Phishing Campaigns Abuse Trusted Platforms and Collaboration Tools to Steal Credentials
Multiple reports describe a broader credential-theft trend in which attackers abuse trusted services and familiar business workflows to make phishing more convincing and harder to detect. One campaign used compromised WordPress sites and redirects through skimresources[.]com to deliver pixel-perfect fake login pages for Microsoft Teams, Xfinity, and UAE Pass, with lures such as missed voicemail and shared-document alerts. Another campaign abused LiveChat's lc[.]chat infrastructure to impersonate brands like PayPal and Amazon, moving victims into fake support conversations designed to extract sensitive information under the guise of refunds or order issues.
A separate industry report reinforces the same operational pattern: attackers increasingly rely on valid credentials and trusted collaboration tools rather than software exploits, with cloud identity compromise driving most investigated incidents and some intrusions using Microsoft Teams voice phishing and Quick Assist to gain access, move laterally, and deploy ransomware. Other references in the set cover different stories entirely, including the CamelClone espionage operation, a FancyBear/APT28 infrastructure exposure, and a general weekly security recap, and do not describe the same phishing activity. This is not fluff because the relevant items contain substantive threat intelligence on active attack methods, delivery infrastructure, and attacker tradecraft.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers uncover phishing campaign on compromised WordPress sites
Researchers reported a multi-vector phishing campaign that used compromised WordPress websites to host fake Microsoft Teams, Xfinity, and UAE Pass login pages. Victims were redirected through skimresources[.]com to credential-harvesting pages designed for account takeover.
Researchers identify LiveChat-based phishing campaign impersonating major brands
Cofense researchers identified a phishing campaign abusing LiveChat's lc[.]chat infrastructure to impersonate brands including PayPal and Amazon in fake support interactions. The operation used refund and order-confirmation lures to harvest credentials, MFA codes, personal information, and payment card data.
Cloud identity compromise drives most incident alerts in 2025
Field Effect's 2026 Cyber Threat Outlook found that compromised cloud identities were the primary cause of more than 80% of the incident-related alerts it investigated during 2025. The report said attackers increasingly relied on valid credentials and trusted collaboration tools rather than software exploits.
Attackers begin Teams voice-phishing campaign using fake IT help desks
Field Effect reported a campaign tracked since September 2025 in which attackers impersonated IT help desks, created Microsoft 365 tenants, and used Microsoft Teams voice phishing to persuade employees to grant remote access through Quick Assist. The intrusions led to credential theft, lateral movement, and ransomware deployment.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Attackers Hijacking Legitimate Websites to Attack Microsoft Teams users
cybersecuritynews.com
Open sourcePhishers Abuse LiveChat Support Tools to Steal Sensitive Data in New SaaS-Based Attack Tactic
cybersecuritynews.com
Open sourceReport: Cloud identity compromise drove 80% of 2025 incidents | brief | SC Media
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Credential Theft and Evasion Techniques Across Phishing, Webmail Exploitation, and Commodity Malware
Threat actors are continuing to prioritize **credential theft** while using defensive and trusted services to evade detection. DomainTools reported a Microsoft 365 phishing operation that **weaponizes Cloudflare protections** (including *Turnstile* human verification) to block automated analysis and security crawlers, then selectively serves a credential-harvesting flow only to “clean” visitors. The infrastructure used additional gatekeeping such as IP reputation checks (including lookups via `api.ipify.org`), hardcoded blocks for security-vendor and cloud-provider ranges, and user-agent filtering that returns a fake `404` page to bots, with the theft logic hidden behind heavy obfuscation. Separately, Hunt.io documented **Operation Roundish**, assessed with medium-high confidence as aligned to **APT28 (Fancy Bear)**, after discovering an exposed open directory hosting a Roundcube exploitation toolkit used against Ukrainian targets (including `mail.dmsu.gov.ua`). The toolkit included XSS payloads, a Flask-based C2, and modules for credential harvesting, mail forwarding persistence, bulk email exfiltration, address book theft, and 2FA secret extraction, plus a Go-based Linux implant (`httd`) found on a compromised Ukrainian web application. In parallel reporting on credential-access tradecraft, Flashpoint analysis highlighted the low-cost **DarkCloud infostealer** (sold for about **$30**) that steals browser logins/cookies and other data and exfiltrates via common channels (email/FTP/Telegram/HTTP), while Aryaka Threat Labs described the **BlackSanta** campaign using steganographic lures and **BYOVD** techniques to disable EDR and enable stealthy data theft over HTTPS—underscoring that credential access and defense evasion remain common precursors to broader enterprise compromise.
