Between October 2025 and March 2026, security analysts observed a significant spike in phishing campaigns leveraging webhook functionality. These attacks take advantage of how automation tools are designed to connect apps and process real-time data, effectively turning a business productivity feature into a delivery channel for cyber threats.

How the Attack Works

Platforms like n8n and Zapier use webhooks to trigger workflows when a user interacts with a specific URL. Attackers are now embedding these webhook URLs into phishing emails, often disguising them as trusted services like file-sharing links.

When a victim clicks the link, the webhook triggers a workflow that dynamically serves content based on the user’s system or browser data. This makes the attack highly adaptive and harder to detect.

In many observed cases, users are redirected to fake pages that mimic services such as cloud storage platforms. These pages may include CAPTCHA-style verification to appear legitimate. Once the user interacts, a malicious file is downloaded—often disguised as a document or installer.

• Attackers use trusted webhook URLs to bypass security filters
• Payloads are dynamically tailored based on victim device data

Advanced Techniques and Impact

Research from Cisco Talos shows that attackers are not just delivering malware—they are also using these workflows to collect valuable data about their targets.

Some campaigns install remote monitoring tools that give attackers persistent access to infected systems. Others use tracking techniques, such as invisible pixels in emails, to monitor when messages are opened and gather device-level information.

Because the traffic originates from legitimate platforms, it blends into normal network activity. This makes it much harder for traditional security tools to flag or block the attack.

This campaign highlights a major shift in cyber threats. Instead of breaking into systems directly, attackers are abusing trusted tools that organizations rely on every day. As automation and AI-driven workflows become more common, they also introduce new risks that defenders must account for.

The post n8n Webhook Malware: Hackers Exploit Automation to Spread Attacks appeared first on First Hackers News.

A new phishing campaign is pretending to be LastPass support emails to trick users into revealing their vault passwords and account credentials.

Attackers send emails that look like internal support conversations about suspicious activity on a user’s account.

These messages claim that someone is attempting actions such as:

• Exporting vault data
• Recovering the account
• Registering a new trusted device

The goal is to scare users into reacting quickly.

How the Phishing Attack Works

Hackers use a method called display name spoofing. The sender name appears as LastPass Support, but the actual email address comes from a different domain.

Many email apps, especially on mobile devices, show only the sender name. Because of this, users may not notice the fake address.

The email then asks users to secure or verify their account by clicking a link.

However, the link leads to a malicious website such as:

verify-lastpass[.]com

This site hosts a fake LastPass login page designed to look identical to the official one. If users enter their credentials, attackers can capture their master password and access their stored vault data.

Common Phishing Email Signs

The phishing emails often include LastPass branding and fake message threads to appear legitimate.

Some of the subject lines used include:

• “Account recovery verification request”
• “Unauthorized vault export attempt detected”
• “New trusted device registered to your account”

These messages create urgency so users click before verifying the source.

Security Advice for LastPass Users

LastPass has warned that it will never ask for a user’s master password through email.

Users should take the following precautions:

• Check the full sender email address carefully
• Avoid clicking links inside emails
• Access LastPass directly through the official website or app
• Enable multi-factor authentication (MFA)
• Report suspicious emails to abuse@lastpass.com

Why This Attack Matters

Phishing attacks are becoming more realistic and harder to detect.

Since password managers store sensitive data, they are a high-value target for cybercriminals. Users should always verify security alerts and avoid rushing to click links, even when the message appears legitimate.

The post Fake LastPass Support Scam Targets Password Vaults appeared first on First Hackers News.

Instead of exploiting software bugs or directly stealing passwords, attackers abuse trusted login flows used by platforms like Microsoft Entra ID and Google Workspace. This tactic allows them to bypass traditional email security systems and quietly redirect victims to malicious sites.

How the Attack Starts

The attack begins when threat actors create a malicious application inside their own cloud tenant. They configure the application’s redirect link to point to a domain controlled by the attackers.

To lure victims, attackers send phishing emails that appear legitimate. These messages often look like normal workplace requests.

Common phishing lures include:

• Fake e-signature requests
• Microsoft Teams meeting invitations
• Password reset alerts
• Account verification messages

When a victim clicks the link, a hidden OAuth authorization process begins.

How Attackers Bypass Detection

Attackers modify certain parameters in the OAuth request to trigger a silent authentication process.

