LIVECHAT Abuse: How Phishers Are Exploiting SaaS Support Tools to Steal Sensitive Data, published on 16 March 2026, describes a Cofense Phishing Defense Center finding of a phishing campaign that uses LiveChat, a SaaS live-messaging and support tool, to harvest credentials, card details, MFA codes and other PII.
The campaign includes two email variants: one branded as PayPal offering a $200.00 USD refund and a second branded as Amazon that prompts the user to confirm an order, with both directing victims to a LiveChat page to continue the interaction.
In the PayPal scenario, the attacker directs users to an external site for refund processing and then proceeds to collect billing and card information, while the Amazon variant asks for email verification, phone number, date of birth and address to make the interaction feel legitimate.
The blog notes that the threat actor employs brand impersonation, social engineering and credential theft via a real-time chat interface to reduce caution and increase data loss, with the PayPal flow additionally enabling MFA verification steps that are captured for later account access. According to Cofense Phishing Defense Center, these cases illustrate the rapid evolution of threats and the importance of human-driven analysis to identify and stop evolving attacks.