#aitm — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #aitm, aggregated by home.social.
-
Hook, Line, and Sinker: Why People Still Fall for “Official” Emails
3,206 words, 17 minutes read time.
The digital landscape is a cold, relentless stretch of asphalt where the rain never stops and the shadows are always reaching for your throat. It is an environment built on the fundamental architecture of trust, yet it is that very trust that serves as the primary vector for the modern grift. When we look at the evolution of the phishing landscape, we aren’t just looking at a series of technical failures or a lack of robust filtering; we are looking at the exploitation of the human operating system. Most analysts want to talk about SPF, DKIM, and DMARC as if they are the ultimate shields against the storm, but they often ignore the fact that the most sophisticated code in the world cannot patch a moment of panic. The “Official” email is the modern equivalent of a knock at the door at three in the morning; it carries an inherent authority that bypasses the logical gates of the brain and targets the raw, unrefined nerves of social obligation and fear of consequence.
Analyzing the recent waves of business email compromise and high-stakes credential harvesting, I see a clear pattern that suggests we are losing the war of attrition because we refuse to acknowledge the psychological heavy lifting being done by the adversary. The craft has moved far beyond the broken syntax and desperate pleas of a decade ago, evolving into a surgical instrument that mirrors the exact cadence of corporate bureaucracy. These attackers are not just hackers anymore; they are student of institutional behavior who understand that a well-placed “Urgent Action Required” notice from a spoofed human resources alias is more effective than any brute-force attack. By the time the target realizes the landing page is a mirror of a Microsoft 365 login, the credentials have already been spirited away into a database in a jurisdiction where the law doesn’t have a name.
The Psychological Mechanics of the Digital Ambush
The success of a phishing campaign relies on the deliberate manipulation of cognitive load and the exploitation of ingrained social hierarchies. When an individual receives an email that appears to originate from a high-level executive or a government entity like the Internal Revenue Service, the brain undergoes a shift from analytical processing to a reactive survival mode. This is not a matter of intelligence or technical savvy, as even seasoned administrators have been known to trip over a well-constructed lure when the timing is right. The adversary waits for the moment of highest friction—the end of a quarter, the middle of a migration, or the chaos of a public holiday—to drop a message that demands immediate attention. This creates a sense of urgency that effectively narrows the victim’s field of vision, making them ignore the subtle discrepancies in the sender’s address or the slightly off-kilter phrasing of the call to action.
Furthermore, the concept of social proof is weaponized within these emails to provide a false sense of security that lulls the victim into a state of compliance. Many of these “official” messages are designed to look like a small part of a larger, ongoing process, such as a mandatory security update or a routine document review. By framing the malicious link as a necessary step in a boring, everyday task, the attacker sidesteps the natural skepticism that usually accompanies an unexpected request. Consequently, the victim views the interaction not as a potential threat, but as a minor hurdle to be cleared so they can return to their actual work. This mundane nature of the attack is its greatest strength, allowing it to slip through the cracks of human intuition while the technical defenses are busy looking for more overt signs of intrusion.
Why Technical Defense Perimeters Often Fail the Human Test
We have spent billions of dollars on secure email gateways and advanced threat protection, yet the “official” email remains the most successful entry point for ransomware and data exfiltration. This failure is rooted in the inherent tension between usability and security, where the need for seamless communication often creates gaps that an attacker can drive a truck through. A secure email gateway is essentially a filter designed to catch known bad patterns, but the modern phisher is an expert at staying just beneath the threshold of detection. They use legitimate infrastructure, such as compromised Small Business Server accounts or reputable cloud hosting providers, to launch their campaigns. When a malicious email originates from a trusted IP address with valid cryptographic signatures, the technical gates swing wide open, leaving only the human at the keyboard to make the final call.
In addition to the subversion of trust, the rapid pace of digital transformation has outstripped the ability of the average user to verify the authenticity of their communications. As organizations move their operations to various third-party SaaS platforms, the number of “official” domains that a user interacts with on a daily basis has skyrocketed. It is no longer enough to look for a single corporate domain; employees are now expected to recognize notifications from payroll systems, project management tools, and cloud storage providers, all of which use different naming conventions and email templates. This fragmentation creates a smokescreen for the attacker, who can easily hide a malicious domain amidst the noise of a dozen legitimate ones. As a result, the mental fatigue of constantly verifying these sources leads to a state of “security nihilism,” where the user eventually stops checking altogether and simply clicks through to stay productive.
The anatomy of a modern credential harvest is a masterclass in deceptive minimalism, designed to exploit the very tools we use to stay organized and secure. Looking at the mechanics of the “Official” document lure, I see a devastatingly effective strategy that leverages the ubiquity of shared drives and collaborative platforms like SharePoint or DocuSign. The attacker doesn’t need to attach a piece of malware that might trigger an endpoint detection system; they simply provide a link to a legitimate-looking landing page that asks for a login to “view the protected file.” This transition from a trusted email environment to a browser-based authentication prompt is where the logic breaks down for most users. Because the initial email looked like a standard notification—complete with the correct legal disclaimers and corporate branding—the user’s brain has already cleared the transaction for takeoff. By the time they land on the spoofed login page, they aren’t looking for a scam; they are looking for their document, and they will hand over their credentials to get it.
The danger is compounded by the rise of “Living off the Land” techniques in the phishing world, where attackers use the victim’s own tools against them. When an adversary compromises a legitimate account within a supply chain, they can send “official” emails from a truly valid source to that person’s entire contact list. This lateral movement within a trusted ecosystem is the nightmare scenario for any security operations center because the traditional red flags simply do not exist. There is no mismatched “From” header to inspect, and the link often points to a real file hosted on a real corporate server that happens to contain a malicious redirect. In this context, the victim isn’t falling for a fake; they are being misled by a compromised reality. This level of deception makes it nearly impossible for the average employee to distinguish between a routine request and a high-stakes heist, especially when the message arrives in the middle of a high-pressure workday.
