CyberSecurity news

FlagThis - #credentialtheft

Shira Landau@Email Security - Blog //

OAuth Authentication Flaw Enables Perfect Phishing - A phishing campaign exploits authentication vulnerabilities in Microsoft Office 365, using OAuth applications to bypass security and harvest credentials via fake sign-in pages; the 'SessionShark' kit steals session tokens to bypass MFA.
A sophisticated phishing campaign is currently targeting Microsoft Office 365 users, leveraging OAuth application functionality to bypass traditional security measures and enterprise-grade spam filters. Attackers are creating applications with embedded phishing messages as the app name, allowing them to generate properly signed security notifications that appear legitimate. These deceptive emails bypass email authentication checks and appear to come from official "no-reply" addresses, successfully navigating through standard email security checks and creating a significant deception that threatens enterprise security frameworks. Security leaders are urged to reassess their defense strategies to address these emerging threats that specifically target authentication mechanisms.

Attackers register a domain and create an associated account to establish their malicious operation. They then create an OAuth app with the phishing message embedded in the app name. Granting their newly created account access to this OAuth app generates a properly signed security notification. This authenticated message is then forwarded to potential victims, directing them to fake sign-in pages that function as credential harvesting mechanisms under the guise of legitimate support pages. These pages, hosted on legitimate subdomains of the email service provider, prompt users to "upload additional documents" or "view case," both leading to credential harvesting.

The "SessionShark" phishing kit is also being used to target Microsoft Office 365 accounts, designed to bypass multi-factor authentication (MFA) by stealing session tokens. This kit operates as an adversary-in-the-middle, intercepting login credentials and user session tokens. It creates a webpage that closely mimics the legitimate Microsoft Office 365 login interface, dynamically adapting to various conditions to increase believability. Once a victim submits their credentials, including completing MFA, the sensitive details and session cookie are instantly logged and exfiltrated to the attacker via Telegram bot integration.

Recommended read:
References :
  • Email Security - Blog: Authentication Breach Alert: OAuth Flaw Enables “Perfect Phishing†Campaign
  • The DefendOps Diaries: Understanding and Mitigating OAuth 2.0 Exploitation in Microsoft 365
  • BleepingComputer: Hackers abuse OAuth 2.0 workflows to hijack Microsoft 365 accounts
  • hackread.com: New SessionShark Phishing Kit Bypasses MFA to Steal Office 365 Logins
Sam Bent@Sam Bent //

Hellcat Group Exploits Jira to Hit Ascom - The Hellcat ransomware group claimed responsibility for a cyberattack on Ascom, a Swiss global solutions provider, exploiting Jira server vulnerabilities to access the company’s IT infrastructure and steal data.
Ascom, a Swiss global solutions provider specializing in healthcare and enterprise communication systems, has confirmed a cyberattack on its IT infrastructure. The attack, suspected to be carried out by the Hellcat group, exploited vulnerabilities in Jira servers. The company revealed that hackers breached its technical ticketing system.

The Hellcat group claimed responsibility, stating they stole approximately 44GB of data potentially impacting all of Ascom's divisions. Hellcat hackers are known for using compromised credentials to infiltrate Jira systems, leading to data breaches in multiple organizations. Security experts advise implementing multi-factor authentication, regular security audits, prompt patching, and employee training to mitigate such attacks.

Recommended read:
References :
@The DefendOps Diaries //

Attackers Exploit Google Ads to Target SEO Professionals - Cybercriminals are exploiting Google Ads with malicious Semrush advertisements to steal Google account credentials from SEO professionals, redirecting users to deceptive login pages that harvest Google account information and exploit trust in Semrush.
Cybercriminals are actively targeting SEO professionals through a sophisticated phishing campaign that exploits Google Ads. The attackers are using fake Semrush advertisements to trick users into visiting deceptive login pages designed to steal their Google account credentials. This campaign is a new twist in phishing, going after users of the Semrush SaaS platform, which is popular among SEO professionals and businesses, and is trusted by 40% of Fortune 500 companies.

This scheme is effective due to the SEO professionals' trust in Semrush, a platform used for advertising and market research. The malicious ads appear when users search for Semrush and redirect them to counterfeit login pages, which look similar to legitimate Semrush URLs. The attackers register domain names that closely resemble real Semrush domains and the only login option is with a Google account, harvesting Google account information for further malicious activities. This provides the attackers with valuable access to Google Analytics and Google Search Console, giving them insight into the companies' financial performance.

