Executive Summary
Phishing continued to dominate attacker tradecraft this week, but the stories behind the lures are shifting. OAuth-consent abuse, internal relay via Microsoft 365 “Direct Send,” and repeated campaigns against Mozilla’s add-on ecosystem show that adversaries are investing in methods that sidestep or nullify MFA instead of trying to break it outright. CrowdStrike, Proofpoint, and others note that AI is lowering the barrier to craft convincing pretexts, whether through deep-fake audio, synthetic résumés, or perfectly worded emails.
Financial services, media/tech platforms, and professional-services firms were the primary targets, with North Korean and Scattered Spider operators particularly active. Business impact ranges from stolen crypto wallets to persistent tenant-wide Microsoft 365 access, threats that translate directly to revenue loss, legal exposure, and brand damage.
Top 5 This Week
Exploiting OAuth Apps: A New Frontier in Microsoft Account Compromise – Fake OAuth apps are bypassing MFA and surviving password resets. Disable user-consent flows and review existing grants now.
Hackers Abuse Microsoft 365 “Direct Send” for Internal Phishing – Internal-looking email that never leaves Microsoft’s network evades secure-email gateways; tighten authentication checks and monitor header anomalies.
North Korean IT Workers Slip Into Western Firms – Fake contractors are funding DPRK ops. Strengthen identity vetting and watch for unusual remote-access patterns.
FraudOnTok Malware Campaign Targets TikTok Shop Users – Trojanized mobile apps and phishing sites siphon crypto wallets; educate marketing teams that run TikTok promos.
Azure AI Speech Update Sparks Deep-Fake Voice Risk – New model creates near-perfect voice clones from seconds of audio. Add call-back verification for any high-value phone requests.
Phishing & BEC
FraudOnTok: A Global Malware Campaign Targeting TikTok Shop Users (BleepingComputer)
SparkKitty spyware is delivered via phishing sites and sideloaded apps that impersonate TikTok Shop, stealing crypto wallets; high sophistication, media sector.
Mozilla Warns of Sophisticated Phishing Campaign Targeting Add-on Developers (Mozilla / multiple outlets)
Three separate advisories describe identical lures pushing devs to “update” AMO accounts; the risk is malicious extensions reaching millions. Sophistication: medium.
Exploiting OAuth Apps: A New Frontier in Microsoft Account Compromise (CSO Online / Proofpoint)
Attackers impersonate SharePoint and DocuSign apps, tricking users into granting long-lived tokens—MFA bypass included.
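The “review existing grants” step above is easy to state and tedious to do by hand. The script below is an added example (not code from the digest, Proofpoint or Microsoft) that scores a tenant’s delegated OAuth grants the way a reviewer would: it combines the consent type, the publisher-verification status, the scopes granted, and whether the app name mimics a commonly impersonated brand. The two input lists use the field names of the Microsoft Graph `/servicePrincipals` and `/oauth2PermissionGrants` resources; the records themselves are constructed for illustration, and the high-risk scope list and brand list are the author’s assumptions, not a Microsoft-published taxonomy.

```python
"""Flag risky delegated OAuth2 grants in a Microsoft 365 tenant.

Added example, not part of the original digest. Input shape follows the Graph
resources servicePrincipals and oauth2PermissionGrants; all records below are
constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass

# Assumption: delegated scopes that give an app durable or broad data access.
# offline_access matters most: the refresh token outlives a password reset.
HIGH_RISK_SCOPES = {
    "offline_access",
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "Contacts.Read", "User.Read.All",
}

# Assumption: brands whose names consent-phishing apps tend to borrow.
IMPERSONATED_BRANDS = ("sharepoint", "docusign", "onedrive", "adobe")


@dataclass
class Finding:
    app_name: str
    app_id: str
    principal_id: str | None   # None for tenant-wide (admin) consent
    reasons: list[str]


def flag_risky_grants(service_principals: list[dict], grants: list[dict]) -> list[Finding]:
    """Return one Finding per grant that combines risky scopes with a weak trust signal."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings: list[Finding] = []
    for g in grants:
        sp = sp_by_id.get(g["clientId"])
        if sp is None:
            continue  # orphaned grant; review separately
        reasons: list[str] = []
        scopes = set(g.get("scope", "").split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        user_consent = g.get("consentType") == "Principal"   # granted by one user
        if user_consent:
            reasons.append("granted by an individual user, not an admin")
        verified = (sp.get("verifiedPublisher") or {}).get("displayName")
        if not verified:
            reasons.append("publisher not verified")
        name = sp.get("displayName", "").lower()
        lookalike = any(b in name for b in IMPERSONATED_BRANDS) and not verified
        if lookalike:
            reasons.append("name resembles a well-known brand but publisher is unverified")
        # Report when broad scopes meet a weak trust signal, or on a brand lookalike.
        if (risky and (user_consent or not verified)) or lookalike:
            findings.append(Finding(sp.get("displayName", "?"), sp.get("appId", "?"),
                                    g.get("principalId"), reasons))
    return findings


# Constructed sample data (not from any real tenant).
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "11111111-0000-0000-0000-000000000001",
     "displayName": "SharePoint Online Sync", "verifiedPublisher": None},
    {"id": "sp-2", "appId": "22222222-0000-0000-0000-000000000002",
     "displayName": "Microsoft Teams", "verifiedPublisher": {"displayName": "Microsoft"}},
    {"id": "sp-3", "appId": "33333333-0000-0000-0000-000000000003",
     "displayName": "Expense Helper", "verifiedPublisher": {"displayName": "Contoso Apps"}},
]
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-1",
     "scope": "offline_access Mail.Read Files.ReadWrite.All"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-2",
     "scope": "offline_access Mail.ReadWrite"},
    {"clientId": "sp-gone", "consentType": "Principal", "principalId": "user-3",
     "scope": "Mail.Read"},
]

if __name__ == "__main__":
    for f in flag_risky_grants(SERVICE_PRINCIPALS, GRANTS):
        print(f"{f.app_name} ({f.app_id}) user={f.principal_id}")
        for r in f.reasons:
            print("  -", r)
```

Run against a real export, the first finding type (unverified publisher, brand-like name, user consent, `offline_access` plus mailbox or file scopes) is the pattern the Proofpoint research describes; revoking the grant is not enough on its own, since the refresh token must also be invalidated and user consent should be restricted to admin-approved or verified-publisher apps.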
Microsoft 365 Direct Send Abused for Internal Phishing (Cybersecurity News)
Criminals use legitimate tenant relay to send spoofed internal messages, evading SEG and SPF checks; sophistication: high.
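“Monitor header anomalies” is the actionable part of the Direct Send story, so here is an added example (not code from the digest or from Microsoft) showing what those anomalies look like in headers and how to test for them. A Direct Send message is addressed from one of the tenant’s own domains but enters through the tenant’s MX endpoint (`*.mail.protection.outlook.com`) from an outside IP, so SPF fails and the message is not signed. The script parses the raw headers, pulls out the ingress hop, the SPF/DKIM/DMARC results and the `X-MS-Exchange-Organization-AuthAs` value, and only calls a message suspect when an internal sender address, a non-passing SPF result and an untrusted ingress IP occur together. `INTERNAL_DOMAINS`, `TRUSTED_RELAY_IPS` and both sample messages are constructed assumptions.

```python
"""Detect Microsoft 365 Direct Send abuse from message headers.

Added example, not part of the original digest. Domains, IPs and both raw
messages are constructed for illustration.
"""
import email
import re
from email.utils import parseaddr

INTERNAL_DOMAINS = {"contoso.com"}        # assumption: the tenant's accepted domains
TRUSTED_RELAY_IPS = {"198.51.100.10"}     # assumption: devices allowed to relay via the MX

# "from <helo> (<ipv4>) by <host>" as written in an Exchange Online Received header
MX_HOP = re.compile(r"from\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(\S+)")


def assess_direct_send(raw: str, internal_domains=INTERNAL_DOMAINS,
                       trusted_ips=TRUSTED_RELAY_IPS) -> dict:
    """Return {'internal_sender', 'ingress_ip', 'signals', 'suspect'} for one raw message."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    result = {"internal_sender": from_domain in internal_domains,
              "ingress_ip": None, "signals": [], "suspect": False}
    if not result["internal_sender"]:
        return result  # external senders are handled by the normal SEG/DMARC path

    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = {k: (m.group(1) if (m := re.search(rf"\b{k}=(\w+)", auth)) else "missing")
               for k in ("spf", "dkim", "dmarc")}
    for k, v in results.items():
        if v != "pass":
            result["signals"].append(f"{k}={v}")

    # Earliest hop into the tenant: a Received header whose "by" host is the MX endpoint.
    for hdr in msg.get_all("Received", []):
        m = MX_HOP.search(hdr)
        if m and m.group(3).lower().endswith(".mail.protection.outlook.com"):
            result["ingress_ip"] = m.group(2)
            if m.group(2) not in trusted_ips:
                result["signals"].append(f"entered via MX endpoint from untrusted IP {m.group(2)}")
            break

    auth_as = (msg.get("X-MS-Exchange-Organization-AuthAs") or "").strip().lower()
    if auth_as == "anonymous":
        result["signals"].append("AuthAs=Anonymous (unauthenticated submission)")

    ip = result["ingress_ip"]
    result["suspect"] = results["spf"] != "pass" and ip is not None and ip not in trusted_ips
    return result


# Constructed sample: internal-looking message injected via the MX endpoint.
RAW_SUSPECT = """\
Received: from MW4PR01MB6667.prod.exchangelabs.com (2603:10b6:303:1::4) by
 BN9PR01MB5353.prod.exchangelabs.com with HTTPS; Wed, 30 Jul 2025 13:02:11 +0000
Received: from unknown (203.0.113.45) by contoso-com.mail.protection.outlook.com
 (10.1.2.3) with SMTP; Wed, 30 Jul 2025 13:02:09 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.45)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=contoso.com;
X-MS-Exchange-Organization-AuthAs: Anonymous
From: "Payroll Team" <payroll@contoso.com>
To: alice@contoso.com
Subject: Updated direct-deposit form

Please review the attached form.
"""

# Constructed sample: genuine intra-tenant message, never touches the MX endpoint.
RAW_INTERNAL = """\
Received: from BN9PR01MB5353.prod.exchangelabs.com (2603:10b6:408:1::5) by
 MW4PR01MB6667.prod.exchangelabs.com with HTTPS; Wed, 30 Jul 2025 13:10:00 +0000
Authentication-Results: spf=pass (sender IP is 40.107.0.10) smtp.mailfrom=contoso.com;
 dkim=pass (signature was verified) header.d=contoso.com;
 dmarc=pass action=none header.from=contoso.com;
X-MS-Exchange-Organization-AuthAs: Internal
From: alice@contoso.com
To: bob@contoso.com
Subject: Lunch

Noon?
"""

if __name__ == "__main__":
    for label, raw in (("suspect", RAW_SUSPECT), ("internal", RAW_INTERNAL)):
        r = assess_direct_send(raw)
        print(label, "->", "SUSPECT" if r["suspect"] else "ok", r["signals"])
```

The trusted-IP list is what keeps legitimate Direct Send users (printers, scanners, line-of-business apps relaying through the MX) out of the alert queue; any device not on that list should be moved to an authenticated SMTP submission or a partner connector, and if no device needs Direct Send at all, the tenant-level option Microsoft provides to reject it removes the path entirely.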
Vishing & Help Desk
Scattered Spider’s Advanced Social Engineering Hits Critical Infrastructure (CybersecurityNews)
Group blends SIM-swap, vishing, and push-bombing to access VMware ESXi and cloud consoles; utilities sector, sophistication: high.
MFA Fatigue & Identity Operations
Joint CISA *Updated* Advisory on Scattered Spider
Update stresses push-bombing and credential-stuffing success rates.
Updates:
Adds TTPs through June 2025 and notes Scattered Spider now deploying DragonForce ransomware alongside data-theft extortion.
Identity attacks still central: help-desk impersonation to reset passwords, push bombing and SIM swaps to move MFA, plus abuse of legit remote tools and new RattyRAT malware.
Mitigations: adopt phishing-resistant MFA (FIDO/WebAuthn), lock down and monitor remote access tools, and review updated IOCs/detections.
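Push-bombing leaves a clear footprint in sign-in telemetry: a run of denied or timed-out MFA prompts for one account inside a few minutes, often followed by a single approval when the user gives in. The detector below is an added example (not from the CISA advisory or any vendor) that runs that logic over a constructed, simplified sign-in log. Field names (`user`, `time`, `mfa`, `ip`) are the author’s simplification; in Entra ID sign-in logs the equivalent denied/timed-out prompt is usually visible as a failed sign-in with the strong-authentication error, and the mapping into this shape is left to the reader. The threshold and window are assumptions to tune.

```python
"""Detect MFA push-bombing (MFA fatigue) bursts in sign-in events.

Added example, not part of the original digest. The events below are
constructed sample data in a simplified sign-in log shape.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: bob is bombed and eventually approves, alice has
# two isolated prompts hours apart, carol is bombed but never approves.
SAMPLE_EVENTS = [
    {"user": "bob@contoso.com",   "time": "2025-07-30T08:00:05Z", "mfa": "denied",   "ip": "198.51.100.7"},
    {"user": "bob@contoso.com",   "time": "2025-07-30T08:01:10Z", "mfa": "denied",   "ip": "198.51.100.7"},
    {"user": "alice@contoso.com", "time": "2025-07-30T08:01:30Z", "mfa": "denied",   "ip": "192.0.2.20"},
    {"user": "bob@contoso.com",   "time": "2025-07-30T08:02:30Z", "mfa": "denied",   "ip": "198.51.100.7"},
    {"user": "bob@contoso.com",   "time": "2025-07-30T08:03:45Z", "mfa": "denied",   "ip": "198.51.100.7"},
    {"user": "bob@contoso.com",   "time": "2025-07-30T08:04:50Z", "mfa": "denied",   "ip": "198.51.100.7"},
    {"user": "bob@contoso.com",   "time": "2025-07-30T08:06:20Z", "mfa": "approved", "ip": "198.51.100.7"},
    {"user": "alice@contoso.com", "time": "2025-07-30T10:15:00Z", "mfa": "approved", "ip": "192.0.2.20"},
    {"user": "carol@contoso.com", "time": "2025-07-30T12:10:00Z", "mfa": "denied",   "ip": "203.0.113.9"},
    {"user": "carol@contoso.com", "time": "2025-07-30T12:10:40Z", "mfa": "denied",   "ip": "203.0.113.9"},
    {"user": "carol@contoso.com", "time": "2025-07-30T12:11:30Z", "mfa": "denied",   "ip": "203.0.113.9"},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_bombing(events, threshold: int = 3, window: timedelta = timedelta(minutes=10)):
    """Return one finding per user whose densest run of denied prompts reaches `threshold`.

    A finding records the burst size and bounds, the source IPs involved, and whether
    an approval followed the burst within `window` (the classic fatigue outcome).
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((_ts(e["time"]), e["mfa"], e["ip"]))

    findings = []
    for user, evs in by_user.items():
        evs.sort()
        denials = [t for t, r, _ in evs if r == "denied"]
        best = None  # (count, first_denial, last_denial) of the densest window
        for i, start in enumerate(denials):
            j = i
            while j + 1 < len(denials) and denials[j + 1] - start <= window:
                j += 1
            n = j - i + 1
            if best is None or n > best[0]:
                best = (n, start, denials[j])
        if best is None or best[0] < threshold:
            continue
        n, first, last = best
        approved_after = any(r == "approved" and last < t <= last + window for t, r, _ in evs)
        findings.append({
            "user": user,
            "denials": n,
            "burst_start": first.isoformat(),
            "burst_end": last.isoformat(),
            "source_ips": sorted({ip for t, r, ip in evs if r == "denied" and first <= t <= last}),
            "approved_after_burst": approved_after,
        })
    return findings


if __name__ == "__main__":
    for f in detect_push_bombing(SAMPLE_EVENTS):
        outcome = "APPROVED after burst: treat as compromise" if f["approved_after_burst"] \
            else "no approval: reset credentials, the password is known"
        print(f"{f['user']}: {f['denials']} denials {f['burst_start']}..{f['burst_end']} "
              f"from {f['source_ips']} -> {outcome}")
```

Both outcomes deserve a response: a burst followed by an approval is a probable account takeover and the session should be revoked, while a burst with no approval still means the attacker holds a valid password (the prompt only fires after a correct first factor). Number matching or FIDO/WebAuthn, as the advisory recommends, removes the approve/deny decision the attack depends on.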
Scattered Spider Infiltrating Slack and Teams (ITPro)
Attackers pivot from initial phish into chat to harvest additional creds and move laterally; the retail sector is impacted.
Deepfakes & Impersonation
Microsoft Azure AI Speech Update Raises Deep-Fake Concerns (The Register)
New model clones voices from seconds of audio. Risk: phone BEC and vishing.
AI Tools Empowering Scammers in Crypto Thefts
Deep-fake video and malicious code drain wallets; financial sector, high sophistication.
Universal Deepfake Detector Hits 95-99% Accuracy
Promising research but still lab-bound; consider piloting for high-risk comms.
Spear-Phishing & Targeted Malware
APT28’s LameHug AI-Powered Malware
Spear-phishing against Ukraine’s defense sector drops LLM-driven payloads that build commands on the fly; sophistication: high. ATT&CK: T1566, T1608.
0bj3ctivityStealer Unveiled
Phish delivers heavily obfuscated .NET stealer; gov/manufacturing targets.
Sector Spotlight
Financial Services: Phishing and wallet-drainer campaigns remain the fastest path to direct monetary loss.
Quick controls: Geo-fence crypto-related traffic; require out-of-band confirmation for any wallet changes.
Training Corner
A few ideas on how to spread awareness:
3-minute video: “How attackers abuse OAuth pop-ups—what to look for.”
Slack blurb: “Unexpected MFA prompt? Deny it and call the help desk immediately.”
Add a call-back script for finance to verify any voice request to change payment details.
Social Chat (Slack/Teams) & Internal Comms