Abnormal Blog
Twenty days after Europol seized 330 Tycoon2FA domains, a new campaign emerged with rebuilt infrastructure and six layers of obfuscation. Here's how it works.
Analysis of nearly 800,000 attacks shows how phishing techniques adapt to the workflows, defenses, and platforms of the organizations they target.
Nearly 800,000 attacks reveal how BEC tactics shift with operational characteristics. See which impersonation strategies target organizations like yours.
A cybercrime platform called ATHR uses AI vishing agents, credential harvesting panels, and built-in phishing mailers to execute and scale TOAD attacks.
A phishing-as-a-service platform is exploiting Microsoft’s Device Code OAuth flow at scale, then weaponizing stolen tokens with AI-powered email intelligence to automate business email compromise.
A previously undocumented phishing platform is targeting CEOs and CFOs by name, exploiting live Microsoft authentication to establish persistent access.
Iran-aligned groups are conducting cyber operations after strikes by the U.S. and Israel. Explore their tactics and how Abnormal can strengthen defenses.
Behavioral models live or die on the signals they see. The next frontier uses AI to connect normal user behavior with attack behavior, sharpening detection with each event.
Go inside Starkiller's control panel to see how headless browsers and reverse proxies enable enterprise-grade phishing infrastructure with MFA bypass.
Learn how ShinyHunters uses hybrid vishing, credential harvesting, and MFA abuse to compromise SSO and pivot into SaaS environments.
Attackers are exploiting trust, identity, and routine workflows. Get an in-depth look at the tactics and techniques threat actors will be refining in 2026.
Real threat actors are using AI-powered tools like HTMLMIX to bypass email filters at scale. Here's how the tool works and how to defend against it.
Discover how the InboxPrime AI phishing kit automates scalable, believable email attacks and highlights the growing sophistication of AI-driven cybercrime.
Cyber LNK Builder exploits Windows shortcuts to deliver malicious payloads. Learn how it works and why traditional defenses struggle against it.
Impact Solutions is the new phishing toolkit making advanced malware delivery accessible to any threat actor. Explore its evasion tactics and payload tricks.
A phishing campaign targeting higher education steals credentials and Duo OTPs to compromise accounts, exfiltrate data, and launch lateral attacks.
The Salesloft Drift breach exploited OAuth to compromise Salesforce data across 700+ orgs, exposing SaaS integration and posture management risks.
Threat actors are abusing Microsoft Direct Send to spoof internal emails. See why legacy defenses fail and how Abnormal prevents these attacks.
Major Federal cyber breaches share one overlooked constant: email. This post presents five case studies revealing how attackers exploited the inbox through phishing, credential theft, and forged tokens—and why behavioral, identity-aware AI delivers the decisive advantage over legacy defenses.
Phishing attacks impersonate Zoom and Teams to deliver ScreenConnect, exploiting the legitimate IT tool for stealthy, persistent system access.
Cybercriminals are selling active .gov and .police accounts, enabling identity takeover, fraudulent subpoenas, and access to sensitive law enforcement systems.
A newly discovered zero-day is affecting on-prem SharePoint environments. Here’s what CISOs need to know.
New research reveals predictable seasonal cybersecurity patterns in retail. Discover when attacks are most prevalent and how to synchronize defenses with threat cycles.
Discover how multi-party attacks unfold and how to stop them before they cause damage to your organization.