Multiple Social-Engineering Campaigns Abuse Trusted Platforms (Microsoft Teams, Vendor-Signed Email, Bing Ads/Azure)
Security researchers reported several social-engineering campaigns that abuse trusted platforms to increase credibility and bypass controls. One campaign targeted wedding planners and related vendors by hijacking trust in Microsoft Teams: attackers used compromised legitimate email threads and impersonated legal professionals (e.g., czimmerman@craigzlaw[.]com) to lure victims into clicking a fake Teams meeting link that ultimately redirected to ussh[.]life/connect/teamsfinal/9/windows, a site masquerading as a Teams download page. Victims were prompted to download Windows executables consistent with information-stealer behavior (credential/browser/session-token theft and C2 exfiltration), enabling follow-on account takeover and additional phishing.
Separately, a report highlighted DKIM replay-style phishing in which criminals abuse legitimate notification/invoice workflows from PayPal, Apple, and DocuSign to generate cryptographically signed emails that pass DKIM/DMARC checks; attackers place scam content (often a fake support phone number and urgency) into user-controlled fields, send the message to themselves to obtain a “clean” vendor-signed email, then forward it to targets. Another campaign used Bing search ads to funnel users through a newly registered domain (highswit[.]space) to scam pages hosted on Microsoft Azure Blob Storage (consistent path pattern including werrx01USAHTML/index.html and a phone-number parameter), presenting fake Microsoft security warnings and directing victims to call numbers such as 1-866-520-2041 and 1-833-445-4045; Netskope observed impact across dozens of US organizations.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Kaseya and INKY detail DKIM replay phishing via PayPal and Apple
A Kaseya report using INKY data described a phishing technique called DKIM Replay Attacks, in which criminals abuse legitimate vendor email systems such as PayPal, Apple, and DocuSign to generate cryptographically signed messages containing scam content. The report explained that attackers place malicious text such as urgent warnings and fake support numbers in user-controlled fields, then forward the unmodified signed emails to victims so they pass DKIM and DMARC checks.
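A triage heuristic for the replay pattern described above, as an added example that is not taken from the Kaseya/INKY report: because the replayed message is unmodified, its signed To header still names the mailbox the attacker first sent it to, not the mailbox it was delivered to. The sample message, the `vendor.example` domain, the indicator names and the use of the SMTP envelope recipient are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: vendor-signed notice first addressed to the sender's own mailbox.
SAMPLE = """\
Authentication-Results: mx.corp.example; dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example
From: Vendor Billing <service@vendor.example>
To: attacker-owned@mail.example
Subject: Invoice updated
Content-Type: text/plain

Note from seller: Your account was charged $499.99.
If you did not authorize this, call support at +1 (555) 010-0199 immediately.
"""

PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URGENCY = re.compile(r"\b(immediately|urgent|did not authorize)\b", re.I)

def dkim_pass_domains(msg):
    """Domains reported as dkim=pass (trust only headers added by your own MTA)."""
    found = set()
    for ar in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", ar, re.I):
            found.add(m.group(1).lower())
    return found

def body_text(msg):
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace") for p in parts)

def replay_indicators(raw, envelope_rcpt):
    """envelope_rcpt: the SMTP RCPT TO address this copy was delivered to."""
    msg = message_from_string(raw)
    if not dkim_pass_domains(msg):
        return []  # heuristic only applies to mail that passed DKIM
    hits = []
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    addressed = {addr.lower() for _, addr in getaddresses(headers)}
    if envelope_rcpt.lower() not in addressed:
        hits.append("recipient-not-in-signed-headers")
    text = body_text(msg)
    if PHONE.search(text):
        hits.append("phone-number-in-body")
    if URGENCY.search(text):
        hits.append("urgency-language")
    return hits
```

Mailing lists and Bcc deliveries also trip the recipient check, so it works best combined with the content indicators rather than alone.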
Teams-themed malware campaign targets U.S. wedding vendors
Threat actors began a phishing campaign against wedding planners and related vendors in the United States, using compromised legitimate email accounts and detailed wedding-themed conversations to build trust. Victims were later sent fake Microsoft Teams meeting links that redirected to a malicious download site serving stealer malware.
Microsoft notified and malicious Azure containers taken down
After the Azure-hosted tech support scam was identified, Microsoft was notified about the abuse of its Blob Storage service. The malicious containers referenced in the campaign reportedly no longer served harmful content afterward.
Azure-hosted Bing ad scam impacts 48 U.S. organizations
Netskope analysts observed the Bing ad and Azure Blob Storage scam campaign affecting users across 48 organizations in the United States, including healthcare, manufacturing, and technology sectors. The campaign used standardized URL patterns and multiple Azure Blob Storage containers, indicating automated deployment and rapid scaling.
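The standardized URL pattern lends itself to a proxy-log hunt. The following is an added example, not Netskope's detection logic: it flags the redirector domain and Azure Blob Storage URLs carrying the reported path fragment, and raises confidence when a query value looks like a phone number. The log format, storage account names, the `ph` parameter name and the phone number in the sample are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

REDIRECTOR = "highswit[.]space".replace("[.]", ".")  # refanged for matching only
BLOB_SUFFIX = ".blob.core.windows.net"               # Azure Blob Storage endpoint suffix
PATH_MARKER = "werrx01USAHTML/index.html"            # path fragment reported for the campaign
PHONE = re.compile(r"\+?1?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Constructed proxy log lines in the form "<timestamp> <user> <url>".
SAMPLE_LOG = f"""\
2026-02-02T16:04:58Z alice https://www.bing.com/search?q=example
2026-02-02T16:05:02Z alice https://{REDIRECTOR}/go
2026-02-02T16:05:03Z alice https://acct0001.blob.core.windows.net/web/werrx01USAHTML/index.html?ph=1-555-010-0100
2026-02-02T16:07:40Z bob https://acct0002.blob.core.windows.net/docs/report.pdf
2026-02-02T16:09:12Z carol https://acct0003.blob.core.windows.net/web/werrx01USAHTML/index.html
"""

def classify(url):
    """Return a label for URLs matching the campaign pattern, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Exact host or subdomain match, so lookalike suffixes do not count.
    if host == REDIRECTOR or host.endswith("." + REDIRECTOR):
        return "redirector"
    if not host.endswith(BLOB_SUFFIX) or PATH_MARKER not in parts.path:
        return None
    # The parameter name is not given in the report, so test every query value.
    has_phone = any(PHONE.fullmatch(v.strip()) for _, v in parse_qsl(parts.query))
    return "scam-landing" if has_phone else "path-marker-only"

def scan(log_text):
    """Return (user, label) for every log line whose URL matches."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue  # skip malformed lines
        label = classify(fields[2])
        if label:
            hits.append((fields[1], label))
    return hits
```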
Bing ad scam campaign begins redirecting users to Azure-hosted fake alerts
Around 16:00 UTC on February 2, 2026, a tech support scam campaign started abusing Bing search ads to send users searching common terms to the newly registered domain highswit[.]space and then to fraudulent pages hosted on Microsoft Azure Blob Storage. The pages impersonated Microsoft security warnings and attempted to coerce victims into calling scam phone numbers for remote-access or financial fraud.
Sources
4 references tracked.
Hackers Using Fake "Microsoft Teams" Domains to Attack Users Via Malicious Payload
cybersecuritynews.com
Sophisticated Cyber Attack Targets Wedding Industry With Teams-Based Malware Delivery
cybersecuritynews.com
Signed" Sealed, Delivered: Cybercriminals Abuse PayPal and Apple to Bypass Email Security
securityonline.info
Threat Actors Weaponizes Bing Ads Attack Users with Azure Tech Support Scams
cybersecuritynews.com


