Cybersecurity researchers are warning of a new and more targeted credential phishing technique known as precision-validating phishing, which leverages real-time email validation to ensure that phishing attempts only engage with verified, high-value email addresses. Uncovered by Cofense, this approach marks a significant evolution from broad, indiscriminate phishing tactics by delivering fake login pages only to victims whose emails are pre-validated against the attacker’s database. If a user’s email isn't recognized, they're redirected to harmless websites like Wikipedia to avoid detection. This selective targeting improves the success rate of stolen credentials and evades automated defenses such as sandboxes or crawlers. In a related campaign, attackers used file deletion warnings and legitimate services like files.fm to lure users into downloading a fake PDF that either redirects to a bogus Microsoft login page or drops malicious software disguised as OneDrive, which is actually the ConnectWise ScreenConnect remote access tool. Additionally, Ontinue reported a multi-stage phishing operation linked to threat clusters Storm-1811 and STAC5777, combining vishing, PowerShell payloads via Microsoft Teams, and remote tools like Quick Assist and TeamViewer, along with living-off-the-land techniques using sideloaded DLLs and JavaScript-based C2 backdoors.

‍