CyberheistNews Vol 15 #49 Ghost in the Machine: How a Multi-Stage Phishing Attack Evades M365 Security

KnowBe4 Team | Dec 9, 2025
Cyberheist News

CyberheistNews Vol 15 #49  |   December 9th, 2025

Ghost in the Machine: How a Multi-Stage Phishing Attack Evades M365 Security

Since November 3, 2025, KnowBe4 Threat Labs has been monitoring a highly sophisticated, multi-stage phishing operation that is actively targeting organizations to steal employees' Microsoft 365 credentials. The campaign has been engineered to bypass traditional email security defenses, such as secure email gateways (SEGs) and multi-factor authentication (MFA) tools.

The campaign contains multiple advanced technical measures to obfuscate the payload from traditional defenses, including "nested" PDFs that leverage legitimate content delivery network (CDN) services and mouse tracking.

The end destination—a credential harvesting website—is also subject to advanced technical measures that are designed to block standard security tooling and filter out security analysts inspecting the page.

Finally, once the target enters their Microsoft 365 credentials, the webpage leverages legitimate Microsoft servers to bypass MFA and provide cybercriminals with immediate access to the victim's Microsoft 365 environment.

Phishing Attack Summary

  • Vector and type: Email Phishing
  • Bypassed SEG detection: Yes
  • Targets: Microsoft 365 users in organizations globally

[CONTINUED] At the KnowBe4 blog:
https://blog.knowbe4.com/the-ghost-in-the-machine-how-a-multi-stage-phishing-campaign-evades-security-to-steal-microsoft-365-credentials

KnowBe4 Named a Leader in Gartner® Magic Quadrant™ for Email Security Platforms

KnowBe4 has been named a Leader in the 2025 Gartner Magic Quadrant™ for Email Security Platforms for the second consecutive year.

We believe this recognition as a Leader reflects our strength in:

  • Advanced AI-enabled detection to mitigate the full spectrum of inbound phishing attacks and outbound data loss and exfiltration attempts
  • Agentic Detection Engine that leverages sophisticated natural language processing (NLP) and natural language understanding (NLU) models to protect inboxes from advanced phishing, impersonation and account takeover attacks
  • Integration in the KnowBe4 HRM+ platform that uses deep per-user behavioral analytics and threat intelligence to deliver personalized security at the point of risk
  • Continuous behavioral-based training delivered through real-time nudges

In our opinion, this recognition acknowledges our dedication to developing innovative technologies that address sophisticated inbound phishing attacks. We believe it reflects our focus on preventing behavior-driven outbound data breaches in the evolving email security market.

Read the full report here:
https://info.knowbe4.com/gartner-magic-quadrant-email-security-platforms-chn

Phishing Campaign Uses Fake Party Invites to Deliver Remote Access Tools

A large phishing campaign is using phony seasonal party invites to trick users into installing remote management and monitoring (RMM) tools, according to researchers at Symantec.

"A highly active threat actor that specializes in using the ScreenConnect remote management and monitoring (RMM) software in its attacks has changed tactics and is now infecting its victims with multiple RMM tools, including LogMeIn Resolve and Naverisk," Symantec says.

"In many cases, the attackers install additional RMM tools on infected computers long after the initial compromise occurs. The motivation behind this new tactic remains unclear, although it appears that the attackers are attempting to increase their dwell time on networks in order to maximize their return on successful attacks."

The attackers recently began using party-themed lures, likely to target users during the holiday season. "Its attacks adhere to a consistent pattern, beginning with phishing emails employing a variety of lure tactics," the researchers write. "Recent emails have masqueraded as holiday party invites, such as 'Party Invitation' or 'December Holiday Party.'

"Other email lures have masqueraded as invoices, tax correspondence, payment overdue notices, Zoom meeting invites or documents to be signed."

Notably, the attackers rotate the remote access tools that are installed on infected systems, possibly to evade detection and maintain persistence.

"Most recently, since October, the attackers mainly seem to be using LogMeIn Resolve (formerly GoTo Resolve) and another RMM package, Naverisk, along with ScreenConnect. Interestingly, the RMM tools are usually not installed simultaneously.

"Instead, one is used to install another, and often a period of time can elapse between installations." It's not clear what the goal of these attacks is, but Symantec believes the hackers may be initial access brokers who sell the access to other criminals, such as ransomware gangs.

Blog post with links:
https://blog.knowbe4.com/phishing-campaign-uses-fake-party-invites-to-deliver-remote-access-tools

[NEW WEBINAR] AI & Quantum Attacks Exposed: Your Survival Guide for the Next-Gen Threat Era

Two technological forces are converging to reshape cybersecurity forever: AI and quantum computing. Most organizations are dangerously unprepared for what's coming next.

These aren't just buzzwords—they're fundamentally changing how attacks happen, who can launch them and which defenses will fail under pressure. While most security guidance offers surface-level awareness, attackers are already weaponizing these technologies against specific vulnerabilities in YOUR environment—from social engineering to ransomware to password cracking.

Join Roger A. Grimes, KnowBe4 CISO Advisor, for a no-nonsense deep dive into the specific threats you're facing and the exact defenses you need now. Roger cuts through the hype to deliver actionable intelligence on how AI and quantum will impact each attack vector in your organization.

Discover:

  • What AI actually is (and isn't) and why that distinction matters for your security strategy
  • The real quantum threats emerging now and which defenses become obsolete overnight
  • Exactly how AI and quantum amplify social engineering, password cracking, ransomware and vulnerability exploitation against your systems
  • How to protect against threats coming from AI and quantum while securing the AI and quantum tools you're already deploying
  • Specific changes to implement in your security program to counter these advanced threats effectively

Stop preparing for yesterday's threats. Arm yourself with the precise intelligence and practical defenses that will actually protect your organization in the AI and quantum era, and earn CPE credit for attending!

Date/Time: TOMORROW, Wednesday, December 10 @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/quantum-ai-na?partnerref=CHN2

New Criminal Toolkit Abuses Browser Push Notifications

A new criminal platform called "Matrix Push C2" is using browser notifications to launch social engineering attacks, according to researchers at BlackFog.

"This browser-native, fileless framework leverages push notifications, fake alerts and link redirects to target victims across operating systems," the researchers write. "It turns web browsers into an attack delivery vehicle: tricking users with fake system notifications, redirecting them to malicious sites, monitoring infected clients in real time and even scanning for cryptocurrency wallets."

The platform uses browser notifications to trick users into installing malware or visiting credential-harvesting sites.

"In a nutshell, Matrix Push C2 abuses the web push notification system (a legitimate browser feature) as a command-and-control (C2) channel," BlackFog explains.

"Attackers first trick users into allowing browser notifications (often via social engineering on malicious or compromised websites), and then, once a user subscribes to the attacker's notifications, the attacker gains a direct line to that user's desktop or mobile device via the browser.

"From that point on, the attacker can push out fake error messages or security alerts at will that look frighteningly real. These messages appear as if they are from the operating system or trusted software, complete with official sounding titles and icons."

Since the attack happens within the browser, no malware needs to be initially installed on the system.

"It's a fileless technique," the researchers write. "The unsuspecting user simply sees what looks like a normal system pop-up and might follow its instructions, not realizing they've stepped right into the attacker's trap."

Blog post with links:
https://blog.knowbe4.com/new-criminal-toolkit-abuses-browser-push-notifications
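Because this technique depends on a site having been granted notification permission, one practical response check is to enumerate those grants. The following is an added example, not code from the article or from BlackFog's write-up: it reads the Chrome/Chromium Preferences JSON and lists origins allowed to show notifications. It assumes the `profile.content_settings.exceptions.notifications` layout used by current Chrome builds (verify against the browser version you run), and the sample Preferences fragment is constructed.

```python
"""Audit which origins a Chrome/Chromium profile allows to send notifications.
Assumption: grants live under profile.content_settings.exceptions.notifications
with "setting": 1 for allow and 2 for block (check your browser version)."""
import json
from pathlib import Path
from typing import List, Set

ALLOW, BLOCK = 1, 2  # Chrome content-setting values assumed for notifications

# Constructed sample of the relevant Preferences fragment, so the script runs offline.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    "https://mail.example.com:443,*": {"setting": ALLOW, "last_modified": "0"},
                    "https://cdn-alerts.example.net:443,*": {"setting": ALLOW, "last_modified": "0"},
                    "https://news.example.org:443,*": {"setting": BLOCK, "last_modified": "0"},
                }
            }
        }
    }
})


def notification_grants(preferences_text: str) -> List[str]:
    """Return the origins explicitly allowed to show notifications, sorted."""
    prefs = json.loads(preferences_text)
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    allowed = []
    for pattern, entry in exceptions.items():
        if entry.get("setting") == ALLOW:
            # Patterns look like "https://host:443,*"; keep only the origin part.
            allowed.append(pattern.split(",", 1)[0])
    return sorted(allowed)


def unexpected_grants(preferences_text: str, allowlist: Set[str]) -> List[str]:
    """Grants not on the organization's approved list: candidates for revocation."""
    return [o for o in notification_grants(preferences_text) if o not in allowlist]


def audit_profile(preferences_path: Path, allowlist: Set[str]) -> List[str]:
    """Run the same check against a real profile, e.g.
    ~/.config/google-chrome/Default/Preferences on Linux."""
    return unexpected_grants(preferences_path.read_text(encoding="utf-8"), allowlist)


if __name__ == "__main__":
    approved = {"https://mail.example.com:443"}
    for origin in unexpected_grants(SAMPLE_PREFERENCES, approved):
        print("review notification grant:", origin)
```

Any origin the script reports that nobody recognizes is worth revoking in the browser's site settings and checking against proxy logs for the subscription that created it.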

Intelligent Email Defense: Automate, Remediate and Train from One Platform

It's not a matter of if but when AI-powered attacks will breach your email defenses. Phishing attacks have surged 1,265% since 2022. With 31% of IT teams taking over five hours to respond, every delayed minute keeps active threats in your users' inboxes.

During this demo, you'll discover how PhishER Plus can help take control back from rising AI phishing risks by:

  • NEW! Creating custom threat detection rules instantly using plain-English descriptions through AI-powered automation, no coding required
  • Accelerating response times with AI-powered automation that reduces manual email review by 85-99%
  • Providing comprehensive threat intelligence from a network of 13+ million global users and third-party integrations
  • Removing threats automatically from all mailboxes with PhishRIP before users can interact with them
  • Converting real attacks into targeted training opportunities with PhishFlip

Discover how PhishER Plus combines AI and human intelligence to transform your users from security risks into your most valuable defenders.

Date/Time: Wednesday, December 17 @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/phisher-demo-3?partnerref=CHN

What is the Difference Between Authentication and Authorization in the New AI Agents Era?

Identity management companies spent decades building identity governance tools, but the next wave in "AI Agent land" is authorization: controlling what an identity can do after login. The industry fixates on authentication (SSO, MFA, passkeys), yet stolen credentials make post-login controls decisive. It's like entering a skyscraper (Authentication) versus accessing every floor and room (Authorization).

Authorization is difficult because entitlements multiply and each application models permissions differently. As attacks shift to credentials, identity governance is moving from compliance projects on a few regulated apps to security programs spanning the full portfolio, including long-tail SaaS, shadow IT and AI Agents.

Because integration depth varies, you need a three-tier connector strategy:

  • Tier 1 discovery and basic visibility,
  • Tier 2 lightweight compliance connectors and
  • Tier 3 deep governance connectors with entitlement-level control and context.

In the near future, you need to look at three trends:

  • Expanding "privileged" access beyond admins
  • Replacing standing privileges with just-in-time access
  • "Adaptive identity" where authorization decisions happen continuously at runtime.

AI agents add urgency to all of this, making the coming "authorization era" your next focus, and you had better also get those agents trained not to fall for social engineering attacks.
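The skyscraper analogy in code, as an added example that is not part of the newsletter: authentication only establishes who the caller is, while authorization requires a live, time-boxed just-in-time grant and is re-evaluated against runtime context on every request, so valid (possibly stolen) credentials alone open no rooms. All names, tickets and risk thresholds are hypothetical and the scenario data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class Principal:
    """Authenticated identity: a human user or an AI agent acting on someone's behalf."""
    subject: str
    kind: str          # "user" or "agent"
    mfa_verified: bool


@dataclass
class Grant:
    """Just-in-time entitlement: scoped to one resource/action and time-boxed."""
    subject: str
    resource: str
    action: str
    expires_at: datetime
    ticket: str        # approval reference (hypothetical format)


@dataclass
class Context:
    """Runtime signals re-evaluated on every request, not only at login."""
    now: datetime
    device_managed: bool
    risk_score: int    # 0 (clean) .. 100 (likely compromised); thresholds are illustrative


def authenticate(subject: str, password_ok: bool, mfa_ok: bool) -> Optional[Principal]:
    """Entering the building: valid credentials yield an identity and nothing more."""
    if not password_ok or not mfa_ok:
        return None
    kind = "agent" if subject.startswith("agent:") else "user"
    return Principal(subject, kind, mfa_verified=True)


def authorize(p: Principal, resource: str, action: str,
              grants: List[Grant], ctx: Context) -> Tuple[bool, str]:
    """Entering a room: needs a live JIT grant *and* acceptable runtime context."""
    if ctx.risk_score >= 70:
        return False, "session risk too high at request time"
    if action in ("write", "admin") and not ctx.device_managed:
        return False, "privileged action requires a managed device"
    if p.kind == "agent" and action == "admin":
        return False, "agents never hold admin rights"
    for g in grants:
        if (g.subject, g.resource, g.action) == (p.subject, resource, action):
            if g.expires_at <= ctx.now:
                return False, "just-in-time grant expired"
            return True, "granted via ticket " + g.ticket
    return False, "no entitlement for this resource/action"


# Constructed scenario: one successful login, different answers at request time.
T0 = datetime(2025, 12, 9, 14, 0, tzinfo=timezone.utc)
LATER = T0 + timedelta(hours=2)  # after both grants below have expired
GRANTS = [Grant("alice", "hr-vault", "write", T0 + timedelta(hours=1), "CHG-0001"),
          Grant("agent:helpdesk-bot", "tickets", "read", T0 + timedelta(minutes=30), "CHG-0002")]
```

Calling `authorize(authenticate("alice", True, True), "hr-vault", "write", GRANTS, Context(T0, False, 85))` is denied on risk before any entitlement is consulted, which is the post-login control that stolen credentials cannot bypass.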


Let's stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.

PS: [MUST SEE!] Google DeepMind released "The Thinking Game," a documentary chronicling the development of AlphaFold and the quest for AGI
youtube.com/watch?v=d95J8yzvjbQ&utm_source=x&utm_medium=social&utm_campaign=&utm_content

PPS: Come see my fireside chat about AI in Cybersecurity and Marketing in 2026, Dec 9-16 at this free event!:
https://www.linkedin.com/posts/stusjouwerman_come-see-my-fireside-chat-about-ai-in-cybersecurity-share-7403047501785747456-kVEW?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAAPfJQBvS9BarKh7SL3DN32NgygskTFqi8

Quotes of the Week  
"What you leave behind is not what is engraved in stone monuments, but what is woven into the lives of others."
- Pericles (495–429 BC)

"You must be the change you want to see in the world."
- Mahatma Gandhi (1869–1948)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-49-ghost-in-the-machine-how-a-multi-stage-phishing-attack-evades-m365-security

Security News

Malicious AI Tools Assist in Phishing and Ransomware Attacks

Researchers at Palo Alto Networks' Unit 42 are tracking two new malicious AI tools, WormGPT 4 and KawaiiGPT, that allow threat actors to craft phishing lures and generate ransomware code.

These tools are criminal alternatives to mainstream AI tools like ChatGPT, with no safety guardrails to prevent users from using them for malicious activities. The latest version of WormGPT offers lifetime access for $220, or a monthly fee of $50.

"WormGPT 4's language capabilities are not just about producing convincing text," Unit 42 says. "By eliminating the tell-tale grammatical errors and awkward phrasing that often flag traditional phishing attempts, WormGPT 4 can generate a message that persuasively mimics a CEO or trusted vendor.

"This capability allows low-skilled attackers to launch sophisticated campaigns that are far more likely to bypass both automated email filters and human scrutiny. WormGPT 4's availability is driven by a clear commercial strategy, contrasting sharply with the often free, unreliable nature of simple jailbreaks.

"The tool is highly accessible due to its easy-to-use platform and cheap subscription cost." KawaiiGPT offers similar functionalities, but is completely free on GitHub. Users can easily set up the tool on a Linux system and begin using it to assist in attacks.

"This removes the technical complexity associated with sourcing, configuring and running custom LLMs, which often deters new users," Unit 42 writes. "This ease of deployment and a ready-to-use command-line interface (CLI) lowers the required technical skills, background and experience, potentially reaching a broader spectrum of users.

"This spectrum includes users who previously lacked the specialized expertise to engage with other malicious LLMs."

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

Unit 42 has the story:
https://unit42.paloaltonetworks.com/dilemma-of-ai-malicious-llms/

Notorious Cybercrime Group is Now Targeting Zendesk Users

ReliaQuest warns that the cybercriminal collective "Scattered Lapsus$ Hunters" appears to be using social engineering attacks to target organizations' Zendesk instances.

This group was behind a widespread campaign earlier this year that used voice phishing attacks to compromise dozens of companies' Salesforce portals.

"ReliaQuest's Threat Research team identified Zendesk-related domains, including more than 40 typosquatted domains and impersonating URLs, created within the past six months," the researchers write. "These domains, such as znedesk[.]com or vpn-zendesk[.]com, are clearly designed to mimic legitimate Zendesk environments.

"Some host phishing pages, like fake single sign-on (SSO) portals that appear before Zendesk authentication. It's a classic tactic probably aimed at stealing credentials from unsuspecting users. We also identified Zendesk-related impersonating domains that contained multiple different organizations' names or brands within the URL, making it even more likely that unsuspecting users would trust and click on these links."

The Scattered Lapsus$ Hunters group is very skilled in these types of social engineering attacks and uses the access to gain a foothold within organizations. Once inside, they steal as much data as possible and attempt to extort the victims by listing them on leak sites.

"We also have evidence to suggest that fraudulent tickets are being submitted directly to legitimate Zendesk portals operated by organizations using the platform for customer service," ReliaQuest says.

"These fake submissions are crafted to target support and help-desk personnel, infecting them with remote access trojans (RATs) and other types of malware. Targeting help-desk teams with these kinds of tactics often involves well-crafted pretexts, like urgent system administration requests or fake password reset inquiries.

"The goal is to trick support staff into handing over credentials or compromising their endpoints."

KnowBe4 empowers your workforce to make smarter security decisions every day.

ReliaQuest has the story:
https://reliaquest.com/blog/zendesk-scattered-lapsus-hunters-latest-target/

What KnowBe4 Customers Say

"Hi Bryan, yes, we are more than satisfied with KnowBe4. Setting up campaigns is quick, the content is top-notch and our employees respond well to the trainings and simulations.

"We looked at the market before making our decision, and honestly, you simply offer the best overall package in terms of scope, quality and timeliness.

"What I particularly appreciate is that your support team is fantastic! Fast, competent and always friendly."

- P.C., Chief Information Security Officer


"Hi Bryan, we are all happy, thank you. The platform is meeting all of our current requirements. Our Account Manager, Sophie, was very helpful in getting it all set up and it's now just running on a schedule."

- L.R., IT Manager

The 10 Interesting News Items This Week
  1. North Korea is targeting engineers to assist in fraudulent IT worker schemes:
    https://www.bleepingcomputer.com/news/security/north-korea-lures-engineers-to-rent-identities-in-fake-it-worker-scheme/

  2. Chinese spies Brickstormed their way into critical U.S. networks and remained hidden for years:
    https://www.theregister.com/2025/12/04/prc_spies_brickstorm_cisa/

  3. Russian spear phishing attacks target Reporters Without Borders:
    https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/

  4. Cambodia Shuts Down Group That Laundered Billions in Scam Profits:
    https://www.nytimes.com/2025/12/04/world/asia/cambodia-huione-shuts-money-laundering.html

  5. Europol and partners shut down 'Cryptomixer':
    https://www.europol.europa.eu/media-press/newsroom/news/europol-and-partners-shut-down-cryptomixer

  6. Marquis breach affects dozens of banks and credit unions:
    https://www.bleepingcomputer.com/news/security/marquis-data-breach-impacts-over-74-us-banks-credit-unions/

  7. Amid rising threats, NATO holds its largest-ever cyberdefense exercise:
    https://therecord.media/nato-holds-largest-ever-cyberdefense-exercise-estonia

  8. Chinese Hackers Exploiting React2Shell Vulnerability:
    https://www.securityweek.com/chinese-hackers-exploiting-react2shell-vulnerability/

  9. Iranian threat actor launches spear phishing campaign against Israel and Egypt:
    https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/

  10. Threat actors are increasingly using legitimate remote monitoring tools in attacks:
    https://www.malwarebytes.com/blog/news/2025/12/how-attackers-use-real-it-tools-to-take-over-your-computer

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
