{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/phishing/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender for Office 365"],"_cs_severities":["high"],"_cs_tags":["phishing","credential-theft","AiTM","token-compromise"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cloudflare","Paubox"],"content_html":"\u003cp\u003eBetween April 14 and 16, 2026, Microsoft Defender Research observed a sophisticated, large-scale phishing campaign targeting over 35,000 users across more than 13,000 organizations in 26 countries, predominantly in the United States (92%). The campaign, which did not focus on a single vertical, impacted a range of industries, with Healthcare \u0026amp; life sciences (19%), Financial services (18%), Professional services (11%), and Technology \u0026amp; software (11%) being the most affected. Attackers employed code of conduct-themed lures delivered via emails that appeared as internal compliance or regulatory communications. 
The campaign utilized a multi-step attack chain, including CAPTCHA challenges and intermediate staging pages, to reinforce legitimacy and filter out automated defenses, ultimately leading to an adversary-in-the-middle (AiTM) phishing flow.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attack begins with phishing emails posing as internal compliance communications, using subjects like \u0026ldquo;Internal case log issued under conduct policy\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe emails contain a PDF attachment (e.g., \u0026ldquo;Awareness Case Log File – Tuesday 14th, April 2026.pdf\u0026rdquo;) that claims a \u0026ldquo;code of conduct review\u0026rdquo; has been initiated.\u003c/li\u003e\n\u003cli\u003eRecipients are instructed to click a “Review Case Materials” link within the PDF.\u003c/li\u003e\n\u003cli\u003eClicking the link redirects the user to one of the attacker-controlled domains (e.g., acceptable-use-policy-calendly[.]de).\u003c/li\u003e\n\u003cli\u003eThe landing page displays a Cloudflare CAPTCHA to validate the user and impede automated analysis.\u003c/li\u003e\n\u003cli\u003eAfter CAPTCHA completion, the user is redirected to an intermediate site that informs them the requested documentation is encrypted and requires account authentication.\u003c/li\u003e\n\u003cli\u003eThe user is presented with a legitimate-looking sign-in experience, part of an AiTM phishing flow.\u003c/li\u003e\n\u003cli\u003eThe attackers proxy the authentication session in real time and capture authentication tokens, granting immediate account access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis campaign resulted in the compromise of authentication tokens, enabling attackers to gain unauthorized access to user accounts and bypass multifactor authentication. 
With more than 35,000 users targeted across over 13,000 organizations, the potential for widespread data breaches, financial fraud, and further malicious activities is significant. The targeting of sectors like Healthcare and Financial Services indicates a focus on high-value targets with sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEducate users about phishing lures, especially those using social engineering tactics and enterprise-style HTML templates.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious PDF Opening via Uncommon Applications\u0026rdquo; to identify unusual PDF execution paths, based on the \u0026lsquo;file_event\u0026rsquo; log source.\u003c/li\u003e\n\u003cli\u003eConfigure email security settings in Microsoft Defender for Office 365 to filter out phishing emails effectively.\u003c/li\u003e\n\u003cli\u003eEnable network protection to leverage SmartScreen as a host-based web proxy.\u003c/li\u003e\n\u003cli\u003eBlock access to the attacker-controlled domains, such as acceptable-use-policy-calendly[.]de, at the DNS resolver level.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T15:00:00Z","date_published":"2026-05-04T15:00:00Z","id":"/briefs/2026-05-aitm-phishing/","summary":"A widespread phishing campaign utilized 'code of conduct' lures, a multi-step attack chain, and legitimate email services to distribute authenticated messages from attacker-controlled domains, ultimately leading to adversary-in-the-middle (AiTM) token compromise, primarily targeting US-based organizations.","title":"Multi-Stage 'Code of Conduct' Phishing Campaign Leads to AiTM Token Compromise","url":"https://feed.craftedsignal.io/briefs/2026-05-aitm-phishing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Sysmon","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike 
Falcon"],"_cs_severities":["medium"],"_cs_tags":["initial-access","rdp","phishing","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers are increasingly using malicious Remote Desktop Protocol (RDP) files to gain initial access to systems. These RDP files, often delivered via spearphishing attachments, contain connection settings that, when opened, can compromise a system. This technique allows adversaries to bypass traditional security measures by leveraging a legitimate tool (mstsc.exe) with a malicious configuration file. The observed activity involves opening RDP files from suspicious locations like Downloads, temporary folders (AppData\\Local\\Temp), and Outlook content cache (INetCache\\Content.Outlook). This campaign has been observed as recently as October 2024, where Midnight Blizzard conducted large-scale spear-phishing using RDP files. Defenders should monitor for the execution of mstsc.exe with RDP files from untrusted locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a spearphishing email containing a malicious RDP file as an attachment.\u003c/li\u003e\n\u003cli\u003eThe victim receives the email and, lured by social engineering, downloads the attached RDP file to a local directory, often the Downloads folder.\u003c/li\u003e\n\u003cli\u003eThe victim double-clicks the RDP file, initiating the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emstsc.exe\u003c/code\u003e reads the connection settings from the RDP file, which may include malicious configurations such as altered gateway settings or credential theft mechanisms.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emstsc.exe\u003c/code\u003e attempts to establish a remote desktop connection based on the RDP file\u0026rsquo;s settings.\u003c/li\u003e\n\u003cli\u003eIf the 
connection is successful, the attacker gains unauthorized access to the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker may then perform reconnaissance, move laterally, and escalate privileges within the compromised network.\u003c/li\u003e\n\u003cli\u003eThe final objective could be data exfiltration, ransomware deployment, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using malicious RDP files can lead to unauthorized access to sensitive systems and data. The consequences range from data breaches and financial loss to complete system compromise and disruption of operations. The Microsoft Security blog reported a large-scale spear-phishing campaign utilizing RDP files as recently as October 2024. The targets may be across various sectors, with potentially widespread impact depending on the attacker\u0026rsquo;s objectives and the scope of the compromised network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRemote Desktop File Opened from Suspicious Path\u003c/code\u003e to your SIEM and tune for your environment, focusing on the specified file paths and \u003ccode\u003emstsc.exe\u003c/code\u003e execution.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to capture the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e and the paths of the RDP files being opened.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with opening RDP files from untrusted sources, particularly those received as email attachments.\u003c/li\u003e\n\u003cli\u003eImplement strict email filtering to block or quarantine emails with RDP attachments from external sources.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual RDP traffic originating from systems where suspicious RDP files were 
executed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-11-rdp-file-attachment/","summary":"Adversaries may abuse RDP files delivered via phishing from suspicious locations to gain unauthorized access to systems.","title":"Remote Desktop File Opened from Suspicious Path","url":"https://feed.craftedsignal.io/briefs/2024-11-rdp-file-attachment/"},{"_cs_actors":["Storm-1747"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender"],"_cs_severities":["high"],"_cs_tags":["email","phishing","credential-theft","Tycoon2FA","BEC"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eIn the first quarter of 2026, Microsoft Threat Intelligence observed a significant rise in email-based phishing threats, totaling approximately 8.3 billion. This increase was driven by surges in QR code phishing (more than doubling over the period), CAPTCHA-gated phishing, and credential phishing attacks. Microsoft\u0026rsquo;s Digital Crime Unit successfully disrupted the Tycoon2FA phishing-as-a-service (PhaaS) platform in early March, leading to a 15% reduction in associated email volume. However, threat actors adapted by shifting hosting providers and domain registration patterns. Business email compromise (BEC) also remained a prevalent threat, with approximately 10.7 million attacks recorded during the quarter, often characterized by low-effort, generic outreach messages. Microsoft Defender Research has also noted the emergence of AI-enabled device code phishing campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Email Delivery:\u003c/strong\u003e Attackers send phishing emails impersonating legitimate services or organizations. 
These emails may contain links, QR codes, or HTML attachments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVictim Interaction:\u003c/strong\u003e The victim opens the email and clicks on a malicious link or scans a QR code, redirecting them to a phishing page.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePhishing Page Redirection:\u003c/strong\u003e The phishing page mimics a legitimate login portal, such as Microsoft 365 or other enterprise applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Harvesting:\u003c/strong\u003e The victim enters their username and password on the phishing page, which are then captured by the attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMFA Bypass (AiTM):\u003c/strong\u003e For attacks using adversary-in-the-middle (AiTM) techniques (like those facilitated by Tycoon2FA), the attacker intercepts the MFA code and uses it to authenticate.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Compromise:\u003c/strong\u003e With the stolen credentials and MFA code (if applicable), the attacker gains unauthorized access to the victim\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Data Theft:\u003c/strong\u003e The attacker uses the compromised account to access sensitive data, send further phishing emails, or move laterally within the organization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBusiness Email Compromise:\u003c/strong\u003e In BEC attacks, attackers use compromised accounts or spoofed email addresses to send fraudulent invoices or requests for wire transfers.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe observed email threats in Q1 2026 led to a high risk of credential compromise, financial loss through BEC attacks, and potential data breaches across various sectors. Although the total number of victims is not specified, the billions of phishing attempts indicate a widespread impact. 
