{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/bec/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Storm-1747"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender"],"_cs_severities":["high"],"_cs_tags":["email","phishing","credential-theft","Tycoon2FA","BEC"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eIn the first quarter of 2026, Microsoft Threat Intelligence observed a significant rise in email-based phishing threats, totaling approximately 8.3 billion. This increase was driven by surges in QR code phishing (more than doubling over the period), CAPTCHA-gated phishing, and credential phishing attacks. Microsoft\u0026rsquo;s Digital Crime Unit successfully disrupted the Tycoon2FA phishing-as-a-service (PhaaS) platform in early March, leading to a 15% reduction in associated email volume. However, threat actors adapted by shifting hosting providers and domain registration patterns. Business email compromise (BEC) also remained a prevalent threat, with approximately 10.7 million attacks recorded during the quarter, often characterized by low-effort, generic outreach messages. Microsoft Defender Research has also noted the emergence of AI-enabled device code phishing campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Email Delivery:\u003c/strong\u003e Attackers send phishing emails impersonating legitimate services or organizations. These emails may contain links, QR codes, or HTML attachments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVictim Interaction:\u003c/strong\u003e The victim opens the email and clicks on a malicious link or scans a QR code, redirecting them to a phishing page.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePhishing Page Redirection:\u003c/strong\u003e The phishing page mimics a legitimate login portal, such as Microsoft 365 or other enterprise applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Harvesting:\u003c/strong\u003e The victim enters their username and password on the phishing page, which are then captured by the attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMFA Bypass (AiTM):\u003c/strong\u003e For attacks using adversary-in-the-middle (AiTM) techniques (like those facilitated by Tycoon2FA), the attacker intercepts the MFA code and uses it to authenticate.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Compromise:\u003c/strong\u003e With the stolen credentials and MFA code (if applicable), the attacker gains unauthorized access to the victim\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Data Theft:\u003c/strong\u003e The attacker uses the compromised account to access sensitive data, send further phishing emails, or move laterally within the organization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBusiness Email Compromise:\u003c/strong\u003e In BEC attacks, attackers use compromised accounts or spoofed email addresses to send fraudulent invoices or requests for wire transfers.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe observed email threats in Q1 2026 led to a high risk of credential compromise, financial loss through BEC attacks, and potential data breaches across various sectors. Although the total number of victims is not specified, the billions of phishing attempts indicate a widespread impact. Microsoft\u0026rsquo;s disruption of Tycoon2FA temporarily reduced phishing volumes by 15%, demonstrating the potential for proactive intervention to mitigate these threats. However, threat actors are quickly adapting their techniques, indicating the need for continued vigilance and enhanced security measures. The 10.7 million BEC attacks alone represent a significant financial threat to businesses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Tycoon2FA Phishing Attempts\u0026rdquo; Sigma rule to identify email campaigns associated with the Tycoon2FA platform.\u003c/li\u003e\n\u003cli\u003eEnable Microsoft Defender detections to improve detection of phishing emails and malicious payloads.\u003c/li\u003e\n\u003cli\u003eMonitor email traffic for suspicious domain registrations, particularly those using newer generic top-level domains (TLDs) such as .DIGITAL, .BUSINESS, .CONTRACTORS, .CEO, and .COMPANY, and the resurgence of .RU registrations, to identify potential Tycoon2FA infrastructure shifts.\u003c/li\u003e\n\u003cli\u003eEducate users about the dangers of QR code phishing and CAPTCHA-gated attacks, emphasizing the importance of verifying the legitimacy of login pages and email senders, to reduce the effectiveness of phishing campaigns (T1566).