Telegram Phishing Attack Abuses Authentication Workflows to Harvest Credentials

What happened

Researchers at Cyfirma have uncovered a phishing campaign targeting Telegram users that abuses authentication workflows to capture login credentials and session tokens. According to the report, the attack begins with unsolicited messages sent through Telegram containing a link that purports to lead to a voice message or other legitimate content. When clicked, recipients are redirected to a fraudulent webpage designed to mimic Telegram’s login interface. The fake interface requests the user’s phone number and verification code, which the attacker then uses to authenticate to the real Telegram service and take control of the account. This workflow abuse allows the attackers to intercept valid session tokens and, in some cases, maintain persistent access without immediately alerting the victim. Cyfirma noted that the phishing pages were crafted to closely resemble the legitimate Telegram authentication experience, increasing the likelihood of user interaction with the malicious content.

Who is affected

Telegram users who receive and interact with the phishing messages are affected, as entering authentication credentials and verification codes on the fraudulent pages can result in unauthorized account access and session takeover.

Why CISOs should care

Phishing campaigns that exploit authentication workflows on trusted platforms like Telegram underscore the ongoing risk to identity and communication security, especially when attackers can harvest session tokens and bypass typical alerting mechanisms.

3 practical actions

  • Audit authentication process anomalies. Monitor for unusual login patterns such as verification codes used from unfamiliar IPs.
  • Strengthen user awareness training. Educate stakeholders to distrust unsolicited links claiming to lead to authentic messaging content.
  • Track phishing infrastructure. Block known domains and URLs associated with the Telegram phishing pages identified by Cyfirma.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.