Leveraging AI? It’s Time to Understand Growing Threats.

#1 Multi-lure reward scam spam campaign

• Attack Chain: Email → Lure link → Fake redirection → Credential harvest
• A large-scale email spam campaign asking users to participate in a survey and win lucrative gifts.
• Over 500K+ emails sent over a three-day period targeting business sectors in the United States.

Subject: Your MyLowe's Points Balance Expires Tonight

• Email creates urgency claiming award points will expire.
• The email contains a lure of expiring reward points and to renew it to avoid losing points and creating urgency among users.
• Email also contains link to a portal where user can redeem points.
• The URL has lure and asks users to participate in a survey and to redeem reward points to win lucrative gifts.
• Once the user completes fake survey they are redirected to fake payment page where the sensitive credentials are harvested.

Sample email:

IOCs

URLS:

• hxxp://www.kibrisfx[.]net/regional/signals/s7l923
• hxxp://www.cosmomol[.]com/fresh-report-pulse/liveatlas/scicku7res8e75/watch

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

• Stage 2 (Lure) - Phishing/Spam emails are blocked by analytics.
• Stage 3 (Redirection) - Redirected URL is added under security category

#2 Google Calander invite phishing campaign

• Attack Chain: Email → .ics / Support phone number → Customer support → Offers to cancel, refund the charge → Remote access → Stealing credentials
• This technique is an example of a Telephone-Oriented Attack Delivery (TOAD) or Callback Phishing attack.
• The email targets miscellaneous AV services renewal by either attending a meeting or giving a callback on the mentioned Support/Customer Care phone number.
• There were two scenarios observed: one in which an attached .ics file was present, and another which had the calendar invite embedded directly in the email’s body.

Subject: A new order progress update is now active for 5562-FOSZ-URHR

• The email follows a pattern mimicking an Antivirus Renewal request, complete with fake activation codes, phone numbers, and a specific amount due for activation.
• When the user attempts to contact the provided phone number, scammers attempt to collect sensitive credential information and steal funds from the victims.

Sample email:

IOCs

• 34ece4b8eb00273415994012c6a4e8273c60b237 - .ics file

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

• Stage 2 (Lure) - Spam emails are blocked by Cloud rules

#1: Vehicle tax payment phishing campaign

• Attack Chain: Email → URL→ phishing link
• A large-scale phishing campaign impersonating the UK's Driver and Vehicle Licensing Agency was detected with over 10,000+ emails sent to employees across UK public sector organisations, local authorities, financial institutions and private companies.
• A large-scale phishing campaign impersonating the UK's Driver and Vehicle Licensing Agency was detected with over 10,000+ emails sent to employees across UK public sector organisations, local authorities, financial institutions and private companies.

Subject : Information about your recent vehicle tax payment

• The campaign used multiple rotating senders aliases on a Brazilian domain (3three[.]com[.]br) to spoof DVLA branding while distributing send volume across aliases to bypass per-sender spam thresholds.
• The email impersonated an official UK government agency (DVLA) using convincing gov[.]uk branding, fabricated reference numbers, and a false "Not taxed" vehicle status to create fear and urgency, pressuring recipients into clicking the phishing link before a fabricated deadline.
• Embedded URLs redirectto newly registered domains.
• The threat actor registered or compromised five distinct mailboxes on 3three[.]com[.]br (a Brazilian domain), rotating sends across them to distribute volume and evade per-sender spam thresholds.
• Additionally, the phishing CTA URL was hosted on a compromised Indonesian local government subdomain (s[.]blitarkota[.]go[.]id) a legitimate .go.id (Indonesian government) domain likely chosen to evade URL reputation blocklists that typically trust government TLDs.

Sample email:

IOCs

URLS:

• hxxps://s[.]blitarkota[.]go[.]id/IXL2aT
• hxxps://s[.]blitarkota[.]go[.]id/BfLu0h
• hxxps://www[.]tyxcodes[.]com/
• hxxps://vechiletaxv12directdebitupdateemail[.]svpri[.]org/

Sender Domain:

• 3three[.]com[.]br

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

• Stage 2 (Lure) - Phishing emails were blocked by Spam scores.
• Stage 3 (Redirection) - Redirected URL is added under security category.

#1: DarkCloud HTML smug attachment-based campaign

• Attack Chain: Email → HTML→ ZIP → EXE ->DLL
• This is a DLL Sideloading attack
• The email requests the recipient to review an attached purchase order, confirm that all technical specifications can be met without deviations, provide an updated production timeline, and issue the corresponding invoice upon confirmation and having HTML file as attachment.
• When the victim attempts to open the HTML file, it silently downloads a malicious ZIP file in the background and redirects the user to legit adobe[.]com

Sample email:

• The malicious ZIP file contains an EXE and a DLL, where the EXE appears clean but loads the malicious DLL to carry out harmful activity.

