Microsoft Seizes 240 Websites to Disrupt Global Distribution of Phish Kits
Microsoft has seized 240 websites associated with the “ONXX” phishing-as-a-service operation, and has sued the developer of this service
Phishing uses deceptive messages to steal credentials or deliver malware, while user verification, MFA, and email filtering reduce the risk.
Search across headline titles and summaries.
Background for this topic.
Phishing is deceptive communication—by email, text, phone, or a fake website—that impersonates a trusted person or service to make someone disclose credentials, approve a transaction, reveal sensitive information, or run harmful software. Attackers use it to bypass technical controls by persuading a legitimate user to perform an action, and may target employees, customers, administrators, or suppliers.
Its impact can include account takeover, unauthorized payments, exposure of personal or business data, and access to internal systems. The most effective control for stolen-password phishing is phishing-resistant multi-factor authentication, such as hardware-backed passkeys or security keys, which binds authentication to the legitimate site. Organizations should also filter and authenticate messaging where possible, use password managers, restrict risky actions, train users to verify unusual requests through a separate channel, and provide rapid reporting so suspected credentials or sessions can be revoked.
Microsoft has seized 240 websites associated with the “ONXX” phishing-as-a-service operation, and has sued the developer of this service
Meta Platforms, Microsoft, and the U.S. Department of Justice (DoJ) have announced independent actions to tackle cybercrime and disrupt services that enable scams, fraud, and phishing attacks
Phishing attacks, business email compromise and vendor email compromise attacks on manufacturing have surged in the past 12 months
The ONNX infrastructure has been servicing criminal actors as far back as 2017.
Microsoft has seized 240 domains used by customers of ONNX, a phishing-as-a-service (PhaaS) platform, to target companies and individuals across the United States and worldwide since at least 2017. [...]
DoJ also shutters allleged crimeware and credit card mart PopeyeTools The US Department of Justice has issued an indictment that names five people accused of stealing millions in cryptocurrency – and we are told they are suspected members of cyber-gang Scattered Spider.…
A phishing email claims to be from the New York Times with a story about an assassination attempt against President-elect Donald Trump
Phishing attacks using DocuSign impersonations targeting state agencies have surged 98% since Nov 8
BeaverTail malware has been used to target tech job seekers through fake recruiters, Palo Alto Networks’ Unit 42 has found
A new phishing campaign is targeting e-commerce shoppers in Europe and the United States with bogus pages that mimic legitimate brands with the goal of stealing their personal information ahead of the Black Friday shopping season
Threat actors increasingly use Scalable Vector Graphics (SVG) attachments to display phishing forms or deploy malware while evading detection. [...]