Off-the-shelf tools make life easier for phishing attackers

New research from Fortinet’s FortiGuard Labs highlights a recently identified phishing campaign that uses carefully crafted emails to deliver malicious URLs linked to convincing phishing pages.

These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter, malware that ultimately deploys various remote access tools (RATs).

What the research demonstrates is that attackers can now easily make phishing emails and fake websites using ready-made tools found online. These tools let them build a complete system to spread malware, not just deliver simple scams.

The attack is operating on a global scale. In just two weeks, the detection count has more than doubled, reflecting a rapid and aggressive growth pattern. The impact is being felt across multiple sectors, with manufacturing, technology, healthcare, construction, and retail/hospitality among the most affected industries.

Unlike other phishing attacks, this is not just about stealing email logins; it is a complete attack process that can secretly install a malicious payload inside a company’s network. Once inside, attackers can keep control of the systems for an extended period. Users and organizations should take this threat seriously, use strong email filters, and make sure staff are trained to recognize and avoid these types of attacks.

J Stephen Kowski, field CTO at SlashNext Email Security+, says:

This phishing campaign is tricky because it personalizes fake websites with the victim’s own email and company logo, making the scam look real. The malicious files delivered are not just for stealing passwords but for installing powerful remote access tools that give attackers long-term control. What’s most important to understand is that this isn’t a one-time data theft—it’s a full system breach that can spread quietly inside company networks.

Teams should focus on catching these threats before users click, since blocking at the email and web layer is the fastest defense. Automated detection that looks past obfuscation in scripts and phishing sites is key, because traditional filters often miss the tricks used here. Training staff to spot lures like fake voicemails or order requests helps, but pairing that with threat detection that stops malicious downloads in real time is what really keeps attackers out.

You can find out more on the Fortinet blog.
