THREAT FEED
Real-time security alerts filtered for your threat landscape.
Gmail Credential Harvesting via Fake Security Alerts | Phishing | 2026-03-06
Widespread phishing campaign using fake Gmail security alerts. Emails claim suspicious login detected and direct users to a near-perfect Google sign-in replica. Campaign has compromised over 100,000 accounts in the past week.
Zoom Zero-Day Meeting Infiltration | Vulnerability | 2026-03-06
Zero-day vulnerability in Zoom client versions prior to 6.1.2 allows unauthenticated attackers to join private meetings without a passcode. Exploit bypasses the waiting room feature and has been observed in targeted attacks against corporate meetings.
Comcast Xfinity Customer Data Breach | Data Breach | 2026-03-05
Comcast Xfinity confirmed unauthorized access to customer accounts affecting approximately 35 million users. Exposed data includes usernames, hashed passwords, security questions, and partial Social Security numbers. The breach was traced to exploitation of the Citrix Bleed vulnerability (CVE-2025-4921).
Microsoft 365 OAuth Phishing Campaign | Phishing | 2026-03-05
Sophisticated phishing campaign exploiting Microsoft 365 OAuth flows. Victims receive emails with Review Document links that redirect through legitimate Microsoft login to a malicious OAuth consent page, granting attackers persistent access to email, files, and Teams.
PayPal Invoice Fraud Targeting Remote Workers | Scam | 2026-03-04
Fraudulent PayPal invoices sent to remote workers claiming charges for software licenses or IT services. The invoices list phone numbers that appear to be legitimate PayPal support lines but actually connect to scam call centers, which request remote access to victims' computers.
New Ransomware Variant Targeting Remote Workers | Malware | 2026-03-04
Unit 42 researchers identified PhantomLock, a new ransomware variant specifically designed to target remote workers. It spreads through malicious Slack messages and Zoom meeting links, encrypting local files and cloud-synced folders. Demands cryptocurrency payment within 48 hours.
Xfinity Router Firmware Remote Code Execution | Vulnerability | 2026-03-03
Critical vulnerability discovered in Xfinity xFi gateway routers allowing unauthenticated remote code execution. Firmware versions prior to 3.2.1 are affected. Attackers can gain full control of the router and intercept all network traffic.
Bay Area Public Wi-Fi Credential Harvesting | Phishing | 2026-03-03
Evil twin Wi-Fi attacks detected at major Bay Area locations including BART stations, cafes, and coworking spaces. Attackers set up fake public Wi-Fi networks that intercept login credentials for email and cloud services.
SIM Swap Attacks Targeting Cryptocurrency Users | Scam | 2026-03-03
Surge in SIM swap attacks targeting cryptocurrency holders with Verizon accounts. Attackers use social engineering at Verizon retail stores to port numbers, then access cryptocurrency exchanges and PayPal accounts linked to the phone number.
Slack Webhook Data Exfiltration | Vulnerability | 2026-03-02
Attackers exploiting misconfigured Slack incoming webhooks to exfiltrate sensitive data from private channels. Organizations with default webhook permissions are particularly vulnerable. Data is sent to attacker-controlled servers via outbound webhook posts.
Chicago Public Schools Student Data Breach | Data Breach | 2026-03-02
Data breach at Chicago Public Schools exposed records of 500,000+ students and staff. Compromised data includes names, emails, student IDs, and Google Workspace credentials used for remote learning platforms.
Google Workspace OAuth Token Theft | Vulnerability | 2026-03-01
New attack vector exploiting Google Workspace OAuth consent flow to steal long-lived access tokens. Malicious third-party apps request broad permissions and exfiltrate email, Drive, and Calendar data. Particularly targeting organizations using Slack-Gmail integrations.
Amazon Prime Renewal Scam Emails | Scam | 2026-03-01
Fake Amazon Prime membership renewal emails claiming automatic charges of $139.99. Emails include a Cancel Membership button linking to a phishing site that harvests Amazon credentials and credit card information.
