Threat Intel Update
Social engineering attacks are increasingly bypassing email security by targeting employees directly through platforms like Teams, LinkedIn, phone calls, and browser extensions. Attackers blend phishing, malware, and credential theft to gain rapid access and accelerate data loss.
Impersonation tactics and the abuse of everyday software make these threats harder to detect. For financial institutions, the result is heightened risk of fraud, unauthorized transactions, regulatory exposure, and operational disruption.
Cybersecurity News
- Teams Phishing Scam Hits Thousands With Fake Billing Alerts – A phishing campaign is using fake Microsoft Teams billing notifications to lure users into calling a fraudulent support number, impacting over 6,000 people. The tactic blends with a broader rise in multi‑platform social engineering that bypasses email defenses and increases risks of fraud, data theft, and operational disruption. Hack Read
- LinkedIn Phishing Scam Uses Trust to Deliver Stealthy Malware – A new LinkedIn‑based phishing campaign is targeting professionals through direct messages designed to build trust before delivering malware. Attackers send files disguised as legitimate documents and use DLL side‑loading to hide malicious code inside common software like PDF readers and Python scripts. Once opened, the payload installs Remote Access Trojans capable of stealing sensitive data. The scheme exposes how easily social media interactions can be weaponized, underscoring the need for caution when engaging with unknown contacts. Hack Read
- ShinyHunters Launches Vishing Campaign to Breach Major Organizations – ShinyHunters, working with Scattered Lapsus$ Hunters, is targeting over 100 major organizations through a voice‑phishing scheme. Attackers impersonate trusted callers and direct employees to fake login pages, capturing real‑time credentials to bypass SSO and access sensitive files for blackmail. A spike in related data leaks highlights the need for stricter verification and heightened vigilance against unexpected phone‑based requests. Hack Read
- WinRAR Vulnerability Actively Exploited by Global Threat Actors – A severe WinRAR vulnerability (CVE‑2025‑8088) is being actively exploited by state‑sponsored and criminal groups. The flaw enables code execution through malicious RAR files and has been used heavily against targets in Ukraine and nearby regions. Russian APTs RomCom and Sandworm, along with a Chinese APT deploying PoisonIvy, are leveraging ready‑made exploit kits circulating in underground markets. The trend underscores how everyday tools like WinRAR are increasingly weaponized for espionage and financial crime. SecurityWeek
- “Stanley” Toolkit Enables Stealthy Chrome Extension Phishing – A new malware toolkit called “Stanley” is being sold on a Russian cybercrime forum for $2,000–$6,000, enabling attackers to build malicious Chrome extensions that overlay phishing pages while still showing the legitimate URL. The kit includes a command‑and‑control panel for managing victims and even promises that its extensions will pass Chrome Web Store review—significantly elevating the threat of browser‑based attacks. As organizations rely heavily on browsers for SaaS access, Stanley underscores the growing risks posed by malicious extensions and the urgent need for stronger browser‑security controls. Dark Reading