

























CyberheistNews Vol 16 #24 | June 16th, 2026
[FBI Alert] Lock Down Your Microsoft 365 Device Code Flows Now
The U.S. Federal Bureau of Investigation (FBI) has warned that a new phishing-as-a-service (PhaaS) platform called "Kali365" is targeting OAuth tokens to gain direct access to users' Microsoft 365 accounts without stealing credentials or multifactor authentication codes.
"Through the Kali365 platform subscription, cyber threat actors can capture 'OAuth' tokens and gain persistent access to targeted individuals or entities' Microsoft 365 environments," the Bureau says. "Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities."
According to the FBI, the attack proceeds as follows:
The Bureau recommends that organizations lock down their device code flows to limit or block device authentication codes unless absolutely necessary. Employee awareness training also helps users recognize phishing attempts so they can thwart these attacks from the start.
Blog post with links:
https://blog.knowbe4.com/fbi-kali365-phishing-kit-targeting-microsoft-365
Why Your DLP Is Failing and What to Do About It
Insider-related incidents now cost organizations $19.5 million annually.
That figure is up 20% in two years—and legacy DLP isn't closing the gap. From accidental mis-deliveries and malicious theft to employees pasting sensitive data into unauthorized Shadow AI tools, a single breach can cause catastrophic damage.
With misdirected emails and unvetted AI usage driving modern security incidents, it's time for intelligent, context-aware data security.
Join Erich Kron, KnowBe4 CISO Advisor, as he deconstructs the hidden risks inside your email environment and shows you a fundamentally different approach to data protection — one built around user intent and behavioral context, not rigid rules and reactive blocks.
You'll learn how to:
Join us and find out how you can proactively prevent data loss while building a more security-conscious culture in your organization and earn CPE credits for attending!
Date/Time: TOMORROW, Wednesday, June 17, @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/why-your-dlp-is-failing?partnerref=CHN2
Visa: "Now AI-Enabled Social Engineering Attacks Are the No. 1 Fraud Category"
Threat actors are increasingly using AI-enabled social engineering to get around technical security measures, according to a new report from Visa.
Social engineering attacks were behind the largest number of losses in the second half of 2025. "From July to December 2025, Visa identified nearly $1 billion in scam-related activity, making scams the single largest category of consumer payment fraud," Visa says.
"Unlike traditional fraud, these attacks typically do not require breaching technology. Instead, scammers impersonate trusted brands and institutions, manufacture urgency and deceive victims into completing legitimate-looking transactions."
The report also found that ransomware attacks rose by 26% in the second half of 2025, though the number of victims who paid the ransom fell to the lowest on record. Visa believes this reflects "improving resilience and recovery capabilities, as well as a reluctance to pay when data could still be leaked, regardless of payment."
Michael Jabbara, SVP, Payment Ecosystem Risk and Control at Visa, stated, "The rapid adoption of AI has fundamentally lowered the barrier to entry for fraud. What once required deep technical skill can now be executed with a prompt.
"That reality makes intelligence-driven defenses and coordinated action across the ecosystem more critical than ever."
Paul Fabara, Visa's Chief Risk and Client Services Officer, added, "Payments at a network level continue to get safer, but threats are evolving faster than ever. Criminals are increasingly targeting people rather than technology, using deception, urgency and AI-enabled tools to exploit trust.
"Addressing this shift requires continuous innovation at the network level and close collaboration across banks, merchants, policymakers and the broader payments ecosystem."
Blog post with links:
https://blog.knowbe4.com/report-ai-enabled-social-engineering-attacks-are-on-the-rise
Email and Messaging Security That Understands You
Email is your riskiest channel for attacks and data loss. Nearly 58,000 threats slip past traditional defenses every day. They're not occasional. They're persistent, high-volume and growing more sophisticated with AI.
See how you can stop up to 97% more attacks and uncover 10 times more potential data breaches before they happen.
Join this live demo of KnowBe4’s Cloud Email Security to see how you can detect the full spectrum of inbound threats and outbound data loss, and coach your workforce in real time against every threat.
We will showcase:
Your defenses are only as strong as your weakest entry point. Don't let email be it.
Date/Time: Wednesday, June 24, @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/ces-demo-3?partnerref=HS
A Look at Spam vs. Phishing: 4 Key Differences
Great inspiration for creating user-facing security awareness content!
Spam and phishing are often used interchangeably in email security, but they serve distinct purposes and carry varying levels of risk. Understanding the difference between spam vs. phishing helps organizations better recognize threats and respond appropriately.
This guide breaks down how spam and phishing differ, how to identify each and what steps organizations can take to reduce risk.
Key Takeaways:
[CONTINUED] Blog post with links:
https://blog.knowbe4.com/a-look-at-spam-vs.-phishing-4-key-differences
[Virtual Summit] Secure Every Human & AI Agent
You're invited! Join us for the Workforce Security Summit on July 8 to see what securing both your humans and AI agents looks like in practice.
The workforce has changed, your security strategy needs to catch up. AI agents are proliferating across your organization. Attackers are weaponizing deepfakes and AI-powered social engineering against your people. The old playbook wasn't built for a workforce that is no longer purely human.