Microsoft\u0026rsquo;s disruption of Tycoon2FA temporarily reduced phishing volumes by 15%, demonstrating the potential for proactive intervention to mitigate these threats. However, threat actors are quickly adapting their techniques, indicating the need for continued vigilance and enhanced security measures. The 10.7 million BEC attacks alone represent a significant financial threat to businesses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Tycoon2FA Phishing Attempts\u0026rdquo; Sigma rule to identify email campaigns associated with the Tycoon2FA platform.\u003c/li\u003e\n\u003cli\u003eEnable Microsoft Defender detections to improve detection of phishing emails and malicious payloads.\u003c/li\u003e\n\u003cli\u003eMonitor email traffic for suspicious domain registrations, particularly those using newer generic top-level domains (TLDs) such as .DIGITAL, .BUSINESS, .CONTRACTORS, .CEO, and .COMPANY, and the resurgence of .RU registrations, to identify potential Tycoon2FA infrastructure shifts.\u003c/li\u003e\n\u003cli\u003eEducate users about the dangers of QR code phishing and CAPTCHA-gated attacks, emphasizing the importance of verifying the legitimacy of login pages and email senders, to reduce the effectiveness of phishing campaigns (T1566).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T15:00:00Z","date_published":"2026-04-30T15:00:00Z","id":"/briefs/2026-05-email-phishing-trends/","summary":"In Q1 2026, email threats increased, including credential phishing, QR code phishing, and CAPTCHA-gated campaigns, with Microsoft's disruption of the Tycoon2FA phishing platform leading to a 15% volume decrease and shifts in threat actor tactics; BEC activity remained prevalent at 10.7 million attacks.","title":"Q1 2026 Email Threat Landscape: Rise in Phishing Techniques and Tycoon2FA 
Disruption","url":"https://feed.craftedsignal.io/briefs/2026-05-email-phishing-trends/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["oauth","device-code","phishing","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eIn early April 2026, Arctic Wolf observed a widespread phishing campaign that abused the OAuth device code flow. This campaign targeted organizations across multiple regions and sectors, mirroring the \u0026ldquo;Riding the Rails\u0026rdquo; campaign observed by Huntress in late March. The attackers exploited the device code grant type in the OAuth 2.0 authorization framework to obtain access tokens. By tricking users into entering a code on a legitimate Microsoft login page, attackers bypassed traditional MFA controls. Defenders should be aware of this evolving technique and implement detection strategies focused on anomalous application registrations and device code flow activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a phishing email to the victim, impersonating a legitimate service.\u003c/li\u003e\n\u003cli\u003eThe email contains a link that redirects the victim to a fake application authorization page.\u003c/li\u003e\n\u003cli\u003eThe fake page prompts the victim to enter a device code.\u003c/li\u003e\n\u003cli\u003eUnbeknownst to the victim, the device code is associated with a malicious OAuth application controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe victim is redirected to a legitimate Microsoft login page, where they enter the provided code and authenticate.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the malicious application receives an access token.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the access token to access the victim\u0026rsquo;s account and sensitive 
data.\u003c/li\u003e\n\u003cli\u003eThe attacker may then perform actions such as reading emails, accessing files, or initiating further malicious activity within the compromised account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis OAuth device code phishing campaign affected numerous organizations across multiple sectors and regions in early April 2026. Successful attacks grant threat actors unauthorized access to user accounts, potentially leading to data exfiltration, financial fraud, and further compromise of internal systems. Due to the nature of OAuth, attackers can maintain persistent access even after password changes, posing a significant long-term risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor Azure AD sign-in logs for device code flow usage to identify suspicious authentications (logsource: azuread, category: authentication).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule provided below to detect suspicious application registrations in Azure AD (logsource: o365, category: configuration).\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of device code phishing and how to identify malicious authorization requests.\u003c/li\u003e\n\u003cli\u003eRegularly audit OAuth applications authorized within your environment and revoke access for any suspicious or unused applications.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts related to anomalous OAuth application activity promptly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T19:52:35Z","date_published":"2026-04-24T19:52:35Z","id":"/briefs/2026-05-oauth-device-code-phishing/","summary":"In early April 2026, Arctic Wolf tracked a large-scale device code phishing campaign across multiple regions and sectors where threat actors abused OAuth device code flow to trick victims into providing authentication codes.","title":"Large-Scale OAuth 
Device Code Phishing Campaign Observed in April 2026","url":"https://feed.craftedsignal.io/briefs/2026-05-oauth-device-code-phishing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["rdp","phishing","initial-access","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e (Remote Desktop Connection) with an RDP file located in suspicious directories on Windows systems. Adversaries may use malicious RDP files delivered via phishing campaigns as an initial access vector. These files, containing connection settings, can be placed in locations such as the Downloads folder, temporary directories, or Outlook\u0026rsquo;s content cache. The rule focuses on detecting RDP files opened from unusual paths, which can signal unauthorized access or malicious activity. The behavior was observed in conjunction with the Midnight Blizzard campaign in October 2024. 
This detection helps defenders identify potential RDP-based attacks and investigate suspicious user behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a spearphishing email with a malicious RDP file attachment (T1566.001).\u003c/li\u003e\n\u003cli\u003eThe victim receives the email and downloads the RDP file to a common location such as the Downloads folder.\u003c/li\u003e\n\u003cli\u003eThe user executes the downloaded RDP file, initiating the \u003ccode\u003emstsc.exe\u003c/code\u003e process (T1204.002).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emstsc.exe\u003c/code\u003e process attempts to establish a remote connection to a malicious server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker may exploit vulnerabilities in the RDP service or use credential harvesting techniques to gain access to the remote system.\u003c/li\u003e\n\u003cli\u003eUpon successful connection, the attacker performs reconnaissance activities, such as network scanning and user enumeration.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, exploiting additional vulnerabilities or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via malicious RDP files can lead to unauthorized access to internal systems, data breaches, and potential ransomware deployment. While the number of victims and targeted sectors is unspecified, the impact can be significant, especially if the compromised systems have access to sensitive data or critical infrastructure. 
This can result in financial losses, reputational damage, and operational disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to detect the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e and capture the command-line arguments used to launch the process.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Remote Desktop File Opened from Suspicious Path\u0026rdquo; to your SIEM to detect RDP files opened from suspicious locations.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening RDP files from untrusted sources, especially those received via email.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e from untrusted directories.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from systems where \u003ccode\u003emstsc.exe\u003c/code\u003e has been executed to identify suspicious remote connections.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T21:38:09Z","date_published":"2026-04-20T21:38:09Z","id":"/briefs/2024-11-suspicious-rdp/","summary":"This rule identifies attempts to open a remote desktop file from suspicious paths, indicative of adversaries abusing RDP files for initial access via phishing.","title":"Suspicious RDP File Execution","url":"https://feed.craftedsignal.io/briefs/2024-11-suspicious-rdp/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["apple","phishing","callback phishing","email"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA phishing campaign is underway that abuses Apple\u0026rsquo;s account change notification system. Threat actors are inserting phishing messages into the first and last name fields of Apple ID accounts. 
By modifying the account\u0026rsquo;s shipping information, they trigger legitimate Apple security alerts, which then embed the malicious message within the email body. The emails appear to originate from \u003ca href=\"mailto:appleid@id.apple.com\"\u003eappleid@id.apple.com\u003c/a\u003e and pass SPF, DKIM, and DMARC checks, making them more likely to bypass spam filters. This campaign is designed to trick recipients into believing their accounts have been used for fraudulent purchases, scaring them into calling a scammer\u0026rsquo;s \u0026ldquo;support\u0026rdquo; number.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker creates an Apple ID using a burner email address.\u003c/li\u003e\n\u003cli\u003eThe attacker enters a phishing lure (e.g., \u0026ldquo;Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel\u0026rdquo;) split across the first and last name fields in the Apple ID profile, as these fields have character limits.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the account\u0026rsquo;s shipping information.\u003c/li\u003e\n\u003cli\u003eThis triggers an Apple account profile change notification email.\u003c/li\u003e\n\u003cli\u003eApple sends a legitimate security alert notifying the user of the change, embedding the attacker-controlled first and last name fields within the email body. 
The email originates from \u003ca href=\"mailto:appleid@id.apple.com\"\u003eappleid@id.apple.com\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eThe recipient receives the email, which appears legitimate and contains a phishing message and a callback number (e.g., 18023530761).\u003c/li\u003e\n\u003cli\u003eThe recipient, believing their account has been compromised, calls the provided number.\u003c/li\u003e\n\u003cli\u003eThe scammers attempt to convince the victim that their account has been compromised and may instruct them to install remote access software or provide financial information to \u0026ldquo;resolve\u0026rdquo; the issue, leading to financial theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful attacks can lead to financial theft, malware deployment, or data theft. Victims who call the provided number are at risk of being coerced into providing sensitive information or installing remote access software, giving the attackers full control over their devices and accounts. 
