Threat Intel

B ATHR Blog

Author Aaron Orchard

Aaron Orchard

Author Callie Hinman

Callie Baron

Author Piotr Wojtyla

Piotr Wojtyla

A cybercrime platform called ATHR uses AI vishing agents, credential harvesting panels, and built-in phishing mailers to execute and scale TOAD attacks.

AI Meets Voice Phishing: How ATHR Automates the Full TOAD Attack Chain

B VENOM Phaa S Blog

Author Alex Blinov

Alex Blinov

Author Ryan Devendorf

Ryan Devendorf

A previously undocumented phishing platform is targeting CEOs and CFOs by name, exploiting live Microsoft authentication to establish persistent access.

Meet VENOM: The PhaaS Platform That Neutralizes MFA

B Tracking Iran Aligned Cyber Operations

Iran-aligned groups are conducting cyber operations after strikes by the U.S. and Israel. Explore their tactics and how Abnormal can strengthen defenses.

Tracking Iran-Aligned Cyber Operations Following U.S.-Israel Strikes

Artificial Intelligence

1500x1500 MKT1427 SITE ONLY Blog Open Graphs When Behavioral AI Meets Threat Intelligence

Behavioral models live or die on the signals they see. The next frontier uses AI to connect normal user behavior with attack behavior, sharpening detection with each event.

When Behavioral AI Meets Threat Intelligence: The New Defense Against AI-Driven Attacks

Product

French VEC Attack Cover

See how attackers weaponized a legitimate vendor's Microsoft 365 account to deliver a French-language VEC attack that cleared every standard authentication check.

French-Language VEC Attack Exploits Compromised Vendor Account and Cloudflare-Hosted Portal

B Starkiller Blog

Go inside Starkiller's control panel to see how headless browsers and reverse proxies enable enterprise-grade phishing infrastructure with MFA bypass.

Starkiller: New Phishing Framework Proxies Real Login Pages to Bypass MFA

B Shiny Hunters SSO Attacks

Learn how ShinyHunters uses hybrid vishing, credential harvesting, and MFA abuse to compromise SSO and pivot into SaaS environments.

ShinyHunters SSO Attacks: How Social Engineering and MFA Abuse Drive Identity Compromise

B 2026 Threat Forecast

Attackers are exploiting trust, identity, and routine workflows. Get an in-depth look at the tactics and techniques threat actors will be refining in 2026.

2026 Threat Forecast: Top Attacks Set to Increase Enterprise Exposure

B HTMLMIX

Real threat actors are using AI-powered tools like HTMLMIX to bypass email filters at scale. Here's how the tool works and how to defend against it.

How HTMLMIX Uses AI to Help Cybercriminals Evade Email Security Filters

B Inbox Prime AI Blog

Discover how the InboxPrime AI phishing kit automates scalable, believable email attacks and highlights the growing sophistication of AI-driven cybercrime.

InboxPrime AI: New Phishing Kit Fueling Scalable, AI-Powered Cybercrime

B Cyber LNK

Cyber LNK Builder exploits Windows shortcuts to deliver malicious payloads. Learn how it works and why traditional defenses struggle against it.

Cyber LNK Weaponizes Windows Shortcuts for Malware

Impact Solutions Cover pptx

Impact Solutions is the new phishing toolkit making advanced malware delivery accessible to any threat actor. Explore its evasion tactics and payload tricks.

Impact Solutions: The Point-and-Click Toolkit Democratizing Malware Delivery

B EDU Duo MFA Threat Intel Report Blog

A phishing campaign targeting higher education steals credentials and Duo OTPs to compromise accounts, exfiltrate data, and launch lateral attacks.

Attackers Steal Duo OTPs to Compromise Higher Ed Accounts

B Salesloft Drift Breach Blog

The Salesloft Drift breach exploited OAuth to compromise Salesforce data across 700+ orgs, exposing SaaS integration and posture management risks.

When Integrations Become Exploits: What the Salesloft Drift Breach Reveals

B Microsoft Direct Send Abuse

Threat actors are abusing Microsoft Direct Send to spoof internal emails. See why legacy defenses fail and how Abnormal prevents these attacks.

Microsoft Direct Send Abuse: Why Legacy Defenses Fall Short

B Screen Connect Abuse

Phishing attacks impersonate Zoom and Teams to deliver ScreenConnect, exploiting the legitimate IT tool for stealthy, persistent system access.

ScreenConnect Abuse Highlights the Risks of Trusted IT Tools

B Compromised Police Government Accounts

Cybercriminals are selling active .gov and .police accounts, enabling identity takeover, fraudulent subpoenas, and access to sensitive law enforcement systems.

The Dark Web Economy for Compromised Government and Police Email Accounts

Tool Shell Cover

A newly discovered zero-day is affecting on-prem SharePoint environments. Here’s what CISOs need to know.

