PIXM Blog
70 Clicks in 24 Hours: OneDrive Phish Explodes via Backblaze
Mid-October saw astonishingly widespread phishing campaigns, with a single OneDrive phishing link clicked by over 70 users within 24 hours. Similar to attacks reported in September and early October, these were hosted on Backblaze infrastructure and exfiltrated detailed information about their victims. The same period saw surges in Attack-in-the-Middle (AiTM) phishing, also hosted […]
Invoice Phish Tsunami: MFA-Bypassing Phish Sweep U.S. via OneDrive & Backblaze
Early October and late September saw a concentrated wave of phishing campaigns using document-share and billing-update lures, particularly across Outlook, SharePoint and OneDrive. Many of these were hosted on legitimate infrastructure like Backblaze, Azure, and compromised small business domains, with near 100% adoption of MFA phishing flows and kits. Here are some […]
AiTM Evolution and Cloud Abuse: September’s Backblaze-Driven Phishing Wave
Phishing campaigns hosted on Backblaze infrastructure seen earlier in September substantially ratcheted up in the second half, complete with credential exfiltration through Telegram and lures referencing purchase orders. Other widespread phishing campaigns that hit half a dozen organizations during this period used Attack-in-the-Middle (AiTM) tools to exfiltrate two-factor codes […]
September Phishing Fires: Backblaze Ablaze with OneDrive Credential Attacks
The first half of September witnessed yet more records for Microsoft spearphish volume, with threat actors employing advanced evasion techniques, including payload encryption, device fingerprinting, and infrastructure abuse of reputable hosts like Backblaze, Hostinger, and Telegram’s Bot API. The same period saw sustained phishing targeting of personal accounts on work devices like American Express […]
August Phish Flood Warning: Credential Attacks Raining Down from Cloudflare
Late August saw records of phishing activity spanning Microsoft support scams, Adobe file shares and Paperless Post deliveries. Tactics involved MFA relay kits and use of Cloudflare infrastructure to evade detection. The same period saw continued targeting of personal accounts like Amazon and Yahoo on work devices. Below are some examples and highlights. tgcj86gcjyp[.]z13[.]web[.]core[.]windows[.]net hdbn46dhu[.]z13[.]web[.]core[.]windows[.]net […]
Inside August’s Phishing Heat Wave: Support Scams, Paperless Post Lures, and MFA Abuse
The first half of August has seen a major surge in Microsoft support scams using keyboard locks and other tactics to prod users into calling targeted call centers. Other Microsoft phishing attacks during this period made use of aggressive device fingerprinting, MFA relay tactics, and deliveries through event invites and PDFs. We also observed similar […]
Summer Surge: Sophisticated MFA Phishing Attacks Target Microsoft and Banking Users
Phishing targeting users on work devices is not slowing down over the summer, with many employees taking their laptops home for the summer vacation months. The second half of July saw a pronounced surge in Microsoft and Outlook spearphish that demonstrated a number of interesting tactics, including multi-factor authentication phishing kits and distributed phishing […]
Microsoft Spearphish uses Telegram Bots to Evade Detection
The last week of June and early July saw a surge in zero-day phishing attacks targeting both corporate Microsoft/Outlook logins and personal web services (e-commerce, streaming, and email) on work devices. Threat actors employed sophisticated tactics – from obfuscated JavaScript and fake OAuth login flows to Telegram-based exfiltration – allowing many of these phishing […]
Amazon Phishing Kit Harvests SSNs, Bank Access Numbers, and More
Early to mid June saw a surge of phishing campaigns targeting Amazon, Microsoft and Netflix accounts, including phishing kits capable of harvesting extensive personal data, like social security numbers and bank access numbers. Many Microsoft-themed attacks employed advanced evasive tactics – such as heavily obfuscated scripts, anti-scanning measures, and simulated multi-factor authentication steps. Meanwhile, an Amazon […]
ID.me and Government Data Targeted in IRS Phishing Campaign
The end of May and first week of June 2025 saw a sharp uptick in zero-day phishing campaigns targeting corporate login credentials, with additional campaigns impersonating Amazon and even U.S. government login services (ID.me for IRS). Threat actors employed sophisticated evasive techniques – from multi-layer code encryption and clipboard hijacking to spoofing Microsoft’s own […]