Cybersecurity company Guardz is warning Microsoft 365 users about a new phishing scam backed by social engineering tactics making the rounds. This isn’t an average scam as attackers trick people into calling fake support numbers using Microsoft 365 infrastructure, putting their login details and accounts at risk.

How the Attack Works

Unlike typical phishing attempts using typosquatted domains, fake or misspelled email addresses, this campaign operates from within Microsoft’s cloud services. This makes the phishing attempts look convincing, easily bypassing email authentication checks like SPF, DKIM, and DMARC.

The attack also utilizes legitimate Microsoft domains (onmicrosoft.com)and manipulates tenant settings. The scammers also set up multiple Microsoft 365 organization tenants, either by creating new ones or compromising existing accounts. Each tenant has a specific role within the attack framework, allowing the threat actors to operate with anonymity.

One of these fake organizations is used to trigger actions that look like normal business activity, such as starting a subscription. Another fake organization is given a name that includes a fake warning message and a phone number. For example, the organization’s name might appear as something like, “(Microsoft Corporation) Your subscription has been successfully purchased… If you did not authorize this transaction, please call .”

When the attackers trigger an action, like a subscription change, Microsoft 365 automatically sends out legitimate emails about it. Because of how the attackers set up their fake organizations, these official Microsoft emails can end up including the fake warning message and phone number in the sender’s information or organization details.

So, you might receive an email that looks like it’s really from Microsoft, confirming a purchase you didn’t make. The email itself is real in the sense that it came through Microsoft’s systems.

But the alarming message asking you to call a number to dispute the charge? That’s the scam. If someone calls the number, they’re connected with the attackers, who then try to steal sensitive information like passwords or trick them into installing malicious software.

Why This Scam Is Effective

This approach is effective for several reasons. Since the emails come from Microsoft’s legitimate systems, they often pass standard security checks that look for fake domains or suspicious links. The emails look official, complete with Microsoft branding. And the urgent message about an unauthorized charge can cause people to act quickly without thinking.

According to Guardz’s report shared with Hackread.com ahead of its publishing on Thursday, this attack is tricky to spot because it uses legitimate services for malicious purposes. Traditional email security measures that check sender reputations or look for fake links might miss this.

The Possible Impact

The implications of this phishing campaign could be significant. Businesses and individuals who fall victim can suffer from credential theft, financial loss, account takeovers or installing malware on their systems. The attack’s dependence on voice channels also makes it more challenging to detect and prevent, as fewer security controls exist in direct phone communications.

Protecting Yourself and Your Business

A few key steps can help prevent these scams. Be wary of unexpected emails about purchases or subscriptions, even if they appear to come from Microsoft. Never call phone numbers listed in emails if something feels off, always verify contact details on Microsoft’s official website.

Pay close attention to sender details; while an email might look legitimate, unusual organization names or urgent wording can be red flags. Also, be cautious of messages from unfamiliar “.onmicrosoft.com” domains. Most importantly, train yourself and your employees to recognize phishing tactics, especially those designed to create a sense of urgency around financial threats.

RELATED TOPICS

1. Fake Facebook Copyright Notices to Hijacking Accounts
2. Hackers Using Fake YouTube Links to Steal Login Credentials
3. PayPal Phishing Exploits MS365 Tools, Genuine-Looking Emails
4. Phishing Attacks Can Bypass Microsoft 365 Email Safety Warnings
5. Astaroth Phishing Kit Bypasses 2FA, Hijacks Gmail, Microsoft Emails

OBSCURE#BAT malware campaign exploits social engineering & fake software downloads to evade detection, steal data and persist on systems. Learn how to stay safe.

Cybersecurity researchers at Securonix Threat Labs have spotted a new malware campaign called OBSCURE#BAT. This campaign uses social engineering tactics and fake software downloads to trick users into executing malicious code, enabling attackers to infect systems and avoid detection.

The attack begins with a user executing a malicious batch file, which is often disguised as legitimate security features or malicious software downloads. Once executed, the malware establishes itself by creating scheduled tasks and modifying the Windows Registry to operate even after the system reboots.

The malware then uses a user-mode rootkit to hide its presence on the system, making it difficult for users and security tools to detect. The rootkit can hide files, registry entries, and running processes, allowing the malware to embed further into legitimate system processes and services.

Fake Captchas and Malicious Software Downloads

As seen in recent similar campaigns, hackers have been leveraging typosquatting and social engineering tactics to present fake products as legitimate within their supply chains. This includes:

Masquerading Software: Attackers also disguise their malicious files as trustworthy applications, such as Tor Browser, SIP (VoIP) software or Adobe products, increasing the chances that users will execute them.

