Discover the threats our security operations team have been monitoring this month, and their advice to keep you safe.
This month:
- Phishing-as-a-service (PhaaS) kits providing tools to bypass MFA
- The Windows 11 vulnerability enabling access in under a minute
- Entra ID access issues with Microsoft’s MACE feature
- The deepfake phishing scam that’s impacted Gmail accounts
Plus: Some of the cybersecurity stories that caught our attention from around the world.
Phishing-as-a-Service (PhaaS) kits now exploiting SVG files
PhaaS has become a growing cybercrime trend, enabling low-skilled threat actors to run advanced phishing campaigns using plug-and-play kits that typically include everything needed to launch an attack.
One example that’s causing particular concern is Tycoon2FA which embeds malicious JavaScript in SVG file attachments to redirect users to fake Microsoft 365 login pages. These spoofed portals harvest credentials and session tokens in real time, enabling attackers to bypass MFA and gain immediate access to cloud environments.
What’s the risk?
- MFA no longer blocks access once tokens are hijacked
- SVG files often evade basic email security filters
- Attackers can impersonate staff and exfiltrate sensitive data
Recommended mitigation
Action point: Review email filtering rules and update user awareness training to include .svg threat vectors.
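As an added illustration of the attachment check that action point calls for (example code written for this newsletter, not a Kocho or vendor tool), the scanner below parses an SVG attachment and flags the places where active content can hide: script elements, foreignObject wrappers, on* event-handler attributes, and javascript:/data: URLs in href or src. The two sample SVGs are constructed for the test.

```python
import re
import xml.etree.ElementTree as ET

# Attribute names such as onload/onclick carry inline JavaScript in SVG
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# URL schemes that execute code or embed HTML when the link is followed
SCRIPT_URL = re.compile(r"^\s*(javascript:|data:text/html)", re.IGNORECASE)
# Elements that can run script or embed arbitrary HTML inside an SVG
SCRIPT_TAGS = {"script", "foreignobject"}


def _local(name: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(svg_bytes: bytes) -> list[str]:
    """Return a list of findings for one SVG attachment; an empty list means clean."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Lenient renderers may still display broken XML, so treat it as suspect
        return [f"unparseable SVG: {exc}"]
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag in SCRIPT_TAGS:
            findings.append(f"<{tag}> element")
        for raw_name, value in el.attrib.items():
            attr = _local(raw_name)  # handles xlink:href as well as plain href
            if EVENT_ATTR.match(attr):
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr in ("href", "src") and SCRIPT_URL.match(value):
                findings.append(f"script URL in {attr} on <{tag}>")
    return findings


def should_quarantine(svg_bytes: bytes) -> bool:
    """Mail-filter policy: any finding at all is enough to hold the attachment."""
    return bool(scan_svg(svg_bytes))


# Constructed samples: a plain image and one carrying active content
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
             b'<rect width="10" height="10" fill="blue"/></svg>')
MALICIOUS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                 b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
                 b'<script><![CDATA[/* constructed stand-in for a payload */]]></script>'
                 b'<a xlink:href="javascript:void(0)"><text>Open document</text></a></svg>')
```

Run scan_svg over each SVG attachment before delivery; the findings list doubles as the reason string for the quarantine notice.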
Windows 11 flaw allows admin access in under a second
A Windows 11 vulnerability (CVE-2025-24076), discovered in September 2024 and publicly disclosed on April 15, 2025, could let attackers escalate to full admin access in as little as 300 milliseconds.
The issue involves a DLL hijacking flaw in the “Mobile devices” camera function and has prompted swift action from Microsoft.
What’s the risk?
- Rapid privilege escalation with minimal user interaction
- Malicious DLLs maintain core functionality while hiding exploits
- Attackers can fully control compromised machines
Recommended mitigation
Action point: Ensure all endpoints are patched and monitored via your EDR solution.
MACE issue triggers Microsoft Entra account lockouts
If you’ve recently dealt with sudden account lockouts and suspected credential leaks, you’re not alone.
The cause?
MACE, a new credential leak detection tool in Microsoft Entra ID, mistakenly flagged accounts as compromised, causing widespread disruptions.
Designed to help organisations manage identities and secure access, MACE scans for credentials exposed via breaches or the dark web. But early detection errors triggered alerts across multiple tenants, with some providers seeing over 20,000 credential warnings.
No actual breaches occurred, but the fallout was significant. Microsoft traced the issue to an internal logging error involving short-lived refresh tokens, which led to false positives in Entra ID Protection and locked out some users.
The problem, identified on 18 April, has since been fixed. Microsoft confirmed that affected accounts can be restored via the “Confirm User Safe” option in Entra.
What’s the risk?
- Legitimate accounts were locked without warning
- Business continuity was disrupted across multiple tenants
Recommended mitigation
Action point: Audit recent lockouts and prepare internal response plans for automated alerts.
Gmail scam fools 2FA and mimics Google with deepfake precision
A sophisticated phishing campaign is targeting Gmail users using spoofed Google addresses that pass DKIM validation. Victims are being lured to fake login pages under the guise of official warnings, all while attackers capture 2FA codes in real time.
The phishing emails appear to come from [email protected], and the attackers use AI to craft deepfake robocalls and emails that bypass common spam filters. Some of these emails were generated using a flaw in Google OAuth, exploiting the envelope name of an app to mimic an official sender.
What’s the risk?
- Attackers can gain full account access by capturing credentials and 2FA codes in real time
- Compromised Gmail accounts can be used to send phishing emails to contacts
- Sensitive data stored in Gmail or linked Google services can be accessed and exfiltrated
- Use of legitimate Google domains makes phishing emails harder to detect or block
Recommended mitigation
Action point: Reinforce MFA security with passkeys and update phishing simulations to reflect new techniques.
Cyber snippets from around the world
North Korean hackers steal $137m in TRON crypto heist
Recent security updates reveal North Korean-linked threat actors targeting the Web3 and crypto sectors. Google Mandiant’s 2025 report suggests the financial motivation stems from heavy sanctions on North Korea, with stolen funds potentially supporting its weapons programme. The report indicates these actors employ custom tooling that targets multiple operating systems.
Cybercrime losses hit record high of $16.6bn in 2024
The FBI’s Internet Crime Complaint Center (IC3) reported a record-breaking $16.6bn in cybercrime losses in 2024 – 33% up on the previous year. The majority of these losses stemmed from cyber-enabled fraud, involving scams that exploit the internet for illegal activities such as theft of money, data, identity, or producing counterfeit goods or services.
Spyware-laced Android app targets Russian military
A spoofed version of the Alpine Quest Android app is reportedly being used to spy on Russian soldiers. The fake app, embedded with spyware (Android.Spy.1292.origin), tracks locations and scans devices for files. According to Russian security firm Dr Web, it’s disguised as a free Alpine Quest Pro with premium features.

From our blog
Why secure authentication needs a rethink?
Attackers are outpacing traditional authentication. It’s time for a smarter, adaptive approach.
Kocho’s Technology Evangelist, David Guest, explains why organisations must move beyond passwords and basic MFA, and how phishing-resistant authentication, adaptive access controls, and continuous identity protection, powered by Microsoft Entra, can build stronger identity security.
Resources & References
PhaaS: Barracuda | Bleeping Computer | The Hacker News
Windows 11: Microsoft
MACE: Bleeping Computer | SOC Radar
Gmail: Daily Mail | UK PC Mag
Around the world: The Hacker News | Infosecurity Magazine | The Register
Thanks to this month’s contributors from the Kocho SOC team: Jack Fisher, Joshua Powell, Nicci Smart, and James Monaghan
Stay safe. Stay informed.