Phishing List 2025- 2026 2025 2024 2023 2021 2020 2019 2018
DATE | NAME |
Info | CATEG. |
WEB |
| 30.12.25 | 27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials | Cybersecurity researchers have disclosed details of what has been described as a "sustained and targeted" spear-phishing campaign that has published over two dozen packages to the | Phishing | The Hacker News |
| 25.12.25 | Nigeria arrests dev of Microsoft 365 'Raccoon0365' phishing platform | The Nigerian police have arrested three individuals linked to targeted Microsoft 365 cyberattacks via Raccoon0365 phishing-as-a-service. | Phishing | |
| 25.12.25 | Microsoft 365 accounts targeted in wave of OAuth phishing attacks | Multiple threat actors are compromising Microsoft 365 accounts in phishing attacks that leverage the OAuth device code authorization mechanism. | Phishing | |
| 20.12.25 | Beware: PayPal subscriptions abused to send fake purchase emails | An email scam is abusing abusing PayPal's "Subscriptions" billing feature to send legitimate PayPal emails that contain fake purchase notifications embedded in the Customer service URL field. | Phishing | |
| 20.12.25 | Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers | A suspected Russia-aligned group has been attributed to a phishing campaign that employs device code authentication workflows to steal victims' Microsoft 365 credentials and | Phishing | The Hacker News |
| 19.12.25 | Nigeria Arrests RaccoonO365 Phishing Developer Linked to Microsoft 365 Attacks | Authorities in Nigeria have announced the arrest of three "high-profile internet fraud suspects" who are alleged to have been involved in phishing attacks targeting major | Phishing | The Hacker News |
| 14.12.25 | New Spiderman phishing service targets dozens of European banks | A new phishing kit called Spiderman is being used to target customers of dozens of European banks and cryptocurrency holders with pixel-perfect cloned sites impersonating brands and organizations. | Phishing | |
| 23.11.25 | Sneaky2FA PhaaS kit now uses redteamers' Browser-in-the-Browser attack | Sneaky2FA, a popular among cybercriminals phishing-as-a-service (PhaaS) kit, has added Browser-in-the-Browser (BitB) capabilities, giving "customers" the option to launch highly deceptive attacks. | Phishing | BleepingComputer |
| 22.11.25 | Attackers Now Bypass App-Based MFA, Hardware Biometrics Stop Them | Tycoon 2FA enables turnkey real-time MFA relays behind 64,000+ attacks this year, proving legacy MFA collapses the moment a phishing kit targets it. Learn from Token Ring how biometric, phishing-proof FIDO2 hardware blocks these relay attacks before they succeed. | Phishing | |
| 22.11.25 | Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks | Bad actors are leveraging browser notifications as a vector for phishing attacks to distribute malicious links by means of a new command-and-control (C2) platform called Matrix Push | Phishing | The Hacker News |
| 19.11.25 | Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar | The malware authors associated with a Phishing-as-a-Service (PhaaS) kit known as Sneaky 2FA have incorporated Browser-in-the-Browser (BitB) functionality into their arsenal, | Phishing | The Hacker News |
| 16.11.25 | Google sues to dismantle Chinese phishing platform behind US toll scams | Google has filed a lawsuit to dismantle the "Lighthouse" phishing-as-a-service platform used by cybercriminals worldwide to steal credit card information through SMS phishing attacks impersonating the U.S. Postal Service and E-ZPass toll systems. | Phishing | |
| 14.11.25 | Quantum Route Redirect PhaaS targets Microsoft 365 users worldwide | A new phishing automation platform named Quantum Route Redirect is using around 1,000 domains to steal Microsoft 365 users' credentials. | Phishing | |
| 14.11.25 | Russian Hackers Create 4,300 Fake Travel Sites to Steal Hotel Guests' Payment Data | A Russian-speaking threat behind an ongoing, mass phishing campaign has registered more than 4,300 domain names since the start of the year. The activity , per Netcraft security | Phishing | The Hacker News |
| 13.11.25 | Google Sues China-Based Hackers Behind $1 Billion Lighthouse Phishing Platform | Google has filed a civil lawsuit in the U.S. District Court for the Southern District of New York (SDNY) against China-based hackers who are behind a massive Phishing-as-a-Service | Phishing | The Hacker News |
| 2.11.25 | LinkedIn phishing targets finance execs with fake board invites | Hackers are abusing LinkedIn to target finance executives with direct-message phishing attacks that impersonate executive board invitations, aiming to steal their Microsoft credentials. | Phishing | |
| 25.10.25 | Smishing Triad Linked to 194,000 Malicious Domains in Global Phishing Operation | The threat actors behind a large-scale, ongoing smishing campaign have been attributed to more than 194,000 malicious domains since January 1, 2024, targeting a broad range of | Phishing | The Hacker News |
