This is a monthly newsletter I put together for an internal security awareness program. Feel free to grab and use for your own program.
Fake “Calendly” Invites Used to Spoof Major Brands and Hijack Ad Manager Accounts
A phishing campaign is impersonating well-known brands by sending fake Calendly-style meeting invites designed to harvest credentials. The invites lead users to a fraudulent scheduling page, followed by a CAPTCHA and a spoofed login prompt. Attackers target users with access to Google Workspace, Facebook Business, and other advertising platforms, aiming to steal credentials or session tokens and take over ad-manager accounts.
Key Insights
Attackers are weaponizing familiar scheduling tools and trusted brand names to increase credibility.
Fake meeting invites tied to business outreach or job opportunities are being used as lures.
CAPTCHA steps and attacker-in-the-middle techniques help bypass two-factor authentication.
Compromised ad accounts can be abused for unauthorized spending, malvertising, or resale.
Further Reading: BleepingComputer
Cybercrime Goes SaaS: Renting Tools, Access, and Infrastructure
Cybercriminals are increasingly operating like SaaS providers, offering subscription-based access to phishing kits, info-stealer data, malware loaders, OTP bots, and even compromised network access. This model lowers the technical barrier for newcomers, enabling less skilled attackers to run large-scale campaigns using ready-made tools and infrastructure.
Key Insights
Phishing-as-a-service operations provide complete kits and delivery mechanisms for recurring fees.
Marketplaces now sell ongoing access to stolen credentials and session tokens as if they were data feeds.
Initial-access brokers rent out compromised systems or credentials, giving threat actors an immediate foothold.
Malware, RATs, and exploit kits can be purchased through short-term subscriptions for quick deployment.
Further Reading: BleepingComputer
California’s New Browser Privacy Requirement Could Have Nationwide Effects
California’s upcoming “Opt Me Out” requirement will mandate that web browsers include a built-in setting allowing users to automatically signal that their data should not be sold or shared. While designed for California residents, browser makers are expected to roll this out broadly, which could result in nationwide changes to how websites handle data privacy and tracking.
Key Insights
Browsers will be required to include a simple, user-accessible opt-out preference toggle.
Once enabled, the browser will automatically send a data-privacy opt-out signal to every site visited.
Industry experts anticipate browsers will implement this globally to avoid patchwork configurations.
Websites and advertisers will need to honor these opt-out signals, affecting tracking and targeted advertising models.
Further Reading: The Record
Storm-0900 Uses Fake Parking Tickets to Deliver Malware
A recent campaign by Storm-0900 sent fake parking-ticket notices and fabricated medical-alert messages to lure people into interacting with a malicious site. The attackers used a bogus CAPTCHA page as the trigger for delivering XWorm, a remote-access malware designed for credential theft, surveillance, and persistent access.
Key Insights
Attackers used urgent, familiar themes (parking violations, medical alerts) to increase engagement.
The malicious flow relied on a fake CAPTCHA page that initiated the malware delivery.
XWorm provides remote-access capabilities that enable data theft and long-term compromise.
The campaign shows continued use of real-world pretexts tied to everyday tasks to improve success rates.
Further Reading: Cybersecurity News
Threat Actors Exploit Foxit PDF Reader to Deliver Malware
A recent campaign is targeting job-seekers with fake recruitment documents packaged in ZIP or RAR archives. The files impersonate a legitimate Foxit PDF Reader executable, but launching them triggers a multi-stage malware chain that ultimately installs ValleyRAT, enabling remote access and data theft.
Key Insights
Attackers disguise a malicious executable as a trusted PDF reader to increase the likelihood of execution.
The infection sequence uses DLL side-loading and hidden Python components to download and run ValleyRAT.
ValleyRAT provides attackers with credential theft, surveillance, and persistent remote-access capabilities.
The campaign relies heavily on social engineering, using job-themed lures to target individuals likely to open unfamiliar files.
Further Reading: Cybersecurity News
Phishing Attack Leveraging Microsoft Teams Notifications
A recent campaign abuses Microsoft Teams by adding users to fake Teams groups with names referencing invoices, payments, or account issues. The groups generate legitimate-looking Teams notification emails that prompt users to call a fraudulent support number. Because the messages originate from trusted Teams infrastructure, they are more likely to pass filtering and appear credible.
Key Insights
Attackers exploit trust in collaboration platforms by using Teams notifications instead of traditional phishing emails.
Notification emails appear legitimate, increasing the chances they bypass security filters.
The campaign uses callback phishing, directing victims to call a phone number where attackers extract sensitive information.
The technique shows how platform misuse and social engineering can blend to create effective phishing without malicious links or files.
Further Reading: Cybersecurity News
PowerShell 5.1 Now Warns Before Executing Scripts from Web Content
Microsoft has updated Windows PowerShell 5.1 so that running Invoke-WebRequest (including the curl alias) against a webpage now triggers a security confirmation prompt. The prompt warns that embedded scripts in the retrieved content could run if processed using the legacy HTML parser. Users must choose to proceed or cancel, and declining halts the action. Using the -UseBasicParsing parameter avoids script execution entirely and prevents the prompt, making it the safer option for automation.
Key Insights
A new confirmation prompt appears when fetching web content that might contain executable scripts.
The -UseBasicParsing parameter avoids script execution and prevents the prompt from interrupting automated workflows.
Legacy HTML parsing now requires explicit user approval when running interactively.
The update reduces the chance of unintentionally executing malicious code embedded in fetched web content.
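How this plays out in an unattended script, as an added example that is not from the Microsoft support article; the URL is a placeholder for whatever endpoint the job actually polls:

```powershell
# Added example: fetching a page from a scheduled job on Windows PowerShell 5.1.
# The URL below is a placeholder, not a real endpoint.
$Url = 'https://example.invalid/status.html'

# Without -UseBasicParsing, Windows PowerShell 5.1 hands the body to the legacy
# HTML parser, which is what the new confirmation prompt guards against. In an
# interactive session you get the Proceed/Cancel prompt; in a scheduled task
# there is nobody to answer it, so the job stalls until it times out.
#   Invoke-WebRequest -Uri $Url        # prompts (interactive) or hangs (automation)
#   curl $Url                          # same thing: curl is an alias in 5.1

# With -UseBasicParsing the response goes through a lightweight parser that never
# evaluates script, so there is no prompt and nothing from the page can run.
function Get-PageSummary {
    param([Parameter(Mandatory)][string]$Uri)

    # Suppress the progress bar; it slows large downloads in non-interactive runs.
    $ProgressPreference = 'SilentlyContinue'

    $response = Invoke-WebRequest -Uri $Uri -UseBasicParsing

    # The result is a BasicHtmlWebResponseObject: status, headers, raw content,
    # and simple Links/Images collections pulled out with regular expressions.
    [pscustomobject]@{
        StatusCode    = $response.StatusCode
        ContentLength = $response.Content.Length
        LinkCount     = @($response.Links).Count
    }
}

Get-PageSummary -Uri $Url
```

The switch is accepted but ignored on PowerShell 7, where basic parsing is the only mode, so adding it everywhere keeps a script portable across both versions.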
Further Reading: Microsoft Support
ConsentFix: Browser-Native OAuth Consent Hijacking
A newly identified phishing technique called ConsentFix combines ClickFix-style interaction tricks with OAuth consent abuse. Attackers direct victims to compromised, high-reputation sites where fake verification prompts are shown. Victims are manipulated into completing a legitimate OAuth authorization flow and then pasting the resulting authorization code into the attacker-controlled page. This grants persistent account access without stealing passwords or bypassing MFA, because the attacker leverages legitimate OAuth mechanisms used by trusted applications such as Azure CLI.
Key Insights
ConsentFix operates entirely within the browser, preventing endpoint security tools from detecting the takeover step.
Victims can be compromised even while already signed in, with no credential or MFA submission required.
The technique abuses inherently trusted OAuth flows from first-party applications.
Delivery via search-engine results and compromised sites bypasses email-focused phishing defenses.
Conditional loading and other evasion tactics make detection significantly harder.
Further Reading: Push Security
Is Your Android TV Streaming Box Part of a Botnet?
An investigation has uncovered that many low-cost Android TV streaming boxes are being shipped with hidden malware that quietly enrolls devices into botnets. These compromised devices can be used for large-scale ad fraud, proxy abuse, credential stuffing, and other criminal activity — often without any visible signs to the owner. The issue largely affects off-brand devices sold online that run modified versions of Android and receive little to no security updates.
Key Insights
Some Android TV boxes arrive pre-infected, meaning users are compromised immediately after setup.
Infected devices are commonly abused as residential proxies or for ad fraud operations.
The malware is deeply embedded, making removal difficult or impossible without replacing the device.
Affected devices often lack proper update mechanisms or certification, increasing long-term risk.
Further Reading: Krebs on Security
Uncovering a Calendly-Themed Phishing Campaign
A recent phishing campaign uses fake Calendly-style scheduling pages to trick users into surrendering their credentials. Instead of a legitimate meeting invite, victims are shown a cloned scheduling interface that prompts them to log in with their corporate credentials. Behind the scenes, the attacker captures those credentials — and often MFA tokens or session cookies — enabling full account takeover or further abuse.
Key Insights
The phishing lure mimics familiar scheduling tools to lower users’ skepticism and increase the likelihood of interaction.
Attackers often pair fake scheduling pages with urgent or compelling text (e.g., job interviews, client meetings) to induce hasty responses.
The cloned interfaces capture credentials and may also harvest session data or MFA tokens for deeper access.
Because the page appears legitimate — complete with branding and typical UI elements — it can evade cursory inspection by users.
Further Reading: Push Security
Access Granted: Phishing Abuse of Device Code Authorization
A new phishing trend is exploiting Device Code Authorization flows — a common method many services use to let users sign in on shared or secondary devices (like TVs) by entering a code shown elsewhere. Attackers are crafting phishing lures that direct victims to fake “authorization” pages where they’re prompted to enter a device code. Once entered, the code links the attacker’s session to the victim’s account, giving the attacker instant access without the victim ever entering credentials or MFA codes.
Key Insights
Attackers misuse legitimate device-code sign-in flows to take over accounts without stealing passwords.
Victims can inadvertently grant access simply by entering a displayed code on a malicious page.
Because no credentials are entered, many defenses (including MFA) don’t block this technique.
This method highlights the importance of educating users about out-of-band authentication flows and confirming unexpected prompts before entering codes.
Further Reading: Proofpoint
SMS Phishers Pivot to Points, Taxes, and Fake Retailers
A surge in SMS phishing (smishing) campaigns is using new lures — including rewards-points alerts, tax refund notices, and “order issues” from well-known retailers — to trick recipients into clicking malicious links. These texts are crafted to look like legitimate communications from brands or government agencies, and they direct users to spoofed login pages or fake offers designed to capture credentials or financial information. The shift shows how attackers are evolving beyond traditional banking scams to exploit trends and behaviors that feel more routine or beneficial to users.
Key Insights
Smishing campaigns now leverage enticing themes such as reward-points expirations and tax refund notifications to increase engagement.
Fake retail order alerts capitalize on widespread online shopping habits.
Malicious links often lead to spoofed web pages that harvest credentials or sensitive personal data.
Users are more likely to click when the message appears tied to a known brand or potential benefit.
Further Reading: Krebs on Security
Android Expands Pilot for In-Call Scam Protection for Financial Apps
Google is expanding its Android in-call scam protection pilot specifically for interactions involving financial applications. This feature aims to intercept and block scam calls that impersonate banks, payment services, or other financial institutions before they reach users. By analyzing call metadata and patterns, the protection can warn users or automatically prevent known scam call types — reducing the likelihood that someone answers a phone-based phishing or social-engineering attempt targeting financial credentials or sensitive data.
Key Insights
The expanded pilot focuses on identifying and blocking scam calls tied to financial apps and services.
By analyzing characteristics of known scam call patterns, Android can warn users before an interaction begins.
Preventing scam calls before they connect reduces the success of phone-based social engineering and credential harvesting.
This feature builds on broader Android protections that aim to reduce unwanted and malicious communications.
Further Reading: Google Security Blog
Cybercriminals Exploiting .onmicrosoft.com Domains to Launch TOAD Scam Attacks
Cybercriminals are abusing legitimate Microsoft tenant domains that end in “.onmicrosoft.com” to deliver TOAD (Telephone-Oriented Attack Delivery) scams. By sending messages from these trusted-looking domains, attackers can bypass security filters and convince recipients that the communication is associated with Microsoft. Victims are then prompted to call fraudulent support numbers, where they are manipulated into disclosing credentials or other sensitive information.
Key Insights
Default “.onmicrosoft.com” tenant domains are being used to make scam messages appear legitimate.
The trusted reputation of these domains helps attackers evade email and messaging security controls.
Victims are often directed to call fake support numbers rather than click links.
The activity demonstrates how legitimate cloud infrastructure can be repurposed to support social-engineering campaigns.
Further Reading: Cybersecurity News
Calendar-Invite Phishing Campaigns Use Meeting Invites as Lures
Attackers are increasingly using fake calendar invitations as a phishing vector. These malicious invites may arrive by email or through synced calendar apps, often appearing to come from familiar contacts or trusted services. When a recipient interacts with the invite — for example, by clicking a link to join a “meeting” — they can be led to spoofed login pages designed to harvest credentials or other sensitive information. This technique leverages the trust people place in calendar events and routine scheduling workflows to bypass skepticism.
Key Insights
Malicious invites look like legitimate meeting requests: Attackers spoof sender names and use familiar branding to increase credibility.
Links in calendar events can lead to credential-harvesting sites: Clicking “Join” or related links may redirect users to phishing pages.
Attackers abuse calendar sync and notification features: Because events often appear automatically on connected devices, users may interact without verifying the source.
This technique blends social engineering with platform abuse: It takes advantage of the routine nature of scheduling to reduce suspicion.
Further Reading: HoxHunt
Google Malvertising Attack Uses Search Ads to Deliver Phishing and Malware
A recently analyzed campaign showed how attackers are abusing Google Search Ads to distribute malicious redirects and phishing lures. Instead of relying on compromised websites or email alone, the adversary purchased search ad placements that appeared for high-traffic queries. When users clicked these ads, they were taken through a chain of redirects and deceptive pages that ultimately led to credential-harvesting forms or malware delivery. Because the initial entry point came from legitimate ads, many victims didn’t suspect the content was malicious — and traditional web-filtering tools often trust paid search results by default.
Key Insights
Malicious actors are buying legitimate search ad placements for popular queries to maximize reach.
Clicking the ad triggers redirects and cloaked landing pages that conceal the malicious intent until the final stage.
Credential harvesting and malware downloads are delivered through deceptive page flows that mimic real services.
Because the initial interaction comes from an ad, users may trust the link more than typical phishing emails or unknown sites.
Further Reading: Push Security
Top Phishing Trends for 2025
Security researchers have identified several key phishing trends that defined 2025 — highlighting how attackers continue to evolve both their techniques and delivery mechanisms. These trends emphasize that phishing is no longer confined to simple email links, but increasingly combines social engineering with platform abuse, deceptive flows, and legitimate-looking vectors to bypass defenses and capture credentials, session tokens, and MFA responses.
Key Insights
Browser-in-the-Browser (BITB) attacks remain prevalent, using fake pop-ups that mimic legitimate login dialogs to harvest credentials and active sessions.
Consent-based abuse techniques are growing, where attackers trick users into granting OAuth consent or other permissions that grant access without passwords.
Search-engine and ad-based delivery shows attackers buying and manipulating legitimate channels to increase reach and bypass filters.
Fake verification flows (CAPTCHAs, device codes, and human-verification prompts) continue to be effective in tricking users into executing commands or authorizing access.
AiTM and proxy-style phishing remain a persistent threat, capturing session tokens even when MFA is present.
Further Reading: Push Security
Most Parked Domains Now Serving Malicious Content
Security researchers report that a majority of parked domains — web addresses registered but not actively used for legitimate content — are now repurposed to serve malicious material. Cybercriminals are leveraging these unused or abandoned domains to host deceptive content that can deliver malware, phishing pages, or exploit kits. Because these domains often lack reputation and oversight, they present a growing risk to users who accidentally visit them through typos, shady links, or bundled ad networks.
Key Insights
A significant portion of parked domains are now used to host malicious content rather than benign placeholders.
These domains often serve phishing pages, malware downloads, or exploit kits designed to compromise visitors.
Users may encounter these threats through typosquatting, low-quality ads, or obscure links.
Because parked domains typically lack established reputation, traditional filtering and reputation systems can struggle to detect and block them effectively.
Further Reading: Krebs on Security
The Kimwolf Botnet Is Stalking Local Networks
The Kimwolf botnet highlights how modern botnets are expanding beyond traditional IoT targets to compromise consumer-grade devices such as Android TV boxes, set-top boxes, and other smart devices. Once infected, these systems are folded into a large distributed botnet and can be abused for activities like DDoS attacks and proxying traffic into private networks, weakening the assumption that home and small-office networks are naturally isolated.
Key Insights
Consumer devices are being mass-compromised and used as nodes in a large botnet.
Infected devices can act as residential proxies, allowing attackers to route traffic into local networks.
Weak default configurations, such as exposed debugging services, contribute to large-scale compromise.
The botnet demonstrates resilience through adaptable infrastructure and recovery after disruption.
Further Reading: Krebs on Security
