{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/gmail/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GSuite","Gmail"],"_cs_severities":["medium"],"_cs_tags":["gsuite","spear-phishing","malicious-attachment"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis analytic focuses on detecting potential spear-phishing attacks targeting GSuite users by identifying emails containing suspicious attachments. The detection leverages GSuite Gmail logs to identify emails with attachments having file extensions commonly associated with malware, such as .exe, .bat, .js, .vbs, .ps1 and others. The goal is to identify potentially malicious emails that bypass traditional security measures, such as spam filters. Successfully delivered malicious attachments can lead to unauthorized code execution, data breaches, or further network infiltration. This activity is significant as these file types are often used to deliver malicious payloads, posing a risk of compromising targeted machines. The alert is designed to detect anomalies that may indicate a sophisticated spear-phishing attempt.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a spear-phishing email targeting a GSuite user.\u003c/li\u003e\n\u003cli\u003eThe email contains an attachment with a suspicious file extension (e.g., .exe, .bat, .js, .vbs, .ps1).\u003c/li\u003e\n\u003cli\u003eThe target user receives the email in their GSuite Gmail inbox.\u003c/li\u003e\n\u003cli\u003eThe user opens the email and downloads the suspicious attachment.\u003c/li\u003e\n\u003cli\u003eThe user executes the downloaded attachment, initiating the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes, potentially compromising the user's machine.\u003c/li\u003e\n\u003cli\u003eThe compromised machine establishes a connection to a command-and-control (C2) server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the compromised machine, potentially leading to data exfiltration or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful spear-phishing attack through GSuite can result in the compromise of individual user accounts and machines. This can lead to unauthorized access to sensitive data stored in GSuite, such as emails, documents, and contacts. It can also facilitate the deployment of malware on the compromised machine, potentially leading to data breaches, financial loss, and reputational damage. The impact is further amplified if the compromised user has privileged access to critical systems or data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGSuite Email with Suspicious Attachment\u003c/code\u003e to your SIEM and tune for your environment based on the known_false_positives.\u003c/li\u003e\n\u003cli\u003eEnable alerting on the Sigma rule and prioritize investigation based on the \u003ccode\u003eseverity\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eImplement user awareness training to educate employees about the risks of opening suspicious attachments and to recognize spear-phishing attempts.\u003c/li\u003e\n\u003cli\u003eReview and strengthen your organization's email security policies and procedures, focusing on attachment handling and malware prevention.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-gsuite-suspicious-attachment/","summary":"This analytic detects GSuite emails with suspicious file attachments (e.g., .exe, .bat, .js) which may indicate a spear-phishing attack leading to malware deployment and potential system compromise.","title":"GSuite Email with Suspicious Attachment","url":"https://feed.craftedsignal.io/briefs/2024-01-03-gsuite-suspicious-attachment/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GSuite","Gmail"],"_cs_severities":["medium"],"_cs_tags":["gsuite","phishing","malware","pastebin","telegram","discord"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of malicious emails within the GSuite environment that contain links to web services known for abuse, such as Pastebin, Telegram, and Discord. These platforms are often leveraged by threat actors to host and distribute malicious payloads, phishing links, and command-and-control instructions. The detection specifically targets GSuite Gmail logs to identify emails with links containing domains associated with these services. This activity is significant because successful exploitation can lead to malware infections, credential theft, and further compromise of internal systems. The detection logic is based on identifying specific domains within email links and is designed to identify potential threats before they can be successfully executed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker sends a phishing email to a target within the organization, using a GSuite account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDelivery:\u003c/strong\u003e The email contains a link to a malicious payload hosted on Pastebin.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRedirection:\u003c/strong\u003e The user clicks on the link, redirecting them to the attacker-controlled Pastebin page.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Delivery:\u003c/strong\u003e The Pastebin page contains obfuscated code, such as a PowerShell script, designed to download and execute a malicious payload.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The PowerShell script executes on the victim's machine, downloading a malware stager from a Telegram channel.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The malware stager establishes persistence on the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The malware establishes a command and control (C2) connection with the attacker's server, potentially using Discord as a communication channel.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker gains remote access to the compromised system, enabling data exfiltration or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of sensitive information, system downtime, and financial losses. Organizations using GSuite are at risk. The impact could range from a single compromised user account to a widespread ransomware infection affecting critical business operations. Public reporting suggests similar attacks have resulted in data breaches impacting thousands of users and costing victim organizations millions of dollars in recovery efforts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGSuite Email with Known Abuse Web Service Links\u003c/code\u003e to your SIEM to detect emails containing links to known abuse web services (Pastebin, Discord, Telegram, t.me) within GSuite Gmail logs.\u003c/li\u003e\n\u003cli\u003eBlock the known malicious domains (pastebin.com, discord.com, telegram.org, t.me) at your organization's DNS resolver to prevent access to potentially malicious content as per the IOC table.\u003c/li\u003e\n\u003cli\u003eEnable GSuite Gmail logs to ensure visibility into email traffic and enable the successful operation of the detection rule detailed in this brief.\u003c/li\u003e\n\u003cli\u003eImplement user awareness training to educate employees about the risks associated with clicking links in emails from unknown senders, especially links to file-sharing or messaging platforms.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-gsuite-abuse-links/","summary":"This analytic detects emails in Gsuite containing links to known abuse web services such as Pastebin, Telegram, and Discord, commonly used by attackers to deliver malicious payloads leading to malware, phishing, or other harmful activities.","title":"GSuite Email with Known Abuse Web Service Links","url":"https://feed.craftedsignal.io/briefs/2024-01-gsuite-abuse-links/"}],"language":"en","title":"CraftedSignal Threat Feed - Gmail","version":"https://jsonfeed.org/version/1.1"}