Iran-linked cyber activity targets industrial systems, data leaks, and human vulnerabilities, with risk centred on access, exposure, and operational control


A few themes are starting to show up again this week, and none of them are particularly comforting. Access is getting easier for attackers, coordination is getting messier, and some very familiar systems are still leaving doors open.
The result is the same as always, just faster and at a bigger scale.
There’s a new phishing-as-a-service platform doing the rounds called Evil Tokens, and it’s already hit over 340 organisations. What makes this one stand out is how it bypasses MFA. Instead of going after passwords directly, it targets Microsoft OAuth device code flows and hijacks tokens that can survive even after a password reset. So even if you think you’ve contained the issue, the attacker may still have access.
It’s being distributed through a Telegram subscription model, which means you don’t need to be particularly skilled to use it. That’s the real problem here. The barrier to entry keeps dropping.
What to do:
Start with your Entra ID logs. Look for unusual sign-ins, especially anything tied to railway.com IPs. Revoke suspicious refresh tokens immediately. If you’re not actively using OAuth device code flows, block them outright through conditional access.
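One way to triage an exported Entra ID sign-in log for the two signals above (device code flow sign-ins and sign-ins from a watchlisted source such as the railway.com addresses), as an added example that is not part of the original post: the records are shaped like the Microsoft Graph signIn resource, and the field names used (authenticationProtocol, ipAddress, userPrincipalName, createdDateTime, appDisplayName, status.errorCode) are an assumption to check against your own export. The sample records and the watchlist addresses are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample export of Entra ID sign-in records, shaped like the
# Microsoft Graph signIn resource (field names are an assumption).
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2024-06-01T08:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Outlook", "ipAddress": "198.51.100.10",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-06-01T08:05:40Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Authentication Broker", "ipAddress": "203.0.113.77",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-06-01T08:09:03Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Teams", "ipAddress": "203.0.113.78",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-06-01T08:12:55Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Outlook", "ipAddress": "198.51.100.10",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
])

# Placeholder watchlist (constructed, documentation-range addresses): replace with
# the addresses you resolve for the railway.com ranges named in the report.
WATCHLIST_IPS = {"203.0.113.77", "203.0.113.78"}


def triage_signins(raw_json, watchlist=WATCHLIST_IPS):
    """Map each user to (time, ip, app, reason) tuples for suspicious successful sign-ins.

    Two independent signals: 'device_code' when the sign-in completed via the OAuth
    device code protocol, and 'watchlist_ip' when the source IP is on the watchlist.
    Failed sign-ins (non-zero errorCode) are skipped so password-spray noise does not
    bury the successful token issuances that matter for revocation."""
    findings = defaultdict(list)
    for rec in json.loads(raw_json):
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        reasons = []
        if rec.get("authenticationProtocol") == "deviceCode":
            reasons.append("device_code")
        if rec.get("ipAddress") in watchlist:
            reasons.append("watchlist_ip")
        for reason in reasons:
            findings[rec["userPrincipalName"]].append(
                (rec["createdDateTime"], rec["ipAddress"], rec["appDisplayName"], reason))
    return dict(findings)


def users_to_revoke(findings):
    """Users with at least one flagged sign-in: candidates for refresh-token revocation."""
    return sorted(findings)
```

Each flagged user is a candidate for immediate refresh-token revocation; a device code sign-in from an unfamiliar app or address is the case to look at first.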
There’s been a noticeable spike in activity linked to pro-Iranian groups. Palo Alto Unit 42 tracked over 7,300 phishing URLs themed around ongoing conflicts. This isn’t just phishing for the sake of it. These campaigns are tied into broader activity including wiper attacks, DDoS operations, and credential harvesting targeting Western infrastructure.
What makes this more unpredictable is the current environment. With Iran experiencing near-total internet disruption, a lot of this activity is becoming more decentralised. Less control, more aggression, wider targeting.
What to do:
If you’re in sectors like healthcare, logistics, or financial services, now’s the time to revisit your business continuity plans. Make sure staff are aware of conflict-themed phishing lures. These campaigns rely heavily on urgency and emotional triggers.
There’s also a serious issue affecting Magento and Adobe Commerce, being referred to as Polyshell.
This one allows unauthenticated attackers to upload malicious files disguised as images, leading to full remote code execution. No login required, which is always a bad sign. It’s already being used to extract credit card data from compromised sites.
The catch? There’s no official patch yet. There is a community patch available, but that means organisations need to be proactive rather than waiting for a formal release.
What to do:
If you’re running Magento or Adobe Commerce, you need to assess exposure immediately. Apply the available community patch and monitor closely for suspicious activity, especially around file uploads and payment data access.
Nothing here is especially new in isolation. Phishing, geopolitical campaigns, vulnerable software. We’ve seen all of it before. What’s changed is how easy it is to scale these attacks and how quickly they can move once they get in.
Access is still the main objective. Whether that’s through tokens, users, or exposed systems, once it’s there, everything else becomes easier.
Staying ahead of this isn’t about reacting faster. It’s about tightening the basics so there’s less to exploit in the first place.