Re-Emerging Telegram Phishing Campaign Hijacks User Authorization Prompts
Attackers are abusing Telegram's own login and authorization workflows to take over accounts: no malware, no exploits, just user approval.
What happened and why it matters
A newly resurfaced phishing campaign targeting Telegram users is raising fresh alarms among security teams worldwide. Rather than stealing passwords or session tokens and replaying them later, this operation takes a more insidious route: it walks the victim through Telegram's legitimate authentication flow and in-app authorization prompts, so that the account owner personally approves the attacker's session and hands over full control of the account.
According to new research published by CYFIRMA and shared in its detailed threat analysis, the campaign is active, scalable, and globally oriented, making it particularly dangerous for individuals, businesses, and organizations that rely on Telegram for communication, coordination, and even operational workflows.
(Source: CYFIRMA research report)
How the attack works
CYFIRMA’s investigation shows that attackers are no longer trying to “break” Telegram. Instead, they are convincing users to let them in.
The campaign relies on attacker-controlled Telegram API credentials (the application ID and hash that any third-party Telegram client registers with the platform), which let the attacker's backend behave as a legitimate client against Telegram's official login infrastructure. Victims are lured to phishing pages that look convincingly legitimate and are offered two main login paths:
1. QR-code login flow
Victims are instructed to scan a QR code with their mobile app. The code is a genuine Telegram login QR, generated for the attacker's client rather than for one of the victim's own devices, so scanning it triggers a real Telegram login request followed by an in-app authorization prompt asking the user to confirm the new session.
2. Manual login flow
Victims enter their phone number, one-time code, and – if enabled – their two-step verification password. Again, Telegram sends a legitimate authorization request inside the app.
In both cases, the decisive moment happens inside Telegram itself, where users are prompted to tap "This is me" or "Yes." Once approved, attackers immediately hold a fully authorized session, obtained without malware, exploits, or suspicious technical artifacts. The only trace on the victim's side is a new entry in Telegram's active sessions list (Settings > Devices), which looks like any other device the owner has approved.
To lower suspicion, the phishing pages reinforce the process with misleading messages such as “security verification” or “unusual activity detected,” framing the approval as routine and urgent.
Why this campaign is harder to detect
What makes this operation particularly effective is its abuse of trusted platform features:
- The login and authorization prompts are genuine
- Network traffic blends into normal Telegram activity
- No malicious files or exploits are used
- Traditional endpoint security tools see little to flag
CYFIRMA’s analysis also reveals a centrally managed, configuration-driven infrastructure. Attackers can rapidly rotate domains, reuse the same backend logic, and deploy multilingual phishing pages – including fully localized Simplified Chinese (zh-CN) interfaces – suggesting intentional global reach.
This aligns with a broader trend security professionals are seeing across platforms: attackers increasingly prefer “abuse of function” over technical exploitation.
The wider impact on users and organizations
Once compromised, Telegram accounts are often weaponized quickly. Attackers use them as secondary delivery channels, sending phishing links directly to trusted contacts, groups, and communities—dramatically increasing success rates.
For organizations, this can lead to:
- Internal account takeovers
- Leakage of sensitive conversations
- Impersonation of executives or administrators
- Lateral phishing campaigns inside trusted networks
This is especially relevant for sectors that rely heavily on Telegram, including media, fintech, crypto communities, activists, and businesses operating in high-risk regions.
From a defensive standpoint, this campaign highlights why cybersecurity governance and awareness, such as the services delivered by Saintynet Cybersecurity, are becoming as critical as technical controls.
MEA perspective (why it matters regionally)
Telegram is widely used across the Middle East and Africa (MEA) for business communications, community coordination, and government-adjacent activities. The region’s rapid digital adoption—combined with high mobile usage—makes social-engineering-driven attacks particularly effective.
Security leaders in MEA organizations should treat this campaign as a warning: trusted platforms are no longer safe by default when attackers can manipulate user behavior instead of infrastructure.
10 recommended actions for security teams and users
- Approve authorization prompts only if you initiated them. Unexpected Telegram login approvals should always be treated as suspicious.
- Avoid logging in via links. Access Telegram only through the official app or website, never via message links.
- Review active sessions regularly. Check Telegram's security settings and terminate unknown devices immediately.
- Enable and protect two-step verification. Use a strong, unique password and never enter it outside official interfaces.
- Educate users continuously. Ongoing training and awareness programs, such as those offered via saintynet.com, are essential.
- Assume trusted contacts can be compromised. Verify unusual requests through a separate channel before responding.
- Monitor for impersonation and lateral phishing. Watch for abnormal messaging behavior from known accounts.
- Encourage rapid incident response. If a user approves a suspicious prompt, revoke all sessions and change the two-step verification password immediately; in the manual flow the attacker has already seen the old one.
- Update threat models. Account takeover via legitimate features should be factored into risk assessments.
- Share intelligence across teams. Publishing and consuming threat insights, like those on cybercory.com, helps organizations stay ahead of evolving campaigns.
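Reviewing active sessions and revoking the unknown ones, as the list above recommends, can be scripted for an account that is suspected of having approved a phishing prompt. The following is an added example written for this article, not code from CYFIRMA or from Telegram. The Session fields mirror the Authorization records that Telegram's account.getAuthorizations returns, using the field names the Telethon library exposes (hash, app_name, country, date_created, current, official_app); the triage rules are this example's own choice, and SAMPLE_SESSIONS is constructed data rather than a real account.

```python
"""Post-phishing session triage for a Telegram account.

Added example, not code from CYFIRMA or Telegram. Field names follow the
Authorization objects Telethon returns for account.getAuthorizations;
SAMPLE_SESSIONS is constructed, and the rules below are this example's own.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Session:
    hash: int              # value Telegram expects in account.resetAuthorization
    app_name: str          # client-supplied at login, so an attacker picks it freely
    country: str
    date_created: datetime
    current: bool          # True for the session making the request
    official_app: bool     # set by Telegram from the API credentials, not by the client


def _as_datetime(value):
    """Telethon may hand back a Unix timestamp or a datetime; normalise to aware UTC."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def triage_sessions(sessions, now, approved_hashes=(), recent=timedelta(hours=24)):
    """Return [(hash, reasons)] for sessions that should be terminated.

    Rules (chosen for this example):
      * skip the current session and hashes the owner has explicitly vouched for;
      * an unofficial client is always flagged: a phishing kit logging in with
        its own API credentials is exactly such a client, whatever it calls itself;
      * an official client is flagged only when two weaker indicators coincide,
        creation within `recent` and a country different from the current
        session's; one indicator alone is usually the owner's own new device.
    """
    current = next((s for s in sessions if s.current), None)
    home = current.country if current else None
    findings = []
    for s in sessions:
        if s.current or s.hash in approved_hashes:
            continue
        weak = []
        if now - _as_datetime(s.date_created) <= recent:
            weak.append(f"created within {recent}")
        if home and s.country != home:
            weak.append(f"country {s.country} != {home}")
        reasons = ([] if s.official_app else ["unofficial client"]) + weak
        if not s.official_app or len(weak) >= 2:
            findings.append((s.hash, reasons))
    return findings


SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SESSIONS = [  # constructed; the first entry is the triage script's own session
    Session(1001, "triage-script", "DE", SAMPLE_NOW - timedelta(minutes=2), True, False),
    Session(2002, "Telegram Desktop", "DE", SAMPLE_NOW - timedelta(days=30), False, True),
    Session(3003, "Telegram Web", "NL", SAMPLE_NOW - timedelta(hours=1), False, False),
    Session(4004, "Telegram iOS", "FR", SAMPLE_NOW - timedelta(hours=2), False, True),
    Session(5005, "Telegram Desktop", "DE", SAMPLE_NOW - timedelta(hours=3), False, True),
]


async def triage_live(client, approved_hashes=()):
    """Fetch the real session list with Telethon and terminate the flagged ones.

    Needs `pip install telethon` and a logged-in telethon.TelegramClient; the
    hashes come from Telegram, the decision logic is triage_sessions above.
    """
    from telethon.tl.functions.account import (GetAuthorizationsRequest,
                                               ResetAuthorizationRequest)
    result = await client(GetAuthorizationsRequest())
    sessions = [Session(a.hash, a.app_name, a.country, _as_datetime(a.date_created),
                        bool(a.current), bool(a.official_app))
                for a in result.authorizations]
    findings = triage_sessions(sessions, datetime.now(timezone.utc), approved_hashes)
    for h, _reasons in findings:
        await client(ResetAuthorizationRequest(hash=h))
    return findings


if __name__ == "__main__":
    for h, reasons in triage_sessions(SAMPLE_SESSIONS, SAMPLE_NOW):
        print(h, "->", ", ".join(reasons))
```

Two caveats when running this against a real account: the script itself logs in with third-party API credentials, so it appears in the list as a recent, unofficial session (excluded here only because it is the current one), and app_name is whatever the client claimed at login, so a session named like an official client but carrying official_app = False deserves the same treatment as the constructed 3003 entry. Terminating sessions does not change the two-step verification password, which the manual flow has already exposed; change it in the app as well.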
Conclusion
This re-emerging Telegram phishing campaign is not new, but it is more refined, more scalable, and more dangerous. By abusing legitimate authentication workflows and relying on user approval rather than exploits, attackers are blurring the line between normal behavior and compromise.
The takeaway is clear: security can no longer rely on technology alone. Strong governance, user awareness, and proactive cyber defense strategies are now the front line. As attackers continue to weaponize trust itself, organizations that invest early in resilience will be the ones best prepared for what comes next.