Welcome to this week’s edition of the Threat Source newsletter.
“Study hard what interests you the most in the most undisciplined, irreverent and original manner possible.” ― Richard Feynman
“I had discovered that learning something, no matter how complex, wasn’t hard when I had a reason to want to know it.” ― Homer Hickam, Rocket Boys
*looks around at – gestures – everything*
*opens a new tab in the browser, takes in the newest news on AI, a new tab on supply chains, a new tab on vulnerability, and a new tab on active exploitation and zero-days*
*closes tabs and throws laptop into the nearest bin, à la Ron Swanson*
*opens other laptop, avoids the internet*
*puts on headphones for deep work binaural audio*
*cracks knuckles*
I’m often asked about why I bring up board games and video games when interviewing perspective analysts or threat hunters, so I’m going to give the 8,000 foot view on my thoughts. With everything that is going on, now more than ever we need the most curious people on the planet on our side.
What’s the very first and most important step to securing any environment? Knowing the environment, inside and out. When you play any gameyou must understand the rules: the standard opening moves of chess, or Go, or perhaps the common resource-gathering patterns in strategy games. Once you understand what “normal” play looks like, you can immediately spot when an opponent makes a move that is inefficient or unusual — an anomalous trigger that, if spotted, can lead to victory.
When experienced players recognize patterns (a specific chess gambit, a defensive build in a strategy game, etc.), they don’t just react to the current move — they predict several moves into the future from both players, especially if they know their opponents’ tendencies. As players gain experience and play against other skilled players, they begin involving feints or decoys (false flags, if you will). A player might sacrifice a minor piece to distract you from their true objective. Learning to look past that “noise” to find the real motivation is the key to taking your experience and skill to the next level.
Threat actors rarely follow a predictable script. They constantly evolve tactics, techniques, and procedures (TTPs). Developing the mental flexibility to handle those unexpected, non-standard behaviors is essential in identifying the unknowns.
The transition from board games to threat hunting is rooted in the development of critical thinking and situational awareness. While board games provide a controlled environment to practice these skills, the core competency — that ability to identify the why behind a deviation — is exactly what will make you a successful threat hunter.
“I prefer to speak in metaphor: That way, no logic can trap me, and no rule can bind me, and no fact can limit me or decide for me what’s possible.” ― Claire Oshetsky, Chouette
The one big thing
Cisco Talos has observed threat actors weaponizing legitimate SaaS notification pipelines, such as those in GitHub and Jira, to deliver phishing and spam emails. By leveragingthese platforms’ official infrastructure, attackers bypass traditional email authentication protocols like SPF, DKIM, and DMARC. This “Platform-as-a-Proxy” (PaaP) technique exploits the implicit trust organizations place in system-generated notifications to facilitate credential harvesting. These campaigns effectively mask malicious intent behind the reputation of trusted enterprise tools.
Why do I care?
Traditional email security gateways are often blind to these attacks because the emails are technically authenticated and originate from verified, trusted domains. This technique exploits “automation fatigue,” where users are conditioned to reflexively trust system-generated alerts from business-critical platforms. Consequently, attackers can bypass standard perimeter defenses, making it harder to distinguish between legitimate business communications and sophisticated phishing attempts.
So now what?
Transition to a Zero-Trust approach by implementing instance-level verification and cross-referencing notifications against internal SaaS directories. Security teams should ingest SaaS API logs into their SIEM to detect anomalous precursor activities, such as suspicious project creation or mass invitations. Additionally, introduce friction for high-risk interactions by requiring out-of-band verification and apply semantic intent analysis to identify notifications that deviate from a platform’s established functional baseline.
Top security headlines of the week
Tech giants launch AI-powered “ProjectGlasswing” Major technology companies have joined forces in an effort to use advanced artificial intelligence to identify and address security flaws in the world’s most critical software systems. (CyberScoop)
Russian government hackers broke into thousands of home routers to steal passwords Fancy Bear, or APT 28, is known for its high-profile hacks and spying operations, including the breach of the U.S. Democratic National Committee in 2016 and the destructive hack that hit satellite provider Viasat in 2022. (TechCrunch)
Storm-1175 deploys Medusa ransomware at “high velocity” Storm-1175 has rapidly exploited more than a dozen n-days, the most recent of which is CVE-2026-1731, a critical remote code execution flaw in BeyondTrust Remote Support and older versions of the vendor’s Privileged Remote Access. (Dark Reading)
North Korean hackers poseastrading firm to steal $285M from Drift A group of individuals approached Drift staff at a “major crypto conference,” presenting as a professional quantitative trading firm. They went so far as to deposit $1M of their own money into a Drift Ecosystem Vault between December 2025 and January 2026. (HackRead)
Telehealth giant Hims & Hers says its customer support system was hacked A spokesperson for Hims & Hers said the company was hit by a social engineering attack, and the stolen data “primarily included customer names and email addresses.” (TechCrunch)
Can’t get enough Talos?
