Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

You Are Still Vulnerable to Password Attacks When Using Passkeys

Just because you’re using a passkey doesn’t mean your password is gone. Microsoft is going passwordless in a new big push. As part of that new initiative, they are strongly pushing FIDO passkeys. I am a big fan of FIDO passkeys and FIDO in general. FIDO authentication offerings, including passkeys, are phishing-resistant, which makes them a HUGE improvement over passwords and most other multi-factor authentication products.

Phishing Kits Are Growing More Sophisticated; Focused on Bypassing MFA

Researchers at Cisco Talos warn that major phishing kits continue to incorporate features that allow them to bypass multi-factor authentication (MFA). Commodity phishing kits like Tycoon 2FA and Evilproxy achieve this by using reverse proxies to intercept traffic from the authentication process during a phishing attack.

Warning: Phishing Campaign Impersonates the US Social Security Administration

Researchers at Malwarebytes warn that phishing emails are impersonating the US Social Security Administration (SSA) to trick users into installing the ScreenConnect remote access tool. ScreenConnect is a legitimate tool used for remote IT management, but it can be abused by hackers to take control of victims’ computers.

Xfinity Scam Might Explain Similar Scams

Recently, I covered a T-Mobile scam where a friend of mine narrowly avoided losing money. In that scam, the attackers called up pretending to be from T-Mobile offering him a cannot-pass-up 30% discount on future T-Mobile bills. While he was initially suspicious of the unexpected callers, they gained his confidence by repeating the amounts of his last two T-Mobile bills, billing address, and knew that his wife was also on the account.

Email Remains the Top Attack Vector for Cyberattacks

Email is still the most common attack vector for cyber threats, according to a new report from Barracuda. The researchers found that one in four emails during February 2025 was either malicious or spam. HTML attachments were the most common file type used in phishing emails. “One of the most striking findings from the report is that 23% of HTML attachments are malicious, making them the most weaponized type of text file,” Barracuda says.

A Sneaky T-Mobile Scam and Lessons That Were Learned

A friend of mine got a call on his phone and he regrettably picked it up. The number was 267-332-3644. The area code is from Bucks County, PA, where he used to live many years ago. But since his multiple anti-scam phone filter apps did not flag the number as a scam, and it was from a place he used to live, he picked it up.

Criminals Exploit the Death of Pope Francis to Launch Scams

Scammers are exploiting the death of Pope Francis to launch social engineering attacks, according to researchers at Check Point. The researchers note that threat actors often take advantage of high-profile tragedies and crises to exploit victims’ emotions. “They typically begin with disinformation campaigns on social media platforms like Instagram, TikTok, or Facebook, uploading fake images generated by AI,” the researchers write.

What Is Device Code Phishing?

Ever since Microsoft’s initial announcement on February 13, 2025, about a Russian nation-state phishing campaign using "device code phishing," many people have been wondering what it is. This post will tell you what device code phishing is and how to defend against it. Here are some other related reports involving the recently reported device code phishing attacks.

Social Engineering Campaign Abuses Zoom to Install Malware

A social engineering campaign is abusing Zoom's remote control feature to take control of victims’ computers and install malware, according to researchers at security firm Trail of Bits. The operation targeted Trail of Bits’ CEO, who recognized it as malicious and didn’t fall for the attack. The researchers have attributed the campaign to the ELUSIVE COMET threat actor.