The Institutional Cost of Authority-Based Exploitation
When we break down the damage, we see that the financial toll of these “official” phishes is often eclipsed by the erosion of internal culture and institutional trust. Every time a successful campaign rips through a department, the aftermath involves a heavy-handed response from IT that usually includes more restrictive policies and mandatory, often condescending, training modules. This creates a friction-filled environment where employees start to view their own security team as an adversary or a hurdle to their productivity. Furthermore, the psychological impact on the individual who clicked the link can be profound, leading to a loss of confidence that hampers their work performance and makes them less likely to report future suspicious activity for fear of further embarrassment. Consequently, the organization becomes more brittle, hiding its vulnerabilities behind a facade of compliance while the actual risk remains unaddressed and festering in the shadows.
Looking at the broader economic landscape, the industrialization of phishing kits has lowered the barrier to entry for low-level criminals, allowing them to masquerade as sophisticated entities with the click of a button. These kits come pre-loaded with high-fidelity templates for every major bank, government agency, and tech giant, ensuring that even a novice operator can launch an “official” campaign that looks professional. This democratization of high-end social engineering means that the volume of attacks is constantly increasing, creating a background radiation of fraud that everyone must navigate daily. The sheer frequency of these encounters leads to a desensitization of the workforce, where the warning signs that used to trigger an alarm are now ignored as part of the digital noise. This saturation of the communication channel is exactly what the adversary wants, as it ensures that eventually, someone, somewhere, will be tired or distracted enough to swallow the hook.
The Illusion of Multi-Factor Authentication as a Total Shield
One of the most dangerous myths in the current security climate is the idea that Multi-Factor Authentication is an unhackable barrier that renders phishing obsolete. While MFA is a critical layer of defense, the “official” email has evolved to bypass it through sophisticated techniques like adversary-in-the-middle attacks and session hijacking. In a standard MFA-bypass scenario, the malicious email leads the victim to a proxy server that mimics the real login page in real-time. As the victim enters their username, password, and the subsequent one-time code from their phone, the attacker’s server passes those credentials to the actual service and steals the resulting session cookie. To the user, the experience is seamless and appears entirely “official,” but behind the scenes, the attacker now has a persistent foothold that bypasses the need for a password entirely. This proves that even our most robust technical solutions can be undermined by a well-executed social engineering play that targets the moment of authentication.
Moreover, the phenomenon of “MFA Fatigue” has become a potent weapon in the attacker’s arsenal, turning a security feature into a vulnerability. After sending a series of “official” emails claiming there is a problem with an account, the attacker will trigger a barrage of push notifications to the victim’s mobile device. The goal is to wear the person down until they hit “Approve” just to make the buzzing stop, assuming it’s a glitch in the “official” system. This exploit doesn’t require technical brilliance; it requires an understanding of human frustration and the tendency to take the path of least resistance. It demonstrates that as long as there is a human in the loop, the adversary will find a way to manipulate that person into opening the door, no matter how many locks we put on it. The “official” email is merely the first step in a psychological siege designed to break the victim’s resolve.
The strategy of the modern phisher has moved beyond the simple theft of credentials and into the territory of high-stakes narrative control. When we analyze the rise of Business Email Compromise, it becomes clear that the “Official” email is often just the opening act in a long-form con that can last for weeks. The attacker doesn’t just want a password; they want to insert themselves into the financial workflow of an organization. By mimicking the tone, the signature blocks, and the specific jargon of a vendor or a high-level partner, the adversary creates a secondary reality where a change in banking details or a diverted wire transfer seems like a routine administrative adjustment. The horror of this approach lies in its banality. There are no flashing red lights or “Access Denied” screens; there is only a quiet, professional-looking email that follows every established rule of corporate etiquette while it drains the company’s accounts.
Furthermore, the integration of generative AI into the attacker’s toolkit has eliminated the last remaining red flags that used to give these “Official” lures away. Gone are the days when a sharp-eyed employee could spot a phishing attempt by its poor grammar or awkward phrasing. Today’s lures are syntactically perfect, culturally nuanced, and tailored to the specific industry of the target. An attacker can now feed a few public interviews or LinkedIn posts from an executive into a model and generate an email that captures that individual’s unique “voice” with terrifying precision. This makes the “Official” email even more dangerous because it appeals to the victim’s sense of familiarity. Consequently, the gap between a legitimate internal communication and a fraudulent one has narrowed to the point of invisibility, leaving the human target to navigate a minefield where every step looks like solid ground.
The Weaponization of Compliance and Legal Fear
A significant portion of why people still fall for these lures is the strategic use of “regulatory theater” to induce a state of compliance-driven panic. Attackers have realized that the modern professional is terrified of three things: HR violations, tax audits, and data breaches. By framing a phishing lure as a “Mandatory Data Privacy Attestation” or an “Immediate Tax Compliance Notice,” the attacker leverages the weight of the law to bypass the user’s skepticism. These emails often include realistic references to actual legislation, such as GDPR or the CCPA, which adds a layer of superficial credibility that is hard to ignore. The victim isn’t just clicking a link; they are attempting to protect themselves or their company from a perceived legal threat. This flip of the script—making the scam look like a security measure—is a calculated move that turns a person’s best intentions into their greatest vulnerability.
In addition to legal threats, the “Official” lure often exploits the internal power dynamics of the modern workplace. In a high-pressure environment where “performance” is everything, the fear of failing to respond to a superior is a powerful motivator. I see this play out in “Urgent Request” scenarios where the email appears to come from a CEO or a Board Member who is “stuck in a meeting” and needs a quick favor. The victim is often so focused on the social reward of being helpful or the fear of appearing incompetent that they fail to perform even basic due diligence. The adversary knows that in a hierarchy, authority flows downward with a force that can flatten common sense. By the time the employee thinks to call the executive to verify the request, the gift cards have been drained or the sensitive spreadsheet has been uploaded to a command-and-control server.
Rebuilding the Perimeter on a Foundation of Radical Skepticism
If we are going to survive in this environment, we have to move past the idea that we can train the human element out of the equation. The “Official” email works because it is designed to work on humans, and humans are fundamentally social, cooperative, and prone to pressure. The solution isn’t another hour of boring slide decks; it’s a fundamental shift toward an “Assume Breach” mentality at the individual level. This means moving away from a culture of blind trust and toward one of verified communication, where no request involving data or money is ever handled through a single, unverified channel. We need to normalize the “Double-Check”—the idea that calling a coworker to verify an unusual email is not a sign of paranoia, but a standard operating procedure. This cultural shift is far harder to implement than a new firewall, but it is the only thing that can stand against the psychological precision of the modern phisher.
