Targeted email attacks in various sectors


Summary

Targeted email attacks are phishing campaigns aimed at people in specific industries or organizations (the posts below cover finance, telecommunications, legal, government, industrial, energy, tech and construction targets) to steal credentials or deliver malware. The lures are individualized (shared documents, purchase orders, RFQs, pre-filled victim addresses) and routed through trusted intermediaries such as open redirects on well-known platforms, public CDNs and package registries, so that domain reputation and URL scanners offer little protection on their own.

  • Check sender details: verify the sender’s address and domain, and treat unexpected requests, individualized "view document" links and attachments with suspicion even when a link points at a well-known platform, since open redirects on trusted sites are used to reach the phishing page.
  • Scrutinize attachments: do not open unfamiliar .html, .ps1, script (.js, .vbs) or compressed (.zip, .rar, .tgz) attachments; report them to your security team. Mail gateways should quarantine or strip these types from untrusted senders.
  • Monitor account activity: review sign-in history (including unusual user agents and source IPs), newly registered MFA methods and new mailbox rules, since attackers register their own authenticators and create rules to hide their activity; enforce multi-factor authentication on all email and cloud accounts.
Summarized by AI based on LinkedIn member posts
  • Flavio Queiroz, MSc, CISSP, CISM, CRISC, CCISO

    Cybersecurity Leader | Information Security | GRC | Security Operations | Mentor | GSOC, GCIH, GDSA, GISP, GPEN, GRTP, GCPN, GDAT, GCISP, GCTIA, CTIA, eCMAP, eCTHP, CTMP


    THREAT CAMPAIGN: “BUTCHER SHOP” PHISHING CAMPAIGN - STEP-BY-STEP BREAKDOWN

    ℹ️ The "Butcher Shop" phishing campaign, identified by Obsidian Security in early September 2024, targets Microsoft 365 accounts within the legal, government, and construction sectors.

    📍 DELIVERY OF PHISHING EMAILS
    🔘 Initial Contact: The campaign starts with targeted phishing emails sent to employees within the legal, government, and construction sectors.
    🔘 Email Content: The emails often contain links that appear to lead to legitimate domains such as Canva, Google AMP, and Dropbox's Docsend.
    🔘 Exploitation of Open Redirects: Links in the emails exploit open redirect vulnerabilities in these trusted platforms, allowing attackers to redirect users to malicious phishing sites.

    📍 REDIRECTION TO MALICIOUS DOMAINS
    🔘 Compromised Domains: Victims are redirected to compromised or attacker-controlled WordPress sites.
    🔘 Domain Rotation: The campaign employs over 200 domains, often short-lived (only a few days), to evade detection by threat intelligence tools and blocklists.

    📍 USE OF CLOUDFLARE TURNSTILES
    🔘 CAPTCHA Challenge: Victims encounter a CAPTCHA-like challenge (Cloudflare Turnstile) on the phishing site, which verifies they are human.
    🔘 Evading Scanners: This step is designed to prevent automated security tools and URL scanners from accessing the malicious site.

    📍 PHISHING PAGE LOADING
    🔘 Dynamic Page Creation: The phishing page is dynamically constructed using scripts hosted on Tencent Cloud's CDN.
    🔘 Credential Theft Mechanism:
    - The phishing page mimics Microsoft 365 login portals.
    - Victims are prompted to enter their credentials.
    - Credentials are validated and captured by the attacker.

    📍 REDIRECT AFTER DATA THEFT
    🔘 Post-Attack Behavior: After credential submission, the victim is redirected to legitimate websites or decoy pages to minimize suspicion. Meanwhile, attackers have already harvested the credentials.

    📍 OBFUSCATION TECHNIQUES
    🔘 Code Randomization: The phishing pages contain randomized "lorem ipsum" text with a meat-themed vocabulary (e.g., “beef,” “steak”).
    🔘 Purpose: These obfuscation techniques make it harder for security tools to recognize the phishing content as malicious.

    📍 CREDENTIAL ABUSE AND MFA BYPASS
    🔘 Exploitation of Stolen Credentials: Attackers use stolen credentials to access Microsoft 365 accounts. Techniques to bypass MFA may include leveraging authentication cookies or exploiting vulnerabilities in MFA workflows.
    🔘 Account Takeover: With access to accounts, attackers can exfiltrate sensitive data and launch further attacks within the organization (e.g., internal phishing).

    Report: https://lnkd.in/dMKBvm8D

    #phishing #threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense
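The open-redirect hop in the post above (a link on a trusted platform whose real destination is an attacker page, with a Turnstile challenge that stops scanners from ever seeing that page) can be triaged from the URL alone, before anything is fetched. The following is an added example and is not code from Obsidian's report or from the post: it pulls destination URLs out of a link's query values and out of the Google AMP cache path form, and flags links on an assumed list of redirector hosts whose destination leaves the trusted domain. The host list, the AMP path shape `/amp/s/<host>/<path>`, the `registrable()` helper and every sample URL are assumptions for illustration; the post does not say which redirect parameters the campaign actually used.

```python
"""Triage a link that points at a trusted redirector (added example).

Not from the report or the post. The redirector host list, the Google
AMP cache path shape (/amp/s/<host>/<path>) and all sample URLs are
assumptions; the post does not say which redirect parameters the
campaign actually used.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Platforms the post names as abused; the hostnames are our assumption.
TRUSTED_REDIRECTORS = {
    "canva.com", "www.canva.com",
    "www.google.com",            # AMP cache: /amp/s/<host>/<path>
    "docsend.com", "www.docsend.com",
}

ABS_URL = re.compile(r"^(?:https?:)?//", re.IGNORECASE)
AMP_PATH = re.compile(r"^/amp/s/([^/]+)(/.*)?$")


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough to tell 'leaves the domain'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def embedded_destinations(url: str) -> list:
    """Absolute URLs carried inside the link's query values or AMP path."""
    parts = urlsplit(url)
    found = []
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        candidate = unquote(value)          # second pass catches double-encoding
        if ABS_URL.match(candidate):
            # Protocol-relative //host/path inherits https here.
            found.append(candidate if "://" in candidate else "https:" + candidate)
    m = AMP_PATH.match(parts.path)
    if m:
        found.append("https://" + m.group(1) + (m.group(2) or ""))
    return found


def triage(url: str) -> dict:
    """Flag a link on a trusted redirector whose destination leaves that domain.

    A hit means 'inspect this hop manually, do not trust the domain'; the
    Turnstile step described in the post means a scanner that simply
    fetches the final page will usually see nothing useful.
    """
    host = (urlsplit(url).hostname or "").lower()
    destinations = embedded_destinations(url)
    off_domain = [
        d for d in destinations
        if registrable(urlsplit(d).hostname or "") != registrable(host)
    ]
    trusted = host in TRUSTED_REDIRECTORS
    return {
        "url": url,
        "trusted_redirector": trusted,
        "destinations": destinations,
        "off_domain": off_domain,
        "suspicious": trusted and bool(off_domain),
    }


# Constructed sample links; the .invalid TLD is reserved and never resolves.
SAMPLE_LINKS = [
    "https://www.google.com/amp/s/compromised-example.invalid/view/doc",
    "https://www.canva.com/design/abc?redirect=https%3A%2F%2Fwordpress-lure.invalid%2Fm365",
    "https://www.google.com/search?q=open+redirect",
    "https://wordpress-lure.invalid/?next=https://login.microsoftonline.com/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = triage(link)
        print("SUSPICIOUS" if r["suspicious"] else "ok        ", link, "->", r["off_domain"])
```

The last sample shows the limit of the check: a link that already sits on the attacker's WordPress site is not a redirector hop and is not flagged here; that stage needs the domain-age and rotation signals the post describes rather than URL structure.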

  • Feross Aboukhadijeh

    Founder & CEO at Socket — we're hiring!


    Today, Socket's Threat Research Team disclosed a large-scale phishing infrastructure that abused npm + unpkg as free CDN hosting.

    What we found:
    • 175 malicious npm packages (randomized names, pattern redirect-xxxxxx) with 26k+ downloads.
    • 630+ HTML lure files, tailored to victims (purchase orders, specs, project docs).
    • 7 phishing domains and tooling that automated package creation + publishing per target.
    • 135+ targeted organizations across industrial, tech, and energy sectors (heavy focus in Western Europe).

    We’ve named the operation Beamglea — the packages’ payloads are tiny redirect scripts (beamglea.js) that append a victim email and send the user to credential-harvesting pages.

    Why this is dangerous:
    • This isn’t a typical npm supply chain attack — it’s infrastructure abuse. The attackers are using npm’s public registry and unpkg’s automatic HTTPS hosting as an inexpensive, trusted CDN for phishing. That makes detection harder and gives their phishing pages plausible legitimacy (pre-filled emails, polished lures).

    Practical recommendations (do these immediately):
    • Force password resets for accounts in the IOC list — prioritize Office 365 accounts.
    • Require MFA across all email and cloud accounts.
    • Quarantine or strip HTML attachments at the gateway (legitimate business rarely needs raw HTML attachments).
    • Monitor network traffic for unpkg.com/*/beamglea.js patterns and the seven known C2 domains.
    • Audit recent email attachments (Sept–Oct 2025) for PO/contract-themed HTML files.
    • Review wire/financial activity for signs of BEC following credential theft.

    Indicators we published:
    • Full list of package names (pattern: redirect-<6 chars>), the seven domains, and a set of author aliases we observed. Treat any detection of these IOCs as high-severity.

    Why this matters long-term:
    • This campaign shows a new, repeatable playbook: weaponize public package registries + CDNs as disposable phishing infrastructure. Expect iteration — alternate CDNs, obfuscated JS, geofencing, and DGA-like domain rotations. Defenders should treat public registry assets and CDN-served scripts as part of the threat surface, not just developer tools.

    If you run an org with public-facing email accounts, developer teams, or supply-chain processes, Socket’s research includes the full IOCs and recommended detection rules — reach out if you need help operationalizing these mitigations. https://lnkd.in/dQCBNRid
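The post recommends monitoring traffic for `unpkg.com/*/beamglea.js` and gives the package naming pattern `redirect-<6 chars>`. The following is an added example of that hunt over web-proxy logs; it is not Socket's published detection rule set. It relies on unpkg's URL form `https://unpkg.com/<package>[@<version>]/<path>`, from which both the package name and the served file name can be read back. The log line layout, the sample lines, and the assumption that the six-character suffix is lowercase letters and digits are ours; the e-mail-in-URL check is a weak secondary signal based on the post's statement that the redirect hands the victim's address to the lure page.

```python
"""Hunt proxy logs for the unpkg/npm redirector pattern this post describes.

Added example; these are not Socket's published detection rules. The
line format, the sample lines and the character class of the six-char
package suffix are assumptions. unpkg serves
https://unpkg.com/<package>[@<version>]/<path>, so the package name and
file name are both recoverable from the URL.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Scoped packages (@scope/name) are not handled; the post's packages are unscoped.
UNPKG_URL = re.compile(
    r"^https?://(?:www\.)?unpkg\.com/(?P<pkg>[^/@\s]+)(?:@(?P<ver>[^/\s]+))?/(?P<path>\S*)",
    re.IGNORECASE,
)
REDIRECT_PKG = re.compile(r"^redirect-[a-z0-9]{6}$")   # assumed lowercase/digit suffix
PAYLOAD_NAME = "beamglea.js"
# Any query value containing an e-mail address (raw @ or %40). Weak on its own.
EMAIL_IN_QUERY = re.compile(r"[?&][^=&]*=[^&]*(?:@|%40)", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    client: str
    url: str
    reasons: List[str] = field(default_factory=list)


def scan_line(line_no: int, line: str) -> Optional[Hit]:
    """Assumed log format: '<timestamp> <client_ip> <method> <url> <status>'."""
    fields = line.split()
    if len(fields) < 5:
        return None
    client, url = fields[1], fields[3]
    reasons = []
    m = UNPKG_URL.match(url)
    if m:
        if m.group("path").lower().endswith(PAYLOAD_NAME):
            reasons.append("unpkg-served " + PAYLOAD_NAME)
        if REDIRECT_PKG.match(m.group("pkg").lower()):
            reasons.append("npm package name matches redirect-<6 chars>")
    if EMAIL_IN_QUERY.search(url):
        reasons.append("e-mail address passed in URL (weak: possible lure pre-fill)")
    return Hit(line_no, client, url, reasons) if reasons else None


def scan(lines) -> List[Hit]:
    hits = []
    for n, line in enumerate(lines, start=1):
        hit = scan_line(n, line)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample lines; hosts use the reserved .invalid TLD.
SAMPLE_LOG = [
    "2025-10-02T09:14:03Z 10.20.1.55 GET https://unpkg.com/redirect-k2m9xq@1.0.0/beamglea.js 200",
    "2025-10-02T09:14:04Z 10.20.1.55 GET https://lure-example.invalid/login?email=j.doe%40victim-example.invalid 200",
    "2025-10-02T09:14:05Z 10.20.1.60 GET https://unpkg.com/react@18.2.0/umd/react.production.min.js 200",
    "2025-10-02T09:14:06Z 10.20.1.61 GET https://unpkg.com/redirect-abcdef/index.html 200",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no} {h.client} {h.url}\n    " + "; ".join(h.reasons))
```

A client that fetches `beamglea.js` and, seconds later, a page on an unknown host with its own e-mail address in the query string is the full chain the post describes; the same client IP on lines 1 and 2 of the sample is the join key. The package-name match on its own also catches variants that rename the payload file but keep the generated package names, which is the kind of iteration the post expects.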

  • Olakanmi Oluwole

    SOC Manager and Cyber Threat Intelligence Operations (Africa)


    We are observing widespread and sophisticated fileless malware campaigns targeting companies in the African finance and telecommunications sectors. The campaign typically begins with a phishing email sent to departments such as Sales and Procurement, often disguised as a Request for Quotation (RFQ). The email includes an attachment, commonly a PowerShell (.ps1) dropper file crafted to appear legitimate.

    In one notable case, the dropper, once executed, downloaded what appeared to be a random image file onto the user’s system. At first glance, the image seemed harmless, but its huge file size raised suspicion. Further analysis revealed the file contained a malicious DLL hidden using steganography. The attackers concealed binary malware within the image file. The dropper extracted this hidden payload and executed it in memory. It also created a scheduled task via Windows Task Scheduler, ensuring persistence even after reboot.

    The DLL was executed using in-memory .NET assemblies and PowerShell one-liners, avoiding detection by traditional antivirus solutions. Once active, the payload could accept commands from a remote C2 server, launch processes, and exfiltrate sensitive system information. The malware was observed collecting public and private IP addresses, geolocation data, a list of scheduled tasks, and basic system metadata (useful for lateral movement or persistence).

    These behaviours are consistent with advanced fileless malware operations, where attackers minimise their on-disk footprint and rely on living-off-the-land techniques (LOLBins) to evade detection. Indicators of compromise (IoCs) revealed that the email sender, domain, and IPs have previously been reported in malicious activity, including spoofing, credential harvesting, spam, and phishing. This suggests the threat actors are leveraging an established, actively maintained infrastructure.

    Recommendations for Security Teams
    - Train employees to recognise phishing tactics such as urgency-driven language, unexpected RFQs, and suspicious attachments. Encourage reporting to IT/security teams.
    - Configure filtering policies to block or sandbox compressed file types (e.g., .zip, .rar, .tgz) and scripts (.ps1, .js, .vbs) from untrusted senders.
    - Enable DMARC, SPF, and DKIM enforcement for email to avoid spoofing and spam.
    - Deploy advanced EDR solutions with behavioural detection to catch in-memory execution, PowerShell abuse, and steganographic payloads.
    - Monitor for suspicious persistence mechanisms (e.g., unexpected scheduled tasks).
    - Regularly apply security patches to operating systems, browsers, and office applications.
    - Restrict execution of unsigned PowerShell scripts via Constrained Language Mode or AppLocker/Defender Application Control.
    - Monitor outbound connections to detect C2 traffic patterns.
    - Hunt for anomalous large image files or unusual PowerShell activity in logs.

    #SOC #ThreatIntelligence #DigitalForensics #Malware #FilelessMalware #Threat
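The post's last recommendation, hunting for anomalously large image files, can be made concrete: a file that is a valid image but carries a large block of bytes after the image formally ends is the simplest way to hide a DLL "inside" a picture, and is cheap to check at scale. The following is an added example and not the author's analysis tooling. It walks a PNG's chunk list to the IEND chunk and a JPEG's marker segments to the EOI marker, and reports whatever follows. It does not detect pixel-level (LSB) steganography, and because the appended payload is usually encoded or encrypted, the size of the trailer is treated as the primary signal and an unencoded `MZ` header as a bonus. The alert threshold and both sample images are constructed here.

```python
"""Find image files that carry extra bytes after the image ends.

Added example, not from the post. Appending a payload after a PNG's IEND
chunk or a JPEG's EOI marker is one common way to hide a DLL inside an
"image"; a dropper then slices it off and loads it in memory. This check
does not detect pixel-level (LSB) steganography, and the payload is often
encoded, so the size of the trailer matters more than what it starts with.
The threshold and the sample images below are constructed assumptions.
"""
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TRAILER_ALERT_BYTES = 1024     # assumed threshold; a few stray bytes are common


def png_trailer(data: bytes) -> Optional[bytes]:
    """Bytes after the IEND chunk, or None if the data is not a whole PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4             # length+type, data, CRC
        if pos > len(data):
            return None                   # truncated chunk
        if ctype == b"IEND":
            return data[pos:]
    return None


def jpeg_trailer(data: bytes) -> Optional[bytes]:
    """Bytes after the EOI marker, or None if the data is not a whole JPEG."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                # EOI
            return data[pos + 2:]
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                # SOS: entropy-coded data follows
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                # FF00 is byte stuffing and FFD0..D7 are restart markers;
                # anything else after FF is a real marker (EOI or another segment).
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def inspect_image(data: bytes) -> dict:
    """Classify the file and report how much data trails the image proper."""
    kind, trailer = "png", png_trailer(data)
    if trailer is None:
        kind, trailer = "jpeg", jpeg_trailer(data)
    if trailer is None:
        return {"kind": None, "trailer_bytes": 0, "looks_like_pe": False, "suspicious": False}
    return {
        "kind": kind,
        "trailer_bytes": len(trailer),
        "looks_like_pe": trailer[:2] == b"MZ",       # unencoded DLL/EXE header
        "suspicious": len(trailer) >= TRAILER_ALERT_BYTES or trailer[:2] == b"MZ",
    }


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


# Constructed 1x1 greyscale PNG, then the same file with a 2 KiB encoded-looking
# blob appended after IEND (stands in for a packed DLL).
CLEAN_PNG = (PNG_SIG
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _png_chunk(b"IEND", b""))
STEGO_PNG = CLEAN_PNG + bytes(range(256)) * 8

# Constructed minimal JPEG: SOI, APP0, SOS, a few entropy bytes (with FF00
# stuffing), EOI; then the same with an unencoded PE header plus padding.
CLEAN_JPEG = (b"\xff\xd8"
              + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x12\xff\x00\x34" + b"\xff\xd9")
STEGO_JPEG = CLEAN_JPEG + b"MZ\x90\x00" + b"\x00" * 2044

if __name__ == "__main__":
    for name, blob in [("clean.png", CLEAN_PNG), ("stego.png", STEGO_PNG),
                       ("clean.jpg", CLEAN_JPEG), ("stego.jpg", STEGO_JPEG)]:
        print(name, inspect_image(blob))
```

Run over a mailbox attachment store or a user's Downloads folder, this turns "huge image" from a gut feeling into a measurable trailer size; the companion signal from the post, a `.ps1` process spawning shortly before the image appeared and a new scheduled task shortly after, is what EDR telemetry should be queried for on any hit.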

  • Robert Fernandes

    Award Winning CISO | vCISO | Keynote Speaker | TEDx Speaker | Cybersecurity | Threat Exposure Monitoring | Business Resiliency | Leadership | Nonprofit Founder @ Cyberchance | Fluent in English and Spanish


    Beware of an active integrated credential phishing and cloud Account Takeover (ATO) campaign. It was originally detected by Proofpoint researchers in late November 2023. This campaign uses individualized phishing lures within shared documents, including embedded links to 'view document' that lead to a malicious phishing webpage. The targets of this attack are often senior positions, including sales directors, account managers, and finance managers. Even individuals holding executive positions such as 'vice president, operations,' 'chief financial officer & treasurer,' and 'president & CEO' were among those targeted, according to the researchers. During the access phase of the attack, the attackers use a specific Linux user-agent for accessing the OfficeHome sign-in application and gain access to a range of native Microsoft 365 apps. Defenders can use this information as an indicator of compromise (IOC), as the user-agent reads: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36". Once the initial access succeeds, the attackers manipulate multi-factor authentication (MFA) to maintain persistence. This can include registering a fake phone number for SMS authentication or adding a separate authenticator with notification and code. Subsequent activity is likely to include data exfiltration, internal and external phishing, financial fraud, and compromise obfuscation through new mailbox rules to cover tracks and remove evidence of malicious activity from the victims’ mailboxes. Stay vigilant, and be cautious when clicking on shared documents or links, especially if they are individualized and come from an unverified source.
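The post gives a concrete sign-in IOC (the Linux Chrome user-agent against the OfficeHome application) and the two persistence moves that follow it (registering a new MFA method, creating mailbox rules). Those three are worth joining, because the user-agent on its own is a common Linux Chrome string and will match legitimate users too. The following is an added example and is not Proofpoint's or the author's detection logic: it takes simplified sign-in and audit records whose field names are modelled on Microsoft Entra sign-in and unified audit log exports (an assumption; map them to your own export), uses the Exchange cmdlet names `New-InboxRule`/`Set-InboxRule` and the Entra audit activity "User registered security info" as the persistence operations, and reports each IOC sign-in together with the persistence actions the same account performed inside an assumed 24-hour window. All records are constructed; the IP addresses are from documentation ranges.

```python
"""Correlate the sign-in IOC from this post with follow-on persistence.

Added example, not Proofpoint's or the author's detection. Record layout
is simplified from Microsoft Entra sign-in and unified audit log exports
(field names are an assumption; map them to your own export). Operation
names follow the Exchange cmdlets (New-InboxRule, Set-InboxRule) and the
Entra audit activity "User registered security info". All records are
constructed. The user-agent string is the one quoted in the post; it is
a common Linux Chrome UA, so a sign-in is only reported as confirmed when
an MFA-method or mailbox-rule change by the same account follows it.
"""
from datetime import datetime, timedelta
from typing import Dict, List

IOC_USER_AGENT = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
TARGET_APPS = {"OfficeHome"}
PERSISTENCE_OPS = {"User registered security info", "New-InboxRule", "Set-InboxRule"}
WINDOW = timedelta(hours=24)          # assumed correlation window


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_signins(signins: List[dict]) -> List[dict]:
    """Successful OfficeHome sign-ins carrying the IOC user agent."""
    return [e for e in signins
            if e["userAgent"] == IOC_USER_AGENT
            and e["appDisplayName"] in TARGET_APPS
            and e["status"] == "success"]


def correlate(signins: List[dict], audit: List[dict]) -> Dict[str, dict]:
    """For each IOC sign-in, list persistence actions by that user inside WINDOW."""
    findings = {}
    for s in suspicious_signins(signins):
        t0 = ts(s["createdDateTime"])
        actions = sorted(
            (a for a in audit
             if a["userPrincipalName"] == s["userPrincipalName"]
             and a["operation"] in PERSISTENCE_OPS
             and t0 <= ts(a["createdDateTime"]) <= t0 + WINDOW),
            key=lambda a: a["createdDateTime"])
        findings[s["userPrincipalName"]] = {
            "signin_time": s["createdDateTime"],
            "signin_ip": s["ipAddress"],
            "persistence": [(a["createdDateTime"], a["operation"], a.get("detail", ""))
                            for a in actions],
            "confirmed": bool(actions),   # IOC UA alone is a lead, not a finding
        }
    return findings


# Constructed records. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2023-11-28T10:02:11Z", "userPrincipalName": "cfo@victim-example.invalid",
     "appDisplayName": "OfficeHome", "ipAddress": "203.0.113.10", "status": "success",
     "userAgent": IOC_USER_AGENT},
    {"createdDateTime": "2023-11-28T10:05:40Z", "userPrincipalName": "sales.director@victim-example.invalid",
     "appDisplayName": "OfficeHome", "ipAddress": "203.0.113.11", "status": "failure",
     "userAgent": IOC_USER_AGENT},
    {"createdDateTime": "2023-11-28T10:07:02Z", "userPrincipalName": "dev@victim-example.invalid",
     "appDisplayName": "OfficeHome", "ipAddress": "198.51.100.7", "status": "success",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
]
SAMPLE_AUDIT = [
    {"createdDateTime": "2023-11-28T10:09:30Z", "userPrincipalName": "cfo@victim-example.invalid",
     "operation": "User registered security info", "detail": "Authenticator app added"},
    {"createdDateTime": "2023-11-28T10:15:12Z", "userPrincipalName": "cfo@victim-example.invalid",
     "operation": "New-InboxRule", "detail": "MoveToFolder=RSS Subscriptions; SubjectContainsWords=invoice"},
    {"createdDateTime": "2023-12-05T08:00:00Z", "userPrincipalName": "cfo@victim-example.invalid",
     "operation": "Set-InboxRule", "detail": "outside the 24h window"},
    {"createdDateTime": "2023-11-28T10:20:00Z", "userPrincipalName": "dev@victim-example.invalid",
     "operation": "New-InboxRule", "detail": "unrelated user, no IOC sign-in"},
]

if __name__ == "__main__":
    for upn, f in correlate(SAMPLE_SIGNINS, SAMPLE_AUDIT).items():
        print(upn, "CONFIRMED" if f["confirmed"] else "lead only", f["signin_ip"])
        for when, op, detail in f["persistence"]:
            print("   ", when, op, "-", detail)
```

The failed sign-in for the sales director is deliberately excluded: it is still worth a password reset, but it has not produced a session to hunt for. When a confirmed finding appears, the response the post implies is to revoke sessions, remove the attacker-added authenticator and rule, and then search the mailbox for the internal phishing and financial-fraud follow-ups.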
