{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/email/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":true,"_cs_products":["mutt"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","email"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities in the mutt email client allow a remote, anonymous attacker to bypass security measures and potentially cause a denial-of-service (DoS) condition. While specific details regarding the vulnerabilities are not provided in the source, the advisory indicates a risk of exploitation that could disrupt email services for users of the mutt client. The lack of CVEs or specific techniques suggests a potential zero-day or newly discovered flaw. This poses a risk to organizations relying on mutt for email communications, especially if security measures are not up-to-date or properly configured. The scope of targeting is broad, affecting any user of the mutt email client.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of the mutt email client.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious email or other input designed to trigger a vulnerability in mutt.\u003c/li\u003e\n\u003cli\u003eThe malicious input is sent to a user of the mutt email client.\u003c/li\u003e\n\u003cli\u003eThe user opens the email or processes the malicious input, causing the mutt client to parse the data.\u003c/li\u003e\n\u003cli\u003eThe vulnerability is triggered, potentially leading to memory corruption, code execution, or resource exhaustion.\u003c/li\u003e\n\u003cli\u003eIf the vulnerability leads to resource exhaustion, the mutt client becomes unresponsive, denying service to the user.\u003c/li\u003e\n\u003cli\u003eRepeated exploitation of the vulnerability can lead to a sustained denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to a denial-of-service condition for users of the mutt email client. This can disrupt email communications and potentially lead to loss of productivity. The advisory does not specify the number of victims or sectors targeted, but the impact could be widespread given the popularity of the mutt client among certain user groups. The lack of specific CVEs makes it difficult to assess the severity of the impact, but the potential for DoS warrants immediate attention.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for patterns indicative of denial-of-service attacks targeting systems running the mutt email client.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting and traffic filtering to mitigate the impact of potential DoS attacks.\u003c/li\u003e\n\u003cli\u003eSince the source does not include specific IOCs, focus on generic DoS detection strategies tailored to email protocols.\u003c/li\u003e\n\u003cli\u003eInvestigate and apply any available patches or updates for mutt from the vendor to address the underlying vulnerabilities once they are published.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T10:49:07Z","date_published":"2026-05-04T10:49:07Z","id":"/briefs/2026-05-mutt-dos/","summary":"A remote, anonymous attacker can exploit multiple vulnerabilities in mutt to bypass security measures and cause a denial-of-service condition.","title":"Multiple Vulnerabilities in Mutt Email Client Lead to Potential DoS","url":"https://feed.craftedsignal.io/briefs/2026-05-mutt-dos/"},{"_cs_actors":["Storm-1747"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender"],"_cs_severities":["high"],"_cs_tags":["email","phishing","credential-theft","Tycoon2FA","BEC"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eIn the first quarter of 2026, Microsoft Threat Intelligence observed a significant rise in email-based phishing threats, totaling approximately 8.3 billion. This increase was driven by surges in QR code phishing (more than doubling over the period), CAPTCHA-gated phishing, and credential phishing attacks. Microsoft\u0026rsquo;s Digital Crime Unit successfully disrupted the Tycoon2FA phishing-as-a-service (PhaaS) platform in early March, leading to a 15% reduction in associated email volume. However, threat actors adapted by shifting hosting providers and domain registration patterns. Business email compromise (BEC) also remained a prevalent threat, with approximately 10.7 million attacks recorded during the quarter, often characterized by low-effort, generic outreach messages. Microsoft Defender Research has also noted the emergence of AI-enabled device code phishing campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Email Delivery:\u003c/strong\u003e Attackers send phishing emails impersonating legitimate services or organizations. These emails may contain links, QR codes, or HTML attachments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVictim Interaction:\u003c/strong\u003e The victim opens the email and clicks on a malicious link or scans a QR code, redirecting them to a phishing page.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePhishing Page Redirection:\u003c/strong\u003e The phishing page mimics a legitimate login portal, such as Microsoft 365 or other enterprise applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Harvesting:\u003c/strong\u003e The victim enters their username and password on the phishing page, which are then captured by the attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMFA Bypass (AiTM):\u003c/strong\u003e For attacks using adversary-in-the-middle (AiTM) techniques (like those facilitated by Tycoon2FA), the attacker intercepts the MFA code and uses it to authenticate.