Executive Summary
Phishing volume dominated the week, but three trends stood out: (1) adversaries are bypassing “phishing-resistant” FIDO keys by abusing cross-device QR logins; (2) deepfake and LLM-generated content is moving from novelty to operational tool, powering both voice-phishing scripts and synthetic job applicants; (3) financially-motivated actors continue to exploit trust in cloud SaaS (Google Forms, Microsoft 365) to evade security stacks.
Financial services, technology, and media were the most targeted sectors, with notable hits on WOO X ($14 M loss) and Allianz Life (1.4 M customers exposed). Education and government portals also saw tailored phishing using look-alike domains. Business impact centers on direct fraud, credential loss feeding later intrusions, and increased pressure on help desks that remain an entry point of choice.
Top 5 This Week
PoisonSeed attackers bypass FIDO keys via QR-code phishing — Shows that social engineering can still defeat hardware tokens. Disable cross-device sign-in where possible and alert on unexpected QR logins.
UNC3944 social-engineers help desks to seize vSphere environments — Retail and airline firms were hit; verify all help-desk calls with call-back and manager approval before resetting privileged accounts.
Phishing attack drains $14 M from WOO X crypto exchange — Reinforces that one compromised employee mailbox can trigger large, fast cashouts; rehearse rapid withdrawal freezes.
LLM-generated voice phishing evades ML detectors — Expect more convincing vishing; add caller-ID callbacks and keyword monitoring to fraud lines.
Deepfake job candidates infiltrate hiring pipelines — HR is now a front-line defense; mandate secondary ID checks during remote interviews.
Vishing & Help Desk
UNC3944 social-engineering campaign against vSphere (Google Threat Intelligence)
Attackers impersonated IT to convince help-desk staff to reset privileged AD accounts, then abused vSphere APIs for ransomware staging. Targets: retail, airlines, insurance. Sophistication: high. ATT&CK: T1566 + living-off-the-land.
Phishing & BEC
Exploiting Google Forms for Cryptocurrency Phishing (GBHackers)
Attackers embed malicious Google Forms links in emails to bypass filters and harvest wallet keys from finance users. Sophistication: medium.
Phishing leads to $14 M theft from WOO X (Protos)
Credential theft let intruders coordinate mass withdrawals before the exchange noticed. Highlights the speed gap between compromise and fraud.
What to do:
Browser-in-the-Browser attack spoofs Facebook login (GBHackers)
A fake CAPTCHA leads to a pop-up that perfectly mimics Facebook but lives inside the same tab, stealing credentials. Sophistication: high.
What to do:
Instagram phishing uses mailto: links to dodge filters (Malwarebytes)
Mailto: links start a human email thread that extracts credentials, bypassing URL reputation checks. Sophistication: medium.
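Because a mailto: lure carries no URL for reputation services to score, the check has to look at the link itself: an account-action prompt ("appeal", "verify") that opens a mail draft, or a mailto: target whose domain differs from the sender's, is the tell. The following is an added example for this digest, not code from Malwarebytes or the original post; the sample message and the action-word list are constructed and the brand-specific tuning is left to the reader.

```python
"""Flag HTML emails whose call-to-action links are mailto: addresses rather than URLs."""
from html.parser import HTMLParser
from email.utils import parseaddr

# Assumed list of verbs that typically appear on a credential-lure button.
ACTION_WORDS = ("verify", "appeal", "confirm", "review", "restore", "unlock")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def suspicious_mailto_links(from_header: str, html_body: str) -> list[dict]:
    """Return mailto: links whose anchor text is an account-action prompt or whose
    target mailbox domain differs from the sender's domain (reply goes to a stranger)."""
    sender_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    parser = _LinkCollector()
    parser.feed(html_body)
    hits = []
    for href, text in parser.links:
        if not href.lower().startswith("mailto:"):
            continue                      # ordinary URLs are handled by reputation checks
        target = href[len("mailto:"):].split("?", 1)[0]   # drop ?subject=... parameters
        target_domain = target.rsplit("@", 1)[-1].lower()
        action = any(word in text.lower() for word in ACTION_WORDS)
        mismatch = target_domain != sender_domain
        if action or mismatch:
            hits.append({"text": text, "target": target,
                         "action_prompt": action, "domain_mismatch": mismatch})
    return hits

# Constructed sample resembling the copyright-appeal lure described above.
SAMPLE_FROM = "Instagram Support <no-reply@mail.example>"
SAMPLE_HTML = """
<p>Your account has been flagged for copyright infringement.</p>
<p><a href="mailto:appeals-desk@example.net?subject=Appeal">Appeal the decision</a></p>
<p><a href="https://help.example/terms">Terms of Service</a></p>
"""
```

Run over a real mailbox, the same function can be pointed at each message's From header and HTML part; only the mailto: anchors are ever reported.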
Inside the Phisher’s Mind: How Deceptive Links Are Built (InfosecWriteups)
Breaks down psychological triggers attackers layer into URLs. Applicable across sectors.
npm package ‘is’ hijacked after maintainer phishing (The Register)
Supply-chain compromise began with a typosquatted npm login page emailed to package maintainers. Millions of downloads impacted.
Q2 2025 phishing brands report (Check Point via HackRead)
Microsoft and Spotify topped impersonation charts; entertainment services rising again.
Look-alike domains target U.S. Department of Education G5 portal (Help Net Security)
Smaller schools fall for credential theft. Region: US; sector: Education.
Patchwork APT uses malicious LNK files against Turkish defense (The Hacker News)
State actor leverages PowerShell via LNK shortcuts. Sophistication: high.
Dropping Elephant multi-stage attack chain (GBHackers)
Uses DLL side-loading with VLC to evade AV. Sectors: manufacturing and defense.
What to do:
Allianz Life breach via third-party CRM social engineering (Security Affairs)
1.4 M customers affected; attack originated at vendor.
Smishing, QRishing & Callback
SMS blasters exploit legacy 2G networks for mass smishing (Smashing Security podcast)
Suitcase-sized equipment lets attackers send spoofed texts while driving through cities. Medium sophistication.
MFA Fatigue & Identity Operations
PoisonSeed FIDO QR-code adversary-in-the-middle attacks (Expel / The Hacker News)
Attackers host look-alike Okta portals, prompt users to scan a legitimate-looking QR, then proxy the session to bypass hardware tokens. Sophistication: high.
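The "alert on unexpected QR logins" advice from the Top 5 entry and the proxied-session technique described here both reduce to one detection: a cross-device FIDO sign-in (WebAuthn transport "hybrid") completed from a network the user has never used with an on-device key. The block below is an added example for this digest, not code from Expel or any IdP vendor; the JSON log schema is constructed for illustration, so map the fields to your IdP's own sign-in log before reuse.

```python
"""Flag cross-device (QR / 'hybrid' transport) FIDO sign-ins from unfamiliar networks."""
import json
from collections import defaultdict

# Constructed sample sign-in events (not a real IdP schema). 'transport' follows the
# WebAuthn AuthenticatorTransport names: "usb"/"internal" = key used on the device
# itself, "hybrid" = cross-device flow started by scanning a QR code.
SAMPLE_LOG = """
{"ts": "2025-07-20T10:00:00Z", "user": "bob",   "transport": "usb",    "ip": "192.0.2.44",   "asn": 64496, "country": "US", "result": "success"}
{"ts": "2025-07-21T08:02:11Z", "user": "alice", "transport": "usb",    "ip": "203.0.113.10", "asn": 64500, "country": "US", "result": "success"}
{"ts": "2025-07-22T09:14:03Z", "user": "alice", "transport": "usb",    "ip": "203.0.113.10", "asn": 64500, "country": "US", "result": "success"}
{"ts": "2025-07-23T13:41:55Z", "user": "alice", "transport": "hybrid", "ip": "198.51.100.7", "asn": 64511, "country": "NL", "result": "success"}
{"ts": "2025-07-23T13:45:20Z", "user": "bob",   "transport": "hybrid", "ip": "192.0.2.44",   "asn": 64496, "country": "US", "result": "success"}
"""

def parse_events(raw: str) -> list[dict]:
    """One JSON object per line; sorted by ISO-8601 UTC timestamp (lexical order is chronological)."""
    events = [json.loads(line) for line in raw.strip().splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])

def unexpected_qr_logins(events: list[dict]) -> list[dict]:
    """Return hybrid-transport sign-ins whose ASN was never seen for that user in an
    earlier on-device (non-hybrid) FIDO sign-in."""
    baseline: dict[str, set[int]] = defaultdict(set)   # user -> ASNs trusted from on-device use
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        if e["transport"] == "hybrid":
            if e["asn"] not in baseline[e["user"]]:
                alerts.append(e)
        else:
            # Only on-device authenticator use extends the trusted baseline, so an
            # attacker's first proxied QR login never becomes a "known" network.
            baseline[e["user"]].add(e["asn"])
    return alerts

if __name__ == "__main__":
    for a in unexpected_qr_logins(parse_events(SAMPLE_LOG)):
        print(f"ALERT {a['ts']} user={a['user']} ip={a['ip']} country={a['country']}: "
              "cross-device FIDO sign-in from a network never used with an on-device key")
```

In the sample, bob's QR login from his usual office network passes (a legitimate new-laptop enrolment), while alice's QR login from a network she has never used with her key is the PoisonSeed pattern and is the only alert.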
Deepfakes & Impersonation
Deepfake candidates target HR pipelines (ComputerWeekly)
North Korean actors used AI-generated video and voice to pass interviews for IT roles. High sophistication; sector: professional services.
Biometric firms secure funding to fight deepfakes (BiometricUpdate)
IdentifAI, Keyless, and Reality Defender expand tooling; Pindrop reports deepfake hiring scams.
Microsoft releases open deepfake detection benchmark (BiometricUpdate)
50k-sample dataset enables apples-to-apples comparison of detection models.
Deepfakes keep AI leaders awake at night (The Verge podcast)
Captions CEO warns of escalating realism and regulatory gaps.
Heartbeat detection unmasking video deepfakes (ComputerWeekly)
Remote photoplethysmography spots unnatural blood-flow patterns.
Sector Spotlight
Financial Services: Crypto exchanges and insurers faced seven separate credential-theft incidents.
Education & Government: Look-alike domains targeting the G5 portal illustrate resource gaps.
Training Corner
A few ideas on how to spread awareness:
Push a 90-second video: “Spot the Browser-in-the-Browser phish.”
Slack blurb: “Never scan a QR code displayed on a login page unless you typed the URL yourself.”
Update the help-desk script to include a mandatory call-back to the requester’s manager for privilege resets.
HR reminder: Require government-issued ID to be held up to the camera and a spontaneous code read-back during remote interviews.
Micro-lesson for developers: “Typosquatting on package managers — how to verify real domains.”