Increased Browser-Based Attacks Targeting Business Applications
Summary
Browser-based attacks targeting business applications have surged, exploiting modern work practices and decentralized internet apps. These attacks, including phishing, malicious OAuth integrations, and browser extensions, compromise business apps and data by targeting users. The attacks leverage various delivery channels and evasion techniques, making them difficult to detect and block. Phishing attacks have evolved to use non-email channels such as social media, instant messaging apps, and malicious search engine ads. These attacks often bypass traditional email security controls and are harder to detect. Attackers exploit the decentralized nature of modern work environments, targeting users across multiple apps and communication channels. Non-email phishing attacks can result in significant breaches, as seen in the 2023 Okta breach. The rise in these attacks highlights the need for enhanced browser security measures and better visibility into user activities within the browser.
Timeline
15.09.2025 14:55 · 2 articles
Browser-Based Attacks Surge Targeting Business Applications
Phishing attacks are increasingly delivered through non-email channels such as social media, instant messaging apps, and malicious search engine ads. These attacks exploit the decentralized nature of modern work environments, targeting users across multiple apps and communication channels. Modern phishing attacks often bypass traditional email security controls by using various communication channels and evasion techniques. Non-email phishing attacks are often undetected by traditional security measures, making them harder to mitigate. Attackers use techniques like DOM obfuscation, page obfuscation, and code obfuscation to evade detection. Phishing campaigns can be highly targeted, using specific geographic locations, email domain matches, or device types to tailor attacks. Compromised personal accounts can be used to launch targeted phishing campaigns against corporate users. Non-email phishing attacks can result in significant breaches, as seen in the 2023 Okta breach.
- 6 Browser-Based Attacks Security Teams Need to Prepare For Right Now — thehackernews.com — 15.09.2025 14:55
- Why attackers are moving beyond email-based phishing attacks — www.bleepingcomputer.com — 22.09.2025 17:01
Information Snippets
- Browser-based attacks target business applications by compromising user access to third-party services.
  First reported: 15.09.2025 14:55 · 2 sources, 2 articles
  - 6 Browser-Based Attacks Security Teams Need to Prepare For Right Now — thehackernews.com — 15.09.2025 14:55
  - Why attackers are moving beyond email-based phishing attacks — www.bleepingcomputer.com — 22.09.2025 17:01
- Common attack vectors include phishing, malicious OAuth integrations, and browser extensions.
  First reported: 15.09.2025 14:55 · 2 sources, 2 articles
  - 6 Browser-Based Attacks Security Teams Need to Prepare For Right Now — thehackernews.com — 15.09.2025 14:55
  - Why attackers are moving beyond email-based phishing attacks — www.bleepingcomputer.com — 22.09.2025 17:01
- Phishing attacks have evolved to use multi-channel delivery and advanced obfuscation techniques.
  First reported: 15.09.2025 14:55 · 2 sources, 2 articles
  - 6 Browser-Based Attacks Security Teams Need to Prepare For Right Now — thehackernews.com — 15.09.2025 14:55
  - Why attackers are moving beyond email-based phishing attacks — www.bleepingcomputer.com — 22.09.2025 17:01
- ClickFix and similar attacks trick users into running malicious commands via browser-based challenges.
  First reported: 15.09.2025 14:55 · 1 source, 1 article
  - 6 Browser-Based Attacks Security Teams Need to Prepare For Right Now — thehackernews.com — 15.09.2025 14:55
- Malicious OAuth integrations bypass authentication controls by tricking users into authorizing malicious apps.
  First reported: 15.09.2025 14:55 · 2 sources, 2 articles
  - 6 Browser-Based Attacks Security Teams Need to Prepare For Right Now — thehackernews.com — 15.09.2025 14:55
  - Why attackers are moving beyond email-based phishing attacks — www.bleepingcomputer.com — 22.09.2025 17:01
- Malicious browser extensions capture login credentials and session cookies.
  First reported: 15.09.2025 14:55 · 1 source, 1 article
  - 6 Browser-Based Attacks Security Teams Need to Prepare For Right Now — thehackernews.com — 15.09.2025 14:55
- Malicious file downloads, including HTAs and SVGs, are used to deliver phishing pages and malware.
