Emerging threat: Attackers combine voice and email phishing for a credential knock-out

TL;DR—

  • Scammers now combine email spearphishing messages with a follow-up voice phishing call “from” an IT staff member.
  • The helpful scammer walks the victim through any multifactor authentication (MFA), one-time passwords (OTPs), or other security challenges to steal Google, Microsoft, Okta, or cryptocurrency credentials.
  • The current recommendation is to roll out phishing-resistant MFA (FIDO2/WebAuthn hardware keys such as YubiKeys, which will not release a credential to a lookalike login page). In the meantime, Fable Security recommends organizations send reminder microtrainings on social engineering tactics to the specific cohorts of employees most likely to be targeted.
  • Check out “One ish, two ish: How to prevent modern phishing” for more about modern phishing lures and social engineering attacks like this one.

Okta: Dark web “phishing as a service” kits let scammers email and call victims to bypass MFA

In January 2026, Okta security researchers published research on a new attack format built on pre-made “phishing as a service” (PaaS, also written PhaaS) kits sold on dark web forums.

Scammers can now:

  1. Buy one of these PaaS kits;
  2. Research an organization’s employees and technology stack; and
  3. Create extremely realistic phishing emails “from” a known member of the organization’s IT support staff.

Then, the scammer will follow up their email lure with an actual phone call—a voice phishing, or “vishing”, attack—to the same victim.

Still posing as a member of the organization’s IT help desk, the scammer will walk a victim through a fake login page and ask for whatever one-time passwords (OTPs), multi-factor authentication (MFA) codes, or other authentication challenges may pop up.

The scammer can even tailor the steps they talk the victim through to match what the victim sees on their own screen in real time, so each OTP or MFA code is collected the moment it appears.

To the victim it feels like a legitimate support interaction, not an attack, until it is too late and the scammer holds a working session on their corporate account.

Scammers can plant spyware, steal intellectual property or cryptocurrency, and even infect other corporate devices with malware, ransomware, or wiperware.

The Fable Security team strongly encourages Okta customers to download the complete threat advisory, which contains known indicators of compromise (IOCs) and details of attacks observed in the wild.

Start securing your humans from combo phishing attacks—without YubiKeys

Based on initial reporting and the level of effort required to research and target employees (even with a dark web “as a service” platform coding up the emails and landing pages), Fable threat analysts believe with moderate confidence that larger organizations with publicly available branding guidelines will be most at risk from this phishing combination in the next 3-6 months: public brand assets let a kit reproduce convincing internal IT mail at scale.

As for what these targeted organizations can do, the current recommendation from Okta researchers is phishing-resistant MFA such as FIDO2 hardware keys (YubiKeys, for example). That solution can be expensive to purchase and time-consuming to roll out, particularly for organizations whose employees already dislike MFA applications.

Therefore, while your security team invests in long-term infrastructure to combat growing phishing attempts, Fable suggests your awareness team sends out targeted refresher briefings on spotting social engineering techniques—which include vishing and email phishing red flags. 

For example, you might send out social engineering reminders to:

  • Employees outside the IT help desk and system administration teams who hold high access permissions to critical applications (the scammer poses as IT, so these are the people who would expect a call from IT);
  • Employees likely to answer calls during work hours; or 
  • Employees who have previously clicked on a phishing simulation and either have high access permissions or have not enrolled in MFA. 

Make sure your briefings emphasize:

  • Pausing before clicking or responding to any “suspicious” communications, even if they look legitimate;
  • NEVER sending authentication codes to anyone, for any reason, and never approving an MFA prompt they did not start themselves; and
  • Following current processes for interacting with and accepting IT support. 

When in doubt, they should report the message and ask their security team for advice.

If you’re curious about other types of phishing lures, check out Fable Security’s free ebook, “One ish, two ish: How to prevent modern phishing”—no email required!

Emerging threat: LastPass “Backup Recommended” phishing email

TL;DR—

  • Over a US holiday weekend, attackers sent out urgent LastPass-themed “backup recommended” phishing emails from “mail-lastpass[.]com” to trick victims into revealing their master passwords.
    • Per the latest reports, LastPass itself was NOT compromised and did not leak customer data or credentials.
  • This particular phishing lure combines many effective phishing tactics, such as timing, urgency, and security-specific reassurances.
  • To avoid falling for this and similar phishing attacks, NEVER click, download, or reply to suspicious emails; instead, verify through “last known good” contact information.
  • Check out “One ish, two ish: How to prevent modern phishing” for more about modern phishing lures and other social engineering attacks.

The MLK “Backup Recommended” LastPass phishing email

Password manager vendor LastPass received reports that over the weekend of January 19, 2026, attackers sent branded phishing emails to LastPass customers, pretending that an important “recommended backup” needed to happen within the next 24 hours.

On clicking the link, victims were taken to a realistic—but fake—login page for LastPass, where they were prompted to enter their master password.

With the victim’s email address and master password, and assuming multifactor authentication (MFA) wasn’t set up on the account, an attacker gains access to the victim’s entire LastPass vault and everything stored in it.

Why the LastPass phishing lure works

[Image: the phishing email as received, courtesy of LastPass]

This phishing lure features many extremely effective social engineering tactics, including:

  • Send timing: Attackers sent these lures on a US holiday weekend—right before Martin Luther King, Jr. Day—when victims are distracted and security teams typically understaffed.
  • Language choice:
    • Notice the red alert box at the very top, as well as additional urgency triggers—specifically the “action required” within a short time period. The urgency started even before the email was opened, with subject lines like:
      • LastPass Infrastructure Update: Secure Your Vault Now
      • Protect Your Passwords: Backup Your Vault (24-Hour Window)
      • Important: LastPass Maintenance & Your Vault Security
    • Throughout the email’s body, attackers repeated security-specific reassurances (an “ongoing commitment to security” statement and a matching checklist) to mask malicious intent.
  • Plausible packaging:
    • LastPass is a respected and personally important brand for its victims, increasing the chance they click the email.
    • The sender domain, “mail-lastpass[.]com”, sounds right at first glance. The legitimate domain is lastpass.com; “mail-lastpass.com” is a different registrable domain that anyone can buy, unlike a subdomain such as mail.lastpass.com.
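A practitioner would want a check that turns the three tells above (holiday-weekend timing, urgency wording, and a lookalike sender domain) into something that can run over real headers. The following Python script is an added example, not LastPass or Fable Security code: it refangs the defanged IOC, compares the sender’s registrable domain against an assumed allowlist (lastpass.com is assumed here to be the only legitimate sending domain), scores the subject lines quoted above for urgency, and flags weekend sends. The email headers it parses are constructed for illustration; only the mail-lastpass[.]com domain comes from the advisory.

```python
"""Triage LastPass-style lures from raw email headers.

Added example, not LastPass or Fable Security code. The sample messages
below are constructed; only the mail-lastpass[.]com sender domain is the
reported indicator from the advisory.
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumption: lastpass.com is the only domain that legitimately sends LastPass
# mail. Extend this map with your own brands and their vetted sending domains.
BRAND_DOMAINS = {"lastpass": {"lastpass.com"}}

# Urgency cues taken from the subject lines quoted in the advisory.
URGENCY_PATTERNS = [
    r"\b(secure|protect) your\b",
    r"\bnow\b",
    r"\baction required\b",
    r"\b\d{1,2}[- ]hour\b",
    r"\b(important|urgent)\b",
    r"\bmaintenance\b",
]


def refang(text: str) -> str:
    """Turn defanged IOC notation such as 'mail-lastpass[.]com' back into a real domain."""
    return text.replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """Naive registrable-domain cut: keep the last two labels.
    Good enough for .com; production code should use a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender(from_header: str) -> tuple:
    """Return (verdict, brand) where verdict is 'legit', 'lookalike' or 'unrelated'."""
    name, addr = parseaddr(from_header)
    host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reg = registrable_domain(host)
    for brand, allowed in BRAND_DOMAINS.items():
        if reg in allowed:                # mail.lastpass.com -> lastpass.com
            return "legit", brand
        if brand in host or brand in name.lower():
            # Brand name in the host (mail-lastpass.com) or only in the display
            # name, while the registrable domain is not on the allowlist.
            return "lookalike", brand
    return "unrelated", None


def urgency_score(subject: str) -> int:
    """Count distinct urgency cues present in a subject line."""
    s = subject.lower()
    return sum(1 for p in URGENCY_PATTERNS if re.search(p, s))


def sent_on_weekend(date_header: str) -> bool:
    """True when the Date header falls on a Saturday or Sunday."""
    return parsedate_to_datetime(date_header).weekday() >= 5


def analyze(raw_message: str) -> dict:
    """Parse headers and return the sender verdict, urgency score and triage flags."""
    msg = message_from_string(refang(raw_message))
    verdict, brand = classify_sender(msg.get("From", ""))
    score = urgency_score(msg.get("Subject", ""))
    weekend = sent_on_weekend(msg["Date"]) if msg.get("Date") else False
    flags = []
    if verdict == "lookalike":
        flags.append("lookalike-sender")
    if score >= 2:
        flags.append("urgent-subject")
    if weekend and verdict != "legit":
        flags.append("off-hours-send")
    return {"sender": verdict, "brand": brand, "urgency": score,
            "weekend": weekend, "flags": flags}


# Constructed samples. January 17-18, 2026 is the weekend before MLK Day.
LURE = """From: LastPass Security <noreply@mail-lastpass[.]com>
To: user@example.com
Subject: Protect Your Passwords: Backup Your Vault (24-Hour Window)
Date: Sat, 17 Jan 2026 09:12:00 -0500

Action required: back up your vault within 24 hours.
"""

SPOOFED_NAME = """From: LastPass Support <help@secure-logins.example>
To: user@example.com
Subject: LastPass Infrastructure Update: Secure Your Vault Now
Date: Sun, 18 Jan 2026 21:05:00 +0000
"""

LEGIT = """From: LastPass <noreply@lastpass.com>
To: user@example.com
Subject: Your monthly security report
Date: Tue, 13 Jan 2026 10:00:00 +0000
"""

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("spoofed name", SPOOFED_NAME), ("legit", LEGIT)):
        print(label, analyze(sample))
```

The two-label registrable-domain cut is deliberately naive (it would mis-handle country-code suffixes such as co.uk); swap in a public-suffix library for production use. This is a triage aid for the tells described on this page, not a replacement for SPF/DKIM/DMARC results, which your mail gateway should already be evaluating.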

How to avoid getting hooked by the MLK LastPass lure and similar phishing messages

  • DO NOT REPLY TO, DOWNLOAD, CLICK, OR CALL ANYTHING in a suspicious message!
    • After all, if the email is real, you can always come back to it later!
  • Confirm the message through a known-good channel, such as going to the sender’s website directly or sending a new email to customer support.
    • In this case, you could open the LastPass application itself to see if there was a maintenance banner, as well as find legitimate contact information for their help desk to verify the message.
  • Remember that no password manager company (or financial institution, store, or other vendor) will ever ask for your password. LastPass in particular never sees your master password, so it cannot need it to “back up” your vault.

While the email itself didn’t ask for the password outright (the fake login page did that), many similar phishing emails, voice phishing (“vishing”) calls, and SMS phishing (“smishing”) messages will ask for your authentication codes or offer to enter the password for you… and steal it instead.

If you’re curious about other types of phishing lures, check out Fable Security’s free ebook, “One ish, two ish: How to prevent modern phishing”—no email required!