The specific number of victims is currently unknown, but the campaign\u0026rsquo;s use of legitimate Apple infrastructure increases its potential reach and impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule detecting emails originating from Apple infrastructure (\u003ca href=\"mailto:appleid@id.apple.com\"\u003eappleid@id.apple.com\u003c/a\u003e) containing suspicious phone numbers to your SIEM.\u003c/li\u003e\n\u003cli\u003eMonitor for emails originating from \u003ccode\u003eappleid@id.apple.com\u003c/code\u003e that contain phone numbers in the email body and consider blocking the identified number \u003ccode\u003e18023530761\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEducate users to treat unexpected account alerts claiming purchases or urging them to call support numbers with extreme caution, especially if they did not initiate any recent changes.\u003c/li\u003e\n\u003cli\u003eReview email gateway logs for emails originating from \u003ccode\u003eappleid@id.apple.com\u003c/code\u003e and \u003ccode\u003euatdsasadmin@email.apple.com\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-19T16:03:01Z","date_published":"2026-04-19T16:03:01Z","id":"/briefs/2026-04-apple-phishing/","summary":"A phishing campaign is abusing legitimate Apple account change notifications to deliver fake iPhone purchase scams, tricking users into calling malicious support numbers.","title":"Apple Account Notification Phishing Campaign","url":"https://feed.craftedsignal.io/briefs/2026-04-apple-phishing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["n8n","phishing","malware","workflow-automation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCisco Talos has observed a surge in the abuse of agentic AI workflow automation platforms, specifically n8n, in phishing campaigns between October 
2025 and March 2026. Attackers are leveraging the trusted infrastructure of n8n to bypass traditional security filters and deliver malware or fingerprint devices. This involves embedding n8n webhook URLs in phishing emails, which redirect victims to malicious content served through the n8n platform. This technique effectively turns a productivity tool into a delivery mechanism for persistent remote access, highlighting the evolving tactics of threat actors exploiting legitimate services. Talos observed a 686% increase in emails containing n8n webhook URLs between January 2025 and March 2026, indicating the growing prevalence of this attack vector.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a phishing email containing a malicious link.\u003c/li\u003e\n\u003cli\u003eThe link is an n8n webhook URL pointing to a workflow controlled by the attacker on a subdomain of \u003ccode\u003etti.app.n8n[.]cloud\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim receives the email and clicks the embedded n8n webhook URL, believing it to be a legitimate service.\u003c/li\u003e\n\u003cli\u003eClicking the link redirects the victim\u0026rsquo;s browser to the n8n platform, which triggers the pre-configured workflow.\u003c/li\u003e\n\u003cli\u003eThe n8n workflow serves an HTML page containing a CAPTCHA to the victim\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eAfter the victim completes the CAPTCHA, the webpage presents a download button, concealing the true source of the payload.\u003c/li\u003e\n\u003cli\u003eClicking the download button initiates the download of a malicious executable (e.g., \u0026ldquo;DownloadedOneDriveDocument.exe\u0026rdquo;) from an external host.\u003c/li\u003e\n\u003cli\u003eThe executable installs a modified version of Datto RMM, establishes a connection to a relay on \u003ccode\u003ecentrastage[.]net\u003c/code\u003e, granting the attacker remote access and 
control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe abuse of n8n for malware delivery and device fingerprinting can lead to significant compromise of targeted systems. Successful exploitation allows attackers to gain remote access via tools like the modified Datto RMM, enabling them to steal sensitive data, deploy ransomware, or conduct further malicious activities within the compromised network. The rise in n8n webhook URL usage in phishing emails, with a 686% increase in volume from January 2025 to March 2026, indicates a potentially widespread impact across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor email traffic for URLs containing \u003ccode\u003etti.app.n8n[.]cloud\u003c/code\u003e and flag them as suspicious (IOC table).\u003c/li\u003e\n\u003cli\u003eImplement a detection rule to identify network connections to \u003ccode\u003ecentrastage[.]net\u003c/code\u003e initiated by unusual processes (Sigma rule below).\u003c/li\u003e\n\u003cli\u003eInspect process creation events for the execution of \u0026ldquo;DownloadedOneDriveDocument.exe\u0026rdquo; or similar filenames downloaded from n8n domains (Sigma rule below).\u003c/li\u003e\n\u003cli\u003eBlock the domains \u003ccode\u003etti.app.n8n[.]cloud\u003c/code\u003e and \u003ccode\u003ecentrastage[.]net\u003c/code\u003e at the DNS resolver (IOC table).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T10:03:05Z","date_published":"2026-04-15T10:03:05Z","id":"/briefs/2026-04-n8n-abuse/","summary":"Threat actors are abusing the n8n AI workflow automation platform to deliver malware and fingerprint devices via phishing campaigns, bypassing traditional security filters by leveraging trusted infrastructure.","title":"n8n AI Workflow Automation Platform Abused for Malware Delivery and Device 
Fingerprinting","url":"https://feed.craftedsignal.io/briefs/2026-04-n8n-abuse/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-1731"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["saas","phishing","ransomware","medusa"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief highlights two significant attack vectors observed by Cisco Talos. First, threat actors are exploiting legitimate SaaS notification pipelines (e.g., GitHub, Jira) to deliver phishing and spam, bypassing traditional email security measures by using a \u0026ldquo;Platform-as-a-Proxy\u0026rdquo; (PaaP) technique. This abuses the implicit trust placed in system-generated notifications from trusted enterprise tools, primarily targeting credential harvesting. Second, the Storm-1175 group is actively deploying Medusa ransomware, rapidly exploiting n-day vulnerabilities, including CVE-2026-1731, a critical remote code execution flaw in BeyondTrust Remote Support and older versions of BeyondTrust Privileged Remote Access. 
Defenders must adapt to these evolving tactics, as they bypass standard perimeter defenses and require more nuanced detection strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises a legitimate SaaS account (e.g., GitHub, Jira) or creates a malicious project under an account they control.\u003c/li\u003e\n\u003cli\u003eAttacker configures the SaaS platform to send notifications (e.g., project updates, issue assignments) and places the lure in the free-text fields the notification template renders.\u003c/li\u003e\n\u003cli\u003eThe SaaS platform generates an email notification that genuinely originates from the provider\u0026rsquo;s mail infrastructure, with the attacker-supplied text embedded in the body.\u003c/li\u003e\n\u003cli\u003eThe email passes SPF, DKIM and DMARC rather than bypassing them: those checks vouch for the sending domain, not for the content, so sender authentication sees nothing wrong and reputation-based filtering treats the provider as trusted.\u003c/li\u003e\n\u003cli\u003eThe notification body carries a malicious link or lure text designed to harvest credentials or deliver malware.\u003c/li\u003e\n\u003cli\u003eThe user clicks the link, leading to a phishing page or malware download.\u003c/li\u003e\n\u003cli\u003eIf the user enters credentials, the attacker gains access to their account.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised account for further malicious activities or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of SaaS notification pipelines can lead to widespread credential compromise, potentially affecting numerous users within an organization. The \u0026ldquo;automation fatigue\u0026rdquo; associated with these notifications increases the likelihood of users falling victim to phishing attacks. Regarding Medusa ransomware, organizations face data encryption, system downtime, and potential financial losses from ransom demands, as Storm-1175 rapidly exploits vulnerabilities like CVE-2026-1731. 
The impact includes significant disruption to business operations and potential data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIngest SaaS API logs into your SIEM to detect anomalous activities, such as suspicious project creation or mass invitations (see Overview).\u003c/li\u003e\n\u003cli\u003eImplement instance-level verification and cross-reference notifications against internal SaaS directories to detect PaaP attacks (see Overview).\u003c/li\u003e\n\u003cli\u003eApply semantic intent analysis to identify notifications that deviate from a platform\u0026rsquo;s established functional baseline (see Overview).\u003c/li\u003e\n\u003cli\u003ePatch CVE-2026-1731 on all BeyondTrust Remote Support instances immediately to prevent Medusa ransomware deployment (see Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect Coinminer malware via SHA256 hash (see Rules).\u003c/li\u003e\n\u003cli\u003eMonitor network connections for VID001.exe to identify potential Coinminer infections (see IOCs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T18:00:20Z","date_published":"2026-04-09T18:00:20Z","id":"/briefs/2026-04-saas-phishing/","summary":"Threat actors are weaponizing legitimate SaaS notification pipelines to deliver phishing and spam emails, bypassing traditional email authentication protocols, and Storm-1175 is exploiting CVE-2026-1731 to deploy Medusa ransomware.","title":"SaaS Notification Pipeline Phishing and Medusa Ransomware Exploitation","url":"https://feed.craftedsignal.io/briefs/2026-04-saas-phishing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["saas-abuse","phishing","credential-harvesting","github","jira"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCisco Talos has observed a surge in malicious activity that abuses notification pipelines within popular 
collaboration platforms, such as GitHub and Jira, to distribute spam and phishing emails. This technique, known as Platform-as-a-Proxy (PaaP), enables threat actors to bypass conventional email security filters by leveraging the trusted infrastructure of legitimate SaaS providers. Attackers embed malicious content within system-generated notifications, exploiting the implicit trust organizations place in these platforms. This allows them to effectively weaponize legitimate infrastructure and deliver phishing content, often leading to credential harvesting and subsequent attacks. During a campaign on February 17, 2026, approximately 2.89% of emails originating from GitHub were associated with this abuse.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eRepository Creation (GitHub):\u003c/strong\u003e Attackers create new repositories on GitHub to host their malicious content.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommit Message Crafting (GitHub):\u003c/strong\u003e Attackers craft malicious commit messages containing phishing lures within the mandatory summary field and detailed scam content in the optional extended description field.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommit Push (GitHub):\u003c/strong\u003e Attackers push the crafted commit to the newly created repository, triggering an automated email notification to collaborators and watchers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProject Creation (Jira):\u003c/strong\u003e Attackers create a new Jira Service Management project to configure automated customer invites.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Data Input (Jira):\u003c/strong\u003e Attackers inject malicious lures into data fields, such as the \u0026ldquo;Project Name,\u0026rdquo; \u0026ldquo;Welcome Message,\u0026rdquo; or \u0026ldquo;Project Description\u0026rdquo; fields, within the Jira project 
configuration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCustomer Invite (Jira):\u003c/strong\u003e The attacker utilizes the \u0026ldquo;Invite Customers\u0026rdquo; feature and inputs the victim\u0026rsquo;s email address.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAutomated Notification Generation (GitHub/Jira):\u003c/strong\u003e The platforms automatically generate email notifications containing the attacker-supplied content. Because the mail genuinely comes from the platform, it passes SPF, DKIM and DMARC and inherits the sender\u0026rsquo;s reputation; those checks authenticate the sending domain, not the text the attacker typed into the project or commit fields.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Harvesting/Social Engineering:\u003c/strong\u003e Victims receive the notifications and are tricked into clicking malicious links or providing sensitive information, leading to credential compromise and further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAbusing SaaS notification pipelines can lead to widespread credential compromise and business email compromise (BEC). Successful phishing attacks can grant attackers initial access to corporate networks, enabling data theft, ransomware deployment, and other malicious activities. 
