Ethical Hacking News
A growing concern in the cybersecurity world, brand impersonation and callback phishing campaigns are becoming increasingly sophisticated and widespread. These attacks involve tricking victims into calling phone numbers operated by threat actors, resulting in significant financial losses for individuals and organizations. To stay vigilant and protect yourself against these threats, it is essential to be aware of the tactics used by attackers and take proactive measures to safeguard your data.
Cybersecurity researchers warn of a surge in brand impersonation and callback phishing campaigns. The most common brands being impersonated include Microsoft, Docusign, NortonLifeLock, PayPal, and Geek Squad. Attackers use tactics like email attachments, QR codes, and legitimate features to trick victims into calling malicious phone numbers. These attacks manipulate emotions and responses during the call to create an illusion of trust and authority. The attackers often reuse VoIP numbers consecutively for multiple days to launch multi-stage attacks. The attacks are becoming more targeted, exploiting legitimate features like Direct Send on Microsoft 365. These campaigns have already targeted over 70 organizations since May 2025.
Cybersecurity researchers have sounded the alarm over a growing threat landscape that is seeing a surge in brand impersonation and callback phishing campaigns. These attacks, which involve tricking victims into calling phone numbers operated by threat actors, are becoming increasingly sophisticated and can result in significant financial losses for individuals and organizations.
According to Cisco Talos researcher Omid Mirzaei, the most common brands being impersonated in these attacks include Microsoft and Docusign, with NortonLifeLock, PayPal, and Geek Squad also making appearances. The attackers use a variety of tactics, including email attachments, QR codes, and even legitimate features like Direct Send on Microsoft 365, to trick victims into calling phone numbers that appear to be legitimate but are actually controlled by the threat actors.
One of the most concerning aspects of these attacks is their ability to manipulate emotions and responses during the phone call. Attackers use scripted call center tactics, hold music, and even spoofed caller IDs to create an illusion of trust and authority, making it difficult for victims to recognize that they are being targeted by a malicious actor.
Mirzaei notes that this technique has been used in conjunction with other social engineering tactics, such as phishing emails with PDF attachments, to install malware on devices or gain access to sensitive information. The attackers often use VoIP numbers to remain anonymous and make it harder to trace the calls, and some numbers are even reused consecutively for multiple days, allowing them to launch multi-stage attacks using the same number.
The attacks are also becoming more targeted, with threat actors exploiting legitimate features like Direct Send on Microsoft 365 to send phishing emails that appear to come from inside the victim organization. This tactic shares similarities with vishing, tech support scams, and business email compromise (BEC), but differs in its delivery vector and persistence.
In recent months, phishing campaigns have also capitalized on a legitimate feature in Microsoft 365 called Direct Send to spoof internal users and deliver phishing emails without the need for compromising an account. This tactic has been employed to target more than 70 organizations since May 2025, per Varonis.
The development of these attacks highlights the ongoing threat landscape in the cybersecurity world. According to Netcraft, a recent study found that asking large language models (LLMs) where to log in to 50 different brands across various sectors resulted in nearly 30% of domains being unregistered or inactive, leaving them open to takeover.
Furthermore, researchers have also observed attempts to poison AI coding assistants like Cursor by publishing fake APIs on GitHub that harbor functionality to route transactions on the Solana blockchain to an attacker-controlled wallet. The attackers launch blog tutorials, forum Q&As, and dozens of GitHub repos to promote these projects and gain credibility among AI training pipelines.
The attacks are not only targeting individuals but also compromising financial institutions across Africa using open-source tools. Citrix has released emergency patches for Actively Exploited CVE-2025-6543 in NetScaler ADC to address the vulnerability.
In conclusion, the threat landscape in cybersecurity is evolving rapidly, and brand impersonation and callback phishing campaigns are becoming increasingly sophisticated and widespread. As threat actors continue to exploit legitimate features like Direct Send on Microsoft 365 and use AI-powered tools to create phishing pages at scale, it is essential for individuals and organizations to stay vigilant and take proactive measures to protect themselves against these threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Cybersecurity-Threats-on-the-Rise-A-Growing-Concern-for-Brand-Impersonation-and-Callback-Phishing-Campaigns-ehn.shtml
https://thehackernews.com/2025/07/hackers-using-pdfs-to-impersonate.html
https://cloudindustryreview.com/cybercriminals-exploit-pdfs-to-mimic-microsoft-and-docusign-in-phishing-schemes/
https://en.wikipedia.org/wiki/HAFNIUM_(group)
https://www.cybersecuritydive.com/news/microsoft-china-apt-hacked-us-agency-email/686883/
https://cybersecuritynews.com/threat-actors-impersonate-fake-docusign-notifications/
https://www.techopedia.com/antivirus/how-to-recognize-and-avoid-the-norton-lifelock-scam
https://www.infosecurity-magazine.com/news/hackers-hijack-nortonlifelock/
https://www.forbes.com/sites/daveywinder/2025/01/17/warning-as-paypal-cyberattacks-continue-what-you-need-to-know/
https://cybersecuritynews.com/apt-attack/
https://breach-hq.com/threat-actors
Published: Wed Jul 2 08:10:24 2025 by llama3.2 3B Q4_K_M