Moreover, organizations must stop relying on the visual “polish” of an email as a proxy for its legitimacy. We need to strip away the corporate logos and the fancy signatures in our minds and look at the raw intent of the message. If an email creates a sense of urgency, demands a bypass of standard procedures, or directs you to an external site to enter credentials, it should be treated as hostile until proven otherwise. The “Official” email is a mask, and the only way to beat it is to stop being impressed by the mask. We have to start valuing the friction in our systems—the extra steps, the out-of-band verifications, and the healthy skepticism—because that friction is the only thing that slows the attacker down long enough for us to see the hook beneath the bait. The rain is still falling on the digital asphalt, and the shadows are still reaching, but they only win when we let them lead us where they want us to go.
The persistence of the “Official” email as a top-tier threat vector is ultimately a testament to the fact that technical solutions are being applied to a non-technical problem. We are trying to use cryptographic signatures and automated filters to solve for the human desire to be helpful, the fear of authority, and the exhaustion of the modern workday. It is a mismatch of resources that the adversary exploits with predatory efficiency. When I look at the wreckage left behind by these campaigns, it is rarely the result of a single catastrophic failure; rather, it is a series of small, logical concessions made by a tired person just trying to get through their inbox. The attacker doesn’t need to be a digital ghost or a coding prodigy; they just need to be a better actor than you are a skeptic. They understand that if they can control the narrative, they can control the network, and they use the “Official” branding as the stage on which they perform their heist.
To break this cycle, we have to stop treating phishing as a “user error” and start treating it as an inevitable environmental hazard. This requires a defensive architecture that doesn’t just look for bad files, but looks for suspicious behaviors and anomalies in the flow of authority. If an executive who never handles wire transfers suddenly sends an “Official” urgent request for one, the system should be smart enough to flag the deviation, regardless of how clean the email headers look. We need to build systems that protect people from their own instinct to comply, creating hard stops and out-of-band verification requirements for any high-value transaction. The goal is to move the burden of defense off the shoulders of the individual and into the design of the workflow itself. Until we accept that the “Official” email is the most dangerous weapon in the digital world, we will continue to find ourselves staring at the empty accounts and compromised servers that are the hallmark of a successful hook, line, and sinker.
Call to Action
The time for treating phishing as a minor IT nuisance is over; it is a predatory psychological war, and you are currently the primary target. If you are a leader, you need to stop hiding behind automated filters and start building a culture where a healthy “no” is valued more than a rushed “yes.” Stop the assembly line long enough to verify the source, pick up the phone when an email feels even slightly off-kilter, and demand that your organization implements out-of-band verification for every high-stakes transaction. Don’t wait for the post-mortem report to realize your “official” communication was a ghost in the machine. Audit your workflows today, tighten your authentication protocols, and train your eyes to see the hook beneath the polish—because the next “urgent” email in your inbox isn’t looking to help you, it’s looking to gut you.
SUPPORTSUBSCRIBECONTACT MED. Bryan King
Sources
- FBI IC3 2023 Internet Crime Report
- Verizon 2024 Data Breach Investigations Report (DBIR)
- CISA: Phishing Campaigns Targeting Government Entities
- Microsoft Digital Defense Report: The Evolution of Phishing
- Proofpoint 2024 State of the Phish Report
- ENISA Threat Landscape 2023
- NIST SP 800-63 Digital Identity Guidelines
- Trellix Cyber Readiness Report: Email Security Trends
- KnowBe4 2023 Phishing by Industry Benchmarking Report
- IBM Cost of a Data Breach Report 2023
- Unit 42 Cloud Threat Report: Credential Harvesting
- CrowdStrike 2024 Global Threat Report
- Zscaler ThreatLabz 2023 Phishing Report
- Mandiant M-Trends 2024 Special Report
- Dark Reading: How Modern Phishing Bypasses MFA
- BleepingComputer: AiTM Phishing Kits Targeting M365
- SecurityWeek: BEC Attacks Leveraging Generative AI
- Wired: The Psychology Behind the Phish
- SANS Institute: Defeating Social Engineering in the Modern Office
- ZDNet: Anatomy of a BEC Attack
- Kroll Q3 2023 Cyber Threat Landscape
- McAfee Labs: The Science of Social Engineering
- F-Secure: How Criminals Exploit Human Emotions
- Kaspersky: Spam and Phishing in 2023 Analysis
- Sophos 2023 Active Adversary Report
- SC Magazine: Phishing as a Ransomware Vector
- Threatpost: Business Email Compromise – The Invisible Threat
- Infosecurity Magazine: AI-Generated Phishing Success Rates
- CSO Online: Psychological Principles Attackers Exploit
- Help Net Security: The Democratization of Phishing Kits
- Fortinet: The Evolution of Spear Phishing
- Check Point: Common Phishing Examples and Tactics
- Rapid7: Fundamentals of Phishing and Social Engineering
- Malwarebytes: Why People Click on Malicious Links
- Bitdefender Labs: Targeting Financial Institutions
- Trend Micro: The Art of the Lure
- ESET 2023 Phishing Trends Report
- Symantec: Phishing Tactics That Evade Detection
- Cloudflare: What is Phishing? Guide for Teams
- IT Governance: Top 5 Phishing Scams of 2023
Disclaimer:
The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.
Related Posts
Rate this:
#adversaryInTheMiddle #AiTM #AuthorityBias #BEC #businessEmailCompromise #CEOFraud #CognitiveLoad #corporateEspionage #corporateSecurity #credentialHarvesting #cyberDefense #cyberResilience #cyberRiskManagement #cyberThreats #cybercrime #cybersecurityBlog #cybersecurityTraining #dataBreach #DigitalAmbush #DKIM #DMARC #DocuSignScams #emailSecurity #financialFraud #HumanError #identityTheft #incidentResponse #informationSecurity #IRSPhishing #LivingOffTheLand #MalwareFreeAttacks #MFABypass #MFAFatigue #Microsoft365Security #OfficialEmailScams #phishing #PsychologicalExploitation #RegulatoryPhishing #secureEmailGateway #securityAwareness #SecurityNihilism #sessionHijacking #SharePointPhishing #socialEngineering #spearPhishing #SPF #threatIntelligence #TrustArchitecture #UrgencyTactics #vendorImpersonation #zeroTrust -
📢 FlowerStorm adopte KrakVM : un PhaaS combine VM JavaScript et hameçonnage MFA
📝 ## 🔍 ContextePublié le 14 mai 2026 par Sublime Threat Intelligence and Research (STIR), cet article document...