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Compromise:\u003c/strong\u003e With the stolen credentials and MFA code (if applicable), the attacker gains unauthorized access to the victim\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Data Theft:\u003c/strong\u003e The attacker uses the compromised account to access sensitive data, send further phishing emails, or move laterally within the organization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBusiness Email Compromise:\u003c/strong\u003e In BEC attacks, attackers use compromised accounts or spoofed email addresses to send fraudulent invoices or requests for wire transfers.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe observed email threats in Q1 2026 led to a high risk of credential compromise, financial loss through BEC attacks, and potential data breaches across various sectors. Although the total number of victims is not specified, the billions of phishing attempts indicate a widespread impact. Microsoft\u0026rsquo;s disruption of Tycoon2FA temporarily reduced phishing volumes by 15%, demonstrating the potential for proactive intervention to mitigate these threats. However, threat actors are quickly adapting their techniques, indicating the need for continued vigilance and enhanced security measures. The 10.7 million BEC attacks alone represent a significant financial threat to businesses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Tycoon2FA Phishing Attempts\u0026rdquo; Sigma rule to identify email campaigns associated with the Tycoon2FA platform.\u003c/li\u003e\n\u003cli\u003eEnable Microsoft Defender detections to improve detection of phishing emails and malicious payloads.\u003c/li\u003e\n\u003cli\u003eMonitor email traffic for suspicious domain registrations, particularly those using newer generic top-level domains (TLDs) such as .DIGITAL, .BUSINESS, .CONTRACTORS, .CEO, and .COMPANY, and the resurgence of .RU registrations, to identify potential Tycoon2FA infrastructure shifts.\u003c/li\u003e\n\u003cli\u003eEducate users about the dangers of QR code phishing and CAPTCHA-gated attacks, emphasizing the importance of verifying the legitimacy of login pages and email senders, to reduce the effectiveness of phishing campaigns (T1566).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T15:00:00Z","date_published":"2026-04-30T15:00:00Z","id":"/briefs/2026-05-email-phishing-trends/","summary":"In Q1 2026, email threats increased, including credential phishing, QR code phishing, and CAPTCHA-gated campaigns, with Microsoft's disruption of the Tycoon2FA phishing platform leading to a 15% volume decrease and shifts in threat actor tactics; BEC activity remained prevalent at 10.7 million attacks.","title":"Q1 2026 Email Threat Landscape: Rise in Phishing Techniques and Tycoon2FA Disruption","url":"https://feed.craftedsignal.io/briefs/2026-05-email-phishing-trends/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["apple","phishing","callback phishing","email"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA phishing campaign is underway that abuses Apple\u0026rsquo;s account change notification system. Threat actors are inserting phishing messages into the first and last name fields of Apple ID accounts. By modifying the account\u0026rsquo;s shipping information, they trigger legitimate Apple security alerts, which then embed the malicious message within the email body. The emails appear to originate from \u003ca href=\"mailto:appleid@id.apple.com\"\u003eappleid@id.apple.com\u003c/a\u003e and pass SPF, DKIM, and DMARC checks, making them more likely to bypass spam filters. This campaign is designed to trick recipients into believing their accounts have been used for fraudulent purchases, scaring them into calling a scammer\u0026rsquo;s \u0026ldquo;support\u0026rdquo; number.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker creates an Apple ID using a burner email address.\u003c/li\u003e\n\u003cli\u003eThe attacker enters a phishing lure (e.g., \u0026ldquo;Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel\u0026rdquo;) split across the first and last name fields in the Apple ID profile, as these fields have character limits.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the account\u0026rsquo;s shipping information.\u003c/li\u003e\n\u003cli\u003eThis triggers an Apple account profile change notification email.\u003c/li\u003e\n\u003cli\u003eApple sends a legitimate security alert notifying the user of the change, embedding the attacker-controlled first and last name fields within the email body. The email originates from \u003ca href=\"mailto:appleid@id.apple.com\"\u003eappleid@id.apple.com\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eThe recipient receives the email, which appears legitimate and contains a phishing message and a callback number (e.g., 18023530761).\u003c/li\u003e\n\u003cli\u003eThe recipient, believing their account has been compromised, calls the provided number.\u003c/li\u003e\n\u003cli\u003eThe scammers attempt to convince the victim that their account has been compromised and may instruct them to install remote access software or provide financial information to \u0026ldquo;resolve\u0026rdquo; the issue, leading to financial theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful attacks can lead to financial theft, malware deployment, or data theft. Victims who call the provided number are at risk of being coerced into providing sensitive information or installing remote access software, giving the attackers full control over their devices and accounts. The specific number of victims is currently unknown, but the campaign\u0026rsquo;s use of legitimate Apple infrastructure increases its potential reach and impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule detecting emails originating from Apple infrastructure (\u003ca href=\"mailto:appleid@id.apple.com\"\u003eappleid@id.apple.com\u003c/a\u003e) containing suspicious phone numbers to your SIEM.