IOCs

HTML: D6BB8D9F7EECBD709E3C622282D6E96EF797C5AE

ZIP: 42C36235E35DC3134B089F540444292AAB0A5DB7 -

DLL: F4EDBA4F1B1CB5D53608EE32164355F6EEE67F36

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

• Stage 2 (Lure) - Spam emails are blocked by Cloud rules
• Stage 4 (Dropper File) - The dropper files are added to Forcepoint malicious database and are blocked.

#2: SimpleHelp Remote admin tool URL based campaign

• Attack Chain: Email → URL → EXE
• This technique is “living off trusted services” attack where hackers hide malicious files on legitimate platforms like GitHub so the link doesn’t look dangerous at first glance.
• The email is written in Hebrew and urges the recipient to “verify personal details” immediately to avoid delays in receiving a so-called security grant. It includes a call-to-action link directing the user to a personal area for verification. This creates a sense of urgency and leverages financial incentive to manipulate the recipient into clicking the following link:
• hxxps://github[.]com/nitzanigadi-rgb/RR/raw/refs/heads/main/Run-POLICE-0226[.]exe

Sample email:

• When the recipient clicks the link, it redirects to a malicious site that triggers the download of an executable file, which installs a remote access administration tool on the system.

IOCs

URLs:

Hash:

• hxxps://github[.]com/nitzanigadi-rgb/RR/raw/refs/heads/main/Run-POLICE-0226[.]exe
• SHA1 :61d4b61d6d483ed33995864ecd40ff1e1170834b

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

• URL blocked by Real Time Scanning
• Stage 4 (Dropper File) - The dropper files are added to Forcepoint malicious database and are blocked

#1: Epstein files email bait-and-switch campaign

• Spammers are using a sensational and trendy subject line, such as ‘Found your name in Epstein Files’, to lure recipients into opening their emails. The body then includes an apology like ‘Apologies for the unexpected subject line — I just wanted to make sure this caught your attention.’ The rest of the message shifts into sales oriented questions and promotional content.
• Email claims to come from unduitham.com, but is actually sent via Salesforce Marketing Cloud bulk mail infrastructure (*.mta.salesforce.com, *.bnc.salesforce.com).
• Header contains X-SFDC-EmailCategory: apiMassMail X-SFDC-EmailCategory: apiMassMail
• Catchy subject: No legitimate communication would use mass-mail delivery with a personal, urgent, alarmist subject line.

Sample email:

IOCs

• Sender address fiona.clark@unduitham[.]com

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

• • Stage 2 (Lure) - Spam emails are blocked by Cloud rules

#2: Free web hosting redirect campaign

• Campaign uses catchy name, an obfuscated JavaScript loader that reconstructs hidden code at runtime to perform browser redirects or load external resources
• Web pages containing Ukraine name and hosted on Weebly site
  • hxxp://fundsukraine[.]weebly[.]com
  • hxxp://ukrainenewsletter[.]weebly[.]com
  • hxxp://ukrainearts[.]weebly[.]com
• The content of pages appears to be generic, non-Ukraine related blog posts, mainly about gaming, tech topics and other unrelated material.
• But code contains obfuscated JavaScript redirector used on SEO‑spam pages to secretly forward visitors to a malicious second‑stage site. 

Ukraine campaign sample page 1:

Ukraine campaign sample page 2:

IOCs

URLs:

• hxxp://fundsukraine[.]weebly[.]com
• hxxp://ukrainenewsletter[.]weebly[.]com

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

• URL blocked by Real Time Scanning (Live RTSS)

#1: Phantom Stealer attachment-based campaign

• Attack Chain: Email - > HTML-> ZIP - > BAT -> PS1 → Process Injection
• Phantom Stealer attacks were already surging in frequency and sophistication, and were still active as of January 2026.
• Delivered via a malicious HTML attachment disguised as a B2B payment invoices.
• Email has HTML Smug attachment which contains embedded Base64 stream and JavaScript code. Once user opens HTML, it downloads a ZIP file that contains a BAT file. BAT further drops PowerShell and performs process injection targeting .Net processes.
• It scans nearby Wi‑Fi networks and displays detailed information.
• It launches Firefox and Chrome browsers with security and resource‑related restrictions disabled, while forcing it to use a temporary custom profile.
• Uses SMTP to exfiltrate data.

Subject Lines Used:

• Confirm your account
• Re: REVISED Purchase Order
• Payment Confirmation Copy
  

Sample email:

Hashes:

• 2F2E13A9B4B1177705A2F7137382E4B35EA06645 - HTML
• a91b5ddca78598e1e85bf7f1fbc855be879cf726 - BAT
• 4585a1b23eb51277056ec26926ac316788c23b45 - EXE

SMTP C2s:

• mail[.]grupomaspaq[.]com
• mail[.]poskirantekstil[.]com
• eraqron[.]shop

IOCs

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

• Stage 2 (Lure) - Malicious emails are blocked by Cloud rules. Archive attachments are detected by Yara.
• Stage 4 (Dropper File) - The dropper files are added to Forcepoint malicious database and are blocked.
• Stage 5 (Call Home) - Blocked C&C URLs