Executive Summary

Social engineering activity spiked across SaaS and identity platforms this week. Attackers leaned on vishing and email pretexts to pry open third-party CRM systems (Salesforce, Workday) while abusing “trusted” security tooling such as Cisco Safe Links and FIDO sign-in flows. Generative AI continued to raise the bar for realism—both in phishing copy (multi-language Noodlophile lures) and in voice deepfakes aimed at OT operators.

Professional-services and information-media organisations were hit hardest, with notable incidents in finance (Allianz Life) and government (Indian energy-subsidy smish, DPRK embassy targeting). Business impact ranged from large-scale data exfiltration to credential reuse that could fuel follow-on BEC and ransomware.

Top 5 This Week

Vishing & Help Desk

Wave of social-engineering breaches hits Workday, Allianz Life and others (CSO Online)
ShinyHunters actors phoned staff posing as IT/HR to reset CRM credentials, then pivoted across interconnected Salesforce instances at Workday, Allianz Life, Qantas and more. Exposure was limited to business-contact data but opens doors to follow-on BEC. Sophistication: medium. Sectors: professional services, finance, aviation.

Phishing & BEC

Noodlophile Stealer spear-phishing campaign (The Hacker News)
Emails threaten copyright lawsuits and link to “evidence” hosted on file-shares; opening the bundle triggers DLL side-loading and Telegram C2. Targets: marketing teams at media-heavy enterprises. Sophistication: high.

Hackers exploit Cisco Safe Links to mask malicious URLs (Cybersecurity News)
By generating genuine-looking Safe Links, phishers sneak past secure email gateways. High trust in the domain leads to clicks. Sophistication: high.

GenAI tools accelerate brand-clone phishing (Unit 42)
Attackers use AI site builders and writers to spin up convincing fake portals in minutes. Medium sophistication but massive scale.

Yubico survey: password reuse and MFA gaps
Nearly half of Americans still reuse passwords; only 3% see hardware keys as the best defence.

Smishing, QRishing & Callback

Android malware campaign piggybacks on India’s solar-subsidy program (GBHackers)
YouTube tutorials and GitHub-hosted sites push an APK that steals banking data, then auto-SMSes the contact list. Sophistication: high; sector: government/public.

MFA Fatigue & Identity Operations

FIDO downgrade attack against Microsoft Entra ID (CSO Online / Proofpoint)
A phishlet presents a User-Agent for a browser that does not support FIDO, so the sign-in flow falls back to legacy MFA, which is then intercepted via Evilginx. Sophistication: high. ATT&CK: T1606.
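The downgrade described above leaves a recognisable trace in identity logs: a user who has a FIDO2 key registered nonetheless satisfies MFA with a phishable method, often from a client whose User-Agent claims a browser without WebAuthn support. The following detection sketch is an added example, not code from the digest, CSO Online or Proofpoint. The sign-in records and the list of FIDO-registered users are constructed for illustration, and the field names are assumptions rather than the exact Entra ID sign-in log schema.

```python
"""Flag sign-ins that look like a FIDO-to-legacy-MFA downgrade.

Added example with constructed data; field names are assumptions and do not
match any vendor's log schema exactly.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed inventory: users who have a FIDO2 security key registered.
FIDO_REGISTERED = {"alice@example.com", "bob@example.com"}

# MFA methods that an adversary-in-the-middle proxy can relay or capture.
PHISHABLE_METHODS = {"SMS", "Voice", "OTP", "Password"}

# First major versions shipping WebAuthn; older versions cannot use a FIDO key.
MIN_WEBAUTHN_VERSION = {"Chrome": 67, "Firefox": 60}
MIN_SAFARI_WEBAUTHN = 13


@dataclass
class SignIn:
    user: str
    auth_method: str   # method that satisfied the MFA policy (assumed field)
    user_agent: str
    client_ip: str


@dataclass
class Finding:
    user: str
    severity: str
    reason: str


def browser_lacks_webauthn(ua: str) -> bool:
    """Return True when the User-Agent claims a browser with no WebAuthn support."""
    if "MSIE" in ua or "Trident/" in ua:          # Internet Explorer
        return True
    for name, minimum in MIN_WEBAUTHN_VERSION.items():
        m = re.search(rf"{name}/(\d+)", ua)
        if m and int(m.group(1)) < minimum:
            return True
    # Safari reports its real version in "Version/", not in the "Safari/" build token.
    if "Safari/" in ua and "Chrome/" not in ua:
        m = re.search(r"Version/(\d+)", ua)
        if m and int(m.group(1)) < MIN_SAFARI_WEBAUTHN:
            return True
    return False


def downgrade_findings(events: List[SignIn]) -> List[Finding]:
    """Raise a finding for every FIDO-registered user who authenticated with a
    phishable method; escalate when the client also claims a legacy browser."""
    findings: List[Finding] = []
    for e in events:
        if e.user not in FIDO_REGISTERED or e.auth_method not in PHISHABLE_METHODS:
            continue
        legacy = browser_lacks_webauthn(e.user_agent)
        reason = f"FIDO2-registered user satisfied MFA with {e.auth_method} from {e.client_ip}"
        if legacy:
            reason += "; User-Agent claims a browser without WebAuthn support"
        findings.append(Finding(e.user, "high" if legacy else "medium", reason))
    return findings


# Constructed sample sign-ins (not real log data).
SAMPLE_EVENTS = [
    SignIn("alice@example.com", "FIDO2",
           "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36",
           "203.0.113.10"),
    SignIn("alice@example.com", "SMS",
           "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/45.0.2454.85 Safari/537.36",
           "198.51.100.7"),
    SignIn("carol@example.com", "SMS",
           "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36",
           "203.0.113.11"),
    SignIn("bob@example.com", "OTP",
           "Mozilla/5.0 (Macintosh) AppleWebKit/605.1.15 Version/17.1 Safari/605.1.15",
           "203.0.113.12"),
]

if __name__ == "__main__":
    for f in downgrade_findings(SAMPLE_EVENTS):
        print(f.severity.upper(), f.user, f.reason)
```

The second and fourth records produce findings: the Chrome 45 sign-in is rated high because the claimed browser predates WebAuthn, which is exactly the signal a downgrade phishlet emits, while the Safari 17 OTP sign-in is rated medium because a registered key went unused without a browser excuse. The third record is ignored since that user has no key to downgrade from. In production the FIDO inventory would come from the identity provider's registered-methods API and the detection would feed a conditional-access review rather than a print statement.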

Deepfakes & Impersonation

Generative-AI voice scams impersonate celebrities and execs (ComputerWeekly)
Pindrop reports a rise in deepfake calls that leverage recognisable voices to request payments or sensitive data. High sophistication; sectors: media, finance.

AI deception extends to OT via voice cloning & deepfake videos (Industrial Cyber)
Energy and manufacturing operators face deepfake vendor calls requesting remote access. High operational risk.
