Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Breach. Show all posts
Spain
Data Breach Data Leak Education ministry of science Online Platforms Spain

Spain’s Science Ministry Partially Shuts Online Systems After Suspected Cyber Incident

 



Spain’s Ministry of Science, Innovation and Universities has temporarily disabled parts of its digital infrastructure following what it described as a technical problem. The disruption has affected several online services used by citizens, universities, researchers, and businesses for official procedures and submissions. These platforms support important administrative functions and process sensitive information, which is why access was restricted as a precaution.

The ministry oversees national science policy, research programs, innovation initiatives, and higher education administration. Its systems handle high-value data, including academic and research records, application materials, and personal information linked to students and professionals. Because of the incident, multiple digital services were made unavailable, and active procedures were placed on hold to limit any potential risk to data or system integrity.

In a public notice on its official website, the ministry stated that the incident is under technical assessment and did not disclose further details at the time. The announcement clarified that the ministry’s online portal is only partially operational and that ongoing administrative processes have been paused to protect the rights and lawful interests of affected users. To reduce the impact of the outage, authorities confirmed that deadlines for affected procedures will be extended in line with Spain’s administrative law provisions, so applicants and institutions are not penalized for delays caused by the shutdown.

Separately, claims surfaced on underground online platforms from an individual alleging unauthorized access to the ministry’s systems. The person shared what they presented as sample data to support the claim and stated that additional information was available for sale. The material reportedly includes personal records, email information, application-related documents, and images of official paperwork. These claims have not been independently verified, and the online space where the samples were shared later became inaccessible.

The same individual alleged that access was gained by exploiting a security weakness that can allow users to reach restricted resources without proper authorization. Such flaws, when present in web applications, can expose internal systems if not properly secured. At this stage, the technical details of the claim remain unconfirmed by authorities.

Spanish media outlets have reported that a ministry spokesperson acknowledged that the service disruption is linked to a cybersecurity incident. However, officials have not confirmed whether any data was accessed or taken, nor have they outlined the scope of any potential compromise. The ministry has indicated that investigations are ongoing to determine what occurred and to restore services safely.

Cybersecurity experts consistently warn that public sector systems are frequent targets because of the volume and sensitivity of data they manage. Strong access controls, continuous monitoring, and timely security updates are critical to reducing exposure to such risks. Further updates from the ministry are expected once technical assessments are completed and the situation is fully clarified.

Read more »
Tribal Clinics
Data Breach Medical Data Leak Ransomware attack Rhysida Ransomware Tribal Clinics

Rhysida Ransomware Hits California Tribal Clinics, Leaks SSNs and Medical Data

 

A recent ransomware attack has disrupted healthcare services and exposed sensitive patient data at the MACT Health Board, which operates clinics serving American Indian communities in California’s Sierra Foothills. The cybercriminal group Rhysida has claimed responsibility for the November 2025 breach and has listed MACT on its data leak site, demanding a ransom of eight bitcoin, valued at about 662,000 dollars at the time. Although MACT has notified affected patients, the organization has not confirmed Rhysida’s claims or disclosed how many individuals were impacted.

According to MACT’s notice to victims, an unauthorized party accessed some files on its systems between November 12 and November 20, 2025, leading to serious exposure of personal and medical information. Compromised data includes names, Social Security numbers, and detailed medical information such as diagnoses, doctors, insurance details, medications, test results, images, and records of care and treatment. In response, MACT is offering eligible victims free identity monitoring, recognizing the heightened risk of identity theft and fraud.

The attack caused significant operational disruption across MACT’s clinics starting November 20, 2025, affecting phone services, prescription ordering, and appointment scheduling. Phone lines were restored by December 1, but some specialized imaging services were still offline as of January 22, illustrating the long-term impact such incidents can have on patient care. The Board declined to answer detailed questions about the breach, including whether a ransom was paid or how the attackers infiltrated the network.

Rhysida, which emerged in May 2023, runs a ransomware-as-a-service model, providing its malware and infrastructure to affiliates who carry out attacks. Its ransomware both steals data and encrypts systems, with victims pressured to pay for deletion of stolen information and for decryption keys. The group has claimed responsibility for 102 confirmed attacks and an additional 157 unacknowledged incidents, with an average ransom demand of around 884,000 dollars. At least 24 of its confirmed attacks have targeted healthcare entities, compromising about 3.83 million records, including high-profile breaches at MedStar Health, Spindletop Center, and Cytek Biosciences.