| 25.10.25 | Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files | Cybersecurity researchers have disclosed details of a coordinated spear-phishing campaign dubbed PhantomCaptcha targeting organizations associated with Ukraine's war relief efforts | Phishing | The Hacker News |
|
11.10.25 |
175 Malicious npm Packages with 26,000 Downloads Used in Credential Phishing Campaign | Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual | Phishing | |
|
5.10.25 |
New MatrixPDF toolkit turns PDFs into phishing and malware lures | A new phishing and malware distribution toolkit called MatrixPDF allows attackers to convert ordinary PDF files into interactive lures that bypass email security and redirect victims to credential theft or malware downloads. | Phishing | |
| 28.9.25 | PyPI urges users to reset credentials after new phishing attacks | The Python Software Foundation has warned victims of a new wave of phishing attacks using a fake Python Package Index (PyPI) website to reset credentials. | Phishing | |
| 27.9.25 | Why attackers are moving beyond email-based phishing attacks | Phishing isn't just email anymore. Attackers now use social media, chat apps & malicious ads to steal credentials. Push Security explains the latest tactics and shows how to stop multi-channel phishing where it happens — inside the browser. | Phishing | |
| 23.9.25 | ComicForm and SectorJ149 Hackers Deploy Formbook Malware in Eurasian Cyberattacks | Organizations in Belarus, Kazakhstan, and Russia have emerged as the target of a phishing campaign undertaken by a previously undocumented hacking group called ComicForm since at | Phishing | The Hacker News |
| 20.9.25 | Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service | Microsoft and Cloudflare have disrupted a massive Phishing-as-a-Service (PhaaS) operation, known as RaccoonO365, that helped cybercriminals steal thousands of Microsoft 365 credentials. | Phishing | |
| 20.9.25 | 17,500 Phishing Domains Target 316 Brands Across 74 Countries in Global PhaaS Surge | The phishing-as-a-service (PhaaS) offering known as Lighthouse and Lucid has been linked to more than 17,500 phishing domains targeting 316 brands from 74 countries. "Phishing-as-a- | Phishing | The Hacker News |
| 18.9.25 | New VoidProxy phishing service targets Microsoft 365, Google accounts | A newly discovered phishing-as-a-service (PhaaS) platform, named VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party single sign-on (SSO) providers such as Okta. | Phishing | |
| 17.9.25 | RaccoonO365 Phishing Network Dismantled as Microsoft, Cloudflare Take Down 338 Domains | Microsoft's Digital Crimes Unit said it teamed up with Cloudflare to coordinate the seizure of 338 domains used by RaccoonO365 , a financially motivated threat group | Phishing | The Hacker News |
| 12.9.25 | iCloud Calendar abused to send phishing emails from Apple’s servers | iCloud Calendar invites are being abused to send callback phishing emails disguised as purchase notifications directly from Apple's email servers, making them more likely to bypass spam filters to land in targets' inboxes. | Phishing | |
| 12.9.25 | VirusTotal finds hidden malware phishing campaign in SVG files | VirusTotal has discovered a phishing campaign hidden in SVG files that create convincing portals impersonating Colombia's judicial system that deliver malware. | Phishing | |
| 10.9.25 | Threat Spotlight: Speed, Scale, and Stealth: How Axios Powers Automated Phishing | Axios user agent activity surged 241% from June to August 2025, dwarfing the 85% growth of all other flagged user agents combined. | Phishing | Reliaquest |
| 10.9.25 | Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises | Phishing-as-a-Service (PhaaS) platforms keep evolving, giving attackers faster and cheaper ways to break into corporate accounts. Now, researchers at ANY.RUN has | Phishing | The Hacker News |
| 10.9.25 | Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks | Threat actors are abusing HTTP client tools like Axios in conjunction with Microsoft's Direct Send feature to form a "highly efficient attack pipeline" in recent | Phishing | The Hacker News |
| 5.9.25 | VirusTotal Finds 44 Undetected SVG Files Used to Deploy Base64-Encoded Phishing Pages | Cybersecurity researchers have flagged a new malware campaign that has leveraged Scalable Vector Graphics (SVG) files as part of phishing attacks impersonating the Colombian judicial system. | Phishing | The Hacker News |
| 26.8.25 | Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads | Cybersecurity researchers have flagged a new phishing campaign that's using fake voicemails and purchase orders to deliver a malware loader called UpCrypter . The | Phishing | The Hacker News |
