Threat Intel Update
Cyber threats are rapidly evolving, exposing both human and technical weaknesses. Attackers are rerouting payroll through identity impersonation, abusing trusted software like the AgreeToSteal Outlook add-in to steal credentials, and even fabricating breach claims to extort companies.
They’re also using malicious .scr files and generative AI for reconnaissance, credential harvesting, and malware creation, highlighting the speed and scale of today’s threat landscape.
Cybersecurity News
- Payroll Fraud Rising: Identity Theft Targets Paychecks – A recent Binary Defense investigation showed how attackers used social engineering to impersonate a physician, access a shared mailbox, and reset credentials to redirect payroll deposits. The case highlights a growing trend: payroll and HR systems are prime identity-theft targets, making pay changes high-risk actions that require stronger verification controls. The Register
- Malicious Outlook Add-In Exposes Supply Chain Gap – Researchers uncovered AgreeToSteal, the first known malicious Microsoft Outlook add-in, which stole 4,000+ credentials via a fake login page after hijacking the domain of an abandoned plugin. The incident highlights how trusted app marketplaces can be abused and why add-ins require ongoing monitoring and tighter permission controls. The Hacker News
- 0APT: Fake Breaches Used for Real Extortion – The cybercrime group “0APT” claims attacks against 200+ companies, but investigators believe many incidents are fabricated. By mixing real company names with false claims, the group pressures victims into paying ransoms for data that was never stolen, a reminder to verify breach claims before reacting. Hack Read
- Screensaver Files Become New Phishing Weapon – Attackers are disguising malware as Windows screensaver (.scr) files in spear-phishing emails. Once opened, the files install remote access tools, exploiting the fact that users don’t recognize .scr files as executables, reinforcing the need for user awareness and strict application controls. Dark Reading
- Hackers Weaponize AI: Gemini Used in Cyber Operations – Google reports the North Korea-linked group UNC2970 is using Google’s Gemini for reconnaissance, target profiling, credential theft, and social engineering. Researchers also observed malware generated through the model’s API, showing how generative AI is increasingly being adapted to support cyberattacks. The Hacker News
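The screensaver item above rests on one technical fact: a .scr file is an ordinary Windows PE executable under a different extension, so a mail gateway cannot rely on users to spot it. The following is an added example (not code from the briefing or from any vendor named in it) of an attachment triage check a defender might run at the gateway: it blocks by executable extension, including .scr and double-extension names such as "photo.jpg.scr", and also inspects content for a DOS "MZ" stub that points to a valid "PE\0\0" signature, so an executable renamed to .pdf is still caught. The attachment samples and the `classify_attachment` / `triage` names are constructed for this example.

```python
"""Triage email attachments for Windows executables disguised as screensavers.

Added example, not part of the original briefing. Assumes a mail-filtering hook
that hands each attachment's filename and raw bytes to triage(); the sample
attachments at the bottom are constructed for illustration.
"""
import struct

# Extensions Windows launches directly as native executables (assumed list
# for this example; a real deployment would pull this from policy).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl"}


def has_pe_header(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE signature
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_attachment(filename: str, data: bytes) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'block' or 'allow'."""
    name = filename.strip().lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in EXECUTABLE_EXTENSIONS:
        # Catches plain .scr as well as double extensions like invoice.pdf.scr,
        # because only the final extension decides how Windows runs the file.
        return "block", "executable extension"
    if has_pe_header(data):
        # Content is a PE image even though the name looks harmless.
        return "block", "PE content behind non-executable extension"
    return "allow", "no executable indicators"


def triage(attachments: list[tuple[str, bytes]]) -> dict[str, str]:
    """Map each attachment filename to its verdict."""
    return {name: classify_attachment(name, data)[0] for name, data in attachments}


def _constructed_pe_stub() -> bytes:
    # Constructed minimal DOS header: 'MZ', e_lfanew at 0x3C pointing to 0x40,
    # then the 'PE\0\0' signature. Not a real executable, just enough to test.
    header = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40 bytes total
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 16


# Constructed sample attachments: one .scr lure, one renamed executable,
# one double-extension lure, and one benign text file.
SAMPLE_ATTACHMENTS = [
    ("Quarterly_Report.scr", _constructed_pe_stub()),
    ("invoice.pdf", _constructed_pe_stub()),
    ("photo.jpg.scr", b"\xff\xd8\xff\xe0" + b"\x00" * 64),
    ("notes.txt", b"meeting moved to thursday\n"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:5s}  {name}")
```

The content check matters as much as the extension check: an allow-list of extensions alone is bypassed by renaming, while the PE signature test is cheap and independent of the filename. Pairing this with an application-control policy that refuses to execute from user-writable paths covers the case where a blocked file still reaches the endpoint by another route.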