<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Email — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/email/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 04 May 2026 10:49:07 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/email/feed.xml" rel="self" type="application/rss+xml"/><item><title>Multiple Vulnerabilities in Mutt Email Client Lead to Potential DoS</title><link>https://feed.craftedsignal.io/briefs/2026-05-mutt-dos/</link><pubDate>Mon, 04 May 2026 10:49:07 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-mutt-dos/</guid><description>A remote, anonymous attacker can exploit multiple vulnerabilities in mutt to bypass security measures and cause a denial-of-service condition.</description><content:encoded><![CDATA[<p>Multiple vulnerabilities in the mutt email client allow a remote, anonymous attacker to bypass security measures and potentially cause a denial-of-service (DoS) condition. The source advisory gives neither per-flaw details nor CVE identifiers, so affected and fixed versions cannot be confirmed from it; the absence of identifiers says nothing about whether the flaws are zero-days, only that the brief cannot yet be tied to a published fix. What the advisory does establish is that the attacker needs no authentication, which for a mail client means the trigger is most plausibly a crafted message delivered to a user's mailbox. Any organization running mutt is in scope, and the practical exposure is highest where installed versions are old or the client's configuration has not been reviewed.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable instance of the mutt email client.</li>
<li>The attacker crafts a malicious email or other input designed to trigger a vulnerability in mutt.</li>
<li>The malicious input is sent to a user of the mutt email client.</li>
<li>The user opens the email or processes the malicious input, causing the mutt client to parse the data.</li>
<li>The vulnerability is triggered while mutt parses the data. The advisory describes the outcome only as a security-measure bypass or a denial of service, so the expected effect is a crash or resource exhaustion (memory or CPU); code execution is not claimed by the source.</li>
<li>If the vulnerability leads to a crash or resource exhaustion, the mutt client exits or becomes unresponsive, denying service to the user.</li>
<li>Repeated delivery, or a single malicious message that mutt re-parses each time the mailbox is opened, can sustain the denial-of-service condition until the offending message is removed from the mailbox.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities could lead to a denial-of-service condition for users of the mutt email client. This can disrupt email communications and potentially lead to loss of productivity. The advisory does not specify the number of victims or sectors targeted, but the impact could be widespread given the popularity of the mutt client among certain user groups. The lack of specific CVEs makes it difficult to assess the severity of the impact, but the potential for DoS warrants immediate attention.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Inventory hosts that have mutt installed (for example, via the package manager) and record the installed version, so that exposure can be assessed and the fix verified once the vendor publishes it.</li>
<li>Because the trigger is most likely a crafted message rather than traffic volume, network-layer rate limiting and traffic filtering offer little protection here; prioritize vendor patches and mail-gateway rejection of malformed messages instead.</li>
<li>The source includes no IOCs. Until details are published, the practical signal is repeated mutt crashes or hangs on user hosts, such as core dumps or users reporting that the client freezes on a particular message; preserve such messages for analysis rather than deleting them.</li>
<li>Track the mutt project and distribution security advisories and apply the corresponding update as soon as it is available; confirm the installed version afterwards rather than assuming the package manager pulled the fix.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">threat</category><category>denial-of-service</category><category>email</category></item><item><title>Q1 2026 Email Threat Landscape: Rise in Phishing Techniques and Tycoon2FA Disruption</title><link>https://feed.craftedsignal.io/briefs/2026-05-email-phishing-trends/</link><pubDate>Thu, 30 Apr 2026 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-email-phishing-trends/</guid><description>In Q1 2026, email threats increased, including credential phishing, QR code phishing, and CAPTCHA-gated campaigns, with Microsoft's disruption of the Tycoon2FA phishing platform leading to a 15% volume decrease and shifts in threat actor tactics; BEC activity remained prevalent at 10.7 million attacks.</description><content:encoded><![CDATA[<p>In the first quarter of 2026, Microsoft Threat Intelligence observed a significant rise in email-based phishing threats, totaling approximately 8.3 billion. This increase was driven by surges in QR code phishing (more than doubling over the period), CAPTCHA-gated phishing, and credential phishing attacks. Microsoft&rsquo;s Digital Crime Unit successfully disrupted the Tycoon2FA phishing-as-a-service (PhaaS) platform in early March, leading to a 15% reduction in associated email volume. However, threat actors adapted by shifting hosting providers and domain registration patterns. Business email compromise (BEC) also remained a prevalent threat, with approximately 10.7 million attacks recorded during the quarter, often characterized by low-effort, generic outreach messages. Microsoft Defender Research has also noted the emergence of AI-enabled device code phishing campaigns.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Email Delivery:</strong> Attackers send phishing emails impersonating legitimate services or organizations. These emails may contain links, QR codes, or HTML attachments.</li>
<li><strong>Victim Interaction:</strong> The victim opens the email and clicks on a malicious link or scans a QR code, redirecting them to a phishing page.</li>
<li><strong>Phishing Page Redirection:</strong> The phishing page mimics a legitimate login portal, such as Microsoft 365 or other enterprise applications.</li>
<li><strong>Credential Harvesting:</strong> The victim enters their username and password on the phishing page, which are then captured by the attacker.</li>
<li><strong>MFA Bypass (AiTM):</strong> For attacks using adversary-in-the-middle (AiTM) techniques (like those facilitated by Tycoon2FA), the phishing page acts as a reverse proxy to the real login service: the victim&rsquo;s password and MFA response (OTP or push approval) are relayed to the legitimate site in real time, and the attacker captures the authenticated session cookie that the site returns. Because the session token is what is stolen, OTP- and push-based MFA do not stop this step.</li>
<li><strong>Account Compromise:</strong> With the stolen credentials, or the captured session cookie where AiTM was used, the attacker gains unauthorized access to the victim&rsquo;s account without a further MFA prompt.</li>
<li><strong>Lateral Movement/Data Theft:</strong> The attacker uses the compromised account to access sensitive data, send further phishing emails, or move laterally within the organization.</li>
<li><strong>Business Email Compromise:</strong> In BEC attacks, attackers use compromised accounts or spoofed email addresses to send fraudulent invoices or requests for wire transfers.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The observed email threats in Q1 2026 led to a high risk of credential compromise, financial loss through BEC attacks, and potential data breaches across various sectors. Although the total number of victims is not specified, the billions of phishing attempts indicate a widespread impact. Microsoft&rsquo;s disruption of Tycoon2FA reduced the email volume associated with that platform by 15%, demonstrating that proactive intervention against PhaaS infrastructure has a measurable effect. However, the operators adapted quickly by changing hosting providers and domain registration patterns, so the reduction should be treated as temporary and detection content kept current. The 10.7 million BEC attacks alone represent a significant financial threat to businesses.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &ldquo;Detect Tycoon2FA Phishing Attempts&rdquo; Sigma rule to identify email campaigns associated with the Tycoon2FA platform.</li>
<li>Enable Microsoft Defender detections to improve detection of phishing emails and malicious payloads, including HTML attachments and QR-code images used as link carriers.</li>
<li>Monitor email traffic for suspicious domain registrations, particularly those using newer generic top-level domains (TLDs) such as .DIGITAL, .BUSINESS, .CONTRACTORS, .CEO, and .COMPANY, and the resurgence of .RU registrations, to identify potential Tycoon2FA infrastructure shifts. A TLD match on its own is a weak signal; pair it with domain registration age and a mismatch between the link host and the sender&rsquo;s domain before alerting.</li>
<li>Because AiTM proxies capture the authenticated session rather than just the password, move high-value accounts to phishing-resistant MFA (FIDO2 security keys or passkeys) and treat OTP and push approvals as insufficient against this technique.</li>
<li>Educate users about the dangers of QR code phishing and CAPTCHA-gated attacks, emphasizing the importance of verifying the legitimacy of login pages and email senders, to reduce the effectiveness of phishing campaigns (T1566).</li>
</ul>
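<p>The TLD-watchlist recommendation above, turned into triage logic that runs over message records. This is an added example, not code from the feed or from Microsoft; the message field names (<code>id</code>, <code>from</code>, <code>body</code>) and the sample messages are constructed for illustration. Beyond the single TLD check the text describes, it also tallies watched TLDs across a batch, which is how the &ldquo;infrastructure shift&rdquo; the brief mentions would show up over time.</p>

```python
import re
from collections import Counter
from urllib.parse import urlparse

# TLDs the brief names as favoured by post-disruption Tycoon2FA infrastructure.
WATCHED_TLDS = {"digital", "business", "contractors", "ceo", "company", "ru"}

# Constructed sample messages (not real telemetry); field names are assumptions.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "it-helpdesk@contoso-secure.digital",
     "body": "Your password expires today. Verify at https://login.contoso-secure.digital/auth"},
    {"id": "m2", "from": "billing@example.com",
     "body": "Invoice attached. Scan the QR code or visit https://cdn.example.com/invoice/9921"},
    {"id": "m3", "from": "notify@vendor-portal.company",
     "body": "Document shared: https://sso-verify.ru/office365/index.html"},
    {"id": "m4", "from": "newsletter@example.org",
     "body": "Read the latest: https://example.org/blog"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def tld_of(host):
    """Last DNS label of a host name, lower-cased; '' if there is no dot."""
    host = host.lower().rstrip(".")
    return host.rsplit(".", 1)[-1] if "." in host else ""


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def hosts_in(msg):
    """Sender domain plus every URL host found in the body, in order."""
    hosts = [sender_domain(msg["from"])]
    for url in URL_RE.findall(msg["body"]):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def assess_message(msg):
    """Reasons this message touches a watched TLD; empty list means no match."""
    reasons = []
    sdom, *link_hosts = hosts_in(msg)
    if tld_of(sdom) in WATCHED_TLDS:
        reasons.append(f"sender-tld:{sdom}")
    for host in link_hosts:
        if tld_of(host) in WATCHED_TLDS:
            reasons.append(f"url-tld:{host}")
    return reasons


def triage(messages):
    """Map of message id -> reasons, containing only flagged messages."""
    flagged = {}
    for msg in messages:
        reasons = assess_message(msg)
        if reasons:
            flagged[msg["id"]] = reasons
    return flagged


def tld_counts(messages):
    """How often each watched TLD appears across senders and links in a batch.
    Tracked over successive batches, a rising count for one TLD is the
    registration-pattern shift the brief describes."""
    counts = Counter()
    for msg in messages:
        for host in hosts_in(msg):
            tld = tld_of(host)
            if tld in WATCHED_TLDS:
                counts[tld] += 1
    return counts


if __name__ == "__main__":
    for mid, reasons in triage(SAMPLE_MESSAGES).items():
        print(mid, reasons)
    print(dict(tld_counts(SAMPLE_MESSAGES)))
```

<p>Feed it the sender and URL-bearing body of each inbound message; the watchlist is deliberately the brief&rsquo;s own TLD set, so the output is a triage queue, not a block decision.</p>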
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>email</category><category>phishing</category><category>credential-theft</category><category>Tycoon2FA</category><category>BEC</category></item><item><title>Apple Account Notification Phishing Campaign</title><link>https://feed.craftedsignal.io/briefs/2026-04-apple-phishing/</link><pubDate>Sun, 19 Apr 2026 16:03:01 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-apple-phishing/</guid><description>A phishing campaign is abusing legitimate Apple account change notifications to deliver fake iPhone purchase scams, tricking users into calling malicious support numbers.</description><content:encoded><![CDATA[<p>A phishing campaign is underway that abuses Apple&rsquo;s account change notification system. Threat actors are inserting phishing messages into the first and last name fields of Apple ID accounts. By modifying the account&rsquo;s shipping information, they trigger legitimate Apple security alerts, which then embed the malicious message within the email body. The emails appear to originate from <a href="mailto:appleid@id.apple.com">appleid@id.apple.com</a> and pass SPF, DKIM, and DMARC checks, making them more likely to bypass spam filters. This campaign is designed to trick recipients into believing their accounts have been used for fraudulent purchases, scaring them into calling a scammer&rsquo;s &ldquo;support&rdquo; number.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker creates an Apple ID using a burner email address.</li>
<li>The attacker enters a phishing lure (e.g., &ldquo;Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel&rdquo;) split across the first and last name fields in the Apple ID profile, as these fields have character limits.</li>
<li>The attacker modifies the account&rsquo;s shipping information.</li>
<li>This triggers an Apple account profile change notification email.</li>
<li>Apple sends a legitimate security alert notifying the user of the change, embedding the attacker-controlled first and last name fields within the email body. The email originates from <a href="mailto:appleid@id.apple.com">appleid@id.apple.com</a>.</li>
<li>The recipient receives the email, which appears legitimate and contains a phishing message and a callback number (e.g., 18023530761).</li>
<li>The recipient, believing their account has been compromised, calls the provided number.</li>
<li>The scammers attempt to convince the victim that their account has been compromised and may instruct them to install remote access software or provide financial information to &ldquo;resolve&rdquo; the issue, leading to financial theft.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful attacks can lead to financial theft, malware deployment, or data theft. Victims who call the provided number are at risk of being coerced into providing sensitive information or installing remote access software, giving the attackers full control over their devices and accounts. The specific number of victims is currently unknown, but the campaign&rsquo;s use of legitimate Apple infrastructure increases its potential reach and impact.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule detecting emails originating from Apple infrastructure (<a href="mailto:appleid@id.apple.com">appleid@id.apple.com</a>) containing suspicious phone numbers to your SIEM. Do not key the rule on SPF, DKIM, or DMARC results: these messages are genuinely sent by Apple and pass all three, so the distinguishing signal is a phone number (and purchase-style wording) in the salutation where Apple prints the account holder&rsquo;s name.</li>
<li>Consider blocking the identified callback number <code>18023530761</code>, but treat it as a short-lived indicator; the scammers can rotate numbers freely, while the name-field injection pattern is the durable one. Do not block the sender address itself, since legitimate account alerts come from the same source.</li>
<li>Educate users to treat unexpected account alerts claiming purchases or urging them to call support numbers with extreme caution, especially if they did not initiate any recent changes, and to confirm any account activity only through the Apple ID settings page or app rather than a number in an email.</li>
<li>Review email gateway logs for emails originating from <code>appleid@id.apple.com</code> and <code>uatdsasadmin@email.apple.com</code> whose body contains a phone number.</li>
</ul>
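<p>Detection logic for the campaign described above, as an added example that is not part of the feed or of any Apple tooling. It parses raw messages with the Python standard library, scopes the check to the abused sender, and reports phone numbers found in the body, noting whether one sits in the salutation and confirming that the message did pass authentication (so the rule does not rely on it). Both sample messages are constructed to mirror the brief and are not real Apple notifications; the phone-number pattern covers North-American formats only.</p>

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Sender the brief identifies as the abused, legitimately authenticated source.
APPLE_NOTIFIER = "appleid@id.apple.com"

# North-American numbers with or without the leading 1 and common separators.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)

# Constructed samples modelled on the brief; they are not real Apple messages.
BENIGN = """\
From: Apple <appleid@id.apple.com>
To: j.doe@example.com
Subject: Your Apple ID information was updated
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Dear Jane Doe,

The shipping address for your Apple ID was changed on 19 April.
If you made this change, no action is needed.
"""

LURE = """\
From: Apple <appleid@id.apple.com>
To: victim@example.com
Subject: Your Apple ID information was updated
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel Call 18023530761,

The shipping address for your Apple ID was changed on 19 April.
If you made this change, no action is needed.
"""


def normalise_number(raw):
    """Digits only, with a leading country code 1 dropped so variants compare equal."""
    digits = re.sub(r"\D", "", raw)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


def assess(raw_message):
    """None for a clean message, else a dict describing why it was flagged."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, sender = parseaddr(str(msg["From"]))
    if sender.lower() != APPLE_NOTIFIER:
        return None  # rule is scoped to the abused notifier
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    numbers = {normalise_number(m.group(0)) for m in PHONE_RE.finditer(body)}
    if not numbers:
        return None
    # Apple prints the account holder's name in the salutation; that is where
    # the attacker-controlled first/last name fields land.
    salutation = next(
        (line for line in body.splitlines() if line.lower().startswith("dear ")), ""
    )
    salutation_digits = re.sub(r"\D", "", salutation)
    return {
        "sender": sender,
        "numbers": sorted(numbers),
        "in_salutation": any(n in salutation_digits for n in numbers),
        # Recorded only to show that authentication is not the signal here.
        "auth_pass": "dmarc=pass" in str(msg.get("Authentication-Results", "")),
    }


if __name__ == "__main__":
    print("benign:", assess(BENIGN))
    print("lure:", assess(LURE))
```

<p>A hit with <code>in_salutation</code> true is the strongest form of this lure; a number elsewhere in the body is still worth a look, since Apple&rsquo;s templates do not normally carry callback numbers. The extracted number is the IOC to feed into blocking, and it is expected to change.</p>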
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>apple</category><category>phishing</category><category>callback phishing</category><category>email</category></item><item><title>Outlook Security Settings Registry Modification</title><link>https://feed.craftedsignal.io/briefs/2024-01-outlook-registry-security-settings/</link><pubDate>Wed, 03 Jan 2024 18:15:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-outlook-registry-security-settings/</guid><description>Attackers modify Outlook security settings via registry changes to enable malicious mail rules and bypass security controls, potentially leading to persistence and data compromise.</description><content:encoded><![CDATA[<p>Attackers are known to modify Outlook security settings by directly manipulating registry values. This tactic allows them to bypass built-in security controls and enable potentially malicious functionalities such as running unsafe mail client rules. This circumvention of security measures can be leveraged for various malicious purposes, including persistence, data exfiltration, and further compromise of the victim&rsquo;s system. The specific registry keys targeted reside under <code>\SOFTWARE\Microsoft\Office\Outlook\Security\</code>. This technique has been observed in various attack scenarios and poses a significant risk to organizations relying on Outlook for email communication. The modification of these registry settings may be performed by various means, ranging from manually executed commands to automated scripts deployed as part of a larger attack campaign.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the system through methods such as phishing or exploiting vulnerabilities.</li>
<li>The attacker establishes persistence on the compromised system.</li>
<li>The attacker identifies the specific registry keys controlling Outlook security settings, located under <code>\SOFTWARE\Microsoft\Office\Outlook\Security\</code>.</li>
<li>The attacker uses a command-line tool or script (e.g., <code>reg.exe</code>, PowerShell) to modify the registry values related to Outlook security settings.</li>
<li>Specifically, the value that re-enables the legacy &ldquo;start application&rdquo; and &ldquo;run a script&rdquo; rule actions is set. The source names only the key path; Microsoft documents this control as <code>EnableUnsafeClientMailRules</code>, which Outlook ships disabled precisely because those actions let a mail rule launch arbitrary code.</li>
<li>The attacker creates (or edits) a client-side mail rule whose action starts an application or runs a script, pointing it at a payload already on the host or on a reachable share, and then sends an email that matches the rule&rsquo;s condition.</li>
<li>When Outlook processes the incoming message, the rule fires and runs the attacker&rsquo;s payload; because rules are evaluated on every matching message, the same email re-sent later re-triggers the payload, which makes this a persistence mechanism as well as an execution one.</li>
<li>The attacker achieves code execution, enabling further malicious activities, such as data exfiltration or lateral movement within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of Outlook security settings allows attackers to execute arbitrary code within the context of the user account running Outlook. This can lead to the compromise of sensitive information contained within emails, the installation of malware, and further propagation of the attack throughout the organization. The setting is per user (the key lives in the user&rsquo;s hive), so the direct blast radius is that user&rsquo;s mailbox and privileges; wider impact, up to every user in the organization, follows only from what the attacker does with that foothold, for example if the compromised user holds domain administrator rights.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Outlook Security Settings Updated - Registry&rdquo; to your SIEM to detect unauthorized modifications to Outlook security-related registry keys (logsource: registry_set/windows). Note that the real path carries an Office version segment (for example <code>\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\</code>) and that Group Policy writes the equivalent settings under <code>\SOFTWARE\Policies\Microsoft\Office\</code>, so match on both prefixes and baseline the policy writes your GPOs legitimately make.</li>
<li>Monitor process creation events for suspicious processes (e.g., <code>reg.exe</code>, <code>powershell.exe</code>) modifying registry keys under <code>\SOFTWARE\Microsoft\Office\Outlook\Security\</code> (logsource: process_creation/windows), and correlate them with the registry_set events above: a scripting host as the writing image is a much stronger signal than <code>outlook.exe</code> itself.</li>
<li>Implement strict application control policies to prevent unauthorized execution of scripts and executables that could be used to modify registry settings, and audit existing mailbox rules for &ldquo;start application&rdquo; or &ldquo;run a script&rdquo; actions, which should not exist in a tenant where the setting has never been enabled.</li>
</ul>
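<p>The registry detection described above, run over sample Sysmon Event ID 13 (RegistryEvent SetValue) records. This is an added example and not the Sigma rule itself or any vendor code. It widens the page&rsquo;s key path to allow the per-version segment Office uses and the Group Policy location (both my additions), escalates when the value Microsoft documents for unsafe rule actions, <code>EnableUnsafeClientMailRules</code>, is set to a nonzero DWORD, and records whether the writing image is a scripting or command-line host. The four events are constructed, not real telemetry, and the SID and value names other than the unsafe-rules one are placeholders.</p>

```python
import re
from pathlib import PureWindowsPath

# Page's key path, widened (my addition) for the Office version segment and the
# equivalent Group Policy hive. The final segment is the value name being set.
OUTLOOK_SECURITY_KEY = re.compile(
    r"\\SOFTWARE\\(?:Policies\\)?Microsoft\\Office\\[^\\]+\\Outlook\\Security\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# Value Microsoft documents for re-enabling 'start application' / 'run a script'
# rule actions; the brief describes the behaviour but does not name the value.
UNSAFE_RULES_VALUE = "EnableUnsafeClientMailRules"
SCRIPTED_WRITERS = {"reg.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")

# Constructed Sysmon Event ID 13 records (Details uses Sysmon's DWORD rendering).
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\EnableUnsafeClientMailRules",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": SID + r"\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\Level",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": SID + r"\SOFTWARE\Microsoft\Office\16.0\Outlook\Preferences\NewmailDesktopAlerts",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security\EnableUnsafeClientMailRules",
     "Details": "DWORD (0x00000000)"},
]


def dword_value(details):
    """Integer value of a Sysmon 'DWORD (0x........)' string, or None."""
    m = DWORD_RE.match(details or "")
    return int(m.group(1), 16) if m else None


def evaluate(event):
    """None if the event is out of scope, else a verdict dict."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    m = OUTLOOK_SECURITY_KEY.search(target)
    if not m:
        return None
    value_name = m.group("value")
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    severity = "medium"
    if value_name.lower() == UNSAFE_RULES_VALUE.lower() and (dword_value(event.get("Details")) or 0) != 0:
        severity = "high"  # unsafe rule actions switched on, not merely touched
    return {
        "severity": severity,
        "value": value_name,
        "image": image,
        "scripted_writer": image in SCRIPTED_WRITERS,
        "policy_path": "\\policies\\" in target.lower(),
    }


def triage(events):
    """(TargetObject, verdict) for every in-scope event, in input order."""
    hits = []
    for event in events:
        verdict = evaluate(event)
        if verdict:
            hits.append((event["TargetObject"], verdict))
    return hits


if __name__ == "__main__":
    for target, verdict in triage(SAMPLE_EVENTS):
        print(verdict["severity"], verdict["image"], target)
```

<p>Writes under the <code>Policies</code> path are flagged so they can be baselined against what your GPOs actually set, rather than being dropped; a <code>reg.exe</code> write there that does not correspond to a known policy deserves the same scrutiny as one to the per-user key.</p>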
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>persistence</category><category>registry_modification</category><category>outlook</category><category>email</category></item></channel></rss>