Barracuda flags stealthy Microsoft 365 attack shift
Thu, 28th May 2026
Barracuda Networks has reported a fake Claude AI installer, more convincing Microsoft 365 account intrusions, and clipboard-based malware in its latest threat findings. The incidents were identified by the company's Managed XDR security operations centre.
The update suggests a shift in attacker behaviour toward methods designed to appear routine or leave little trace on a victim's system. Across incidents handled by its analysts, Barracuda observed account compromises using login locations more commonly associated with legitimate business traffic.
One of the clearest trends involved Microsoft 365 account access. Attackers were able to sign in successfully using IP addresses that resembled those of normal users, often through VPNs or frequently changing addresses that helped the activity blend in with everyday employee logins.
This makes detection harder because many security tools place greater emphasis on repeated failed sign-in attempts. When attackers gain access with valid credentials, they can move through email, files, and internal systems without immediately triggering the same alerts.
Barracuda recorded an increase of about 25% in malicious Microsoft 365 logins from countries typically viewed as lower risk, including the UK and the US, compared with regions more commonly linked to suspicious activity. The finding suggests security teams may need to pay closer attention to successful logins from apparently ordinary locations rather than relying too heavily on geographic risk assumptions.
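The detection gap described above, as an added illustration that is not part of Barracuda's report or tooling: a small Python baseline-and-compare check over constructed Microsoft 365-style sign-in records. Instead of counting failed attempts, it looks only at successful sign-ins and flags those from an address the user has never used before, noting whether the country is already familiar for that user, and raises a second finding when several unseen addresses appear for one account within a short window (the "frequently changing addresses" pattern). All events, user names, IP ranges and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (hypothetical data, not from the Barracuda
# report). Fields: timestamp, user, source IP, country, result.
SIGNIN_EVENTS = [
    # Baseline period: each user signs in from one stable address in a "low-risk" country
    ("2026-05-20T08:02:00", "alice@example.com", "203.0.113.10", "GB", "success"),
    ("2026-05-21T08:05:00", "alice@example.com", "203.0.113.10", "GB", "success"),
    ("2026-05-22T08:01:00", "alice@example.com", "203.0.113.10", "GB", "success"),
    ("2026-05-23T09:10:00", "alice@example.com", "203.0.113.11", "GB", "success"),
    ("2026-05-20T13:00:00", "bob@example.com", "198.51.100.7", "US", "success"),
    ("2026-05-21T13:20:00", "bob@example.com", "198.51.100.7", "US", "success"),
    ("2026-05-22T13:05:00", "bob@example.com", "198.51.100.7", "US", "success"),
    # Evaluation period: alice's valid credentials used from three unseen UK
    # addresses within a few hours, no failed attempts at all
    ("2026-05-28T02:14:00", "alice@example.com", "192.0.2.40", "GB", "success"),
    ("2026-05-28T03:02:00", "alice@example.com", "192.0.2.77", "GB", "success"),
    ("2026-05-28T04:31:00", "alice@example.com", "192.0.2.91", "GB", "success"),
    # bob: one failed attempt from abroad (what failed-login alerting catches),
    # then a normal login from his usual address
    ("2026-05-28T05:00:00", "bob@example.com", "192.0.2.200", "RU", "failure"),
    ("2026-05-28T13:02:00", "bob@example.com", "198.51.100.7", "US", "success"),
]

# Events before this point form the per-user baseline; later ones are evaluated.
BASELINE_CUTOFF = datetime.fromisoformat("2026-05-27T00:00:00")


def parse(event):
    ts, user, ip, country, result = event
    return datetime.fromisoformat(ts), user, ip, country, result


def build_baseline(events, cutoff):
    """Per-user sets of source IPs and countries seen in successful sign-ins before cutoff."""
    baseline = defaultdict(lambda: {"ips": set(), "countries": set()})
    for ts, user, ip, country, result in map(parse, events):
        if ts < cutoff and result == "success":
            baseline[user]["ips"].add(ip)
            baseline[user]["countries"].add(country)
    return baseline


def detect_anomalous_successes(events, cutoff, window=timedelta(hours=24), churn_threshold=3):
    """Return findings for successful sign-ins that do not match the user's baseline.

    Each finding is (user, timestamp, ip, finding_type, detail). Failed attempts are
    ignored on purpose: the cases in the text never produced one.
    """
    baseline = build_baseline(events, cutoff)
    findings = []
    new_ip_times = defaultdict(list)  # user -> timestamps of successes from unseen IPs
    for ts, user, ip, country, result in sorted(map(parse, events)):
        if ts < cutoff or result != "success":
            continue
        known = baseline.get(user, {"ips": set(), "countries": set()})
        if ip in known["ips"]:
            continue  # routine login from an address this user has used before
        # Valid credentials from an unfamiliar address: flag it even when the
        # country is one the user normally signs in from.
        country_note = "known country" if country in known["countries"] else "new country"
        findings.append((user, ts.isoformat(), ip, "new_ip_success", country_note))
        new_ip_times[user].append(ts)
        recent = [t for t in new_ip_times[user] if ts - t <= window]
        if len(recent) == churn_threshold:
            hours = window.total_seconds() / 3600
            findings.append((user, ts.isoformat(), ip, "address_churn",
                             f"{churn_threshold} unseen IPs within {hours:.0f}h"))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalous_successes(SIGNIN_EVENTS, BASELINE_CUTOFF):
        print(*finding)
```

On the constructed data the check produces nothing for bob, whose only oddity is a failed attempt from abroad, and four findings for alice, all on successful sign-ins from a country she normally uses. The baseline period and churn threshold are the tuning knobs: a longer baseline reduces noise from travelling users, while a lower threshold surfaces address churn sooner.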
AI lure
Barracuda also detailed an incident in which cybercriminals used interest in generative AI tools to disguise a malware delivery attempt. In the case its researchers identified, a user trying to download Claude Code was redirected to a fake website that closely resembled a legitimate software page.
Instead of installing the expected tool, the site launched a multi-stage attack. The malware ran a PowerShell script, stole credentials stored in the browser, communicated with an attacker-controlled server, and attempted to make removal harder by installing malicious certificates.
The threat was contained within seconds, but the attack still progressed far enough to include credential access and persistence activity. The case reflects a wider trend in which attackers use the names of popular AI products to increase trust and improve the chances that a target will click or download.
The approach mirrors an older pattern in cybercrime, in which threat actors have long borrowed the branding of widely used services, productivity tools, and software vendors. The difference now is that AI products have quickly become familiar in workplaces, giving attackers a fresh set of names that can appear credible to employees under time pressure.
Clipboard technique
A separate incident highlighted a method designed to avoid leaving the usual forensic signs on a device. Malware loaded malicious code into the clipboard and then executed it directly in memory through PowerShell, rather than placing a conventional malicious file on disk.
By avoiding a saved file, the malware reduced the chance of detection by basic security products that look for suspicious artefacts written to storage. Barracuda classified this activity as high severity because the code was able to contact a command-and-control server, retrieve a payload, place it in the clipboard, and run it locally.
A command-and-control beacon triggered an alert, and the threat was then contained by Barracuda's XDR service. In-memory execution has become more common in recent years because it can give attackers more dwell time before defenders identify what has happened.
Taken together, the incidents show how current attacks rely less on obviously crude methods and more on making malicious behaviour resemble normal user activity. That can include using familiar brands, apparently safe login origins, and techniques that leave fewer traces on compromised machines.
For businesses, the findings underline a practical issue for security operations teams: suspicious behaviour is not always tied to a blocked login, a known high-risk geography, or a file detected by antivirus software. Increasingly, the warning signs may be a successful sign-in from a plausible location, a download from a site that looks genuine, or a script running in memory without a traditional malware file.
The cases were drawn from incidents mitigated by Barracuda's Managed XDR operation and are intended to show how attackers are trying to make attacks look normal, trusted, or invisible.