The trust placed in platforms like GitHub and Jira makes these attacks particularly effective, as users are pre-conditioned to view notifications from these sources as legitimate and urgent.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement detection rules to identify suspicious keywords and patterns within commit messages originating from GitHub (see: \u0026ldquo;GitHub Commit Message Phishing Lure\u0026rdquo; rule).\u003c/li\u003e\n\u003cli\u003eMonitor for unusual Jira project names or welcome messages that contain suspicious URLs or language (see: \u0026ldquo;Jira Service Desk Invite Abuse\u0026rdquo; rule).\u003c/li\u003e\n\u003cli\u003eReview email logs for messages originating from \u003ccode\u003enoreply[@]github.com\u003c/code\u003e that contain invoice-related lures in the subject line, especially spikes in volume (see IOC table).\u003c/li\u003e\n\u003cli\u003eImplement enhanced email filtering rules to analyze the content of emails originating from SaaS platforms for phishing indicators.\u003c/li\u003e\n\u003cli\u003eEducate users to carefully inspect emails, even from trusted sources like GitHub and Jira, and to verify the legitimacy of links and requests before clicking or providing information.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T10:00:35Z","date_published":"2026-04-07T10:00:35Z","id":"/briefs/2026-04-saas-notification-abuse/","summary":"Attackers are abusing notification pipelines in SaaS platforms like GitHub and Jira to deliver phishing and spam emails by exploiting legitimate platform features and bypassing traditional email security measures.","title":"SaaS Notification Pipeline Abuse for Phishing and Spam 
Campaigns","url":"https://feed.craftedsignal.io/briefs/2026-04-saas-notification-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["phishing","credential-theft","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 4, 2026, Europol announced a technical disruption of Tycoon2FA, a subscription-based phishing-as-a-service (PhaaS) platform enabling cybercriminals to bypass MFA and compromise email accounts. The takedown involved seizing 330 domains. Despite this disruption, CrowdStrike observed only a short-term decrease in Tycoon2FA campaign activity. The volume of cloud compromises has since returned to pre-disruption levels, and Tycoon2FA’s tactics, techniques, and procedures (TTPs) remain unchanged. This resurgence suggests that the actors behind Tycoon2FA are adaptive and persistent. Tycoon2FA began operations in 2023, and in mid-2025, it was responsible for 62% of all phishing attempts blocked by Microsoft, generating over 30 million malicious emails in a single month. 
The platform also had a competitor named RaccoonO365, which law enforcement took down in September 2025.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eVictims receive phishing emails whose lures lead to pages that mimic legitimate login pages.\u003c/li\u003e\n\u003cli\u003ePhishing emails direct victims to Tycoon2FA CAPTCHA pages hosted on attacker-controlled domains.\u003c/li\u003e\n\u003cli\u003eThe CAPTCHA gates entry to the kit: it filters out crawlers, URL scanners and sandboxes, and only a validated visitor is passed on to the next stage.\u003c/li\u003e\n\u003cli\u003eA JavaScript (JS) file extracts the victim\u0026rsquo;s email address, typically to pre-fill and tailor the fake sign-in page.\u003c/li\u003e\n\u003cli\u003eVictims are redirected to fake Microsoft 365 or Google login pages hosted on a Tycoon2FA domain.\u003c/li\u003e\n\u003cli\u003eVictims enter their credentials into the fake login pages, which are captured by the attackers.\u003c/li\u003e\n\u003cli\u003eThe credentials are proxied in real time to the legitimate Microsoft 365 sign-in via an obfuscated JS file, so the victim also completes the genuine MFA challenge on the attacker\u0026rsquo;s behalf; the session cookie issued at the end of that login is captured by the kit along with the credentials.\u003c/li\u003e\n\u003cli\u003eAttackers authenticate to the victim\u0026rsquo;s cloud environment by replaying the stolen session cookie (and credentials), gaining unauthorized access without triggering a fresh MFA prompt.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eTycoon2FA was responsible for 62% of all phishing attempts blocked by Microsoft in mid-2025, generating over 30 million malicious emails in a single month. Successful attacks lead to unauthorized access to victims\u0026rsquo; cloud environments, potentially resulting in data theft, business email compromise (BEC), and further malicious activities. 
Despite law enforcement takedowns, the platform\u0026rsquo;s rapid resurgence demonstrates the resilience of PhaaS operations and their potential for significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for connections to known phishing domains or newly registered domains, correlating with user agent strings and HTTP referrer headers common in phishing kits, to detect initial access attempts. Deploy the network_connection Sigma rule to identify suspicious connections.\u003c/li\u003e\n\u003cli\u003eImplement detections for suspicious JavaScript execution within browser environments attempting to steal session cookies or extract email addresses. Enable webserver and proxy logging to capture these events and deploy the process_creation Sigma rule to identify associated processes.\u003c/li\u003e\n\u003cli\u003eMonitor authentication logs for successful logins from unusual locations or using suspicious user agents after a user has visited a known phishing site. 
Analyze user authentication patterns and correlate with other security events to detect compromised accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-29T08:34:23Z","date_published":"2026-03-29T08:34:23Z","id":"/briefs/2026-03-tycoon2fa-persistence/","summary":"The Tycoon2FA phishing-as-a-service (PhaaS) platform, used to bypass MFA and compromise email accounts, saw a temporary decrease in activity after a law enforcement takedown, but cloud compromises have since returned to pre-disruption levels with unchanged TTPs, indicating continued threat actor activity.","title":"Tycoon2FA Phishing-as-a-Service Platform Persists After Takedown","url":"https://feed.craftedsignal.io/briefs/2026-03-tycoon2fa-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["phishing","credential-theft","MFA-bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eTycoon2FA is a subscription-based PhaaS platform that enables cybercriminals to bypass multifactor authentication (MFA) and compromise email accounts using adversary-in-the-middle (AITM) techniques. The platform gained prominence in 2025, reportedly generating over 30 million malicious emails in a single month and accounting for 62% of all phishing attempts blocked by Microsoft at one point. On March 4, 2026, Europol announced a technical disruption of Tycoon2FA, seizing 330 domains forming the platform’s core infrastructure. Despite this takedown, CrowdStrike Falcon Complete observed a short-term decrease in Tycoon2FA activity followed by a return to pre-disruption levels. The persistence of the platform\u0026rsquo;s original tactics, techniques, and procedures (TTPs) suggests that the actors behind Tycoon2FA remain active and pose a continued threat. 
Defenders should maintain vigilance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eVictims receive phishing emails designed to appear legitimate.\u003c/li\u003e\n\u003cli\u003eThese emails direct victims to Tycoon2FA CAPTCHA pages hosted on attacker-controlled domains.\u003c/li\u003e\n\u003cli\u003eUpon CAPTCHA validation, a JavaScript (JS) file extracts the victim\u0026rsquo;s email address.\u003c/li\u003e\n\u003cli\u003eThe victim is then redirected to a fake Microsoft 365 or Google login page hosted on a Tycoon2FA domain.\u003c/li\u003e\n\u003cli\u003eVictims enter their credentials, which are proxied to a legitimate Microsoft 365 cloud account via an obfuscated JS file.\u003c/li\u003e\n\u003cli\u003eThe attacker steals the victim\u0026rsquo;s session cookies and credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the victim\u0026rsquo;s cloud environment using the stolen cookies and credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the victim\u0026rsquo;s email and other cloud-based resources, potentially leading to data exfiltration or further malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eTycoon2FA\u0026rsquo;s operations began in 2023, and by mid-2025, it was responsible for 62% of all phishing attempts blocked by Microsoft, generating over 30 million malicious emails in a single month. A successful attack can lead to unauthorized access to sensitive data, business email compromise, financial loss, and reputational damage. 