The MACT incident highlights a broader surge in ransomware targeting US healthcare providers. Comparitech researchers documented 109 confirmed ransomware attacks against hospitals, clinics, and other care providers in 2025 alone, affecting nearly 8.9 million records. These attacks can force organizations back to pen-and-paper operations, trigger appointment cancellations, and even require patient diversions, putting both safety and privacy at risk. MACT, which serves five California counties—Mariposa, Amador, Alpine, Calaveras, and Tuolumne—through about a dozen clinics offering medical, dental, behavioral, optometry, and chiropractic care, now faces the dual challenge of restoring services and rebuilding trust with its community.
Read more »
supply chain security
Data Breach developer credential theft GlassWorm malware malicious VS Code extensions Open VSX Registry attack supply chain security

Open VSX Supply Chain Breach Delivers GlassWorm Malware Through Trusted Developer Extensions

 

Cybersecurity experts have uncovered a supply chain compromise targeting the Open VSX Registry, where unknown attackers abused a legitimate developer’s account to distribute malicious updates to unsuspecting users.

According to findings from Socket, the attackers infiltrated the publishing environment of a trusted extension author and used that access to release tainted versions of widely used tools.

"On January 30, 2026, four established Open VSX extensions published by the oorzc author had malicious versions published to Open VSX that embed the GlassWorm malware loader," Socket security researcher Kirill Boychenko said in a Saturday report.

The compromised extensions had long been considered safe and were positioned as genuine developer utilities, with some having been available for more than two years.

"These extensions had previously been presented as legitimate developer utilities (some first published more than two years ago) and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases."

Socket noted that the incident stemmed from unauthorized access to the developer’s publishing credentials. The Open VSX security team believes the breach may have involved a leaked access token or similar misuse of credentials. All affected versions have since been taken down from the registry.

Impacted extensions include:
  • FTP/SFTP/SSH Sync Tool (oorzc.ssh-tools — version 0.5.1)
  • I18n Tools (oorzc.i18n-tools-plus — version 1.6.8)
  • vscode mindmap (oorzc.mind-map — version 1.0.61)
  • scss to css (oorzc.scss-to-css-compile — version 1.3.4)
The malicious updates were engineered to deploy GlassWorm, a loader malware linked to an ongoing campaign. The loader decrypts and executes payloads at runtime and relies on EtherHiding—a technique that conceals command-and-control infrastructure—to retrieve C2 endpoints. Its ultimate objective is to siphon Apple macOS credentials and cryptocurrency wallet information.

Before activating, the malware profiles the infected system and checks locale settings, avoiding execution on systems associated with Russian regions, a behavior often seen in malware tied to Russian-speaking threat groups.

The stolen data spans a broad range of sensitive assets, including browser credentials, cryptocurrency wallets, iCloud Keychain data, Safari cookies, Apple Notes, user documents, VPN configurations, and developer secrets such as AWS and SSH credentials.

The exposure of developer-related data is particularly dangerous, as it can lead to deeper enterprise breaches, cloud account takeovers, and lateral movement across networks.

"The payload includes routines to locate and extract authentication material used in common workflows, including inspecting npm configuration for _authToken and referencing GitHub authentication artifacts, which can provide access to private repositories, CI secrets, and release automation," Boychenko said.

What sets this incident apart is the delivery method. Instead of relying on fake or lookalike extensions, the attackers leveraged a real developer’s account to push the malware—an evolution from earlier GlassWorm campaigns that depended on typosquatting and brand impersonation.

"The threat actor blends into normal developer workflows, hides execution behind encrypted, runtime-decrypted loaders, and uses Solana memos as a dynamic dead drop to rotate staging infrastructure without republishing extensions," Socket said. "These design choices reduce the value of static indicators and shift defender advantage toward behavioral detection and rapid response."
Read more »
Dating Apps
Consumer Information Cyber Phishing Data Breach Data Leak data security Data Theft dating app security Dating Apps

ShinyHunters Claims Match Group Data Breach Exposing 10 Million Records

 

A new data theft has surfaced linked to ShinyHunters, which now claims it stole more than 10 million user records from Match Group, the U.S. company behind several major swipe-based dating platforms. The group has positioned the incident as another major addition to its breach history, alleging that personal data and internal materials were taken without authorization. 

According to ShinyHunters, the stolen data relates to users of Hinge, Match.com, and OkCupid, along with hundreds of internal documents. The Register reported seeing a listing on the group’s dark web leak site stating that “over 10 million lines” of data were involved. The exposure was also linked to AppsFlyer, a marketing analytics provider, which was referenced as the likely source connected to the incident. 