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T15:00:00Z","date_published":"2026-04-30T15:00:00Z","id":"/briefs/2026-05-email-phishing-trends/","summary":"In Q1 2026, email threats increased, including credential phishing, QR code phishing, and CAPTCHA-gated campaigns, with Microsoft's disruption of the Tycoon2FA phishing platform leading to a 15% volume decrease and shifts in threat actor tactics; BEC activity remained prevalent at 10.7 million attacks.","title":"Q1 2026 Email Threat Landscape: Rise in Phishing Techniques and Tycoon2FA Disruption","url":"https://feed.craftedsignal.io/briefs/2026-05-email-phishing-trends/"},{"_cs_actors":[],"_cs_cves":[{"cvss":10,"id":"CVE-2025-55182"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["business-email-compromise","bec","ai","social-engineering","credential-harvesting","exploitation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBusiness Email Compromise (BEC) attacks have historically targeted large organizations with significant payouts justifying the required time investment. However, recent trends indicate a democratization of BEC, with smaller organizations becoming increasingly targeted. This shift is largely driven by the adoption of AI, enabling attackers to rapidly reconnoiter and tailor content for smaller organizations at scale. Attackers are now targeting smaller community associations, charities, and businesses, recognizing that scamming smaller sums from many victims can be as profitable as scamming large sums from a few. These organizations are often less aware of the threat and thus more vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e Attackers use AI-powered tools to gather information about target organizations and key personnel (e.g., community associations, small businesses).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpersonation:\u003c/strong\u003e Attackers craft emails impersonating trusted individuals within the organization (e.g., the chair of the association).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRequest Initiation:\u003c/strong\u003e The attacker sends an email requesting a fund transfer to an account they control, relying on social engineering to trick someone with payment authority.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEvasion:\u003c/strong\u003e The initial email is often sent from a plausible email address or a compromised genuine account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Compromise\u003c/strong\u003e: Exploit React2Shell vulnerability (CVE-2025-55182) in Next.js applications to gain access to sensitive data, including cloud tokens, database credentials, and SSH keys, which are used for lateral movement.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration\u003c/strong\u003e: Sensitive data, including cloud tokens, database credentials, and SSH keys, is exfiltrated using custom framework called \u0026ldquo;NEXUS Listener\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObfuscation:\u003c/strong\u003e Once received, funds typically pass through money mules or compromised personal accounts before being rapidly shuffled through multiple transfers, obscuring the trail.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFinancial Gain:\u003c/strong\u003e The attacker successfully initiates the fund transfer and receives the money.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe democratization of BEC attacks expands the threat landscape to include vulnerable small organizations. While the individual sums may be smaller, the cumulative impact of successful attacks can be significant. If successful, organizations suffer financial losses, potential data breaches through stolen credentials (related to CVE-2025-55182), and reputational damage. The European Commission investigated a breach after an Amazon cloud account hack, highlighting the potential for data leaks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEducate employees, especially those with payment authority, about the signs of BEC scams, emphasizing unexpected requests for payment and the importance of verifying requests through separate channels (reference: Overview section).\u003c/li\u003e\n\u003cli\u003eImplement and enforce strict procurement rules that prevent any last-minute urgent payments (reference: Overview section).\u003c/li\u003e\n\u003cli\u003ePatch Next.js applications against React2Shell vulnerability (CVE-2025-55182) immediately and rotate potentially compromised credentials including API keys and SSH keys (reference: \u0026ldquo;The one big thing\u0026rdquo; section).\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect suspicious process creation activity (reference: rules section).\u003c/li\u003e\n\u003cli\u003eMonitor for the presence of the malware files identified in the report using the provided SHA256 hashes (reference: IOCs section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T12:00:00Z","date_published":"2026-04-03T12:00:00Z","id":"/briefs/2026-04-democratized-bec/","summary":"Attackers are leveraging AI to rapidly reconnoiter and tailor content for smaller organizations, making it easier to execute business email compromise (BEC) scams and scam smaller sums from many victims, as demonstrated by a recent attack targeting a small community organization.","title":"Democratization of Business Email Compromise (BEC) Attacks","url":"https://feed.craftedsignal.io/briefs/2026-04-democratized-bec/"}],"language":"en","title":"CraftedSignal Threat Feed — BEC","version":"https://jsonfeed.org/version/1.1"}