Mar 26, 2026
Phishing and fraud campaigns abusing trusted infrastructure and communications
Threat actors are increasingly improving phishing success rates by abusing *trusted* channels and infrastructure rather than relying on generic lures. One observed intrusion hijacked an active executive email thread via a compromised contractor account, allowing the attacker to reply inline with a link to a Microsoft 365 lookalike login flow; analysis of detonated samples indicated use of the **EvilProxy** adversary-in-the-middle phishkit, with layered anti-bot gating (e.g., Cloudflare Turnstile) and dynamic HTML/PDF content to capture credentials without exploiting software vulnerabilities. Separately, Rapid7 documented a cloud-abuse incident where attackers used **compromised AWS credentials** to stand up phishing/spam operations using **AWS WorkMail**, leveraging Amazon’s sender reputation and sidestepping typical **SES** anti-abuse controls while generating limited, service-native telemetry that can blend into normal administrative activity. A parallel, large-scale consumer fraud operation aligned with the **“PayTool”** ecosystem was reported targeting Canadian residents through SMS-driven lures (e.g., unpaid fines) that route victims through high-fidelity impersonations of the **Government of Canada**, **Air Canada**, and **Canada Post**, including province-selection workflows designed to mimic legitimate federal-to-provincial service handoffs before directing victims to localized scam domains. In contrast, LevelBlue SpiderLabs’ write-up is broader sector telemetry on education-targeted attacks (e.g., brute force `T1110`, credential dumping `T1003`, Kerberos ticket forgery `T1558`) and does not describe the same specific phishing/fraud campaigns, though it reinforces that credential theft remains a dominant initial access path across industries.
Mar 21, 2026
Credential Theft and Identity-Based Intrusions Surge Across Enterprises
**Credential compromise** and identity abuse are increasing as attackers rely more on stolen logins, session artifacts, and phishing rather than noisy exploitation alone. Recorded Future reported a sharp rise in exposed credentials during 2025, including nearly **2 billion** credentials indexed from malware combo lists, with the second half of the year up **50%** over the first and Q4 up **90%** over Q1. The trend is being driven by the industrialization of **infostealer malware**, malware-as-a-service ecosystems, and AI-enabled phishing and social engineering, while weak identity governance continues to expand the attack surface. A separate survey of UK organizations found **77%** fail to promptly disable former employees' accounts, **34%** grant overly broad access, and many still use manual processes such as spreadsheets for account validation, creating persistent opportunities for unauthorized access. A targeted phishing attempt against **Outpost24** illustrates how these identity-focused attacks are being operationalized against even security vendors. Attackers used a convincing fake JP Morgan email, valid **DKIM** authentication via Amazon SES infrastructure, and a **seven-stage redirect chain** leveraging trusted brands including Cisco to steer a C-suite executive toward a Microsoft Office credential-harvesting page while evading email defenses. The broader threat environment shows the same shift toward access abuse and stealthier post-compromise tradecraft: Google Threat Intelligence Group found ransomware actors increasingly favor native Windows tools over **Cobalt Strike**, with data theft present in **77%** of incidents and exploitation of VPNs and firewalls still common for initial access. Together, the reporting shows attackers are increasingly **logging in rather than breaking in**, then using legitimate access and built-in tools to deepen compromise and extort victims.
Apr 24, 2026