Issue #001, March 3, 2026
Faisal Misle

What's happening in email security: February 23 - March 1, 2026

APT28 spent five months beaconing victims through a developer tool nobody blocks. Meanwhile, the Sophos numbers confirm what most practitioners already sense: BEC is accelerating, and identity is still the primary attack surface.

APT28 Operation MacroMaze: Webhook Beacons in Spear-Phishing Documents

Russia-linked APT28 ran Operation MacroMaze from September 2025 through January 2026, targeting Western and Central European organizations with spear-phishing emails carrying macro-embedded Office documents.

The beaconing mechanism is worth understanding. APT28 embedded INCLUDEPICTURE fields pointing to webhook.site URLs in the documents. When a victim opens the file, Word silently fetches the URL, confirming the open to the attacker. It's functionally identical to an email tracking pixel, but triggered by document open rather than email open. Reputation-based URL filtering won't flag webhook.site, because it's a legitimate developer tool.

After the open was confirmed, VBScript delivered batch scripts that launched Microsoft Edge in headless mode. Edge rendered an HTML payload retrieved from a webhook endpoint, executed the commands it contained, then sent the results back to a separate attacker-controlled webhook.site endpoint. All C2 traffic therefore routes through a trusted domain.

Two things make this notable. First, the beaconing step lets attackers identify live targets before deploying payloads, reducing operational noise. Second, the entire C2 infrastructure runs on a service that security teams generally have no reason to block. Macro execution in documents delivered via email is the initial attack surface here, but the C2 design is specifically built around the blind spot in reputation-based filtering.
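The document-open beacon described above can be found statically, before the file ever reaches Word. The following is an added example (not code from the report or from Red Sift) that unpacks a .docx, pulls every INCLUDEPICTURE field code out of its XML parts, and flags targets that point at a remote host, with webhook.site on a watchlist; the document XML and the webhook.site path are constructed placeholders.

```python
import html
import io
import re
import zipfile
from urllib.parse import urlparse

# Constructed minimal document part. Field codes live in w:instrText runs
# (complex fields) or in w:fldSimple attributes; both forms are covered.
# The webhook.site path below is a placeholder, not a real beacon URL.
DOC_XML = """<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "https://webhook.site/PLACEHOLDER-TOKEN" \\d </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:fldSimple w:instr=' INCLUDEPICTURE "C:\\\\logos\\\\corp.png" \\d '/></w:p>
</w:body></w:document>"""

FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"([^"]+)"', re.IGNORECASE)
# Legitimate services the report shows being used as open-confirmation beacons.
WATCHLIST = {"webhook.site"}

def build_docx() -> bytes:
    """Pack the constructed XML into an in-memory .docx (a plain zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", DOC_XML)
    return buf.getvalue()

def scan_includepicture_fields(docx_bytes: bytes) -> list:
    """List every INCLUDEPICTURE target, flagging remote and watchlisted ones.

    Word fetches the target when the document opens, which is exactly the
    open-confirmation beacon the MacroMaze report describes.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        # Headers, footers and footnotes are separate parts; scan them all.
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = z.read(name).decode("utf-8", errors="replace")
            for raw in FIELD_RE.findall(xml):
                target = html.unescape(raw)  # undo &amp; etc. inside URLs
                parsed = urlparse(target)
                host = (parsed.hostname or "").lower()
                remote = parsed.scheme.lower() in ("http", "https")
                hits.append({"part": name, "target": target, "host": host,
                             "remote": remote,
                             "watchlisted": remote and host in WATCHLIST})
    return hits
```

Local image paths (the second field) are normal in corporate templates; the signal is a remote target, and a watchlisted host is the highest-priority hit.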

Fake FedEx Email Delivers XWorm Malware

A phishing campaign used FedEx shipping notification lures to deliver 7z archives containing obfuscated batch scripts that injected XWorm into explorer.exe.

The evasion chain is worth examining. The batch script used delayed variable expansion (!VAR! syntax) to defeat pattern matchers, combined with Base64-obfuscated PowerShell and AES-encrypted shellcode decrypted at runtime. Only 12 of 61 antivirus engines flagged the initial submission. Persistence runs through Registry Run keys. C2 points to 204.10.160.190:7003.

Commodity phishing campaigns now routinely defeat signature-based detection through runtime decryption and syntax-level obfuscation. Behavioral detection and script execution controls are the relevant response.
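Delayed expansion defeats pattern matchers because the launcher string is assembled at run time from fragments, so a literal grep for it finds nothing. The added example below (not code from the report) is a small analyst's normalizer that statically resolves `set` assignments and substitutes `!VAR!` references, after which the same signature matches; the batch sample is constructed and its encoded argument is a placeholder.

```python
import re

# Constructed sample in the style the report describes: "powershell" never
# appears literally, so a grep for it finds nothing. The encoded argument is
# a placeholder, not a real payload.
SAMPLE_BAT = """@echo off
setlocal EnableDelayedExpansion
set "p=pow"
set "q=ersh"
set "r=ell"
set "e=-EncodedCommand"
!p!!q!!r! !e! BASE64_PLACEHOLDER
"""

SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_]\w*)=([^"]*)"?\s*$', re.IGNORECASE)
REF_RE = re.compile(r'[!%]([A-Za-z_]\w*)[!%]')
# Launcher signature, applied to the normalized text.
LAUNCHER_RE = re.compile(r'powershell(?:\.exe)?\b.*?\s-(?:e|enc|encodedcommand)\b',
                         re.IGNORECASE | re.DOTALL)

def expand_delayed(script: str, max_rounds: int = 10) -> str:
    """Resolve straight-line `set` assignments and substitute !VAR!/%VAR% refs.

    Handles only literal assignments (no arithmetic or substring tricks);
    that is enough to recover the launcher in the sample above.
    """
    env = {}
    out = []
    for line in script.splitlines():
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
            out.append(line)
            continue
        # Values may reference other variables, so substitute until stable.
        for _ in range(max_rounds):
            new = REF_RE.sub(lambda r: env.get(r.group(1).lower(), r.group(0)), line)
            if new == line:
                break
            line = new
        out.append(line)
    return "\n".join(out)

def flags_encoded_launcher(text: str) -> bool:
    """True when a PowerShell encoded-command launcher is visible in text."""
    return LAUNCHER_RE.search(text) is not None

def uses_delayed_expansion(script: str) -> bool:
    """Delayed expansion in a mail-delivered script is itself a triage signal."""
    return re.search(r'enabledelayedexpansion', script, re.IGNORECASE) is not None
```

Running the signature before and after normalization shows the gap: the raw script is clean, the expanded one is not.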

UAC-0050 Targets European Financial Institution with Spoofed Ukrainian Judicial Domain

Russia-aligned UAC-0050 sent spear-phishing emails to a senior legal advisor with procurement oversight at a European regional development and reconstruction institution. The lure spoofed a Ukrainian judicial domain with legal and procurement themes chosen to match the target's role.

Payload delivery used nested archives: a ZIP containing a password-protected RAR, containing a 7-Zip archive, containing a .pdf.exe double-extension executable that deployed Remote Manipulator System for unauthorized remote access. Files were hosted on PixelDrain to bypass reputation-based security.

UAC-0050 historically focused on Ukrainian targets. This campaign marks a clear expansion toward Western European institutions with Ukraine-related mandates. The spoofed domain was selected for geopolitical credibility against this specific individual, not mass distribution.

Sophos 2026 Active Adversary Report: BEC Attempts Quadrupled, Phishing Doubled

Sophos's 2026 Active Adversary Report, drawn from MDR and incident response cases, found phishing as an initial access vector more than doubled year-over-year (from 2.13% in 2024 to 5.86% in 2025), while BEC attempts quadrupled, primarily through compromised M365 identities. Identity-related tactics account for 67% of root causes overall, and weak or absent MFA was a factor in 59% of incidents. The phishing figure is likely understated; many cases categorized as credential compromise originated from upstream phishing. Median dwell time across all cases is now 3 days. Sophos notes the BEC increase may be partly influenced by more customers engaging IR on shorter, hourly engagements rather than full incident response retainers.

  • Scattered LAPSUS$ Hunters Pays $500-$1,000 Per Call for IT Help Desk Impersonation Attacks

    Organized vishing operation recruits and pays callers to run IT help desk social engineering, providing pre-written scripts to gain unauthorized access to corporate systems.

  • ESET: How to Detect AI Deepfake Voice Calls

    ESET published guidance on identifying AI-generated voice in calls used for executive impersonation and BEC, covering behavioral tells and verification approaches that don't rely on voice recognition alone.

  • Who is the Kimwolf Botmaster "Dort"?

    Krebs identified the operator of what may be the world's largest active botnet, whose toolkit includes a CAPTCHA bypass service and disposable email infrastructure used for mass account creation and credential stuffing operations.

This roundup is published weekly by Red Sift. Test your email authentication set-up with Red Sift Investigate.