https://feed.craftedsignal.io/products/microsoft-365/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 30 Apr 2026 13:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-clickfix-backgroundfix/Thu, 30 Apr 2026 13:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-clickfix-backgroundfix/The 'BackgroundFix' ClickFix campaign uses social engineering to trick victims into downloading malware disguised as a free image-editing tool, leading to the deployment of CastleLoader, NetSupport RAT for remote access, and CastleStealer for credential theft.The BackgroundFix campaign is a social engineering scheme using fake “remove your photo background” services to deliver malware. Victims are lured to malicious sites mimicking legitimate image editing tools. The sites feature fake upload interfaces, progress bars, and download buttons to appear authentic. This campaign delivers a multi-stage payload, starting with CastleLoader. CastleLoader then drops NetSupport RAT, enabling remote access for the attackers, and CastleStealer, a custom .NET stealer designed to exfiltrate browser credentials, wallet extension data, and Telegram session files. This campaign appears to be active, with multiple domains sharing the same template.

Attack Chain

1. Victim searches for an online background removal tool and lands on a malicious BackgroundFix site.
2. The victim uploads an image to the fake website.
3. After clicking a checkbox, the site instructs the victim to copy a command to their clipboard.
4. The copied command executes finger.exe to query cheeshomireciple[.]com
5. finger.exe retrieves a batch script from the C2 server.
6. The batch script executes commands to download and execute further payloads.
7. CastleLoader is deployed, subsequently dropping NetSupport RAT and CastleStealer.
8. NetSupport RAT grants the attacker remote access, while CastleStealer exfiltrates sensitive data.

Impact

Successful attacks result in the installation of NetSupport RAT, granting attackers remote control over the compromised system. Additionally, CastleStealer exfiltrates sensitive information such as browser credentials, wallet extension data, and Telegram session files. This stolen data can be used for further malicious activities, including financial fraud, identity theft, and unauthorized access to sensitive accounts. The active nature of the campaign and the use of multiple domains suggest a broad targeting scope.

Recommendation

• Monitor process creation events for the execution of finger.exe with command-line arguments pointing to external domains (IOC: cheeshomireciple[.]com).
• Deploy the Sigma rule to detect the execution of finger.exe to identify potential initial access attempts.
• Block the C2 domain cheeshomireciple[.]com at the DNS resolver to prevent initial payload delivery.
• Monitor network connections for NetSupport RAT C2 communications on port 688 to detect compromised systems (IOCs: poronto[.]com:688, giovettiadv[.]com:688).

]]>highadvisoryclickfixmalwaresocial-engineeringratinfostealercastleloadernetsupporthttps://feed.craftedsignal.io/briefs/2024-01-04-c2-web-services/Thu, 04 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-04-c2-web-services/This rule detects command and control activity using common web services by identifying Windows hosts making DNS requests to a list of commonly abused web services from processes outside of known program locations, potentially indicating adversaries attempting to blend malicious traffic with legitimate network activity.Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. This detection focuses on identifying connections from Windows hosts to a predefined list of commonly abused web services from processes running outside of typical program installation directories, indicating a potential C2 channel leveraging legitimate services. The rule aims to detect this behavior by monitoring network connections and DNS requests originating from unusual locations.

Attack Chain

1. Initial access is achieved via an unknown method (e.g., phishing, exploit).
2. Malware is installed on the victim’s system, likely outside typical program directories.
3. The malware establishes a DNS connection to a commonly abused web service (e.g., pastebin.com, raw.githubusercontent.com) to obscure C2 traffic.
4. The malware sends encrypted or encoded commands to the web service.
5. The web service acts as an intermediary, relaying the commands to the attacker’s C2 server.
6. The C2 server responds with instructions, which are then relayed back to the compromised host through the same web service.
7. The malware executes the received commands, potentially leading to data exfiltration, lateral movement, or other malicious activities.
8. The attacker maintains persistent access and control over the compromised system using the web service as a hidden C2 channel.

Impact

Successful exploitation can lead to data theft, system compromise, and further propagation within the network. Since commonly used web services are utilized, the malicious activity can blend in with legitimate network traffic, making it difficult to detect. The impact can range from minor data breaches to complete network compromise, depending on the attacker’s objectives and the level of access gained.

Recommendation

• Deploy the Sigma rule Detect Commonly Abused Web Services via DNS to your SIEM to identify suspicious DNS queries to known C2 web services originating from anomalous processes.
• Enable DNS query logging on Windows endpoints to provide the data source required for the Sigma rule.
• Review network connection logs for processes outside standard installation directories communicating with domains listed in the query section of the Sigma rule to identify potential C2 activity.
• Implement network segmentation to limit the potential impact of compromised hosts.

]]>mediumadvisorycommand-and-controlwindowsthreat-detectionhttps://feed.craftedsignal.io/briefs/2024-01-m365-suspicious-email/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-m365-suspicious-email/This brief outlines a threat where Microsoft Defender for Office 365 identifies an email as malicious or suspicious but still delivers it to a user's inbox or junk folder, potentially bypassing initial security measures.This threat involves malicious or suspicious emails, as identified by Microsoft Defender for Office 365, being delivered to user mailboxes despite the existing security mechanisms. This can occur due to various factors, including misconfigured security policies, sophisticated attacker techniques that evade detection, or delayed signature updates. The delivery of such emails presents a significant risk, as they may contain spearphishing attachments, malicious links, or other harmful content designed to compromise user accounts or systems. Successful exploitation can lead to data theft, malware infection, and further propagation of the attack within the organization. It’s crucial to investigate these instances promptly to remediate any potential damage and improve email security posture.

Attack Chain

1. An attacker crafts a spearphishing email designed to bypass standard security filters.
2. The email is sent to a target user within the Microsoft 365 environment.
3. Microsoft Defender for Office 365 analyzes the email and identifies it as suspicious but fails to block delivery.
4. The email is delivered to the user’s Inbox or Junk folder.
5. The user opens the email and clicks on a malicious link or opens a malicious attachment (e.g., a macro-enabled document).
6. The link redirects the user to a credential harvesting site, or the attachment executes malicious code (e.g., via PowerShell).
7. The attacker gains access to the user’s account or system.
8. The attacker uses the compromised account to further propagate the attack, exfiltrate data, or deploy malware within the organization.

Impact

The impact of this threat can be significant. Successful exploitation can lead to the compromise of user accounts, data theft, malware infection, and financial loss. Organizations may experience business disruption, reputational damage, and legal liabilities. The number of affected users and the extent of the damage will depend on the attacker’s objectives and the organization’s security controls.

Recommendation

• Deploy the Sigma rule provided to detect suspicious email delivery events within your Microsoft 365 environment and tune for your specific environment.
• Investigate any alerts generated by the Sigma rule to determine the root cause of the bypass and remediate any potential damage.
• Review and adjust Microsoft Defender for Office 365 settings to improve detection accuracy and blocking capabilities.
• Educate users about the risks of phishing emails and encourage them to report suspicious messages.
• Monitor the TIMailData operation within the M365 audit logs for further analysis and threat hunting.

]]>mediumadvisorysuspicious-emailphishingmicrosoft365