Threat Actor Uses Phishing to Breach Orgs for Ransomware Gangs

KnowBe4 Team | Jul 10, 2026

An initial access broker associated with the Payouts King ransomware group is using Microsoft Teams phishing to deploy a malicious Microsoft Edge web browser extension, according to researchers at Zscaler. Once the hackers have a foothold within an organization, they sell the access to the ransomware gang to conduct follow-on attacks.

“In recent attacks, the threat actor leverages social engineering tactics paired with an innovative malware delivery mechanism,” the researchers write. “The technique utilizes a malicious Microsoft Edge browser extension that exploits the Chrome native messaging protocol to interact with host-native applications beyond the confines of the browser sandbox. By abusing this interface, the attackers gain direct host access, enabling them to manipulate the local filesystem, launch processes, and execute arbitrary code on the compromised host.”

The attackers begin by sending the victim a Teams message that impersonates the organization’s IT staff, telling the user that they need a spam filter update. The user is sent to a fake Microsoft website with a series of buttons designed to install the malware, eventually requesting the victim’s Microsoft365/Outlook password.

“As threat actors like those affiliated with Payouts King continue to leverage social engineering, such as spam bombing and vishing, in tandem with innovative delivery mechanisms, organizations must adopt a defense-in-depth posture,” Zscaler says. “This includes robust monitoring of browser extension installations, strict control over native messaging host configurations, and comprehensive user training to recognize and report suspicious prompts, especially when they mimic legitimate IT administrative updates or management consoles.”

Zscaler has the story: Payouts King Ransomware Initial Access Broker Deploys New Edgecution Malware

 

See KnowBe4 Security Awareness Training in Action

See how you can efficiently safeguard your organization from sophisticated social engineering threats.

Request a Demo

Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.