New Lua-based malwareobservedin targeted attacks against Taiwanese organizations Cisco Talos uncovered a cluster of activity we track as UAT-10362 conducting spear-phishing campaigns against Taiwanese non-governmental organizations (NGOs) and suspected universities to deliver a newly identified malware family, “LucidRook.”
Vulnerabilities old and new and something React2 2025 was characterized by an unending beat-down on infrastructure that relied on older enmeshed dependencies (e.g., Log4j and PHPUnit), while React2Shell rocketed to the highest percentage of attacks for the entire year within the last three weeks of the year.
From the field to the report and back again The same Year in Review report that Talos IR casework feeds into is the report that defenders should be feeding back into their own preparation cycles. Here’s how you can start.
Talos Takes:2025’sransomware trends and zombie vulnerabilities In this episode, Amy and Pierre Cadieux unpack the ransomware and vulnerability trends that defined 2025. From the persistent ransomware threats targeting the manufacturing sector to the rise of stealthy “living off the land” tactics, we break down what these shifts mean for your defense strategy.
The free Tubi TV video streamer now integrates with ChatGPT so you can ask the AI to search the site’s lineup of more than 300,000 movies and TV episodes.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-09 17:06:402026-04-09 17:06:40I use ChatGPT’s new Tubi app to find free movies and TV shows to watch – here’s how
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-09 15:09:582026-04-09 15:09:58The best dedicated web hosting of 2026: Expert tested and reviewed
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-09 13:06:422026-04-09 13:06:42My top 5 Linux desktops of 2026 (so far) – and I’ve tried them all
Austin, Texas, United States, 9th April 2026, CyberNewswire
Hackread – Cybersecurity News, Data Breaches, AI and More – Read More
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-09 13:06:412026-04-09 13:06:41Mallory Launches AI-Native Threat Intelligence Platform, Turning Global Threat Data Into Prioritized Action
BTS, a global K-pop phenomenon, has recently made a comeback from an almost four-year hiatus: the members of the group were completing mandatory military service in South Korea. For this reason it comes as no surprise that cybercriminals have taken advantage of the band’s highly anticipated world-tour — ARIRANG — to launch a campaign of fake websites targeting fans eager to buy tickets.
We’ve identified at least 10 fraudulent domains that mimic the official pre‑sale pages for the band’s concerts in Argentina, Brazil, Chile, Colombia, France, Mexico, Peru, Portugal, and Spain — all created in early April. We explain how the scammers operate, and how to avoid buying fake tickets.
How the fake ticket scam works
Due to the high demand for the world-tour tickets, some of the event organizers prepared additional measures to ensure there are no ticket scalpers. In Brazil, the ticketing services adopted a “pre‑booking” format: the user first makes an online reservation, and then pays in person at the box office. Although in essence a good idea, the change has caused confusion among fans and created an opportunity for criminals to commit fraud.
Scammers create pages that are nearly identical to the official ones, replicating the layout, design, and the entire purchasing journey. For ordinary users, the experience seems completely legitimate. The links to these websites are circulating on social media — mainly on Instagram.
In Brazil, victims are prompted to make payments via PIX — an instant payment system operated by the Central Bank of Brazil. In some cases, the sites even simulate a card‑payment option, but claim high demand or system errors to pressure users into choosing PIX. PIX payments are then directed to money mule accounts — making it difficult to recover the funds.
Fake website imitating the Brazilian Ticketmaster. The design is almost indistinguishable from the original
This fake Brazilian website makes it seem as if the user can choose between card payment and instant payment. In reality, choosing the bank card option always results in fake “errors”. In the end, the victim is left with no choice but to pay via the PIX system
This scam page targeted at Mexican fans is selling a fake BTS membership. It’s a fraudulent copy of Weverse — a legitimate website that hosts K-pop communities and sells fan-club memberships
This is the French version of a fake Ticketmaster
The scam is a perfect example of how social engineering works. It exploits a massive and highly engaged fanbase — leading many users to act impulsively. The fake “errors” that the website displays during payment create a sense of urgency and cause panic — the scammers are well aware of how quickly BTS tickets sell out. In addition, doubts about the new purchasing system established by the event organizers help criminals make fake websites even more convincing.
How to protect yourself from ticket scams
If you really want to get tickets to your favorite group’s concert but not fall victim to the scammers, it’s important to keep these basic cybersecurity rules in mind:
Access only official ticketing services, which you can find on the official page dedicated to BTS’s tour. Type the website address directly into your browser, and avoid links received via messages, social media, or email.
Check the domain carefully. Slight changes in the address often indicate fraud. This includes additional dashes, unusual territorial domains, and hardly-noticeable changes like replacing a lowercase “l” (L) with an uppercase “I” (i).
