{"id":21189,"date":"2026-05-26T11:51:43","date_gmt":"2026-05-26T11:51:43","guid":{"rendered":"https:\/\/any.run\/cybersecurity-blog\/?p=21189"},"modified":"2026-05-26T12:02:59","modified_gmt":"2026-05-26T12:02:59","slug":"major-cyber-attacks-may-2026","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/","title":{"rendered":"Major Cyber Attacks in May 2026: Fake Invitations, Agent Tesla, BlobPhish, and More"},"content":{"rendered":"\n<p>May 2026 showed how fast routine business activity can turn into real security exposure.&nbsp;<a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-may-2026&amp;utm_term=260526&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;observed&nbsp;phishing campaigns, fileless malware delivery, credential theft, OTP interception, and remote access abuse targeting organizations across industries.&nbsp;<\/p>\n\n\n\n<p>From fake invitations and banking portals to compromised B2B websites and Word Online lures, the month\u2019s attacks had one thing in common: they were built to&nbsp;look&nbsp;normal long enough to delay detection.&nbsp;<\/p>\n\n\n\n<p>Here are the major attacks from May and what SOC teams should take away from them.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Business Risks That Stood Out in May Attacks&nbsp;<\/h2>\n\n\n\n<p>The most important lesson from May\u2019s attacks is that many of these campaigns were designed to hide inside normal business activity long enough to create real exposure.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Phishing turned into direct access\u00a0risk:\u00a0<\/strong>May campaigns did not stop at fake login pages. 
They led to credential theft, OTP interception, remote access tool installation, and\u00a0possible account\u00a0takeover.\u00a0<\/li>\n\n\n\n<li><strong>Trusted workflows became attack paths:\u00a0<\/strong>Fake invitations, Word Online pages, banking portals, legitimate B2B websites, and RMM tools helped\u00a0attackers\u00a0lower suspicion and delay detection.\u00a0<\/li>\n\n\n\n<li><strong>Fileless and browser-based techniques reduced visibility:\u00a0<\/strong>Blob-generated pages, injected scripts, PowerShell execution, and in-memory payloads made some attacks harder to catch with traditional file or network-based controls.\u00a0<\/li>\n\n\n\n<li><strong>Credential theft created broader business exposure:\u00a0<\/strong>Stolen email, browser, banking, and session data can open the door to BEC, fraud, SaaS compromise, supplier risk, and lateral movement.\u00a0<\/li>\n\n\n\n<li><strong>Delayed certainty became the biggest SOC problem:\u00a0<\/strong>When teams cannot quickly confirm whether access was stolen, remote access was installed, or C2 activity happened, response slows and business risk grows.\u00a0<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Main Targets in May Attacks&nbsp;<\/h2>\n\n\n\n<p>May\u2019s campaigns were concentrated around the business functions and user groups that attackers can use to reach valuable accounts, financial workflows, and internal systems. For CISOs, this helps show where security reviews, detection coverage, and response playbooks should be prioritized first.&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-331\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"8\"\n           data-wpID=\"331\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Target Area\u00a0                    <\/th>\n
                                  <th class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        What Attackers Focused On\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Finance and banking users\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Banking login flows, customer account access, and payment-related interactions.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Procurement and payroll teams\u00a0                    <\/td>\n        
                                        <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Employees handling invoices, purchase orders, payroll files, and supplier communication.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Corporate email users\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Business inboxes, Microsoft 365 accounts, webmail access, and internal communication channels.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        IT and 
support workflows\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Remote support processes, software installation flows, and admin-adjacent activity.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Employees using business websites\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Everyday browsing activity on legitimate or familiar-looking websites.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n       
                                 SaaS and cloud account users\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Accounts connected to business apps, shared data, and company operations.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        High-exposure industries\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Finance, banking, healthcare, manufacturing, technology, education, and government.\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-331'>\ntable#wpdtSimpleTable-331{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-331 td, table.wpdtSimpleTable331 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">1. Routine Invitations Created High-Impact Access Risk for U.S. 