📖 cyberveille : https://cyberveille.ch/posts/2026-05-19-flowerstorm-adopte-krakvm-un-phaas-combine-vm-javascript-et-hameconnage-mfa/
🌐 source : https://sublime.security/blog/flowerstorm-unleashes-the-krakvm-phaas-operators-turn-to-vm-based-obfuscation/
#AITM #FlowerStorm #Cyberveille -
📢 UNC6671 / BlackFile : campagne d'extorsion par vishing et compromission SSO
📝 ## 🔍 ContexteSource : Google Threat Intelligence Group (GTIG), publié le 15 mai 2026 sur le blog officiel Google Cloud.
📖 cyberveille : https://cyberveille.ch/posts/2026-05-19-unc6671-blackfile-campagne-d-extorsion-par-vishing-et-compromission-sso/
🌐 source : https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation
#AiTM #BlackFile #Cyberveille -
Google Exposes BlackFile Extortion Operation's Tactics
Google's Threat Intelligence Group just exposed the clever tactics of the notorious BlackFile extortion operation, revealing how they use voice phishing and sneaky tech tricks to swindle dozens of organizations worldwide. Their clever scheme starts with a simple phone call, where fake IT helpers trick victims into spilling their secrets.
#Adversaryinthemiddle #Vishing #Aitm #Unc6671 #GoogleThreatIntelligenceGroup
-
📢 Infiltration d'un panel de phishing criminel lié à ShinyHunters et BlackFile
📝 ## 🔍 ContextePublié le 7 mai 2026 par la Push Security Research Team, cet article présente les résultats d'une infiltration directe de panels de phishing crim...
📖 cyberveille : https://cyberveille.ch/posts/2026-05-11-infiltration-d-un-panel-de-phishing-criminel-lie-a-shinyhunters-et-blackfile/
🌐 source : https://pushsecurity.com/blog/inside-criminal-phishing-panel
#AiTM #BlackFile #Cyberveille -
@eelcoa : helaas is het allemaal niet zo simpel.
DigiD is beslist niet perfect. En het is absurd als het in handen van een bedrijf, dat aan de VS-wetgeving moet voldoen, valt.
Een niet te onderschatten voordeel van DigiD is dat de server(s) van de partij waar de burger wil inloggen (zoals abp.nl), aan allerlei beveiligingseisen moeten voldoen (en zo'n server met de server(s) van DigiD communiceert).
Als je online authenticatie op (servers van) willekeurige partijen toestaat, zullen AitM (Attacker in the Middle) aanvallen een groot probleem worden (phishing vormt nu al een gigantisch probleem).
Voor betrouwbare authenticatie is het noodzakelijk dat degene die bewijst te zijn wie zij/hij zegt te zijn, de authenticeerder kan vertrouwen. Dat begint ermee dat *jij* weet *wie* de verifieerder is.
In https://tweakers.net/nieuws/204138/nederland-krijgt-een-paspoort-voor-op-internet-hoe-gaat-dat-werken.html#r_18249704 en verder vind je een discussie die ik had met Ivo Jansch (EDIW) en verderop "denan" (IRMA/Yivi). Nb. mijn Tweakers account is afgesloten na ruzie met een vervelende moderator.
Interessant, uit https://yivi.app/privacy_and_security/:
❝
Raak je je telefoon kwijt? Dan kun je in een mum van tijd je Yivi-app blokkeren via Mijn Yivi.
❞
Dat lijkt mij onmogelijk zonder tussenkomst van een centrale server tijdens inloggen.
-
@eelcoa : helaas is het allemaal niet zo simpel.
DigiD is beslist niet perfect. En het is absurd als het in handen van een bedrijf, dat aan de VS-wetgeving moet voldoen, valt.
Een niet te onderschatten voordeel van DigiD is dat de server(s) van de partij waar de burger wil inloggen (zoals abp.nl), aan allerlei beveiligingseisen moeten voldoen (en zo'n server met de server(s) van DigiD communiceert).
Als je online authenticatie op (servers van) willekeurige partijen toestaat, zullen AitM (Attacker in the Middle) aanvallen een groot probleem worden (phishing vormt nu al een gigantisch probleem).
Voor betrouwbare authenticatie is het noodzakelijk dat degene die bewijst te zijn wie zij/hij zegt te zijn, de authenticeerder kan vertrouwen. Dat begint ermee dat *jij* weet *wie* de verifieerder is.
In https://tweakers.net/nieuws/204138/nederland-krijgt-een-paspoort-voor-op-internet-hoe-gaat-dat-werken.html#r_18249704 en verder vind je een discussie die ik had met Ivo Jansch (EDIW) en verderop "denan" (IRMA/Yivi). Nb. mijn Tweakers account is afgesloten na ruzie met een vervelende moderator.
Interessant, uit https://yivi.app/privacy_and_security/:
❝
Raak je je telefoon kwijt? Dan kun je in een mum van tijd je Yivi-app blokkeren via Mijn Yivi.
❞
Dat lijkt mij onmogelijk zonder tussenkomst van een centrale server tijdens inloggen.
-
@eelcoa : helaas is het allemaal niet zo simpel.
DigiD is beslist niet perfect. En het is absurd als het in handen van een bedrijf, dat aan de VS-wetgeving moet voldoen, valt.
Een niet te onderschatten voordeel van DigiD is dat de server(s) van de partij waar de burger wil inloggen (zoals abp.nl), aan allerlei beveiligingseisen moeten voldoen (en zo'n server met de server(s) van DigiD communiceert).
Als je online authenticatie op (servers van) willekeurige partijen toestaat, zullen AitM (Attacker in the Middle) aanvallen een groot probleem worden (phishing vormt nu al een gigantisch probleem).