SharePoint “ToolShell” Exploit: Guidance for CISOs

Credential Phishing

B HTML and Java Script Phishing

Explore real phishing attacks that use HTML and JavaScript to bypass defenses and learn what makes these emails so hard to detect.

How HTML and JavaScript Fuel Modern Phishing: 3 Real-World Examples

B Custom Phishing Kits Blog

Brand-specific phishing kits are replacing generic templates. Learn how these custom phishing kits enable sophisticated impersonation attacks.

Custom Phishing Kits: How Cybercriminals Create Bespoke Brand Impersonation Attacks

B Flux Panel Ecommerce Checkout Hijacking via Phishing

FluxPanel turns legitimate ecommerce checkouts into live data theft operations. Learn how this dark web tool works, the role phishing plays, and how to stop attacks at their source.

Inside FluxPanel: How Phishing Enables Real-Time Ecommerce Checkout Hijacks

Attack Stories

B Flask Phishing Kit

Learn how threat actors used Flask, a popular Python framework, to build a versatile phishing kit for evasive campaigns that bypass traditional defenses.

Flask Phishing Kit: Targeted Credential Theft Using Open-Source Technology

B Evil Panel Blog

EvilPanel is a new phishing toolkit built on Evilginx that provides a full-featured web interface for launching MFA-bypassing attacks.

EvilPanel: The New Face of Automated AiTM Phishing

B Bypassing Safeguards in Leading AI Tools

Can generative AI be manipulated for cybercrime? Our research shows how attackers can bypass safeguards in today’s top AI tools.

Bypassing Safeguards in Leading AI Tools: ChatGPT, Gemini, Claude

B Byte Dance Live Panel Blog

With live session hijacking, OTP interception, and dynamic targeting, the ByteDance Live Panel phishing-as-a-service kit gives attackers the upper hand against traditional defenses.

ByteDance Live Panel: An Advanced Phishing-as-a-Service Kit with Real-Time Monitoring

B DKIM Replay Google Phishing Attack

Threat actors used DKIM replay to send Google-branded phishing emails that passed authentication checks. Here’s how the attack worked and why it’s hard to catch.

Replay, Reuse, and Rob: How Attackers Exploit DKIM and Turn Google OAuth Alerts into Phishing Lures

B Pig Butchering

Learn about pig butchering fraud, a new threat to organizational security. Explore operational tactics, warning signs, and strategies to safeguard your business.

Inside Pig Butchering: A Behavioral Breakdown of a Global Fraud Operation

B Gamma Attack Story Blog

Attackers exploit Gamma in a multi-stage phishing attack using Cloudflare Turnstile and AiTM tactics to evade detection and steal Microsoft credentials.

Multi-Stage Phishing Attack Exploits Gamma, an AI-Powered Presentation Tool

B Exploiting Trusted AI Tools Blog

Malicious AI is rewriting the rules of cybercrime. Learn how traditional GPTs are being exploited and why security teams need to act now.

When Good GPTs Go Bad: How Trusted AI Tools Are Exploited for Attacks

B X Files Fileless Malware

Learn how XFiles uses fileless malware, Cloudflare Turnstile widgets, and phishing emails to steal login details, cryptocurrency wallets, and access to corporate systems.

XFiles: A Fileless Malware Delivered via Phishing Campaigns

B Atlantis AIO Blog

Discover how cybercriminals use Atlantis AIO to automate credential stuffing attacks—and how AI-driven security can stop them before accounts are compromised.

Inside Atlantis AIO: Credential Stuffing Across 140+ Platforms

B Black Basta

Black Basta is a highly active ransomware-as-a-service (RaaS) group that has been linked to dozens of high-profile attacks against organizations worldwide. See how they utilize generative AI to support their campaigns.

Exploring Black Basta’s Use of Generative AI to Supercharge Cybercrime

B AI Generated Zoom Impersonation Phishing Attack

Threat actors impersonated Zoom using an AI-generated phishing page to deliver a remote monitoring and management tool.

AI-Generated Zoom Impersonation Attack Exploits Tax Season to Deploy Remote Desktop Tool

B Design and Diagramming Tools Phishing Attack

Cybercriminals are exploiting trusted tools like Canva, Figma, and Lucidchart for phishing. Learn how these attacks work—and how to protect your business.

Inside the New Wave of Phishing Attacks Exploiting Trusted Design and Diagramming Tools

B PDF Annotations Mask Malicious QR Codes Blog

Attackers are exploiting PDF annotations to disguise phishing QR codes, bypassing security and deceiving users. Learn how this sophisticated threat works.

Hiding in Plain Sight: How Attackers Use PDF Annotations to Mask Malicious QR Codes

B Crypto Grab Blog

CryptoGrab, a global cryptocurrency affiliate network, has been defrauding users of millions for more than 5 years using phishing emails and other tactics.

