In many countries, spring is the traditional time for filing income tax returns. These documents are a goldmine for bad actors because they contain a wealth of personal data, such as employment history, income, assets, bank account details — the list goes on. It’s no surprise that scammers ramp up their efforts around this time; the internet is currently crawling with fake websites designed to look exactly like government resources and tax authorities.

With deadlines looming and numbers to crunch, the rush to get everything done in good time can cause people to let their guard down. In the shuffle, it’s easy to miss the signs that the site where you’re detailing your finances has zero connection to the revenue service, or that the file you just downloaded, supposedly from a tax inspector, is actually malware.

In this post, we break down how these fraudulent tax agency sites operate across different countries and what you should absolutely avoid doing to keep your money and sensitive information safe.

Taxpayer phishing

This season, attackers have been spoofing tax authority websites across numerous countries, including the official government portals of Germany, France, Austria, Switzerland, Brazil, Chile, and Colombia. On these fraudulent sites, scammers harvest credentials for legitimate services, and steal personal data before offering to process a tax deduction — provided the victim enters their credit card details. In some cases, they even charge a fee for this fraudulent service.

A site imitating the Chilean tax authority. The victim is prompted to enter their credit card information to receive a substantial tax refund — roughly US$375. Instead, the funds are siphoned from the victim’s account directly to the scammers

Sometimes, the tactic involves accusations issued on behalf of government bodies. In the image below, for example, a “head of tax audit” in Paris informs the victim that they provided incomplete income information. To avoid penalties, the user is told to download a document and make corrections immediately. However, the PDF file hides something much worse: malware.

Instead of an official document from the French tax service, the user finds malware waiting inside the PDF

In Colombia, a fake National Directorate of Taxes and Customs site similarly prompts users to download documents that must be “unlocked with a security key”. In reality, this is simply a password-protected, malicious ZIP archive.

After entering the password, the user opens a malicious archive that infects their device

Beyond phishing sites mimicking legitimate resources, our experts have discovered fraudulent websites promising paid services for filling out and auditing tax documents — and stealing high-value data, such as taxpayer identification numbers (TINs), instead.

Tax-free crypto earnings

Cryptocurrency holders have emerged as a specific target for attackers. Fake German tax authorities are demanding that wallet owners “verify their digital asset holdings”, citing EU regulations for tax calculation purposes. And of course, there’s a “silver lining”: it turns out crypto earnings are supposedly tax-exempt! However, to claim this generous benefit, users must go through a “verification” procedure. The site even promises to encrypt data using a “2048-bit SSL protocol”.

To complete the “verification” process, users are prompted to enter their seed phrase — the unique sequence of words tied to a crypto wallet that grants full recovery access. This request is paired with a threat: refusing to provide the data will lead to serious legal consequences, such as fines up to one million euros or criminal prosecution.

Attackers pulled a similar stunt on French users as well. They created a non-existent “Crypto Tax Compliance Portal”, which mimics the design of the French Ministry of Economy and Finance website. The phishing site aggressively demands that French residents submit a “digital asset declaration”.

After the user enters their personal information, the scammers prompt them to either manually enter their seed phrase, or “link” their crypto wallet to the portal. If they go through with this, their MetaMask, Binance, Coinbase, Trust Wallet, or WalletConnect wallets will be drained.

Can AI help with your tax returns?

When you have AI at your fingertips that can instantly generate text and fill out spreadsheets, there’s a serious temptation to delegate everything to it. Unfortunately, this can lead to  serious consequences. First, all popular chatbots process your data on their servers, which puts your sensitive information at risk of a leak. Second, they sometimes make incredibly foolish mistakes, and that can lead to actual trouble with the taxman.

Before you tell a chatbot or an AI agent how much money you made last year — complete with detailed personal and banking info — remember how frequently leaks occur within AI-powered services and consider the risks. Don’t discuss your income with AI, don’t give it personal details like your name or address, and under no circumstances should you upload photos or numbers of vital documents such as passports, insurance info, or social security numbers. Files containing confidential information should be kept in encrypted containers, such as Kaspersky Password Manager.

If you’re still determined to use AI tools, run them locally. This can be done for free even on a standard laptop, and we’ve previously covered how to set up local language models using DeepSeek as an example. However, the quality of the output from these models is often subpar. It’s quite possible that double-checking every digit in an AI-generated response will take more time than just filling out the paperwork manually. Remember, you’re the one accountable to the tax office for any errors — not the AI.