Voor betrouwbare authenticatie is het noodzakelijk dat degene die bewijst te zijn wie zij/hij zegt te zijn, de authenticeerder kan vertrouwen. Dat begint ermee dat *jij* weet *wie* de verifieerder is.
In https://tweakers.net/nieuws/204138/nederland-krijgt-een-paspoort-voor-op-internet-hoe-gaat-dat-werken.html#r_18249704 en verder vind je een discussie die ik had met Ivo Jansch (EDIW) en verderop "denan" (IRMA/Yivi). Nb. mijn Tweakers account is afgesloten na ruzie met een vervelende moderator.
Interessant, uit https://yivi.app/privacy_and_security/:
❝
Raak je je telefoon kwijt? Dan kun je in een mum van tijd je Yivi-app blokkeren via Mijn Yivi.
❞
Dat lijkt mij onmogelijk zonder tussenkomst van een centrale server tijdens inloggen.
-
@eelcoa : helaas is het allemaal niet zo simpel.
DigiD is beslist niet perfect. En het is absurd als het in handen van een bedrijf, dat aan de VS-wetgeving moet voldoen, valt.
Een niet te onderschatten voordeel van DigiD is dat de server(s) van de partij waar de burger wil inloggen (zoals abp.nl), aan allerlei beveiligingseisen moeten voldoen (en zo'n server met de server(s) van DigiD communiceert).
Als je online authenticatie op (servers van) willekeurige partijen toestaat, zullen AitM (Attacker in the Middle) aanvallen een groot probleem worden (phishing vormt nu al een gigantisch probleem).
Voor betrouwbare authenticatie is het noodzakelijk dat degene die bewijst te zijn wie zij/hij zegt te zijn, de authenticeerder kan vertrouwen. Dat begint ermee dat *jij* weet *wie* de verifieerder is.
In https://tweakers.net/nieuws/204138/nederland-krijgt-een-paspoort-voor-op-internet-hoe-gaat-dat-werken.html#r_18249704 en verder vind je een discussie die ik had met Ivo Jansch (EDIW) en verderop "denan" (IRMA/Yivi). Nb. mijn Tweakers account is afgesloten na ruzie met een vervelende moderator.
Interessant, uit https://yivi.app/privacy_and_security/:
❝
Raak je je telefoon kwijt? Dan kun je in een mum van tijd je Yivi-app blokkeren via Mijn Yivi.
❞
Dat lijkt mij onmogelijk zonder tussenkomst van een centrale server tijdens inloggen.
-
Alternatively, use the NoScript plugin (Firefox on Android and desktop operating systems) and do not trust (default behaviour is to block, explicit blocking is possible too) Cloudflare.
Note that this method does not prevent Cloudflare from knowing your IP-address, but effectively this tells them that they suck if you do not enable their invasive JavaScript code "to detetmine whether the connection is safe".
A connection that is actually very much NOT safe; there's an Attacker in the Middle spying on everything bit exchanged if you continue. They even collect every password you enter on websites proxied by Cloudflare (https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/).
-
Alternatively, use the NoScript plugin (Firefox on Android and desktop operating systems) and do not trust (default behaviour is to block, explicit blocking is possible too) Cloudflare.
Note that this method does not prevent Cloudflare from knowing your IP-address, but effectively this tells them that they suck if you do not enable their invasive JavaScript code "to detetmine whether the connection is safe".
A connection that is actually very much NOT safe; there's an Attacker in the Middle spying on everything bit exchanged if you continue. They even collect every password you enter on websites proxied by Cloudflare (https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/).
-
Alternatively, use the NoScript plugin (Firefox on Android and desktop operating systems) and do not trust (default behaviour is to block, explicit blocking is possible too) Cloudflare.
Note that this method does not prevent Cloudflare from knowing your IP-address, but effectively this tells them that they suck if you do not enable their invasive JavaScript code "to detetmine whether the connection is safe".
A connection that is actually very much NOT safe; there's an Attacker in the Middle spying on everything bit exchanged if you continue. They even collect every password you enter on websites proxied by Cloudflare (https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/).
-
Alternatively, use the NoScript plugin (Firefox on Android and desktop operating systems) and do not trust (default behaviour is to block, explicit blocking is possible too) Cloudflare.
Note that this method does not prevent Cloudflare from knowing your IP-address, but effectively this tells them that they suck if you do not enable their invasive JavaScript code "to detetmine whether the connection is safe".
A connection that is actually very much NOT safe; there's an Attacker in the Middle spying on everything bit exchanged if you continue. They even collect every password you enter on websites proxied by Cloudflare (https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/).
