This is a monthly newsletter I put together for an internal security awareness program. Feel Free to grab and use for your own program.

The Most Advanced ClickFix Yet (Push Security) 

Push Security researchers have uncovered a new and highly refined iteration of the “ClickFix” phishing framework, featuring modular capabilities for credential harvesting and session hijacking. This version uses advanced URL obfuscation, cloud-hosted redirects, and adaptive templates that mimic corporate login portals to bypass detection and deceive users more effectively. 

Key Insights 

• Framework evolution: ClickFix’s latest version integrates dynamic templates and tokenized redirects to evade pattern-based blocking. 

• Session hijacking: Stolen authentication cookies allow attackers to access corporate accounts even when multi-factor authentication is enabled. 

• Cloud abuse: Hosting payloads on legitimate cloud services gives attackers credibility and helps phishing links evade automated scanning. 

• Rapid deployment: The phishing kits are prepackaged for affiliates, enabling faster setup and broader campaign reach. 

• Enterprise risk: The sophistication and modularity of ClickFix underline a trend toward professionalized phishing-as-a-service ecosystems. 

Further Reading: Push Security 

Minecraft, Qwerty and India123 Among 2025’s Most Common Passwords (Comparitech) 

Comparitech’s latest report reveals that easily guessable passwords like “minecraft”, “qwerty”, and “india123” remain widely used despite increased awareness of password security. The findings underscore the persistent risk of weak authentication across individuals and organisations, particularly in enterprise contexts where password reuse and default credentials continue to expose systems to credential-dumping and brute-force attacks. 

Key Insights 

• Weak passwords persist: “minecraft” topped the list of most common passwords of 2025, followed by “qwerty” and “india123”. 

• Password-reuse risk: Many breached credentials show repeated reuse of these weak passwords across multiple services, amplifying breach impact. 

• Default and predictable credentials: A significant share of password sets were based on games, simple keyboard walks (qwerty), or culturally-common strings — all easily breached. 

• Enterprise & IoT exposure: Weak passwords are especially problematic in business systems and connected devices where password requirements are lax and monitoring is minimal. 

• Actionable x-fact: Organisations should block commonly used weak passwords, enforce passphrase complexity and implement password-less or MFA approaches to reduce risk. 

Further Reading: Comparitech 

New Phishing Campaign Exploits Meta Business Suite to Target SMBs Across the U.S. and Beyond (Check Point Research) 

Check Point Research uncovered a phishing campaign that abuses the Meta Business Suite JSON API flows to masquerade as legitimate business-management notifications. Through this abuse, attackers sent convincing lures to SMBs in the U.S. and globally, claiming billing issues or account suspension and directing victims to fake login portals. The campaign succeeded in bypassing detection by conforming to expected API patterns and dynamically generating URLs that appear unique per victim. 

Key Insights 

• API abuse for legitimacy: Attackers used Meta’s business-management JSON callbacks to fetch business names and tailor phishing messages, increasing trust and clicks. 

• Global SMB targeting: While initial hits were in the U.S., the campaign expanded to over 20 countries, focusing on small and mid-sized businesses with available business-suite integrations. 

• Dynamic URL generation: Each phishing link was unique and time-limited, preventing bulk blocking and defeating static URL reputation databases. 

• Credential theft via login proxy: Victims were redirected to an Azure-hosted login page that mirrored the Meta Business Suite sign-in interface, capturing both credentials and session cookies. 

• Evading detection: Because the attacker-generated callback requests resembled normal Meta API traffic, email filters reliant on anomaly detection struggled to flag the messages. 

Further Reading: Check Point Research – New Phishing Campaign Exploits Meta Business Suite to Target SMBs Across the U.S. and Beyond 

New Phishing Attack Leverages Popular Brands to Harvest Logins (Cybersecurity News) 

A recent phishing campaign delivers self-contained HTML attachments that impersonate trusted brands such as Microsoft 365, Adobe, FedEx, and DHL to harvest credentials. These attachments bypass external link filtering by embedding phishing pages directly in the email and use JavaScript to send stolen data to Telegram bots rather than traditional command-and-control servers. The campaign targets industries like agriculture, automotive, construction, and education in regions including the Czech Republic, Slovakia, Hungary, and Germany. 