Finally, watch out for phishing AI models that offer “assistance” with tax filing. Kaspersky experts have discovered websites where users are prompted to upload tax invoices, supposedly for the automated generation of returns and deduction claims. Instead, attackers collect this personal data to resell on the dark web, or to use in future phishing attacks, blackmail, and extortion schemes.

The creators of a fake AI tool prompt users to upload tax documents, and kindly assure them that the site doesn’t store any user data. In reality, every piece of information entered — name, address, documents, contact person, phone number — ends up in the hands of cybercriminals

Remember that all legitimate AI services explicitly warn users not to share confidential data, and tax documents certainly fall into this category. Any AI tools promising to help you handle your tax paperwork are quite simply a scam.

How to protect yourself and your data

• File your taxes yourself. The risk of running into scammers is extremely high. Even if a consulting firm is legitimate, you’re inevitably handing over a complete dossier on yourself: passport details, employment and income info, your address, and more. Remember that even the most honest services aren’t immune to hacks and data breaches.
• Watch out for fake websites. Use a reliable security solution that prevents you from visiting phishing sites and blocks malicious file downloads.
• Keep all important documents encrypted. Storing photos, notes, or files on your desktop, or starred messages in a messaging app isn’t a secure way to handle sensitive data. A secure vault like Kaspersky Password Manager can store more than just passwords and credit card info; it can also safeguard documents and even photos.
• Don’t trust AI. Even the most advanced chatbots are prone to errors and hallucinations, and in theory, developers can read any conversation you have with their AI. If you absolutely must use AI, install and run a local version on your own computer.
• Stick to official channels only. The “chief tax inspector” of your country or city is definitely not going to message you: high-ranking officials have more important things to do. Only contact tax authorities through official channels, and carefully verify the sender of any emails you receive. Most often, even a slight deviation in the name or address is a telltale sign of a phishing campaign.

Further reading on phishing and data security:

• Phishing and spam: the wildest campaigns of 2025
• How phishers and scammers use AI
• What happens to data stolen using phishing?
• How to disappear from the internet
• Why data brokers build dossiers on you, and how to stop them doing so

Kaspersky official blog – ​Read More

Lately, hackers have been turning up the heat on software developers. On the surface, this might seem like a puzzling move — why go after someone who’s literally paid to understand tech when there are plenty of less-savvy targets in the office? As it turns out, compromising a developer’s machine offers a much bigger payoff for an attacker.

Why developers are such high-value targets

For starters, compromising a coder’s workstation can give attackers a direct line to source code, credentials, authentication tokens, or even the entire development infrastructure. If the company builds software for others, a hijacked dev environment allows attackers to launch a massive supply chain attack, using the company’s products to infect its customer base. If the developer works on internal services, their machine becomes a perfect beachhead for lateral movement, allowing hackers to spread deeper into the corporate network.

Even when attackers are purely chasing cryptocurrency (and let’s face it, tech pros are much more likely to hold crypto than the average person), the malware used in these hits doesn’t just swap out wallet addresses; it vacuums up every scrap of valuable data it can find — especially those login credentials and session tokens. Even if the original attackers don’t care about corporate access, they can easily flip those credentials to initial access brokers or more specialized threat actors on the dark web.

Why developers are sitting ducks

In practice, developers aren’t nearly as good at understanding cyberthreats and spotting social engineering as they think they are. This misconception is a big reason why they often fall prey to cybercriminals. Professional expertise can often create a false sense of digital invincibility. This often leads technical professionals to cut corners on security protocols, bypass restrictions set by the security team, or even disable security software on their corporate machines when it gets in the way of their workflow. That mindset, combined with a job that requires them to constantly download and run third-party code, makes them sitting ducks for cyberattackers.

Attack vectors targeting developers

Once an attacker sets their sights on a software engineer, their go-to move is usually finding a way to slip malicious code onto the machine. But that’s just the tip of the iceberg — hackers are also masters at rebranding classic, battle-tested tactics.

