Executive Summary

This week saw an alarming escalation in AI-powered social engineering attacks, with deepfake technology becoming mainstream through tools like Grok's "spicy" mode enabling nonconsensual deepfakes. Threat actors are increasingly weaponizing legitimate platforms like Microsoft 365 Direct Send, Google Calendar, and social media for phishing campaigns that bypass traditional defenses. The convergence of AI sophistication with social engineering has reached a tipping point, with campaigns targeting everyone from Firefox developers to Fortune 500 companies through voice phishing and fake job recruitment schemes.

Financial services, government agencies, and technology companies faced the heaviest targeting, with North Korean threat groups particularly active in recruiting schemes and credential harvesting operations. The sophistication level has jumped significantly, with attackers using AI to generate convincing phishing content, create deepfake audio/video for impersonation, and automate large-scale credential theft operations affecting millions of users.

Top 5 This Week

Phishing & BEC

Microsoft 365 Direct Send Weaponized to Bypass Email Security Defenses (Microsoft/StrongestLayer)
Attackers are exploiting Microsoft 365's Direct Send feature to send emails that appear to come from within organizations, bypassing traditional email security filters. The campaign uses image-based lures and dual-payload delivery to harvest credentials while evading detection. High sophistication using legitimate Microsoft infrastructure.
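A defender-side check for the pattern described above, added here as an example and not code from the Microsoft or StrongestLayer write-up. It assumes that mail relayed through Direct Send carries the organisation's own domain in the From header but, being an unauthenticated relay, does not pass DMARC, so "internal-looking sender without a passing DMARC/SPF/DKIM result" is the signal to hunt for. The domain name and the three sample messages are constructed.

```python
"""Flag inbound mail that claims an internal From address but carries no passing authentication."""
import email
import re
from email import policy
from email.utils import parseaddr

# Domains this organisation sends from (constructed value for the example).
INTERNAL_DOMAINS = {"example-corp.com"}

# Matches "spf=pass", "dkim=fail", "dmarc=none" tokens in an Authentication-Results header.
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def parse_auth_results(values):
    """Collapse one or more Authentication-Results header values into {method: result}."""
    results = {}
    for value in values:
        for method, result in AUTH_RESULT_RE.findall(str(value)):
            results[method.lower()] = result.lower()
    return results


def sender_domain(msg):
    """Domain of the RFC 5322 From address, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def assess_message(raw):
    """Return (verdict, reasons) for one raw message.

    Assumption: a Direct Send message shows the tenant's own domain in From but
    does not pass DMARC, so an internal sender without a DMARC pass is suspicious.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    auth = parse_auth_results(msg.get_all("Authentication-Results", []))
    reasons = []
    if domain in INTERNAL_DOMAINS:
        if auth.get("dmarc") != "pass":
            reasons.append(f"From domain {domain} is internal but DMARC result is {auth.get('dmarc', 'missing')}")
        if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
            reasons.append("neither SPF nor DKIM passed for an internal sender")
    return ("suspicious" if reasons else "ok"), reasons


# Constructed sample messages (not real captures).
LEGIT_INTERNAL = (
    "From: Alice <alice@example-corp.com>\n"
    "To: bob@example-corp.com\n"
    "Subject: Q3 numbers\n"
    "Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=example-corp.com;"
    " dkim=pass header.d=example-corp.com; dmarc=pass action=none header.from=example-corp.com\n"
    "\nPlease review the attached figures.\n"
)
SPOOFED_INTERNAL = (
    "From: IT Helpdesk <helpdesk@example-corp.com>\n"
    "To: bob@example-corp.com\n"
    "Subject: Invoice approval needed today\n"
    "Authentication-Results: spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=example-corp.com;"
    " dkim=none (message not signed) header.d=none; dmarc=fail action=oreject header.from=example-corp.com\n"
    "\nOpen the attached image to approve the invoice.\n"
)
EXTERNAL_NEWSLETTER = (
    "From: News <marketing@news.example.net>\n"
    "To: bob@example-corp.com\n"
    "Subject: Weekly digest\n"
    "Authentication-Results: spf=pass smtp.mailfrom=news.example.net; dkim=pass header.d=news.example.net;"
    " dmarc=pass header.from=news.example.net\n"
    "\nThis week in news.\n"
)


def triage(messages):
    """Return {subject: reasons} for the messages that look suspicious."""
    flagged = {}
    for raw in messages:
        verdict, reasons = assess_message(raw)
        if verdict == "suspicious":
            subject = str(email.message_from_string(raw, policy=policy.default).get("Subject", ""))
            flagged[subject] = reasons
    return flagged


if __name__ == "__main__":
    for subject, reasons in triage([LEGIT_INTERNAL, SPOOFED_INTERNAL, EXTERNAL_NEWSLETTER]).items():
        print(subject, "->", "; ".join(reasons))
```

The check deliberately ignores external senders; those are handled by ordinary DMARC enforcement. The point here is that a message from your own domain should never be exempt from authentication just because it arrived on the tenant's inbound connector.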

Mozilla Issues Warning on Phishing Campaign Targeting Add-on Developer Accounts (Mozilla)
Mozilla warned Firefox add-on developers about a sophisticated phishing campaign targeting AMO accounts using deceptive emails claiming urgent account updates. The campaign exploits developer concerns about maintaining access to development features. Medium sophistication targeting trusted developer communities.

APT36 Hackers Attacking Indian Government Entities to Steal Login Credentials (APT36/Cyfirma)
Pakistan-linked APT36 is conducting spear-phishing against Indian government entities using typo-squatted domains that mimic official portals. The campaign harvests credentials and bypasses MFA by intercepting OTPs in real-time. High sophistication targeting government infrastructure with nation-state backing.

Vishing & Help Desk

Google's Salesforce Environment Compromised – User Information Exfiltrated (Google/UNC6040)
Google confirmed a breach of its Salesforce instance by UNC6040 threat actors who used sophisticated voice phishing to deceive employees into authorizing malicious applications. The attack resulted in exfiltration of small and medium business contact information and demonstrates how even major tech companies remain vulnerable to human-centric attacks. High sophistication targeting cloud SaaS environments.

Hackers Exploit Social Engineering to Gain Remote Access in Just 5 Minutes (NCC Group)
NCC Group research demonstrates how threat actors can compromise corporate systems in under 5 minutes by impersonating IT support and using Windows QuickAssist for remote access. The attackers deployed PowerShell scripts and credential harvesting tools with remarkable speed. Medium to high sophistication using legitimate tools for malicious purposes.

Cisco Hacked – Attackers Stole Profile Details of Users Registered on Cisco.com (Cisco)
Cisco disclosed a data breach where attackers used voice phishing to gain access to a third-party CRM system containing user profile information. While no sensitive systems were compromised, the incident highlights how social engineering can bypass technical controls. Medium sophistication targeting customer service representatives.

Smishing, QRishing & Callback

Chinese Hackers Compromised Up To 115 Million Payment Cards In The US (SecAlliance)
Chinese cybercriminal syndicates conducted a massive smishing campaign potentially compromising 115 million US payment cards by exploiting digital wallet tokenization systems. The operation used fake USPS and toll service messages to harvest payment information and bypass traditional fraud detection. High sophistication affecting financial services nationwide.

Over 10,000 Malicious TikTok Shop Domains Target Users with Malware and Credential Theft (CTM360)
The ClickTok campaign uses over 10,000 malicious domains to target TikTok Shop users through phishing and malware distribution. Attackers use fake Meta ads and AI-generated videos to distribute SparkKitty spyware and steal cryptocurrency credentials. High sophistication exploiting social media platform trust.

MFA Fatigue & Identity Operations

OAuth apps abused for M365 phishing (Proofpoint)
Threat actors are creating fake OAuth applications that impersonate trusted brands like SharePoint and DocuSign to compromise Microsoft 365 accounts. These attacks bypass MFA and maintain access even after password resets, targeting cloud-first organizations. Medium sophistication exploiting OAuth trust relationships.
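A consent-grant triage routine for the OAuth abuse described above, added as an example and not taken from the Proofpoint report. The event records and field names below are a constructed, simplified shape rather than the real Entra ID audit-log schema; the brand-to-publisher mapping and the high-risk scope list are assumptions to adjust for your tenant.

```python
"""Triage OAuth consent grants for apps that impersonate trusted brands.

The event shape used here is constructed for the example; map the field names
to your own audit-log export before using it.
"""

# Delegated scopes that give durable access to mail or files. offline_access
# issues refresh tokens, which is why such grants outlive a password reset.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "offline_access",
}

# Brand words that phishing apps borrow, mapped to a substring expected in the
# legitimate publisher's name (assumed values for the example).
BRAND_OWNERS = {
    "sharepoint": "microsoft",
    "onedrive": "microsoft",
    "docusign": "docusign",
    "adobe": "adobe",
}


def triage_consent(event):
    """Return a list of findings for one consent-grant event (empty if clean)."""
    name = event.get("app_display_name", "").lower()
    publisher = (event.get("publisher") or "").lower()
    verified = bool(event.get("publisher_verified", False))
    scopes = set(event.get("scopes", []))
    findings = []

    # A brand name in the display name with a publisher that does not own the brand.
    for brand, owner in BRAND_OWNERS.items():
        if brand in name and owner not in publisher:
            findings.append(f"display name borrows '{brand}' but publisher is '{event.get('publisher')}'")

    # High-risk scopes from an unverified publisher.
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky and not verified:
        findings.append("unverified publisher granted " + ", ".join(risky))

    # Only worth noting when something else is already wrong with the grant.
    if findings and "offline_access" in scopes:
        findings.append(
            "offline_access granted: revoke the app's grant and refresh tokens; "
            "a password reset alone does not end access"
        )
    return findings


def triage_all(events):
    """Return {app_display_name: findings} for every event that produced findings."""
    report = {}
    for event in events:
        findings = triage_consent(event)
        if findings:
            report[event["app_display_name"]] = findings
    return report


# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    {
        "app_display_name": "SharePoint Online Sync",
        "publisher": "Contoso Apps Ltd",
        "publisher_verified": False,
        "scopes": ["User.Read", "Mail.Read", "offline_access"],
        "consented_by": "alice@example-corp.com",
    },
    {
        "app_display_name": "Microsoft Teams",
        "publisher": "Microsoft Corporation",
        "publisher_verified": True,
        "scopes": ["User.Read", "offline_access"],
        "consented_by": "bob@example-corp.com",
    },
    {
        "app_display_name": "Expense Helper",
        "publisher": "Fabrikam",
        "publisher_verified": False,
        "scopes": ["User.Read"],
        "consented_by": "carol@example-corp.com",
    },
]


if __name__ == "__main__":
    for app, findings in triage_all(SAMPLE_EVENTS).items():
        print(app)
        for line in findings:
            print("  -", line)
```

The last finding is the one that matters for response: because the attacker holds a refresh token issued to the malicious app, resetting the victim's password does not revoke access; the consent grant itself has to be removed and the user's refresh tokens invalidated.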

Cyber criminals would prefer businesses don't use Okta (Okta)
Cybercriminals are specifically instructing targets to avoid using Okta's phishing-resistant authentication in social engineering campaigns conducted through Slack. The attackers use fake executive messages to lure victims into entering credentials on phishing sites. Medium sophistication targeting identity infrastructure.

Deepfakes & Impersonation

Sex is getting scrubbed from the internet, but a billionaire can sell you AI nudes (xAI/The Verge)
Elon Musk's xAI launched Grok Imagine with a "spicy" mode that creates nonconsensual deepfakes of real people, highlighting how mainstream AI tools are lowering barriers to deepfake creation. The tool operates in regulatory gray areas despite laws like the Take It Down Act. Medium sophistication with widespread availability.

The Liar's Dividend: Deepfakes, synthetic media, and the cybersecurity disinformation crisis (Biometric Update)
Analysis of deepfake threats shows how AI-generated media is creating a "liar's dividend" where misinformation thrives and trust erodes. Recent incidents include deepfake CEO impersonations targeting companies like Arup and infiltration attempts at firms like KnowBe4. High sophistication with enterprise-scale impact.

Social Chat (Slack/Teams) & Internal Comms

Risk Has Moved Beyond Your Inbox (Proofpoint)
Attackers are shifting focus from email to platforms like Slack, Teams, and LinkedIn, exploiting the trust and real-time nature of these platforms for credential theft and lateral movement. Traditional email defenses are insufficient against these emerging threat vectors. Medium sophistication exploiting platform trust.

New Promptware Attack Hijacks User's Gemini AI Via Google Calendar Invite (SafeBreach Labs)
Researchers identified a novel attack method using Google Calendar invitations to hijack Google Gemini AI agents through indirect prompt injections. The attack allows unauthorized access to smart home devices and sensitive data. High sophistication exploiting AI agent integrations.

Sector Spotlight

  • Financial Services: Under heavy attack from smishing campaigns targeting digital wallets and payment systems, with 115 million cards potentially compromised. Chinese threat actors are exploiting tokenization systems to bypass fraud detection.

  • Technology Companies: Targeted by supply chain attacks through developer accounts and sophisticated impersonation schemes. Mozilla, Google, and Cisco all experienced significant social engineering incidents this week.

Training Corner

A few ideas on how to spread awareness:

  • Help Desk: Require callback verification before any factor resets

  • Slack Alert: "🚨 Verify calendar invites and OAuth apps through separate channels before approving"

  • Executive Policy: Pause video calls requesting transfers/access to verify through known phone numbers

  • Developer Reminder: Navigate directly to vendor sites instead of clicking email links

  • Remote Workers: Report any interview "technical fixes" to IT immediately