Match Group confirmed it is investigating what it described as a recently identified security incident, and said some user data may have been accessed. The company stated it acted quickly to terminate the unauthorized access and is continuing its investigation with external cybersecurity experts. Match Group also said there was no indication that login credentials, financial information, or private communications were accessed, and added that it believes only a limited amount of user data was affected. 

It said notifications are being issued to impacted individuals where appropriate. However, Match Group did not disclose what categories of data were accessed, how many users were impacted, or whether any ransom demand was made or paid, leaving key details about the scope and motivation unresolved. Cybernews, which reviewed samples associated with the listing, reported that the dataset appears to include customer personal data, some employee-related information, and internal corporate documents. 

The analysis also suggested the presence of Hinge subscription details, including user IDs, transaction IDs, payment amounts, and records linked to blocked installations, along with IP addresses and location-related data. In a separate post published the same week, ShinyHunters also claimed it had stolen data from Bumble. The group uploaded what it described as 30 GB of compressed files allegedly sourced from Google Drive and Slack. The claims come shortly after researchers reported that ShinyHunters targeted around 100 organizations by abusing stolen Okta single sign-on credentials. The alleged victim list included well-known SaaS and technology firms such as Atlassian, AppLovin, Canva, Epic Games, Genesys, HubSpot, Iron Mountain, RingCentral, and ZoomInfo, among others. 

Bumble has issued a statement saying that one contractor’s account had been compromised in a phishing incident. The company said the account had limited privileges but was used for brief unauthorized access to a small portion of Bumble’s network. Bumble stated its security team detected and removed the access quickly, confirmed the incident was contained, engaged external cybersecurity experts, and notified law enforcement. Bumble also emphasized that there was no access to its member database, member accounts, the Bumble app, or member direct messages or profiles.
Read more »
Third Party Risk
Cyber Risk Management Data Breach Healthcare cybersecurity Healthcare IT Systems Healthcare Ransomware Medical Data Security patient data protection ransomware attacks Third Party Risk

Cybercriminals Report Monetizing Stolen Data From US Medical Company


Modern healthcare operations are frequently plagued by ransomware attacks, but the recent attack on Change Healthcare marks a major turning point in terms of scale and consequence. In the context of an industry that is increasingly relying on digital platforms, there is a growing threat environment characterized by organized cybercrime, fragile third-party dependency, and an increasing data footprint as a result of an increasingly hostile threat environment. 

With hundreds of ransomware incidents and broader security incidents already occurring in a matter of months, recent figures from 2025 illustrate just how serious this shift is. It is important to note that a breach will not only disrupt clinical and administrative workflows, but also put highly sensitive patient information at risk, which can result in cascading operational, financial, and legal consequences for organizations. 

The developments highlighted here highlight a stark reality: safeguarding healthcare data does not just require technical safeguards; it now requires a coordinated risk management strategy that anticipates breaches, limits their impacts, and ensures institutional resilience should prevention fail. 

Connecticut's Community Health Center (CHC) recently disclosed a significant data breach that occurred when an unauthorized access to its internal systems was allowed to result in a significant data breach, which exemplifies the sector's ongoing vulnerability to cyber risk. 

In January 2025, the organization was alerted to irregular network activity, resulting in an urgent forensic investigation that confirmed there was a criminal on site. Upon further analysis, it was found that the attacker had maintained undetected access to the system from mid-October 2024, thereby allowing a longer window for data exfiltration before the breach was contained and publicly disclosed later that month. 

There was no ransomware or disruption of operations during the incident, but the extent of the data accessed was significant, including names, dates of birth, Social Security numbers, health insurance details, and clinical records of patients and employees, which included sensitive patient and employee information.

More than one million people, including several thousand employees, were affected according to CHC, demonstrating the difficulties that persist in early detection of threats and data protection across healthcare networks, and highlighting the urgent need for strengthened security measures as medical records continue to attract cybercriminals. 

According to Cytek Biosciences' notification to affected individuals, it was learned in early November 2025 that an outside party had gained access to portions of the Biotechnology company's systems and that the company later determined that personal information had been obtained by an outside party. 

As soon as the company became aware of the extent of the exposure, it took immediate steps to respond, including offering free identity theft protection and credit monitoring services for up to two years to eligible individuals, which the company said it had been working on. 