Organizations\u00a0<\/h2>\n\n\n\n<p>In May, ANY.RUN tracked a fake invitation phishing campaign targeting U.S. organizations. The attack used familiar event-style lures to guide users&nbsp;through what&nbsp;looked like a normal invitation flow. Behind that flow, attackers could move victims toward credential theft, OTP interception, and in some cases remote access tool delivery.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/us-fake-invitation-phishing\/\" target=\"_blank\" rel=\"noreferrer noopener\">Check detailed breakdown<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Chain-2048x1075.png-1024x538.webp\" alt=\"Attack chain of US-targeted phishing campaign\u00a0\" class=\"wp-image-21194\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Chain-2048x1075.png-1024x538.webp 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Chain-2048x1075.png-300x157.webp 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Chain-2048x1075.png-768x403.webp 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Chain-2048x1075.png-1536x806.webp 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Chain-2048x1075.png-370x194.webp 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Chain-2048x1075.png-270x142.webp 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Chain-2048x1075.png-740x388.webp 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Chain-2048x1075.png.webp 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Attack chain of US-targeted phishing campaign<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>This campaign 
shows how a simple business interaction can turn into an access incident. The user does not need to open an obviously malicious file or interact with a suspicious-looking page. They only need to follow an invitation that feels familiar. From there, the risk can expand from one employee action to exposed credentials, compromised mailboxes, unauthorized remote access, and wider business exposure.&nbsp;<\/p>\n\n\n\n<p><strong>CISO priority:&nbsp;<\/strong>Security leaders should treat fake invitation flows as more than phishing noise. These attacks test whether the SOC can connect email, browser, identity, and remote access signals fast enough to understand real exposure. ANY.RUN helps teams safely open the full flow,&nbsp;observe&nbsp;credential and OTP collection,&nbsp;identify&nbsp;possible remote access tool delivery, and pivot to related infrastructure before the same campaign reaches more users.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">2. Business Document Lures Put LATAM Enterprises at Credential Theft Risk\u00a0<\/h2>\n\n\n\n<p>ANY.RUN also\u00a0analyzed\u00a0an <a href=\"https:\/\/any.run\/malware-trends\/agenttesla\/\" target=\"_blank\" rel=\"noreferrer noopener\">Agent Tesla<\/a> campaign targeting enterprises in Latin America. 
The attack used familiar business-document themes, including purchase orders, invoices, payroll files, and procurement requests, to reach employees who\u00a0regularly work\u00a0with external files and supplier communication.\u00a0<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/\" target=\"_blank\" rel=\"noreferrer noopener\">Check detailed breakdown<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"718\" height=\"553\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image3.png.webp\" alt=\"Exfiltrated passwords exposed inside ANY.RUN\u00a0sandbox\u00a0\" class=\"wp-image-21195\" style=\"width:546px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image3.png.webp 718w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image3.png-300x231.webp 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image3.png-370x285.webp 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image3.png-270x208.webp 270w\" sizes=\"(max-width: 718px) 100vw, 718px\" \/><figcaption class=\"wp-element-caption\"><em>Exfiltrated passwords exposed inside ANY.RUN\u00a0sandbox<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>This type of attack goes after the business functions where one stolen credential can quickly create financial and operational exposure. If attackers gain access to email accounts, browser credentials, FTP logins, or other stored data, the risk can move beyond one infected endpoint. It can support BEC, supplier fraud, cloud account compromise, and wider access across company systems.&nbsp;<\/p>\n\n\n\n<p><strong>Business risk to reduce:&nbsp;<\/strong>Finance, procurement, and payroll inboxes should be treated as high-risk business entry points. 
