You may have seen the news that Instagram's head, Adam Mosseri, was targeted by a phishing email that came from a legitimate Google address: forms-receipts-noreply@google.com. The immediate question for many is: How did an attacker get an email address on the google.com domain? Was Google hacked? The answer is no. And the method used was clever, but not technically sophisticated. This is a critical lesson in modern social engineering.

Here's how the attacker did it:
1. Create: The attacker created a simple Google Form.
2. Craft: The content of the form itself was the phishing lure—likely with urgent language and a malicious link.
3. Target: Google Forms has a feature to "send a copy of the response" to an email address. The attacker filled out their own form and simply entered Adam Mosseri's email address in that field.
4. Execute: Upon submission, Google's own trusted infrastructure automatically sent the "receipt" (which was actually the phishing email) directly to the target.

The Key Takeaways:
🔹 Google's infrastructure was not hacked. The email was authentic because Google's servers sent it as designed. The system worked perfectly; it was just used for a malicious purpose.
🔹 This was not a complex attack. It required no coding, no spoofing, and no high-tech wizardry. It was a low-tech, high-impact attack that relied on manipulating a trusted platform and human psychology.

This incident is a powerful reminder that sender email addresses are no longer a foolproof sign of safety. Attackers are increasingly using the legitimate tools of major platforms (like Google, Microsoft, etc.) against us. Always question the context of an email. Were you expecting a receipt? Does the request make sense? When in doubt, don't click. Stay vigilant.
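A defender-side triage check for the receipt abuse described in the post above, added here as an example (not code from the post or from Google). It takes a raw message, confirms it really is a Forms receipt, and flags the context mismatch the post warns about: a receipt the recipient never asked for, links pointing outside an assumed allow-list of Google hosts, and urgency wording in the form body. The sample message and the allow-list are constructed for this example.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# The sender Google Forms uses for "send me a copy of my responses" receipts (named in the post).
FORMS_RECEIPT_SENDER = "forms-receipts-noreply@google.com"
# Hosts a genuine receipt is expected to link to (assumed allow-list for this example).
TRUSTED_HOSTS = {"docs.google.com", "forms.gle", "google.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENCY_RE = re.compile(r"\b(urgent|suspended|verify now|within 24 hours)\b", re.I)

def host_is_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def triage_forms_receipt(raw_message, recipient_submitted_form=False):
    """Return the reasons a Forms receipt looks like a lure; [] means nothing suspicious.
    recipient_submitted_form is the context the user (or a submission log) supplies."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if sender != FORMS_RECEIPT_SENDER:
        return []  # not a Forms receipt: out of scope for this check
    reasons = []
    if not recipient_submitted_form:
        reasons.append("receipt for a form the recipient never submitted")
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    reasons += [f"untrusted link in receipt: {u}" for u in URL_RE.findall(body) if not host_is_trusted(u)]
    if URGENCY_RE.search(body):
        reasons.append("urgency language in form content")
    return reasons

# Constructed sample (not a real message) shaped like the lure described above.
SAMPLE_RECEIPT = """From: Google Forms <forms-receipts-noreply@google.com>
To: target@example.com
Subject: Account Security Notice
Content-Type: text/plain; charset="utf-8"

URGENT: your account will be suspended. Verify now at https://login-verify.example.net/reset
Edit your response: https://docs.google.com/forms/d/e/PLACEHOLDER/viewform
"""

if __name__ == "__main__":
    for reason in triage_forms_receipt(SAMPLE_RECEIPT):
        print("FLAG:", reason)
```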
Mass email attacks on user platforms
Summary
Mass email attacks on user platforms are cyberattacks in which criminals flood users with malicious or distracting emails to gain unauthorized access to accounts, steal sensitive information, or trick users into installing harmful software. These attacks often abuse trusted email and messaging systems, which makes them hard to spot and dangerous for individuals and organizations alike.
- Question unusual requests: Always verify the context of emails and messages that ask you to take urgent action or click unfamiliar links, especially if you weren’t expecting the correspondence.
- Strengthen account security: Use unique passwords, enable multi-factor authentication (preferably through apps or hardware keys), and update passwords regularly to keep your accounts safe from attackers.
- Respond quickly to threats: Report suspicious emails and calls to your support team, and consider using security tools that help quarantine junk mail and block unwanted contacts to minimize disruption.
Gmail and Outlook 2FA Codes Hacked—Critical Security Warning

A new and highly sophisticated cyberattack is targeting users of major email platforms, including Gmail, Outlook, AOL, and Yahoo, compromising even two-factor authentication (2FA) protections. The Astaroth phishing kit, first observed in December, deploys a man-in-the-middle attack to intercept login credentials, session cookies, and 2FA tokens in real time—effectively bypassing security measures users rely on to protect their accounts.

How the Attack Works
Cybersecurity firm SlashNext has revealed that Astaroth uses reverse proxy mechanisms to act as a middleman between users and legitimate sign-in pages. Here’s how it unfolds:
• Phishing Link: The attack starts with a malicious link, often disguised as a login request or urgent security update.
• Fake Login Page: Users are redirected to a nearly identical copy of their email provider’s login portal.
• Real-Time Credential Theft: When a user enters their email and password, Astaroth captures this data in real time.
• 2FA Interception: The phishing kit instantly intercepts one-time passcodes (OTP) sent via SMS or authentication apps.
• Session Hijacking: Attackers gain full access to the victim’s account without needing additional login approvals.

Why This is Dangerous
• 2FA Bypass: Unlike traditional phishing attacks, Astaroth allows criminals to break into accounts even if users have strong two-factor authentication enabled.
• Speed & Precision: The attack occurs in real time, meaning users unknowingly provide attackers with everything needed for immediate unauthorized access.
• No Warning Signs: Since the victim technically logs into the real website, the attack leaves no visible trace.

How to Protect Yourself
1. Avoid Clicking on Suspicious Links
• Do not click on email links prompting you to log in urgently or verify your credentials.
• Always go directly to the official website instead of using links in emails or messages.
2. Use Hardware Security Keys
• Physical security keys like YubiKey or Google Titan provide an extra layer of protection against phishing.
3. Enable Advanced Account Protection
• Gmail users should activate Google Advanced Protection, which requires security keys for login.
• Microsoft users can enable Windows Hello or Authenticator app-based security.

Final Thoughts
The Astaroth phishing kit represents a major evolution in cybercrime, making traditional 2FA less effective against targeted attacks. Education, vigilance, and enhanced security measures are crucial to staying ahead of these threats. If you receive an unexpected sign-in request, avoid using links in emails and instead go directly to your account provider’s official website. Cybercriminals are getting smarter—make sure your security strategy evolves with them.
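Why the post's recommendation of hardware security keys holds up against a reverse-proxy kit, shown as an added model (not code from the post, SlashNext, or any WebAuthn library): the browser writes the origin the user is really on into clientDataJSON, the key signs over that, and the real service rejects an assertion whose origin is the proxy's domain, even though the proxy relayed the genuine challenge. A relayed one-time code has no such binding. The origins are assumed for this example, and HMAC stands in for the authenticator's asymmetric signature.

```python
import hashlib
import hmac
import json
import secrets

# Origins (assumed for this example): the real sign-in page and an attacker's reverse proxy.
RP_ORIGIN = "https://mail.example.com"
PROXY_ORIGIN = "https://mail-example-login.test"

class Authenticator:
    """A security key holding a per-site secret the web page can never read.
    A real key signs with an asymmetric credential key; HMAC stands in for that here."""
    def __init__(self):
        self.key = secrets.token_bytes(32)
    def sign(self, client_data_json):
        return hmac.new(self.key, hashlib.sha256(client_data_json).digest(), hashlib.sha256).digest()

def browser_get_assertion(auth, page_origin, challenge):
    """The browser, not the page, writes the origin the user is actually on into clientDataJSON."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    return client_data, auth.sign(client_data)

def relying_party_verify(auth, expected_origin, issued_challenge, assertion):
    """Checks the real service performs on the assertion it receives."""
    client_data, signature = assertion
    data = json.loads(client_data)
    if data.get("origin") != expected_origin:
        return False, "origin mismatch"          # assertion was made on some other site
    if data.get("challenge") != issued_challenge:
        return False, "challenge mismatch"       # replay or wrong session
    if not hmac.compare_digest(auth.sign(client_data), signature):  # public-key verify in reality
        return False, "bad signature"
    return True, "ok"

def login_through(page_origin):
    """Victim signs in on page_origin; a reverse proxy relays the real challenge untouched."""
    auth = Authenticator()
    challenge = secrets.token_urlsafe(32)   # issued by the real service
    assertion = browser_get_assertion(auth, page_origin, challenge)
    return relying_party_verify(auth, RP_ORIGIN, challenge, assertion)

def otp_relayed_through_proxy(code_typed_by_victim, code_expected_by_service):
    """Contrast: a one-time code carries no origin, so a proxy can forward it verbatim."""
    return code_typed_by_victim == code_expected_by_service

if __name__ == "__main__":
    print("direct login:", login_through(RP_ORIGIN))
    print("via reverse proxy:", login_through(PROXY_ORIGIN))
    print("OTP relayed by proxy accepted:", otp_relayed_through_proxy("482913", "482913"))
```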
Attackers used inbox noise and Teams calls to create the perfect distraction in an incident yesterday. Here's how it played out:

The attackers targeted a few users by signing them up for hundreds of random websites, flooding their inboxes with confirmation emails. It was intentional noise, meant to overwhelm and distract. Several users flagged the emails to support, recognizing something was wrong; one of them called 4 times in a matter of minutes. That was the goal. While the helpdesk was dealing with the flood, the attackers started calling and messaging through Microsoft Teams, trying to social engineer their way in. The chats originated from onmicrosoft.com domains, so disabling 'unmanaged external access' had no effect. The Teams external messaging settings were set to allow external access for convenience, and the calls were coming from VoIP to Teams Chat, not received on a Teams phone number, so we couldn’t use the usual features to block them.

O365’s phishing submission portal was frustrating. No option to bulk delete or move the reported messages, only 'Taking Action' one-by-one. Avanan, The Cloud Security Platform, wasn’t much better in terms of speed because I couldn't import a blocklist. I ended up increasing graymail filtering in Mimecast to hold most of the noise in quarantine. I funneled nearly 1,000 domains into the global blocklist, flushing out the registration notifications regularly before users could release them.

With Teams, it got more complicated. Once a user clicked “accept chat,” the full sender address was no longer visible. One user was sharp enough to capture the full details and send them over. From there, I used the Teams Admin Center to block those specific emails, which cut off chats and Teams calls tied to that identity. The attackers were attempting to persuade users via phone calls and voicemails to install a “New Shield,” which was actually remote access tools such as AnyDesk and Quick Assist. That didn’t work either. We’re using ThreatLocker so nothing unapproved gets through, even if it’s legitimate software.

No one was compromised. One user briefly spoke with the attacker on the phone, but no information was shared, and no software was installed. What worked here wasn’t just awareness, but users knowing how to respond when a threat was spotted. Users reported what they saw, including screenshots and listed phone numbers, which gave us something to act on. This wasn’t a spray-and-pray phishing attempt. It was layered and targeted, combining urgency, noise, and distraction to create an opening. It didn’t get through, but it was well orchestrated. Makes you think about how response plans and platform settings need to evolve, not just awareness. Is anyone else seeing this at their companies or clients?

#phishing #socialengineering #emailflood #itsupport #managedservices #fakesupport
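The registration flood in the post above is detectable at the mail gateway before the helpdesk is buried: one inbox suddenly receiving sign-up confirmations from many unrelated domains inside a short window. The detection below is an added example, not the poster's tooling or any Mimecast or Microsoft feature; the log line format, the keyword list, the window and the threshold are all constructed assumptions, and the sample lines are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed gateway log format for this example: one delivery per line, in time order.
LOG_RE = re.compile(r'^(?P<ts>\S+) to=(?P<to>\S+) from=(?P<frm>\S+) subject="(?P<subject>[^"]*)"$')
SIGNUP_RE = re.compile(r"\b(confirm|verify|welcome|activate|registration)\b", re.I)
WINDOW = timedelta(minutes=10)
THRESHOLD = 5  # distinct sender domains of sign-up mail to one inbox inside one window (assumed)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["to"].lower(), m["frm"].rsplit("@", 1)[-1].lower(), m["subject"]

def detect_registration_flood(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {recipient: (time_of_alert, distinct_domains)} for inboxes that receive
    sign-up confirmations from >= threshold distinct domains within a sliding window."""
    recent = defaultdict(deque)  # recipient -> (ts, sender_domain) pairs, oldest first
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not SIGNUP_RE.search(rec[3]):
            continue  # unparsable line or ordinary mail: not part of the flood signal
        ts, to, domain, _ = rec
        q = recent[to]
        q.append((ts, domain))
        while ts - q[0][0] > window:
            q.popleft()  # drop deliveries older than the window
        domains = {d for _, d in q}
        if len(domains) >= threshold and to not in alerts:
            alerts[to] = (ts, len(domains))
    return alerts

# Constructed log lines: alice is being registration-bombed, bob is not.
SAMPLE_LOG = [
    '2025-06-10T09:00:05Z to=alice@example.com from=noreply@shop-a.test subject="Confirm your registration"',
    '2025-06-10T09:00:09Z to=bob@example.com from=billing@vendor.test subject="Q3 invoice attached"',
    '2025-06-10T09:00:31Z to=alice@example.com from=hello@forum-b.test subject="Welcome to Forum B"',
    '2025-06-10T09:01:02Z to=alice@example.com from=no-reply@news-c.test subject="Verify your email address"',
    '2025-06-10T09:01:40Z to=bob@example.com from=signup@site-x.test subject="Verify your email"',
    '2025-06-10T09:02:15Z to=alice@example.com from=team@app-d.test subject="Activate your account"',
    'malformed line the parser must skip',
    '2025-06-10T09:03:00Z to=alice@example.com from=support@store-e.test subject="Please confirm your subscription"',
    '2025-06-10T09:03:30Z to=alice@example.com from=noreply@shop-a.test subject="Confirm your registration"',
]
```

Alerting on the recipient rather than on any one sender is the point: the flood domains are all legitimate registration systems, so blocking them one at a time lags the attack.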
Just when you think you’ve seen it all in cybersecurity, along comes a 16 billion credential leak. No, that’s not a typo. Yes, it’s terrifying. Let me break down what actually happened, who’s to blame (and who’s not), and what you can do right now to stay safe.

What actually happened:
1 -> This wasn’t one big hack of Google, Apple, Meta, or any major company; stop blaming or defaming them.
2 -> Instead, this massive data dump is the result of infostealer malware—malicious software that silently captures everything from your saved passwords to session tokens while you browse.
3 -> Cybercriminals stitched together data from around 30 different breaches and malware logs. Then, they either sold it or leaked it online.
4 -> The end result is a mega-dump of 16 billion credentials, including accounts for services like Gmail, Outlook, Netflix, PayPal, and even some government domains.

Who’s at fault?
1 -> The platforms themselves (Google, Apple, etc.) weren’t directly breached, so this isn’t their fault.
2 -> The real culprits are infostealer malware operators who compromised infected devices—often due to poor endpoint hygiene, risky downloads, or phishing attacks.
3 -> Unfortunately, many people still reuse passwords across sites, which made this compilation incredibly potent.

Why this matters:
1 -> These aren’t just old leaked passwords. This dump includes session cookies and tokens—things that can bypass MFA and allow direct login to your accounts.
2 -> A lot of the data is recent. That means attackers can weaponize it right now.
3 -> If you reuse passwords, a breach on one site can unlock your entire digital life.

What you should do immediately:
1 -> Change your passwords—especially for email, banking, and cloud accounts.
2 -> Use a password manager to create unique and strong passwords for every account.
3 -> Turn on MFA (multi-factor authentication) everywhere. Prefer apps or hardware keys over SMS codes.
4 -> If your email is in the leaked data, log out from all devices and refresh session tokens.
5 -> Consider moving to passkeys or hardware-based login—it's where the future of secure authentication is heading.

Final thoughts:
This isn’t the kind of leak we can ignore. It shows that malware, poor digital hygiene, and password reuse are still major risks in 2025. If you're a business leader, CISO, or just someone who wants to protect their digital identity—now's the time to double down on your security basics. If you’re unsure whether your credentials were part of this leak, tools like Have I Been Pwned or Cybernews’ leak checker can help. Let’s not wait for the next massive breach to take security seriously. Stay safe, stay alert.

#cybersecurity #databreach #informationsecurity #cybersecurityawareness #infosec #dataprotection
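Two of the checks the post above recommends, written out as an added example (not the poster's code and not the Have I Been Pwned client library): finding passwords reused across accounts in a credential list, and checking a password against a breach corpus the way the Pwned Passwords range API works, where only the first five characters of the SHA-1 hash leave the machine. The network call is replaced by a constructed offline range response whose counts are made up.

```python
import hashlib
from collections import defaultdict

def split_sha1(password):
    """Uppercase SHA-1 hex split into the 5-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(text):
    """Parse the 'SUFFIX:COUNT' lines a range endpoint returns into {suffix: count}."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            out[suffix.upper()] = int(count)
    return out

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>; the counts are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "00000000000000000000000000000000001:2\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n",
}

def offline_range_lookup(prefix):
    return CONSTRUCTED_RANGES.get(prefix, "")

def breach_count(password, range_lookup=offline_range_lookup):
    """How often the password appears in the breach corpus; only the hash prefix is disclosed."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)

def reused_passwords(credentials):
    """credentials: iterable of (account, password); returns {password: [accounts sharing it]}."""
    by_password = defaultdict(list)
    for account, password in credentials:
        by_password[password].append(account)
    return {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}

if __name__ == "__main__":
    vault = [("gmail", "password"), ("netflix", "password"), ("bank", "T7#q!v9Lm2zR")]  # constructed
    for pw, accounts in reused_passwords(vault).items():
        print(f"reused across {accounts}: seen {breach_count(pw)} times in breaches")
```

Swapping offline_range_lookup for a function that performs the HTTPS GET turns this into a live check without changing what is disclosed.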