Compromising open-source packages

One of the most common ways to hit a developer is by poisoning open-source software. We’ve seen a flood of these attacks over the past year. A prime example hit in March 2026, when attackers managed to inject malicious code into LiteLLM, a popular Python library hosted in the PyPI repository. Because this library acts as a versatile gateway for connecting various AI agents, it’s baked into a massive number of projects. These trojanized versions of LiteLLM delivered scripts designed to hunt for credentials across the victim’s system. Once stolen, that data serves as a skeleton key for attackers to infiltrate any company that was unlucky enough to download the infected packages.

Malware hidden in technical assignments

Every so often, attackers post enticing job openings for developers, complete with take-home test assignments that are laced with malicious code. For instance, in late February 2026, malicious actors pushed out web application projects built on Next.js via several malicious repositories, framing them as coding tests. Once a developer cloned the repo and fired up the project locally, a script would trigger automatically to download and install a backdoor. The attackers gained full remote access to the developer’s machine.

Fake development tools

Recently, our experts described an attack where hackers used paid search-engine ads to push malware disguised as popular AI tools. One of the primary baits was Claude Code, an AI coding assistant. This campaign specifically targeted developers looking for a way to use AI-assistants under the radar, without getting the green light from their company’s infosec team. The ads directed users to a malicious site that perfectly mimicked the official Claude Code documentation. It even included “installation instructions”, which prompted the user to copy and run a command. In reality, running that command installed an infostealer that harvested credentials and shuttled them off to a remote server.

Social engineering tactics

That said, attackers often stick to the basics when trying to plant malware. A recent investigation into a compromised npm package — Axios — revealed that hackers had gained access to a maintainer’s system using a shockingly simple “outdated software” ruse. The attackers reached out to the Axios repository maintainer while posing as the founder of a well-known company. After some back-and-forth, they invited him to a video interview. When the developer tried to join the meeting on what looked like Microsoft Teams, he hit a fake notification claiming his software was out of date and needed an immediate update. That “update” was actually a Remote Access Trojan, giving the attackers access to his machine.

Niche spam

Sometimes, even a blast of fake notifications does the trick, especially when it’s tailored to the audience. For example, just recently, attackers were caught posting fake alerts in the Discussions tabs of various GitHub projects, claiming there was a critical vulnerability in Visual Studio Code that required an immediate update. Because developers subscribed to those discussions received these alerts directly via email, the notifications looked like legitimate security warnings. Of course, the link in the message didn’t lead to an official patch; it pointed to a “fixed” version of VS Code that was actually laced with malware.

How to safeguard an organization

To minimize the risk of a breach, companies should lean into the following best practices:

• Make security a native part of your workflow. Use specialized solutions to vet your images, packages, dependencies, and components.
• Use threat intelligence feeds specifically focused on open-source components to check the packages used in software development.
• Make sure security awareness training covers everyone — including developers. Leverage specialized solutions like Kaspersky Automated Security Awareness Platform.
• Make sure developers are aware of the latest attack patterns — you can keep them in the loop by following the Development tag right here on this

Kaspersky official blog – ​Read More

• Phishing reemerged as the most observed means of gaining initial access, accounting for over a third of the engagements where initial access could be determined. Phishing has not been the top vector for initial access since Q2 2025.
• Public administration and health care tied as the most targeted industry verticals, each accounting for 24 percent of all engagements. This is the third consecutive quarter where public administration has been the most targeted industry vertical.  
• Pre-ransomware incidents made up just 18 percent of engagements this quarter, and we did not observe any ransomware deployment due to early and swift mitigation from Cisco Talos Incident Response (Talos IR). This is a slight increase from last quarter but overall very low compared to Q1 and Q2 2025, when we observed ransomware in 50 percent of engagements.

AI tool leveraged in phishing campaign 

Talos IR responded to a campaign that leveraged phishing, the most common means of initial access this quarter, to compromise the most targeted industry vertical this quarter: public administration. Notably, the actors leveraged the SoftrAI-based web application development service, marking the first time we have documented the use of a specific AI tool by an adversary in a phishing campaign. Softr was used to generate a credential harvesting page targeting users’ Microsoft Exchange and Outlook Web Access (OWA) accounts. 

State-sponsored and criminal actors have been observed abusing large language models (LLMs) to aid in the development of phishing lures, malicious scripts, and other tasks. DDoS-as-a-service actors have adopted AI algorithms for defense evasion and attack orchestration. While this is the first time we have documented the use of a specific AI tool in a Talos IR incident, we have moderate confidence that malicious actors have used Softr’s AI-powered web application creation platform since at May 2023, based on Cisco Umbrella data and other telemetry, and have done so with increasing frequency to date.    

