Cybersecurity News

5 Threats This Week That Started With a Conversation

From the FBI-flagged Kali365 phishing kit to ransomware hidden in "legal documents," here are this week's top social engineering threats and how to...

Illustration of social engineering: an email transforming into a conversation.

If this week's threat headlines share one thing, it's this: attackers aren't breaking in, they're being invited in. Every major campaign making news right now begins with a human being asked to do something that sounds perfectly reasonable. Here's what's circulating, how the social engineering works, and how trained people shut it down.

Social Engineering Threats - Week of July 6, 2026
Threat Social Engineering Hook PhishingBox Defense
Avalon / CrownX ransomware Fake legal-document email + password-protected archive Simulations, KillPhish AI, Awareness Training
VEIL#DROP / PureLogs stealer Fake document files (transcript.pdf.js), Blogger hosting Simulations, Awareness Training, Human Risk Management
Kali365 PhaaS (FBI warning) Device-code phishing on real Microsoft pages, MFA bypass Simulations, Awareness Training, KillPhish AI
RIS messaging-app hijacks (FBI/CISA) Fake support accounts phishing recovery keys Awareness Training, Simulations
ShinyHunters vishing wave Phone calls posing as IT/helpdesk to steal SSO + OAuth access Vishing simulations, Training, Human Risk Management
The week at a glance: five campaigns, one target - human trust.

1. The "legal document" that ends in ransomware

Researchers this week documented Avalon, a new modular malware framework that bundles credential theft, lateral movement, and a ransomware component called CrownX that goes after backup and recovery systems. The opening move is old-fashioned persuasion: a spoofed legal-document email pointing to a password-protected archive on Proton Drive. The password is in the email, and that's the trick - security tools can't scan what they can't open, so the attacker politely asks the victim to do the unwrapping. Inside sits an ISO image and a shortcut file that launches a nearly fileless infection chain.

The lesson: when an email hands you a password and urgent instructions, the "protection" is protecting the malware from your defenses, not your data from prying eyes.

2. VEIL#DROP: a fake PDF, a real infostealer, hosted on Blogger

The VEIL#DROP campaign uses files named like transcript.pdf.js - a document to the eye, a script to the operating system. One double-click launches PowerShell, which pulls its payload from attacker-controlled Blogspot pages and runs it entirely in memory. The payload, PureLogs, sweeps browser passwords, cookies, autofill data, and crypto wallets. Kaspersky describes the wider operation as a massive, multi-domain, multi-language campaign (Infosecurity Magazine).

Two layers of misplaced trust make it work: a familiar document icon, and payload hosting on a Google-owned platform that both users and web filters tend to wave through.

3. Kali365: the FBI-flagged kit that never needs your password

The FBI has warned about Kali365, a phishing-as-a-service platform sold on Telegram for around $250 a month. Here's the unsettling part: victims never touch a fake website. The email directs them to the genuine Microsoft verification page and asks them to enter a code. Doing so authorizes the attacker's device, handing over a Microsoft 365 access token, MFA bypassed, no password required (BleepingComputer). The kit ships with AI-generated lures and real-time victim dashboards, and researchers logged hundreds of attacks in a single month (Bitdefender).

When every pixel the victim sees is legitimate, technology alone can't flag the attack. The instruction itself is the malware, and only a trained human can refuse it.

4. Fake "support accounts" are stealing encrypted chats

In a June 26 update, the FBI and CISA warned that Russian intelligence actors continue hijacking Signal and WhatsApp accounts by posing as automated support accounts, and they've evolved: they now phish for Backup Recovery Keys, which unlock full message history and enable account takeover (CISA). Today's targets are officials and journalists, but nation-state techniques reliably trickle down to commodity crime.

One rule defeats the whole category: legitimate support will never message you asking for verification codes, PINs, or recovery keys.

5. The phisher is calling: vishing hits the mainstream

Mandiant's M-Trends 2026 data shows voice phishing now accounts for 11% of initial access overall and 23% in cloud compromises (Push Security). The ShinyHunters-linked crews behind last year's Salesforce campaigns have breached more than 40 organizations in 2026 by phoning employees while posing as IT support, capturing SSO logins and OAuth tokens, then pivoting into connected SaaS environments (Google Cloud Threat Intelligence, Varonis).

Voice Phishing Share of Initial Access
Voice phishing's share of initial access, per Mandiant M-Trends 2026.

No malware, no exploit, just a confident voice and a helpful employee. Which means the defense isn't in your firewall, it's in your people.

The common thread, and what to do about it

Password-protected archives, fake documents, device codes, support impersonation, helpdesk calls: five different campaigns, one attack surface - human trust. That's exactly the surface PhishingBox hardens:

  • Phishing Simulations recreate these exact lures - protected-archive attachments, device-code prompts, fake support messages, even vishing scenarios - so employees encounter them safely first.
  • Security Awareness Training builds the reflexes: distrust unsolicited passwords, verify callers, never relay codes.
  • KillPhish AI turns every inbox into a sensor, letting employees report suspicious messages for AI-powered triage in one click.
  • Human Risk Management scores which users and roles are most exposed, so training lands where the risk lives.

Over 4 million users globally train with PhishingBox to see threats, score risk, and secure their organizations. See. Score. Secure.

Sources