Here's what you'll walk away with:
Date/Time: Wednesday, July 8 @ 1:00 - 3:00 PM ET
Save My Spot:
https://www.knowbe4.com/workforce-summit-na?partnerref=CHN
Let's stay safe out there.
Warm regards,
Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.
PS: KnowBe4 Wins Multiple 2026 TrustRadius Top Rated Awards:
https://blog.knowbe4.com/knowbe4-wins-multiple-2026-trustradius-top-rated-awards
PPS: [For your CMO] Yours Truly in Forbes "Five Patterns Leading To An Impending Revenue Miss":
https://www.forbes.com/councils/forbestechcouncil/2026/06/09/five-patterns-leading-to-an-impending-revenue-miss/
Quotes of the Week
"There is nothing impossible to him who will try."
- Alexander the Great (356 - 323 BC)
"It is hard to fail, but it is worse never to have tried to succeed. In this life we get nothing save by effort."
- Theodore Roosevelt - 26th U.S. President (1858 - 1919)
Thanks for reading CyberheistNews
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-16-24-fbi-alert-lock-down-your-microsoft-365-device-code-flows-now
Security News
APWG Report: Social Media Phishing Is Surging
Phishing scams surged across social media platforms during the first quarter of 2026, according to a new report from the Anti-Phishing Working Group (APWG).
"Threat volume increased in Q1 2026 on every social media platform, predominantly in two formats: Scams (27.1 percent of all threats) and Impersonation (43.8 percent of all threats)," the report says.
The APWG adds, "Impersonation became more prevalent than in the previous quarter. Impersonation is frequently the opening move in a scam campaign, with threat actors establishing a fake identity before advancing to financial fraud. Seen through that lens, the two categories remain deeply intertwined, and their combined 70.9 percent share still represents the core of the threat landscape."
Attackers are also using more advanced evasion techniques to hide their websites from security scanners, giving their schemes a longer lifespan.
"Fraudsters appear to be using more intricate and elaborate methods to hide their scam and phishing sites," the APWG says. "Phishers are still employing well-known techniques such as geo/IP blocking and user-agent blocking. But an increasing number of sites only show fraudulent content when the referrer is a certain site or kind of site.
"For example, the fraud site is only displayed if the user came from the Bing search engine and had searched for "[bank name] bank login", or visited from a certain social media site (i.e. a user clicked on a comment in a TikTok video).
"Otherwise, the visitors will see innocuous-looking content, or may be redirected to another site."
KnowBe4 empowers your workforce to make smarter security decisions every day.
The APWG has the story:
https://www.accessnewswire.com/newsroom/en/computers-technology-and-internet/apwg-q1-2026-report-phishing-and-scams-rising-on-all-social-media-1170893
Americans Lost $900 Million to AI-Powered Scams Last Year
The U.S. Federal Bureau of Investigation (FBI) warns that Americans lost just under $900 million to AI-powered scams in 2025, Malwarebytes reports. Total reported losses to scams last year reached nearly $21 billion, a 26% increase from 2024.
The researchers note that the true losses are likely much higher, since many attacks go unreported. "The main drivers behind the rise in AI-powered scams are voice cloning, deepfake images and videos and AI‑generated scripts," Malwarebytes says. "These tools have supercharged classic fraud schemes such as romance scams, kidnapping and extortion calls, fake influencers and government impersonation."
The FBI notes that AI tools have drastically lowered the bar for attackers to craft highly realistic fraudulent content. "AI technology enables the creation of convincing synthetic content, such as social media profiles and personalized conversations, often in mass quantities," the Bureau says.
"People have manipulated video and audio similarly for decades, but the widespread availability of this developing technology makes it possible to create high-quality content. AI-enabled synthetic content is becoming increasingly difficult to detect and easier to make, which allows criminal actors to potentially conduct successful fraud schemes against individuals, businesses and financial institutions."
Malwarebytes concludes that these attacks will increase as AI tools improve and become more accessible. "The FBI and financial institutions recommend verifying identities via official contact channels," Malwarebytes says.
"One of their biggest concerns is government impersonation scams, which have evolved from crude IRS gift‑card phone calls into sophisticated, multi‑channel operations that combine spoofed caller ID, stolen agency logos and AI-generated audio and video of public officials.
"This report, and others like it, shows how AI is being weaponized to automate research on victims, generate convincing scripts and create highly believable deepfake personas at scale. AI is also increasingly used in business email compromise (BEC), romance scams and impersonation fraud.
"In BEC cases involving AI, losses have already reached tens of millions of dollars for businesses alone."
Over 70,000 organizations worldwide trust the KnowBe4 Platform to strengthen their security culture and reduce risk.
Malwarebytes has the story:
https://www.malwarebytes.com/blog/scams/2026/06/americans-lost-nearly-900-million-to-ai-powered-scams-fbi-says
What KnowBe4 Customers Say
"Thank you so much for the fantastic call today. You answered many questions that I had that I hadn't even verbalized on the call. It has been a good experience working with KnowBe4 for about nine years now and you two have continued that great working relationship. I greatly appreciate you!"
- T.M., Executive Director - Information Technology Services
The 10 Interesting News Items This Week
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。