🕵️ Interception de données : la vraie menace téléphonique

-> https://www.youtube.com/watch?v=3BlXBAarpao

// Ce n’est pas le téléphone qui est “piraté”, mais les données du propriétaire qui sont interceptées.

ZATAZ a détecté une méthode radicale diffusée par le pirate lui-même, preuve d’un mode opératoire discret pour capter vos identifiants sans installer de malware.

À voir pour comprendre et renforcer vos protections.

#Cybersecurite #ProtectionDonnees #OSINT #Infosec #CredentialTheft #Phishing #ZATAZ #zataz @Damien_Bancal

This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now

997 words, 5 minutes read time.

If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.

This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.

What this scam actually is

You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.

It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:

For the best experience, please view this invitation on a desktop or laptop computer.

If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.

And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.

Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.

Why this is an absolute nightmare for security teams

Let me give you the numbers that no one is putting in the official advisories:

• As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
• Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
• This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
• Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.

I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.

This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.

How to not get burned

I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.

For everyone

• Real Punchbowl invites will only ever come from an address ending in @punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately.
• Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
• Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.

For SOC Analysts and Security Teams

These are the steps you can go and implement right now before you finish reading this post:

Closing Thought

The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.

If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Sources

• Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
• CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
• Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
• Punchbowl Official Public Warning
• Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
• Proofpoint Threat Insight: Punchbowl Phishing Campaign
• MITRE ATT&CK T1566.001: Spearphishing Link
• Verizon DBIR 2025: Phishing Effectiveness

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

https://winbuzzer.com/2026/02/06/cve-2026-0391-microsoft-edge-android-ui-spoofing-xcxwbn/

CVE-2026-0391: Edge Android Flaw Enables Spoofing Attacks

#MicrosoftEdge #Security #Cybersecurity #Microsoft #Android #WebBrowsers #Phishing #CredentialTheft #ZeroDayVulnerabilities #Chromium

“When nothing looks suspicious and attackers are using valid credentials, the challenge is knowing what signals matter once alerts go quiet.”

In this interview, Avery Pennarun, CEO & Co-Founder of Tailscale, explains how identity gaps—not broken crypto—enable modern breaches.

https://www.technadu.com/detecting-compromise-with-valid-credentials-when-normal-activity-becomes-the-attack/619528/

#IdentitySecurity #ZeroTrust #CredentialTheft #Ransomware #ThreatDetection

Malicious MoltBot skills are pushing password-stealing malware — voice assistants are becoming a new social engineering vector. Convenience can be compromised. 🎙️🔓 #CredentialTheft #AttackSurface

https://www.bleepingcomputer.com/news/security/malicious-moltbot-skills-used-to-push-password-stealing-malware/

Fake ChatGPT browser extensions are stealing login credentials — AI hype is being weaponized to hijack accounts. Install less, verify more. 🧩⚠️ #ExtensionSecurity #CredentialTheft

https://www.bitdefender.com/en-us/blog/hotforsecurity/beware-fake-chatgpt-browser-extensions-are-stealing-your-login-credentials

A large infostealer-linked credential dataset was found publicly exposed, containing millions of unique login records across consumer, financial, and government-associated services.

The case reinforces ongoing challenges around endpoint compromise, credential reuse, and post-infection response - especially where malware persists silently.

From an InfoSec standpoint, which control most often fails first in these scenarios?

Source: https://www.expressvpn.com/blog/149m-infostealer-data-exposed/

Share insights and follow @technadu for objective security reporting.

#InfoSec #CredentialTheft #ThreatResearch #EndpointSecurity #CyberRisk #TechNadu

🚨 LastPass phishing campaign uncovered
Fake “urgent backup” emails redirect users to malicious sites designed to steal master passwords — granting full vault access.
LastPass confirms it never requests this via email.

🔗 https://www.technadu.com/lastpass-backup-phishing-campaign-exposed-deceptive-requests-target-password-vaults/618892/

Thoughts on improving phishing resilience for password manager users?

#Infosec #Phishing #LastPass #CredentialTheft

It's been a pretty packed 24 hours in the cyber world, with some critical RCE vulnerabilities under active exploitation, a string of significant breaches impacting UK public sector and a major car manufacturer, and important reminders about MFA. Let's dive in:

