Why Phishing Training Fails to Stop Modern Attacks

A new study from UC San Diego Health should make every security leader stop and think. Researchers ran nearly 20,000 employees through ten simulated phishing campaigns over eight months. The result? Training made almost no difference. Employees who had recently completed mandatory cyber awareness courses failed phishing tests at virtually the same rate as those who hadn’t. The average gap was a paltry 1.7% improvement — effectively zero.

Kevin Surace
3 minute read

Microsoft ADFS Redirect Exploit Proves Legacy MFA Is Broken

Last week, BleepingComputer reported on a clever new phishing campaign targeting Microsoft users. Instead of pixel-perfect fake sites or smishing lures, attackers are now abusing legitimate Microsoft ADFS redirect endpoints to steal logins.

Kevin Surace
3 minute read

Pixel-Perfect Phishing: How Unicode Attacks Bypass MFA

How “ん” and Clever Domain Spoofing Are Bypassing Legacy MFA — And Why Only Token Shuts the Door

In the evolving phishing landscape, attackers don’t need high-level exploits—they only need one cunning trick: swap in a lookalike character that fools the human eye. As detailed recently in BleepingComputer, Booking.com users fell victim to one such campaign that leveraged the Japanese Hiragana “ん” (Unicode U+3093) to masquerade as a familiar URL path. It’s no text-only illusion; this is phishing with precision.

Kevin Surace
3 minute read

Ransomware Is Up 179% in 2025. Legacy MFA Is Why.

CSO Online just dropped a staggering stat: ransomware attacks have jumped 179% in the first half of 2025. Credential theft? Up 800%. That’s not a typo. Eight. Hundred. Percent.

Kevin Surace
1 minute read

CISA's Urgent Warning on Phishing-Resistant MFA and FIDO2

CISA just dropped a bombshell. In its latest alert (dated July 25, 2025), the U.S. Cybersecurity and Infrastructure Security Agency is now urging every enterprise to implement phishing-resistant multifactor authentication (MFA)—everywhere: for email, VPNs, and anything touching critical systems. Not “consider it.” Not “evaluate in the future.” Require it. Now.

Kevin Surace
1 minute read

How to Prevent Social Engineering Attacks

Another day. Another preventable breach. This time it’s a major UK-based insurance company, Allianz Life, and the attackers didn’t need zero-day exploits or complex malware. They just talked their way in.

Kevin Surace
1 minute read

The Clorox Lawsuit: 380M Over a Password

Kevin Surace
1 minute read

The Rise of Identity-Based Attacks

BetaNews recently asked this question in a detailed Q&A. The answers should concern every enterprise leader. The rise of identity-based attacks isn’t just a trend; it’s now the primary way cybercriminals get in. Attackers are no longer brute-forcing firewalls or cracking encryption. They’re simply logging in as you.

Kevin Surace
1 minute read

Phishing-Proof MFA That Stops Social Engineering

Microsoft’s recent advisory on Octo Tempest should make every CISO lose sleep. This group isn’t just hacking software vulnerabilities. They’re hacking people, impersonating employees, tricking help desks into resetting passwords, stealing session cookies, and bypassing legacy MFA with social engineering.

Kevin Surace
1 minute read

AI-Generated Phishing Attacks Are Making Legacy MFA Obsolete

Generative AI just made phishing so easy that anyone can do it—and do it convincingly. According to Axios, researchers demonstrated that in just 30 seconds, a simple natural-language prompt was all it took to build a pixel-perfect spoofed login site. No coding. No technical skills. Just type “build a copy of the website login.okta.com,” and a convincing clone appears, ready to trick anyone into handing over credentials.

Kevin Surace
2 minute read

Stolen Credentials Are the New Front Door

The cybersecurity world has a new consensus: credentials are no longer a weak point—they’re the entire attack surface.

Kevin Surace
2 minute read

Scattered Spider Hackers Are Hunting the Fortune 500

A new report from CyberCube just confirmed what many of us in cybersecurity have long suspected: Scattered Spider is targeting hundreds of major enterprises with precision. Nearly 300 companies—each with over $500 million in annual revenue—have been flagged as high-risk. Why? Because they’re still running the same legacy technologies this threat group exploits with shocking ease.

Kevin Surace
1 minute read