This incident demonstrates how AI tools can lower the barrier to entry for less sophisticated actors and/or accelerate the speed of phishing and credential-harvesting campaigns. Using a form template and the “vibe coding” feature, a phishing page like the one used in this attack could be quickly created with a few AI prompts and no code. Phishing pages built with Softr can direct data to a disposable external data store, such as Google Sheets, and send alerts for new captures via email — all without code.    

Crimson Collective seen for the first time   

Talos IR experienced its first case involving Crimson Collective, a cyber extortion group that appeared in September 2025. This attack highlighted the use of valid accounts for initial access, the second most commonly observed means of initial access this quarter. This attack also notably involved targeting exploit weaknesses, the second-most observed security weakness, accounting for 25 percent of all engagements. We attribute this activity to Crimson Collective based on IPs associated with the group that were used to scan the victim’s ASA firewalls, as well as an overlap of observed tactics and techniques with publicly reported Crimson Collective attacks. 

The incident began when a GitHub Personal Access Token (PAT) was inadvertently published on a public-facing website, exposing the organization to adversaries for several months. Upon obtaining access, the adversary used TruffleHog, an open-source tool commonly utilized by security professionals, to scan thousands of victim GitHub repositories for additional secrets and sensitive information. This approach allows attackers to perform reconnaissance without triggering suspicion, as they are leveraging standard, legitimate tools. The attacker’s discovery of client secrets through TruffleHog enabled further access to the victim’s Azure cloud storage, where they used Microsoft Graph API calls to authenticate, explore, and exfiltrate data. The abuse of legitimate cloud APIs demonstrates a growing trend where threat actors use native platform functionality to blend into normal user activity, making detection more challenging. 

In addition to exfiltrating data, the adversary attempted to inject malicious code into multiple GitHub repositories. This code was designed to harvest any new secrets committed in the future, sending them to adversary-controlled infrastructure. Though these attempts were largely thwarted by the expiration of targeted secrets and effective security controls, the tactic reflects an emerging trend of supply chain and development environment attacks.  

Ransomware trends 

Ransomware experiences slight increase, remains low overall  

Pre-ransomware incidents made up just 18 percent of engagements this quarter, and we did not observe any ransomware encryption due to early and swift mitigation from Talos IR. This is a slight increase from last quarter, when ransomware and pre-ransomware collectively comprised 13 percent of engagements, but overall very low compared to Q1 and Q2 2025, when we observed ransomware in 50 percent of engagements. Attribution is challenging in pre-ransomware events because there are no encryptors or ransom notes, but we assess that Rhysida ransomware and MoneyMessage ransomware accounted for two of the engagements. 

While we did not observe many active and prolific ransomware-as-a-service (RaaS) operations, like Qilin or Akira, this likely does not indicate these major players are decreasing operations, as their data leak sites remain consistently active.    

Rhysida ransomware actors use uncommon backdoor, Meowbackconn  

Talos IR responded to a ransomware incident where the adversary attempted to deploy Rhysida ransomware. While the attack was mitigated in the pre-ransomware stage, we attribute this activity with moderate confidence to Rhysidabased on observed infrastructure that is associated with Rhysida activity and the use of Gootloader, which is commonly leveraged in Rhysida attacks during initial access. Notably, the actors deployed proxy-related DLLs (e.g., “meow_eu.dll”), which we assess were likely related to MeowBackConn, an uncommon backdoor that is closely associated with Gootloader, based on public reporting. 

This attack represents several trends that we observed throughout Talos IR engagements in Q1 2026. The environmental weaknesses that enabled this intrusion — exposed WinRM management ports, over-privileged service accounts, and critical logging gaps — directly echo this quarter’s most prominent security weaknesses, including vulnerable or exposed infrastructure, accounting for 25 percent of engagements. Furthermore, the adversary’s use of Remote Desktop Protocol (RDP) for lateral movement is consistent with RDP being the top technique for lateral movement for the previous two quarters (Q3 and Q4 2025).

