THREAT FEED

Widespread phishing campaign using fake Gmail security alerts. Emails claim suspicious login detected and direct users to a near-perfect Google sign-in replica. Campaign has compromised over 100,000 accounts in the past week.

Zero-day vulnerability in Zoom client versions prior to 6.1.2 allows unauthenticated attackers to join private meetings without a passcode. Exploit bypasses the waiting room feature and has been observed in targeted attacks against corporate meetings.

Comcast Xfinity confirmed unauthorized access to customer accounts affecting approximately 35 million users. Exposed data includes usernames, hashed passwords, security questions, and partial Social Security numbers. The breach was traced to a vulnerability in the Citrix Bleed exploit (CVE-2025-4921).

Sophisticated phishing campaign exploiting Microsoft 365 OAuth flows. Victims receive emails with Review Document links that redirect through legitimate Microsoft login to a malicious OAuth consent page, granting attackers persistent access to email, files, and Teams.

Unit 42 researchers identified PhantomLock, a new ransomware variant specifically designed to target remote workers. It spreads through malicious Slack messages and Zoom meeting links, encrypting local files and cloud-synced folders. Demands cryptocurrency payment within 48 hours.

Coordinated SIM swap attacks targeting PayPal users with Verizon phone numbers. Attackers port victim phone numbers to new SIMs, intercept 2FA codes, and drain PayPal balances. Over $2.3 million stolen in February alone.

Automated scanning reveals thousands of valid AWS access keys committed to public GitHub repositories. Exposed keys are being used within minutes for cryptocurrency mining and data exfiltration. Developers using Amazon services are urged to rotate all access keys immediately.