Check the website for Privacy Policy and Terms of Use pages. If they’re missing, you’re definitely visiting a fake website. But remember: their presence doesn’t guarantee that the site is legitimate. With modern AI, generating such pages takes only a few seconds.
Carefully check the sales format for each country. In Brazil, payment should only be made in person, so any request for online payment during the pre‑sale is a strong indication of a scam. Other countries and event organizers may offer online payments.
If you’ve been scammed, immediately contact your bank. If you provided bank card information to the criminals, you should reissue your card to prevent further unauthorized payments.
Enable banking alerts. Real-time notifications allow you to quickly identify suspicious transactions.
Use cybersecurity protection that detects and automatically blocks fraudulent websites. Kaspersky Premium, our robust cybersecurity solution, also shuts down phishing attempts, protects your personal data, and helps safeguard your identity.
Beware of “free” or “discounted” tickets. Ultimately, there’s never such a thing as a free lunch — especially when it comes to world‑famous music groups.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-09 13:06:342026-04-09 13:06:34Fake BTS ARIRANG tour tickets: K-pop fans being targeted by scammers | Kaspersky official blog
Germany’s economy is a precision machine: finance fuels it, manufacturing builds it, telecom connects it, IT optimizes it, and healthcare sustains it. The country sits at the crossroads of industrial power and digital transformation, making it irresistibly attractive to attackers.
In this article, we explore real-world attacks targeting five critical German industries, analyzed by ANY.RUN’s analysts using Interactive Sandbox and Threat Intelligence Lookup. Each case is not theory. It is a live wire, recently observed, carefully dissected.
Executive Summary
Germany’s top industries are under coordinated pressure, not isolated attacks.
Identity is the new perimeter: attackers are bypassing infrastructure defenses by hijacking sessions and abusing legitimate authentication flows.
Phishing has evolved into real-time session interception, rendering traditional MFA insufficient on its own.
Attackers adapt lures to business context, increasing success rates against employees.
Threat intelligence is no longer optional: it is critical for reducing detection time, preventing escalation, and protecting revenue
Germany’s Digital Landscape: A High-Value Target
Why Germany?
Largest economy in Europe with strong global ties;
Highly digitized enterprise sector;
Deep reliance on Microsoft 365, cloud services, and SaaS ecosystems;
Critical industries interconnected across supply chains.
Germany’s industrial backbone — the Mittelstand of small and medium-sized enterprises, alongside globally recognized corporations in chemicals, automotive, and engineering — represents a vast attack surface. These organizations often store sensitive IP, manage critical infrastructure, and handle large financial transactions, yet historically have underinvested in cybersecurity relative to their size and importance.
Geopolitics adds fuel to the fire provoking a sharp increase in professional, often state-directed attacks by APT groups (Advanced Persistent Threats) linked to geopolitical conflicts. Germany’s role in the EU, NATO, and global trade makes it a high-value intelligence target for foreign actors.
In 2024, cyberattacks caused approximately €178.6 billion in financial losses to German businesses, equivalent to 67% of all damage from corporate crime. (Bitkom).
83% of German businesses fell victim to ransomware in 2024, according to the Cyber Security Report 2025 by Schwarz Digits.
The BSI’s 2024/2025 reports describe the IT security situation as “tense,” with 309,000 new malware variants appearing daily, ransomware attacks up 77%, and 22 state-sponsored APT groups active on German soil.
Phishing remains the most prevalent attack vector. The BSI confirmed that phishing attacks expanded well beyond the financial sector in 2024, with attackers impersonating streaming services, logistics firms, government agencies, and enterprise software platforms like Microsoft 365.
How German Companies Can Discover Industry-Specific Cyberattacks
ANY.RUN’s Threat Intelligence Lookup, a searchable database of threat data from live malware analysis by a community of over 15K SOC teams, supports the mapping of attack indicators to specific sectors and regions.
A local cyberthreat landscape can be revealed by combining lookups for an industry and a malware sample submission country, and by limiting the search period to see the most recent threats.
1. Finance: FlowerStorm Targets a German Investment Firm
Financial organizations in Germany operate in a high-trust, high-value environment:
Sensitive investment and client data;
Heavy use of cloud-based collaboration tools;
Strict compliance requirements
This makes employee credentials a golden key. Microsoft 365 credential theft is a dominant threat vector in this sector. Attackers seek to compromise corporate email accounts to intercept transactions, conduct Business Email Compromise (BEC) fraud, or use valid credentials as a launchpad for deeper network intrusion.
Threat in Focus: Spearphishing with FlowerStorm
FlowerStorm attack in ANY.RUN’s Interactive Sandbox
Target A German investment company managing portfolios in private equity, real estate, and hedge funds. The attack was precision-targeted: the victim’s corporate email address was embedded directly into the phishing link, encoded in Base64.
