Phishing attacks expanding beyond email to social media, instant messaging, and malicious search engine ads
Summary
Attackers are increasingly using non-email channels such as social media, instant messaging apps, and malicious search engine ads to deliver phishing links. This shift is driven by the decentralized nature of modern work environments and the variety of communication channels used by employees. Non-email phishing attacks are often undetected and unreported, making them a significant threat to organizations. These attacks can be targeted and sophisticated, using techniques like Attacker-in-the-Middle (AitM) phishing kits to evade detection. They can lead to account compromises and broader breaches, as seen in recent cases involving LinkedIn and Google Search malvertising. Security teams need to adapt their defenses to detect and block phishing across all apps and delivery vectors.
Timeline
- 22.09.2025 17:01 (1 article)
Non-email phishing attacks expanding to social media, instant messaging, and malicious search engine ads
- Source: Why attackers are moving beyond email-based phishing attacks - www.bleepingcomputer.com - 22.09.2025 17:01
Information Snippets
- Phishing attacks are moving beyond email to include social media, instant messaging, SMS, and malicious ads.
  First reported: 22.09.2025 17:01 (1 source, 1 article)
  Source: Why attackers are moving beyond email-based phishing attacks - www.bleepingcomputer.com - 22.09.2025 17:01
- Modern work environments use decentralized internet apps and varied communication channels, making it harder to stop users from interacting with malicious content.
  First reported: 22.09.2025 17:01 (1 source, 1 article)
  Source: Why attackers are moving beyond email-based phishing attacks - www.bleepingcomputer.com - 22.09.2025 17:01
- Non-email phishing attacks often go unreported and undetected, because detection relies on user reports or on web proxies that modern phishing kits increasingly bypass.
  First reported: 22.09.2025 17:01 (1 source, 1 article)
  Source: Why attackers are moving beyond email-based phishing attacks - www.bleepingcomputer.com - 22.09.2025 17:01
- Attackers use techniques like DOM obfuscation, page obfuscation, and code obfuscation to evade detection.
  First reported: 22.09.2025 17:01 (1 source, 1 article)
  Source: Why attackers are moving beyond email-based phishing attacks - www.bleepingcomputer.com - 22.09.2025 17:01
- Phishing attacks can be targeted and sophisticated, using AitM phishing kits and conditional loading parameters to deliver malicious payloads under specific conditions.
  First reported: 22.09.2025 17:01 (1 source, 1 article)
  Source: Why attackers are moving beyond email-based phishing attacks - www.bleepingcomputer.com - 22.09.2025 17:01
- Compromised accounts can lead to broader breaches, as seen in the 2023 Okta breach where a personal device compromise led to a corporate account compromise.
  First reported: 22.09.2025 17:01 (1 source, 1 article)
  Source: Why attackers are moving beyond email-based phishing attacks - www.bleepingcomputer.com - 22.09.2025 17:01
- Recent case studies include a LinkedIn spear-phishing campaign targeting tech company executives and a Google Search malvertising campaign traced back to a Scattered Spider campaign.
  First reported: 22.09.2025 17:01 (1 source, 1 article)
  Source: Why attackers are moving beyond email-based phishing attacks - www.bleepingcomputer.com - 22.09.2025 17:01
- Security teams need comprehensive solutions that detect and block phishing across all apps and delivery vectors.
  First reported: 22.09.2025 17:01 (1 source, 1 article)
  Source: Why attackers are moving beyond email-based phishing attacks - www.bleepingcomputer.com - 22.09.2025 17:01
Similar Happenings
Subtle Snail APT Targets Global Telcos and Satellite Operators
Subtle Snail (UNC1549) has conducted a series of cyberattacks against 11 global telecommunications, satellite, and aerospace companies in recent weeks. The attacks, which occurred over a short period, targeted key personnel in these industries using highly customized phishing lures and malware. The primary goals appear to be data theft for research and development and call data records (CDRs) for espionage. The group has been active since at least June 2022, focusing on aerospace, defense, and telecommunications sectors. Their tactics include extensive background research on targets and the use of custom malware, particularly the MiniBike backdoor, which employs modular components to evade detection. The attacks have been observed across the Middle East, Europe, and North America, with victims including major companies serving millions of customers. The group is believed to be affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC). Subtle Snail has expanded its operations to target critical infrastructure organizations in Western Europe, specifically in Denmark, Portugal, and Sweden. The group uses new malware variants, MiniJunk and MiniBrowse, to conduct its attacks. MiniJunk is a highly obfuscated backdoor that provides persistent access to infected systems, while MiniBrowse is a lightweight stealer designed to steal credentials from Chrome and Edge browsers.
Salesloft Disables Drift Following OAuth Token Theft
Salesloft has taken Drift offline due to a security incident involving the theft of OAuth tokens and unauthorized access to Salesforce data. The breach began with the compromise of Salesloft's GitHub account, affecting multiple major tech companies, including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, Zscaler, Qualys, Rubrik, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks, BugCrowd, and Stellantis. The incident was attributed to a threat cluster tracked as UNC6395 and GRUB1. The breach occurred on September 5, 2025, affecting the marketing software-as-a-service product Drift. The attackers exploited vulnerabilities to steal authentication tokens, leading to unauthorized access to sensitive data. Salesloft has temporarily disabled Drift to conduct a comprehensive review and enhance security measures. The ShinyHunters extortion gang and threat actors claiming to be Scattered Spider were involved in the Salesloft Drift attacks, in addition to the previous Salesforce data theft attacks. The threat actors primarily focused on stealing support cases from Salesforce instances, which were then used to harvest credentials, authentication tokens, and other secrets shared in the support tickets. Their primary objective was to steal credentials, specifically sensitive information like AWS access keys, passwords, and Snowflake-related access tokens. The number of impacted companies has been updated to 29. Cloudflare disclosed that some customer support cases stored in Salesforce included configuration settings and 104 Cloudflare API tokens. Salesforce restored integration with the Salesloft platform, except for the Drift app, which remains disabled until further notice. The breach also affected Qantas, where executives had their short-term compensation reduced by 15% due to a data breach that impacted approximately 5.7 million passengers.