SentinelOne's writeup of the SHub Reaper macOS stealer shows the ClickFix family adapting to platform hardening. When macOS Tahoe 26.4 closed the Terminal-based path, the operators moved to the applescript:// URL scheme and Script Editor instead.
Read more: SentinelOne, BleepingComputer
By PhishPond Desk
Recent exploitation of CVE-2026-35616 turned FortiClient EMS into a malware delivery channel, pushing an EKZ credential stealer through trusted endpoint management paths.
Read more: Arctic Wolf, Arctic Wolf
By PhishPond Desk
A reported exploitation wave against Ghost CMS pushed malicious JavaScript onto more than 700 sites, sending visitors into fake verification flows that used ClickFix-style paste-and-run instructions.
Read more: The Hacker News, Malwarebytes Labs
By PhishPond Desk
A phishing wave impersonating Signal Support pressures targets to hand over the 64-character recovery key that protects their encrypted backups, harvesting a secret directly inside the trusted app with no link to detonate.
Read more: TechCrunch, Malwarebytes
By PhishPond Desk
Microsoft detailed an April 2026 campaign that wrapped credential theft in HR disciplinary language, used a CAPTCHA as an anti-analysis gate, and stole tokens through an adversary-in-the-middle proxy.
Read more: Microsoft Security Blog, The Hacker News
By PhishPond Desk
Recent code-of-conduct phishing campaigns show how attackers blend HR pressure, PDF staging, CAPTCHA gates, and AiTM flows to steal session tokens.
Read more: Microsoft Security Blog, Microsoft Security Blog
By PhishPond Desk
Actor reporting on Octo Tempest and Scattered Spider shows how phishing, help desk social engineering, MFA reset abuse, and remote access tooling combine into identity-first intrusion chains.
Read more: CISA, Microsoft Security Blog
By PhishPond Desk
Storm-1747 sells Tycoon 2FA - one of the most prolific reverse-proxy phishing kits in current circulation. This brief is what a defender team needs to know about the operator class.
Read more: Microsoft Threat Intelligence, Sekoia
By PhishPond Desk
Attackers are blending push prompts, urgent collaboration lures, and identity fatigue to move users from suspicion to accidental approval.
Read more: The Hacker News, The Hacker News
By PhishPond Desk
Recent package compromises show how developer trust can be abused to harvest credentials and seed downstream phishing risk.
Read more: BleepingComputer, CISA
By PhishPond Desk
Enterprise responders are seeing invoice fraud migrate from bulk spoofing to thread-hijacking and linguistically adaptive payloads.
Read more: BleepingComputer, KrebsOnSecurity
By PhishPond Desk
Storm-1811 chained voice phishing, Microsoft Teams external chats, and Quick Assist into a remote-control persistence path that ended in Black Basta deployments. Here is the chain step by step.
Read more: Microsoft Threat Intelligence, Rapid7
By PhishPond Desk
What started as a niche fake-CAPTCHA gimmick became one of 2026's most common stage-one execution pivots. This is what defenders are seeing in telemetry and what the response patterns look like.
Read more: Microsoft Threat Intelligence, Proofpoint
By PhishPond Desk