CyberBrief Project

The Reply Trap: Instagram Phishing Without a Website



"Send me a quick text"

A recent phishing campaign is targeting Instagram users with messages that closely resemble legitimate account alerts. Victims are tricked into responding in ways that validate their address and gradually hand over details attackers can use to reset passwords, hijack accounts, and pivot into connected services. Once an account is taken, it can be locked for ransom, abused to spread further scams, or sold on underground markets.

Key defensive actions:

  • Train users to verify the sender and question unexpected account-security messages.
  • Reinforce that Instagram/Meta does not handle credential verification through direct email correspondence.
  • Monitor for suspicious outbound communications to unfamiliar domains.
  • Encourage fast reporting of unusual security alerts to security teams.

IOCs & Infrastructure:

  • Suspicious sender domains observed: @vacasa[.]uk.com, @syntec[.]uk.com, @pdftools[.]com.de, @boss[.]eu.com, among others.
  • Multiple malicious domains hosted together on shared IP infrastructure.

Detection & Monitoring Recommendations:

  • Expand filters to flag alerts urging users to respond via email rather than through in-app or known support channels.
  • Track domain reputation for sender addresses linked to brand impersonation.
  • Focus awareness campaigns on the risks of replying to suspicious security notifications.
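A sketch of the first two recommendations as a mail filter rule, added here as an illustration and not taken from the episode or any vendor tooling: it flags messages that use Instagram/Meta branding from an untrusted sender domain and ask the recipient to reply, and notes when there is no link for URL filters to inspect. The trusted-domain list, the phrase patterns, the function names, and the sample messages are all assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: sender domains your organisation accepts as genuine Instagram/Meta mail.
TRUSTED = ("instagram.com", "facebookmail.com", "meta.com")
BRAND = re.compile(r"\b(instagram|meta)\b", re.I)
REPLY_ASK = re.compile(r"\b(reply|respond|write back|email us|send (us|me))\b", re.I)
URL = re.compile(r"https?://|www\.", re.I)

def domain_of(header):
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def trusted(domain):
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED)

def text_body(msg):
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")

def reply_trap_findings(raw):
    msg = message_from_string(raw)
    body, from_dom = text_body(msg), domain_of(msg["From"])
    findings = []
    if BRAND.search(f"{msg['From']} {msg['Subject']} {body}") and not trusted(from_dom):
        findings.append("brand_from_untrusted_domain")
    if REPLY_ASK.search(body):
        findings.append("asks_for_reply")
    if not URL.search(body):
        findings.append("no_link")  # nothing for URL reputation filters to inspect
    if (domain_of(msg["Reply-To"]) or from_dom) != from_dom:
        findings.append("reply_to_mismatch")
    return findings

def is_reply_trap(raw):
    found = reply_trap_findings(raw)
    return "brand_from_untrusted_domain" in found and "asks_for_reply" in found

# Constructed sample messages (not taken from the campaign).
PHISH = ("From: Instagram Security <security@account-notice.example>\n"
         "Subject: Unusual login attempt on your Instagram account\n\n"
         "Reply to this email with your username and linked phone number.\n")
LEGIT = ("From: Instagram <security@mail.instagram.com>\n"
         "Subject: New login to Instagram\n\n"
         "Open the Instagram app to review this login.\n")
COLLEAGUE = ("From: Dana <dana@corp.example>\nSubject: Budget\n\n"
             "Please reply by Friday with your numbers.\n")
if __name__ == "__main__":
    print({n: reply_trap_findings(r) for n, r in (("phish", PHISH), ("legit", LEGIT))})
```

The colleague message shows why the reply request alone is not enough to alert on: the rule fires only when it coincides with brand impersonation from an untrusted domain.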

This campaign highlights how attackers adapt by shifting tactics into spaces that feel safe and familiar. Defenses must adjust to catch threats that blend into ordinary communication.

Thanks for spending a few minutes on the CyberBrief Project.

If you want to dive deeper or catch up on past episodes, head over to cyberbriefproject.buzzsprout.com.

You can also find the podcast on YouTube at youtube.com/@CyberBriefProject. I’d love to see you there.

And if you find these episodes valuable and want to support the project, you can do that here: buzzsprout.com/support

Your support means a lot.

See you in the next one, and thank you for listening.


CyberBrief Project, by Meni Tasa