Key Insights 

• Attachment-based attack delivery: Phishing emails include HTML files with fake login portals, avoiding reliance on external links and reputation lists. 

• Brand impersonation at scale: Multiple major brands are mimicked to increase trust and widen the potential victim pool. 

• Direct data exfiltration using Telegram bots: Stolen credentials are sent directly through Telegram Bot API, reducing detection trace-paths. 

• Industry & regional targeting: Focused on sectors with frequent procurement flows and Central/Eastern European markets, showing deliberate target selection. 

• Technical evasion tactics: Use of RFC-compliant filenames (e.g., “RFQ_4460-INQUIRY.HTML”) helps disguise malicious attachments as legitimate business documents. 

Further Reading: Cybersecurity News 

Inside the Scattered Lapsus$ Hunters (Push Security) 

Push Security analyzed the resurgence of the Scattered Lapsus$ Hunters, a cybercrime group known for high-profile data breaches and social-engineering-driven attacks. The group has evolved its techniques, targeting enterprise collaboration platforms and cloud accounts to gain unauthorized access and exfiltrate sensitive data. 

Key Insights 

• Social engineering roots: The group continues to rely on credential theft and social manipulation rather than technical exploits. 

• Corporate infiltration: They focus on compromising employees with elevated permissions to reach critical systems. 

• Operational evolution: Recent campaigns show improved coordination and use of legitimate services for persistence and data transfer. 

• Brand targeting: The group’s activity spans technology, telecom, and SaaS sectors, emphasizing organizations with valuable data. 

Further Reading: Push Security – Inside the Scattered Lapsus$ Hunters 

New ClickFix Attack Tricks Users with ‘Fake OS Update’ to Execute Malicious Commands (Cybersecurity News) 

A new iteration of the ClickFix social-engineering campaign deploys a browser-based fake Windows update prompt that simulates a system crash or update screen. Victims who follow on-screen instructions end up executing malicious commands, leading to remote access, infostealer installations, or ransomware loaders. 

Key Insights 

• The deceptive overlay mimics a Windows update or Blue Screen of Death (BSOD) complete with progress bar and error codes, inducing urgency and fear. 

• Victims are instructed to perform “manual fixes” such as pressing Ctrl+Alt+Del, entering commands in a pseudo CLI, and downloading a “recovery tool” which is actually malware. 

• The campaign leverages both PCs and mobile devices, with full-screen simulations compatible across platforms. 

• Because the user initiates the commands themselves, many security tools fail to flag the activity as malicious. 

• This attack underlines the persistent importance of user awareness and a skeptical mindset toward unexpected system update prompts. 

Further Reading: Cybersecurity News 

Global Cyber Attacks Surge in October 2025 Amid Explosive Ransomware Growth and Rising GenAI Threats (Check Point Research) 

In October 2025, organizations saw a sharp rise in cyber attacks, with weekly averages nearing 2,000 per organization. Ransomware activity expanded significantly, and GenAI-related risks continued to emerge as organizations adopted newly integrated AI tools. 

Key Insights 

• Weekly attack volumes increased across most regions, with several sectors experiencing notable year-over-year growth. 

• Ransomware incidents rose substantially, reflecting broader adoption of opportunistic targeting. 

• GenAI usage introduced new exposure points, particularly around prompt-based data leakage. 

• Education, telecommunications, and government sectors experienced the highest attack frequency. 

Further Reading: Check Point Research 

DoorDash Data Breach Exposes Customer Information (USA Today) 

DoorDash disclosed a security incident that exposed customer data such as names, contact details, delivery addresses, birthdays, and partial payment information.  

Key Insights 

• Exposed data includes PII and partial payment card details. 

• Stolen information may be misused in phishing or fraud attempts. 

• Large consumer platforms remain attractive targets for attackers. 