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
Pulse ID: 69fd6a90ea09bac209a0af4a
Pulse Link: https://otx.alienvault.com/pulse/69fd6a90ea09bac209a0af4a
Pulse Author: Tr1sa111
Created: 2026-05-08 04:46:08Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
Pulse ID: 69fd6a90ea09bac209a0af4a
Pulse Link: https://otx.alienvault.com/pulse/69fd6a90ea09bac209a0af4a
Pulse Author: Tr1sa111
Created: 2026-05-08 04:46:08Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
Pulse ID: 69fd6a90ea09bac209a0af4a
Pulse Link: https://otx.alienvault.com/pulse/69fd6a90ea09bac209a0af4a
Pulse Author: Tr1sa111
Created: 2026-05-08 04:46:08Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
Pulse ID: 69fd6a90ea09bac209a0af4a
Pulse Link: https://otx.alienvault.com/pulse/69fd6a90ea09bac209a0af4a
Pulse Author: Tr1sa111
Created: 2026-05-08 04:46:08Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
Pulse ID: 69fd6a90ea09bac209a0af4a
Pulse Link: https://otx.alienvault.com/pulse/69fd6a90ea09bac209a0af4a
Pulse Author: Tr1sa111
Created: 2026-05-08 04:46:08Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
Pulse ID: 69fd6ab1d93fddbc4eca0a5a
Pulse Link: https://otx.alienvault.com/pulse/69fd6ab1d93fddbc4eca0a5a
Pulse Author: Tr1sa111
Created: 2026-05-08 04:46:41Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
Pulse ID: 69fd6ab1d93fddbc4eca0a5a
Pulse Link: https://otx.alienvault.com/pulse/69fd6ab1d93fddbc4eca0a5a
Pulse Author: Tr1sa111
Created: 2026-05-08 04:46:41Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
Pulse ID: 69fd6ab1d93fddbc4eca0a5a
Pulse Link: https://otx.alienvault.com/pulse/69fd6ab1d93fddbc4eca0a5a
Pulse Author: Tr1sa111
Created: 2026-05-08 04:46:41Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
Pulse ID: 69fd6ab1d93fddbc4eca0a5a
Pulse Link: https://otx.alienvault.com/pulse/69fd6ab1d93fddbc4eca0a5a
Pulse Author: Tr1sa111
Created: 2026-05-08 04:46:41Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
Pulse ID: 69fd6ab1d93fddbc4eca0a5a
Pulse Link: https://otx.alienvault.com/pulse/69fd6ab1d93fddbc4eca0a5a
Pulse Author: Tr1sa111
Created: 2026-05-08 04:46:41Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
Pulse ID: 69fd6ace7eb0b90ae5e0bad1
Pulse Link: https://otx.alienvault.com/pulse/69fd6ace7eb0b90ae5e0bad1
Pulse Author: Tr1sa111
Created: 2026-05-08 04:47:10Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
Pulse ID: 69fd6ace7eb0b90ae5e0bad1
Pulse Link: https://otx.alienvault.com/pulse/69fd6ace7eb0b90ae5e0bad1
Pulse Author: Tr1sa111
Created: 2026-05-08 04:47:10Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
Pulse ID: 69fd6ace7eb0b90ae5e0bad1
Pulse Link: https://otx.alienvault.com/pulse/69fd6ace7eb0b90ae5e0bad1
Pulse Author: Tr1sa111
Created: 2026-05-08 04:47:10Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
Pulse ID: 69fd6ace7eb0b90ae5e0bad1
Pulse Link: https://otx.alienvault.com/pulse/69fd6ace7eb0b90ae5e0bad1
Pulse Author: Tr1sa111
Created: 2026-05-08 04:47:10Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
Pulse ID: 69fd6ace7eb0b90ae5e0bad1
Pulse Link: https://otx.alienvault.com/pulse/69fd6ace7eb0b90ae5e0bad1
Pulse Author: Tr1sa111
Created: 2026-05-08 04:47:10Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
A sophisticated credential theft campaign targeting over 35,000 users across 13,000 organizations was observed between April 14-16, 2026. The operation primarily impacted the United States, particularly healthcare and financial services sectors. Attackers used code of conduct themed phishing emails masquerading as internal compliance communications, sent through legitimate email delivery services from attacker-controlled domains. Victims received polished HTML emails with PDF attachments containing fake disciplinary logs and CAPTCHA gates to evade automated analysis. The multi-stage attack chain ultimately directed users to counterfeit Microsoft authentication pages operating as adversary-in-the-middle infrastructure, enabling real-time interception of credentials and session tokens while bypassing multi-factor authentication defenses.
Pulse ID: 69fb1736879a4a945346b9ba
Pulse Link: https://otx.alienvault.com/pulse/69fb1736879a4a945346b9ba
Pulse Author: AlienVault
Created: 2026-05-06 10:25:58Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AdversaryInTheMiddle #AitM #CAPTCHA #CyberSecurity #Email #HTML #Healthcare #InfoSec #Microsoft #OTX #OpenThreatExchange #PDF #Phishing #RAT #RCE #Troll #UnitedStates #bot #AlienVault
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
A sophisticated credential theft campaign targeting over 35,000 users across 13,000 organizations was observed between April 14-16, 2026. The operation primarily impacted the United States, particularly healthcare and financial services sectors. Attackers used code of conduct themed phishing emails masquerading as internal compliance communications, sent through legitimate email delivery services from attacker-controlled domains. Victims received polished HTML emails with PDF attachments containing fake disciplinary logs and CAPTCHA gates to evade automated analysis. The multi-stage attack chain ultimately directed users to counterfeit Microsoft authentication pages operating as adversary-in-the-middle infrastructure, enabling real-time interception of credentials and session tokens while bypassing multi-factor authentication defenses.
Pulse ID: 69fb1736879a4a945346b9ba
Pulse Link: https://otx.alienvault.com/pulse/69fb1736879a4a945346b9ba
Pulse Author: AlienVault
Created: 2026-05-06 10:25:58Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AdversaryInTheMiddle #AitM #CAPTCHA #CyberSecurity #Email #HTML #Healthcare #InfoSec #Microsoft #OTX #OpenThreatExchange #PDF #Phishing #RAT #RCE #Troll #UnitedStates #bot #AlienVault
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
A sophisticated credential theft campaign targeting over 35,000 users across 13,000 organizations was observed between April 14-16, 2026. The operation primarily impacted the United States, particularly healthcare and financial services sectors. Attackers used code of conduct themed phishing emails masquerading as internal compliance communications, sent through legitimate email delivery services from attacker-controlled domains. Victims received polished HTML emails with PDF attachments containing fake disciplinary logs and CAPTCHA gates to evade automated analysis. The multi-stage attack chain ultimately directed users to counterfeit Microsoft authentication pages operating as adversary-in-the-middle infrastructure, enabling real-time interception of credentials and session tokens while bypassing multi-factor authentication defenses.
Pulse ID: 69fb1736879a4a945346b9ba
Pulse Link: https://otx.alienvault.com/pulse/69fb1736879a4a945346b9ba
Pulse Author: AlienVault
Created: 2026-05-06 10:25:58Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AdversaryInTheMiddle #AitM #CAPTCHA #CyberSecurity #Email #HTML #Healthcare #InfoSec #Microsoft #OTX #OpenThreatExchange #PDF #Phishing #RAT #RCE #Troll #UnitedStates #bot #AlienVault
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
A sophisticated credential theft campaign targeting over 35,000 users across 13,000 organizations was observed between April 14-16, 2026. The operation primarily impacted the United States, particularly healthcare and financial services sectors. Attackers used code of conduct themed phishing emails masquerading as internal compliance communications, sent through legitimate email delivery services from attacker-controlled domains. Victims received polished HTML emails with PDF attachments containing fake disciplinary logs and CAPTCHA gates to evade automated analysis. The multi-stage attack chain ultimately directed users to counterfeit Microsoft authentication pages operating as adversary-in-the-middle infrastructure, enabling real-time interception of credentials and session tokens while bypassing multi-factor authentication defenses.
