---
title: "Cybersecurity News, TA453's Phishing Tactic, Dark Web's EvilProxy Toolkit, Queen's Passing Phishing Alert | DMARC Report"
description: "Cybercriminals are using new techniques to increase their chances of success in targeted phishing attacks against various organizations."
image: "https://dmarcreport.com/og/blog/news-impersonation-dark-web-phishing-alert.png"
canonical: "https://dmarcreport.com/blog/news-impersonation-dark-web-phishing-alert/"
---

Quick Answer

The Iranian hacking group TA453 recently [developed](https://cyware.com/news/ta453-uses-multi-persona-impersonation-mpi-tactic-in-phishing-attacks-38b6ec14) a new phishing technique called Multi-Persona Impersonation (MPI), which uses multiple personas/e-mail accounts to lure the victims into realistic email conversations, which are difficult to detect.


![Cybersecurity News, TA453's Phishing Tactic, Dark Web's EvilProxy Toolkit, Queen's Passing Phishing Alert](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-report-4236.jpg) 

Cybercriminals are using new techniques to increase their chances of success in targeted phishing attacks against various organizations. Undoubtedly, online phishing scams are rising, causing significant losses to businesses and individuals. Here are the latest developments related to email security.

> The support tickets we get after a spoofing incident all start the same way: ‘we didn’t know someone was sending email from our domain,’ says Vasile Diaconu, Operations Lead at DuoCircle. DMARC reporting would have caught it weeks earlier. The cost of monitoring is nothing compared to the cost of a successful impersonation attack.

According to the [FBI’s 2022 Internet Crime Report (IC3)](https://www.ic3.gov/Media/PDF/AnnualReport/2022IC3Report.pdf), 300,497 US-based victims reported phishing incidents in a single year, and Business Email Compromise (BEC) caused more than $2.7 billion in direct losses.

## TA453 Utilizes Multi-Persona Impersonation (MPI) Tactic in Latest Phishing Attacks

The Iranian hacking group TA453 recently [developed](https://cyware.com/news/ta453-uses-multi-persona-impersonation-mpi-tactic-in-phishing-attacks-38b6ec14) a new phishing technique called Multi-Persona Impersonation (MPI), which uses multiple personas/e-mail accounts to lure the victims into realistic email conversations, which are difficult to detect.

### _The MPI phishing technique_

Researchers from Proofpoint state that the MPI phishing technique uses social proof, a psychological principle, to lure the victims easily by adding an element of authenticity. MPI requires greater attention to detail, like monitoring the activities of the fake person (wherever applicable) and maintaining a realistic conversation with the potential victim.

### _How did threat actors fake scenarios?_

The researchers described three instances linked to the MPI technique:

- In the first case, the sender was posing as the Director of Research at FRPI. He CCed the Director of Global Attitudes Research, PEW Research Center, in an email forwarded to the target.
- The second case involved scientists who specialized in genome research. The CCed person sent a OneDrive link that downloaded a document containing malicious macros.
- In the third attack, the threat group targeted two academics specializing in nuclear arms control. The group CCed three people to make the attack look more complex.

Researchers warn that organizations should maintain increased awareness when receiving emails from suspicious or unknown senders. Techniques like MPI will evolve in the future to cause greater harm.

## EvilProxy Phishing Toolkit Found on Dark Web Forums

A new Phishing-as-a-Service (PhaaS) called EvilProxy (or Moloch) was up for sale on dark web forums, Resecurity has [reported](https://www.resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web).

Resecurity published an advisory saying EvilProxy actors use cookie injection and reverse proxy methods to bypass two-factor authentication (2FA), proxying the victim’s session. The advisory further states that cyber-espionage groups and advanced persistent threat (APT) actors have used such techniques.

“However, EvilProxy is the successful productization of these methods, highlighting the significance of growing attacks against MFA authorization mechanisms and online services,” Resecurity wrote.

Furthermore, based on its ongoing investigation of attacks against various employees of Fortune 500 companies, Resecurity says it has obtained substantial knowledge regarding EvilProxy, including its modules, functions, structure, and network infrastructure.

Security researchers said they had identified early occurrences of EvilProxy in attacks against MSFT and Google customers with MFA enabled on their accounts (with SMS or Application Token). Establishing a timeline for EvilProxy’s operations, researchers said they spotted the malware in early May 2022 when cybercriminals released a video demonstrating how one can use it to deliver advanced phishing links.

These threat actors can use it to compromise consumer accounts on Apple, Instagram, Microsoft, Facebook, Google, and Twitter, among others.

## Users Alerted as Phishing Campaigns Exploit Queen Elizabeth II’s Passing

Experts warned that threat actors are [using](https://www.tomsguide.com/news/hackers-are-exploiting-the-queens-death-watch-out-for-these-scams) the Queen’s death as a lure to phish for victims’ Microsoft credentials. Proofpoint recently posted a screenshot showing a spoofed email that looked as if it had been sent by the tech giant. With the headline, “In Memory of Her Majesty, Queen Elizabeth II,” the email said that Microsoft is going to launch an AI memory board in her memory. The spoofed email further requested the users’ assistance to make it work.

The victims had to click on a link embedded in the email, which took them to a page that asked them to enter their email credentials. Proofpoint warned that the sophisticated phishing attempt could bypass MFA (multi-factor authentication).

Proofpoint researchers added that the campaign used a man-in-the-middle (MITM) phishing framework, utilizing a reverse proxy for custom landing pages for each victim. The infrastructure used to deploy the phishing campaign bypassed MFA to collect user credentials.
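A defender-side check for the session hijacking described in the EvilProxy and Queen's-death campaigns above, as an added example that is not from the original article, Resecurity or Proofpoint: once a reverse proxy has captured a post-MFA session cookie, the same session tends to reappear from a second client. The JSON-lines schema, field names, function names and sample events are assumptions constructed for illustration.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical JSON-lines schema (documentation IP ranges).
SAMPLE_LOG = """
{"ts":"2022-09-14T09:00:05Z","user":"alice","session":"s-1001","event":"mfa_success","ip":"198.51.100.23","ua":"Chrome/105 Windows"}
{"ts":"2022-09-14T09:01:10Z","user":"alice","session":"s-1001","event":"request","ip":"198.51.100.23","ua":"Chrome/105 Windows"}
{"ts":"2022-09-14T09:07:42Z","user":"alice","session":"s-1001","event":"request","ip":"203.0.113.77","ua":"Firefox/104 Linux"}
{"ts":"2022-09-14T10:00:00Z","user":"bob","session":"s-2002","event":"mfa_success","ip":"192.0.2.10","ua":"Firefox/104 macOS"}
{"ts":"2022-09-14T10:30:00Z","user":"bob","session":"s-2002","event":"request","ip":"192.0.2.99","ua":"Firefox/104 macOS"}
{"ts":"2022-09-14T11:00:00Z","user":"carol","session":"s-3003","event":"mfa_success","ip":"192.0.2.50","ua":"Safari/16 iOS"}
{"ts":"2022-09-14T11:20:00Z","user":"carol","session":"s-3003","event":"request","ip":"203.0.113.5","ua":"Safari/16 iOS"}
"""

def parse_events(text):
    """Parse JSON-lines events and return them in time order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])

def network_of(ip):
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) to tolerate DHCP churn."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def find_replayed_sessions(events, window=timedelta(hours=24)):
    """Flag sessions reused from a different network AND user agent than the MFA client."""
    mfa_client, alerts = {}, {}
    for e in events:
        sid = e["session"]
        if e["event"] == "mfa_success":
            # With a reverse-proxy phish, this is the address the MFA step was seen from.
            mfa_client[sid] = e
            continue
        origin = mfa_client.get(sid)
        if origin is None or sid in alerts or e["ts"] - origin["ts"] > window:
            continue
        moved = network_of(e["ip"]) != network_of(origin["ip"])
        # Roaming users change network but keep their browser; require both to differ.
        if moved and e["ua"] != origin["ua"]:
            delay = int((e["ts"] - origin["ts"]).total_seconds())
            alerts[sid] = {"user": e["user"], "session": sid, "mfa_ip": origin["ip"],
                           "replay_ip": e["ip"], "delay_s": delay}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_replayed_sessions(parse_events(SAMPLE_LOG)):
        print(alert)
```

This is a heuristic: it misses replays that copy the victim's user agent from the same network, so treat a hit as a reason to revoke the session and review the sign-in, not as proof.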

Sherrod DeGrippo, VP, threat research and detection, Proofpoint, said that phishing actors exploit major news stories like the Queen’s death and COVID-19.

“Social engineering requires manipulating the target’s emotional state. In the recent case, the attackers attempted to elicit a sense of sadness, grief, or concern by offering a place to share comments and memories in honor of the Queen,” she continued.

## Lampion Banking Trojan Returns in a New Phishing Attack

Threat actors behind the [Lampion](https://cyware.com/news/lampion-trojan-returns-in-a-new-phishing-attack-322cbcc9) banking trojan recently released a new set of phishing attacks to target victims. The latest phishing attacks bypass email security checks by leveraging the renowned file-sharing software, WeTransfer.

### _About the latest phishing attack_

Security researchers at Cofense observed a new campaign in which Lampion operators sent phishing emails using compromised accounts asking recipients to download a few documents, including a ‘Proof of Payment’ from WeTransfer.

However, the downloaded file is a ZIP archive that contains a VBS script initiating the attack. Once executed, the script starts the WScript process, which connects to two hardcoded URLs that fetch DLL files. The DLL files then install the Lampion banking trojan on users’ systems. Hackers used the malware to pick up bank account details from the infected computers. They trick the victims, asking them to enter credentials on fake login forms.
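A triage check for the delivery chain described above (a ZIP from a file-sharing link that carries a VBS script), as an added example and not Cofense's tooling: it lists script files inside a downloaded archive, including inside nested ZIPs and behind double extensions or trailing dots. The extension list, limits, function names and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# File types run by Windows Script Host or a shell when double-clicked (assumed list).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}
MAX_DEPTH = 3                       # stop descending into archives nested deeper than this
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # do not unpack nested archives larger than this

def effective_ext(name):
    """Return the extension Windows would act on, ignoring case and trailing dots/spaces."""
    base = name.lower().rstrip(". ").rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""

def script_members(data, depth=0, prefix=""):
    """Return paths of script files inside ZIP bytes, descending into nested ZIPs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = effective_ext(info.filename)
            if ext in SCRIPT_EXTS:
                findings.append(path)
            elif ext == ".zip" and depth < MAX_DEPTH and info.file_size <= MAX_MEMBER_BYTES:
                try:
                    findings += script_members(zf.read(info), depth + 1, path + "!/")
                except (zipfile.BadZipFile, RuntimeError):
                    # Corrupt or password-protected inner archive: cannot inspect it here.
                    pass
    return findings

def build_sample():
    """Build a constructed archive with harmless placeholder members for the demo."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("docs/Proof of Payment.pdf.VBS", "' constructed placeholder\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "constructed sample")
        z.writestr("invoice.vbs.", "' constructed placeholder\n")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for member in script_members(build_sample()):
        print("script inside archive:", member)
```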

The Lampion Trojan is more dangerous because cybercriminals use more than one legitimate service for spreading across systems. The researchers also added that besides WeTransfer, the threat actors leverage AWS (Amazon Web Services).

The Lampion trojan, primarily designed for targeting Spanish-speaking users, has gone international in the past few years. In 2022, researchers believe its distribution picked up rapidly, with some identifying a hostname link to the LockBit 2.0 and Bazaar ransomware.


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.