Targeting

Public administration and health care were tied as the most targeted industry verticals. Notably, Q3 2025 marked the first time public administration emerged as the most targeted sector in Talos IR engagements, and it has retained that position since. Organizations within the public administration sector are attractive targets as they are often underfunded and use legacy equipment. These entities may have access to sensitive data as well as a low downtime tolerance, making them attractive to financially motivated and espionage-focused threat groups.

Initial access

Phishing reemerged as the most observed means of gaining initial access, accounting for over a third of the engagements where initial access could be determined. Phishing was the top initial access vector in the first half of 2025, at which point it was surpassed by exploitation of public-facing applications, likely due to the widespread exploitation of vulnerabilities in on-premises Microsoft SharePoint servers, collectively referred to as ToolShell. Since then, we have observeda steady decrease in the exploitation of public-facing applications as an initial access vector from a high of 62 percent to only 18 percent in Q1 2026. Similarly, in this quarter, valid accounts returned to its pre-ToolShell baseline as the second most observed means of gaining initial access, comprising 24 percent of Talos IR engagements. We assess the decline in ToolShell exploitation is likely due to the widespread availability of emergency patches and enhanced security detections, highlighting the importance of timely patching.

Recommendations for addressing top security weaknesses

Implement properly configured MFA and other access control solutions  

35 percent of engagements this quarter involved multi-factor authentication (MFA) weaknesses, an increase from last quarter. This includes incidents where threat actors bypassed MFA and where MFA was either missing or only partially enabled, particularly on remote access services. Adversaries were able to bypass MFA by registering new devices to previously compromised accounts, and in one instance, by configuring Outlook clients to connect directly to Exchange servers, circumventing MFA requirements. Addressing these weaknesses, especially by restricting self-service MFA enrollment and enforcing strong, centralized authentication policies, is essential to reducing risk and strengthening organizational resilience. 

Conduct robust patch management   

Vulnerable or exposed infrastructure was another top security weakness accounting for 25 percent of all engagements, a slight decrease from last quarter. This included exploiting a vulnerability (CVE-2025-20393) in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, as well as a vulnerability (CVE-2023-20198) in the web UI feature in Cisco IOS XE Software. Talos also observed exposed management ports (such as WinRM open to the internet), which enabled rapid attacker movement and reconnaissance.  

Configure centralized logging capabilities across the environment   

Finally, 18 percent of engagements this quarter involved organizations with insufficient logging capabilities, which hindered investigative efforts. Understanding the full context and chain of events performed by an adversary on a targeted host is vital not only for remediation but also for enhancing defenses and addressing any system vulnerabilities for the future. To address this issue, Talos IR recommends organizations implement a security information and event management (SIEM) solution for centralized logging. In the event an adversary deletes or modifies logs on the host, the SIEM will contain the original logs to support a forensics investigation. Additionally, Talos IR offers a Log Architecture Assessment service, which provides a focused review of an organization’s logs and overall log strategy to identify gaps and offer recommendations that give a complete view of the security environment and strengthen incident response readiness 

MITRE ATT&CK appendix 

The tables below represent the MITRE ATT&CK techniques observed in this quarter’s IR engagements and includes relevant examples and the number of times seen. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic based on the way they were leveraged. Please note that this is not an exhaustive list. 

Key findings from the MITRE ATT&CK framework include: 

• Phishing was the top method of initial access, replacing exploitation of public-facing applications which was dominant in the prior two quarters. 
• Web-based C2 was the most common C2 pattern. Application Layer Protocol over web protocols was observed most often, indicating adversaries frequently blended C2 into normal-looking traffic. 
• Lateral movement primarily relied on common remote administration channels. SMB/Windows Admin Shares was the top lateral movement technique, with WMI and RDP also heavily used, suggesting attackers repeatedly leveragedstandard enterprise remote management paths once inside. RDP was the top technique for lateral movement in the prior two quarters.  
• Defense evasion frequently focused on weakening visibility and endpoint protections. Impair defenses by disabling/modifying tools appeared multiple times, alongside log/trace reduction behaviors (e.g., clear command history and file deletion), indicating a recurring emphasis on reducing detection and forensic evidence.

Cisco Talos Blog – ​Read More

In 2025, attackers increasingly targeted weaknesses in multi-factor authentication (MFA) workflows, and phishing attacks leveraged valid, compromised credentials to launch lures from trusted accounts. The trends focused entirely on trust, or the lack thereof, in everyday business operations.

