Take action on the latest cybersecurity events

Cybersecurity advisories and events as they happen, with a clear action you can take.

The Fake Invoice That Bites Back: Multi-Stage Malware Hidden Behind a Purchase Order
published: April 3, 2026
On April 2, 2026, a phishing campaign targeting Balkans-region businesses was identified, using a local language fake invoice email with a spoofed attachment image that links to a malicious JavaScript file hosted on Discord's CDN. The multi-stage infection chain is consistent with a broader Malware-as-a-Service operation documented since late 2025.
Take action: If you receive emails with invoices or shipping documents - especially if it's unexpected or from free email addresses like Gmail claiming to be a company - don't click on any attachments or links! Instead, verify directly with the sender through their official company website or phone number.
DocuSign impersonation phishing with stolen email thread and fake Google login
published: March 21, 2026
A phishing campaign spoofs DocuSign notifications to redirect victims through a fake CAPTCHA gate to a cloned Google login page, aiming to steal Google Workspace credentials. The attack gains credibility and evades spam filters by appending a stolen legitimate email thread below the phishing lure and by sending to noreply@docusign.com which is only useful for the victim to recognize the domain.
Take action: If you receive a DocuSign email, don't click any links in it. Go directly to docusign.com and log in manually to check for pending documents. Always verify the sender address and the URL bar before entering any credentials; if the login page URL isn't accounts.google.com, close the tab immediately. Finally, don't trust huge email chains, they can be faked or stolen from another conversation.
WhatsApp users targeted in account takeover attack dubbed GhostPairing
published: Dec. 22, 2025
The "GhostPairing Attack" is a social engineering campaign that exploits WhatsApp's device pairing feature by tricking victims into entering WhatsApp authentication codes via fake Facebook pages, authorizing attackers' browsers as linked devices with full access to messages and contacts. Most victims remain unaware that they have been compromised and their WhatsApp account becomes a vector to scam others.
Take action: Never trust unexpected cryptic messages on your messaging platforms, even from contacts you trust, especially if they have links or phone numbers to call. They are most probably phishing. Check your WhatsApp Settings → Linked Devices and remove any sessions you don't recognize.
Expired cloud storage scam using Google Cloud Storage domain to host scam page
published: Nov. 29, 2025
An active phishing campaign uses weaponized Google Cloud Storage links and fake urgency warnings about account blocking to steal credentials and payment information from cloud storage users. The attack uses legitimate Google infrastructure to bypass email filters and firewalls.
Take action: Don't panic over urgent "account blocked" warnings in unexpected emails. Never click links or open files in these messages. Instead, type the official website address of your cloud provider directly into your browser to check your actual account status.
Microsoft & Atlassian Impersonation Campaigns through typosquatting
published: Nov. 9, 2025
Two phishing campaigns are reported targeting Microsoft and Atlassian users through homoglyph (typosquatting) domain spoofing using visually similar domains. The attacks use fake security alerts and ticket notifications to direct victims to credential-harvesting login pages. The scammers created valid SPF, DKIM, and SSL configurations, making them appear legitimate to both automated filters and users.
Take action: There are a multiple of ways to type a string that looks like a major vendor name but is fake, and scammers are using them to steal your credentials. Don't click links in unexpected emails claiming to be from major vendors like Microsoft or Atlassian, even if they look urgent. Type the official website address directly into your browser or use your bookmarks. If you use a password manager and it doesn't automatically fill in your password on a login page, STOP immediately! That is a strong sign you're on a fake site.
SMS Based scam impersonating Apple, leading victims to fake support numbers for social engineering
published: Nov. 3, 2025
An active SMS and voice phishing campaign is targeting Apple users with fraudulent text messages impersonating Apple Support that claim suspicious transactions and direct victims to call a fake support number (+1 833-608-3976 instead of the legitimate 1-877-571-0223). Scammers attempt to steal Apple ID credentials, payment card information, or gain remote device access through social engineering tactics exploiting urgency and fear.
Take action: If you get unexpected SMS messages about Apple ID suspicious activity, never call phone numbers or follow links provided in the message - they're scams designed to steal your credentials and payment info. Log directly into appleid.apple.com to check your account, or call Apple's real support number from their official website.
Disabled facebook account campaign tries to get users to install malware
published: Sept. 12, 2025
A malware campaign targeting Facebook users pushes fake account lockout warnings in advertisements that redirected victims to fraudulent support pages, where they are guided to copy and run PowerShell commands that download multi-stage malware hidden in images using steganography techniques.
Take action: Never trust Facebook ads or messages claiming your account will be "permanently locked". Don't rush, think about the issue and consult with people. If you're concerned about your account, go directly to Facebook.com (don't click any links) and check your account status there instead.
Checkpoint warns of phishing campaign that emulates potential customers and vendor evaluation process
published: Sept. 2, 2025
Check Point Research identified the "ZipLine" social engineering campaign that uses extended multi-week professional conversations initiated through legitimate contact forms to build trust before delivering malicious ZIP files. The campaign has targeted dozens of U.S. industrial manufacturing and technology companies since May 2025, using legitimate domains and trusted file-sharing platforms to bypass security controls and impersonating potential business partners requesting NDAs or AI assessments.
Take action: Now it's time to be suspicious of any "potential customers" who contact you out of the blue. Verify their provenance through multiple channels, like corporate registrations, phone call from official directories and business forums. Finally, BE VERY SUSPICIOUS of ZIP files for documents.
Google Salesforce data breach triggers widespread phishing campaign against gmail users
published: Aug. 26, 2025
Attackers from the ShinyHunters group breached Google's corporate Salesforce instance through social engineering that convinced employees to authorize malicious applications, and are now exploiting the stolen data to launch widespread phishing and voice phishing campaigns against Gmail users worldwide. Attackers impersonate Google employees to trick users into resetting passwords and sharing credentials.
Take action: Google NEVER calls users to request password resets or account information and never asks them to share the password - if someone calls claiming to be from Google asking you to reset your password or share credentials, it's a scam and you should hang up immediately. Instead of trusting any unexpected calls, go directly to your Gmail account and use Google's Security Checkup tool to verify your account security and update your recovery options.
How hacker gangs abuse Microsoft Teams for social engineering attacks to target companies
published: Aug. 18, 2025
Ransomware gangs are exploiting Microsoft Teams' default permissive external access settings to conduct sophisticated social engineering attacks. They flood victims with spam emails, then impersonate IT support via fake Microsoft tenants to trick users into executing malicious PowerShell commands that steal data and compromise systems.
Take action: Share this technique with your employees. The targeted people will not be IT. Consider blocking external Teams access in your admin settings to avoid fake "help desk" accounts. Advise that teams should check back with their IT via a well known channel and never run commands or programs sent via Teams messages from an unknown person, even if they claim to be from IT support.