Pulse ID: 69fb1736879a4a945346b9ba
Pulse Link: https://otx.alienvault.com/pulse/69fb1736879a4a945346b9ba
Pulse Author: AlienVault
Created: 2026-05-06 10:25:58Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AdversaryInTheMiddle #AitM #CAPTCHA #CyberSecurity #Email #HTML #Healthcare #InfoSec #Microsoft #OTX #OpenThreatExchange #PDF #Phishing #RAT #RCE #Troll #UnitedStates #bot #AlienVault
-
Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails
A sophisticated credential theft campaign targeting over 35,000 users across 13,000 organizations was observed between April 14-16, 2026. The operation primarily impacted the United States, particularly healthcare and financial services sectors. Attackers used code of conduct themed phishing emails masquerading as internal compliance communications, sent through legitimate email delivery services from attacker-controlled domains. Victims received polished HTML emails with PDF attachments containing fake disciplinary logs and CAPTCHA gates to evade automated analysis. The multi-stage attack chain ultimately directed users to counterfeit Microsoft authentication pages operating as adversary-in-the-middle infrastructure, enabling real-time interception of credentials and session tokens while bypassing multi-factor authentication defenses.
Pulse ID: 69fb1736879a4a945346b9ba
Pulse Link: https://otx.alienvault.com/pulse/69fb1736879a4a945346b9ba
Pulse Author: AlienVault
Created: 2026-05-06 10:25:58Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AdversaryInTheMiddle #AitM #CAPTCHA #CyberSecurity #Email #HTML #Healthcare #InfoSec #Microsoft #OTX #OpenThreatExchange #PDF #Phishing #RAT #RCE #Troll #UnitedStates #bot #AlienVault
-
📢 Alerte CCCS : campagnes de compromission SaaS par ingénierie sociale ciblant les identités d'entreprise
📝 ...
📖 cyberveille : https://cyberveille.ch/posts/2026-04-05-alerte-cccs-campagnes-de-compromission-saas-par-ingenierie-sociale-ciblant-les-identites-d-entreprise/
🌐 source : https://www.cyber.gc.ca/fr/alertes-avis/al26-0010-compromission-denvironnements-saas-dentreprise-cybercriminelles-cybercriminels-se-livrant-activites-piratage-psychologique
#AiTM #OAuth #Cyberveille -
📢 Campagne de phishing AiTM multi-étapes ciblant 35 000 utilisateurs via leurres 'code de conduite'
📝 📅 **Source et contexte** : Analyse...
📖 cyberveille : https://cyberveille.ch/posts/2026-05-06-campagne-de-phishing-aitm-multi-etapes-ciblant-35-000-utilisateurs-via-leurres-code-de-conduite/
🌐 source : https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/
#AiTM #IOC #Cyberveille -
Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise
Pulse ID: 69fabb38dc54c806b7504109
Pulse Link: https://otx.alienvault.com/pulse/69fabb38dc54c806b7504109
Pulse Author: Tr1sa111
Created: 2026-05-06 03:53:28Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise
Pulse ID: 69fabb38dc54c806b7504109
Pulse Link: https://otx.alienvault.com/pulse/69fabb38dc54c806b7504109
Pulse Author: Tr1sa111
Created: 2026-05-06 03:53:28Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise
Pulse ID: 69fabb38dc54c806b7504109
Pulse Link: https://otx.alienvault.com/pulse/69fabb38dc54c806b7504109
Pulse Author: Tr1sa111
Created: 2026-05-06 03:53:28Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise
Pulse ID: 69fabb38dc54c806b7504109
Pulse Link: https://otx.alienvault.com/pulse/69fabb38dc54c806b7504109
Pulse Author: Tr1sa111
Created: 2026-05-06 03:53:28Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise
Pulse ID: 69fabb38dc54c806b7504109
Pulse Link: https://otx.alienvault.com/pulse/69fabb38dc54c806b7504109
Pulse Author: Tr1sa111
Created: 2026-05-06 03:53:28Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111
-
Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise | Microsoft Security Blog
Pulse ID: 69f9fbfae3ba66bbf5cff9d8
Pulse Link: https://otx.alienvault.com/pulse/69f9fbfae3ba66bbf5cff9d8
Pulse Author: CyberHunter_NL
Created: 2026-05-05 14:17:30Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #InfoSec #Microsoft #OTX #OpenThreatExchange #Phishing #bot #CyberHunter_NL
-
Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise | Microsoft Security Blog
Pulse ID: 69f9fbfae3ba66bbf5cff9d8
Pulse Link: https://otx.alienvault.com/pulse/69f9fbfae3ba66bbf5cff9d8
Pulse Author: CyberHunter_NL
Created: 2026-05-05 14:17:30Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #InfoSec #Microsoft #OTX #OpenThreatExchange #Phishing #bot #CyberHunter_NL
-
Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise | Microsoft Security Blog
Pulse ID: 69f9fbfae3ba66bbf5cff9d8
Pulse Link: https://otx.alienvault.com/pulse/69f9fbfae3ba66bbf5cff9d8
Pulse Author: CyberHunter_NL
Created: 2026-05-05 14:17:30Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #InfoSec #Microsoft #OTX #OpenThreatExchange #Phishing #bot #CyberHunter_NL
-
Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise | Microsoft Security Blog
Pulse ID: 69f9fbfae3ba66bbf5cff9d8
Pulse Link: https://otx.alienvault.com/pulse/69f9fbfae3ba66bbf5cff9d8
Pulse Author: CyberHunter_NL
Created: 2026-05-05 14:17:30Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #InfoSec #Microsoft #OTX #OpenThreatExchange #Phishing #bot #CyberHunter_NL
-
Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise | Microsoft Security Blog
Pulse ID: 69f9fbfae3ba66bbf5cff9d8
Pulse Link: https://otx.alienvault.com/pulse/69f9fbfae3ba66bbf5cff9d8
Pulse Author: CyberHunter_NL
Created: 2026-05-05 14:17:30Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AitM #CyberSecurity #InfoSec #Microsoft #OTX #OpenThreatExchange #Phishing #bot #CyberHunter_NL
-
Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise
A sophisticated large-scale credential theft campaign targeted over 35,000 users across 13,000 organizations, primarily in the United States, between April 14-16, 2026. Attackers distributed fully authenticated emails from legitimate services using code of conduct-themed lures with polished HTML templates. The multi-stage attack chain included PDF attachments with embedded links, multiple CAPTCHA challenges, and intermediate staging pages designed to appear legitimate while filtering automated defenses. Recipients were directed through several layers ultimately leading to an adversary-in-the-middle phishing flow that proxied authentication sessions and captured tokens, bypassing non-phishing-resistant multifactor authentication. The campaign broadly impacted Healthcare, Financial services, Professional services, and Technology industries, using social engineering techniques that created urgency through time-bound prompts and concerning accusations.