| 25.7.25 | Patchwork Targets Turkish Defense Firms with Spear-Phishing Using Malicious LNK Files | The threat actor known as Patchwork has been attributed to a new spear-phishing campaign targeting Turkish defense contractors with the goal of gathering strategic1 | Phishing | The Hacker News |
| 22.7.25 | PoisonSeed Hackers Bypass FIDO Keys Using QR Phishing and Cross-Device Sign-In Abuse | Cybersecurity researchers have disclosed a novel attack technique that allows threat actors to downgrade Fast IDentity Online ( FIDO ) key protections by | Phishing | The Hacker News |
| 20.7.25 | Threat actors downgrade FIDO2 MFA auth in PoisonSeed phishing attack | A PoisonSeed phishing campaign is bypassing FIDO2 security key protections by abusing the cross-device sign-in feature in WebAuthn to trick users into approving login authentication requests from fake company portals. | Phishing | |
| 20.7.25 | Popular npm linter packages hijacked via phishing to drop malware | Popular JavaScript libraries eslint-config-prettier and eslint-plugin-prettier were hijacked this week and turned into malware droppers, in a supply chain attack achieved via targeted phishing and credential theft. | Phishing | |
| 3.7.25 | Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns | Cybersecurity researchers are calling attention to phishing campaigns that impersonate popular brands and trick targets into calling phone numbers operated | Phishing | The Hacker News |
| 29.6.25 | Microsoft 365 'Direct Send' abused to send phishing as internal users | Microsoft 365 'Direct Send' abused to send phishing as internal users | Phishing | |
| 22.6.25 | ChainLink Phishing: How Trusted Domains Become Threat Vectors | Phishing has evolved—and trust is the new attack vector. ChainLink Phishing uses real platforms like Google Drive & Dropbox to sneak past filters and steal credentials in the browser. Watch Keep Aware's on-demand webinar to see how these attacks work—and how to stop them. | Phishing | |
| 3.6.25 | Fake Recruiter Emails Target CFOs Using Legit NetBird Tool Across 6 Global Regions | Cybersecurity researchers have warned of a new spear-phishing campaign that uses a legitimate remote access tool called Netbird to target Chief Financial | Phishing | The Hacker News |
| 1.6.25 | Behind the Script: Unmasking Phishing Attacks Using Google Apps Script | When we think about phishing attacks, we typically picture suspicious emails containing questionable links that lead to fake websites designed to mimic authentic ones. However, threat actors are becoming more strategic, now leveraging tools from trusted tech giants to exploit users. | Phishing | CONFENSE |
| 1.6.25 | Threat actors abuse Google Apps Script in evasive phishing attacks | Threat actors are abusing the trusted Google platform 'Google Apps Script' to host phishing pages, making them appear legitimate and eliminating the risk of them getting flagged by security tools. | Phishing | BleepingComputer |
| 27.4.25 | WooCommerce admins targeted by fake security patches that hijack sites | A large-scale phishing campaign targets WooCommerce users with a fake security alert urging them to download a "critical patch" that adds a Wordpress backdoor to the site. | Phishing | |
| 25.4.25 | Phishing detection is broken: Why most attacks feel like a zero day | Phishing attacks now evade email filters, proxies, and MFA — making every attack feel like a zero-day. This article from Push Security breaks down why detection is failing and how real-time, in-browser analysis can help turn the tide. | Phishing | |
| 21.4.25 | Phishers abuse Google OAuth to spoof Google in DKIM replay attack | In a rather clever attack, hackers leveraged a weakness that allowed them to send a fake email that seemed delivered from Google's systems, passing all verifications but pointing to a fraudulent page that collected logins. | Phishing | |
| 21.4.25 | Windows NTLM hash leak flaw exploited in phishing attacks on governments | A Windows vulnerability that exposes NTLM hashes using .library-ms files is now actively exploited by hackers in phishing campaigns targeting government entities and private companies. | Phishing | BleepingComputer |
| 19.4.25 | Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States | Cybersecurity researchers are warning of a "widespread and ongoing" SMS phishing campaign that's been targeting toll road users in the United States for financial theft | Phishing | The Hacker News |
| 15.4.25 | Phishing Campaigns Use Real-Time Checks to Validate Victim Emails Before Credential Theft | Cybersecurity researchers are calling attention to a new type of credential phishing scheme that ensures that the stolen information is associated with valid online | Phishing | The Hacker News |
