CyberheistNews Vol 15 #32 | August 12th, 2025
How Hackers Exploit Microsoft Teams in Social Engineering Attacks
Attackers are using Microsoft Teams calls to trick users into installing the Matanbuchus malware loader, which frequently precedes ransomware deployment, according to researchers at Morphisec.
Matanbuchus is a malware-as-a-service offering that allows threat actors to install additional payloads onto infected Windows systems.
"Over the past nine months, Matanbuchus has been used in highly targeted campaigns that have potentially led to ransomware compromises," Morphisec says. "Recently, Matanbuchus 3.0 was introduced with significant updates to its arsenal.
"In one of the most recent cases (July 2025), a Morphisec customer was targeted through external Microsoft Teams calls impersonating an IT helpdesk. During this engagement, Quick Assist was activated, and employees were instructed to execute a script that deployed the Matanbuchus Loader."
The threat actors use social engineering to walk the employee through the download of a malicious file, which results in malware installation.
"Victims are carefully targeted and persuaded to execute a script that triggers the download of an archive," the researchers write. "This archive contains a renamed Notepad++ updater (GUP), a slightly modified configuration XML file and a malicious side-loaded DLL representing the Matanbuchus loader.
"In previous campaigns from September 2024, an MSI installer was downloaded, which ultimately led to a similar flow of Notepad++ updater sideloading execution."
Once the malware is installed, it creates a stealthy foothold to maintain persistence on the infected system.
"To continuously dial home, Matanbuchus needs to create persistency; this is achieved by scheduling a task," Morphisec says. "While it sounds simple, Matanbuchus developers implemented advanced techniques to schedule a task through the usage of COM and injection of shellcode."
Blog post with links:
https://blog.knowbe4.com/how-hackers-exploit-microsoft-teams-in-social-engineering-attacks
Beyond DMARC: Closing Critical Gaps in Your Email Security Shield
Think your email is safe because you've implemented DMARC? Think again. While DMARC, SPF, and DKIM are essential standards for preventing domain spoofing, sophisticated attackers are exploiting hidden vulnerabilities that these protocols alone can't address. The result? Dangerous phishing emails are still landing in your users' inboxes, even when you think you've done everything right.
Join Roger Grimes, KnowBe4's Data-Driven Defense Evangelist, as he exposes the critical gaps in standard email authentication protocols and demonstrates how to build a truly comprehensive email security strategy combining proper DMARC implementation with advanced cloud email security.
You'll discover:
- Step-by-step guidance to properly implement DMARC, SPF and DKIM to maximize their effectiveness
- The six sophisticated techniques cybercriminals are using right now to bypass standard email authentication
- The common DMARC setup mistakes that are leaving your organization vulnerable without you realizing it
- How cloud email security works alongside DMARC to create an impenetrable defense
- Why security awareness training remains your critical last line of defense and how to optimize it
Don't let a false sense of security leave your organization exposed. Learn how to build a truly comprehensive email security strategy that combines technical controls with human vigilance and earn CPE credit for attending!
Date/Time: Wednesday, TOMORROW, August 13 @ 2:00 PM (ET)
Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.
Save My Spot:
https://info.knowbe4.com/dmarc-webinar-2025?partnerref=CHN2
[Heads Up] A Sneaky Novel 'Mailto' Phish Hacks Instagram Accounts
A phishing campaign is targeting Instagram users with phony notifications about failed login attempts, according to researchers at Malwarebytes. Notably, the emails contain "mailto" links rather than traditional URLs, which help the phishing messages avoid being flagged by security filters.
"Instead of linking to a phishing website, which is most common with emails like this, both the 'Report this user' and 'Remove your email address' links are mailto links," the researchers write.
"Clicking on a mailto link opens your default email program with a pre-addressed message with the subject line 'Report this user to secure your account' or 'Remove your email address from this account' for the second link. The email addresses in these links all had unsuspicious looking domains, made to look similar to legitimate ones."
Malwarebytes offers the following advice to help users avoid falling for these scams:
- "As with regular links, scrutinize the destination of an email link. Even if the domain looks legitimate, your Instagram account isn't secured by a shoe maker or vacation provider, or someone using a Gmail address. The email address should be one that belongs to Instagram or Meta.
- Remember that legitimate companies will not ask you to mail them your account details, credentials, or other sensitive information.
- If there's an urgency to respond to an email, take a pause before you do. This is a classic scammer trick to get you to act before you can think.
- Don't reply if the warning looks suspicious in any way. Sending an email will tell the phishers that your email address is active, and it will be targeted even more.
- Do an online search about the email you received, in case others are posting about similar scams."
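One way to turn the advice above into an automated check, written here as an added example (not Malwarebytes' or KnowBe4's code): pull every mailto: link out of an email body, unpack the pre-filled subject, and compare each destination domain with an allowlist of domains the brand actually sends from. The allowlist and the sample message are constructed assumptions.

```python
"""Audit an HTML email for 'mailto:' links whose destination domain is not one the
impersonated brand would use. Added example; the allowlist and sample are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Assumption: the domains you treat as legitimate for the brand being impersonated.
TRUSTED_DOMAINS = {"instagram.com", "mail.instagram.com", "facebookmail.com"}


class MailtoCollector(HTMLParser):
    """Collects the href of every <a> tag whose target is a mailto: URL."""

    def __init__(self):
        super().__init__()
        self.mailtos = []

    def handle_starttag(self, tag, attrs):
        href = (dict(attrs).get("href") or "").strip()
        if tag == "a" and href.lower().startswith("mailto:"):
            self.mailtos.append(href)


def parse_mailto(href):
    """Return (recipient list, subject) from a mailto: URL such as
    'mailto:a@x.example,b@y.example?subject=Report%20this%20user'."""
    parts = urlsplit(href)
    recipients = [unquote(r).strip().lower() for r in parts.path.split(",") if r.strip()]
    subject = ""
    for param in parts.query.split("&"):
        if param.lower().startswith("subject="):
            subject = unquote(param[len("subject="):].replace("+", " "))
    return recipients, subject


def audit_mailto_links(html_body, trusted=TRUSTED_DOMAINS):
    """One finding per mailto recipient: address, pre-filled subject and whether
    the address domain is on the trusted list. Anything untrusted is a red flag."""
    collector = MailtoCollector()
    collector.feed(html_body)
    findings = []
    for href in collector.mailtos:
        recipients, subject = parse_mailto(href)
        for addr in recipients:
            domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
            findings.append({"address": addr, "subject": subject, "trusted": domain in trusted})
    return findings


# Constructed sample modelled on the notification described above; not a real message.
SAMPLE_EMAIL = """<p>We noticed a login attempt from a new device.</p>
<a href="mailto:support@shoe-outlet.example?subject=Report%20this%20user%20to%20secure%20your%20account">Report this user</a>
<a href="mailto:remove@vacation-deals.example?subject=Remove%20your%20email%20address%20from%20this%20account">Remove your email address</a>
<a href="https://help.instagram.com/">Help Center</a>"""
```

Calling audit_mailto_links(SAMPLE_EMAIL) flags both mailto recipients as untrusted while ignoring the ordinary https link.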
Blog post with links:
https://blog.knowbe4.com/warning-new-phishing-campaign-targets-instagram-users
[Live Demo] Intelligent Email Defense: Automate, Remediate and Train from One Platform
As cyber attackers continue to outpace traditional defenses, it's not a question of if, but when sophisticated attacks will bypass your email security controls.
Phishing attacks are surging at an unprecedented 1,265% rate since 2022, largely driven by AI advancements. Most concerning, 31% of IT teams take more than five hours to respond to reported security issues, leaving your organization vulnerable during those critical hours when threats remain active in your users' inboxes.
During this demo, you'll discover how PhishER Plus can help take control back from rising AI phishing risks by:
- Transforming your users into active threat sensors with one-click reporting via the Phish Alert Button
- Accelerating response times with AI-powered automation that reduces manual email review by 85-99%
- Providing comprehensive threat intelligence from a network of 13+ million global users and third-party integrations
- Removing threats automatically from all mailboxes with PhishRIP before users can interact with them
- Converting real attacks into targeted training opportunities with PhishFlip
Discover how PhishER Plus combines AI and human intelligence to transform your users from security risks into your most valuable defenders.
Date/Time: Wednesday, August 20 @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/phisher-demo-2?partnerref=CHN
Anatomy of a Vishing Scam
By Roger Grimes
I hear about a ton of similar-sounding scam calls, where the scammer is pretending to be from a service you use (or used), offering you a substantial monthly discount (30% or more) if you pay some fee ahead of time.
Sometimes they take the advance fee using your credit card, and sometimes they tell you that you have to get store gift cards.
Who would possibly believe that a legitimate vendor would want them to pay with store gift cards? Hundreds of thousands of people. The scammers wouldn't do it if it didn't work.
The scammers usually have some information on the victims (e.g., name, address, account number), and in some cases they can actually post a payment to the victim's account, which the victim can verify on the legitimate vendor's website, but which later bounces because the scammers used a fraudulent payment method.
I wrote in the past about this type of scam happening to a close friend, branded in his case as originating from T-Mobile and a similar Comcast scam.
Well, I got one myself today and decided to write about it.
I get a handful of unwanted phone calls each day. It's the majority of my calls almost every day. Like you, I never answer unless I already know the number or have them in my contact list. In the middle of my busy day, I ended up with a random voicemail (see image below).
[CONTINUED] At the KnowBe4 blog with links and screenshots:
https://blog.knowbe4.com/anatomy-of-a-vishing-scam
Re-check Your Email Attack Surface Now
Cybercriminals are actively exploiting exposed user data to initiate sophisticated attacks against organizations, including yours. If your employees' email addresses have potentially fallen into the hands of adversaries, the threat of a targeted breach becomes immediate, and every second counts.
It's time to recheck your email attack surface.
Discover your current email attack surface now with KnowBe4's Email Exposure Check Pro (EEC Pro). EEC Pro identifies your at-risk users by crawling business social media information and thousands of breach databases.
EEC Pro helps you find your users' compromised accounts that have been exposed in the most recent data breaches — fast.
Get your EEC Pro Report in less than five minutes. It's often an eye-opening discovery. You are probably not going to like the results...
Get Your Free Report:
https://info.knowbe4.com/email-exposure-check-pro-chn-2
Let's stay safe out there.
Warm regards,
Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.
PS: KnowBe4 Named a 2025 Gartner Peer Insights™ Customers' Choice for Email Security Platforms:
https://blog.knowbe4.com/knowbe4-named-a-2025-gartner-peer-insights-customers-choice-for-email-security-platforms
PPS: Your KnowBe4 Fresh Content Updates from July 2025:
https://blog.knowbe4.com/your-knowbe4-fresh-content-updates-from-july-2025
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-32-how-hackers-exploit-microsoft-teams-in-social-engineering-attacks
UK Fraud Cases Reached a Record High in the First Half of 2025
A record 217,000 cases of fraud were filed with the National Fraud Database during the first half of 2025, according to a new report from UK antifraud not-for-profit Cifas.
Account takeover attacks rose slightly compared to last year, with a significant surge in attacks targeting telecom services.
"Between January-June 2025, filings in relation to facility (account) takeover increased to more than 38,000, a 1% rise on the same period in 2024," Cifas says. "These cases account for a significant proportion of all filings to the NFD, comprising 18% of all cases.
"Cifas members reported a steep increase in cases relating to telecommunications products and services, which now account for 69% of all facility takeover filings, up 40% on the same period for 2024."
Phishing remains the top technique for conducting account takeovers, with threat actors using phishing kits to easily spin up sophisticated spoofed sites.
"Phishing is the most common method of taking control of existing accounts, with member organizations reporting high-quality spoofed websites, brand impersonations and even spoofed LinkedIn accounts used to enable intensive and prolonged social engineering activity," Cifas says.
Cifas warns that criminals are adopting deepfakes to conduct social engineering attacks. "A high prevalence of account takeovers are now facilitated by remote access technology, and there is widespread concern around how AI will be used to create persuasive and reactive social engineering scripts, which can be shared or paid for as a service," the researchers write.
"An emerging concern is audio fakes, with organizations already reporting voiceovers being used to answer security questions."
Relevant and engaging security awareness training gives your organization an essential layer of defense against social engineering attacks.
KnowBe4 empowers your workforce to make smarter security decisions every day.
Infosecurity Magazine has the story:
https://www.infosecurity-magazine.com/news/ai-fuels-record-number-of-fraud/
SafePay Ransomware Attacks Start With Social Engineering
The SafePay ransomware gang is using social engineering attacks to gain initial access to organizations' networks, researchers at Barracuda warn. The threat actors use "email bombs" to trick employees into thinking there's a problem with the network, then pose as tech support and offer to fix the problem.
"One of the group's signature moves is to disrupt a company's workforce by sending a large volume of spam emails to the employees," Barracuda says. "Researchers observed one attack deliver over 3,000 of these spam messages within 45 minutes.
"The attackers then take advantage of the chaos caused by the spam attack by using Microsoft Teams to contact the employees through an audio or video call or a text message. The threat actor impersonates a member of the company's tech support and offers to resolve the problems caused by the email attack.
"If the threat actor/caller is successful, he will convince the employee to provide remote access to the system through something like Microsoft Quick Assist."
Notably, the threat actors often hire third-party criminals who specialize in social engineering to carry out these attacks. "Voice phishing (vishing) attacks are often carried out by threat actors that specialize in phone fraud," Barracuda says.
"These 'callers' or 'talkers' advertise their services on crime forums or marketplaces. Organized caller groups may offer vishing-as-a-service and specialized scams like getting victims to approve MFA prompts."
Other ransomware actors also rely on this technique, and employees need to be trained to recognize this tactic. "[T]his is an example of threat actors turning the company help desk into an attack vector," the researchers write.
"In this attack, the help desk is being impersonated, and the threat actor is depending on the employee not knowing the difference between a threat actor and legitimate tech support. Chaos ransomware is currently using a variation of this attack, and we've seen this in the past with Black Basta and others.
"You can combat this type of attack through employee training and security policies that require verification for help desk support."
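A simple gateway-side detector for the email-bomb stage described above, written as an added example (not Barracuda's code): count inbound messages per recipient in a sliding 45-minute window and alert when one mailbox crosses a threshold. The tab-separated log format, the threshold value and the log lines are constructed assumptions.

```python
"""Detect a mail bomb against one mailbox: an abnormal number of inbound messages
to a single recipient inside a short window. Added example; the tab-separated log
format, the threshold and the log lines are constructed assumptions."""
from collections import deque, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=45)  # Barracuda saw 3,000 messages land within 45 minutes
THRESHOLD = 300                 # assumption: tune to your own per-mailbox baseline


def parse_line(line):
    """Parse 'ISO-timestamp<TAB>sender<TAB>recipient' into (datetime, sender, rcpt)."""
    ts, sender, rcpt = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), sender.lower(), rcpt.lower()


def detect_mail_bombs(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {recipient: (time_first_crossed, messages_in_window, distinct_senders)}
    for every mailbox whose inbound volume crosses the threshold inside the window.
    Events are sorted by timestamp first, so unordered log input is fine."""
    events = sorted(parse_line(l) for l in lines)
    recent = defaultdict(deque)  # recipient -> (ts, sender) pairs still inside the window
    alerts = {}
    for ts, sender, rcpt in events:
        q = recent[rcpt]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and rcpt not in alerts:
            alerts[rcpt] = (ts, len(q), len({s for _, s in q}))
    return alerts


def constructed_log():
    """Constructed gateway log: normal traffic to one mailbox, plus a second mailbox
    flooded with sign-up confirmations from thousands of different senders."""
    start = datetime(2025, 7, 1, 9, 0, 0)
    lines = []
    for i in range(3000):  # the bomb: 3,000 messages spread over 45 minutes
        t = start + timedelta(milliseconds=900 * i)
        lines.append(f"{t.isoformat()}\tnoreply@list{i}.example\tvictim@corp.example")
    for i in range(20):    # ordinary mail to a colleague, one every two minutes
        t = start + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()}\tcolleague{i}@partner.example\tbob@corp.example")
    return lines


if __name__ == "__main__":
    for rcpt, (when, count, senders) in detect_mail_bombs(constructed_log()).items():
        print(f"ALERT {rcpt}: {count} messages from {senders} senders by {when:%H:%M:%S}")
```

The distinct-sender count matters: a bomb built from sign-up confirmations arrives from thousands of unrelated domains, which is what separates it from a single noisy mailing list.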
Barracuda has the story:
https://blog.barracuda.com/2025/07/25/safepay--email-bombs--phone-scams--and-really-big-ransoms
- What Keeps Cyber Experts Up at Night? TechRepublic Goes Inside Black Hat 25:
https://www.techrepublic.com/article/news-black-hat-2025-what-keeps-cyber-experts-up-at-night/
- WhatsApp Takes Down 6.8 Million Accounts Linked to Criminal Scam Centers, Meta Says:
https://www.securityweek.com/whatsapp-takes-down-6-8-million-accounts-linked-to-criminal-scam-centers-meta-says/
- Smishing campaign stole millions of payment cards in the United States:
https://hackread.com/chinese-stole-115-million-us-cards-smishing-campaign/
- Mozilla warns of phishing attacks targeting add-on developers:
https://www.bleepingcomputer.com/news/security/mozilla-warns-of-phishing-attacks-targeting-add-on-developers/
- CTM360 spots Malicious 'FraudOnTok' Campaign Targeting TikTok Shop users:
https://www.bleepingcomputer.com/news/security/ctm360-spots-malicious-fraudontok-campaign-targeting-tiktok-shop-users/
- Hacker extradited to US for stealing $3.3 million from taxpayers:
https://www.bleepingcomputer.com/news/security/hacker-extradited-to-us-for-stealing-33-million-from-taxpayers/
- OpenAI to give federal agencies ChatGPT access at $1 per year:
https://www.nextgov.com/acquisition/2025/08/openai-give-federal-agencies-chatgpt-access-1-year/407266/
- Hackers Hijacked Google's Gemini AI With a Poisoned Calendar Invite to Take Over a Smart Home:
https://www.wired.com/story/google-gemini-calendar-invite-hijack-smart-home/
- Jury Duty Scams Are Back, With a Digital Twist, the FTC Warns:
https://www.bitdefender.com/en-us/blog/hotforsecurity/jury-duty-scams-are-back-with-a-digital-twist-the-ftc-warns
- Google Confirms Salesforce Data Breach by ShinyHunters via Vishing Scam, recommends training employees:
https://www.infosecurity-magazine.com/news/google-salesforce-data-theft/
- Virtual Vaca #1 - Top Places & Things To Do in Zakynthos - Travel Guide:
https://youtu.be/a5nIKnexEpM
- Virtual Vaca #2 - Spain in 4K - Incredible Scenes & Hidden Gems:
https://youtu.be/_pZGAkTP3W4
- Virtual Vaca #3 - Africa Unseen | Cinematic 8K:
https://youtu.be/0YEfe9bN8pw
- Quite Possibly the Most Amazing Thing I've Ever Seen:
https://www.youtube.com/shorts/QnLivdm65UI
- World's Only $20 million Goldfinger Rolls-Royce:
https://youtu.be/LPm6SqeZs6w
- Loen 6 Way Birthday jump / Norway / 2024:
https://youtu.be/1YJeug9OO2Q
- Unitree Introducing their A2 Stellar Explorer. Whoa. Reminds me of the spiders in Minority Report:
https://youtu.be/ve9USu7zpLU
- This Hole Should've Been America's Tallest Skyscraper: 14:43
https://youtu.be/1h648ZlJFtM
- 4K HDR That Redefines Visual Brilliance - Dolby Vision OLED (60FPS):
https://youtu.be/1BGUxPULq34
- For Da Kids #1 - Woman Saves Baby Fox Whose Head Gets Stuck In A Jar:
https://youtu.be/OjJf9oLs2kw
- For Da Kids #2 - Quirky Camel Dances When He Sees The Snow:
https://youtu.be/VXr2w1QGgq0
- For Da Kids #3 - So Many Ducks Move Into Woman's House And Take Over:
https://youtu.be/LVe1EDXUp8k
- For Da Kids #4 - Lamb Comes To Work With Mom And Headbutts Her Coworkers:
https://youtu.be/PIPQ_AYDaus
- For Da Kids #5 - Stray Cat Walked Into A Fire Station And Ran It For 10 Years!:
https://youtu.be/Q9OD6y36-Tc

