Multiple reports describe a broader credential-theft trend in which attackers abuse trusted services and familiar business workflows to make phishing more convincing and harder to detect. One campaign used compromised WordPress sites and redirects through skimresources[.]com to deliver pixel-perfect fake login pages for Microsoft Teams, Xfinity, and UAE Pass, with lures such as missed voicemail and shared-document alerts. Another campaign abused LiveChat's lc[.]chat infrastructure to impersonate brands like PayPal and Amazon, moving victims into fake support conversations designed to extract sensitive information under the guise of refunds or order issues.
A separate industry report reinforces the same operational pattern: attackers increasingly rely on valid credentials and trusted collaboration tools rather than software exploits, with cloud identity compromise driving most investigated incidents and some intrusions using Microsoft Teams voice phishing and Quick Assist to gain access, move laterally, and deploy ransomware. Other references in the set cover different stories entirely, including the CamelClone espionage operation, a FancyBear/APT28 infrastructure exposure, and a general weekly security recap, and do not describe the same phishing activity. This is not fluff because the relevant items contain substantive threat intelligence on active attack methods, delivery infrastructure, and attacker tradecraft.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Researchers reported a multi-vector phishing campaign that used compromised WordPress websites to host fake Microsoft Teams, Xfinity, and UAE Pass login pages. Victims were redirected through skimresources[.]com to credential-harvesting pages designed for account takeover.
Cofense researchers identified a phishing campaign abusing LiveChat's lc[.]chat infrastructure to impersonate brands including PayPal and Amazon in fake support interactions. The operation used refund and order-confirmation lures to harvest credentials, MFA codes, personal information, and payment card data.
Field Effect's 2026 Cyber Threat Outlook found that compromised cloud identities were the primary cause of more than 80% of the incident-related alerts it investigated during 2025. The report said attackers increasingly relied on valid credentials and trusted collaboration tools rather than software exploits.
Field Effect reported a campaign tracked since September 2025 in which attackers impersonated IT help desks, created Microsoft 365 tenants, and used Microsoft Teams voice phishing to persuade employees to grant remote access through Quick Assist. The intrusions led to credential theft, lateral movement, and ransomware deployment.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcecybersecuritynews.com
Open sourcescworld.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.