CFOtech UK - Technology news for CFOs & financial decision-makers

Major rise in global email impersonation threats

Yesterday

Barracuda Networks threat analysts have identified a new wave of sophisticated email-based threats targeting organisations globally, with a range of phishing campaigns leveraging phishing-as-a-service (PhaaS) kits to evade detection.

Among the key threats observed in July are credential phishing attacks impersonating well-known business services, including Autodesk Construction Cloud, Zix Secure Message Centre, and RingCentral.

These campaigns are increasingly designed to bypass standard security controls and target a wide range of sectors, from healthcare and finance to legal, government, and corporate environments.

Autodesk Construction Cloud impersonation

The Autodesk Construction Cloud, widely used for collaboration within the construction industry, has been used as a vector for phishing attacks involving the Tycoon PhaaS kit.

In these incidents, attackers impersonate trusted executives and send official-seeming project notifications, directing recipients to Autodesk-hosted pages with links to download ZIP files. The contained HTML file launches what appears to be a standard CAPTCHA screen, followed by a spoofed Microsoft login page designed to harvest credentials.

Toll violation phishing scam targets US drivers

Another scam identified involves fraudulent notifications about unpaid tolls, aimed at drivers in the United States. Victims receive urgent messages via text, email, or phone calls, appearing to originate from legitimate toll agencies.

These messages create a sense of urgency, threatening suspension or legal action if payment is not made. Recipients who respond are directed to fake websites that request sensitive information such as licence plate numbers and credit card details, exposing them to financial loss or identity theft.

Zix Secure Message Centre phishing campaign

This campaign mimics the Zix Secure Message Centre, an encrypted email service that is popular with organisations in healthcare, finance, legal and government sectors.

Victims receive an email about a supposed secure message, with a link to click to view it. The link takes users to a fake Zix page where they are asked to enter their email. They are then redirected to a fraudulent Microsoft login page designed to steal credentials. The campaign is effective because it closely replicates Zix's real workflows and branding, making it hard for recipients to spot the deception. Organisations using email encryption services like Zix and Microsoft 365 are particularly at risk.

This demonstrates attackers' ability to closely replicate the look and feel of established workflow and branding, making it challenging for recipients to discern illegitimate communications.

RingCentral voicemail phishing with EvilProxy

Barracuda's analysts have also uncovered a campaign where attackers impersonate RingCentral, a widely used business communication service. Victims receive apparent voicemail notifications with personalised details, encouraging them to click a playback button.

The link initiates multiple redirections - first to a known newsletter provider, then onwards to legitimate cloud hosting, and finally to a verification step - before concluding at a phishing site hosted by the EvilProxy PhaaS kit. This attack is designed to bypass detection and steal Microsoft credentials, including those protected by two-factor authentication.
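
A defender-side check for the redirect pattern described above, as an added example that is not from Barracuda or the original article: it reviews the URL chain recorded for one clicked link and flags a Microsoft-branded sign-in page that is not served from a Microsoft login host. The hostnames, the `landing_brand` field (as a URL sandbox might label it) and the short allowlist are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: hosts that serve a genuine Microsoft sign-in form.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def site_of(url):
    # Crude registrable-domain approximation (last two labels of the host);
    # a production check would use the Public Suffix List instead.
    return ".".join(host_of(url).split(".")[-2:])

def assess_chain(hops, landing_brand):
    """hops: ordered URLs followed after one click, email link first.
    landing_brand: brand the final page presents (hypothetical sandbox field)."""
    distinct_sites = list(dict.fromkeys(site_of(u) for u in hops))
    final_host = host_of(hops[-1])
    long_chain = len(distinct_sites) >= 3
    brand_mismatch = landing_brand == "microsoft" and final_host not in MS_LOGIN_HOSTS

    reasons = []
    if long_chain:
        reasons.append("chain crosses %d distinct sites" % len(distinct_sites))
    if brand_mismatch:
        reasons.append("Microsoft-branded sign-in served from " + final_host)

    # Redirects through trackers are common in legitimate mail, so chain length
    # alone only warrants review; the brand/host mismatch is the strong signal.
    verdict = "block" if brand_mismatch else "review" if long_chain else "allow"
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample chains (not real indicators).
PHISH_CHAIN = [
    "https://click.mailer.example/t/abc",         # newsletter provider
    "https://files.cloudhost.example/vm.html",    # legitimate cloud hosting
    "https://verify.check.example/challenge",     # verification step
    "https://login.ms-auth.example/signin",       # credential page
]
NEWSLETTER_CHAIN = [
    "https://click.mailer.example/t/xyz",
    "https://www.publisher.example/article",
]
GENUINE_LOGIN = ["https://login.microsoftonline.com/common/oauth2/authorize"]

if __name__ == "__main__":
    for chain, brand in [(PHISH_CHAIN, "microsoft"),
                         (NEWSLETTER_CHAIN, None),
                         (GENUINE_LOGIN, "microsoft")]:
        print(assess_chain(chain, brand))
```
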

Other notable threats

Researchers identified further examples of credential theft and phishing tactics involving the Gabagool PhaaS kit, which exploits the file-sharing capabilities of the Notion.com platform by delivering phishing links within harmless-seeming PDF attachments. Meanwhile, campaigns were seen combining Microsoft SharePoint and Copilot branding to create believable 'Document shared' notifications, and using LogoKit with Roundcube webmail for password expiry deception.

The Tycoon PhaaS kit has also been distributed in campaigns disguised as legitimate business documents, such as 'Project Overview.pdf.' Victims are led through multiple intermediate webpages to conceal the attack's intent, eventually landing on phishing sites where credentials are harvested.

Mitigation and protection

Barracuda advocates for multilayered security measures and employee awareness training to counter these evolving threats.

The company states its Email Protection suite includes features such as Email Gateway Defence against phishing and malware, Impersonation Protection for social engineering attacks, Incident Response, and Domain Fraud Protection. It also provides Cloud-to-Cloud Backup and Security Awareness Training.

According to Barracuda, the solution combines artificial intelligence and deep integration with Microsoft 365 to help guard organisations from highly targeted phishing and impersonation attacks.