Fake Captchas: Users may encounter a fake captcha, especially the Cloudflare captcha feature, that tricks them into executing malicious code. These captchas often originate from typosquatted domains, resembling legitimate sites. When users attempt to pass the captcha, they are prompted to execute code that has been copied to their clipboard.

Evasion Techniques

The OBSCURE#BAT malware campaign is a major cybersecurity threat to both individuals and organizations, primarily due to its ability to compromise sensitive data through advanced evasion techniques. These include:

API Hooking: By using user-mode API hooking, the malware can hide files, registry entries, and running processes. This means that common tools like Windows Task Manager and command-line commands cannot see certain files or processes, particularly those that fit a specific naming scheme (e.g., those starting with “$nya-“).

Registry Manipulation: It registers a fake driver (ACPIx86.sys) in the registry to ensure further persistence. This driver is linked to a Windows service, allowing it to execute malicious code without raising suspicion.

Stealthy Logging: The malware monitors user interactions, such as clipboard activity, and regularly writes this data to encrypted files, further complicating detection and analysis.

Countries Targeted in the OBSCURE#BAT Attack

According to Securonix’s detailed technical report, shared with Hackread.com before its official release on Thursday, the malware appears to be financially motivated or aimed at espionage, targeting users primarily in the following countries:

• Canada
• Germany
• United States
• United Kingdom

How to Protect Yourself from the OBSCURE#BAT Attack

While common sense is a must when downloading software or clicking on unknown links, users and organizations should also follow these key security measures to protect their systems from OBSCURE#BAT and similar threats:

• Clean downloads: Only download software from legitimate websites, and be wary of fake captchas and other social engineering tactics.

• Use endpoint logging: For organizations, deploy endpoint logging tools, such as Sysmon and PowerShell logging, to enhance detection and response capabilities.

• Monitor for suspicious activity: Regularly monitor systems for suspicious activity, such as unusual network connections or process behaviour.

• Use threat detection tools: Consider using threat detection tools, such as behavioural analysis and machine learning-based systems, to detect and respond to threats like OBSCURE#BAT.

The US extradites LockBit ransomware developer, Rostislav Panev, from Israel. Learn how his arrest impacts the fight against cybercrime and understand LockBit’s devastating impact.

The United States has achieved a significant victory in its ongoing battle against cybercrime with the extradition of Rostislav Panev, a 51-year-old dual Russian and Israeli national, who is accused of being a key developer of the notorious LockBit ransomware. 

Panev is alleged to have been deeply involved in the development and maintenance of the LockBit ransomware from its inception around 2019 until at least February 2024. During this period, he and his co-conspirators are believed to have transformed LockBit into what the Department of Justice (DoJ) describes as “the most active and destructive ransomware group in the world.”

The group, operating as a ransomware-as-a-service (RaaS) model, is believed to have targeted over 2,500 victims across at least 120 countries, including approximately 1,800 victims within the United States. These victims spanned across critical sectors, encompassing hospitals, schools, and government agencies, causing widespread disruption and financial losses.

The financial impact of LockBit’s activities is staggering. According to the DoJ, the group successfully extracted at least $500 million in ransom payments, while causing billions of dollars in additional losses through lost revenue and recovery costs. Evidence uncovered by law enforcement indicates Panev’s direct involvement in the development of tools that facilitated these attacks.

“The LockBit group attacked more than 2,500 victims in at least 120 countries around the world, including 1,800 in the United States. Their victims ranged from individuals and small businesses to multinational corporations, including hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies,” the DoJ’s press release revealed.

Authorities discovered administrator credentials on his computer, granting access to a dark web repository containing the source code for multiple versions of the LockBit builder, which enabled affiliates to generate custom malware.

They also found source code for the StealBit tool, used to exfiltrate stolen data, and evidence of direct communications between Panev and Dmitry Yuryevich Khoroshev, the alleged primary administrator of LockBit. They were charged by the DoJ, discussing development work on the LockBit builder and control panel.

Furthermore, financial records revealed cryptocurrency transfers exceeding $230,000 from Khoroshev to Panev between June 2022 and February 2024, providing concrete evidence of their financial relationship. In interviews with Israeli authorities, Panev reportedly admitted to performing coding, development, and consulting work for LockBit, confirming the regular cryptocurrency payments he received.

Panev’s extradition from Israel, where he was apprehended in August 2024 following a US provisional arrest request, marks a crucial step in holding individuals accountable for their roles in the devastating ransomware attacks that have plagued organizations worldwide. He has since appeared before a US magistrate and will remain detained pending his trial.

Top/Featured Image: Pixabay/Maxleron

Symantec’s threat hunters have demonstrated how AI agents like OpenAI’s recently launched “Operator“ could be abused for cyberattacks. While AI agents are designed to boost productivity by automating routine tasks, Symantec’s research shows they could also execute complex attack sequences with minimal human input.