A suspicious invoice or purchase order is not only an attachment problem; it may be the first sign of credential theft that can later support fraud or unauthorized access. With&nbsp;behavior-based&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-may-2026&amp;utm_term=260526&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">sandbox&nbsp;analysis<\/a>, teams can quickly confirm whether a file executed, what data it tried to collect, and which accounts need immediate protection.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. Compromised B2B Websites Turned Trusted Browsing into Fileless Malware Risk&nbsp;<\/h2>\n\n\n\n<p>May also showed how legitimate B2B websites can be abused to deliver malware without relying on obvious malicious files. In this activity, attackers used compromised websites and injected scripts to move users toward PowerShell execution, in-memory payload delivery, and outbound C2 communication.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/x.com\/anyrun_app\/status\/2057084108451254420\" target=\"_blank\" rel=\"noreferrer noopener\">Check technical details on X<\/a>\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"1024\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIw7F1rXUAAtUhS-768x1024.jpeg\" alt=\"Attack chain of fileless\u00a0ClickFix\u00a0execution\" class=\"wp-image-21196\" style=\"width:510px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIw7F1rXUAAtUhS-768x1024.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIw7F1rXUAAtUhS-225x300.jpeg 225w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIw7F1rXUAAtUhS-1152x1536.jpeg 1152w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIw7F1rXUAAtUhS-1536x2048.jpeg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIw7F1rXUAAtUhS-370x493.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIw7F1rXUAAtUhS-270x360.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIw7F1rXUAAtUhS-740x987.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIw7F1rXUAAtUhS-scaled.jpeg 1920w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><figcaption class=\"wp-element-caption\"><em>Attack chain of fileless\u00a0ClickFix\u00a0execution<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This is dangerous&nbsp;as&nbsp;the attack starts from a place employees may already trust. The website can&nbsp;look&nbsp;legitimate, the traffic may not stand out at first, and the malicious activity becomes clearer only later in the chain. For enterprises, that means a normal browsing session can turn into fileless execution before the SOC has enough evidence to react.&nbsp;<\/p>\n\n\n\n<p><strong>Detection gap to close:&nbsp;<\/strong>This is where reputation-based controls are not enough. A known business website can still become part of the attack chain, and fileless execution may leave fewer obvious artifacts for Tier 1 teams to catch. ANY.RUN gives analysts a way to see what happens after the page loads: script&nbsp;behavior, PowerShell activity, memory execution, process injection, and C2 communication. That turns a suspicious browsing event into a response-ready case.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4. OTP Phishing Showed How Fast Financial Access Can Be Weaponized&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN tracked a large-scale phishing campaign impersonating a U.S. financial institution.
The campaign used a multi-step flow to collect usernames, passwords, OTP codes, and email verification data. Its infrastructure was also highly reusable, with hundreds of related phishing domains already&nbsp;identified.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/x.com\/anyrun_app\/status\/2056729193870713300\" target=\"_blank\" rel=\"noreferrer noopener\">Check technical details on X<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"1024\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIr4S4-WMAAn0HZ-768x1024.jpeg\" alt=\"Technical details of the large-scale OTP phishing campaign\u00a0\" class=\"wp-image-21197\" style=\"width:494px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIr4S4-WMAAn0HZ-768x1024.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIr4S4-WMAAn0HZ-225x300.jpeg 225w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIr4S4-WMAAn0HZ-1152x1536.jpeg 1152w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIr4S4-WMAAn0HZ-1536x2048.jpeg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIr4S4-WMAAn0HZ-370x493.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIr4S4-WMAAn0HZ-270x360.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIr4S4-WMAAn0HZ-740x987.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIr4S4-WMAAn0HZ-scaled.jpeg 1920w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><figcaption class=\"wp-element-caption\"><em>Technical details of the large-scale OTP phishing campaign<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This attack highlights a dangerous shift: MFA does not remove phishing risk when attackers can intercept OTPs in real time. 
Once users&nbsp;submit&nbsp;credentials and verification codes, attackers can move closer to account takeover, fraud, and unauthorized access before security teams have a clear picture of what happened.&nbsp;<\/p>\n\n\n\n<p>For enterprises, the lesson goes beyond one banking-themed campaign. Any organization that relies on login codes, email verification, or user-driven authentication flows needs to understand where those flows can be copied, replayed, or abused.&nbsp;<\/p>\n\n\n\n<p><strong>MSSP priority:&nbsp;<\/strong>The priority is to move from single-alert handling to campaign-level detection. Blocking one domain will not stop an operation built on reusable templates and rotating infrastructure. ANY.RUN&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-may-2026&amp;utm_term=260526&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat&nbsp;Intelligence<\/a>&nbsp;helps MSSPs connect related phishing pages, infrastructure, and recurring artifacts, so teams can prove whether authentication data was exposed and help clients act before stolen access becomes fraud or account takeover.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">5. Fake Word Online Lures Turned Document Access into Remote Control\u00a0<\/h2>\n\n\n\n<p>Another May attack started with an Outlook\u00a0email and redirected users to a fake Word Online \/ OneDrive-style page. 
