
Email Threat Radar – July 2025
During July, Barracuda threat analysts identified several notable email-based threats targeting organizations around the world. Many of them leveraged popular phishing-as-a-service (PhaaS) kits. The threats include:
- Tycoon PhaaS impersonating the Autodesk Construction Cloud for a credential phishing attack
- A fake toll violation scam targeting U.S.-based drivers
- Phishing emails mimicking the Zix Secure Message service
- EvilProxy attacks impersonating RingCentral
- Gabagool phishing kit exploiting a business productivity tool with toxic PDFs
- Phishing attacks bundling Copilot and SharePoint brands
- LogoKit credential theft attacks using Roundcube webmail service
- Tycoon links distributed as document downloads
Phishing attacks abusing Autodesk Construction Cloud
Threat Snapshot:
Barracuda’s threat analysts have seen attackers abusing the Autodesk Construction Cloud to deliver sophisticated phishing attacks. The Autodesk Construction Cloud is a set of online collaboration tools for people working on construction projects, from design and build to project management and budgeting.
In the attacks seen by Barracuda, attackers impersonate a trusted executive and send official-looking project notifications through Autodesk. The notifications lead recipients to an Autodesk-hosted page containing a seemingly harmless ZIP file.

The ZIP contains an HTML file that initiates the phishing attempt.
Opening the HTML file brings up a fake CAPTCHA verification screen — a common technique in phishing because it lends credibility to the attack and helps it bypass automated security detection. The user is then prompted to enter Microsoft login credentials on a convincingly spoofed page.

This campaign employs the Tycoon 2FA phishing kit, which is designed to mimic Microsoft’s login and can bypass two-factor authentication protections.
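A triage check for the delivery pattern described above (a ZIP from a trusted file-sharing page that holds a single HTML file), as an added example that is not Barracuda's code. The flag names, the size cap and the sample archive are assumptions made for this illustration.

```python
import io
import re
import zipfile
from html.parser import HTMLParser

HTML_EXT = (".html", ".htm", ".shtml", ".xhtml")
MAX_BYTES = 2_000_000  # read cap per member, so a huge file cannot exhaust memory

class _Scan(HTMLParser):  # collects markup features typical of a credential-capture page
    def __init__(self):
        super().__init__()
        self.flags = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.flags.add("password-field")
        if tag == "form" and re.match(r"\s*(https?:)?//", a.get("action", ""), re.I):
            self.flags.add("form-posts-to-remote-host")

    def handle_data(self, data):  # also receives the text inside <script>
        if re.search(r"captcha|verify you are human", data, re.I):
            self.flags.add("captcha-lure")
        if re.search(r"\b(atob|unescape|eval)\s*\(|location\.(href|replace)", data):
            self.flags.add("script-decode-or-redirect")

def triage_zip(blob: bytes) -> dict:
    """Return {member name: sorted flags} for every HTML member of the archive."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(HTML_EXT):
                continue
            with zf.open(info) as fh:
                text = fh.read(MAX_BYTES).decode("utf-8", errors="replace")
            scanner = _Scan()
            scanner.feed(text)
            scanner.close()
            report[info.filename] = sorted(scanner.flags)
    return report

def build_sample() -> bytes:  # constructed, inert sample shaped like the lure above
    page = ('<p>Complete the CAPTCHA to view the project file</p>'
            '<form action="https://collector.example/submit"><input type="password"></form>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Project_Update.html", page)
        zf.writestr("notes.txt", "constructed sample, not from the report")
    return buf.getvalue()
```

An archive whose only HTML member carries both a password field and a remote form target is a strong candidate for quarantine and manual review.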
Attackers target U.S. road users with new toll scam
Threat Snapshot:
A new phishing scam is targeting U.S.-based drivers with fake notices about unpaid tolls. Victims receive urgent messages via text, email or phone calls, often appearing to come from legitimate toll agencies. These messages claim the recipient owes a fee and threaten account suspension or legal action if payment is not made immediately.


Urgency and official-looking branding pressure recipients to act without verifying the legitimacy of the message, which makes this scam highly effective.
Phishing campaign impersonating the Zix Secure Message Center
Threat Snapshot:
This campaign mimics the Zix Secure Message Center, an encrypted email service that is popular with organizations in healthcare, finance, legal and government sectors.
Victims receive an email about a supposed secure message, with a link to click to view it. The link takes users to a fake Zix page where they are asked to enter their email. They are then redirected to a fraudulent Microsoft login page designed to steal credentials.


EvilProxy fake voicemail attack spoofing RingCentral
Threat Snapshot:
Barracuda’s threat analysts have seen a sophisticated phishing attack using fake voicemail alerts to trick victims into entering their credentials on malicious sites.

Posing as RingCentral, a popular cloud-based business communications and collaboration platform, attackers send convincing emails about a ‘new voicemail,’ complete with personalized details. Clicking the play button initiates a series of redirections — starting with a trusted newsletter platform (Beehiiv), followed by legitimate cloud hosting (Linode), and finally a verification step on glitch.me.
These steps help the attack evade detection and add credibility. The destination is a phishing page built with the EvilProxy PhaaS kit, which is designed to harvest Microsoft credentials and can bypass common security checks. This multilayered approach makes the attack difficult to spot and highly effective.
Gabagool phishing kit exploits business productivity tool with toxic PDFs
Threat Snapshot:
Gabagool is a sophisticated PhaaS kit known for its stealth and effectiveness and for targeting corporate and government employees with advanced credential-stealing tactics. Barracuda’s threat analysts have spotted attackers using Gabagool and the file-sharing functionality of the Notion.com business productivity tool to distribute malicious PDF files containing phishing links. The PDFs lead to phishing pages designed to steal user credentials. By leveraging a trusted platform and seemingly innocuous PDFs, attackers increase the chances of bypassing standard security controls.
Bundling Copilot and SharePoint brands for phishing
Threat Snapshot:
Cybercriminals are combining Microsoft SharePoint and Copilot branding in phishing schemes, crafting emails that look like genuine ‘Document shared’ alerts from internal or vendor accounts. These messages encourage recipients to click links leading to expertly spoofed Microsoft login pages. The campaign targets organizations that rely on Microsoft tools, aiming to harvest login credentials from unsuspecting employees.
LogoKit supports credential theft using Roundcube webmail service
Threat Snapshot:
This phishing campaign targets users of the Roundcube free open-source webmail client with fake password expiration alerts, warning that their passwords will expire in 48 hours unless action is taken. The message includes a link, supposedly to retain the current password, but it leads to a phishing site built using the LogoKit toolkit. Here, users are prompted to enter their credentials, which are then harvested by attackers.
Tycoon PhaaS link distributed as project document download
Threat Snapshot:
This phishing campaign circulates emails disguised as legitimate business documents, such as ‘Project Overview.pdf.’ Victims are enticed to click on download links, which redirect through several intermediate pages to mask the malicious intent, eventually landing on a Tycoon PhaaS-hosted phishing site. This modular and evasive strategy helps criminals bypass detection and increases the longevity of malicious URLs. The campaign targets business users accustomed to exchanging documents, making them more likely to trust and interact with the phishing links, resulting in stolen credentials and potential business compromise.
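Both the RingCentral voicemail lure and the Tycoon document-download lure depend on a chain of intermediate redirects, so the chain itself is a detection signal. The following scoring function is an added example, not Barracuda's logic; the platform list, the thresholds, the expected_login_domains parameter and every sample URL are assumptions (only glitch.me is named in the report).

```python
from urllib.parse import urlsplit

# Multi-tenant platforms where anyone can publish a page. glitch.me is named in the
# report; the two .example entries are placeholders for the newsletter and cloud
# hosting platforms and must be replaced with a maintained list.
SHARED_PLATFORMS = ("newsletter-platform.example", "cloud-host.example", "glitch.me")
LOGIN_HINTS = ("login", "signin", "oauth")

def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

def score_chain(hops, expected_login_domains):
    """hops: ordered URLs recorded while following one link, e.g. by a URL sandbox.
    expected_login_domains: where this organisation's users really sign in (assumption)."""
    hosts = list(dict.fromkeys(h for h in map(_host, hops) if h))
    reasons = []
    if len(hosts) >= 3:
        reasons.append("three-or-more-hosts")
    if sum(any(_under(h, p) for p in SHARED_PLATFORMS) for h in hosts) >= 2:
        reasons.append("multiple-shared-platforms")
    if hops:
        last = urlsplit(hops[-1])
        target = ((last.hostname or "") + last.path).lower()
        on_brand = any(_under(_host(hops[-1]), d) for d in expected_login_domains)
        if any(hint in target for hint in LOGIN_HINTS) and not on_brand:
            reasons.append("login-page-off-brand")
    return {"hosts": hosts, "reasons": reasons, "suspicious": len(reasons) >= 2}

# Constructed chains; every URL below is made up for this example.
SAMPLE_LURE = [
    "https://links.newsletter-platform.example/c/abc",
    "https://bucket-1.cloud-host.example/v.html",
    "https://check-human.glitch.me/",
    "https://portal.phish.example/common/oauth2/login",
]
SAMPLE_BENIGN = ["https://login.microsoftonline.com/common/oauth2/authorize"]
```

Requiring two independent reasons keeps ordinary single-hop link tracking from being flagged on its own.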
How Barracuda Email Protection can help your organization
Barracuda Email Protection offers a comprehensive suite of features designed to defend against advanced email threats.
It includes capabilities such as Email Gateway Defense, which protects against phishing and malware, and Impersonation Protection, which safeguards against social engineering attacks.
Additionally, it provides Incident Response and Domain Fraud Protection to mitigate risks associated with compromised accounts and fraudulent domains. The service also includes Cloud-to-Cloud Backup and Security Awareness Training to enhance overall email security posture.
Barracuda combines artificial intelligence and deep integration with Microsoft 365 to provide a comprehensive cloud-based solution that guards against potentially devastating, hyper-targeted phishing and impersonation attacks.