Email encoded in spearphishing link
Attack Type Spearphishing (targeted credential theft) for Microsoft 365 accounts. ANY.RUN’s sandbox classified this threat as FlowerStorm — a sophisticated phishing-as-a-service platform known for its multi-stage evasion techniques and precision targeting.
Kill Chain
In this case, the attacks starts with a malicious URL. However, as we can see in other analysis sessions, such links are usually delivered via phishing emails containing a PDF attachment. Inside the PDF is a QR code — a deliberate choice to bypass email-based URL scanners that cannot decode visual content.
The victim scans the QR code and is taken to a landing page with a salary-related lure.
Fake letter about a salary raise
The page loads a FingerprintJS script to profile the victim’s browser before showing any phishing content. This profiling helps attackers filter out security researchers and automated scanners.
Cloudflare Turnstile CAPTCHA is activated, blocking automated analysis tools and sandbox detection attempts.
The victim is redirected to the main phishing domain, which presents a pixel-perfect replica of the Microsoft 365 sign-in page, including a full OAuth flow simulation with client_id, redirect_uri, and response_type parameters.
Credentials entered by the victim are immediately exfiltrated to attacker-controlled infrastructure.
Why It Works FlowerStorm combines multiple layers of evasion (QR codes, browser fingerprinting, CAPTCHA, Base64 encoding) with surgical targeting. The salary-themed lure is psychologically effective: employees in a finance firm expect payroll-related communications, reducing suspicion. The Microsoft 365 OAuth imitation is technically convincing enough to fool even security-conscious users.
2. Healthcare: Microsoft OAuth Abuse Targets a Research Center
This creates a perfect storm for authentication abuse attacks.
Healthcare breaches carry compounded consequences: regulatory penalties under GDPR, reputational damage, potential disruption to patient care, and the loss of research data that may represent years of work and significant public investment.
Threat in Focus: Microsoft OAuth Abuse with Fake Outlook Login
Spearphishing attack personalized by email
Target Germany’s largest medical research center. The attack was highly targeted: the victim’s corporate email appeared in plaintext in the OAuth state parameter and in Base64 in the URL fragment of the phishing page.
Attack Type Phishing via Microsoft OAuth abuse combined with a fake Outlook login page. The attackers exploited Microsoft’s legitimate OAuth 2.0 authentication mechanism, substituting a malicious redirect_uri to capture credentials after the authentication handshake.
Kill Chain
The victim receives a link that begins as a legitimate request to login.microsoftonline.com. The redirect_uri, however, points to a compromised website. The state parameter contains the victim’s email address in plaintext.
If no active Microsoft session exists, Microsoft returns an error=interaction_required response and redirects the user to the redirect_uri, the compromised WordPress site (saicares.com.au), which loads an intermediate invoice.html page.
The intermediate page pulls content from ArDrive (a decentralized storage platform), adding another layer of obfuscation and hosting that is difficult to block.
The victim is redirected to ogbarberschool[.]com — the primary phishing page. The victim’s email appears in the URL fragment both in Base64 and in plaintext, creating a personalized login experience.
The phishing page contains obfuscated JavaScript and displays a convincing fake Outlook login form.
Forged Outlook page
Credentials entered by the victim are exfiltrated via a POST request to jewbreats[.]org/rexuzo/owa/apiowa[.]php. Suricata network rules flagged this as a suspicious unencrypted POST request transmitting an email address.
Personal data exfiltrated to attackers’ server
Why It Works This attack is particularly dangerous because it begins with a genuine Microsoft domain. A victim who inspects the initial link sees a legitimate login.microsoftonline.com URL, providing false reassurance. By the time the malicious redirect occurs, the victim is already engaged. The use of a compromised WordPress site and decentralized storage makes the infrastructure difficult to detect and take down quickly.
3. Technology: Reverse Proxy Phishing Targets an IT Company
IT companies:
Manage infrastructure and credentials;
Have privileged access across systems;
Are often stepping stones for supply chain attacks.
The sector’s familiarity with technology can create a paradoxical blind spot: IT professionals may be more likely to click links in emails that appear technical or work-related, assuming their technical knowledge makes them immune to social engineering.
Threat in Focus: EvilProxy + EvilGinx2 Combined Attack
Phishing detected by ANY.RUN Sandbox
Target A German IT company. The attack targeted a specific employee, whose email was extracted from the data parameter of a Microsoft Safe Links wrapper, indicating the attacker had prior visibility into the target’s email infrastructure.
Attack Type Phishing via a combination of EvilProxy and EvilGinx2: two reverse proxy tools used in tandem. EvilProxy serves as the primary credential harvesting platform, while EvilGinx2 handles session token interception. Together, they create a real-time proxy of Microsoft’s login infrastructure capable of bypassing multi-factor authentication.
Kill Chain
The victim receives a phishing email urging them to “Review document,” a work-relevant lure that fits the daily workflow of an IT professional.