  First reported: 15.09.2025 14:55 · 1 source, 1 article
  - 6 Browser-Based Attacks Security Teams Need to Prepare For Right Now — thehackernews.com — 15.09.2025 14:55
- Stolen credentials are often used to exploit accounts lacking multi-factor authentication (MFA).
  First reported: 15.09.2025 14:55 · 2 sources, 2 articles
  - 6 Browser-Based Attacks Security Teams Need to Prepare For Right Now — thehackernews.com — 15.09.2025 14:55
  - Why attackers are moving beyond email-based phishing attacks — www.bleepingcomputer.com — 22.09.2025 17:01
- Phishing attacks are increasingly delivered through non-email channels such as social media, instant messaging apps, and malicious search engine ads.
  First reported: 22.09.2025 17:01 · 1 source, 1 article
  - Why attackers are moving beyond email-based phishing attacks — www.bleepingcomputer.com — 22.09.2025 17:01
- Modern phishing attacks often bypass traditional email security controls by using various communication channels and evasion techniques.
  First reported: 22.09.2025 17:01 · 1 source, 1 article
  - Why attackers are moving beyond email-based phishing attacks — www.bleepingcomputer.com — 22.09.2025 17:01
- Attackers exploit the decentralized nature of modern work environments, targeting users across multiple apps and communication channels.
  First reported: 22.09.2025 17:01 · 1 source, 1 article
  - Why attackers are moving beyond email-based phishing attacks — www.bleepingcomputer.com — 22.09.2025 17:01
- Non-email phishing attacks are often undetected by traditional security measures, making them harder to mitigate.
  First reported: 22.09.2025 17:01 · 1 source, 1 article
  - Why attackers are moving beyond email-based phishing attacks — www.bleepingcomputer.com — 22.09.2025 17:01
- Phishing attacks can target users on personal devices, which can then be used to compromise corporate accounts.
  First reported: 22.09.2025 17:01 · 1 source, 1 article
  - Why attackers are moving beyond email-based phishing attacks — www.bleepingcomputer.com — 22.09.2025 17:01
- Attackers use techniques like DOM obfuscation, page obfuscation, and code obfuscation to evade detection.
  First reported: 22.09.2025 17:01 · 1 source, 1 article
  - Why attackers are moving beyond email-based phishing attacks — www.bleepingcomputer.com — 22.09.2025 17:01
- Phishing campaigns can be highly targeted, using specific geographic locations, email domain matches, or device types to tailor attacks.
  First reported: 22.09.2025 17:01 · 1 source, 1 article
  - Why attackers are moving beyond email-based phishing attacks — www.bleepingcomputer.com — 22.09.2025 17:01
- Compromised personal accounts can be used to launch targeted phishing campaigns against corporate users.
  First reported: 22.09.2025 17:01 · 1 source, 1 article
  - Why attackers are moving beyond email-based phishing attacks — www.bleepingcomputer.com — 22.09.2025 17:01
- Non-email phishing attacks can result in significant breaches, as seen in the 2023 Okta breach.
  First reported: 22.09.2025 17:01 · 1 source, 1 article
  - Why attackers are moving beyond email-based phishing attacks — www.bleepingcomputer.com — 22.09.2025 17:01
- Organizations need comprehensive solutions to detect and block phishing across all apps and delivery vectors.
  First reported: 22.09.2025 17:01 · 1 source, 1 article
  - Why attackers are moving beyond email-based phishing attacks — www.bleepingcomputer.com — 22.09.2025 17:01
Similar Happenings
ForcedLeak Vulnerability in Salesforce Agentforce Exploited via AI Prompt Injection
A critical vulnerability in Salesforce Agentforce, named ForcedLeak, allowed attackers to exfiltrate sensitive CRM data through indirect prompt injection. The flaw affected organizations using Salesforce Agentforce with Web-to-Lead functionality enabled. The vulnerability was discovered and reported by Noma Security on July 28, 2025. Salesforce has since patched the issue and implemented additional security measures, including regaining control of an expired domain and preventing AI agent output from being sent to untrusted domains. The exploit involved manipulating the Description field in Web-to-Lead forms to execute malicious instructions, leading to data leakage. Salesforce has enforced a Trusted URL allowlist to mitigate the risk of similar attacks in the future. The ForcedLeak vulnerability is a critical vulnerability chain with a CVSS score of 9.4, described as a cross-site scripting (XSS) play for the AI era. The exploit involves embedding a malicious prompt in a Web-to-Lead form, which the AI agent processes, leading to data leakage. The attack could potentially lead to the exfiltration of internal communications, business strategy insights, and detailed customer information. Salesforce is addressing the root cause of the vulnerability by implementing more robust layers of defense for their models and agents.