Instead of pushing an obvious malware download, the chain moved\u00a0through software installation stages and eventually led to remote access\u00a0through\u00a0ScreenConnect, with\u00a0additional\u00a0activity used to hide the installed tools.\u00a0<\/p>\n\n\n\n<p><a href=\"https:\/\/x.com\/anyrun_app\/status\/2054502193206616563\" target=\"_blank\" rel=\"noreferrer noopener\">Check technical details on X<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"1024\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIMO2dUXMAABOSL-768x1024.jpeg\" alt=\"Phishing-to-RMM attack details\u00a0\" class=\"wp-image-21198\" style=\"width:454px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIMO2dUXMAABOSL-768x1024.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIMO2dUXMAABOSL-225x300.jpeg 225w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIMO2dUXMAABOSL-1152x1536.jpeg 1152w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIMO2dUXMAABOSL-1536x2048.jpeg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIMO2dUXMAABOSL-370x493.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIMO2dUXMAABOSL-270x360.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIMO2dUXMAABOSL-740x987.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HIMO2dUXMAABOSL-scaled.jpeg 1920w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><figcaption class=\"wp-element-caption\"><em>Phishing-to-RMM attack details<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>This is the kind of attack that creates real confusion inside security operations. On the surface, the user is trying to open a business document. 
Deeper in the chain, the attacker is setting up remote access&nbsp;through tools that may&nbsp;look&nbsp;similar to&nbsp;normal IT or support activity.&nbsp;<\/p>\n\n\n\n<p>For MSSPs, this is especially dangerous as one alert may not&nbsp;immediately&nbsp;look&nbsp;like a full compromise. A fake document page, a silent installer, an RMM tool, and concealment activity may appear as separate weak signals unless the team can connect them fast.&nbsp;<\/p>\n\n\n\n<p><strong>Access question for
leaders:&nbsp;<\/strong>This attack should push CISOs and MSSPs to ask a harder question: not \u201cDid malware run?\u201d but \u201cDid someone gain hands-on access to the environment?\u201d Remote access abuse is dangerous because it can&nbsp;look&nbsp;close to legitimate IT activity while giving attackers a path back into the network. Teams should expose the full chain from phishing page to installer&nbsp;behavior, RMM deployment, concealment activity, and follow-on access signals so they can contain the access path before it becomes persistence.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">6.\u00a0BlobPhish\u00a0Exposed a Blind Spot in Browser-Based Credential Theft\u00a0<\/h2>\n\n\n\n<p>May also brought attention to\u00a0BlobPhish, a credential-phishing campaign targeting Microsoft 365, major U.S. financial institutions, and webmail services. Instead of loading a phishing page in the usual way, the attack generated the page directly inside the browser using blob objects, keeping the malicious content in memory.\u00a0<\/p>\n\n\n\n<p><a href=\"https:\/\/x.com\/anyrun_app\/status\/2052018722034827774\" target=\"_blank\" rel=\"noreferrer noopener\"><em>Check technical details on X<\/em><\/a><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HHo8JZ3XgAQ1rS3-1024x1024.jpeg\" alt=\"BlobPhish exposed inside ANY.RUN\u2019s cloud-based\u00a0sandbox\" class=\"wp-image-21199\" style=\"width:526px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HHo8JZ3XgAQ1rS3-1024x1024.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HHo8JZ3XgAQ1rS3-300x300.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HHo8JZ3XgAQ1rS3-150x150.jpeg 150w,
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HHo8JZ3XgAQ1rS3-768x768.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HHo8JZ3XgAQ1rS3-1536x1536.jpeg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HHo8JZ3XgAQ1rS3-2048x2048.jpeg 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HHo8JZ3XgAQ1rS3-70x70.jpeg 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HHo8JZ3XgAQ1rS3-370x370.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HHo8JZ3XgAQ1rS3-270x270.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/HHo8JZ3XgAQ1rS3-740x740.jpeg 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>BlobPhish exposed inside ANY.RUN\u2019s cloud-based\u00a0sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>\u00a0This matters as many phishing\u00a0defenses\u00a0still depend on what can be seen in the email, URL, or network request.\u00a0BlobPhish\u00a0weakens that visibility. The page can appear after the browser builds it locally, which makes the attack harder to judge using traditional signals alone.\u00a0<\/p>\n\n\n\n<p>For CISOs, this creates a dangerous gap between what the user experiences and what the security stack can clearly prove. For MSSPs, it raises the investigation burden across clients: teams need to understand not only where the user clicked, but what the browser created after the click.&nbsp;<\/p>\n\n\n\n<p><strong>Visibility gap to close:&nbsp;<\/strong>BlobPhish&nbsp;shows why phishing response cannot stop at URL checks. The real danger is the gap between what the user sees in the browser and what security teams can prove afterward. 