• DoorDash is notifying affected users and has initiated incident response actions. 

Further Reading: USA Today 

Fake Windows-Update Screen Pushes Malware via ClickFix Campaign (BleepingComputer) 

A new iteration of the ClickFix phishing campaign employs a fake Windows update or error screen — complete with progress bars and warning messages — to trick victims into executing malicious commands. Once the user follows the on-screen instructions, the system launches malware capable of remote access or data theft. 

Key Insights 

• The fake update screen leverages urgency and system-failure anxiety to prompt user action. 

• Because execution is triggered manually by the user, many defenses fail to flag the activity. 

• Although targeting Windows, this style of UI-based deception could be adapted to other platforms. 

• The campaign highlights a shift toward interface-spoofing rather than traditional link-based phishing. 

Further Reading: 
BleepingComputer 

Phishing Scam Uses “rn” to Fake Microsoft (Cybersecurity News) 

A new phishing campaign is abusing a visual trick that replaces the letter “m” with the characters “r” and “n”, creating deceptive domains such as “rnicrosoft.com.” The substitution is subtle enough that many users overlook it, especially on mobile devices, where character spacing is tighter. Attackers use these lookalike domains to deliver convincing credential-harvesting emails and login pages that appear legitimate. 

Key Insights 

• Attackers rely on a visually deceptive domain swap (“m” → “rn”) that closely mimics legitimate Microsoft branding. 

• The technique increases success rates because users often skim URLs, especially on smaller screens. 

• This method reflects a broader shift toward domain-based deception rather than attachment-driven phishing. 

Further Reading: Cybersecurity News 

B2B Guest Access Creates an Unprotected Attack Vector (Ontinue) 

Microsoft’s “Chat with Anyone” capability in Teams allows users to chat with nearly any email address, but accepting a guest invite places them inside an external tenant where their organization’s security controls no longer apply. Attackers can exploit this gap to send phishing links or malicious files from low-security tenants, bypassing protections such as Safe Links and malware scanning. 

Key Insights 

• Guest access applies the host tenant’s security controls, not the user’s home organization. 

• Attackers can use low-cost or trial tenants to bypass URL scanning and attachment inspection. 

• The feature is enabled globally by default, increasing the risk of unnoticed exposure. 

• External chats can function like email-borne phishing but without standard enterprise safeguards. 

Further Reading: Ontinue 

Weaponized Google Meet Page Uses ClickFix to Deliver Malware 

Attackers are using a fake Google Meet landing page to trick users into executing malicious PowerShell commands. The site imitates the real Google Meet interface and displays a bogus camera or microphone error. It then instructs the user to run a “fix” that silently installs malware — often a Remote Access Trojan or infostealer — by copying a command to the clipboard and guiding the user to execute it through the Run dialog. Because the execution occurs outside the browser, typical browser-based protections are bypassed. 

Key Insights 

• The attack depends entirely on social engineering, prompting users to manually run attacker-supplied commands. 

• Browser protections are avoided because execution happens through the operating system rather than a webpage. 

• The campaign leverages trust in Google Meet to lend legitimacy to the fake interface. 

• Forensic artifacts on infected systems can trace activity back to the malicious site. 

Further Reading: Cybersecurity News 

This is a monthly newsletter I put together for an internal security awareness program. Feel Free to grab and use for your own program.

Healthcare Cyberattacks Surge 400%, Add 200K+ Victims Year-Over-Year 

The HIPAA Journal reports a striking 400% increase in healthcare cyberattacks over the past year, affecting over 200,000 individuals. This trend underscores how critical and vulnerable the healthcare sector remains to phishing, ransomware, data breaches, and other cyber threats. 

Key Insights 

• The healthcare industry continues to be a high-value target due to sensitive personal and medical data. 

• Attack vectors include ransomware, phishing, misconfiguration, and unauthorized data access. 

• The sharp rise highlights persistent gaps in cyber hygiene, patch management, and access controls in medical institutions. 