Multi-Layered Cryptocurrency Fraud: How CryptoGrab Drains Millions Through Scam Websites and Phishing

B Corrupted Word Doc QR Code Phishing Attack

Attackers exploit Microsoft Word’s file recovery to evade detection, using corrupted docs for QR code phishing. Learn how this tactic bypasses legacy security.

That Word Document Isn’t Broken—It’s a Phishing Attack in Disguise

B Exploiting Google Services Blog

Cybercriminals misuse Google services for phishing, ad hijacking, and more. Learn five attack methods and how to protect your accounts.

Protect Your Google Accounts: 5 Ways Cybercriminals Exploit Google Services

B Phishing Loop Bypass MFA Compromise Accounts Blog

A new phishing campaign targeting Microsoft ADFS bypasses MFA with social engineering and technical deception. Learn how attackers take over accounts—and how to stop them.

The Never-Ending Loop of Phishing: How Attackers Exploit Psychology to Bypass MFA and Compromise Accounts

B Ghost GPT Blog

Cybercriminals use GhostGPT, an uncensored AI chatbot, for malware creation, BEC scams, and more. Learn about the risks and how AI fights back.

How GhostGPT Empowers Cybercriminals with Uncensored AI

B Punycode Problem Blog

Explore how threat actors exploit Punycode in email attacks and learn how AI-driven solutions can protect against these threats.

The Punycode Problem: Protecting Your Inbox from Deceptive Domains

B Weaponizing Google Translate for Phishing

Learn how attackers use Google Translate's URL redirection for phishing, exploiting Google’s trust to deceive users and bypass security.

How Threat Actors Weaponize Google Translate for Phishing

B Cyberattack Forecast Emerging Threats Blog

Uncover the latest email threats and strategies to strengthen your cybersecurity and prepare for 2025.

2025 Cyberattack Forecast: Top Email Threats to Watch for

B How Phishing Kits Work Blog

Learn how phishing kits provide pre-packaged tools for stealing credentials, bypassing MFA, and targeting platforms like Gmail and Microsoft 365.

How Phishing Kits Work: Unpacking Cybercriminal Tools in 2024

B Malicious AI Platforms Blog

What happened to WormGPT? Discover how AI tools like WormGPT changed cybercrime, why they vanished, and what cybercriminals are using now.

What Happened to WormGPT and What Are Cybercriminals Using Now?

B Dropbox Open Enrollment Attack Blog

Discover how Dropbox was exploited in a sophisticated phishing attack that leveraged AiTM tactics to steal credentials during the open enrollment period.

Adversary-in-the-Middle Tactics Elevate Dropbox Phishing Attack Capitalizing on Open Enrollment

Demo

Schedule a Demo

Phishing Score Cover

Sydney Gangi

Learn how Abnormal's behavioral model uses signals, recency, and context—not just clicks—to deliver a more accurate and actionable phishing risk score.

An Abnormal Theory on Human Risk: The Formula Behind Abnormal’s Phishing Risk Score

Unveiling Attune Cover

Lily Prest

Attune 1.0 transforms detection with a unified behavioral intelligence architecture built for an AI-driven threat landscape.

Unveiling Attune: Modern Email Security Meets Behavioral Intelligence

Email Subscribe

<p> Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.</p>

Homepage

Breadcrumbs

Abnormal AI provides advanced email security to prevent credential phishing, business email compromise, account takeover, and more.

Abnormal AI

Learn about the latest cybercrime attack types and email security data trends and discover the latest product and company announcements from Abnormal.

Email Security Blog

description

cybersecurity, insight, news, team, latest, experts

keywords

https://images.abnormalsecurity.com/production/images/L_Abnormal-homepage_Opengraph.png?w=1200&h=630&q=82&auto=format&fit=crop&dm=1740090372&s=5d61b4c2e242be3ca70dfe1d54859b11

referrer

robots

twitter:card

twitter:creator

twitter:description

https://images.abnormalsecurity.com/production/images/T_Abnormal-homepage_Opengraph.png?w=800&h=418&q=82&auto=format&fit=crop&dm=1740090398&s=d6f915fc8861f3928b09a79dae44e4be

twitter:image

twitter:image:alt

twitter:image:height

twitter:image:width

twitter:site

twitter:title

{"title":{"title":"Email Security Blog | Abnormal AI"}}

Abnormal Blog

Persistent Nav Click - New Report: Exposing VENOM, the PhaaS Platform Targeting Executives

.css-bmf3w{font-family:inherit;font-size:15px;font-style:normal;font-weight:400;line-height:24px;}Abnormal Blog.css-7dny4u{-webkit-padding-start:12px;padding-inline-start:12px;-webkit-padding-end:12px;padding-inline-end:12px;display:inline;}/Author/Piotr Wojtyla

Piotr Wojtyla

Abnormal Blog/Author/Piotr Wojtyla