CyberheistNews Vol 16 #26 A New Extortion Scam Uses IT Impersonation to Breach Organizations

KnowBe4 Team | Jun 30, 2026

A New Extortion Scam Uses IT Impersonation to Breach Organizations

A newly surfaced extortion brand called "Pink" is using voice phishing and fake IT support calls to breach organizations, The Register reports. The threat actor may be a rebrand of prior extortion groups, including BlackFile and Redact, though its tactics remain the same.

Palo Alto Networks' Unit 42 said in a post on GitHub, "The threat actor leverages vishing for initial access, impersonating internal IT personnel to convince a user to input credentials into a phishing site, allowing the actor to gain access to the victim's account and MFA.

"After gaining access to the victim's account, the actor rapidly identifies and exfiltrates data from platforms like SharePoint and OneDrive, similar to other Com-affiliated groups.

"Shortly afterward, the actor leverages a compromised victim account to send their initial extortion email as well as internal Teams messages. The actor reuses second-level domains to target multiple organizations, and the third-level domain typically thematically represents the target. These domains have leveraged DDoS-Guard for hosting."

The Register notes that criminal gangs frequently go dark before resurfacing under different names, but these groups continue to grow more sophisticated over time.

"Despite multiple arrests across all three gangs, they keep coming back to victimize more organizations," The Register says. "Most incident responders, including Google's Mandiant and Unit 42, link many of these criminal collectives to The Com, a loosely knit group of primarily English speakers made up of several interconnected networks of hackers, SIM swappers and extortionists, with some of its subgroups offering real-life violent crime for hire."

Blog post with links:
https://blog.knowbe4.com/new-pink-extortion-group-vishing-it-support-scams

Your Attackers Are AI-Native, Are You?

Join security leaders worldwide on July 8 to see what securing a workforce of humans and AI agents looks like in practice. This session alone is worth showing up for.

Deepfakes. AI-generated phishing. Voice cloning. These aren't future threats; they're hitting your workforce right now, and they're getting harder to detect. In this session, you'll see how our AI Defense Agents work alongside the world's largest security awareness training library to deliver tailored content at scale, automatically orchestrated to reach the right users at exactly the right time.

You'll see how to:

  • Create custom content with AI. Build custom modules, simulate deepfake scenarios and generate AI video training in 130+ languages - no production budget required.
  • Take the manual work out of campaign management. See how AIDA Orchestration fully automates attack simulations and training and delivers relevant content without creating more work for your team.
  • Unlock 1,000+ modules with AI-powered recommendations that drive targeted experiences and change behavior.

Date/Time: Wednesday, July 8, @ 1:00 - 3:00 PM ET

Save My Spot:
https://www.knowbe4.com/webinar-library/workforce-summit-na?partnerref=CHN2

Turn Account Takeover Into Real-Time Security Coaching

Account takeover is one of the most common ways organizations get breached and one of the hardest to train users on. Not because users don't care, but because training usually happens in unrealistic scenarios, long before or long after the moment it would actually matter.

Here's what most security teams don't realize: if you have KnowBe4's Real-Time Coaching, SecurityCoach, connected to Microsoft 365, Google Workspace, or your identity provider, you already have everything you need to coach users in the moment an account takeover attempt is happening against them.

How Account Takeover Attacks Unfold
It usually begins with a phishing email. A user clicks a link, lands on a convincing fake login page, and types in their credentials. Or, increasingly, they complete MFA perfectly, and an adversary-in-the-middle attack silently steals their session token anyway.

From there, the attacker moves fast:

  • They sign in from a new location or device
  • They create a silent email forwarding rule so every email the user receives, including password reset links, goes to the attacker too
  • They start exploring, escalating and eventually exfiltrating

The whole chain can unfold in hours. And the user has no idea any of it happened.

Where SecurityCoach Fits In
SecurityCoach monitors signals your existing security tools are already generating from Microsoft 365, Entra ID and your endpoint protection, then fires a personalized security tip when something happens that the user needs to know about.

That tip isn't a generic phishing awareness video. It's a short, targeted message about what just happened to them, what it means and what to do right now.

Here's what that looks like across the account takeover chain:

When a User Clicks a Malicious Link in an Email
Before they've even closed the browser tab, SecurityCoach can reach them: "Did you know? You just clicked a link flagged as malicious. Modern phishing attacks can capture your session even after you've completed MFA. Contact IT security now. Here's the link."

When a Suspicious Sign-In Appears on Their Account
The morning after an attacker tests stolen credentials, the real user gets a tip: "Did you know? A sign-in to your account was detected from an unexpected location. Here's how to check your active sessions and sign out of any device you don't recognize."

When an Email Forwarding Rule is Created
This is one of the most reliable post-compromise signals, and most users have no idea it's even possible: "Did you know? A forwarding rule was set up on your account that sends your emails to an external address. If you didn't create this rule, your account may be compromised. Here's how to find and delete it right now."

Each of these moments is a coaching opportunity that would never exist in a once-a-year training module. But they happen naturally because the attack is already generating signals in your security stack.

You Probably Already Have What You Need
If your organization uses Microsoft 365, connecting it to SecurityCoach activates system detection rules covering the full account takeover chain from phishing delivery through to post-compromise persistence.

Add your identity provider, such as Microsoft Entra ID, Okta or Google IAM, and you pick up the sign-in risk signals: impossible travel, logins from malicious IP addresses, anomalous account behavior.

Most organizations already have these tools. SecurityCoach turns the signals they're already generating into real-time coaching moments their users will actually remember because the training arrives the moment it's relevant.

[CONTINUED] at the KnowBe4 blog:
https://blog.knowbe4.com/real-time-coaching-account-takeover

2026 Phishing Threat Trends Report

In the 2026 Phishing Threat Trends Report, we find out what happens when cybercriminals manipulate the AI systems you trust to summarize your inbox.

Plus, we explore the alarming rise of multi-channel attacks on Microsoft Teams and analyze one of the biggest trends of Q1 2026: the industrialized use of reverse proxies to bypass MFA.

Download now to discover:

  • Why Microsoft Teams attacks have surged by 41% in just six months
  • How "Machine-Speed" prompt injection can collapse the time-to-compromise to just four seconds
  • What's driving the surge in Calendar Invite Phishing, which has increased by 49% as attackers move to the "quiet sanctuary" of your schedule
  • Why 84.4% of all successful phishing attacks now pass DMARC, rendering traditional identity verification obsolete

Don't let your security posture fall behind an adversary that has fully embraced industrial-scale social engineering.

Download Now:
https://info.knowbe4.com/2026-phishing-threat-trends-vol-7?utm_source=chn_email&utm_medium=email&utm_campaign=dg-ces-campaign-26&utm_content=phishing_threat_trends_report

Report: Device Code Phishing is Surging

Multiple sophisticated phishing kits are now focusing on harvesting device codes to breach accounts without a password, according to researchers at LevelBlue.

"Device code phishing exploits a legitimate Microsoft authentication flow to harvest Microsoft 365 access and refresh tokens without ever capturing a password," the researchers explain. "The core mechanic is straightforward: whoever initiates the authentication request receives the resulting tokens.

"Once obtained, the tokens allow attackers to access Microsoft 365 services, maintain persistent access through refresh tokens, and conduct follow-on activities such as further reconnaissance, phishing and data extraction."

Top commodity phishing platforms, including Tycoon2FA, EvilTokens, Kali365, Ghost Hub and Cyb3r, have incorporated this ability, allowing unskilled threat actors to launch device code phishing attacks.

"Tycoon2FA provides the clearest example of how phishing kits mature over time," the researchers write. "What began in 2023 as a straightforward AiTM credential harvester evolved into one of the most sophisticated PhaaS platforms documented.

"Despite a coordinated Europol and Microsoft takedown in March 2026, Tycoon2FA resumed operations within weeks, now with device code flow capability layered on top of its existing AiTM infrastructure. EvilTokens and Kali365 follow a similar trajectory, launching in early 2026 with AI-augmented capabilities already integrated and continuing to improve their functionality since launch. Kits that survive their first year tend to become significantly more dangerous in their second."

The researchers expect commodity phishing kits to continue incorporating new techniques in order to overcome defenses.

"Device code flow phishing is accelerating rapidly and shows no signs of slowing," LevelBlue concludes. "What began as a relatively simple lure has evolved into a sophisticated process that is now easily accessible to threat actors. The affiliate programs offered by PaaS platforms further lower the barrier, enabling both experienced operators and less-skilled actors to launch targeted and opportunistic campaigns against organizations."

Blog post with links:
https://blog.knowbe4.com/device-code-phishing-tsunami
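As an added example, not KnowBe4's, SecurityCoach's or LevelBlue's code, here is detection logic that turns two of the account-takeover signals from the SecurityCoach section above (a sign-in from an unexpected location and an email forwarding rule to an external address) plus the device code flow sign-in from the LevelBlue report into coaching triggers, run over constructed audit records. The record shape and field names (Operation, UserId, Parameters, Country, AuthProtocol) only approximate Microsoft 365 unified audit and Entra ID sign-in logs and are assumptions, as is example.com standing in for the organization's own mail domain.

```python
"""Turn account-takeover signals into coaching triggers.

Constructed sample records loosely follow Microsoft 365 unified audit log
(inbox-rule operations) and Entra ID sign-in records; the field names are
assumptions for illustration, not the exact vendor schema.
"""
import json

INTERNAL_DOMAINS = {"example.com"}  # assumed: the organization's own domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress"}

# Constructed sample log (one JSON record per line): a normal sign-in, a device
# code sign-in from a new country, an external forwarding rule with message
# deletion, then a benign internal rule and sign-in for a second user.
SAMPLE_LOG = """
{"Operation":"UserLoggedIn","UserId":"alice@example.com","Country":"NL","AuthProtocol":"authorizationCodeWithPkce"}
{"Operation":"UserLoggedIn","UserId":"alice@example.com","Country":"US","AuthProtocol":"deviceCode"}
{"Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"smtp:inbox@external-example.org"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"bob@example.com","Parameters":[{"Name":"Name","Value":"Team"},{"Name":"ForwardTo","Value":"carol@example.com;dave@example.com"}]}
{"Operation":"UserLoggedIn","UserId":"bob@example.com","Country":"NL","AuthProtocol":"authorizationCodeWithPkce"}
"""

def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def external_forwarding_targets(event):
    """Addresses outside INTERNAL_DOMAINS that a rule or mailbox change forwards to."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return []
    targets = []
    for param in event.get("Parameters", []):
        if param.get("Name") not in FORWARDING_PARAMS:
            continue
        for raw in str(param.get("Value", "")).split(";"):
            addr = raw.strip()
            if addr.lower().startswith("smtp:"):  # Exchange prefix on some values
                addr = addr[5:]
            if addr and addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                targets.append(addr)
    return targets

def coaching_triggers(events, known_countries):
    """Return (user, trigger, detail) tuples for the chain's signals: a sign-in
    from a country not in known_countries[user], a device code flow sign-in,
    and a rule that forwards mail outside the organization."""
    seen = {user: set(countries) for user, countries in known_countries.items()}
    triggers = []
    for event in events:
        user = event.get("UserId")
        if event.get("Operation") == "UserLoggedIn":
            country = event.get("Country")
            if country not in seen.setdefault(user, set()):
                triggers.append((user, "new_location_signin", country))
                seen[user].add(country)
            if event.get("AuthProtocol") == "deviceCode":
                triggers.append((user, "device_code_signin", country))
        else:
            for addr in external_forwarding_targets(event):
                triggers.append((user, "external_forwarding_rule", addr))
    return triggers

if __name__ == "__main__":
    known = {"alice@example.com": {"NL"}, "bob@example.com": {"NL"}}
    for user, trigger, detail in coaching_triggers(parse_log(SAMPLE_LOG), known):
        print(f"{user}: {trigger} ({detail})")
```

Each trigger maps to one of the "Did you know?" tips above; the internal rule for the second user produces nothing, which is the point of checking the target domain rather than alerting on every rule.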

Do Your Users Know What To Do When They Receive a Suspicious Email?

Should they call the help desk, or forward it? Should they forward to IT including all headers? Delete and not report it, forfeiting a possible early warning?

KnowBe4's FREE (yes, you read that right) Phish Alert Button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click! And now it supports Outlook Mobile!

Phish Alert Benefits

  • Reinforces your organization's security culture
  • Users can report suspicious emails with just one click
  • Incident Response gets early phishing alerts from users, creating a network of "sensors"
  • Email is deleted from the user's inbox to prevent future exposure
  • Easy deployment via .EXE file for Outlook, Google Workspace deployment for Gmail (Chrome) and manifest install for Microsoft 365

Sign Up
https://info.knowbe4.com/free-tools/phish-alert-button-chn

Note: The Phish Alert Button supports Outlook 2010, 2013, 2016 & Outlook for Microsoft 365, Exchange 2013 & 2016, Chrome 54 and later (Linux, OS X and Windows) and Outlook Mobile!

FTC Report: Americans Lost $3.5 Billion to Imposter Scams Last Year

Imposter scams were the most commonly reported type of fraud in 2025, with Americans reporting $3.5 billion in losses, according to new data from the U.S. Federal Trade Commission (FTC).

Reported losses have nearly tripled since 2020, and the true number is likely much higher since many scams go unreported. Losses across all types of fraud surged to $16 billion, a 25% increase compared to 2024.

"These scams lured consumers through text, phone, email, social media, search engine results and other means," the FTC says. "Some of the costliest impersonation scams start with a fake security alert, often from a bank. People are convinced to move money to 'protect' it, with their losses often limited only by their available funds."

A majority of these losses were caused by scammers who impersonated banks and governments. BleepingComputer notes that scammers have impersonated the FTC itself to trick victims into transferring money.

"Last year, people reported losing nearly $1 billion to business impersonators, with the highest reported losses to bank impersonators—and about $920 million to government impersonators, up from $866 million and $789 million respectively in 2024," the FTC says.

While impersonation was the most common category of fraud last year, the FTC "has seen a striking increase in reported fraud losses to all types of fraud; about $16 billion was reported lost in 2025, the highest on record and an increase of about 25% compared to the 2024 figure."

Blog post with links:
https://blog.knowbe4.com/ftc-report-imposter-scams-record-losses

Let's stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.

PS: Forbes article by yours truly: "Your AI Agent Thinks It's Right, And That's Exactly The Problem":
https://www.forbes.com/councils/forbestechcouncil/2026/06/25/your-ai-agent-thinks-its-right-and-thats-exactly-the-problem/

Quotes of the Week
"A gentleman is one who puts more into the world than he takes out."
- George Bernard Shaw - Dramatist (1856 - 1950)

"The secret of genius is to carry the spirit of the child into old age, which means never losing your enthusiasm."
- Aldous Huxley - Novelist (1894 - 1963)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-16-26-a-new-extortion-scam-uses-it-impersonation-to-breach-organizations

Security News

INC Ransomware Gang Targets the Legal Sector

The INC ransomware-as-a-service (RaaS) operation has grown into one of the premier ransomware offerings, claiming hundreds of victims in 2026 alone, according to researchers at Acronis.

The attackers target a broad range of industries, but have recently prioritized entities in the legal sector. "The top five targets for 2026 are legal services, manufacturing, technology, health care and construction," the researchers write.

"Previously, the education sector was the main target of INC ransomware. However, several things make law firms a valuable target for ransomware groups. The files they hold include settlement documents, cases, NDAs and many more similar documents.

"If leaked, it could trigger malpractice claims and lawsuits from clients on top of reputational damage, which adds even more pressure to pay the ransom."

INC attackers gain initial access to victim organizations through spear phishing, valid account credentials obtained from initial access brokers, and exploitation of vulnerabilities in public-facing applications.

Acronis recommends that organizations implement the following measures to establish a defense-in-depth strategy against ransomware attacks:

  • "Backups and recovery. Follow the 3-2-1 backup rule by keeping at least three copies of data on two different media types, with one copy stored off-site, and ensure backups are offline or immutable and regularly tested for reliable restoration.
  • Endpoint and ransomware protection. Deploy EDR and ransomware protection capable of detecting unauthorized encryption and exfiltration attempts and ensure all security tools are kept up to date with behavioral detections and anti-tamper protections enabled.
  • Identity and access controls. Require multifactor authentication (MFA) and enforce the use of strong, complex alphanumeric passwords that are updated regularly.
  • Network segmentation and hardening. Reduce attack surface by segmenting networks, disabling unnecessary services and ports and restricting outbound traffic.
  • Patch and vulnerability management. Implement a robust patch and vulnerability management program across all systems, prioritizing fixes for vulnerabilities known to be exploited by ransomware.
  • User Awareness Training. Regularly educate staff on phishing, social engineering and other tactics used by ransomware operators. Include conducting regular phishing simulations to reinforce awareness."

AI-native security awareness training gives your organization an essential layer of defense against social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 orgs worldwide trust the KnowBe4 Platform to strengthen their security culture and reduce workforce risk.

Acronis has the story:
https://www.acronis.com/en/tru/posts/from-emerging-threat-to-top-tier-ransomware-as-a-service-the-evolution-of-inc-ransomware/

Criminals Are Increasingly Interested in “Deepfake-as-a-Service” Offerings

Deepfake-related conversations on criminal forums surged in the first half of 2026, signaling an increased interest in the technology for malicious purposes, according to a new report from NordStellar.

"New data from the dark web shows that deepfake-as-a-service has become one of the fastest-growing areas of underground cybercrime this year," NordStellar says. "In the first five months of 2026 alone, discussions about deepfake fraud already exceeded the total for all of 2025 by 39%.

"If the current pace holds, DFaaS discussions for the full year will be roughly 3.3 times the total for 2025. Deepfake-as-a-service (DFaaS) is a market label for turnkey voice cloning, face swapping, synthetic videos, virtual cameras, fake documents and synthetic profiles sold on the dark web.

"The trend might point to a new wave of business email compromise (BEC) attacks that use AI-generated video and audio."

Vakaris Noreika, a cybersecurity expert at NordStellar, stated, "The rapid growth in popularity of deepfakes-as-a-service is likely accelerated by advancements in generative AI, which help cybercriminals in two ways: by speeding up the creation of deepfakes and making them hyper-realistic.

"Ultimately, this service lowers the barrier to entry for deepfake technology, enabling threat actors to deploy highly deceptive attacks on a larger scale, regardless of their personal technical skills."

Noreika added that deepfake technology will greatly increase the effectiveness of business email compromise (BEC) attacks, since threat actors can easily craft videos and audio to impersonate executives.

"Deepfakes can be used to elevate business email compromise attacks to make them even harder to spot," Noreika said. "Instead of fake payment instructions in an email, employees can now be targeted via highly realistic video and voice calls impersonating partners or managers asking them to transfer funds.

"As AI tools grow more sophisticated, deepfakes are evolving rapidly. It is now easier than ever to create convincing video or audio that lacks the usual telltale signs of AI generation, making it extremely challenging for users to spot the deception, especially when a sense of urgency is involved."

NordStellar has the story:
https://nordstellar.com/blog/deepfake-as-a-service-cybercrime-2026/

What KnowBe4 Customers Say

"I wanted to say a quick thank you for completing the integrations across our four schools in Thailand. I really appreciate you resolving the issues with the Teams calls and for running the sessions smoothly and efficiently.

"It’s been a pleasure working with you, and we truly appreciate the effort you’ve put in to get this over the line. Completing integrations across four schools is no small feat - well done!"

- W.L., Group Cyber Security Culture and Awareness Manager

The 10 Interesting News Items This Week
  1. Scammers continue to target World Cup fans with increasingly sophisticated tactics:
    https://www.wired.com/story/world-cup-scams-are-getting-harder-to-spot/

  2. Document delivery scams: What are they and what’s their goal?:
    https://www.malwarebytes.com/blog/scams/2026/06/document-delivery-scams-what-are-they-and-whats-their-goal

  3. Two Britons plead guilty to £39m 2024 cyber-attack on Transport for London:
    https://www.theguardian.com/technology/2026/jun/22/two-britons-plead-guilty-to-39m-2024-cyber-attack-on-transport-for-london

  4. Malvertising campaign abuses Claude.ai's shared chat feature:
    https://www.trendmicro.com/en_us/research/26/f/claudeai-shared-chat-abused-in-malvertising.html

  5. Top VC Andreessen Horowitz: "How to Win a Space War." Yes, for realz:
    https://open.substack.com/pub/a16z/p/how-to-win-a-space-war?

  6. Five Eyes agencies sound alarm about AI’s threat to cybersecurity:
    https://therecord.media/five-eyes-alert-artificial-intelligence

  7. Schneier on Security: Interesting Paper Exploring Prompt Injection:
    https://www.schneier.com/blog/archives/2026/06/interesting-paper-exploring-prompt-injection.html

  8. FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys:
    https://thehackernews.com/2026/06/fbi-warns-russian-intelligence-hackers.html

  9. Microsoft Warns of Photo ZIP Phishing Campaign Targeting Hotels with Node.js Implant:
    https://www.microsoft.com/en-us/security/blog/2026/06/25/photo-zip-campaign-targeting-hospitality-industry-delivers-node-js-implant-persistent-access/

  10. Beware of “Parcel Expert” job offers: They’re parcel mule scams:
    https://www.malwarebytes.com/blog/scams/2026/06/beware-of-parcel-expert-job-offers-theyre-parcel-mule-scams

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.