This is a big change from older AI models, which could only provide limited help in making harmful content. Symantec’s research came just a day after Tenable Research revealed that the AI chatbot DeepSeek R1 can be misused to generate code for keyloggers and ransomware.

In Symantec’s experiment, the researchers tested Operator’s capabilities by requesting it to:

• Obtain their email address
• Create a malicious PowerShell script
• Send a phishing email containing the script
• Find a specific employee within their organization

According to Symantec’s blog post, though the “Operator“ initially refused these tasks citing privacy concerns, researchers found that simply stating they had authorization was enough to bypass these ethical safeguards. The AI agent then successfully:

• Composed and sent a convincing phishing email
• Determined the email address through pattern analysis
• Located the target’s information through online searches
• Created a PowerShell script after researching online resources

Watch as it’s done:

J Stephen Kowski, Field CTO at SlashNext Email Security+, notes that this development requires organizations to strengthen their security measures: “Organizations need to implement robust security controls that assume AI will be used against them, including enhanced email filtering that detects AI-generated content, zero-trust access policies, and continuous security awareness training.”

While current AI agents’ capabilities may seem basic compared to skilled human attackers, their rapid evolution suggests more sophisticated attack scenarios could soon become reality. This might include automated network breaches, infrastructure setup, and prolonged system compromises – all with minimal human intervention.

This research shows that companies need to update their security strategies because AI tools designed to boost productivity can be misused for harmful purposes.

The Hague, the Netherlands, March 13th, 2025, CyberNewsWire

Founded in 2024, Modat – the European-crafted, research-driven, AI-powered cybersecurity company, has announced the launch of its premier product, Modat Magnify.   

Designed by and for cybersecurity professionals, the team behind the product aims to speed up the lives of these individuals easier by giving them access to the largest Internet ‘Device DNA’ dataset available. The ‘Device DNA’ catalogues the essential attributes of each internet-connected device to create a unique profile.

• FAST. AI-powered for unparalleled speed. Continuously scanning the entire internet and identify adversary infrastructure in real-time. 
• SMART. Research enhances the development of the platform and offers contextualized data, historical context, and predictive insights. 
• EASY. User-centric UI designed from firsthand experience as cybersecurity professionals From the initial query to the findings result pages, easy-to-filter, read and use.  

“It starts with research to gain insight and build,” says Soufian El Yadmani, CEO & Founder of Modat. “Offensive and defensive professionals shared what solutions they need to be faster and to focus on what they do best. Scanning the internet is just a beginning. Speed, contextual data, and insight is vital to our products and services. Our ‘Device DNA’ gives value in the results to increase proactive efforts and build cyber resilience.” 

“Protecting your country takes clear insight into internet connected devices. Modat helps you to protect your country’s infrastructure with this insight,” emphasized Vincent Thiele, COO & Co-Founder of Modat. “We support communities to improve the health of the Internet and deliver products to help make the internet a safer place.”

Recent research covered by 35+ media outlets Global Impact:

Users can learn more:

Pricing & Access:  

• FREE:  covers most basic use cases. Solid start for many security professionals 
• Practitioner: €20/m  
• Professional: €60/m 
• Business: €400/m 
• Enterprise: tailored solutions for more complex needs of organisations and governments 

About Modat

Modat, founded in 2024 is the European-crafted, AI-powered, research-driven cybersecurity company dedicated to helping security professionals outpace adversaries and stay ahead of evolving threats. Their flagship product, Modat Magnify, provides access to the world’s largest Internet “Device DNA” dataset.  

Modat was created by researching, listening to, and directly experiencing the needs and challenges of security professionals. Their products enable the security community by giving access to unparalleled speed, contextualized data, and predictive insights.  

By design, the Modat Magnify platform helps offensive and defensive professionals by giving them a fast, smart, easy way to stop searching and start finding. Our ‘Device DNA’ catalogues the essential attributes of each internet-connected device to create a unique profile to support proactive cybersecurity. 

Modat empowers individuals, companies, and governments to strengthen their security posture and increase cyber resiliency. The team actively joining the fight to get ahead of cyber-attacks by narrowing the growing gap between digital threats and resilience. Join us to outpace and outlast.

Contact:

modat.io

LIn:

Bluesky:

For quotes/to schedule an interview, users can reach: 

Soufian El Yadmani – CEO & Founder 

Email: [email protected]  

LinkedIn: 

Vincent Thiele – COO & Co-Founder 

Email: [email protected]  

LinkedIn:

Contact

Head of Marketing
Bessie Schenk
Modat
[email protected]