Recommended read:
References :
  • The DefendOps Diaries: Cybercriminals exploit Google Ads to target SEO pros, using fake Semrush ads to steal Google credentials.
  • Help Net Security: Malicious ads target Semrush users to steal Google account credentials
  • Malwarebytes: Semrush impersonation scam hits Google Ads
  • www.tripwire.com: Tech support scams leverage Google ads again and again, fleecing unsuspecting internet users
  • BleepingComputer: A new phishing campaign is targeting SEO professionals with malicious Semrush Google Ads that aim to steal their Google account credentials.
  • BleepingComputer: A new phishing campaign is targeting SEO professionals with malicious Semrush Google Ads that aim to steal their Google account credentials.
  • bsky.app: Fake Semrush ads used to steal SEO professionals’ Google accounts
  • BleepingComputer: A new phishing campaign is targeting SEO professionals with malicious Semrush Google Ads that aim to steal their Google account credentials.
  • : Threat actors are looking to compromise Google accounts to further malvertising and data theft
  • Email Security - Blog: Cyber criminals have launched a sophisticated phishing campaign that exploits the trusted reputation of Semrush — an SEO firm that's captured of Fortune 500 brands as customers — to compromise Google account credentials.
  • gbhackers.com: Hackers Deploy Fake Semrush Ads to Steal Google Account Credentials
Microsoft Threat@Microsoft Security Blog //

Phishing Campaign Impersonates Booking.com - A phishing campaign impersonating Booking.com targets hospitality employees with credential-stealing malware using ClickFix to conduct financial fraud.
An ongoing phishing campaign impersonating Booking.com is targeting hospitality employees with credential-stealing malware. Microsoft Threat Intelligence has identified the campaign, which began in December 2024 and is ongoing as of February 2025. Cybercriminals are sending malicious emails to employees likely to work with Booking.com, in North America, Oceania, South and Southeast Asia, and Europe, using a social engineering technique called ClickFix to deliver the malware. This campaign aims to conduct financial fraud and theft by compromising employee credentials.

The ClickFix technique involves fake error messages and prompts that instruct users to fix issues by copying and pasting commands, leading to malware downloads. The phishing emails vary in content, referencing negative guest reviews, requests from prospective guests, online promotion opportunities, and account verification to induce clicks. The threat actor, tracked as Storm-1865, has evolved its tactics to bypass security measures.

Recommended read:
References :
  • krebsonsecurity.com: Booking.com Phishers May Leave You With Reservations
  • Source Asia: Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware
  • The DefendOps Diaries: Understanding the ClickFix Phishing Threat to the Hospitality Industry
  • The Hacker News: Microsoft Warns of ClickFix Phishing Campaign Targeting Hospitality Sector via Fake Booking[.]com Emails
  • : ‘ClickFix’ Phishing Scam Impersonates Booking.com to Target Hospitality
  • The Record: Cybercriminals are sending malicious emails to hospitality employees who are likely to work with Booking.com
  • bsky.app: Microsoft is warning that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
  • The Register - Security: That 'angry guest' email from Booking.com? It's a scam, not a 1-star review
  • www.techradar.com: Microsoft warns about a new phishing campaign impersonating Booking.com
  • TARNKAPPE.INFO: ClickFix-Phishing: Neue Kampagne richtet sich gegen die Hotellerie
  • bsky.app: Microsoft is warning that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
  • Virus Bulletin: Microsoft researchers identified a phishing campaign (Storm-1865) that uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft.
  • BleepingComputer: Microsoft warns that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
  • Email Security - Blog: "ClickFix" Phishing Impersonation Campaign Targets Hospitality Sector
  • eSecurity Planet: Phishing Campaign Impersonates Booking.com, Plants Malware
  • Security Risk Advisors: 🚩Microsoft Detects Ongoing Phishing Impersonation of Booking.com Using “ClickFixâ€� to Deliver Credential-Stealing Malware
  • Blog: Phishing campaign impersonates Booking.com, plants malware
  • Davey Winder: Booking.com CAPTCHA attack impacts customers—but systems not breached, a spokesperson has said.
  • www.computerworld.com: Description of the ClickFix phishing campaign targeting the hospitality industry via fake Booking.com emails.
  • www.cysecurity.news: A phishing campaign impersonates Booking.com, targeting organizations in hospitality, using the ClickFix method to spread credential-stealing malware.
  • www.cybersecurity-insiders.com: Malware Impersonating Booking.com Targets Hospitality Sector
  • thecyberexpress.com: Microsoft Detects Ongoing Phishing Impersonation of Booking.com Using “ClickFix” to Deliver Credential-Stealing Malware
  • securityonline.info: Booking.com Impersonated in Phishing Campaign Delivering Credential-Stealing Malware
  • gbhackers.com: Microsoft Threat Intelligence has identified an ongoing phishing campaign that began in December 2024, targeting organizations in the hospitality industry by impersonating the online travel agency Booking.com. The campaign, tracked as Storm-1865, employs a sophisticated social engineering technique called ClickFix to deliver credential-stealing malware designed to conduct financial fraud and theft. This attack specifically targets
  • Metacurity: The attackers are impersonating Booking.com to deliver credential-stealing malware.
  • Talkback Resources: Storm-1865 Impersonates Booking.com in Phishing Scheme
  • Blog: Storm-1865 leverages ‘ClickFix’ technique in new phishing campaign

Posts

Blogs

Research Tools