The resurgence of Tycoon2FA following the takedown indicates the platform remains a significant threat, highlighting the need for robust defenses against phishing and credential theft.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor email traffic for unusual patterns and sender addresses to detect phishing attempts associated with Tycoon2FA (IOC: phishing emails).\u003c/li\u003e\n\u003cli\u003eImplement and tune web filtering rules to block access to known Tycoon2FA domains and newly registered domains that may be used for phishing campaigns (IOC: Tycoon2FA domain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect JavaScript files that attempt to extract email addresses from web pages, a technique used by Tycoon2FA to target victims.\u003c/li\u003e\n\u003cli\u003eReview and reinforce MFA policies and educate users about the risks of phishing and credential theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T08:28:28Z","date_published":"2026-03-28T08:28:28Z","id":"/briefs/2026-03-tycoon2fa-resurgence/","summary":"The Tycoon2FA phishing-as-a-service (PhaaS) platform, disrupted in March 2026, has resurged with consistent tactics, employing adversary-in-the-middle (AITM) techniques to bypass MFA and compromise email accounts through phishing campaigns, credential theft, and session cookie hijacking.","title":"Tycoon2FA PhaaS Platform Resurgence After Takedown","url":"https://feed.craftedsignal.io/briefs/2026-03-tycoon2fa-resurgence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["phishing","credential-theft","MFA-bypass","phishing-as-a-service"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 4, 2026, Europol announced a technical disruption of the Tycoon2FA Phishing-as-a-Service (PhaaS) platform, which enabled cybercriminals to bypass multifactor authentication (MFA) and 
compromise email accounts. The takedown involved seizing 330 domains that formed the platform’s core infrastructure. However, following the takedown, CrowdStrike observed only a short-term decrease in Tycoon2FA campaign activity. The volume of cloud compromises has since returned to pre-disruption levels, and the platform continues to employ previously observed TTPs. Tycoon2FA, active since 2023, was responsible for a significant portion of phishing attempts, purportedly generating over 30 million malicious emails in a single month in mid-2025. The platform primarily targets Microsoft 365 and Google accounts using adversary-in-the-middle (AITM) techniques.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eVictims receive phishing emails directing them to Tycoon2FA CAPTCHA pages.\u003c/li\u003e\n\u003cli\u003eThe CAPTCHA gates the kit: it filters out automated scanners and sandboxes, and only a validated visitor proceeds.\u003c/li\u003e\n\u003cli\u003eA JavaScript (JS) file is used to extract victims’ email addresses, typically to pre-fill and tailor the fake sign-in page.\u003c/li\u003e\n\u003cli\u003eVictims are redirected to fake Microsoft 365 or Google login pages hosted on a Tycoon2FA domain.\u003c/li\u003e\n\u003cli\u003eVictims enter their credentials into the fake login pages, which are proxied in real time to the legitimate Microsoft 365 sign-in via an obfuscated JS file; the victim completes the genuine MFA prompt, and the kit captures both the credentials and the session cookie the provider issues at the end of the login.\u003c/li\u003e\n\u003cli\u003eThe threat actor authenticates to the victim’s cloud environment by replaying the stolen session cookie (and credentials), so no new MFA challenge is raised.\u003c/li\u003e\n\u003cli\u003eOnce authenticated, the attacker gains access to the victim\u0026rsquo;s email and other cloud resources.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as data exfiltration, sending phishing emails to other targets, or further compromising the organization\u0026rsquo;s environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe resurgence of Tycoon2FA demonstrates the resilience of PhaaS 
platforms and their operators. The platform was responsible for a large percentage of phishing attacks in 2025, including 62% of all phishing attempts blocked by Microsoft in mid-2025, and generated over 30 million malicious emails in a single month. Successful attacks can lead to unauthorized access to sensitive data, financial losses, and reputational damage. The observed return to pre-disruption activity levels indicates a sustained threat to organizations whose MFA relies on phishable factors (push approval, one-time codes, SMS): an AiTM kit relays the whole login, so those factors are completed by the victim on the attacker\u0026rsquo;s behalf.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Tycoon2FA Phishing Redirection\u0026rdquo; Sigma rule to detect potential phishing attempts redirecting to Tycoon2FA infrastructure.\u003c/li\u003e\n\u003cli\u003eMonitor email traffic for patterns indicative of phishing campaigns, focusing on emails directing users to external login pages, as described in the Attack Chain.\u003c/li\u003e\n\u003cli\u003eImplement strict session management policies and regularly review user authentication logs for suspicious activity following successful authentication, as described in the Attack Chain, steps 6 and 7. When a user is found to have submitted credentials to a kit, revoke their active sessions and refresh tokens and reset the password; resetting the password alone is not guaranteed to invalidate an already-captured session, so revoke sessions explicitly.\u003c/li\u003e\n\u003cli\u003eBlock known Tycoon2FA domains at the DNS resolver, as referenced in the IOC section.\u003c/li\u003e\n\u003cli\u003eMove privileged and high-value accounts to phishing-resistant MFA (FIDO2 security keys or passkeys, or certificate-based authentication), which binds the authentication to the legitimate origin and cannot be relayed by an AiTM proxy.\u003c/li\u003e\n\u003cli\u003eEducate users about the tactics used by Tycoon2FA: a CAPTCHA-gated landing page that precedes a convincing look-alike sign-in page, and a login that appears to succeed normally, including the MFA prompt, while the session is being captured (Attack Chain, steps 2 to 6).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T08:20:54Z","date_published":"2026-03-28T08:20:54Z","id":"/briefs/2026-04-tycoon2fa-resurgence/","summary":"The Tycoon2FA Phishing-as-a-Service platform, used to bypass multifactor authentication (MFA), has resurged to pre-takedown levels of activity following a disruption effort in March 2026, maintaining its original tactics, techniques, and procedures (TTPs) for credential harvesting and cloud compromise.","title":"Tycoon2FA 
Phishing-as-a-Service Resurgence After Takedown","url":"https://feed.craftedsignal.io/briefs/2026-04-tycoon2fa-resurgence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["openbao","oidc","authentication-bypass","phishing"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenBao, a secrets management tool, is vulnerable to an authentication bypass in versions prior to 2.5.2. This vulnerability stems from the lack of user confirmation when logging in via JWT/OIDC with a role configured with \u003ccode\u003ecallback_mode\u003c/code\u003e set to \u003ccode\u003edirect\u003c/code\u003e. The vulnerability allows an attacker to initiate an authentication request and trick a victim into completing it: the victim signs in at the identity provider as themselves, but the resulting OpenBao token is bound to the login the attacker started, which is a login-CSRF (session fixation) pattern. This constitutes a \u0026ldquo;remote phishing\u0026rdquo; attack because the attacker never directly interacts with the victim\u0026rsquo;s credentials. In the \u003ccode\u003edirect\u003c/code\u003e callback mode the identity provider redirects the victim\u0026rsquo;s browser to OpenBao\u0026rsquo;s own callback endpoint rather than to a listener on the initiating client, and the client then polls the OpenBao API for the issued token; the attacker simply plays that client, polling until the victim\u0026rsquo;s authentication completes and a token is issued. The vulnerability is tracked as CVE-2026-33757.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe target OpenBao instance has a JWT/OIDC auth role configured with \u003ccode\u003ecallback_mode=direct\u003c/code\u003e. This is an ordinary administrator-set configuration; the attacker needs no existing access to OpenBao.\u003c/li\u003e\n\u003cli\u003eThe attacker, as an unauthenticated client, initiates an OIDC authentication request against that role; OpenBao returns a unique provider authorization URL tied to the attacker\u0026rsquo;s pending login.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the generated URL to the victim via phishing or other social engineering methods.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link and authenticates through the OIDC provider. 
OpenBao automatically associates this authentication with the attacker\u0026rsquo;s session due to the \u003ccode\u003edirect\u003c/code\u003e callback.\u003c/li\u003e\n\u003cli\u003eOpenBao\u0026rsquo;s API receives a direct callback, skipping user confirmation.\u003c/li\u003e\n\u003cli\u003eOpenBao issues a token associated with the attacker\u0026rsquo;s session, effectively authenticating the attacker as the victim.\u003c/li\u003e\n\u003cli\u003eThe attacker continuously polls the OpenBao API for the issued token.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the token and gains unauthorized access to secrets and resources managed by OpenBao, impersonating the victim.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to impersonate a legitimate user within OpenBao. This can lead to unauthorized access to sensitive data, including secrets, credentials, and other protected resources. The impact is critical as it allows complete bypass of intended authentication mechanisms, potentially affecting all users and systems managed by the vulnerable OpenBao instance. 