Malicious npm package 'fezbox' uses QR codes to deliver cookie-stealing malware
A malicious npm package named 'fezbox' was discovered using QR codes to fetch and execute cookie-stealing malware. The package, disguised as a utility library, was downloaded at least 327 times before being removed from the npm registry. The malware targets user credentials and employs steganographic techniques to evade detection. The package was found to fetch a JPG image containing a QR code, which then executes a second-stage payload. The QR code is designed to be unusually dense and difficult to read with standard phone cameras, making it harder to detect. The package was published by a Chinese-speaking attacker using the alias 'janedu' and included multiple layers of obfuscation to evade detection. The malware specifically targets cookies to steal usernames and passwords, sending the stolen information via an HTTPS POST request to a command-and-control server. The package was removed and flagged as malware posing a supply-chain risk. The attacker's activity status on the npm registry remains unclear. The package's ReadMe mentioned a QR Code Module, making its existence seem legitimate. The package used reversed strings as an anti-analysis technique. The payload could read a web cookie and extract the username and password if both were present.
ShadowLeak: Undetectable Email Theft via AI Agents
A new attack vector, dubbed ShadowLeak, allows hackers to invisibly steal emails from users who integrate AI agents like ChatGPT with their email inboxes. The attack exploits the lack of visibility into AI processing on cloud infrastructure, making it undetectable to the user. The vulnerability was discovered by Radware and reported to OpenAI, which addressed it in August 2025. The attack involves embedding malicious code in emails, which the AI agent processes and acts upon without user awareness. The attack leverages an indirect prompt injection hidden in email HTML, using techniques like tiny fonts, white-on-white text, and layout tricks to remain undetected by the user. The attack can be extended to any connector that ChatGPT supports, including Box, Dropbox, GitHub, Google Drive, HubSpot, Microsoft Outlook, Notion, or SharePoint. The ShadowLeak attack targets users who connect AI agents to their email inboxes, such as those using ChatGPT with Gmail. The attack is non-detectable and leaves no trace on the user's network. The exploit involves embedding malicious code in emails, which the AI agent processes and acts upon, exfiltrating sensitive data to an attacker-controlled server. OpenAI acknowledged and fixed the issue in August 2025, but the exact details of the fix remain unclear. The exfiltration in ShadowLeak occurs directly within OpenAI's cloud environment, bypassing traditional security controls.
Fake FBI crime reporting portals used in cybercrime campaigns
Cybercriminals are impersonating the FBI's Internet Crime Complaint Center (IC3) website to conduct financial scams and steal personal information. Spoofed websites mimic legitimate domains to deceive users into entering sensitive data. The FBI issued a public service announcement warning about this tactic, which has been reported over 100 times since December 2023. The FBI advises users to directly enter the official IC3 URL in their browser and avoid clicking on sponsored search results. Users should also refrain from sharing personal information with unknown individuals and avoid sending money or financial assets to them. The FBI will never contact victims directly to ask for payment to recover stolen funds.
Lighthouse and Lucid PhaaS Campaigns Target 316 Brands Across 74 Countries
The phishing-as-a-service (PhaaS) offerings Lighthouse and Lucid have been linked to over 17,500 phishing domains targeting 316 brands across 74 countries. The campaigns leverage various phishing kits and templates to impersonate brands and harvest credentials. The operations are attributed to the Chinese-speaking XinXin group and other associated actors. The phishing campaigns target a wide range of industries, including toll companies, governments, postal companies, and financial institutions. The attacks incorporate specific criteria to ensure that only intended targets can access the phishing URLs. The phishing kits offer template customization and real-time victim monitoring, with prices ranging from $88 for a week to $1,588 for a yearly subscription. The campaigns also highlight a broader trend of collaboration and innovation within the PhaaS ecosystem, with threat actors returning to email as a primary channel for harvesting stolen credentials.