Request Your Demo

"*" indicates required fields

Contact Information

PIXM Blog

Verify You are Human: How Legitimate CAPTCHAs are Concealing Phishing Attacks

  Between June 23 and 30, the phishing we detected in enterprise browsers clustered around two themes that also dominated the week’s security headlines: fake e-card “invitations” that harvest corporate credentials and fake “virus” warnings that push victims to phone a scammer. Both leaned on infrastructure users are trained to trust to slip past reputation […]

Read More

Anatomy of a Phish: Engineering Panic

  It didn’t start with an email. The user clicked a Facebook ad — a sponsored post that looked routine — and a tab opened to what looked like an official Microsoft Support page. Within seconds the browser locked up: a dialog they couldn’t dismiss, a fake security scan reporting “1,200 threats,” and their own […]

Read More

Ad-Funded Phishing: How Facebook and Google Deliver Attacks to Enterprise Browsers

  Between June 16 and June 22, we detected phishing campaigns spanning tech support scams delivered via Facebook ads on Azure infrastructure, Microsoft credential harvesting hosted on Heroku and promoted through Google Ads, Paperless Post invitation lures targeting multiple email providers. What ties them together: these campaign abused trusted infrastructure both to host and deliver […]

Read More

The Browser Under Siege: Q1 2026 Phishing Report

Across Q1 2026, PIXM detected and analyzed over 75 distinct phishing campaigns. What stands out is not the volume — it is how rapidly the campaigns matured across the quarter. January’s attacks relied on credential harvesting forms and consumer brand impersonation. By March, the same threat surface featured 100+ phishing pages hosted on Microsoft’s own […]

Read More

70 Clicks in 24 Hours: OneDrive Phish Explodes via Backblaze

  Mid October saw astonishingly widespread phishing campaigns, with a single OneDrive phishing link clicked by over 70 users within 24 hours. Similar to attacks reported in September and early October, these were hosted on Backblaze infrastructure and exfiltrated detailed information about their victims. The same period saw surges in Attack-in-the-Middle (AiTM) phishing, also hosted […]

Read More

Invoice Phish Tsunami: MFA-Bypassing Phish Sweep U.S. via OneDrive & Backblaze

  Early October and late September saw a concentrated wave of phishing campaigns using document share and billing updates lures, particularly across Outlook, Sharepoint and OneDrive. Many of these were hosted on legitimate infrastructure like Backblaze, Azure, and compromised small business domains, with near 100% adoption of MFA phishing flows and kits. Here are some […]

Read More

AiTM Evolution and Cloud Abuse: September’s Backblaze-Driven Phishing Wave

  Phishing campaigns hosted on Backblaze infrastructure seen earlier in the September substantially ratchetted up in the second half, complete with credential exfiltration through Telegram and lures referencing purchase orders. Other widespread phishing campaigns that hit half a dozen organizations during this period used Attack in the Middle (AiTM) tools to exfiltrate two factor codes […]

Read More

September Phishing Fires: Backblaze Ablaze with OneDrive Credential Attacks

  The first half of September witnessed yet new records of Microsoft spearphish volume, with threat actors employing advanced evasion techniques, including payload encryption, device fingerprinting, and infrastructure abuse of reputable hosts like Backblaze, Hostinger, and Telegram’s Bot API. The same period saw sustained phishing targeting of personal accounts on work devices like American Express […]

Read More

August Phish Flood Warning: Credential Attacks Raining Down from Cloudflare

Later August saw records of phishing activity spanning Microsoft support scams, Adobe file shares and Paperless Post deliveries. Tactics involved MFA relay kits and usage of CloudFlare infrastructure to evade detection. The same period saw continued targeting of personal accounts like Amazon and Yahoo on work devices. Below are some examples and highlights. tgcj86gcjyp[.]z13[.]web[.]core[.]windows[.]net hdbn46dhu[.]z13[.]web[.]core[.]windows[.]net […]

Read More
Share This