This can lead to data breaches, service disruption, and privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenBao to version 2.5.2 or later to apply the patch that introduces a confirmation screen for \u003ccode\u003edirect\u003c/code\u003e type logins.\u003c/li\u003e\n\u003cli\u003eAs a workaround, remove any OpenBao roles configured with \u003ccode\u003ecallback_mode=direct\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnforce confirmation for every session on the token issuer side for the Client ID used by OpenBao, mitigating the risk even if roles with \u003ccode\u003ecallback_mode=direct\u003c/code\u003e exist.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual patterns of requests to the OpenBao OIDC callback endpoint after authentication, using the \u0026ldquo;Detect OpenBao Direct Callback Abuse\u0026rdquo; Sigma rule to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect OpenBao Direct Callback Configuration\u0026rdquo; Sigma rule to identify roles configured with the vulnerable \u003ccode\u003ecallback_mode=direct\u003c/code\u003e setting.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T18:33:37Z","date_published":"2026-03-26T18:33:37Z","id":"/briefs/2026-04-17-openbao-oidc-bypass/","summary":"OpenBao versions before 2.5.2 lack user confirmation for OIDC direct callback mode, allowing attackers to perform remote phishing and bypass authentication.","title":"OpenBao OIDC Direct Callback Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-17-openbao-oidc-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["phishing","recruiting","social-engineering","scam"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSince August 2025, a series of phishing campaigns have 
impersonated Palo Alto Networks talent acquisition staff, targeting senior-level professionals. The attackers leverage scraped LinkedIn data to craft personalized lures, enhancing the credibility of their outreach. This campaign involves social engineering to manufacture a bureaucratic barrier related to the candidate\u0026rsquo;s resume. The attackers falsely claim that the candidate\u0026rsquo;s resume failed to meet the applicant tracking system (ATS) requirements. They then offer to assist the candidate in acquiring a position for a fee, typically ranging from $400 to $800 for services like \u0026ldquo;executive ATS alignment\u0026rdquo; or \u0026ldquo;end-to-end executive rewrite.\u0026rdquo; The goal is to exploit the candidate\u0026rsquo;s professional ambitions by creating a sense of financial urgency and directing them to a third-party \u0026ldquo;expert\u0026rdquo; for paid services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Outreach:\u003c/strong\u003e Attackers send personalized emails posing as Palo Alto Networks talent acquisition staff, using flattering language and details from the victim\u0026rsquo;s LinkedIn profile.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEstablish Rapport:\u003c/strong\u003e The emails use legitimate company logos and signatures to appear authentic and build trust with the targeted professional.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eManufactured Crisis:\u003c/strong\u003e Attackers claim the candidate\u0026rsquo;s resume failed to meet ATS requirements, creating a bureaucratic barrier.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOffer of Assistance:\u003c/strong\u003e The \u0026ldquo;recruiter\u0026rdquo; offers \u0026ldquo;executive ATS alignment\u0026rdquo; services for a fee, suggesting an urgent need to update the resume.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHand-off to 
\u0026ldquo;Expert\u0026rdquo;:\u003c/strong\u003e The candidate is directed to a purported expert who provides structured service offers with specific price points (e.g., $400, $600, $800).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTime Pressure:\u003c/strong\u003e The \u0026ldquo;recruiter\u0026rdquo; implies that the \u0026ldquo;review panel\u0026rdquo; has already begun, urging the candidate to update their CV within a limited timeframe.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayment Solicitation:\u003c/strong\u003e The \u0026ldquo;expert\u0026rdquo; offers to deliver the CV within hours, fitting the ostensible review window, but only after payment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFinancial Exploitation:\u003c/strong\u003e Victims who comply with the demands pay for services that are never delivered, resulting in financial loss and potential identity theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis phishing campaign targets senior-level professionals, aiming to defraud them of hundreds of dollars through fabricated resume services. Multiple incidents have been reported, indicating a widespread effort to exploit individuals seeking job opportunities. If successful, victims lose money and may expose personal information, potentially leading to further identity theft or fraudulent activities. 
The campaign undermines trust in legitimate recruiting processes and damages the reputation of Palo Alto Networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement email filtering rules to flag messages from the IOC email addresses (paloaltonetworks@gmail[.]com, recruiter.paloalnetworks@gmail[.]com, phillipwalters006@gmail[.]com, posunrayi994@gmail[.]com).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic and DNS queries for connections to domains resembling \u0026ldquo;paloaltonetworks\u0026rdquo; but with slight variations, as mentioned in the overview, and implement blocking where appropriate.\u003c/li\u003e\n\u003cli\u003eEducate employees and potential job candidates about this phishing scheme, emphasizing the importance of verifying recruiter identities and avoiding payment requests during the hiring process.\u003c/li\u003e\n\u003cli\u003eDeploy a Sigma rule to detect emails originating from free email providers (e.g. 
gmail.com) that claim to be from a specific organization based on email content and sender information (see rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T12:00:00Z","date_published":"2026-03-25T12:00:00Z","id":"/briefs/2026-03-panw-recruiting-scam/","summary":"Since August 2025, threat actors have been impersonating Palo Alto Networks talent acquisition staff in a sophisticated phishing campaign targeting senior professionals, using social engineering tactics to solicit fraudulent resume fees.","title":"Palo Alto Networks Recruiting Impersonation Phishing Campaign","url":"https://feed.craftedsignal.io/briefs/2026-03-panw-recruiting-scam/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["credential-access","initial-access","phishing","oauth"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAn active phishing campaign is leveraging Microsoft\u0026rsquo;s Device Code OAuth flow to target users of cloud-based file storage and document workflow platforms. Unlike traditional phishing attacks that aim to steal usernames and passwords directly, this campaign exploits a legitimate authentication mechanism to gain unauthorized access. The campaign impersonates popular cloud services, enticing users to enter a provided device code on a Microsoft login page. By doing so, victims inadvertently grant the attacker access to their accounts on the targeted platforms. This campaign highlights the evolving tactics of phishing actors and the need for robust detection mechanisms beyond simple credential harvesting alerts. 
The scope and scale of the campaign are currently unknown.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a phishing email impersonating a cloud-based file storage or document workflow service.\u003c/li\u003e\n\u003cli\u003eThe email contains a message prompting the user to \u0026ldquo;activate\u0026rdquo; or \u0026ldquo;authenticate\u0026rdquo; their account.\u003c/li\u003e\n\u003cli\u003eThe email includes a device code and instructs the user to visit a Microsoft login page (e.g., microsoft.com/devicelogin).\u003c/li\u003e\n\u003cli\u003eThe user, believing the request is legitimate, enters the provided device code on the Microsoft login page.\u003c/li\u003e\n\u003cli\u003eThe Microsoft login page prompts the user to grant permissions to an application controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eIf the user approves the permissions, the attacker gains OAuth tokens that allow access to the user\u0026rsquo;s account on the targeted cloud platform.\u003c/li\u003e\n\u003cli\u003eThe attacker can then access, modify, or exfiltrate data stored on the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the compromised account to further propagate the phishing campaign to other users within the organization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful attacks can lead to unauthorized access to sensitive data stored in cloud-based file storage and document workflow platforms. This can result in data breaches, financial loss, and reputational damage for affected organizations. The use of a legitimate Microsoft authentication flow makes this campaign difficult to detect with traditional phishing detection methods. The lack of credential harvesting may also bypass security controls focused on monitoring password theft. 
The specific number of victims and sectors targeted remains unknown, but the potential impact is significant given the widespread use of cloud services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement user awareness training to educate employees about device code phishing and the risks of entering unknown codes on login pages.\u003c/li\u003e\n\u003cli\u003eMonitor Microsoft Entra ID (Azure AD) logs for unusual device code authentication patterns, focusing on applications requesting broad permissions (reference: Attack Chain steps 5 and 6). Deploy the \u0026ldquo;Detect Suspicious Device Code Authentication\u0026rdquo; Sigma rule to identify anomalous activity.\u003c/li\u003e\n\u003cli\u003eImplement Conditional Access policies in Microsoft Entra ID to restrict device code authentication to trusted devices and locations.\u003c/li\u003e\n\u003cli\u003eInvestigate any successful device code authentications where the application requesting permissions is not recognized or approved by the organization.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T12:00:00Z","date_published":"2026-03-25T12:00:00Z","id":"/briefs/2026-03-device-code-phishing/","summary":"A phishing campaign abuses Microsoft's Device Code OAuth flow to gain access to cloud-based file storage and document workflow platforms, bypassing traditional credential harvesting.","title":"Device Code Phishing Campaign Targeting Cloud Platforms","url":"https://feed.craftedsignal.io/briefs/2026-03-device-code-phishing/"},{"_cs_actors":["Scattered Spider","UNC3944","Octo Tempest","Roasted 0ktapus","Muddled Libra","Star Fraud","UNC6201","Salt Typhoon","GhostEmperor","FamousSparrow","UNC5807"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["threat-report","ransomware","phishing","saas"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThe Mandiant M-Trends 2026 report 
analyzes over 500,000 hours of incident investigations, revealing significant shifts in the cyber threat landscape. Cybercriminal groups are optimizing for immediate impact and recovery denial, while cyber espionage groups and insider threats prioritize extreme persistence, leveraging unmonitored edge devices and native network functionalities to evade detection. Voice phishing has surged, replacing email as a primary initial access vector, particularly targeting SaaS environments. The time between initial access and the hand-off to secondary actors deploying ransomware has collapsed dramatically. Targeted industries include the high-tech sector (17%) and the financial sector (14.6%). Ransomware groups are now actively targeting backup infrastructure, identity services, and virtualization management planes to ensure recovery is impossible without paying a ransom. Espionage groups are exploiting zero-day vulnerabilities in edge devices for long-term persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e Attackers use voice phishing (vishing) to target IT help desks, bypassing MFA and gaining initial access to SaaS environments. Malicious advertisements or the ClickFix social engineering technique are also used to gain a foothold.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Exploitation of misconfigured Active Directory Certificate Services templates to create admin accounts that bypass password rotation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e Harvesting long-lived OAuth tokens and session cookies to bypass standard defenses. Stealing hard-coded keys and personal access tokens from compromised third-party SaaS vendors. 
Leveraging native packet-capturing functionality on network appliances to intercept sensitive data and plaintext credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Using stolen credentials and tokens to pivot into downstream customer environments. Exploiting the \u0026ldquo;Tier-0\u0026rdquo; nature of hypervisors to bypass guest-level defenses.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e Deploying custom, in-memory malware like BRICKSTORM directly onto network appliances to establish deep persistence that survives standard remediation efforts. Targeting edge and core network devices lacking EDR telemetry.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e Encrypting hypervisor datastores to render all associated virtual machines inoperable simultaneously. Deleting backup objects from cloud storage.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e Large-scale data theft from SaaS environments.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eM-Trends 2026 highlights that ransomware groups are actively destroying the ability to recover data, impacting organizations across more than 16 industry verticals. The high-tech and financial sectors are particularly targeted. The collapse of the hand-off window from hours to seconds means organizations have less time to respond to initial intrusions before ransomware is deployed. 
