Phishing

A widespread phishing campaign utilized 'code of conduct' lures, a multi-step attack chain, and legitimate email services to distribute authenticated messages from attacker-controlled domains, ultimately leading to adversary-in-the-middle (AiTM) token compromise, primarily targeting US-based organizations.

Adversaries may abuse RDP files delivered via phishing from suspicious locations to gain unauthorized access to systems.

In Q1 2026, email threats increased, including credential phishing, QR code phishing, and CAPTCHA-gated campaigns, with Microsoft's disruption of the Tycoon2FA phishing platform leading to a 15% volume decrease and shifts in threat actor tactics; BEC activity remained prevalent at 10.7 million attacks.

In early April 2026, Arctic Wolf tracked a large-scale device code phishing campaign across multiple regions and sectors where threat actors abused OAuth device code flow to trick victims into providing authentication codes.

This rule identifies attempts to open a remote desktop file from suspicious paths, indicative of adversaries abusing RDP files for initial access via phishing.

A phishing campaign is abusing legitimate Apple account change notifications to deliver fake iPhone purchase scams, tricking users into calling malicious support numbers.

Threat actors are abusing the n8n AI workflow automation platform to deliver malware and fingerprint devices via phishing campaigns, bypassing traditional security filters by leveraging trusted infrastructure.

Threat actors are weaponizing legitimate SaaS notification pipelines to deliver phishing and spam emails, bypassing traditional email authentication protocols, and Storm-1175 is exploiting CVE-2026-1731 to deploy Medusa ransomware.

Attackers are abusing notification pipelines in SaaS platforms like GitHub and Jira to deliver phishing and spam emails by exploiting legitimate platform features and bypassing traditional email security measures.

The Tycoon2FA phishing-as-a-service (PhaaS) platform, used to bypass MFA and compromise email accounts, saw a temporary decrease in activity after a law enforcement takedown, but cloud compromises have since returned to pre-disruption levels with unchanged TTPs, indicating continued threat actor activity.

The Tycoon2FA phishing-as-a-service (PhaaS) platform, disrupted in March 2026, has resurged with consistent tactics, employing adversary-in-the-middle (AITM) techniques to bypass MFA and compromise email accounts through phishing campaigns, credential theft, and session cookie hijacking.

The Tycoon2FA Phishing-as-a-Service platform, used to bypass multifactor authentication (MFA), has resurged to pre-takedown levels of activity following a disruption effort in March 2026, maintaining its original tactics, techniques, and procedures (TTPs) for credential harvesting and cloud compromise.

OpenBao versions before 2.5.2 lack user confirmation for OIDC direct callback mode, allowing attackers to perform remote phishing and bypass authentication.

Since August 2025, threat actors have been impersonating Palo Alto Networks talent acquisition staff in a sophisticated phishing campaign targeting senior professionals, using social engineering tactics to solicit fraudulent resume fees.

A phishing campaign abuses Microsoft's Device Code OAuth flow to gain access to cloud-based file storage and document workflow platforms, bypassing traditional credential harvesting.

The M-Trends 2026 report highlights the increasing sophistication of threat actors, including voice phishing attacks targeting SaaS environments, ransomware groups actively destroying recovery capabilities, and espionage groups exploiting edge devices for persistent access, revealing a shift towards faster hand-offs between initial access brokers and ransomware deployers.

Crunchyroll suffered a data breach after a Telus employee was phished, leading to Okta credential theft and exfiltration of 100GB of customer data.

A newly discovered Mark of the Web (MOTW) bypass technique utilizes a chain of CAB, TAR, and 7-Zip archives to circumvent SmartScreen and execute files without security warnings.

A phishing technique, potentially still viable due to incomplete patching, allows attackers to obtain NetNTLM hashes from archive extraction on Windows systems (CVE-2025-59284).

A fileless multi-stage Remcos RAT is delivered via phishing, achieving memory-resident execution, but specific technical details are not provided in this brief.

A phishing campaign leverages Google Cloud Storage as a redirect layer to serve victims scam pages related to surveys, giveaways, rewards, alerts, and job lures, primarily hosted on .autos domains.

This detection rule identifies downloaded .url shortcut files on Windows systems, often used in phishing campaigns, by monitoring their creation events and flagging those from non-local sources, enabling early threat detection.

This rule detects potentially malicious .lnk shortcut files downloaded from outside the local network on Windows systems, which are commonly used in phishing campaigns.

This rule detects suspicious execution of Microsoft Office applications launching Office Add-Ins from unusual paths or with atypical parent processes, potentially indicating an attempt to gain initial access via a malicious phishing campaign.

This detection identifies the creation of HTML files with high entropy and large size, followed by execution via a browser process, indicating potential HTML smuggling and malicious payload delivery on Windows systems.

Okta FastPass detected and prevented a phishing attempt, indicating a user was likely targeted with a credential harvesting attack.

This brief outlines a threat where Microsoft Defender for Office 365 identifies an email as malicious or suspicious but still delivers it to a user's inbox or junk folder, potentially bypassing initial security measures.

This brief outlines a threat involving the creation of new Office macro files, potentially indicating malicious activity such as phishing or malware distribution, targeting Windows systems.

Detection of suspicious child processes spawned by Microsoft Outlook, indicative of spear phishing and malicious file execution leading to potential initial access and further exploitation.