Cofense Scam News

  • Interactive Brokers Phishing Scam: Fake IRS W-8BEN Renewal Alert
    by Cofense on April 13, 2026 at 5:00 am

    The blog describes a phishing campaign identified by Cofense that impersonates Interactive Brokers using a fake IRS W-8BEN renewal email to trick users into clicking a malicious link. The email appears legitimate but uses a suspicious sender address and directs victims to a counterfeit login page designed to steal account credentials.

  • From Tax Refund to Total Compromise: IRS-Themed Phishing Email Drives Full-Stack Financial Fraud
    by Cofense on April 9, 2026 at 5:00 am

    This blog describes a phishing campaign that impersonates the IRS and Elon Musk to lure victims with a fake $5000 tax refund, ultimately redirecting them to credential harvesting websites. After submitting personal information, victims are funneled into a fraudulent cryptocurrency platform that requests additional sensitive data, including bank details and photo ID, under the guise of processing the refund.

  • The Growing Abuse of GitHub and GitLab in Phishing Campaigns
    by Cofense on April 8, 2026 at 5:00 am

    Threat actors are increasingly abusing trusted platforms like GitHub and GitLab to host malware and credential phishing pages, allowing malicious links to bypass email security because these domains are widely trusted and cannot easily be blocked. The volume of these campaigns has grown significantly since 2021, with 2025 accounting for nearly half of all activity, and attacks often include both malware delivery and credential theft, sometimes in combined “dual threat” chains.

  • Weaponizing Fear: Iran Conflict-Themed Phishing Uses Fake Emergency Alerts
    by Cofense on April 6, 2026 at 5:00 am

    An Iran conflict-related phishing email titled “Public Safety Advisory – Action Recommended,” sent from “@qualitycollection.com.au,” is impersonating official government and civil defense organizations. The message uses urgent, fear-inducing language about air-raid threats, infrastructure disruption, and evacuation readiness to pressure recipients into acting quickly. It directs users to scan a QR code for supposed instructions, which instead leads to a Microsoft-themed phishing page designed to steal sensitive information.

  • The AI Security Compliance Gap: Fighting Polymorphic Phishing While Staying Regulatory Ready
    by Cofense on April 2, 2026 at 5:00 am

    Polymorphic phishing attacks are evolving rapidly, using AI and automation to generate constantly changing threats that traditional detection methods struggle to stop. At the same time, organizations face increasing pressure to meet complex cybersecurity and data protection regulations, creating a gap because AI security tools themselves remain largely unregulated. To close this gap, businesses must adopt automation alongside strong governance, transparency, and accountability to ensure both effective threat defense and regulatory compliance.

  • One Click Away: Inside a LinkedIn Phishing Attack
    by Cofense on March 30, 2026 at 5:00 am

    This article explains how a phishing campaign impersonates LinkedIn notifications to trick users into clicking malicious links and entering their login credentials on spoofed websites. It highlights how attackers use realistic branding, urgent messaging, and deceptive domains to exploit trust and curiosity, making the emails and fake login pages appear legitimate.

  • Xiaomi Phishing Attempt – Red Flags You Can’t Afford to Ignore
    by Cofense on March 26, 2026 at 5:00 am

    The blog describes a phishing campaign targeting Xiaomi users, where attackers send realistic emails posing as official communications to trick recipients into clicking malicious links and entering credentials on a fake login page. It highlights how these attacks use convincing branding, urgency, and polished design, often enhanced by AI, to exploit user trust rather than technical vulnerabilities.

  • The Unintentional Enabler: How Cloudflare Services are Abused for Credential Theft and Malware Distribution
    by Cofense on March 25, 2026 at 5:00 am

    The blog explains how threat actors increasingly abuse legitimate Cloudflare services like Workers and Tunnels to host phishing pages, distribute malware, and evade traditional security defenses by leveraging Cloudflare’s trusted infrastructure. It details how attackers use these tools to create convincing credential-harvesting sites and covert malware delivery mechanisms, including RAT deployment through obfuscated connections and WebDAV-based techniques.

  • LiveChat Abuse: How Phishers Are Exploiting SaaS Support Tools to Steal Sensitive Data
    by Cofense on March 16, 2026 at 5:00 am

    Threat actors are abusing the LiveChat SaaS platform to impersonate brands like PayPal and Amazon in phishing campaigns designed to steal credentials, credit card details, MFA codes, and other sensitive data. Victims are lured through phishing emails and directed to LiveChat pages where attackers use chat interactions to request personal and financial information. The campaign highlights how cybercriminals are increasingly leveraging legitimate services and real-time engagement to make phishing attacks appear more trustworthy. 

  • Weaponizing Telegram Bots: How Threat Actors Exfiltrate Credentials
    by Cofense on March 11, 2026 at 5:00 am

    Telegram is a free, online instant messenger platform that is also commonly abused by threat actors for a wide range of malicious activities. One of Telegram’s notable features is its extensive collection of web APIs, one of which is used to interact with automated bot accounts. 

  • Abusing Windows File Explorer and WebDAV for Malware Delivery
    by Cofense on February 25, 2026 at 6:00 am

    Cofense Intelligence has identified a growing tactic in which threat actors abuse Windows File Explorer and WebDAV to deliver malware outside of traditional browser-based downloads. By leveraging URL and LNK shortcut files along with Cloudflare Tunnel infrastructure, attackers are disguising remote file servers as seemingly local resources and delivering multi-stage campaigns that frequently end in RAT infections. This report breaks down how the technique works, why it is effective, and what organizations can do to detect and mitigate this evolving threat.

  • Punchbowl Phishing Attack Explained: How Digital Invites Are Used to Steal Credentials
    by Cofense on February 24, 2026 at 6:00 am

    This blog examines a phishing campaign that abuses trusted digital invitation platforms to trick recipients into entering their credentials on branded phishing pages. By impersonating well-known services and leveraging newly registered domains, threat actors are able to harvest credentials while evading traditional security controls.