The increasing dwell time of threats like BRICKSTORM, reaching nearly 400 days, leaves organizations blind to the full scope of the intrusion due to standard log retention policies.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule for detecting PowerShell commands from uncommon locations to identify potential malicious activity related to post-compromise actions (reference: Sigma rule \u0026ldquo;Detect PowerShell from Uncommon Location\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring on edge devices and VPNs to detect unauthorized packet capturing and credential interception attempts (reference: overview section about edge devices).\u003c/li\u003e\n\u003cli\u003eReview and harden Active Directory Certificate Services configurations to prevent the exploitation of misconfigured templates (reference: attack chain step 2).\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to cloud storage backup objects, especially deletion attempts, to detect ransomware groups attempting to destroy recovery capabilities (reference: attack chain step 6).\u003c/li\u003e\n\u003cli\u003eIncrease log retention policies beyond 90 days to improve visibility into long-term persistent threats like BRICKSTORM (reference: Overview section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T10:45:30Z","date_published":"2026-03-25T10:45:30Z","id":"/briefs/2026-06-mtrends-2026/","summary":"The M-Trends 2026 report highlights the increasing sophistication of threat actors, including voice phishing attacks targeting SaaS environments, ransomware groups actively destroying recovery capabilities, and espionage groups exploiting edge devices for persistent access, revealing a shift towards faster hand-offs between initial access brokers and ransomware deployers.","title":"M-Trends 2026: Evolving Threat 
Landscape","url":"https://feed.craftedsignal.io/briefs/2026-06-mtrends-2026/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","data-breach","credential-theft","phishing"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 23, 2026, a data breach was reported at Crunchyroll, stemming from a compromise of their outsourcing partner, Telus, in India. The attackers successfully gained access to Crunchyroll\u0026rsquo;s environment after a Telus employee was targeted with a spoofed phishing email. This email delivered malware that stole the employee\u0026rsquo;s Okta credentials, granting the attacker a foothold into Crunchyroll\u0026rsquo;s systems. The breach resulted in the exfiltration of approximately 100 GB of sensitive customer analytics and ticketing data. The threat actor had unauthorized access for a duration of 24 hours before the compromised credentials were revoked. This incident highlights the risks associated with supply chain vulnerabilities and the importance of robust security measures across all partner organizations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e A Telus employee received a spoofed phishing email containing malware. (T1566)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalware Deployment:\u003c/strong\u003e The employee interacted with the phishing email, leading to the deployment of an infostealer on their machine.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Theft:\u003c/strong\u003e The malware captured the employee\u0026rsquo;s Okta credentials. 
(TA0006)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication:\u003c/strong\u003e The attacker used the stolen Okta credentials to authenticate into Crunchyroll\u0026rsquo;s environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e Upon successful authentication, the attacker gained access to customer analytics and ticketing data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker exfiltrated approximately 100 GB of data, including PII such as email addresses and IP addresses. (TA0010)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Likely):\u003c/strong\u003e While not explicitly stated, the attacker likely performed some level of lateral movement within the Crunchyroll environment to access the data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObjective Achieved:\u003c/strong\u003e The attacker successfully exfiltrated sensitive customer data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Crunchyroll data breach resulted in the exfiltration of 100 GB of customer analytics and ticketing data. This included personally identifiable information (PII) such as email addresses and IP addresses. The exposure of this data could lead to identity theft, phishing attacks targeting Crunchyroll customers, and potential financial fraud. The breach also damages Crunchyroll\u0026rsquo;s reputation and erodes customer trust. 
The incident underscores the critical need for robust security measures across the entire supply chain to protect sensitive customer data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement and enforce strict email security policies to prevent phishing attacks, focusing on employee training to recognize spoofed emails (T1566).\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection and response (EDR) solutions on all employee machines to detect and prevent malware deployment (TA0005).\u003c/li\u003e\n\u003cli\u003eMonitor Okta authentication logs for suspicious login activity, such as logins from unusual locations or at unusual times (TA0006).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with access to sensitive data, to mitigate the impact of credential theft (TA0006).\u003c/li\u003e\n\u003cli\u003eConduct regular security audits of all third-party vendors and partners to ensure they meet the required security standards (TA0011).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the use of stolen Okta credentials based on anomalous login patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-crunchyroll-breach/","summary":"Crunchyroll suffered a data breach after a Telus employee was phished, leading to Okta credential theft and exfiltration of 100GB of customer data.","title":"Crunchyroll Data Breach via Telus Supply Chain Compromise","url":"https://feed.craftedsignal.io/briefs/2026-03-crunchyroll-breach/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["motw","bypass","phishing","defense-evasion","archive","7-zip","cab","tar"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA new MOTW bypass technique has emerged that chains a CAB file with 
two TAR archives nested within a 7-Zip archive. This method effectively strips the Zone.Identifier stream from downloaded files, preventing the display of SmartScreen prompts or security warnings. Many organizations rely on MOTW and SmartScreen as a crucial layer of defense against phishing attacks. This bypass, affecting fully patched environments, allows attackers to execute arbitrary code without the usual security checks, potentially leading to malware infection or data compromise. The technique is not a rehash of older 7-Zip MOTW issues but a novel approach to evade detection based on Zone.Identifier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious payload.\u003c/li\u003e\n\u003cli\u003eAttacker packages the payload into a TAR archive.\u003c/li\u003e\n\u003cli\u003eThe TAR archive is nested inside another TAR archive.\u003c/li\u003e\n\u003cli\u003eThe nested TAR archives are then compressed into a 7-Zip archive using 7z.exe.\u003c/li\u003e\n\u003cli\u003eThe 7-Zip archive is packaged into a CAB archive using makecab.exe.\u003c/li\u003e\n\u003cli\u003eThe CAB archive is distributed to the victim, potentially via phishing or drive-by download.\u003c/li\u003e\n\u003cli\u003eThe victim opens the CAB archive, extracting the nested 7-Zip, TAR, and payload.\u003c/li\u003e\n\u003cli\u003eThe payload executes without a Zone.Identifier stream, bypassing MOTW and SmartScreen, potentially leading to malware infection or unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass security controls that rely on MOTW and SmartScreen. This can lead to malware infections, data breaches, or other malicious activities. The bypass affects fully patched environments, increasing the scope of potential victims. 
The absence of security warnings makes it more likely that users will execute the malicious payload, increasing the success rate of attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement detections for unusual process chains involving \u003ccode\u003emakecab.exe\u003c/code\u003e, \u003ccode\u003e7z.exe\u003c/code\u003e, and \u003ccode\u003etar.exe\u003c/code\u003e as these tools are used in the bypass (see Sigma rule \u0026ldquo;Detect Suspicious Archive Chaining\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eMonitor for archive extractions from unusual locations, especially those originating from downloaded CAB files, using file event logging and process monitoring (see Sigma rule \u0026ldquo;Detect Archive Extraction from Downloaded CAB\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eAnalyze network connections from processes spawned from archive extractions, as they may indicate command and control or data exfiltration.\u003c/li\u003e\n\u003cli\u003eBlock the URL \u003ccode\u003ehttps://youtu.be/pQxiPwGTBL8\u003c/code\u003e to prevent users from accessing potentially malicious content related to this bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T17:31:15Z","date_published":"2026-03-19T17:31:15Z","id":"/briefs/2026-03-motw-bypass/","summary":"A newly discovered Mark of the Web (MOTW) bypass technique utilizes a chain of CAB, TAR, and 7-Zip archives to circumvent SmartScreen and execute files without security warnings.","title":"MOTW Bypass via CAB, TAR, and 7-Zip Chaining","url":"https://feed.craftedsignal.io/briefs/2026-03-motw-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["credential-access","netntlm","phishing","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability, tracked as CVE-2025-59284, enables attackers to capture NetNTLM hashes from Windows 
systems through a specially crafted archive file. This technique exploits how Windows handles file extraction, potentially forcing authentication requests to a malicious server controlled by the attacker. The vulnerability was presented at BsidesLjubljana in March 2026, suggesting recent active research and potential exploitation. The original Reddit post indicates that the Microsoft patch might…\u003c/p\u003e\n","date_modified":"2026-03-18T12:00:00Z","date_published":"2026-03-18T12:00:00Z","id":"/briefs/2026-03-netntlm-phishing/","summary":"A phishing technique, potentially still viable due to incomplete patching, allows attackers to obtain NetNTLM hashes from archive extraction on Windows systems (CVE-2025-59284).","title":"NetNTLM Hash Phishing via Archive Extraction (CVE-2025-59284)","url":"https://feed.craftedsignal.io/briefs/2026-03-netntlm-phishing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["remcos","rat","fileless","phishing"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief discusses a Remcos RAT infection chain that utilizes a fileless, multi-stage approach. While specific details regarding the initial phishing lure, exploitation method, and Remcos RAT version are absent from the original report, the core focus is on the fileless execution and memory residency of the RAT. The attack begins with an unspecified phishing attack and culminates in a Remcos RAT running entirely in memory, hindering traditional disk-based forensic analysis. This type of attack poses a significant challenge to traditional endpoint detection and response (EDR) solutions. 