Critical RCEs Under Active Exploitation & Patches ⚠️
- Legacy D-Link DSL Routers (CVE-2026-0625): A critical command injection flaw (CVSS 9.3) in the "dnscfg.cgi" endpoint of legacy D-Link DSL gateway routers is being actively exploited. This allows unauthenticated remote attackers to execute arbitrary shell commands, leading to RCE and potential DNS hijacking. Many affected models (DSL-2640B, DSL-2740R, DSL-2780B, DSL-526B) are End-of-Life, meaning no patches are coming – upgrade immediately!
- Veeam Backup & Replication (CVE-2025-59470): Veeam has patched a critical RCE vulnerability (CVSS 9.0, rated high by Veeam due to privilege requirements) in Backup & Replication 13.0.1.180 and earlier. This flaw allows Backup or Tape Operators to achieve RCE as the postgres user. Given VBR's popularity and past targeting by ransomware gangs (Cuba, FIN7, Frag, Akira, Fog), patching is crucial.
- n8n Workflow Automation (CVE-2026-21858): A maximum severity (CVSS 10.0) "Ni8mare" vulnerability in n8n, an open-source workflow automation tool, allows remote, unauthenticated attackers to hijack instances. The flaw is a content-type confusion in how n8n parses data, enabling arbitrary file reading and potential secret exposure or command execution. Over 100,000 vulnerable servers are estimated; update to n8n version 1.121.0 or newer, and restrict public webhook/form endpoints.

📰 The Hacker News | https://thehackernews.com/2026/01/active-exploitation-hits-legacy-d-link.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-veeam-vulnerabilities-expose-backup-servers-to-rce-attacks/
🤫 CyberScoop | https://cyberscoop.com/veeam-backup-replication-security-flaw-remote-code-execution-fix/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-lets-hackers-hijack-n8n-servers/

Major Cyber Incidents and Breaches 🚨
- Jaguar Land Rover (JLR): A September cyberattack, claimed by Scattered Lapsus$ Hunters, severely impacted JLR's Q3 fiscal 2026 results, causing wholesale volumes to plummet by 43.3% and retail sales by 25.1%. The incident halted production for weeks, disrupted global supply chains, and cost the UK economy an estimated £2.1 billion.
- UK Ministry of Justice (MoJ) / Legal Aid Agency (LAA): Despite spending £50 million on cybersecurity, the LAA suffered a "highly sensitive" cyberattack in December 2024 that went undetected until April 2025. The breach compromised legal aid applicant data, causing significant operational disruption and financial overpayments to providers, with recovery expected to take years.
- European Space Agency (ESA): ESA has confirmed another significant security breach, with Scattered Lapsus$ Hunters claiming to have stolen 500 GB of sensitive data, including operational procedures, spacecraft details, and proprietary contractor data (from partners like SpaceX, Airbus). The group alleges the vulnerability remains open, giving them continued access. This follows a December incident where 200 GB of ESA data was listed for sale.
- Higham Lane School: A cyberattack over the Christmas holiday has forced a British high school to delay its reopening, with its entire IT system, including phones, emails, and management systems, taken offline. This follows over 80 ransomware attacks on the UK education sector in 2024.
- Illinois Department of Human Services (IDHS): The IDHS inadvertently exposed personal data of over 700,000 state residents for up to four years by posting it on public mapping websites. The exposed data, including names, addresses, and public benefits status, is protected health information under HIPAA.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/07/jlr_wholesale_volumes/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/07/legal_aid_agency_attack/
🗞️ The Record | https://therecord.media/cyberattack-forces-british-high-school-to-delay-opening
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/07/european_space_agency_breach_criminal_probe/
🗞️ The Record | https://therecord.media/illinois-agency-exposed-data

Threat Actor Activity & Nation-State Operations ⚔️
- DDoSia Hacktivist Tool: Pro-Russian hacktivist group NoName057(16) is leveraging its custom DDoS tool, DDoSia, to conduct sustained, politically motivated attacks against Ukrainian and Western interests. The tool allows volunteers with minimal technical skill to participate in coordinated application-layer and multi-vector DDoS campaigns, often coinciding with geopolitical events.
- China's Cyber Offensive on Taiwan: Taiwan's National Security Bureau reported a 6% increase in Chinese cyberattacks in 2025, with 2.63 million intrusion attempts daily targeting government and critical infrastructure, particularly energy and hospitals. These attacks, often exploiting software/hardware vulnerabilities, are linked to China's political and military coercive actions.

⚫ Dark Reading | https://www.darkreading.com/cyberattacks-data-breaches/ddosia-powers-volunteer-driven-hacktivist-attacks
🤫 CyberScoop | https://cyberscoop.com/taiwan-china-cyberattacks-2025-energy-hospitals-nsb-report/

The Critical Need for MFA 🔒
- ownCloud Credential Theft: File-sharing platform ownCloud is urging its 200 million users to enable Multi-Factor Authentication (MFA) after reports of credential theft. Threat actors, like "Zestix" or "Sentap," are using infostealer malware (RedLine, Lumma, Vidar) to compromise employee devices, then leveraging stolen credentials to access ownCloud, ShareFile, and Nextcloud instances that lack MFA.
- Widespread Cloud Credential Heist: A report by Hudson Rock highlights a "pervasive failure in credential hygiene," where a single threat actor has breached dozens of global organisations by using infostealer-harvested credentials against cloud collaboration platforms without MFA. This underscores that simple security failures, not zero-days, are often the root cause of significant breaches.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/owncloud-urges-users-to-enable-mfa-after-credential-theft-reports/
⚫ Dark Reading | https://www.darkreading.com/cloud-security/lack-mfa-common-thread-vast-cloud-credential-heist