Fake business email with call to action
The embedded link routes through a Mailchimp tracking URL (aviture[.]us7[.]list-manage[.]com), a legitimate email marketing service that lends the link apparent credibility and bypasses reputation-based URL filters.
Mailchimp redirects to larozada[.]com, a compromised WordPress site hosting an intermediate page with a Cloudflare Turnstile CAPTCHA.
After CAPTCHA verification, the victim is routed through a Cloudflare Workers serverless function, which performs additional routing to frustrate analysis and attribution.
The final destination is the main phishing domain (googlmicrozonfaceb0xfileshar3instacloud0fftkdoctormedixxqqw[.]digital) — an EvilProxy instance that reverse-proxies the real Microsoft Login page in real time. The victim sees an authentic Microsoft experience.
As the victim authenticates, EvilProxy intercepts the session cookie. The attacker now has a valid authenticated session. No password or MFA code required.
Why It Works The use of legitimate services (Mailchimp, Cloudflare Workers, WordPress) at each stage of the attack chain makes it nearly impossible for conventional email filters and web gateways to block. The final EvilProxy stage defeats MFA entirely by hijacking the post-authentication session rather than attempting to steal the second factor. This is an adversary-in-the-middle attack that neutralizes one of the most commonly recommended security controls.
Using TI Lookup, we can see that larozada[.]com is intensely correlated with this attack scenario:
Interactive Sandbox contains hundreds of malware samples using this domain
Integrate Threat Intelligence Feeds in your security stack to have it continuously updated with a real-time stream of indicators (domains, URLs, IPs) for early detection and timely response.
Protect revenue, reputation, and operations with enterprise-grade threat analysis and intelligence. Reduce risk with ANY.RUN
Sit at the heart of communications infrastructure;
Handle massive volumes of user data;
Operate complex, distributed environments.
Telecom companies are targeted for multiple strategic reasons: access to customer data at scale, the potential for SIM-swapping attacks, the ability to intercept communications, and the value of internal network access for espionage or infrastructure disruption.
Account takeover via Microsoft 365 credential theft is a priority threat for this sector, as telecom employees use cloud platforms extensively for internal communications, customer management, and operational coordination.
Threat in Focus: EvilProxy without personalization
Phishing page abusing Microsoft services
Target An employee of a German telecommunications company. Unlike the finance and healthcare cases, this campaign used a non-personalized phishing page (no email embedded in the URL) suggesting a broader campaign that may target multiple companies simultaneously rather than a single individual.
Attack Type Phishing via EvilProxy (Phishing-as-a-Service) — a commercial reverse proxy platform that proxies the real Microsoft login page in real time, intercepting session tokens and bypassing MFA without ever needing to steal a password.
Kill Chain
The victim receives a link pointing to portfolio-hrpcjqg[.]format.com/gallery — a legitimate portfolio hosting platform (Format.com). Using a reputable platform as the first hop bypasses domain reputation filters.
Non-personalized phishing page on a legitimate website
Format.com redirects to signin[.]securedocsportal.com/cyb3rusr131 — a phishing domain crafted to resemble a secure document signing portal, a plausible context for a telecom business user.
Cloudflare Turnstile CAPTCHA filters automated scanners and security tools.
After passing CAPTCHA, the victim reaches a page mimicking Microsoft 365 OAuth authorization, complete with client_id and redirect_uri parameters pointing to office.com for added legitimacy.
EvilProxy proxies the real Microsoft Login through its own subdomains, giving the victim a fully functional Microsoft login experience.
The victim enters credentials and completes MFA. EvilProxy intercepts the session cookie in real time, granting the attacker full authenticated access to the victim’s Microsoft 365 account without needing the password or MFA token.
Why It Works EvilProxy is commercially available as a service, dramatically lowering the skill threshold for attackers. The use of a legitimate portfolio platform as the initial URL makes detection by email gateways extremely difficult. The MFA bypass via session cookie theft is highly effective against organizations that believe MFA alone is sufficient protection.
5. Manufacturing: Brand-Impersonation and Teams Lure
Germany’s manufacturing sector:
Is globally dominant;
Relies on internal communication platforms;
Often integrates IT and OT environments.
Germany’s manufacturing sector is the engine of its economy, encompassing global leaders in chemicals, automotive, engineering, and consumer goods. They are also increasingly connected: Industry 4.0 technologies, IoT sensors, operational technology (OT), and cloud-integrated production systems have blurred the line between IT and physical operations.
The consequences of a successful attack extend beyond data loss to potential operational shutdown, physical equipment damage, and supply chain disruption.
Social engineering attacks targeting manufacturing employees are particularly effective because plant-floor and operations staff are not traditionally cybersecurity-trained, and Microsoft Teams has become a standard communication tool across these large organizations.
