Global rise in sophisticated email threats prompts calls for enhanced security measures

31 July 2025

Threat analysts at Barracuda Networks have identified a new wave of advanced email-based threats targeting organisations worldwide, with attackers increasingly deploying phishing-as-a-service (PhaaS) kits to evade detection.

These campaigns, observed prominently in July, include credential phishing attempts impersonating well-known business services such as Autodesk Construction Cloud, Zix Secure Message Centre, and RingCentral, aiming to breach a wide array of sectors including healthcare, finance, legal, government, and corporate environments.

One notable attack involved impersonation of Autodesk Construction Cloud, a widely used collaboration platform in the construction industry. Attackers used the Tycoon PhaaS kit to send messages from compromised or fake executive accounts, claiming to deliver project notifications. Recipients were directed to Autodesk-hosted pages containing links to ZIP files. Opening these files launched HTML pages with CAPTCHA screens and spoofed Microsoft login pages, designed to harvest login credentials.

In the United States, a scam targeting drivers involves false toll notification messages warning of unpaid tolls. These messages, delivered via text, email, or phone calls, create a sense of urgency by threatening suspension or legal action. Victims who respond are led to fake websites requesting sensitive details such as licence plate numbers and credit card information, risking financial loss and identity theft.

Another prevalent campaign exploits the Zix Secure Message Centre, an encrypted email service popular among organisations in sensitive sectors. Victims receive emails claiming to contain secure messages, with links prompting them to view the message. These links redirect to fake Zix pages requesting email addresses, then to fraudulent Microsoft login pages designed to steal credentials. The realistic replication of Zix’s branding and workflows makes these scams particularly effective.

Similarly, Barracuda’s researchers uncovered a RingCentral voicemail phishing campaign in which attackers impersonate the communications platform. Victims receive personalised voicemail notifications with links that, when clicked, pass through multiple redirections via legitimate-looking sites before reaching a phishing site hosted by the EvilProxy PhaaS kit. This approach aims to bypass detection and steal Microsoft credentials, even those protected by two-factor authentication.

Additional threats include campaigns leveraging the Gabagool PhaaS kit, which exploits Notion.com’s file-sharing capabilities by embedding phishing links within seemingly innocuous PDF attachments. Other campaigns employ branding from Microsoft SharePoint and Copilot to craft convincing ‘Document shared’ notifications, or use LogoKit with Roundcube webmail for password expiry scams. The Tycoon PhaaS kit has also been distributed through campaigns masquerading as legitimate business documents like ‘Project Overview.pdf’, with attackers leading victims through multiple intermediate webpages to conceal their true intent and harvest credentials.

Barracuda recommends a comprehensive, multilayered security approach combined with employee awareness training to combat these evolving threats. Its Email Protection suite features tools such as Email Gateway Defence against phishing and malware, Impersonation Protection for social engineering, Incident Response, and Domain Fraud Protection. The company emphasises that its solutions integrate artificial intelligence and deep compatibility with Microsoft 365 to defend organisations effectively against highly targeted phishing and impersonation attacks.