Further Reading: HIPAA Journal – Healthcare Cyberattacks Up 400% 

Insecure Mobile VPNs: The Hidden Danger 

Security researchers at Zimperium highlight that many mobile VPN apps available on iOS and Android are insecure and expose users to serious privacy and security risks. These apps may lack proper encryption, include insecure or expired certificates, fail to verify server identities, or even embed trackers and third-party analytics that collect sensitive device data. 

Key Insights 

• Many mobile VPN apps do not enforce certificate validation, making them vulnerable to Man-in-the-Middle (MitM) attacks. 

• Insecure or hardcoded server endpoints are common, increasing risk of traffic capture or manipulation. 

• Some VPNs use weak or outdated encryption protocols, which fail to protect user data in transit. 

• Users may believe they are safe, but sensitive information—such as login credentials, email content, or personal data—can leak. 

• Choosing reputable VPN providers, checking for correct certificate practices, and avoiding free apps with murky privacy policies are essential. 

Further Reading: Zimperium – Insecure Mobile VPNs: The Hidden Danger 

Employees Sharing Company Secrets with ChatGPT: Rising AI Data-Leak Risk 

New research shows a worrying trend: about 77% of enterprise employees regularly paste sensitive corporate data into generative AI tools like ChatGPT. Even more concerning, around 82% of those interactions come from unmanaged personal accounts, putting oversight, compliance, and data protection at risk. The study also flagged that 40% of files uploaded to these tools contain sensitive info like payment data, and 22% of pasted content includes regulated or proprietary information. 

Key Insights 

• Using personal accounts to access AI tools creates blind spots for corporate IT and security teams. 

• Routine copying and pasting of internal data into AI tools bypasses traditional data loss prevention tools. 

• Sensitive data exposure isn’t limited to large uploads—small text snippets can still cause regulatory or competitive harm. 

• Employee training and strict AI usage policies are essential to protect company data. 

Further Reading: Cyber Security News – “Employees Share Company Secrets on ChatGPT” 

Healthcare Ransomware Roundup: Q1–Q3 2025 

According to Comparitech’s 2025 report, ransomware and data breaches in healthcare have continued their alarming trend. The first three quarters saw more than 350 publicly disclosed attacks, resulting in over 140 million records impacted and ransom demands totaling over $350 million. The report highlights the prevalence of vulnerabilities, misconfigurations, and operational dependencies that make healthcare systems a persistent target. 

Key Insights 

• Healthcare organizations face especially high ransomware pressure, given the value and sensitivity of patient data. 

• Large-scale attacks disproportionately impact smaller entities, which lack mature cyber resilience strategies. 

• Ransom demand sizes continue to escalate—multiple cases exceeded $10 million. 

• Attack vectors remain consistent: phishing, unpatched systems, remote desktop exploits, and misconfigured cloud services. 

Further Reading: Comparitech – Healthcare Ransomware Roundup Q1–Q3 2025 

Record DDoS Botnet Targets U.S. ISPs 

The Aisuru botnet, powered by hundreds of thousands of infected IoT devices, launched a record-breaking DDoS attack peaking at nearly 30 Tbps—impacting major U.S. ISPs such as AT&T, Comcast, and Verizon. Most compromised devices included routers and cameras running outdated firmware or default credentials. 

Key Insights 

• IoT exploitation: Aisuru spreads by scanning for unsecured consumer devices with weak or factory passwords. 

• Massive impact: Outbound attack traffic from U.S. networks degraded ISP and customer performance. 

• Mirai lineage: Built from the leaked Mirai code, Aisuru now dominates global IoT botnet activity. 

• Shared responsibility: ISPs and users must ensure devices are updated and secured to prevent botnet recruitment. 

Further Reading: Krebs on Security – DDoS Botnet Aisuru Blankets US ISPs in Record DDoS 

Fake “LastPass Hack” Emails Target Users (LastPass) 

LastPass has issued an alert about a phishing campaign impersonating the company and falsely claiming it was hacked. The emails urge recipients to download a supposed “desktop app update” to secure their vaults, but the links lead to malicious domains designed to steal credentials and install remote-access software. 