Regulatory Actions & Legal Outcomes ⚖️
- FCC Robocall Penalties: The US Federal Communications Commission (FCC) has finalised new financial penalties for telecoms that submit false, inaccurate, or late reporting to its Robocall Mitigation Database (RMD). Fines include $10,000 for false information and $1,000 for late updates, aiming to combat call spoofing and illegal robocalls. Two-factor authentication has also been added to the RMD.
- Stalkerware Prosecution: Bryan Fleming, creator of the pcTattletale stalkerware, has pleaded guilty in US federal court to selling software designed to intercept communications. This marks only the second successful prosecution of a stalkerware operator since 2014, highlighting a rare but significant legal victory against consumer spyware.

🤫 CyberScoop | https://cyberscoop.com/fcc-finalizes-new-penalties-for-robocall-violators/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/07/stalkerware_slinger_pleads_guilty/
🗞️ The Record | https://therecord.media/stalkerware-guilty-plea-fleming

UK Public Sector Cyber Defence Boost 🛡️
- The UK government has unveiled a new £210 million ($283 million) "Government Cyber Action Plan" to bolster cyber defences across its departments and the wider public sector. The plan includes establishing a dedicated Government Cyber Unit, setting minimum security standards, improving risk visibility, and promoting best practices through a new Software Security Ambassador Scheme. This follows recent legislation to protect critical infrastructure and a ban on ransomware payments for public sector organisations.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/uk-announces-plan-to-strengthen-public-sector-cyber-defenses/

Cyber Landscape Commentary 💭
- AI and the Cybersecurity Workforce: Qualys CEO Sumedh Thakar argues that the cybersecurity industry cannot simply hire its way out of the talent shortage in the AI era. Instead, organisations must leverage AI to automate repetitive tasks and shift towards a proactive Risk Operations Center (ROC) model. He also warns that AI-generated code often contains security flaws, necessitating embedded security in development pipelines.
- Cyber in Military Operations: Speculation surrounds the role of US Cyber Command in a recent military operation in Venezuela that led to the capture of President Nicolás Maduro. While President Trump hinted at "certain expertise" causing power outages, NetBlocks data suggests kinetic attacks could also be responsible. Experts note Venezuela's network infrastructure is a "soft target" for cyber operations.

🤫 CyberScoop | https://cyberscoop.com/cybersecurity-talent-shortage-ai-risk-operations-center-2026-op-ed/
⚫ Dark Reading | https://www.darkreading.com/cybersecurity-operations/cyberattacks-part-military-operation-venezuela/

Other Noteworthy Developments 💡
- HackerOne Bug Bounty Delays: A security researcher, Jakub Ciolek, reported being "ghosted" by HackerOne for months over an $8,500 bug bounty for two high-severity DoS flaws (CVE-2025-59538, CVE-2025-59531) in Argo CD. HackerOne attributed the delay to an "operational backlog," raising concerns about trust and communication in bug bounty programs, especially with increasing AI-generated submissions.
- Microsoft Exchange Online Spam Clamp Scrapped: Microsoft has reversed its controversial plan to impose a 2,000 external recipient rate limit on Exchange Online mailboxes, following significant customer backlash. While the aim was to curb spam and abuse, the limits created operational challenges for legitimate bulk sending. Microsoft plans to develop "smarter, more adaptive approaches."
- Cyber Scam Kingpin Arrested: Cambodian authorities have arrested and extradited to China Chen Zhi, head of the Prince Group conglomerate, who is alleged to be the mastermind behind a multi-billion dollar scam empire. Zhi and 128 entities linked to him were sanctioned by the US and UK for illegal online gambling, sextortion, money laundering, and the trafficking of enslaved workers.
- HSBC App Sideloading Issues: Some HSBC mobile banking customers in the UK are being locked out of the bank's app if they have the Bitwarden password manager installed via an open-source app catalog like F-Droid. HSBC's app security controls appear to flag sideloaded apps as a risk, preventing coexistence with its banking app.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/07/hackerone_ghosted_researcher/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/07/exchange_online_recipient_rate/
🗞️ The Record | https://therecord.media/alleged-cyber-scam-kingpin-cambodia-arrested-extradited
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/07/hsbc_bitwarden_sideloaded/

#CyberSecurity #ThreatIntelligence #Vulnerability #RCE #ActiveExploitation #ZeroDay #CyberAttack #Breach #Ransomware #DDoS #NationState #APT #MFA #CredentialTheft #DataPrivacy #Regulation #UKGov #AI #CyberWarfare #InfoSec