As part of efforts to mitigate potential harm resulting from the incident, enrollment in the program continues to be open up until the end of April 2026. Threat intelligence sources have identified the breach as being connected to Rhysida, which is known for being a ransomware group that first emerged in 2023 and has since established itself as a prolific operation within the cybercrime ecosystem.

A ransomware-as-a-service model is employed by the group which combines data theft with system encryption, as well as allowing affiliates to conduct attacks using its malware and infrastructure in return for a share of the revenue. 

The Rhysida malware has been responsible for a number of attacks across several sectors since its inception, and healthcare is one of the most frequent targets. A number of the group's intrusions have previously been credited to hospitals and care providers, but the Cytek incident is the group's first confirmed attack on a healthcare manufacturer, aligning with a trend which is increasingly involving ransomware activity that extends beyond direct patient care companies to include medical suppliers and technology companies. 

Research indicates that these types of attacks are capable of exposing millions of records, disrupting critical services, and amplifying risks to patient privacy as well as operational continuity, which highlights that the threat landscape facing the U.S. healthcare system is becoming increasingly complex. 

As a result of the disruption that occurred in the U.S. healthcare system, organizations and individuals affected by the incident have stepped back and examined how Change Healthcare fits into the system and why its outage was so widespread. 

With over 15 years of experience in healthcare technology and payment processing under the UnitedHealth Group umbrella, Change Healthcare has played a critical role as a vital intermediary between healthcare providers, insurers, and pharmacists by verifying eligibility, getting prior authorizations, submitting claims, and facilitating payment processes. 

A failure of this organization in its role at the heart of these transactions can lead to cascading delays in prescription, reimbursement, and claim processing across the country when its operational failure extends far beyond the institution at fault. 

According to findings from a survey conducted by the American Medical Association, which documented widespread financial and administrative stress among physician practices, this impact was of a significant magnitude. There have been numerous reports of suspended or delayed claims payments, the inability to submit claims, or the inability to receive electronic remittance advice, and widespread service interruptions as a consequence. 

Several practices cited significant revenue losses, forcing some to rely on personal funds or find an alternative clearinghouse in order to continue to operate. There have been some relief measures relating to emergency funding and advance payments, but disruptions continue to persist, prompting UnitedHealth Group to disburse more than $2 billion towards these efforts. 

Moreover, patients have suffered indirect effects not only through billing delays, unexpected charges, and notifications about potential data exposures but also outside the provider community. This has contributed to increased public concern and renewed scrutiny of the systemic risks posed by the compromise of an organization's central healthcare infrastructure provider. 

The fact that the incidents have been combined in this fashion highlights a clear and cautionary message for healthcare stakeholders: it is imperative to treat cyber resilience as a strategic priority, rather than a purely technical function. 

Considering that large-scale ransomware campaigns have been running for some time now, undetected intrusions for a prolonged period of time, as well as failures at critical intermediaries, it is evident that even a single breach can escalate into a systemic disruption that affects providers, manufacturers, and patients. 

A growing number of industry leaders and regulators are called upon to improve the oversight of third parties, enhance the tools available for breach detection, and integrate financial, legal, and operational preparedness into their cybersecurity strategies. 

It is imperative that healthcare organizations adopt proactive, enterprise-wide approaches to risk management as the volume and value of healthcare data continues to grow. Organizations that fail to adopt this approach may not only find themselves unable to cope with cyber incidents, but also struggle to maintain trust, continuity, and care delivery in the aftermath of them.
Read more »
patient portal phishing scam
Data Breach health data security Manage My Health data breach medical data breach NZ New Zealand healthcare cyberattack patient portal phishing scam

Manage My Health Warns of Impersonation Scams as Fallout From Major Data Breach Continues

 

The repercussions of the Manage My Health data breach are still unfolding, with the company cautioning that cybercriminals may now be targeting affected users by posing as the online patient portal.

Manage My Health, which runs a widely used digital health platform across New Zealand, has confirmed that the majority of individuals impacted by the incident have been notified. At the same time, the organization has raised concerns that opportunistic criminals are attempting to exploit the situation by circulating phishing or spam messages designed to look like official communications from Manage My Health.

“We’re also aware that secondary actors may impersonate MMH and send spam or phishing emails to prompt engagement. These communications are not from MMH,” the company said in a statement. It added that steps are being examined to curb this activity, alongside issuing safety guidance to help users avoid further harm.

The cyberattack, which took place toward the end of last year, involved unauthorized access to documents stored within a limited section of the platform. According to reports, the attackers demanded a ransom of several thousand dollars, threatening to publish sensitive data on the dark web. Had this occurred, personal medical information belonging to more than 120,000 New Zealanders could have been exposed.