Threat in Focus: Teams Voice Message Phishing
Fake Microsoft Teams phishing attack
Target A large German industrial conglomerate, a global producer of chemical products and consumer goods. This attack was unusually specific: the phishing domains were registered to include the target company’s name, and the fake login page was styled to match the company’s Microsoft Teams branding — indicating advance reconnaissance.
Attack Type Phishing via EvilProxy using a Microsoft Teams voice message as bait. The attack was delivered via Amazon SES, a legitimate email delivery infrastructure, making it difficult for email security tools to flag based on sender reputation.
Kill Chain
The victim receives an email sent through Amazon SES, notifying them of a missed voice message in Microsoft Teams — a common notification that workers in large organizations receive regularly
Fake email voice message notification
The link leads to voicbx[.]com, a redirect service mimicking a Teams voice notification interface.
Redirects to noncrappyandroidapps[.]com for an anti-bot verification step.
TinyURL then routes the victim to teams-ms365[.]cloud, a phishing domain mimicking Microsoft Teams infrastructure.
The victim lands on a fake Teams voice message page, styled specifically to match the target company’s branding — a degree of customization that indicates prior research into the target.
When the victim attempts to play the voice message, they are redirected to EvilProxy domains that also contain the company’s name in the URL.
The victim enters their credentials into a fake Okta authentication page and completes MFA. EvilProxy intercepts the session cookie, granting the attacker full access to the corporate Microsoft 365 environment without requiring the password or MFA factor.
Why It Works The combination of a highly plausible lure (missed Teams voice message), delivery via Amazon SES (bypassing sender reputation filters), and company-branded phishing pages makes this attack unusually convincing. The use of Okta for the fake authentication page suggests the attackers were aware of the target company’s specific identity infrastructure.
Food for Thought: What CISOs Need to Be Aware Of
1. Five Critical German Industries Are Under Active Attack Right Now
All five cases have been collected between January and March 2026. Finance, healthcare, IT, telecommunications, and manufacturing, the five most economically significant sectors in Germany, are not theoretical targets. They are active targets. This is systematic pressure on the German economy, not isolated incidents.
ANY.RUN’s Threat Intelligence Lookup data reinforces this: searching for EvilProxy and FlowerStorm threats linked to German organizations over the past 60 days returned more than 220 analyses, confirming that these campaigns are ongoing and widespread.
Industries targeted by modern phishing campaigns in Germany
2. Selective Targeting Is a Growing Trend
Several of these attacks show clear signs of advance reconnaissance. Phishing domains were registered with the target company’s name embedded, pages were styled to match corporate branding, and victim email addresses were pre-loaded into URLs. This level of preparation (particularly in the manufacturing case) goes beyond generic mass phishing and suggests attackers are investing in targeted intelligence gathering before launching campaigns. Some cases also used universal phishing pages, indicating a mix of targeted and mass-scale approaches within the same threat actor ecosystem.
3. Social Engineering Is Being Adapted to Professional Context
The lures used in these attacks are not generic. A salary-themed document for a finance employee, a missed Teams voice message for a manufacturing executive, a “Review document” prompt for an IT professional. Attackers appear to be selecting bait that fits the professional context of their targets, increasing click rates and reducing suspicion. This contextual adaptation of social engineering is a significant evolution in phishing tradecraft.
4. Phishing-as-a-Service Platforms Have Democratized MFA Bypass
EvilProxy, EvilGinx2, and FlowerStorm are not bespoke tools used by elite threat actors. They are commercially available phishing platforms sold as services. This means the barrier to launching a sophisticated, MFA-bypassing attack against a German enterprise is now accessible to a broad range of cybercriminals. These platforms proxy real Microsoft login pages in real time, intercept session cookies after successful MFA completion, and provide the attacker with a fully authenticated session — all without ever knowing the victim’s password or one-time code.
Organizations that rely on MFA as their primary defense against credential theft need to understand that adversary-in-the-middle phishing renders standard MFA ineffective. Phishing-resistant MFA (such as FIDO2 hardware keys) and Zero Trust session validation are required to defend against these techniques.
Protecting High-Risk Organizations: A Practical Approach for Decision-Makers
For executives across finance, healthcare, telecom, IT, and manufacturing, cybersecurity is no longer just a technical function. It is a business continuity and risk management discipline.
The attacks described in this article share a common trait: they move fast, abuse trusted services, and bypass traditional defenses.
To counter this, organizations need more than tools. They need a workflow-driven approach, where threat intelligence and malware analysis directly improve how the SOC operates.
Here is how this translates into measurable protection across core SOC workflows.
1. Monitoring: Detect Earlier, Reduce Exposure
The Challenge: Detection gaps, delayed visibility into new campaigns, and high volumes of low-context alerts.
The Challenge: Limited visibility into attack scope and delayed containment decisions.
