Threat Briefing, March 23, 2026

Weekly Threat Briefing: March 17–23, 2026

Surge in AI-generated phishing targeting financial services, new credential harvesting kit exploiting OAuth redirect flows, and community reporting hits all-time high.

Overview

This week saw a notable spike in AI-generated phishing emails targeting financial services employees. The vspam.org community submitted 9,412 reports — a new weekly record — with 7,203 confirmed and 1,089 rejected. Community response time averaged 38 minutes from submission to confirmation.

AI-Generated Phishing Emails

A coordinated campaign targeting banking and insurance employees used large language models to generate highly personalized phishing emails. Unlike traditional template-based phishing, these emails contained contextually accurate industry terminology and mimicked internal communication patterns.

  • 423 unique phishing URLs identified across 89 domains
  • Emails referenced real regulatory changes (Basel IV timelines) to establish credibility
  • Sender addresses spoofed legitimate financial compliance firms
  • Landing pages used AI-generated profile photos for fake compliance officers
  • Detection rate by traditional email filters: 31% (vs. 78% for template phishing)

OAuth Redirect Flow Exploitation

A new credential harvesting kit dubbed 'AuthSnag-2' was discovered exploiting OAuth authorization code redirect flows in enterprise SSO implementations. The kit intercepts OAuth redirect URIs by registering lookalike callback domains.

  • Primarily targets Microsoft Entra ID and Okta
  • 67 registered redirect domains mimicking legitimate OAuth callbacks
  • Exfiltrated tokens grant persistent access without triggering MFA re-prompts
  • Kit sold on Telegram for $800/month with managed infrastructure
  • Indicators added to vspam.org feeds within 4 hours of first report
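
A defender-side check for the lookalike callback domains described above, as an added example that is not from vspam.org or from the kit itself: it classifies redirect URIs exported from an identity provider's app registrations against a host allowlist (host-level only; it does not compare scheme or path). The trusted hosts, the sample URIs and the 0.85 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: callback hosts the organisation really operates (constructed).
TRUSTED_HOSTS = {"login.example-bank.com", "sso.example-bank.com"}
SIMILARITY_THRESHOLD = 0.85  # assumption: tune against your own domains


def classify_redirect_uri(uri, trusted=TRUSTED_HOSTS):
    """Return 'trusted', 'lookalike' or 'unknown' for one redirect URI."""
    host = (urlsplit(uri).hostname or "").rstrip(".")
    try:
        # IDNA-encode so Unicode homoglyphs surface as xn-- (punycode) labels.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "lookalike"  # malformed host name: send to review
    if host in trusted:
        return "trusted"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"  # untrusted host with punycode: possible homoglyph
    for good in trusted:
        # Trusted name used as a subdomain prefix of someone else's zone.
        if host.startswith(good + "."):
            return "lookalike"
        # Near-identical spelling (character swap, insertion, deletion).
        if SequenceMatcher(None, host, good).ratio() >= SIMILARITY_THRESHOLD:
            return "lookalike"
    return "unknown"


def audit(registrations):
    """Map each non-trusted (app, uri) pair to its verdict."""
    return {(app, uri): verdict
            for app, uri in registrations
            if (verdict := classify_redirect_uri(uri)) != "trusted"}


# Constructed sample of redirect URIs as exported from app registrations.
SAMPLE = [
    ("hr-portal", "https://login.example-bank.com/oauth/callback"),
    ("expense-app", "https://login.examp1e-bank.com/oauth/callback"),
    ("crm", "https://login.example-bank.com.auth-callback.net/cb"),
    ("wiki", "https://login.ex\u0430mple-bank.com/cb"),  # Cyrillic 'a'
    ("vendor-tool", "https://portal.unrelated-vendor.io/cb"),
]

if __name__ == "__main__":
    for (app, uri), verdict in audit(SAMPLE).items():
        print(f"{verdict:9} {app:12} {uri}")
```

Anything reported as `lookalike` or `unknown` is a redirect URI to remove or justify; exact-match redirect URI validation at the identity provider remains the primary control.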

Platform Metrics

Key community metrics for the week:

  • 9,412 total reports submitted (+14% week-over-week)
  • 7,203 confirmed, 1,089 rejected, 1,120 pending review
  • Median confirmation time: 38 minutes
  • 12 new Trusted-tier reporters promoted from Newcomer
  • DNSBL zone size: 34,891 active entries (+2.1%)

Top Targeted Brands

This week's most impersonated brands by confirmed phishing report volume:

  • Microsoft (31%) — driven by the OAuth campaign
  • JPMorgan Chase (12%) — AI-generated financial phishing
  • PayPal (9%) — steady volume of credential harvesting
  • DHL (8%) — package delivery SMS phishing
  • Amazon (7%) — fake order confirmation emails
Tags: ai-phishing, oauth-abuse, financial-services, weekly-briefing

For automated IOC data from this briefing, check the threat feeds. Questions about our analysis? Contact research@vspam.org.