Manage My Health clarified that core services remained unaffected by the breach. Live GP clinical systems, prescriptions, appointment bookings, secure messaging, and real-time medical records were not compromised. The intrusion was restricted to documents housed in the “My Health Documents” feature.

The affected files included user-uploaded materials such as correspondence, medical reports, and test results, along with certain clinical documents. These clinical records consisted of hospital discharge summaries and clinical letters linked to care provided in Northland Te Tai Tokerau. After detecting suspicious activity, the company said it swiftly locked down the affected feature, prevented further unauthorized access, and activated its incident response protocols. Independent cybersecurity experts were brought in to assess the breach and verify its extent.

Manage My Health has since confirmed that the incident is contained and that testing shows the vulnerability has been fully addressed.

Notifications and Regulatory Response

The company acknowledged that its early response resulted in some users being contacted before the full scope of the breach was understood. “When we first identified the breach, our priority was to promptly inform all potentially affected patients,” it said, explaining that this precautionary approach meant some individuals were later found not to be impacted.

Those users were subsequently advised that their data was not involved. Individuals can also verify their status by logging into the Manage My Health web application, where a green “No Impact” banner confirms no exposure.

Notification efforts are continuing, with the company citing the complexity of coordinating communications across patient groups, regulators, and data controllers while meeting obligations under the New Zealand Privacy Act.

The breach has drawn regulatory attention, with the Office of the Privacy Commissioner (OPC) launching an inquiry into the privacy implications of the incident. Manage My Health said it is cooperating closely with the OPC, Health New Zealand | Te Whatu Ora, the National Cyber Security Centre, and the New Zealand Police.

Legal Action and Monitoring Efforts

As part of its response, Manage My Health successfully obtained an interim injunction from the High Court, preventing any third party from accessing, publishing, or sharing the compromised data.

The company is also monitoring known data leak sites and stands ready to issue takedown notices if any information surfaces online. Additional steps include resetting compromised credentials, temporarily disabling the Health Documents module, and maintaining continuous system monitoring while wider security improvements are implemented. An independent forensic investigation is still underway, though the company has declined to disclose specific technical details at this time.

Manage My Health has reiterated that it will never request passwords or one-time security codes and has urged users to be cautious of unsolicited or urgent messages claiming to be from the platform.

Anyone contacted by individuals alleging they possess health data is advised not to engage and to report the matter to New Zealand Police via 105, or 111 in an emergency, and to inform Manage My Health support. To further assist users worried about identity misuse, the company has partnered with IDCARE to provide free and confidential cyber and identity support across Australia and New Zealand.

“We take the privacy of our clients and staff very seriously, and we sincerely apologise for any concern or inconvenience this incident may have caused,” Manage My Health said, adding that it remains committed to transparency as investigations into the cyberattack on Manage My Health continue.
Read more »
SoundCloud breach
Betterment data leak Crunchbase hack CyberCrime dark web leaks Data Breach ShinyHunters data leak SoundCloud breach

ShinyHunters Allege Massive Data Leaks from SoundCloud, Crunchbase, and Betterment After Extortion Refusals

 

The cybercrime group known as ShinyHunters has resurfaced, claiming responsibility for leaking millions of records allegedly taken from SoundCloud, Crunchbase, and Betterment after failed extortion efforts. The group has launched a new dark web (.onion) leak platform and has already shared what it says are partial databases connected to the three organizations.

The activity reportedly began on 22 January 2026, when ShinyHunters posted messages on its Telegram channel containing links to onion services where the data could be accessed freely. The hackers assert that the disclosures were carried out because the targeted companies refused to meet their extortion demands.

“We are after corporate regime change in all parts of the world. Pay or leak. We will aggressively and viciously come after you once we have your data. By the time you are listed here, it will be too late. Next time. You will learn from it. It will ALWAYS be your best decision, choice, and option to engage with us and come to an agreement with us. Proceed wisely,” the group’s message on the leak site says.

Among the affected firms, SoundCloud had previously acknowledged a breach in December 2025 that impacted roughly 20% of its users. With the platform reporting between 175 and 180 million users overall, this translates to approximately 35–36 million accounts—closely aligning with the volume of data ShinyHunters claims to possess.

According to the hackers, the leaked information includes more than 20 million records tied to Betterment containing Personally Identifiable Information, over 2 million alleged records associated with Crunchbase, and upwards of 30 million records linked to SoundCloud that are now circulating online.

