Email Threat Radar – June 2026
The latest email threats: real Microsoft login phishing, device code scams with a kill switch, split-click attacks, and the shift to malware delivery
Over the last month, Barracuda researchers have seen the following email threats targeting organizations and their employees:
- Real Microsoft login phishing used to steal session tokens in Tycoon 2FA attack
- PDF attachments used for device code phishing with a built-in kill switch
- Sneaky 2FA “split-click” phishing attack where one button has two outcomes
- Shift from credential theft to malware delivery in phishing campaigns
Real Microsoft login page used to capture session tokens in Tycoon 2FA attack
How the attack works
Attackers are using a genuine Microsoft login page rather than a fake version to intercept users’ session tokens and access permissions, allowing them to access the victim’s email, online files and linked Microsoft 365 services.
Users receive a legitimate-looking warning that their inbox is nearly full, with a calendar invite to a meeting with Microsoft security. The meeting is not referred to in the main body of the email, which features a button to release emails that have been held back.
The button is a calendar invite that links to a genuine Microsoft login page – but one that is routed through the Tycoon 2FA phishing-as-a-service platform. In essence, the attackers have registered their own Microsoft account and are asking the victim to enter their details into that.
Example of the attack email with the button that takes them to the real Microsoft login page
The user enters their credentials and receives a session token, which is captured by the attackers.
In a supplementary step, victims are asked to enter their credentials again, but this time into a fake page – allowing attackers to also steal their password.
The techniques used in this Tycoon 2FA-based campaign help to boost the attackers’ chances of success:
- Most phishing attacks rely on imitation pages. Here, attackers use a genuine Microsoft domain, which bypasses many security checks and can even deceive employees trained to spot spoofed URLs.
- The capture of session tokens and OAuth permissions provides the attackers with immediate and persistent access.
- Calendar invites are a rarely monitored attack vector, making them highly effective for bypassing traditional email defenses.
For more technical teams:
In the weaponized OAuth authorization stage, the victim is redirected to a legitimate Microsoft OAuth authorization flow for an application that the attackers themselves registered. Researchers observed the following:
Attack code for the adversary-in-the-middle interception of credentials from a real Microsoft login page
- client_id “16d628a6-9445-4210-8e5b-527b7c9c6191”: This is a malicious application registered in Microsoft Entra by the attackers. It requests permissions scoped to Outlook and includes “offline_access”, which grants a refresh token for persistent access.
- PKCE (code_challenge): The use of an S256 code challenge shows that the attackers’ infrastructure supports Proof Key for Code Exchange (PKCE), making the OAuth flow appear even more legitimate and consistent with modern authentication standards.
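The two indicators above (an unknown client_id and an offline_access scope on an otherwise genuine login.microsoftonline.com URL) are exactly what a URL-reputation check cannot see, because the host is real. The script below is an added example for this article, not Barracuda's tooling: it parses an authorization URL and triages it on the application, scopes and redirect target rather than on the host. The allow-lists and both sample URLs are constructed; the client_id in the first sample is the one reported above, and the scope set and redirect host are assumptions for illustration.

```python
"""Triage an OAuth 2.0 authorization URL for signs of token/consent phishing.

Added example for this article (not Barracuda's code). Allow-lists and sample
URLs are constructed; the client_id in SAMPLE_PHISH_URL is the one the article reports.
"""
from urllib.parse import urlparse, parse_qs

# Hypothetical tenant allow-lists: applications and redirect hosts you approve.
APPROVED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}  # placeholder app id
APPROVED_REDIRECT_HOSTS = {"app.intranet.example"}
# Scopes that hand the caller long-lived access (offline_access => refresh token).
HIGH_RISK_SCOPES = {"offline_access"}
GENUINE_LOGIN_HOST = "login.microsoftonline.com"

# Constructed: the genuine Microsoft authorize endpoint, but the application
# (client_id from the article) and the redirect_uri belong to the attacker.
SAMPLE_PHISH_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=16d628a6-9445-4210-8e5b-527b7c9c6191"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fmailbox-release.example%2Fcallback"
    "&scope=offline_access%20openid%20profile%20Mail.Read"
    "&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    "&code_challenge_method=S256"
)
# Constructed: a flow for an approved application with session-only scopes.
SAMPLE_BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.intranet.example%2Fcallback"
    "&scope=openid%20profile"
)


def triage_authorize_url(url, approved_clients=APPROVED_CLIENT_IDS,
                         approved_redirect_hosts=APPROVED_REDIRECT_HOSTS):
    """Return the parsed parameters, a list of findings and a verdict."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    client_id = params.get("client_id", "")
    scopes = sorted(params.get("scope", "").split())
    redirect_host = (urlparse(params.get("redirect_uri", "")).hostname or "").lower()
    findings = []
    # 1. A genuine host proves nothing; the risk sits in which application is asking.
    if client_id not in approved_clients:
        findings.append(f"client_id {client_id or '<missing>'} is not an approved application")
    # 2. offline_access yields a refresh token: access survives the session and a password change.
    risky = [s for s in scopes if s in HIGH_RISK_SCOPES]
    if risky:
        findings.append("requests " + ", ".join(risky) + " (refresh token, persistent access)")
    # 3. The authorization code, and with it the tokens, go wherever redirect_uri points.
    if redirect_host and redirect_host not in approved_redirect_hosts:
        findings.append(f"authorization code would be delivered to {redirect_host}")
    if not findings:
        verdict = "allow"
    elif client_id not in approved_clients and risky:
        verdict = "block"
    else:
        verdict = "review"
    return {
        "genuine_login_host": (parsed.hostname or "").lower() == GENUINE_LOGIN_HOST,
        "client_id": client_id,
        "scopes": scopes,
        "redirect_host": redirect_host,
        # PKCE is a standards feature; its presence is not evidence of legitimacy.
        "pkce": params.get("code_challenge_method"),
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, url in (("phish", SAMPLE_PHISH_URL), ("benign", SAMPLE_BENIGN_URL)):
        result = triage_authorize_url(url)
        print(f"{label}: verdict={result['verdict']} genuine_host={result['genuine_login_host']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The design point is that the verdict never consults the URL's host: the phishing sample and the benign sample share the same genuine endpoint and differ only in client_id, scope and redirect_uri, which is where an approval check on OAuth applications (and an alert on new offline_access grants) needs to look.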
PDFs abused for device code phishing attacks with built-in kill switch
How the attack works
The attackers have removed suspicious links from the main body of the phishing email and placed them in a PDF attachment where they are less likely to be spotted by URL scanners.
In the campaign seen by Barracuda researchers, the email asks the recipient to open an attachment relating either to a compliance or payment issue. A link in the PDF takes the user to a fake device authentication flow that captures their credentials and business email address.
Example of the Tycoon 2FA device code phishing email
Previously reported device code phishing attacks used real Microsoft APIs. In this campaign, the attackers generate fake device codes locally in the browser, mimicking the legitimate device code authorization flow that victims will recognize from linking apps and devices to their Microsoft accounts.
The use of CAPTCHA blocks automated scanning and sandbox detection and ensures only real users reach the phishing stage.
The campaign is also notable for its short-lived infrastructure. The phishing pages are self-expiring and disappear automatically after a set time. This limits forensic analysis and post-event detection.
Attack code showing the expiry instructions for the phishing page
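Moving the link into a PDF only helps the attacker if the attachment scanner never looks inside the PDF. The block below is an added example for this article, not Barracuda's scanner: it pulls every /URI link action out of a PDF attachment, including ones inside Flate-compressed object streams that a grep over the raw bytes would miss, and marks any host outside a trusted list. The sample PDF is constructed inline and the trusted-host list is a placeholder for your own.

```python
"""Extract and triage link targets from a PDF attachment.

Added example for this article, not Barracuda's scanner. The PDF bytes are
constructed inline; TRUSTED_HOSTS is a placeholder allow-list.
"""
import re
import zlib
from urllib.parse import urlparse

# Hypothetical allow-list of hosts your users are expected to be sent to.
TRUSTED_HOSTS = {"intranet.example"}

# /URI (literal string), /URI <hex string>, and stream bodies to inflate.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _build_sample_pdf():
    """Constructed minimal PDF: two link annotations in clear text (one as a hex
    string) and a third inside a FlateDecode stream."""
    hidden = zlib.compress(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://device-verify.example/code) >> >>")
    hex_uri = "https://pay-release.example/open".encode().hex().encode()
    parts = [
        b"%PDF-1.4",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj",
        b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://intranet.example/invoices) >> >> endobj",
        b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <" + hex_uri + b"> >> >> endobj",
        b"6 0 obj << /Length %d /Filter /FlateDecode >>" % len(hidden),
        b"stream", hidden, b"endstream", b"endobj",
        b"trailer << /Root 1 0 R >>",
        b"%%EOF",
    ]
    return b"\n".join(parts)


def _unescape(raw):
    # PDF literal strings escape ( ) and \ with a backslash.
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_pdf_links(data):
    """Return the distinct /URI targets found in clear text and in Flate streams."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF: missing %PDF- header")
    buffers = [data]
    for m in STREAM.finditer(data):
        try:
            # decompressobj tolerates trailing bytes; raw bytes are scanned regardless.
            buffers.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-encoded (image data, etc.)
    links = []
    for buf in buffers:
        for m in URI_LITERAL.finditer(buf):
            links.append(_unescape(m.group(1)))
        for m in URI_HEX.finditer(buf):
            digits = re.sub(rb"\s", b"", m.group(1))
            links.append(bytes.fromhex(digits.decode()).decode("latin-1"))
    return list(dict.fromkeys(links))  # de-duplicate, keep document order


def triage_pdf_links(data, trusted_hosts=TRUSTED_HOSTS):
    """One row per link: url, host, and whether it falls outside the allow-list."""
    rows = []
    for link in extract_pdf_links(data):
        host = (urlparse(link).hostname or "").lower()
        trusted = any(host == t or host.endswith("." + t) for t in trusted_hosts)
        rows.append({"url": link, "host": host, "suspicious": not trusted})
    return rows


SAMPLE_PDF = _build_sample_pdf()

if __name__ == "__main__":
    for row in triage_pdf_links(SAMPLE_PDF):
        print(("SUSPICIOUS " if row["suspicious"] else "ok         ") + row["url"])
```

Two caveats apply in practice: links can also live in /Launch and /GoToR actions or be encrypted PDF strings, so a production scanner should use a full PDF parser, and, as the article notes, the pages behind these links expire quickly, so the extracted URL should be detonated or blocked at delivery time rather than hours later.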
Sneaky 2FA attack features rare “split-click” technique where one button has two outcomes
How the attack works
Barracuda researchers encountered an email attack featuring a single button that behaved differently depending on where the user clicks.
The email warns users that their mailbox is full, and the message includes a “Resolve Issue” button.
Clicking the top half of the button opens a legitimate Microsoft page, while clicking the bottom half triggers a malicious redirect.
The malicious option opens a blob URL (a browser-generated web page) that redirects via a link to a phishing page belonging to the Sneaky 2FA phishing-as-a-service platform. This is where the attackers capture credentials and other sensitive information.
The split-click interaction is a rarely seen technique. It is used to evade automated link analysis and ensure testing tools can only see the safe version.
Blob URLs are generated dynamically by the browser and are harder to inspect or block using traditional tools.
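A link analyzer that follows only the first href in a button sees the safe half and stops. The block below is an added example for this article, not Barracuda's detection logic: it walks an HTML email body, groups links by the element that contains them, and flags any short call-to-action whose links resolve to more than one host, plus any link using a blob:, javascript: or data: scheme. Both sample emails are constructed; the .example hosts and the 40-character label threshold are assumptions.

```python
"""Flag HTML email buttons whose clickable area leads to more than one destination.

Added example for this article, not Barracuda's detection. Sample emails are
constructed; hosts ending in .example are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SUSPICIOUS_SCHEMES = {"blob", "javascript", "data"}
MAX_BUTTON_LABEL = 40  # a call-to-action label is short; a footer link row is not


class _LinkCollector(HTMLParser):
    """Records every <a href> with its parent element, and each element's
    visible text (own text plus descendants)."""
    VOID = {"br", "img", "hr", "input", "meta", "link"}

    def __init__(self):
        super().__init__()
        self.stack = []      # [(element_id, tag)] of currently open elements
        self.next_id = 0
        self.links = []      # [(parent_element_id, href)]
        self.text = {}       # element_id -> accumulated visible text

    def handle_starttag(self, tag, attrs):
        eid, self.next_id = self.next_id, self.next_id + 1
        self.text[eid] = ""
        if tag == "a":
            parent = self.stack[-1][0] if self.stack else None
            self.links.append((parent, dict(attrs).get("href") or ""))
        if tag not in self.VOID:
            self.stack.append((eid, tag))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][1] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        for eid, _ in self.stack:
            self.text[eid] += data


def analyze_email_html(html):
    """Return a list of findings; an empty list means nothing stood out."""
    p = _LinkCollector()
    p.feed(html)
    p.close()
    findings = []
    for _, href in p.links:
        if urlparse(href).scheme.lower() in SUSPICIOUS_SCHEMES:
            findings.append({"rule": "non-http link scheme", "href": href})
    by_parent = {}
    for parent, href in p.links:
        by_parent.setdefault(parent, []).append(href)
    for parent, hrefs in by_parent.items():
        hosts = sorted({(urlparse(h).hostname or "").lower() for h in hrefs})
        label = " ".join(p.text.get(parent, "").split())
        # One short call-to-action whose links go to different hosts: where the
        # click lands depends on which part of the button was hit.
        if len(hosts) > 1 and len(label) <= MAX_BUTTON_LABEL:
            findings.append({"rule": "one button, multiple destinations",
                             "label": label, "hosts": hosts})
    return findings


# Constructed: a "Resolve Issue" button built from two stacked links with
# different targets, plus a normal footer row whose links share a host.
SAMPLE_SPLIT_CLICK = """
<html><body>
<p>Your mailbox is full. Messages are being held.</p>
<table><tr>
  <td class="btn" style="background:#0078d4;color:#fff">
    <a href="https://login.microsoftonline.com/" style="display:block">Resolve</a>
    <a href="https://mailbox-quota.example/r/abc" style="display:block">Issue</a>
  </td>
</tr></table>
<p><a href="https://corp.example/privacy">Privacy</a> | <a href="https://corp.example/unsubscribe">Unsubscribe</a></p>
</body></html>
"""
# Constructed: an ordinary notification with a single-target button.
SAMPLE_ORDINARY = """
<html><body>
<table><tr><td class="btn"><a href="https://corp.example/portal">Open portal</a></td></tr></table>
<p><a href="https://corp.example/privacy">Privacy</a> | <a href="https://corp.example/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("split-click", SAMPLE_SPLIT_CLICK), ("ordinary", SAMPLE_ORDINARY)):
        print(name, analyze_email_html(sample))
```

The footer row in both samples has two links but one host, so it does not fire; the button in the first sample has one label and two hosts, which is the pattern worth routing to a sandbox that exercises every link rather than the first one it finds.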
Emerging tactics: Phishing shifts from credential capture to malware
Steganographic JavaScript disguised as a harmless PDF
Barracuda researchers uncovered a phishing attack where the typical “fake invoice” download turns out to be a malicious script. The attack email appears to be a routine invoice notification, presenting victims with a link to a fake document named “Invoice.pdf (11.3 KB).”
However, instead of delivering an invoice, the link triggers the download of a malicious JavaScript file. The script hides its malicious code in the fake document using steganography and obfuscation. Once executed, it can load additional malware, gather system information, establish persistence, and communicate with attacker-controlled infrastructure.
Impersonation attack delivers fileless malware
In this campaign, the attackers impersonate the Social Security Administration to distribute a malicious JavaScript file disguised as a payment receipt PDF. The heavily obfuscated script reconstructs a hidden URL, retrieves a second-stage payload from a remote server, and executes it directly in memory using Windows ActiveX components.
By avoiding file drops and leveraging in-memory execution, the malware reduces its visibility to traditional security tools and can be used to deliver credential stealers, banking trojans or other malicious payloads.
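Both campaigns above depend on a script file passing as a document. The block below is an added example for this article, not Barracuda's engine: an attachment triage that checks the declared type against the file signature, spots a document extension hidden in front of a script extension, and looks inside scripts for in-memory execution markers and long encoded strings. The sample attachments are constructed (the encoded string is filler, not a real payload) and the marker list is a starting point, not a complete signature set.

```python
"""Triage an email attachment by name and content.

Added example for this article, not Barracuda's engine. Sample attachments
are constructed; SCRIPT_MARKERS is a minimal, illustrative list.
"""
import re

SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "cmd", "bat", "ps1"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
MAGIC = {"pdf": b"%PDF-", "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04"}
# Strings commonly seen in downloader scripts that stage a payload in memory.
SCRIPT_MARKERS = ("ActiveXObject", "WScript.Shell", "eval(", "unescape(", "fromCharCode")
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/=]{200,}")


def triage_attachment(filename, data):
    """Return findings and a verdict (allow / review / quarantine) for one attachment."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    findings = []
    if ext in SCRIPT_EXTS:
        findings.append(f"executable script extension .{ext}")
    # "Invoice.pdf.js": the document extension is bait, the last one is what runs.
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
        findings.append(f"document extension .{parts[-2]} placed before the real extension .{ext}")
    magic = MAGIC.get(ext)
    type_mismatch = bool(magic) and not data.startswith(magic)
    if type_mismatch:
        findings.append(f"named .{ext} but content does not start with the {ext} signature")
    if ext in SCRIPT_EXTS:
        text = data.decode("latin-1")
        hits = [m for m in SCRIPT_MARKERS if m in text]
        if hits:
            findings.append("script markers: " + ", ".join(hits))
        longest = max((len(m.group()) for m in ENCODED_RUN.finditer(text)), default=0)
        if longest:
            findings.append(f"long encoded string ({longest} chars): hidden payload or obfuscation")
    if ext in SCRIPT_EXTS or type_mismatch:
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": filename, "extension": ext, "findings": findings, "verdict": verdict}


# Constructed: a script named to look like a PDF; the payload string is filler.
SAMPLE_DISGUISED = ("Invoice.pdf.js", (
    "var p = \"" + "QUJD" * 60 + "\";\n"
    "var sh = new ActiveXObject(\"WScript.Shell\");\n"
    "eval(unescape(p));\n").encode())
# Constructed: a real (minimal) PDF with a matching name.
SAMPLE_GENUINE = ("statement.pdf", b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n")

if __name__ == "__main__":
    for name, blob in (SAMPLE_DISGUISED, SAMPLE_GENUINE):
        result = triage_attachment(name, blob)
        print(f"{name}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The name check alone would catch the "Invoice.pdf.js" case; the marker and encoded-string checks are there for the fileless variant, where the script is the whole attack and the only on-disk artifact a responder will find is this file.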
Multi-step Microsoft impersonation to boost deception
Researchers also observed an attack where an HTML file led the recipient to a fake OneDrive page, which in turn took them to an Excel-themed login page. This kind of multi-step redirection improves credential theft success rates by effectively hiding malicious intent.
How to stay safe from these attacks
- Protect identities and session tokens, not just passwords.
- Extend detection beyond email to calendar, attachments and login flows.
- Use behavioural detection to catch evasive attacks.
- Invest in attachment and endpoint protection for fileless and embedded threats.
- Enable rapid response, as attacks are short-lived and hard to trace.
- Update training to reflect real-world phishing techniques now bypassing traditional controls.