Key Insights 

• Impersonation tactic: Attackers use sender addresses like hello@lastpasspulse.blog and fake domains such as lastpassdesktop.com. 

• Emotional lure: Messages warn users of a fake breach to create urgency and prompt immediate action. 

• Malicious payload: The fake “update” installs remote management tools, granting attackers full system access. 

• Timing strategy: Campaign launched over a U.S. holiday weekend to reduce detection and response time. 

Further Reading: LastPass – Phishing Campaign Alert 

Global Smishing Campaign Targets Mobile Users (Unit 42 / Palo Alto Networks) 

A large-scale smishing (SMS phishing) campaign has been identified by Unit 42, targeting mobile users across multiple regions. Attackers are exploiting promotional hooks and limited oversight on mobile endpoints to deliver malicious links and credential-harvesting portals. 

Key Insights 

• Many messages impersonate banks, logistics firms, or retail brands and include URLs leading to credential-stealing sites or malicious apps. 

• The campaign spans numerous countries and uses localized language and brand cues to increase trust and response rates. 

• Because mobile devices often lack the endpoint protections found on desktops, the campaign leverages the low visibility of mobile threats to evade detection. 

• Tactics include use of short-link services, dynamic domains, and rapid rotation of landing pages to defeat static blocklists. 

Further Reading: Unit 42 

Hiring Scams Flourishing as Cybercriminals Exploit Job Seekers (DNSFilter) 

DNSFilter researchers report a surge in malicious domains posing as job portals and recruiting firms, exploiting individuals actively searching for employment. Cybercriminals are registering fake websites with keywords like “jobs,” “careers,” and “hiring” to steal credentials or distribute malware under the guise of legitimate job postings. 

Key Insights 

• More than 8,000 malicious domains containing job-related keywords were detected over a six-month period. 

• Nearly 90% of these phishing domains were newly registered or newly observed on DNSFilter’s network. 

• Common red flags include unusual domain extensions (.top, .tk, .ml, .xyz), excessive hyphens, and overly urgent job offers. 

• Both job seekers and HR professionals have been targeted as fake employment portals and phishing infrastructure continue to expand. 

Further Reading: DNSFilter 

Insider Threats Loom While Ransom Payment Rates Plummet (Coveware) 

Coveware’s latest report reveals that despite a sharp decline in ransom payments in Q3 2025, insider-caused incidents are growing in significance. Although organizations are less frequently paying ransoms, internal misuse, negligence, and compromised credentials by insiders are becoming key contributors to successful breaches. 

Key Insights 

• Ransom payment decline: Payment rates have fallen substantially, suggesting organizations are shifting to alternative recovery approaches. 

• Insider risk rise: The proportion of incidents involving insiders—whether malicious, negligent, or compromised—has increased notably. 

• Less money, more tactics: While the ransom amounts may drop, attackers are still achieving impact through stolen credentials, insider access, or supply-chain leverage. 

• Mitigation gap: Many organisations focused on external threat vectors but lack rigorous controls for internal access monitoring, exit protocols, and third-party liaison. 

Further Reading: Coveware – Insider Threats Loom While Ransom Payment Rates Plummet 

The YouTube Ghost Network (Unmasked – Check Point Research) 

Researchers at Check Point Research uncovered a large-scale malware-distribution operation on YouTube — dubbed the YouTube Ghost Network — which used compromised and fake channels to post over 3,000 videos offering game cheats and cracked software, but in fact delivering infostealers like Rhadamanthys and Lumma Stealer. Those videos amassed hundreds of thousands of views and were deliberately boosted with fake likes and comments to create trust. The network mapped multiple account-roles (video-uploads, community posts, interaction bots) and showed how malware actors are abusing platform trust and engagement tools to run self-infection traps at scale. 

Key Insights 

• Role-based account structure: The network divided labor across accounts: content uploaders, engagement bots, and link/post sharers — enabling resilience even when channels were banned. 

• High-engagement deception: Some videos had hundreds of thousands of views and positive comment streams, increasing perceived legitimacy. 