Phishing

In 2025, phishing attacks were used for initial access in 40% of incidents, maintaining their prevalence. Attackers ramped up cascaded phishing campaigns, where attackers leveraged the trust of the initial compromised account to create specialized phishing attempts, within the network and out of it, aimed at trusted partners and third parties.

Email composition trends

The content of phishing emails changed somewhat. Transitioning away from spam offers, they took the form of workflow-style emails — IT, travel, and other everyday business tasks that look familiar to employees and executives. Travel and logistics lures in particular surged, while political lures dropped off. Internal expensing and travel emails, even when legitimate, are often repetitive and come from disparate sources with changeable formats or poorly-rendered templates, leading to a lowered guard toward spotting malicious intent. Attackers were likely aiming to steal credentials, payment information, or MFA tokens via fake single sign-on (SSO) pages.

In reviews of thousands of blocked-email keywords, 60% contained subject lines with “request,” “invoice,” “fwd,” “report,” and similar. IT-focused phishing keywords turned more technical, to words like “tampering,” “domain,” “configuration,” “token,” and others, showing that attackers were making plays toward IT and security workflows.

Attackers also abused Microsoft 365 Direct Send to capitalize on internal email trust. Direct Send is the method by which networked devices like printers and scanners deliver documents to users. The messages appear to be sent and received by the same email address. These internal messages do not receive the same scrutiny that external emails do, from employees or automated email filters. Direct Send allowed attackers to spoof internal email addresses and deliver highly convincing lures from inside the organization, without compromising real accounts, to target key attack services and deliver high-impact damage.

MFA and identity attacks

Identity and access management (IAM) applications have grown popular with organizations hoping to consolidate user privileges. Unfortunately, it has also grown in popularity with attackers. Nearly a third of 2025 MFA spray attacks targeted IAM, turning the tools companies used to maintain access control into a point of failure. Device compromise surged by 178%, largely driven by voice phishing designed to trick administrators into registering malicious devices.

MFA spray and device compromise

MFA attack strategy changed by sector. A successful attack could glean SSO tokens and give adversaries the ability to change user roles and credentials, or even the MFA policies themselves. Attackers increasingly exploited authentication workflows to gain and maintain access.

Spray attacks were deployed against networks with predictable identity behavior, while diverse, unmanaged, or high-turnover device ecosystems proved weaker to device compromise attacks.

Notably, higher education was the most targeted device compromise sector. Several factors could contribute to the trend:

·       Diverse unmanaged device population

·       Poorly patched and managed operating systems

·       Necessarily low new-device verification policies

·       Large, public-facing directories for targeted phishing

Higher education was a very unfavorable target for MFA spray attacks, however. Passwords and MFA are also highly varied and segmented, and most universities have strong login portal policies, enforced lockouts, and login attempt limits.

Guidance for defenders

As always, prioritize based on your own environment.

Organizations should keep in mind that living-off-the-land binaries (LOLBins) and open-source and dual-use tools, which are not inherently malicious, are key to further exploitation. Blocking external IPs from using a feature, enabling Microsoft’s newer “Reject Direct Send” control, tightening SPF/DMARC enforcement, and treating “internal-looking” emails with the same scrutiny as inbound mail are currently the most effective defenses.

Likewise, MFA attack protection should be tailored to the style of environment and sector.

MFA spray attacks work well on stable, scaled identity controls. Counter these attacks with strong lockout policies, good password hygiene, and conditional access.

Device compromise works best on variable networks where devices change over fast and MFA use is spotty. Work on establishing better device hardening and management, session controls, and strict phishing-resistant MFA with enrollment governance. Solutions such as Cisco Duo provide controls for phishing-resistant MFA, device trust, and secure enrollment, helping reduce risk from phishing and identity-based attacks. Solutions such as Cisco Duo provide controls for phishing-resistant MFA, device trust, and secure enrollment, helping reduce risk from phishing and identity-based attacks.

This blog only scratched the surface on 2025 threat trends. See the full Year in Review report for a detailed explanation of Microsoft 365 Direct Send and how it was used for attacks, infographic breakdowns of MFA spray vs. device compromise attacks, the full list of targeted tools and sectors by percentage, and more.

Cisco Talos Blog – ​Read More