CoFense Scam News.
- This ‘SAP Ariba Quote’ Isn’t What It Seems—It’s Ransomware, by Cofense on August 14, 2025 at 5:00 am
Ransomware has long been a staple among threat actors, and the attacks often garner extensive media coverage. Ransomware families such as WannaCry and NotPetya dominated both the cyber news and broader reporting landscape for months on end.
- Personalization in Phishing: Advanced Tactics for Malware Delivery, by Cofense on August 13, 2025 at 5:00 am
Subject customization is widely used in targeted malware phishing campaigns to make the email appear more authentic and increase the chances of the malicious payload being run. When combined with Remote Access Trojans (RATs) or Information Stealers, threat actors can easily obtain remote access or credentials. In this blog, Cofense Intelligence outlined the top 5 most prevalent themes associated with malware-delivery emails where subject customization was included. These themes include categories such as Travel Assistance, Response, Finance, Taxes, and Notification.
- Google Redirect Abuse in 2024: Key Trends & Tactics, by Cofense on July 30, 2025 at 5:00 am
Threat actors have increasingly exploited Google AMP and Google redirect methods to bypass security defenses, leveraging Google’s reputation to mask malicious content from detection. Despite improved security measures, the quarterly volume of Google AMP abuse has remained consistently high, with attackers adapting by using varied Google URL paths, TLDs, and even services like Google Maps and Translate for redirects.
- Phishing in the AI Era: 6 Tips to Build Resiliency, by Cofense on July 23, 2025 at 5:00 am
With generative AI fueling the rise of highly targeted phishing campaigns, attackers can now create more convincing emails that bypass traditional security measures. In this blog, learn six expert tips to build employee resiliency and turn your team into active defenders against evolving threats.
- Fake Zoom Call Lures for Zoom Workplace Credentials, by Cofense on July 23, 2025 at 5:00 am
The Cofense Phishing Defense Center (PDC) recently observed a new phishing campaign in which threat actors are leveraging fake invitations to Zoom meetings to harvest the Zoom Workplace credentials of users.
- Next Gen TTPs in the Threat Actor’s Playbook, by Cofense on July 16, 2025 at 5:00 am
Cofense Intelligence tracks advanced Tactics, Techniques, and Procedures (TTPs) in credential phishing and malware reporting. These tracked advanced TTPs consist of individual techniques such as steganography or reversing a filename and file extension with a special character. They also include overall campaign characteristics, such as Spanish-language emails delivering Remote Access Trojans (RATs) via embedded links to password-protected archive files hosted on Google Drive or Google Docs. Luckily, advanced TTPs such as these are not as common and only account for a small fraction of the campaigns observed by Cofense. This report will cover the individual TTPs that account for over 5% of all tracked TTPs in 2024.
- Spain TLD’s Recent Rise to Dominance, by Cofense on July 2, 2025 at 5:00 am
Threat actors are increasingly abusing Spain’s .es TLD for malicious activities, with a 19x rise in abuse from Q4 2024 to Q1 2025. This makes it one of the top 10 most exploited TLDs for credential phishing. This surge is particularly notable in second-stage URLs, which host phishing pages or exfiltrate data after users click on embedded links. While .com and .ru remain the most abused TLDs, the .es TLD’s rapid rise has disrupted the rankings of commonly exploited domains.
- CapCut Con: Apple Phishing & Card-Stealing Refund Ruse, by Cofense on June 26, 2025 at 5:00 am
Cybercriminals are exploiting CapCut’s popularity by launching a phishing campaign with fake invoice lures to steal Apple ID credentials and credit card information. By imitating CapCut’s branding, attackers aim to deceive users into sharing sensitive data. This blog post delves into the mechanics of this phishing scheme, highlights the tactics used, and provides insights on how to recognize and avoid such threats.
- TxTag Takedown: Busting Phishing Email Schemes, by Cofense on June 19, 2025 at 5:00 am
The Cofense PDC has identified a new phishing campaign that uses a .gov domain to deceive employees into thinking they owe an unpaid toll. It creates urgency by warning of penalties or vehicle registration holds if payment isn’t made immediately. The attackers aim to exploit this urgency to steal personal information or credentials.
- Immunity Evasion: Defeating Security with Active Measures & Long-Lived Domains, by Cofense on June 18, 2025 at 5:00 am
In Q1 2025, Cofense Intelligence identified a sophisticated phishing tactic combining long-lived domains, custom CAPTCHAs, and anti-automated analysis to bypass SEGs. This combination allows threat actors to evade detection by replacing malicious content with benign pages for scanning software and leveraging CAPTCHAs that security systems cannot easily solve.
- ClickFix Campaign Spoofs Booking.com for Malware Delivery, by Cofense on June 4, 2025 at 5:00 am
Cofense Intelligence has identified a rise in Booking.com-spoofing phishing attacks using fake CAPTCHAs to deliver malicious scripts disguised as verification codes. These campaigns surged in March 2025, with 75% spoofing Booking.com templates.
- Behind the Script: Unmasking Phishing Attacks Using Google Apps Script, by Cofense on May 29, 2025 at 5:00 am
A recent campaign identified by the Cofense PDC disguises phishing emails as invoices, linking to a Google Apps Script-hosted page to appear legitimate. This tactic exploits Google’s trusted environment, making it easier to deceive recipients into sharing sensitive information.