Advanced Phishing Kit Targeting Financial Services | Phishing | 2026-03-01
Unit 42 discovered FinPhish, a phishing-as-a-service kit generating highly convincing replicas of PayPal and Amazon login pages. Kit includes real-time OTP interception, browser fingerprinting evasion, and automatic credential validation against live services.
Comcast Support Impersonation Phishing Campaign | Phishing | 2026-02-28
Sophisticated phishing campaign targeting Comcast customers in the Philadelphia metro area. Emails impersonate Comcast support and claim billing issues, directing victims to a convincing login page at comcast-billing-update.example.
NPM Supply Chain Attack Affecting Developer Tools | Vulnerability | 2026-02-28
Compromised npm packages discovered containing backdoors that exfiltrate environment variables and SSH keys. Over 45,000 downloads before removal. Developers using VS Code and Slack desktop apps with Node.js backends may be affected.
Outlook Zero-Click Calendar Vulnerability | Vulnerability | 2026-02-27
Critical vulnerability in Microsoft Outlook allows remote code execution via specially crafted calendar invitations. No user interaction required. Affects Outlook desktop clients on Windows. Patch available in March 2026 security update.
SEPTA Transit System Ransomware Attack | Malware | 2026-02-26
Philadelphia's SEPTA transit authority hit by ransomware attack affecting payment systems and real-time tracking. Customer payment card data from the past 6 months may be compromised. Riders advised to monitor credit card statements.
Gmail Attachment Malware Distribution | Malware | 2026-02-25
Increase in malware distribution via Gmail attachments disguised as shipping notifications and invoice documents. Payloads include information-stealing trojans targeting browser-stored credentials and cryptocurrency wallets.
Verizon Customer Data API Exposure | Data Breach | 2026-02-24
Unsecured Verizon API endpoint exposed customer records including names, addresses, phone numbers, and account PINs for approximately 7.5 million customers in the NYC metro area. The endpoint was publicly accessible for an estimated 3 weeks before being secured.
Apple iCloud Phishing via Fake Purchase Receipts | Phishing | 2026-02-22
Phishing emails mimicking Apple purchase receipts for expensive items. Emails prompt users to cancel the order by clicking a link that leads to a fake Apple ID login page. Campaign primarily targeting iCloud email users.
USB Drop Attacks at Coworking Spaces | Malware | 2026-02-21
Reports of USB drives left at Bay Area coworking spaces containing auto-executing malware. Malware targets Slack tokens and Zoom session cookies, enabling persistent access to corporate communications.
PayPal Account Takeover via SIM Swap | Data Breach | 2026-02-20
Coordinated SIM swap attacks targeting PayPal users with Verizon phone numbers. Attackers port victim phone numbers to new SIMs, intercept 2FA codes, and drain PayPal balances. Over $2.3 million stolen in February alone.
NYC Subway Wi-Fi Man-in-the-Middle Attacks | Vulnerability | 2026-02-19
Man-in-the-middle attacks detected on NYC subway Wi-Fi networks. Attackers are intercepting unencrypted traffic and injecting malicious content into HTTP connections. Email credentials sent over non-HTTPS connections are at risk.
Apple ID Lockout Scam Phone Calls | Scam | 2026-02-18
Robocall campaign claiming recipients' Apple IDs have been compromised and locked. Callers impersonate Apple Support and request remote access or Apple gift card payments to restore accounts. Over 50,000 reports were filed with the FTC in February.
University Email Credential Harvesting Campaign | Phishing | 2026-02-17
Widespread phishing campaign targeting .edu email accounts. Emails impersonate university IT departments requesting password resets for security compliance. Harvested credentials used to access student financial aid portals and research data.
AWS Access Key Exposure in Public Repositories | Data Breach | 2026-02-15
Automated scanning reveals thousands of valid AWS access keys committed to public GitHub repositories. Exposed keys are being used within minutes for cryptocurrency mining and data exfiltration. Developers using Amazon services are urged to rotate all access keys immediately.
QR Code Phishing in Restaurant Menus | Phishing | 2026-02-10
Scammers placing fraudulent QR code stickers over legitimate restaurant menu QR codes. Fake codes redirect to phishing sites mimicking payment processors or prompt installation of malware-laden menu apps. Most commonly reported in urban areas.