microsoft 365 lookalike login flow; analysis of detonated samples indicated use of the EvilProxy adversary-in-the-middle phishkit, with layered anti-bot gating (e.g., Cloudflare Turnstile) and dynamic HTML/PDF content to capture credentials without exploiting software vulnerabilities. Separately, Rapid7 documented a cloud-abuse incident where attackers used compromised AWS credentials to stand up phishing/spam operations using AWS WorkMail, leveraging Amazon’s sender reputation and sidestepping typical SES anti-abuse controls while generating limited, service-native telemetry that can blend into normal administrative activity.
A parallel, large-scale consumer fraud operation aligned with the "PayTool" ecosystem was reported targeting Canadian residents through SMS-driven lures (e.g., unpaid fines) that route victims through high-fidelity impersonations of the Government of Canada, Air Canada, and Canada Post, including province-selection workflows designed to mimic legitimate federal-to-provincial service handoffs before directing victims to localized scam domains. In contrast, LevelBlue SpiderLabs' write-up is broader sector telemetry on education-targeted attacks (e.g., brute force T1110, credential dumping T1003, Kerberos ticket forgery T1558); it does not describe the same specific phishing/fraud campaigns, but it reinforces that credential theft remains a dominant initial access path across industries.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
CloudSEK attributes phishing-kit sales to 'theghostorder01'
CloudSEK assessed that the Canadian impersonation campaign was being commoditized through a phishing-as-a-service model advertised on dark web forums. A threat actor using the handle 'theghostorder01' was identified as selling kits mimicking services such as Ontario driver's license renewal and targeting Interac e-Transfer credentials.
CloudSEK reports PayTool-aligned fraud clusters targeting Canadians
CloudSEK reported interconnected fraud clusters impersonating the Government of Canada, Canada Post, and Air Canada to steal personal and financial data from Canadian citizens. The operation used SMS lures, SEO poisoning, typosquatting, province-specific payment phishing pages, and rotating domains, and was assessed as part of the PayTool phishing ecosystem.
Rapid7 publicly discloses AWS WorkMail abuse technique
Rapid7 published its investigation showing that attackers can abuse AWS WorkMail inside compromised AWS accounts to bypass SES anti-abuse controls and send phishing email with reduced visibility because WorkMail SMTP activity does not generate CloudTrail events. The report also recommended guardrails such as blocking unused WorkMail with SCPs and tightening WorkMail and SES permissions.
Attackers pivot to AWS WorkMail to bypass SES sandbox limits
Rather than wait for SES approval, the attackers created AWS WorkMail organizations, verified domains through SES APIs invoked by WorkMail, and provisioned mailbox users to send email immediately to external recipients. Rapid7 found this pivot let the actors use victim-owned AWS infrastructure for phishing while avoiding SES sandbox friction and some logging visibility.
Attackers attempt to expand SES sending capacity via AWS support
After finding Amazon SES constrained by sandbox restrictions and unverified identities, the attackers opened an AWS support case requesting removal from the SES sandbox and a quota increase to 100,000 emails per day. This showed an effort to legitimize and scale phishing or spam operations from the compromised AWS environment.
Attackers abuse exposed AWS keys to build phishing infrastructure
In a cloud abuse incident investigated by Rapid7, threat actors used compromised long-term AWS access keys to access a victim AWS account, perform IAM and SES reconnaissance, and escalate privileges by creating a new IAM user with AdministratorAccess and console access. The attackers were likely validating credentials leaked through public exposure, such as repositories scanned with tools like TruffleHog.
Analysts link thread-hijacking phishing to wider campaign
In early January 2026, analysis connected a supply-chain phishing incident involving a hijacked executive email thread to a broader campaign through infrastructure overlap. Testing also identified use of the EvilProxy phishkit with anti-bot measures, credential interception, and session-token theft.
Phishing campaign targeting Middle Eastern organizations begins
A broader phishing campaign that later used hijacked enterprise email threads was assessed as active since December 2025, primarily targeting organizations in the Middle East. The activity used rented infrastructure and phishing techniques consistent with phishing-as-a-service operations.
Sources
4 references tracked.
The "WorkMail Pivot": Hackers Abuse AWS WorkMail to Bypass SES Sandbox (securityonline.info)
Threat Actors Leverage Real Enterprise Email Threads to Deliver Phishing Links (cybersecuritynews.com)
The "PayTool" Trap: Massive Fraud Cluster Impersonates Canada Gov & Air Canada (securityonline.info)
Threat Actors Using AWS WorkMail in Phishing Campaigns (rapid7.com)