Hashtag
#CredentialTheft
Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

A large-scale credential harvesting campaign attributed to Cisco Talos cluster UAT-10608 exploits the React2Shell vulnerability in Next.js (CVE-2025-55182) to achieve remote code execution and deploy the NEXUS Listener framework that steals database credentials, SSH keys, cloud IAM tokens, API keys, and other secrets. At least 766 hosts across multiple regions and...

Hackers exploited CVE-2025-55182 (React2Shell) to breach 766 Next.js hosts, deploying NEXUS Listener to steal database credentials, SSH keys, and cloud tokens. Impact spans multiple regions and cloud providers. #NextjsBreach #CredentialTheft

Security Flaw in Popular Python Library Threatens User Machines

The software ecosystem experienced a brief but significant breach on March 24, 2026 that went almost unnoticed, underscoring how fragile even well-established development pipelines have become. After a threat actor operating under the name TeamPCP compromised the maintainer's PyPI credentials, malicious code was quietly seeded into two newly published versions of the popular LiteLLM Python package, 1.82.7 and 1.82.8. LiteLLM itself was not the original victim of the intrusion; the access came from a previous breach involving Trivy, an open source security scanner integrated into the project's CI/CD pipeline, which effectively turned a defensive tool into a channel for attack.

PyPI quarantined the tainted packages after they had been live for approximately three hours, but the potential exposure was significant because of the staggering number of LiteLLM downloads, which exceed 3.4 million per day and 95 million per month.

LiteLLM provides a powerful, unified interface for interacting with multiple large language model providers and is deeply embedded within modern artificial intelligence development environments. It frequently operates in environments containing highly sensitive assets such as API credentials, cloud configurations, and proprietary information.

The incident illustrates more than a fleeting compromise; it also illustrates a broader and increasingly urgent reality: the open source supply chain remains vulnerable to exactly the types of indirect, multi-stage attacks that are the most difficult to detect and the most damaging when they succeed in a global software development environment. This was not simply code tampering; it was a carefully designed, multi-stage intrusion intended to exploit environments that are heavily automated and trusted.

TeamPCP leveraged its access to introduce two trojanized versions of LiteLLM, 1.82.7 and 1.82.8, which contained obfuscated payloads embedded in core components of the package, namely within the module litellm/proxy/proxy_server.py. The insert was subtle, positioned between legitimate code paths and encoded so as to evade immediate attention, but it ensured execution at import time, a point in the development lifecycle that virtually guarantees activation in production environments. In the subsequent version the attackers introduced an even more durable mechanism to extend their foothold: a malicious .pth file embedded directly within the site-packages directory. By exploiting Python's interpreter initialization behavior, the payload executed automatically on every interpreter startup, regardless of whether LiteLLM itself was ever invoked again. Using detached subprocess calls, the malicious logic operated without visibility, effectively bypassing conventional monitoring tools that focus on application execution.

The payload's design reflected an in-depth understanding of cloud-native architectures and the dense concentrations of sensitive information within them. When activated, the code acted as a comprehensive orchestration layer capable of reconnaissance, credential harvesting, and environment mapping. It systematically traversed the host system, extracting SSH keys, cloud provider credentials, Kubernetes configurations, container registry secrets, and environment variables, and it probed managed services for further information. In cloud environments it used native authentication mechanisms, such as the AWS instance metadata service, to generate signed requests and retrieve secrets directly from services such as Secrets Manager and Parameter Store, extending its reach beyond traditional disk-based storage or network access.

The collection process was comprehensive, covering infrastructure-as-code artifacts, continuous integration and continuous delivery configurations, cryptographic material, database credentials, and developer shell histories, effectively turning each compromised device into an extensive repository of exploitable information.

Data exfiltration was highly sophisticated, using layered encryption and infrastructure that blended seamlessly into legitimate traffic patterns. After compression, encryption, and asymmetric key wrapping, stolen data was transmitted to a domain fabricated to resemble legitimate LiteLLM infrastructure. As a consequence, even intercepted traffic would be of little value without access to the attacker's private key, complicating the forensic analysis and response process.

Furthermore, the operation demonstrated a clear emphasis on persistence and lateral expansion, particularly within Kubernetes environments. Where service account tokens were present, the payload initiated cluster-wide reconnaissance, deployed privileged pods across all nodes, including control-plane systems, mounted host filesystems, and bypassed scheduling restrictions. It then introduced a secondary persistence layer disguised as a benign system telemetry service within user-level systemd configurations. Through periodic communication with a remote command-and-control endpoint, this component gave operators the ability to deliver additional payloads, update tooling, or terminate the activity using a built-in kill switch. In summary, the incident demonstrates a level of operational maturity that extends well beyond opportunistic exploitation.

TeamPCP maximized the return on each compromised host by targeting LiteLLM, a gateway technology at the intersection of multiple artificial intelligence providers. This gave them access not only to infrastructure credentials but also to a wide variety of API keys covering numerous large language model platforms. In an ecosystem increasingly characterized by interconnected dependencies, the compromise of one widely trusted component can ripple across entire development and production environments with alarming speed and precision.

In the aftermath of the incident, remediation is not the only priority: organizations must reevaluate trust boundaries within their software supply chains. Security teams are increasingly encouraged to adopt a zero-trust approach towards third-party dependencies, in which verification does not end when a package is installed but continues throughout the entire execution lifecycle. These measures include enforcing strict version pins, verifying package integrity against trusted sources, and building continuous monitoring mechanisms that detect anomalous behavior at runtime rather than relying on static analysis alone. Strengthening continuous integration/continuous delivery pipelines, and especially their tooling, has emerged as a critical control point, because this attack showed how an upstream compromise can cascade downstream without significant resistance. Institutionalizing rapid response playbooks is equally important, so that credentials are rotated, systems are isolated, and forensic validation is conducted without delay when anomalies are discovered. As the use of interconnected AI frameworks continues to increase, security responsibilities are shifting from reactive patching to proactive resilience, where detection, containment, and recovery from supply chain intrusions become as essential as preventing them.

Security Flaw in Popular Python Library Threatens User Machines #CICDPipeline #CloudSecurity #CredentialTheft

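
The .pth persistence mechanism described in the post above relies on documented CPython behaviour: site.py exec()s any line of a .pth file in site-packages that begins with "import " (or "import" followed by a tab) at every interpreter start-up, before any application code runs. The scanner below is an added example, not code from the article, from LiteLLM or from the researchers who analysed the package; it lists every such executable line in the .pth directories the running interpreter actually processes and flags those that chain statements, reference process-spawning or decoding modules, or carry long opaque blobs. The allowlist of known-good lines and the suspicious-token list are assumptions for illustration and should be tuned to your own images.

```python
"""Scan .pth files for executable 'import' lines (added example, not from the article).

site.py exec()s every .pth line that starts with "import " or "import<TAB>" at each
interpreter start-up. The allowlist and suspicious-token list are illustrative assumptions.
"""
import os
import re
import site
import sys
from dataclasses import dataclass, field

EXEC_PREFIXES = ("import ", "import\t")

# Exact .pth lines that well-known tooling legitimately writes (assumed starting
# point; extend it from a known-good build of your own images).
KNOWN_GOOD_LINES = {
    "import _virtualenv",
    "import _distutils_hack; _distutils_hack.add_shim()",
}

# Tokens a one-line start-up hook has no legitimate reason to contain.
SUSPICIOUS = re.compile(
    r"subprocess|Popen|os\.system|os\.popen|base64|b64decode|exec\(|eval\(|"
    r"compile\(|__import__|marshal|zlib|urlopen|start_new_session"
)
LONG_OPAQUE = re.compile(r"[A-Za-z0-9+/=]{40,}")  # base64-looking blob


@dataclass
class Finding:
    path: str
    line_no: int
    line: str
    reasons: list = field(default_factory=list)

    @property
    def high(self):
        # The first reason is always "executes ..."; anything beyond it is a red flag.
        return len(self.reasons) > 1


def scan_pth_text(path, text):
    """Return a Finding for each executable line in one .pth file's contents."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        # Mirror site.py: '#' is a comment only in column 0, and only an unindented
        # "import " / "import\t" prefix is exec()'d; anything else is a sys.path entry.
        if raw.startswith("#") or not raw.strip():
            continue
        if not raw.startswith(EXEC_PREFIXES):
            continue
        line = raw.rstrip()
        if line in KNOWN_GOOD_LINES:
            continue
        reasons = ["executes at every interpreter start-up"]
        if ";" in line:
            reasons.append("chains further statements after the import")
        m = SUSPICIOUS.search(line)
        if m:
            reasons.append(f"references {m.group(0)!r}")
        if LONG_OPAQUE.search(line):
            reasons.append("contains a long opaque token (encoded payload?)")
        if len(line) > 200:
            reasons.append(f"unusually long ({len(line)} chars)")
        findings.append(Finding(path, line_no, line, reasons))
    return findings


def pth_dirs():
    """Directories whose .pth files site.py processes for this interpreter."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    if site.ENABLE_USER_SITE:
        dirs.append(site.getusersitepackages())
    return [d for d in dict.fromkeys(dirs) if os.path.isdir(d)]


def scan_site_packages(dirs=None):
    """Scan every .pth file in the given (or detected) directories."""
    findings = []
    for d in dirs or pth_dirs():
        for name in sorted(os.listdir(d)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as f:
                    findings.extend(scan_pth_text(path, f.read()))
            except OSError as exc:
                print(f"skip {path}: {exc}", file=sys.stderr)
    return findings


if __name__ == "__main__":
    hits = scan_site_packages()
    for h in hits:
        print(f"[{'HIGH' if h.high else 'review'}] {h.path}:{h.line_no}: {h.line[:120]}")
        for reason in h.reasons[1:]:
            print(f"    - {reason}")
    sys.exit(1 if any(h.high for h in hits) else 0)
```

Run it with the same interpreter the application uses, since each virtual environment has its own site-packages; a non-zero exit means at least one high-severity line was found. A bare `import somepkg` line is reported as "review" rather than high because several legitimate tools use this hook; the follow-up is to confirm which installed distribution wrote the file, and treat any .pth that no package's RECORD accounts for as hostile.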
AI-Powered 'DeepLoad' Steals Credentials, Evades Detection

The massive amount of junk code that hides the malware's logic from security scans was almost certainly generated by AI, researchers say.

AI-powered DeepLoad is stealing credentials while evading detection - attackers are blending automation with stealth. Traditional defenses are increasingly outpaced. 🤖🔐 #CredentialTheft #AIDrivenThreats

The Unintentional Enabler: How Cloudflare Services are Abused for Credential Theft and Malware Distribution

Cloudflare services — particularly Workers and Tunnels — are being abused by threat actors to host convincing AiTM phishing pages and to stage covert connections that deliver malware, including Xeno RAT and XWorm RAT. These attacks leverage trusted Cloudflare domains and free tiers (e.g., *.workers[.]dev, *.trycloudflare[.]com, *.pages[.]dev, *.r2[.]dev) to bypass email and network defenses and evade detection. #XenoRAT #XWormRAT

Cloudflare Workers and Tunnels are being exploited to host AiTM phishing pages and deliver malware like Xeno RAT and XWorm RAT, leveraging trusted domains to evade defenses and detection. #CredentialTheft #CloudAbuse #MalwareDelivery


TeamPCP Backdoors LiteLLM via Trivy
Read More: buff.ly/9DwmFvk

#TeamPCP #LiteLLM #Trivy #PyPI #SupplyChainSecurity #KubernetesSecurity #CredentialTheft #DevSecOps


Tycoon 2FA Still Active After Takedown
Read More: buff.ly/elJsmNc

#Tycoon2FA #PhishingAsAService #MFABypass #CredentialTheft #ThreatIntel #Cybercrime #AccountSecurity #InfosecAlert


Microsoft Warns IRS Phish Hits 29K Users
Read More: buff.ly/6iy0t9Q

#IRSPHISHING #TaxScam #PhishingAlert #CredentialTheft #MicrosoftSecurity #SocialEngineering #MalwareCampaign #CyberAwareness

Deceptive VPN Websites Become Gateway for Corporate Data Theft

A financially motivated threat group tracked by Microsoft as Storm-2561 has been quietly exploiting the familiarity of enterprise VPN ecosystems in a campaign that demonstrates how easy it is to weaponize trust in routine IT processes. Rather than relying solely on technical exploits, the group has adopted a more insidious approach that blends search engine manipulation with near-perfect impersonations of popular VPN products from companies such as Check Point Software Technologies, Cisco, Fortinet, and Ivanti. Storm-2561 has been active since May 2025 and is representative of an emerging class of cybercriminals that prioritize deception over disruption, leveraging SEO poisoning techniques to ensure fraudulent download pages appear indistinguishable from legitimate vendor resources. As a result of this strategy, malicious VPN installers have been positioned at the top of search results since mid-January, effectively transforming a routine search into an attack vector. Users looking for common enterprise tools such as Pulse Secure are directed to convincingly spoofed websites instead of the vendors' real pages. By blurring the distinction between legitimate software distribution and carefully orchestrated credential theft, the campaign extends its reach to SonicWall, Sophos, and WatchGuard Technologies products.

Building on this initial access vector, the operation displays a carefully layered deception system capable of withstanding moderate user scrutiny. By poisoning search engine results for queries such as "Pulse Secure client" or "Pulse VPN download," attackers ensure that fraudulent vendor portals occupy prime visibility, effectively intercepting users at the point of intent. A lookalike site that replicates legitimate branding and user experience serves as the channel for malicious payloads, delivering malware rather than authentic software. When victims attempt to download software, they are directed to ZIP archives hosted on public code repositories that resemble trusted VPN clients but contain trojanized installers.

When executed, the installer initiates a multistage infection chain, dropping files into directories corresponding to actual installation paths and using DLL side-loading techniques to introduce malicious components into the system silently. One such payload is the Hyrax infostealer, designed specifically to extract VPN credentials and session data, which are then exfiltrated to the threat actor's infrastructure. To further reduce suspicion and bypass conventional security controls, the malicious binaries were signed using a genuine digital certificate issued by Taiyuan Lihua Near Information Technology Co., Ltd, an approach that lends them a sense of authenticity and makes detection more difficult. Although the certificate has since been revoked, its use illustrates the increasing abuse of trusted code-signing mechanisms throughout the threat landscape. The campaign, as Microsoft noted in its findings, demonstrates a broader shift toward combining social engineering with technical subversion, in which attackers do not need to breach hardened perimeters directly but instead manipulate user behavior and trust in widely used enterprise tools to accomplish the same objective.

Analyzing the intrusion chain in greater detail shows a carefully orchestrated execution flow designed to appear comparable to legitimate software behavior. As documented, victims are directed to a now-removed repository hosting a compressed archive that contains a counterfeit VPN installer in the form of an MSI file. Upon execution of the installer, Pulse.exe is installed within the standard %CommonFiles%/Pulse Secure directory, accompanied by additional components such as a loader (dwmapi.dll) and a malicious module known as the Hyrax infostealer (inspector.dll). By placing itself in a directory structure consistent with an authentic installation, the malware uses DLL side-loading to ensure that the payload executes under the guise of a trusted application.

The rogue client also presents a convincing replica of the Pulse Secure login screen, leading users to enter their credentials in the belief that they are going through a standard authentication process. Instead of establishing a VPN session, the application intercepts these inputs and transmits them to attacker-controlled infrastructure, along with additional sensitive data such as VPN configuration information obtained from the connectionstore.dat file located in C:/ProgramData/Pulse Secure/ConnectionStore. A once-valid certificate issued by Taiyuan Lihua Near Information Technology Co., Ltd. was used to sign the malicious binaries, further bolstering the perception of their legitimacy.

Immediately after the credential harvest, the malware employs evasion mechanisms. Instead of maintaining persistence or creating obvious system anomalies, the application displays a plausible installation error, subtly attributing the failure to benign technical problems. Users are then redirected, often automatically, to the official vendor website, where they receive the genuine VPN client. This post-exploitation redirect significantly reduces the likelihood of detection, because the successful installation of legitimate software masks the compromise and dispels any immediate suspicion on the user's part.

Microsoft disclosed the campaign together with a defined set of indicators of compromise and defensive guidance, highlighting the need to pay close attention to software sourcing, code signing validation, and anomalous installation behaviors in enterprise environments. In the end, the campaign emphasizes the broader defensive imperative for organizations to reconsider how trust is established within their everyday business processes. Security teams should extend their efforts beyond user awareness and enforce stricter controls on software acquisition, including limiting downloads to trusted sources, implementing application allowlisting, and validating digital signatures against trusted certificate authorities. Monitoring for anomalous process behavior, especially DLL side-loading patterns and unexpected outbound connections, will lead to earlier detection. Adopting multi-factor authentication, conditional access policies, and other phishing-resistant authentication mechanisms is equally critical to minimize the consequences of credential exposure. According to Microsoft, these types of attacks focus less on exploiting technical weaknesses and more on exploiting implicit trust, which makes zero-trust and layered verification principles essential to reducing organizational risk.

Deceptive VPN Websites Become Gateway for Corporate Data Theft #CredentialTheft #CyberAttacks #Cybersecurity

Invoice-Themed Phishing Campaign Targeting Financial Workflows Amid Fiscal Year-End Activity - CYFIRMA

CYFIRMA identified an ongoing phishing campaign using invoice- and payment-themed emails with malicious PDF attachments and QR codes that redirect finance and procurement staff to credential-harvesting sites. The campaign employs multi-stage document-based delivery, reusable phishing templates, and rotating backend infrastructure to evade detection and sustain credential theft. #CYFIRMA #Quishing

A phishing campaign targets finance and procurement teams using invoice-themed emails with malicious PDFs and QR codes that lead to credential-harvesting sites. Multi-stage tactics and rotating infrastructure help evade detection. #InvoiceFraud #CredentialTheft


DarkSword iOS Kit Uses 3 Zero-Days
Read More: buff.ly/rBqNXNR

#DarkSword #iOSZeroDay #ExploitKit #MobileSecurity #SpywareThreat #CredentialTheft #CryptoTheft #AppleSecurity


Security stat: Credential theft accounts for 61% of all data breaches. MFA + Conditional Access + Password Protection = your M365 defense trifecta.

#CredentialTheft #MFA #M365Security
https://365securityassessment.com


Beware! Cybercriminals are using SEO poisoning to distribute trojanized VPN clients, stealing user credentials. Stay vigilant and download software only from trusted sources. #CyberSecurity #VPN #CredentialTheft Link: thedailytechfeed.com/cybercrimina...


Tycoon 2FA Phishing Platform Disrupted
Read More: buff.ly/jehcYZi

#Tycoon2FA #PhishingAsAService #MFABypass #Europol #MicrosoftSecurity #CybercrimeCrackdown #CredentialTheft #GlobalCyber


GitHub Malware Campaign Spreads BoryptGrab
Read More: buff.ly/H9DFqqP

#BoryptGrab #GitHubMalware #InfoStealer #ReverseSSH #SupplyChainAttack #CredentialTheft #ThreatResearch #Infosec


Web Exploits, Mimikatz Hit Asian Infra
Read More: buff.ly/h47sDZt

#CLUNK1068 #CyberEspionage #Mimikatz #AsianCyber #CriticalInfrastructure #CredentialTheft #ThreatIntel #NationStateThreat


Europol Busts Tycoon 2FA Phishing Service
Read More: buff.ly/oNb3sJB

#Tycoon2FA #PhishingAsAService #MFABypass #Europol #LawEnforcement #CredentialTheft #CybercrimeCrackdown #InfosecNews


Malicious Go Module Drops Rekoobe
Read More: buff.ly/QeSSpFz

#GoModuleMalware #Rekoobe #LinuxSecurity #BackdoorThreat #OpenSourceRisk #CredentialTheft #SupplyChainSecurity #ThreatResearch

Punchbowl Phishing

~Cofense~
Fake digital invites are redirecting users to branded phishing pages to steal credentials.
-
IOCs: dry. za. com, t. ly/KwKzQ
-
#CredentialTheft #Phishing #ThreatIntel


Phishing Hits US, Europe Logistics
Read More: www.cybermaterial.com/p/phishing-h...

#DieselVortex #LogisticsCyber #Typosquatting #PhishingCampaign #CredentialTheft #SupplyChainSecurity #ThreatIntel #Infosec

Group-IB Warns Supply Chain Attacks Are Becoming a Self-Reinforcing Cybercrime Ecosystem

Cybercrime outfits now reshape supply chain intrusions into sprawling, linked assaults - spinning out data leaks, stolen login details, and ransomware in relentless loops, says fresh research by Group-IB. In each trend report, the security group highlights how standalone hacks have evolved: today's strikes follow blueprints meant to ripple through corporate systems, setting off chains of further break-ins.

Instead of going after one company just to make money fast, hackers now aim at suppliers, support services, or common software tools - gaining trust-based entry to many users at once. Cases highlighted in recent reports - the Shai-Hulud npm worm, the break-in at Salesloft, and the corrupted OpenClaw package - all show how problems upstream spread quickly across systems. Not limited to isolated targets, these attacks ripple outward when shared platforms get hit.

Modern supply chain attacks unfold in linked phases, says Group-IB. One stage might begin with a tainted open-source component spreading malicious code while quietly collecting login details. Following that, attackers may launch phishing efforts - alongside misuse of OAuth tokens - to seize user identities, opening doors to cloud services and development pipelines. Breached data feeds these steps, supplying access keys, corporate connections, and the situational awareness required to move sideways across systems. Later comes ransomware, sometimes followed by extortion threats - built on insights gathered during earlier stages of the breach. One step enables another, creating loops experts call self-sustaining networks of attack.

Soon, Group-IB expects artificial intelligence to push this shift further. With AI-powered tools, scanning for flaws in vendor networks, software workflows, or browser add-on stores happens almost instantly. These systems let hackers find gaps faster - operating at speeds humans cannot match.

Expectations point to declining reliance on classic malware, favoring tactics centered on stolen identities. Rather than using obvious harmful software, attackers now mimic authorized personnel, slipping into everyday operational processes. Moving quietly through standard behaviors allows them to stay hidden longer, gradually reaching linked environments. Because they handle sensitive operations like human resources, customer data, enterprise planning, or outsourced IT support, certain platforms draw strong interest from threat actors. When a compromise occurs at that level, it opens doors not just to one company but potentially hundreds connected through shared services - multiplying consequences far beyond the initial point of failure.

Cases like Salesloft and the breach tied to Oracle in March 2025 show shifts in how data intrusions unfold. Rather than seeking quick payouts, hackers often collect OAuth credentials first. Missteps in third-party connections give them room to move inward. Once inside client systems, fresh opportunities open up. Data copying follows naturally. Trust-based communication chains become tools for disguise later. Infected updates spread quietly through established channels. Fraud grows without drawing early attention.

Fault lines in digital confidence now shape modern cyber threats, according to Dmitry Volkov, who leads Group-IB. Rather than one-off breaches, what unfolds are ripple effects across systems. Because outside providers act like open doors, companies should treat them as part of their own risk landscape. Instead of reacting late, they should build models for supply chain risks early. Automated scans should track software links continuously. Insight into how information moves becomes essential - without it, gaps stay hidden until exploited.

With breaches in supply chains turning into routine operations, protecting confidence among users, collaborations, and code links has shifted from being a backup measure to a core part of today's security planning. What once seemed secondary now shapes the foundation. Trust must hold firm where systems connect - because failure at one point pulls down many. Security can no longer treat relationships as external risks; they are built-in conditions. When components rely on each other, weakness spreads fast. The report frames this shift clearly: resilience lives not just in tools but in verified connections. Adding layers is not what matters most - it is about strengthening what already ties everything together.

Group-IB Warns Supply Chain Attacks Are Becoming a Self-Reinforcing Cybercrime Ecosystem #CredentialTheft #CyberAttacks #Cyberbreaches


📰 "Diesel Vortex" Phishing Campaign Targets US and European Logistics Companies

👉 Read the full article here: ahmandonk.com/2026/02/25/phishing-dies...

#credentialTheft #cybersecurity #keamananSiber #logistik #phishing #socialEngineering


Malicious npm Packages Steal Secrets
Read More: buff.ly/ZvuFHlP

#SANDWORMMODE #npmSecurity #SupplyChainAttack #PromptInjection #GitHubAbuse #CredentialTheft #AIcodingRisk #ThreatIntel

New Microsoft Edge Android Flaw Enables Spoofing Attacks

Microsoft has disclosed CVE-2026-0391, a UI spoofing vulnerability in Edge for Android that enables network attacks and phishing campaigns targeting mobile users.

winbuzzer.com/2026/02/06/c...

CVE-2026-0391: Edge Android Flaw Enables Spoofing Attacks

#MicrosoftEdge #Security #Cybersecurity #Microsoft #Android #WebBrowsers #Phishing #CredentialTheft #ZeroDayVulnerabilities #Chromium


Microsoft Warns of Python Infostealers on macOS
Read More: buff.ly/sA1LZdJ

#macOSMalware #PythonMalware #InfoStealer #ThreatIntel #SocialEngineering #Malvertising #MicrosoftSecurity #CredentialTheft

Malicious MoltBot skills used to push password-stealing malware

More than 230 malicious packages for the personal AI assistant OpenClaw (formerly known as Moltbot and ClawdBot) have been published in less than a week on the tool's official registry and on GitHub.

Malicious MoltBot skills are pushing password-stealing malware — voice assistants are becoming a new social engineering vector. Convenience can be compromised. 🎙️🔓 #CredentialTheft #AttackSurface

Beware! Fake ChatGPT browser extensions are stealing your login credentials

If you've installed a browser extension to enhance your ChatGPT experience, you might want to think again.

Fake ChatGPT browser extensions are stealing login credentials — AI hype is being weaponized to hijack accounts. Install less, verify more. 🧩⚠️ #ExtensionSecurity #CredentialTheft

buff.ly/iIQlF5G


Malware Service Pushes Chrome Phishing
Read More: buff.ly/GctIu2h

#CyberSecurity #ChromeExtensions #MalwareAsAService #Phishing #CredentialTheft #BrowserSecurity #Infosec #CyberCrime #SupplyChainSecurity #ThreatIntel

Attackers Hijack Microsoft Email Accounts to Launch Phishing Campaign Against Energy Firms

Cybercriminals have compromised Microsoft email accounts belonging to organizations in the energy sector and used those trusted inboxes to distribute large volumes of phishing emails. In at least one confirmed incident, more than 600 malicious messages were sent from a single hijacked account. Microsoft security researchers explained that the attackers did not rely on technical exploits or system vulnerabilities. Instead, they gained access by using legitimate login credentials that were likely stolen earlier through unknown means. This allowed them to sign in as real users, making the activity harder to detect.

The attack began with emails that appeared routine and business-related. These messages included Microsoft SharePoint links and subject lines suggesting formal documents, such as proposals or confidentiality agreements. To view the files, recipients were asked to authenticate their accounts. When users clicked the SharePoint link, they were redirected to a fraudulent website designed to look legitimate. The site prompted them to enter their Microsoft login details. By doing so, victims unknowingly handed over valid usernames and passwords to the attackers.

After collecting credentials, the attackers accessed the compromised email accounts from different IP addresses. They then created inbox rules that automatically deleted incoming emails and marked messages as read. This step helped conceal the intrusion and prevented account owners from noticing unusual activity.

Using these compromised inboxes, the attackers launched a second wave of phishing emails. These messages were sent not only to external contacts but also to colleagues and internal distribution lists. Recipients were selected based on recent email conversations found in the victim's inbox, increasing the likelihood that the messages would appear trustworthy.

In this campaign, the attackers actively monitored inbox responses. They removed automated replies such as out-of-office messages and undeliverable notices. They also read replies from recipients and responded to questions about the legitimacy of the emails. All such exchanges were later deleted to erase evidence. Any employee within an energy organization who interacted with the malicious links was also targeted for credential theft, allowing the attackers to expand their access further.

Microsoft confirmed that the activity began in January and described it as a short-duration, multi-stage phishing operation that was quickly disrupted. The company did not disclose how many organizations were affected, identify the attackers, or confirm whether the campaign is still active.

Security experts warn that simply resetting passwords may not be enough in these attacks. Because attackers can interfere with multi-factor authentication settings, they may maintain access even after credentials are changed. For example, attackers can register their own device to receive one-time authentication codes. Despite these risks, multi-factor authentication remains a critical defense against account compromise. Microsoft also recommends using conditional access controls that assess login attempts based on factors such as location, device health, and user role. Suspicious sign-ins can then be blocked automatically. Additional protection can be achieved by deploying anti-phishing solutions that scan emails and websites for malicious activity. These measures, combined with user awareness, are essential as attackers increasingly rely on stolen identities rather than software flaws.

Attackers Hijack Microsoft Email Accounts to Launch Phishing Campaign Against Energy Firms #CredentialTheft #DataBreach #DataTheft

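
The inbox-rule step described in the post above (rules that delete incoming mail and mark it read, so the owner never sees bounces, auto-replies or colleagues asking whether a message is genuine) leaves a record in the Exchange admin audit trail every time New-InboxRule or Set-InboxRule runs, and the post also notes that the attackers arrived from different IP addresses than the owner. The triage function below is an added example, not code from the article or from Microsoft; it assumes records in the shape the unified audit log uses for those cmdlets (Operation, UserId, ClientIP, CreationTime and a Parameters list of Name/Value pairs). The three sample records, the hiding-folder list and the keyword list are constructed for illustration.

```python
"""Triage Exchange inbox-rule audit events for the concealment pattern above.

Added example, not code from the article or from Microsoft. Assumes the unified
audit log layout for Exchange admin cmdlets (Operation, UserId, ClientIP,
CreationTime, Parameters=[{"Name":..,"Value":..}]). Sample records are constructed.
"""
import json
from collections import defaultdict

# Destinations attackers pick because mailbox owners rarely look there.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "archive",
                  "conversation history", "junk email"}
# Condition words that intercept bounces, auto-replies and warnings from colleagues.
HIDING_KEYWORDS = ("undeliverable", "out of office", "automatic reply", "delivery",
                   "phish", "suspicious", "hacked", "password", "compromised")
RULE_OPS = ("New-InboxRule", "Set-InboxRule")


def params_of(record):
    """Flatten the Name/Value parameter list into a plain dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def triage_rule_event(record):
    """Reasons this inbox-rule event looks like attacker tradecraft ([] if none)."""
    op = record.get("Operation")
    if op not in RULE_OPS:
        return []
    p = params_of(record)
    reasons = []
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks matching mail as read")
    if p.get("MoveToFolder", "").strip().lower() in HIDING_FOLDERS:
        reasons.append(f"moves matching mail to {p['MoveToFolder']!r}")
    conditions = " ".join(p.get(k, "") for k in (
        "SubjectContainsWords", "BodyContainsWords",
        "SubjectOrBodyContainsWords", "FromAddressContainsWords")).lower()
    hits = [kw for kw in HIDING_KEYWORDS if kw in conditions]
    if hits:
        reasons.append("filters on " + ", ".join(hits))
    # Set-InboxRule addresses the rule by Identity, so only judge names on creation.
    if op == "New-InboxRule" and len(p.get("Name", "").strip()) <= 2:
        reasons.append("rule name is blank or a throwaway character")
    return reasons


def triage(records):
    """Return (findings, ips_by_user): flagged events plus every client IP that
    touched each mailbox's rules, so a second, unfamiliar IP stands out."""
    findings = []
    ips_by_user = defaultdict(set)
    for r in records:
        if r.get("Operation") in RULE_OPS:
            ips_by_user[r.get("UserId", "?")].add(r.get("ClientIP", "?"))
        reasons = triage_rule_event(r)
        if reasons:
            findings.append({
                "time": r.get("CreationTime"), "user": r.get("UserId"),
                "ip": r.get("ClientIP"), "op": r.get("Operation"),
                "rule": params_of(r).get("Name") or params_of(r).get("Identity"),
                "reasons": reasons,
            })
    return findings, {u: sorted(ips) for u, ips in ips_by_user.items()}


# Constructed sample: one legitimate rule, then two concealment rules from a new IP.
SAMPLE_RECORDS = json.loads("""[
 {"CreationTime": "2026-01-14T08:02:11", "Operation": "New-InboxRule",
  "UserId": "a.lopez@example-energy.test", "ClientIP": "203.0.113.7",
  "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                 {"Name": "FromAddressContainsWords", "Value": "digest@vendor.test"},
                 {"Name": "MoveToFolder", "Value": "Reading"}]},
 {"CreationTime": "2026-01-14T09:15:40", "Operation": "New-InboxRule",
  "UserId": "a.lopez@example-energy.test", "ClientIP": "198.51.100.23",
  "Parameters": [{"Name": "Name", "Value": "."},
                 {"Name": "SubjectContainsWords", "Value": "undeliverable;out of office;automatic reply"},
                 {"Name": "DeleteMessage", "Value": "True"}, {"Name": "MarkAsRead", "Value": "True"},
                 {"Name": "StopProcessingRules", "Value": "True"}]},
 {"CreationTime": "2026-01-14T09:16:05", "Operation": "Set-InboxRule",
  "UserId": "a.lopez@example-energy.test", "ClientIP": "198.51.100.23",
  "Parameters": [{"Name": "Identity", "Value": "Newsletters"},
                 {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                 {"Name": "SubjectContainsWords", "Value": "suspicious sign-in"}]}
]""")

if __name__ == "__main__":
    found, ips = triage(SAMPLE_RECORDS)
    print(json.dumps({"findings": found, "ips_by_user": ips}, indent=2))
```

Feed it the JSON you export from the audit log (for example the AuditData column of Search-UnifiedAuditLog output, parsed one record per line) and review anything it flags together with the sign-in logs for the same user and client IP. The keyword list deliberately favours recall over precision: an owner who really filters their own "out of office" bounces will show up too, but the combination of a one-character rule name, a delete action and a client IP the user has never used before is the pattern the post describes and is worth an immediate session revocation rather than a password reset alone.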

Cybercriminals are exploiting stolen credentials to install LogMeIn RMM software, gaining stealthy access to systems. Stay vigilant! #CyberSecurity #Phishing #RMM #LogMeIn #CredentialTheft Link: thedailytechfeed.com/cybercrimina...