On the same day the leaks emerged, 22 January 2026, Okta issued a security advisory warning of an ongoing Okta SSO vishing campaign that has already affected multiple victims, though the total number has not been disclosed. In a LinkedIn post, Alon Gal of Israel-based cybersecurity firm Hudson Rock stated that ShinyHunters contacted him, claiming responsibility for the Okta SSO vishing activity and suggesting that more data leaks are forthcoming.

This development has prompted speculation about whether the alleged breaches at all three companies are connected to Okta. At this stage, no definitive link has been confirmed. Hackread.com has reached out directly to ShinyHunters to seek clarification on the matter.

The purported datasets linked to SoundCloud, Crunchbase, and Betterment remain accessible for download, and Hackread.com reports that the links are now being widely shared across prominent cybercrime forums, including French- and Russian-language communities.

Hackread.com has also contacted all three companies for comment. Until the organizations involved verify the legitimacy of the leaked data, the incidents should be treated strictly as unconfirmed claims.

In a statement shared with Hackread.com, a SoundCloud spokesperson said the company detected unauthorized activity within an ancillary service dashboard in mid-December and acted immediately to contain the situation. The response included engaging third-party cybersecurity experts and launching a comprehensive investigation.

According to SoundCloud’s blog post, the investigation found that no sensitive information such as passwords or financial data was accessed. The exposure was limited to email addresses and details already visible on public profiles, affecting about one-fifth of its users. SoundCloud further stated that while a group claiming responsibility has made public accusations and carried out email flooding tactics, there is no evidence to support broader claims. The company says it is cooperating with law enforcement and continuing to strengthen monitoring, access controls, and other security defenses
Read more »
phishing
Credential Theft Data Breach Data Theft Emails IP Address Microsoft Microsoft SharePoint phishing

Attackers Hijack Microsoft Email Accounts to Launch Phishing Campaign Against Energy Firms

 


Cybercriminals have compromised Microsoft email accounts belonging to organizations in the energy sector and used those trusted inboxes to distribute large volumes of phishing emails. In at least one confirmed incident, more than 600 malicious messages were sent from a single hijacked account.

Microsoft security researchers explained that the attackers did not rely on technical exploits or system vulnerabilities. Instead, they gained access by using legitimate login credentials that were likely stolen earlier through unknown means. This allowed them to sign in as real users, making the activity harder to detect.

The attack began with emails that appeared routine and business-related. These messages included Microsoft SharePoint links and subject lines suggesting formal documents, such as proposals or confidentiality agreements. To view the files, recipients were asked to authenticate their accounts.

When users clicked the SharePoint link, they were redirected to a fraudulent website designed to look legitimate. The site prompted them to enter their Microsoft login details. By doing so, victims unknowingly handed over valid usernames and passwords to the attackers.

After collecting credentials, the attackers accessed the compromised email accounts from different IP addresses. They then created inbox rules that automatically deleted incoming emails and marked messages as read. This step helped conceal the intrusion and prevented account owners from noticing unusual activity.

Using these compromised inboxes, the attackers launched a second wave of phishing emails. These messages were sent not only to external contacts but also to colleagues and internal distribution lists. Recipients were selected based on recent email conversations found in the victim’s inbox, increasing the likelihood that the messages would appear trustworthy.

In this campaign, the attackers actively monitored inbox responses. They removed automated replies such as out-of-office messages and undeliverable notices. They also read replies from recipients and responded to questions about the legitimacy of the emails. All such exchanges were later deleted to erase evidence.

Any employee within an energy organization who interacted with the malicious links was also targeted for credential theft, allowing the attackers to expand their access further.

Microsoft confirmed that the activity began in January and described it as a short-duration, multi-stage phishing operation that was quickly disrupted. The company did not disclose how many organizations were affected, identify the attackers, or confirm whether the campaign is still active.

Security experts warn that simply resetting passwords may not be enough in these attacks. Because attackers can interfere with multi-factor authentication settings, they may maintain access even after credentials are changed. For example, attackers can register their own device to receive one-time authentication codes.

Despite these risks, multi-factor authentication remains a critical defense against account compromise. Microsoft also recommends using conditional access controls that assess login attempts based on factors such as location, device health, and user role. Suspicious sign-ins can then be blocked automatically.

Additional protection can be achieved by deploying anti-phishing solutions that scan emails and websites for malicious activity. These measures, combined with user awareness, are essential as attackers increasingly rely on stolen identities rather than software flaws.


Read more »
Subscribe to: Comments (Atom)