ANY.RUN allows teams to reproduce the browser-side flow safely,&nbsp;observe&nbsp;how the phishing page is generated, and capture the credential-theft&nbsp;behavior&nbsp;that may not be visible&nbsp;through standard inspection alone. For CISOs and MSSPs, this closes a critical evidence gap before stolen accounts turn into BEC, SaaS compromise, or client-wide exposure.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Give Your SOC the Visibility May\u2019s Attacks Demand with Enterprise Suite&nbsp;<\/h2>\n\n\n\n<p>May\u2019s attacks made one thing clear: the earliest signs of compromise are often hidden inside normal workflows. A user follows an invitation, opens a supplier file, visits a trusted website, enters an OTP, or previews a document, and the SOC may only see scattered signals until the risk has already moved forward.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Boost-SOC-Performance-and-Business-Security-1-2048x1152.png-1024x576.webp\" alt=\"Reported outcomes by teams using ANY.RUN\u2019s Enterprise Suite\" class=\"wp-image-21200\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Boost-SOC-Performance-and-Business-Security-1-2048x1152.png-1024x576.webp 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Boost-SOC-Performance-and-Business-Security-1-2048x1152.png-300x169.webp 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Boost-SOC-Performance-and-Business-Security-1-2048x1152.png-768x432.webp 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Boost-SOC-Performance-and-Business-Security-1-2048x1152.png-1536x864.webp 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Boost-SOC-Performance-and-Business-Security-1-2048x1152.png-370x208.webp 
370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Boost-SOC-Performance-and-Business-Security-1-2048x1152.png-270x152.webp 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Boost-SOC-Performance-and-Business-Security-1-2048x1152.png-740x416.webp 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Boost-SOC-Performance-and-Business-Security-1-2048x1152.png.webp 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Outcomes reported by teams using ANY.RUN\u2019s Enterprise Suite<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>That is where\u00a0<a href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-may-2026&amp;utm_term=260526&amp;utm_content=linktoenterpriselanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN Enterprise Suite<\/a>\u00a0gives security leaders stronger control. Teams get full\u00a0sandbox\u00a0functionality, private analyses, multi-platform analysis across <a href=\"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/\" target=\"_blank\" rel=\"noreferrer noopener\">Windows<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/anyrun-macos-sandbox\/\" target=\"_blank\" rel=\"noreferrer noopener\">macOS<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/network-traffic-analysis-in-linux\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/android-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Android<\/a>, advanced privacy controls, SSO, team management, API access, workspace analytics, and TI\u00a0Lookup\u00a0&amp; YARA Premium to validate\u00a0threats faster and investigate sensitive cases without losing visibility or control.\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" 
width=\"1024\" height=\"538\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Special-Offers-4-1024x538.png\" alt=\"Strengthen your SOC with ANY.RUN\u2019s\u00a0special offers\u00a0available until May 31\u00a0\" class=\"wp-image-21202\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Special-Offers-4-1024x538.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Special-Offers-4-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Special-Offers-4-768x403.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Special-Offers-4-1536x806.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Special-Offers-4-2048x1075.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Special-Offers-4-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Special-Offers-4-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/Special-Offers-4-740x389.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Strengthen your SOC with ANY.RUN\u2019s\u00a0special offers\u00a0available until May 31<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>With these capabilities, enterprise teams can:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduce investigation delays<\/strong>\u00a0by safely\u00a0analyzing\u00a0suspicious files, URLs, scripts, and phishing flows in real time.\u00a0<\/li>\n\n\n\n<li><strong>Confirm business exposure faster<\/strong>\u00a0by seeing whether credentials, OTPs, remote access tools, C2 traffic, or fileless execution were involved.\u00a0<\/li>\n\n\n\n<li><strong>Protect sensitive investigations<\/strong>\u00a0with private analyses, advanced privacy controls, SSO, and team-based access.\u00a0<\/li>\n\n\n\n<li><strong>Improve SOC