What to do:
Use Interactive Sandbox to analyze full attack chains (redirects, payloads, exfiltration);
Correlate findings with TI Lookup to understand spread and related infrastructure;
Generate detailed reports for response and compliance.
Incidents are no longer black boxes. Teams gain full kill-chain visibility within seconds and reduce response time significantly
Business impact:
Faster containment and remediation (90% of threats visible in 60 seconds);
Reduced operational disruption;
Lower likelihood of repeat incidents.
Executive outcome: minimized financial and operational impact from active threats.
4. Threat Hunting: Shift from Reactive to Proactive Security
The Challenge: Outdated data, manual validation, and lack of prioritization based on business risk.
What to do:
Use TI Feeds to track emerging threats targeting your industry and region;
Pivot with TI Lookup across related indicators and campaigns;
Use sandbox insights to refine detection logic and hunt hypotheses.
Threat hunting becomes data-driven and context-aware, leveraging live attack activity across thousands of organizations.
Business impact:
Detection of threats before alerts trigger;
Reduced attacker dwell time;
More precise prioritization of high-risk threats.
Executive outcome: improved risk visibility and proactive defense posture.
Operational Impact → Business Outcomes
When these capabilities are aligned across workflows, the effect compounds:
Operational gains:
Faster case processing (minutes saved per investigation);
Higher detection rates (up to +36%);
Fewer escalations and analyst overload;
Shorter incident lifecycle.
Business outcomes:
Reduced risk of breaches and account takeover;
Lower cost of security operations;
Minimized downtime and service disruption;
Stronger compliance and audit readiness;
The difference between a resilient organization and a vulnerable one is not whether attacks happen. It is whether your teams can see threats early, understand them instantly, and act before impact spreads.
By combining TI Feeds (visibility), TI Lookup (context), and Interactive Sandbox (depth), you turn security operations into a measurable business advantage, not just a defensive necessity.
Accelerate investigations and stop threats earlier.
Leverage sandbox visibility and TI to improve SOC performance.
The five attacks documented in this report share a common thread: they are sophisticated, targeted, and actively exploiting the trust that German employees place in familiar platforms like Microsoft 365, Outlook, and Teams. They represent a new generation of phishing campaigns that have moved far beyond bulk spam — into precision-engineered operations that research their targets, customize their lures, and deploy infrastructure specifically designed to survive detection.
The good news is that these attacks are detectable. ANY.RUN’s Interactive Sandbox can analyze suspicious URLs and files in real time, tracing every redirect, every script, every network connection in the attack chain. The Threat Intelligence Lookup provides historical context — showing how many organizations have seen the same indicators, which industries are most targeted, and what threat families are most active.
In an economy where a single successful breach can cost billions and disrupt national supply chains, visibility and speed of response will define resilience.
About ANY.RUN
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.
It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.
ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls.
FAQ
Why are German companies increasingly targeted by cybercriminals?
Germany’s strong economy, high digitalization, and reliance on cloud services make its organizations high-value targets with scalable attack surfaces.
What industries are most at risk?
Finance, healthcare, IT, telecom, and manufacturing show consistently high risk due to data sensitivity, operational complexity, and business impact.
What makes modern phishing attacks more dangerous?
They now use reverse proxy tools and OAuth abuse to capture authenticated sessions, allowing attackers to bypass MFA and access accounts in real time.
What is session hijacking and why does it matter?
Session hijacking allows attackers to steal active login sessions instead of credentials, granting immediate access without needing passwords again.
How does threat intelligence help prevent attacks?
It provides context, detection speed, and visibility into attacker infrastructure, enabling faster decisions and proactive defense.
What is the difference between TI Lookup and TI Feeds?
TI Lookup is used for investigating specific indicators in real time, while TI Feeds provide continuous streams of threat data for proactive blocking.
Can these attacks be stopped before impact?
Yes, with the right combination of threat intelligence, sandboxing, and fast-response workflows, organizations can detect and contain threats early.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-09 13:06:342026-04-09 13:06:34How Phishing Is Targeting Germany’s Economy: Active Threats from Finance to Manufacturing
Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions.
Cyble Research & Intelligence Labs (CRIL) weekly vulnerability report tracked 1,960 vulnerabilities last week, reflecting a continued surge in vulnerability disclosures across enterprise and cloud ecosystems.
Of these, 248 vulnerabilities have publicly available Proof-of-Concept (PoC) exploits, significantly increasing the likelihood of real-world attacks and accelerating exploitation timelines.
Additionally, at least 5 vulnerabilities were actively discussed across underground forums, indicating strong attacker interest and rapid weaponization.
A total of 214 vulnerabilitieswere rated critical under CVSS v3.1, while 57 were rated critical under CVSS v4.0.
Furthermore, CISA added 4 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.
On the industrial side, CISA issued 7 ICS advisories covering 10 vulnerabilities, impacting vendors such as Schneider Electric, WAGO, and PTC.
