Research from FortiGuard Labs reveals a new phishing campaign leveraging emails posing as purchase orders, prompting targets to open malicious attachments.  

The research states, “This campaign demonstrates a sophisticated multi-stage attack chain that begins with a phishing email delivering a malicious JavaScript file. The JavaScript decrypts and executes a PowerShell script that uses process hollowing to inject a .NET downloader module into a trusted Windows process (MsBuild.exe). The downloader module communicates with a remote C2 server to fetch and execute additional plugin modules, allowing the attacker to adapt the malware’s post-compromise behavior.”

Windows users are the primary target of this phishing threat. 

This campaign is evasive and challenging for conventional signature-based security measures to identify, largely due to the use of: 

• Several encryption layers
• Fileless execution
• Process hollowing tactics 

Below, security leaders discuss this campaign. 

Security Leaders Weigh In

Kern Smith, Senior Vice President of Global Solutions Engineering at Zimperium:

While this campaign ultimately executes on Windows, the broader lesson extends well beyond the endpoint. Attackers increasingly rely on social engineering and multi-stage attack chains that begin wherever users are most active, and increasingly, that starts on mobile devices through email, messaging platforms, and collaboration tools.

What makes these attacks effective is not just the malware itself, but the ability to move users from initial engagement to compromise while avoiding detection across devices and environments. Organizations should think beyond traditional endpoint visibility and ensure they can identify suspicious activity early, correlate signals across mobile devices, applications, and endpoints, and rapidly determine whether an alert represents a real incident. As attack paths become more distributed and AI accelerates attacker execution, security teams need AI-empowered security capabilities that reduce investigation time and provide clearer paths from signal to response.

Jason Soroko, Senior Fellow at Sectigo:

FortiGuard Labs recently discovered JavaScript-driven phishing campaign, deploying a PureLogs variant, underscores the shift toward fileless, evasive execution chains. Attackers hide the payload in an archive disguised as a purchase order, exploiting routine business workflows. The obfuscated JavaScript serves as an entry point that bypasses perimeter defenses, then decrypts and launches a PowerShell script. Threat actors continue refining methods that blend malicious activity with legitimate administrative tools.

The campaign relies on process hollowing to inject a .NET downloader into the trusted Windows MsBuild executable, masking it within a heavily used framework component and complicating detection. Once embedded, the downloader contacts a remote command server to retrieve modular plugins, giving the attacker dynamic post-compromise control. Layered encryption combined with legitimate system processes shows a sophisticated approach to data theft that demands equally adaptive, behavior-focused defenses.

Maxime Cartier, Vice President of Human Risk at Hoxhunt:

Historically, risky behavior and the human element have been linked to up to 90% of breaches, mainly via social engineering and phishing. However, when you look meticulously at recent research, many of the risks and barriers are behavioral, not technical.

Developers, admins, IT operations teams — they respond to the same drivers we think about in Human Risk Management every day: motivation, prioritization, clarity, communication, and friction. If security teams want outcomes to improve, they need to communicate risk in ways that help people act, not just escalate pressure.

This creates a significant opportunity for security awareness and Human Risk Management teams to collaborate more closely with vulnerability management teams. We spend a lot of time thinking about how to influence secure behavior at scale. Those same principles apply directly to improving remediation outcomes across the organization.