efficiency<\/strong>\u00a0with shared workflows, workspace analytics, API access, and full task history.\u00a0<\/li>\n\n\n\n<li><strong>Strengthen detection coverage<\/strong>\u00a0with\u00a0<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-may-2026&amp;utm_term=260526&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI\u00a0Lookup<\/a>\u00a0&amp; YARA Premium to connect related infrastructure, IOCs, and attack patterns.\u00a0<\/li>\n\n\n\n<li><strong>Support enterprise-scale response<\/strong>\u00a0with longer VM timeout\u00a0and analysis across major operating systems.\u00a0<\/li>\n<\/ul>\n\n\n\n<p>ANY.RUN\u2019s <a href=\"https:\/\/any.run\/cybersecurity-blog\/anyrun-10th-anniversary-offers\/\" target=\"_blank\" rel=\"noreferrer noopener\">10th-anniversary special offers<\/a> are available until May 31, making this a timely opportunity for SOCs, MSSPs, and enterprise security teams to expand threat analysis and intelligence capabilities, reduce investigation delays, and respond with more confidence.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-may-2026&amp;utm_term=260526&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>, a leading provider of interactive malware analysis and&nbsp;threat&nbsp;intelligence solutions, helps SOC, MSSP, and enterprise security teams detect&nbsp;threats earlier, and investigate incidents faster.&nbsp;<\/p>\n\n\n\n<p>With its&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-may-2026&amp;utm_term=260526&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive&nbsp;Sandbox<\/a>,&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-may-2026&amp;utm_term=260526&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat&nbsp;Intelligence&nbsp;Lookup<\/a>,&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-may-2026&amp;utm_term=260526&amp;utm_content=linktotifeedslanding\" target=\"_blank\"
rel=\"noreferrer noopener\">TI Feeds<\/a>, and YARA Search, ANY.RUN gives teams the visibility they need to&nbsp;analyze&nbsp;suspicious files, URLs, scripts, phishing pages, and malware&nbsp;behavior&nbsp;in real time. Security teams can safely&nbsp;observe&nbsp;full attack chains, extract IOCs, investigate related infrastructure, and turn unclear alerts into evidence they can act on.&nbsp;<\/p>\n\n\n\n<p>Trusted by more than 15,000 organizations and 600,000 security professionals worldwide, ANY.RUN supports faster triage, stronger&nbsp;threat&nbsp;visibility, and more confident response across modern SOC workflows.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>May 2026 showed how fast routine business activity can turn into real security exposure.&nbsp;ANY.RUN&nbsp;observed&nbsp;phishing campaigns, fileless malware delivery, credential theft, OTP interception, and remote access abuse targeting organizations across industries.&nbsp; From fake invitations and banking portals to compromised B2B websites and Word Online lures, the month\u2019s attacks had one thing in common: they were built [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":21026,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34],"class_list":["post-21189","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Major Cyber Attacks in May 2026: Phishing, Agent Tesla &amp; More<\/title>\n<meta name=\"description\" content=\"Explore major cyber attacks in May 2026, including fake invitations, Agent Tesla, OTP phishing, fileless malware, and RMM abuse targeting businesses.\" \/>\n<meta name=\"robots\" content=\"index, 
follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Major Cyber Attacks in May 2026: Fake Invitations, Agent Tesla, BlobPhish, and More\",\"datePublished\":\"2026-05-26T11:51:43+00:00\",\"dateModified\":\"2026-05-26T12:02:59+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/\"},\"wordCount\":2168,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/\",\"name\":\"Major Cyber Attacks in May 2026: Phishing, Agent Tesla & More\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2026-05-26T11:51:43+00:00\",\"dateModified\":\"2026-05-26T12:02:59+00:00\",\"description\":\"Explore major cyber attacks in May 2026, including fake invitations, 
Agent Tesla, OTP phishing, fileless malware, and RMM abuse targeting businesses.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Major Cyber Attacks in May 2026: Fake Invitations, Agent Tesla, BlobPhish, and More\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Major Cyber Attacks in May 2026: Phishing, Agent Tesla & More","description":"Explore major cyber attacks in May 2026, including fake invitations, Agent Tesla, OTP phishing, fileless malware, and RMM abuse targeting businesses.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Major Cyber Attacks in May 2026: Fake Invitations, Agent Tesla, BlobPhish, and More","datePublished":"2026-05-26T11:51:43+00:00","dateModified":"2026-05-26T12:02:59+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/"},"wordCount":2168,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/","url":"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/","name":"Major Cyber Attacks in May 2026: Phishing, Agent Tesla & More","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2026-05-26T11:51:43+00:00","dateModified":"2026-05-26T12:02:59+00:00","description":"Explore major cyber attacks in May 2026, including fake invitations, Agent Tesla, OTP phishing, fileless malware, and RMM abuse targeting 
businesses.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-may-2026\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Major Cyber Attacks in May 2026: Fake Invitations, Agent Tesla, BlobPhish, and More"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/21189"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=21189"}],"version-history":[{"count":31,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/21189\/revisions"}],"predecessor-version":[{"id":21245,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/21189\/revisions\/21245"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/21
026"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=21189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=21189"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=21189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}