| 13.4.25 | Tycoon2FA phishing kit targets Microsoft 365 with new tricks | Phishing-as-a-service (PhaaS) platform Tycoon2FA, known for bypassing multi-factor authentication on Microsoft 365 and Gmail accounts, has received updates that improve its stealth and evasion capabilities. | Phishing | |
| 12.4.25 | Phishing kits now vet victims in real-time before stealing credentials | Phishing actors are employing a new evasion tactic called 'Precision-Validated Phishing' that only shows fake login forms when a user enters an email address that the threat actors specifically targeted. | Phishing | |
| 10.4.25 | E-ZPass toll payment texts return in massive phishing wave | An ongoing phishing campaign impersonating E-ZPass and other toll agencies has surged recently, with recipients receiving multiple iMessage and SMS texts to steal personal and credit card information. | Phishing | BleepingComputer |
| 6.4.25 | PoisonSeed phishing campaign behind emails with wallet seed phrases | A large-scale phishing campaign dubbed 'PoisonSeed' compromises corporate email marketing accounts to distribute emails containing crypto seed phrases used to drain cryptocurrency wallets. | Phishing | |
| 4.4.25 | Phishing platform 'Lucid' behind wave of iOS, Android SMS attacks | A phishing-as-a-service (PhaaS) platform named 'Lucid' has been targeting 169 entities in 88 countries using well-crafted messages sent on iMessage (iOS) and RCS (Android). | Phishing | |
| 4.4.25 | Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware | Microsoft is warning of several phishing campaigns that are leveraging tax-related themes to deploy malware and steal credentials. "These campaigns notably use | Phishing | The Hacker News |
| 2.4.25 | Lucid PhaaS Hits 169 Targets in 88 Countries Using iMessage and RCS Smishing | A new sophisticated phishing-as-a-service (PhaaS) platform called Lucid has targeted 169 entities in 88 countries using smishing messages propagated via | Phishing | |
|
30.3.25 |
Phishing-as-a-service operation uses DNS-over-HTTPS for evasion | A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection. | Phishing | |
|
28.3.25 |
New Morphing Meerkat Phishing Kit Mimics 114 Brands Using Victims' DNS Email Records | Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System ( DNS ) mail exchange ( MX ) | Phishing | The Hacker News |
|
23.3.25 |
Fake Semrush ads used to steal SEO professionals’ Google accounts | A new phishing campaign is targeting SEO professionals with malicious Semrush Google Ads that aim to steal their Google account credentials. | Phishing | |
|
16.3.25 |
Coinbase phishing email tricks users with fake wallet migration | A large-scale Coinbase phishing attack poses as a mandatory wallet migration, tricking recipients into setting up a new wallet with a pre-generated recovery phrase controlled by attackers. | Phishing | BleepingComputer |
| 13.3.25 | Microsoft Warns of ClickFix Phishing Campaign Targeting Hospitality Sector via Fake Booking[.]com Emails | Microsoft has shed light on an ongoing phishing campaign that targeted the hospitality sector by impersonating online travel agency Booking.com using an increasingly popular social engineering technique called ClickFix to deliver credential-stealing malware. | Phishing | The Hacker News |
| 11.3.25 | US cities warn of wave of unpaid parking phishing texts | US cities are warning of an ongoing mobile phishing campaign pretending to be texts from the city's parking violation departments about unpaid parking invoices, that if unpaid, will incur an additional $35 fine per day. | Phishing | BleepingComputer |
| 4.3.25 | Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail | Threat actors are targeting Amazon Web Services ( AWS ) environments to push out phishing campaigns to unsuspecting targets, according to findings from Palo | Phishing | The Hacker News |
| 4.3.25 | Hackers Use ClickFix Trick to Deploy PowerShell-Based Havoc C2 via SharePoint Sites | Cybersecurity researchers are calling attention to a new phishing campaign that employs the ClickFix technique to deliver an open-source command-and-control | Phishing | The Hacker News |
| 28.2.25 | 5,000 Phishing PDFs on 260 Domains Distribute Lumma Stealer via Fake CAPTCHAs | ybersecurity researchers have uncovered a widespread phishing campaign that uses fake CAPTCHA images shared via PDF documents hosted on Webflow's | Phishing | The Hacker News |
| 22.2.25 | Cybercriminals Can Now Clone Any Brand's Site in Minutes Using Darcula PhaaS v3 | The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform appear to be readying a new version that allows prospective customers and cyber | Phishing | The Hacker News |
|
18.1.25 | New 'Sneaky 2FA' Phishing Kit Targets Microsoft 365 Accounts with 2FA Code Bypass | Cybersecurity researchers have detailed a new adversary-in-the-middle (AitM) phishing kit that's capable of Microsoft 365 accounts with an aim to steal | Phishing | The Hacker News |