• Infostealer distribution via “free” software lure: The campaigns baited users with cracked software or game hacks, directing them to archives hiding infostealers. 

• Massive scale and rapid growth: Over 3,000 malicious videos were identified, with 2025 upload volume tripling from prior years. 

• Platform-trust exploitation: Attackers leveraged YouTube’s social features to amplify reach and bypass traditional detection systems. 

Further Reading: Check Point Research 

Exploiting Trust in Collaboration: Microsoft Teams Vulnerabilities Uncovered (Check Point Research) 

Check Point Research found multiple vulnerabilities in Microsoft Teams that let attackers manipulate conversations and notifications to impersonate colleagues, alter message content silently, and forge caller identities. The flaws exploit trust built into collaboration features—such as message identifiers, conversation topics, and call initiation fields—allowing attackers to mislead recipients without obvious signs of tampering. 

Key Insights 

• Invisible message edits: Attackers can rewrite previously sent messages without triggering the “Edited” label, undermining the integrity of chat history. 

• Spoofed notifications: Notification fields can be manipulated so alerts appear to originate from trusted executives or colleagues. 

• Display-name manipulation: Conversation topics in private chats can be changed to alter displayed participant names, misleading recipients about who they’re speaking with. 

• Forged caller identity: Call initiation fields can be abused to present arbitrary names during audio/video calls, enabling convincing impersonation. 

• Platform-trust attack surface: Collaboration apps’ built-in trust signals (notifications, display names, edit markers) can be weaponized to bypass user assumptions and social-engineering defenses. 

Further Reading: Check Point Research 

Phishing Campaign Abuses Cloudflare Services (Cyber Security News) 

A new large-scale phishing campaign has been discovered exploiting the infrastructure of Cloudflare Pages and ZenDesk to host malicious login portals, leveraging trusted cloud platforms to evade detection and harvest credentials. Over 600 malicious *.pages.dev domains were involved, using typosquatting of support portals and live chat operators to further trick victims. Cyber Security News 

Key Insights 

• Trusted-platform exploitation: Attackers register domains under *.pages.dev (Cloudflare Pages) and use Zendesk hubs to make pages appear legitimate, thereby defeating reputation-based defenses. 

• Mass-scale credential harvest: More than 600 malicious domains were identified in the campaign, showing rapid registration and deployment of phishing infrastructure. 

• Live-chat assault vector: In some cases, human operators engaged victims via embedded chat interfaces, requesting phone numbers and convincing them to install remote tools under the guise of “support.” 

• Technical advance in delivery: The attackers used Google Site Verification and Microsoft Bing Webmaster tokens to validate fake pages and improve its search legitimacy and SSO poisoning potential. 

• Multi-vector exit stratagem: Beyond credential theft, the campaign steered victims to install legitimate remote-monitoring tools repurposed for malicious access, increasing post-compromise risk. 

Further Reading: Cyber Security News 

Inside the Rise of AI-Powered Pharmaceutical Scams (Check Point Research) 

Check Point Research identified an escalating threat involving scams that impersonate licensed healthcare professionals and pharmacies to promote counterfeit medications. These operations leverage AI, deepfake media, and fake credentials to market unregulated treatments—particularly in weight-loss and diabetes domains—and redirect victims toward illicit online pharmacies. 

Key Insights 

• Deepfake endorsements: AI-generated videos and voice recordings of purported doctors are used to build trust and legitimacy around illicit drug promotions. 

• Mass industrialization: Over 500 fraudulent pages are reportedly created daily, showing how automation has scaled these scams. 

• Health and safety risks: Victims may rely on unapproved or unsafe substances, posing serious physical dangers beyond financial loss. 

• Fraud-kit commoditization: Scammers use templated websites, shared hosting, and automated scripts—lowering the barrier for entry. 

• Brand and platform abuse: Campaigns imitate legitimate clinics and leverage social media ads, fake logos, and stolen professional identities to bypass trust cues. 

Further Reading: Check Point Research