\u003c/li\u003e\n\u003cli\u003eMonitor for emails originating from \u003ccode\u003eappleid@id.apple.com\u003c/code\u003e that contain phone numbers in the email body and consider blocking the identified number \u003ccode\u003e18023530761\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEducate users to treat unexpected account alerts claiming purchases or urging them to call support numbers with extreme caution, especially if they did not initiate any recent changes.\u003c/li\u003e\n\u003cli\u003eReview email gateway logs for emails originating from \u003ccode\u003eappleid@id.apple.com\u003c/code\u003e and \u003ccode\u003euatdsasadmin@email.apple.com\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-19T16:03:01Z","date_published":"2026-04-19T16:03:01Z","id":"/briefs/2026-04-apple-phishing/","summary":"A phishing campaign is abusing legitimate Apple account change notifications to deliver fake iPhone purchase scams, tricking users into calling malicious support numbers.","title":"Apple Account Notification Phishing Campaign","url":"https://feed.craftedsignal.io/briefs/2026-04-apple-phishing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Outlook"],"_cs_severities":["medium"],"_cs_tags":["persistence","registry_modification","outlook","email"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are known to modify Outlook security settings by directly manipulating registry values. This tactic allows them to bypass built-in security controls and enable potentially malicious functionalities such as running unsafe mail client rules. This circumvention of security measures can be leveraged for various malicious purposes, including persistence, data exfiltration, and further compromise of the victim\u0026rsquo;s system. The specific registry keys targeted reside under \u003ccode\u003e\\SOFTWARE\\Microsoft\\Office\\Outlook\\Security\\\u003c/code\u003e. This technique has been observed in various attack scenarios and poses a significant risk to organizations relying on Outlook for email communication. The modification of these registry settings may be performed by various means, ranging from manually executed commands to automated scripts deployed as part of a larger attack campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through methods such as phishing or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the specific registry keys controlling Outlook security settings, located under \u003ccode\u003e\\SOFTWARE\\Microsoft\\Office\\Outlook\\Security\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command-line tool or script (e.g., \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell) to modify the registry values related to Outlook security settings.\u003c/li\u003e\n\u003cli\u003eSpecifically, values are modified to enable the execution of \u0026ldquo;unsafe\u0026rdquo; mail client rules, potentially allowing arbitrary code execution via crafted emails.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious email designed to trigger the newly enabled, unsafe mail rules.\u003c/li\u003e\n\u003cli\u003eUpon receiving the email, Outlook processes the rules, executing the attacker\u0026rsquo;s payload.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution, enabling further malicious activities, such as data exfiltration or lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of Outlook security settings allows attackers to execute arbitrary code within the context of the user account running Outlook. This can lead to the compromise of sensitive information contained within emails, the installation of malware, and further propagation of the attack throughout the organization. The scope of the impact depends on the privileges of the user account and the attacker\u0026rsquo;s objectives, potentially affecting all users within an organization if the attacker gains domain administrator access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Outlook Security Settings Updated - Registry\u0026rdquo; to your SIEM to detect unauthorized modifications to Outlook security-related registry keys (logsource: registry_set/windows).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious processes (e.g., \u003ccode\u003ereg.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) modifying registry keys under \u003ccode\u003e\\SOFTWARE\\Microsoft\\Office\\Outlook\\Security\\\u003c/code\u003e (Sigma rule below, logsource: process_creation/windows).\u003c/li\u003e\n\u003cli\u003eImplement strict application control policies to prevent unauthorized execution of scripts and executables that could be used to modify registry settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:15:00Z","date_published":"2024-01-03T18:15:00Z","id":"/briefs/2024-01-outlook-registry-security-settings/","summary":"Attackers modify Outlook security settings via registry changes to enable malicious mail rules and bypass security controls, potentially leading to persistence and data compromise.","title":"Outlook Security Settings Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-outlook-registry-security-settings/"}],"language":"en","title":"CraftedSignal Threat Feed — Email","version":"https://jsonfeed.org/version/1.1"}