Weekly Vulnerability Report’s Top 5 CVE’s
CVE-2026-32917 — OpenClaw (Critical)
CVE-2026-32917 is a critical remote command injection vulnerability affecting OpenClaw, an AI agent framework.
The flaw occurs in the iMessage attachment staging workflow, allowing attackers to inject commands into remote systems. Successful exploitation enables arbitrary command execution, potentially leading to full system compromise.
CVE-2026-4747 — FreeBSD RPCSEC_GSS (Critical)
CVE-2026-4747 is a critical stack-based buffer overflow vulnerability in FreeBSD caused by improper bounds checking in packet handling.
Attackers can send specially crafted requests to trigger a stack overflow, resulting in remote code execution with kernel-level privileges, enabling full system takeover.
CVE-2026-31883 — FreeRDP (Critical)
CVE-2026-31883 is a heap-based buffer overflow vulnerability in FreeRDP’s audio decoding components.
A malicious RDP server or man-in-the-middle attacker can exploit this flaw to execute arbitrary code, potentially compromising remote desktop clients and enterprise environments.
CVE-2026-1207 — Django (High)
CVE-2026-1207 is a SQL injection vulnerability in Django applications using PostGIS RasterField lookups.
Insufficient input validation allows attackers to inject malicious SQL queries, leading to data exposure, modification, and potential lateral movement within backend systems.
CVE-2025-53521 — F5 BIG-IP APM (Critical)
CVE-2025-53521 is a critical vulnerability in F5 BIG-IP Access Policy Manager, initially classified as a DoS flaw but later reclassified as unauthenticated remote code execution following active exploitation.
This vulnerability allows attackers to gain full control of access management systems, posing significant risks to enterprise networks.
Data Source: Cyble Vision
Vulnerabilities Added to CISA KEV
CISA continued expanding its KEV catalog, reflecting active exploitation trends.
Notable addition:
CVE-2025-53521 — F5 BIG-IP APM Initially considered a denial-of-service flaw, it was reclassified as a remote code execution vulnerability after evidence of active exploitation emerged.
This shows how vulnerabilities can evolve in severity over time, reinforcing the need for continuous reassessment and monitoring.
Critical ICS Vulnerabilities
CISA issued 7 ICS advisories covering 10 vulnerabilities, with several rated critical.
Data Source: Cyble Vision
CVE-2026-2417 — Pharos Controls (Critical)
This vulnerability involves missing authentication for critical functions in Mosaic Show Controller firmware.
Attackers can exploit this flaw to gain unauthorized control over industrial systems, potentially disrupting operations.
CVE-2025-49844 — Schneider Electric Plant iT/Brewmaxx (Critical)
A use-after-free vulnerability in Schneider Electric’s industrial automation platform can lead to memory corruption and system compromise.
The presence of multiple vulnerabilities in this platform reflects systemic risk across widely deployed industrial environments.
CVE-2026-3587 — WAGO Managed Switches (Critical)
This vulnerability exposes hidden functionality in industrial switches, potentially enabling attackers to bypass controls and gain unauthorized access.
CVE-2026-4681 — PTC Windchill PDMLink (Critical)
This vulnerability involves improper control of code generation and currently has no available patch, leaving organizations exposed.
Grassroots DICOM (High, Unpatched)
A memory management flaw in Grassroots DICOM impacts healthcare imaging systems, with no vendor patch available, increasing risk to medical infrastructure.
Impacted Critical Infrastructure Sectors
Analysis shows that:
Commercial Facilities appear in 70% of ICS vulnerabilities
Critical Manufacturing and Energy each account for 60%
Healthcare, communications, and transportation sectors also face exposure.
Data Source: Cyble Vision
This distribution shows the strong cross-sector dependencies, where vulnerabilities in industrial platforms can cascade into multiple critical infrastructure domains.
Conclusion
This week’s findings highlight a convergence of:
Increasing vulnerability volume and severity
Rapid exploitation cycles driven by PoC availability
Active underground discussion and weaponization
Persistent weaknesses in industrial control systems
With 248 publicly available PoCs, KEV additions confirming active exploitation, and unpatched ICS vulnerabilities, organizations face significant risk across both enterprise IT and operational technology environments.
Key Recommendations
Prioritize vulnerabilities based on exploit availability and operational impact
Patch critical enterprise systems and externally exposed services immediately
Implement strong input validation and secure coding practices
Harden remote access and RDP environments
Segment IT and OT networks to limit lateral movement
Apply compensating controls for unpatched ICS vulnerabilities
Conduct regular vulnerability assessments and penetration testing
Cyble’s attack surface management and vulnerability intelligence solutions enable organizations to identify exposed assets, prioritize remediation, and detect early indicators of compromise. By combining threat intelligence with proactive defense strategies, organizations can effectively mitigate evolving risks across enterprise and critical infrastructure environments