Pulse ID: 69f8f1230f0bda494499b941
Pulse Link: https://otx.alienvault.com/pulse/69f8f1230f0bda494499b941
Pulse Author: AlienVault
Created: 2026-05-04 19:18:59Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AdversaryInTheMiddle #AitM #CAPTCHA #CyberSecurity #Email #HTML #Healthcare #InfoSec #MultiFactorAuthentication #OTX #OpenThreatExchange #PDF #Phishing #SocialEngineering #UnitedStates #bot #AlienVault
-
Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise
A sophisticated large-scale credential theft campaign targeted over 35,000 users across 13,000 organizations, primarily in the United States, between April 14-16, 2026. Attackers distributed fully authenticated emails from legitimate services using code of conduct-themed lures with polished HTML templates. The multi-stage attack chain included PDF attachments with embedded links, multiple CAPTCHA challenges, and intermediate staging pages designed to appear legitimate while filtering automated defenses. Recipients were directed through several layers ultimately leading to an adversary-in-the-middle phishing flow that proxied authentication sessions and captured tokens, bypassing non-phishing-resistant multifactor authentication. The campaign broadly impacted Healthcare, Financial services, Professional services, and Technology industries, using social engineering techniques that created urgency through time-bound prompts and concerning accusations.
Pulse ID: 69f8f1230f0bda494499b941
Pulse Link: https://otx.alienvault.com/pulse/69f8f1230f0bda494499b941
Pulse Author: AlienVault
Created: 2026-05-04 19:18:59Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AdversaryInTheMiddle #AitM #CAPTCHA #CyberSecurity #Email #HTML #Healthcare #InfoSec #MultiFactorAuthentication #OTX #OpenThreatExchange #PDF #Phishing #SocialEngineering #UnitedStates #bot #AlienVault
-
Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise
A sophisticated large-scale credential theft campaign targeted over 35,000 users across 13,000 organizations, primarily in the United States, between April 14-16, 2026. Attackers distributed fully authenticated emails from legitimate services using code of conduct-themed lures with polished HTML templates. The multi-stage attack chain included PDF attachments with embedded links, multiple CAPTCHA challenges, and intermediate staging pages designed to appear legitimate while filtering automated defenses. Recipients were directed through several layers ultimately leading to an adversary-in-the-middle phishing flow that proxied authentication sessions and captured tokens, bypassing non-phishing-resistant multifactor authentication. The campaign broadly impacted Healthcare, Financial services, Professional services, and Technology industries, using social engineering techniques that created urgency through time-bound prompts and concerning accusations.
Pulse ID: 69f8f1230f0bda494499b941
Pulse Link: https://otx.alienvault.com/pulse/69f8f1230f0bda494499b941
Pulse Author: AlienVault
Created: 2026-05-04 19:18:59Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AdversaryInTheMiddle #AitM #CAPTCHA #CyberSecurity #Email #HTML #Healthcare #InfoSec #MultiFactorAuthentication #OTX #OpenThreatExchange #PDF #Phishing #SocialEngineering #UnitedStates #bot #AlienVault
-
Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise
A sophisticated large-scale credential theft campaign targeted over 35,000 users across 13,000 organizations, primarily in the United States, between April 14-16, 2026. Attackers distributed fully authenticated emails from legitimate services using code of conduct-themed lures with polished HTML templates. The multi-stage attack chain included PDF attachments with embedded links, multiple CAPTCHA challenges, and intermediate staging pages designed to appear legitimate while filtering automated defenses. Recipients were directed through several layers ultimately leading to an adversary-in-the-middle phishing flow that proxied authentication sessions and captured tokens, bypassing non-phishing-resistant multifactor authentication. The campaign broadly impacted Healthcare, Financial services, Professional services, and Technology industries, using social engineering techniques that created urgency through time-bound prompts and concerning accusations.
Pulse ID: 69f8f1230f0bda494499b941
Pulse Link: https://otx.alienvault.com/pulse/69f8f1230f0bda494499b941
Pulse Author: AlienVault
Created: 2026-05-04 19:18:59Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AdversaryInTheMiddle #AitM #CAPTCHA #CyberSecurity #Email #HTML #Healthcare #InfoSec #MultiFactorAuthentication #OTX #OpenThreatExchange #PDF #Phishing #SocialEngineering #UnitedStates #bot #AlienVault
-
Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise
A sophisticated large-scale credential theft campaign targeted over 35,000 users across 13,000 organizations, primarily in the United States, between April 14-16, 2026. Attackers distributed fully authenticated emails from legitimate services using code of conduct-themed lures with polished HTML templates. The multi-stage attack chain included PDF attachments with embedded links, multiple CAPTCHA challenges, and intermediate staging pages designed to appear legitimate while filtering automated defenses. Recipients were directed through several layers ultimately leading to an adversary-in-the-middle phishing flow that proxied authentication sessions and captured tokens, bypassing non-phishing-resistant multifactor authentication. The campaign broadly impacted Healthcare, Financial services, Professional services, and Technology industries, using social engineering techniques that created urgency through time-bound prompts and concerning accusations.
Pulse ID: 69f8f1230f0bda494499b941
Pulse Link: https://otx.alienvault.com/pulse/69f8f1230f0bda494499b941
Pulse Author: AlienVault
Created: 2026-05-04 19:18:59Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AdversaryInTheMiddle #AitM #CAPTCHA #CyberSecurity #Email #HTML #Healthcare #InfoSec #MultiFactorAuthentication #OTX #OpenThreatExchange #PDF #Phishing #SocialEngineering #UnitedStates #bot #AlienVault