Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing

The Tycoon2FA phishing kit now supports device-code phishing attacks and abuses Trustifi click-tracking URLs to hijack ...
CSO Online

FlowerStorm phishing gang adopts virtual-machine obfuscation to evade email defenses

Researchers say the campaign uses a browser-based JavaScript VM to hide credential theft and intercept MFA at scale.

Running Claude Code or Claude in Chrome? Here's the audit matrix for every blind spot your security stack misses

Four research teams found the same confused deputy failure in Claude across three surfaces in 48 hours. This audit matrix ...