Two parameters are commonly abused:

• prompt=none – forces the system to check the session without user interaction
• scope=invalid – intentionally triggers an authentication error

This forces the identity provider to redirect the user automatically. Because the redirection happens through a trusted identity provider, the link looks legitimate to users and security tools.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

Using the “State” Parameter for Deception

To make the attack look even more convincing, attackers abuse the OAuth state parameter.

Normally, this parameter is used to match authentication requests and responses. However, attackers encode the victim’s email address inside it.

Encoding methods used include:

• Base64
• Hex encoding
• Custom decoding schemes

When the victim lands on the phishing page, their email address is already filled in automatically, making the login page appear legitimate.

What Happens After Redirection

Once redirected, victims are sent to attacker-controlled infrastructure.

Two main outcomes have been observed:

Credential Theft

Victims are redirected to phishing frameworks such as EvilProxy that capture login credentials and session cookies.

Malware Delivery

In some campaigns, the redirect automatically downloads a ZIP file. This archive contains a malicious shortcut that launches a PowerShell script.

The script performs several actions:

• Collects system information
• Extracts a legitimate executable file (steam_monitor.exe)
• Loads a malicious DLL (crashhandler.dll)

This technique allows attackers to run malicious code while appearing as legitimate software, ultimately connecting the infected system to an external command-and-control server.

Mitigation and Threat Indicators

This attack shows how threat actors can misuse normal OAuth authentication behavior instead of exploiting software bugs. Because the activity follows standard protocol rules, it can be harder for traditional security tools to detect.

Key Mitigation Steps

• Restrict user consent for third-party OAuth applications
• Regularly audit apps with excessive permissions
• Implement Conditional Access policies
• Enable strong identity protection controls
• Use XDR to monitor identity, email, and endpoint activity
• Monitor OAuth URL clicks with invalid scope parameters
• Watch for unusual downloads triggered after OAuth redirects
• Investigate suspicious PowerShell executions
• Detect unexpected DLL side-loading activit

IOCs

The post OAuth Phishing Campaign Targets Entra ID and Google Workspace appeared first on First Hackers News.

By hosting phishing content on legitimate Google-owned domains, the attackers are able to bypass many email security filters and web gateways. Because the links appear trustworthy, they are less likely to raise suspicion.

Victims are redirected to realistic login pages that imitate well-known brands. After entering their credentials, they are quietly sent to the real website, making the attack difficult to detect.

Global Impact and Scale

The campaign is widespread. Investigators uncovered attacker-controlled servers containing thousands of stolen credentials linked to more than 1,000 organizations across 100+ countries and over 200 industries.

Mexico has the highest number of confirmed victims, particularly in manufacturing, education, and government sectors. The United States, Spain, India, and Argentina are also significantly affected.

The use of trusted cloud services makes this campaign especially effective and harder to block using traditional security controls.

Group-IB researchers describe GTFire as a structured, large-scale credential theft operation.

Attackers reuse the same phishing templates across multiple brands and store stolen data on centralized servers, organized by date, language, and targeted servic

More than 120 phishing domains were discovered, using similar naming patterns to quickly rotate infrastructure and avoid detection.

Attackers customize each fake login page to closely match real brands. After victims enter their credentials, they are redirected to the legitimate website, delaying suspicion.

Because the campaign uses trusted Google domains, traditional URL filtering and blocklists struggle to detect it — showing how easily legitimate infrastructure can be misused for phishing.

How the Attack Works

The attack starts with a phishing email that contains a Google Translate link. This link quietly routes the victim through Google’s translation service before redirecting them to a fake login page hosted on Firebase.

Because the link uses a Google domain, many email filters and web gateways do not block it.

Attackers create many random *.web.app subdomains to host phishing pages and rotate them frequently to avoid detection. Each page is designed to look like a real brand login portal.

When victims enter their credentials, they are shown a fake “wrong password” message and asked to try again. Both login attempts are secretly captured and sent to attacker-controlled servers, along with basic details like location and browser language.

The stolen data is collected using simple, ready-made backend tools, making the campaign easy to scale.

Mitigation Measures

Organizations should:

• Enforce phishing-resistant multi-factor authentication (MFA)
• Train employees to recognize suspicious Google-based links
• Monitor for unusual use of translate.goog and *.web.app domains
• Watch for brand impersonation hosted on trusted cloud platforms
• Share indicators of compromise with security communities and CERT teams

Trusted services can be misused, so detection strategies must go beyond basic domain reputation check

The post GTFire Phishing Attack Hides Behind Google Services appeared first on First Hackers News.