The scope and scale of this campaign are unknown, but fileless techniques are generally employed in targeted attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unsuspecting user receives a phishing email containing a malicious attachment or link (specific delivery mechanism not specified).\u003c/li\u003e\n\u003cli\u003eThe user interacts with the malicious content, initiating the first stage of the attack.\u003c/li\u003e\n\u003cli\u003eA script (e.g., PowerShell, VBScript) is executed, likely delivered through the phishing attachment/link.\u003c/li\u003e\n\u003cli\u003eThe script downloads and executes additional payloads directly into memory, avoiding writing files to disk.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload injects Remcos RAT into a legitimate system process (process injection).\u003c/li\u003e\n\u003cli\u003eRemcos RAT establishes a command and control (C2) connection with the attacker\u0026rsquo;s server for further instructions.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform various malicious activities such as data exfiltration, keylogging, or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe Remcos RAT persists in memory, potentially evading detection by signature-based antivirus solutions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful deployment of Remcos RAT can lead to significant data breaches, intellectual property theft, and financial losses. Victims may experience system instability, unauthorized access to sensitive information, and reputational damage. The fileless nature of the attack makes it harder to detect and remediate, potentially prolonging the dwell time and increasing the overall impact. 
The number of victims and targeted sectors are not specified in the original source.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell script block logging and transcription to enhance visibility into potentially malicious script execution (reference attack chain step 3).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious parent-child relationships (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e spawning uncommon processes) to detect injected Remcos processes (reference attack chain step 5).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM and tune them for your specific environment.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown scripts and binaries (reference attack chain step 4).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-15T15:34:12Z","date_published":"2026-03-15T15:34:12Z","id":"/briefs/2024-01-remcos-fileless/","summary":"A fileless multi-stage Remcos RAT is delivered via phishing, achieving memory-resident execution, but specific technical details are not provided in this brief.","title":"Fileless Multi-Stage Remcos RAT via Phishing","url":"https://feed.craftedsignal.io/briefs/2024-01-remcos-fileless/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["phishing","redirect","google-cloud-storage"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAn ongoing phishing campaign observed in March 2026 abuses Google Cloud Storage (storage.googleapis.com) as a redirector. Attackers are using this service to proxy victims to various scam pages. These scam pages are primarily hosted on domains ending in .autos. 
The campaign employs various phishing themes, including fake Walmart surveys, Dell giveaways, Netflix rewards, antivirus renewal alerts, storage full warnings, and fake job lures. This tactic allows attackers to obfuscate the final destination of the phishing link, making it harder for victims to identify malicious content before they are redirected to a scam page. Defenders should monitor for unusual redirects originating from Google Cloud Storage to untrusted domains.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a phishing email to potential victims.\u003c/li\u003e\n\u003cli\u003eThe email contains a link that appears legitimate, hosted on Google Cloud Storage (storage.googleapis.com).\u003c/li\u003e\n\u003cli\u003eThe victim clicks on the link, initiating a request to the specified Google Cloud Storage URL.\u003c/li\u003e\n\u003cli\u003eGoogle Cloud Storage, configured by the attacker, redirects the victim to a malicious domain, typically ending in .autos.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser is redirected to the scam page hosted on the .autos domain.\u003c/li\u003e\n\u003cli\u003eThe scam page presents a fake survey, giveaway, reward, alert, or job lure designed to trick the victim.\u003c/li\u003e\n\u003cli\u003eThe victim enters personal information or credentials into the fake form.\u003c/li\u003e\n\u003cli\u003eThe attacker harvests the stolen information for malicious purposes, such as identity theft or financial fraud.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis phishing campaign can lead to the theft of personal and financial information. Victims who interact with the scam pages may experience financial losses, identity theft, or malware infections. 
The use of Google Cloud Storage as a redirector makes it harder to detect and block these phishing attacks, potentially impacting a large number of users. Sectors targeted include retail customers (Walmart), technology consumers (Dell, Netflix), and job seekers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for redirects originating from \u003ccode\u003estorage.googleapis.com\u003c/code\u003e to suspicious domains, particularly those ending in \u003ccode\u003e.autos\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule to detect redirects from Google Cloud Storage to .autos domains.\u003c/li\u003e\n\u003cli\u003eEducate users about phishing tactics and the dangers of clicking on suspicious links.\u003c/li\u003e\n\u003cli\u003eConsider blocking or sandboxing domains ending in \u003ccode\u003e.autos\u003c/code\u003e if they are not part of your organization\u0026rsquo;s trusted ecosystem.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-15T12:00:00Z","date_published":"2026-03-15T12:00:00Z","id":"/briefs/2026-03-google-cloud-storage-redirector/","summary":"A phishing campaign leverages Google Cloud Storage as a redirect layer to serve victims scam pages related to surveys, giveaways, rewards, alerts, and job lures, primarily hosted on .autos domains.","title":"Phishing Campaign Abusing Google Cloud Storage Redirectors","url":"https://feed.craftedsignal.io/briefs/2026-03-google-cloud-storage-redirector/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["phishing","execution","url-file","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers commonly use .url shortcut files in phishing campaigns to deliver malicious payloads. These files, when downloaded from non-local sources, may bypass traditional security measures. 
This detection rule identifies such files by monitoring their creation events on Windows systems. The rule focuses on files with the .url extension and a zone identifier indicating they originated from outside the local network. These files are often delivered via email or malicious websites, tricking users into clicking them, which can lead to the execution of arbitrary commands or the redirection to malicious websites. This technique allows attackers to gain initial access or execute malicious code on the victim\u0026rsquo;s machine.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a phishing email or a malicious website containing a link to a .url file.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link, resulting in the download of the .url file to their Windows system.\u003c/li\u003e\n\u003cli\u003eThe .url file is created on the filesystem, triggering a file creation event.\u003c/li\u003e\n\u003cli\u003eThe operating system assigns a Zone Identifier to the file, marking it as originating from an external source.\u003c/li\u003e\n\u003cli\u003eThe victim double-clicks the .url file, which contains a URL pointing to a malicious website or an executable.\u003c/li\u003e\n\u003cli\u003eThe operating system attempts to open the URL using the default web browser or execute the embedded command.\u003c/li\u003e\n\u003cli\u003eIf the URL points to a malicious website, the victim may be prompted to download and execute malware.\u003c/li\u003e\n\u003cli\u003eThe malware executes, potentially leading to system compromise, data theft, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary commands, redirection to malicious websites, and subsequent malware infection. 
If successful, attackers can compromise user systems, steal sensitive information, or establish a foothold for further malicious activities within the organization\u0026rsquo;s network. The impact can range from individual system compromise to broader network breaches, depending on the attacker\u0026rsquo;s objectives and the extent of the infection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDownloaded URL Files Created\u003c/code\u003e to your SIEM to detect the creation of downloaded .url files with a non-local Zone Identifier and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003efile creation\u003c/code\u003e events where \u003ccode\u003efile.extension == \u0026quot;url\u0026quot;\u003c/code\u003e and \u003ccode\u003efile.Ext.windows.zone_identifier == 3\u003c/code\u003e using the provided investigation steps in the advisory.\u003c/li\u003e\n\u003cli\u003eUpdate security policies and endpoint protection configurations to block the download and execution of .url files from untrusted sources, as mentioned in the advisory.\u003c/li\u003e\n\u003cli\u003eEducate users on safe downloading practices and the risks associated with opening .url files from untrusted sources, as highlighted in the advisory\u0026rsquo;s false positive analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T17:49:12Z","date_published":"2024-01-04T17:49:12Z","id":"/briefs/2024-01-downloaded-url-files/","summary":"This detection rule identifies downloaded .url shortcut files on Windows systems, often used in phishing campaigns, by monitoring their creation events and flagging those from non-local sources, enabling early threat detection.","title":"Detection of Downloaded URL Files Used in Phishing 
Campaigns","url":"https://feed.craftedsignal.io/briefs/2024-01-downloaded-url-files/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["phishing","lnk","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies suspicious .lnk files created on Windows systems, especially those downloaded from external sources, which may indicate potential phishing attempts. The rule leverages file creation events and zone identifiers to trace the file\u0026rsquo;s origin. Adversaries exploit shortcut files by embedding malicious commands within them, often distributing these files via phishing campaigns. This can lead to arbitrary code execution upon user interaction. The rule is designed for data generated by Elastic Defend.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser receives a phishing email containing a malicious .lnk file.\u003c/li\u003e\n\u003cli\u003eThe user downloads the .lnk file to their Windows system.\u003c/li\u003e\n\u003cli\u003eThe Windows OS marks the file with a Zone Identifier indicating it came from an external source.\u003c/li\u003e\n\u003cli\u003eThe user double-clicks the .lnk file, triggering its execution.\u003c/li\u003e\n\u003cli\u003eThe .lnk file executes embedded commands, such as PowerShell or cmd.exe.\u003c/li\u003e\n\u003cli\u003eThe command downloads and executes a malicious payload from a remote server.\u003c/li\u003e\n\u003cli\u003eThe payload establishes persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access and control over the infected host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of the user\u0026rsquo;s system, potentially resulting in data theft, malware installation, or further 
propagation of the attack within the network.  The severity of the impact depends on the privileges of the compromised user account and the attacker\u0026rsquo;s objectives. The rule aims to detect and prevent such attacks early in the attack chain, reducing the potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Downloaded Shortcut Files\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend to capture the necessary file creation events for the rule to function.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, paying close attention to the file path, zone identifier, and associated user account.\u003c/li\u003e\n\u003cli\u003eUpdate security policies to restrict the execution of .lnk files from untrusted sources.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening suspicious attachments, especially .lnk files, to prevent initial access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:22:32Z","date_published":"2024-01-03T18:22:32Z","id":"/briefs/2024-01-downloaded-lnk/","summary":"This rule detects potentially malicious .lnk shortcut files downloaded from outside the local network on Windows systems, which are commonly used in phishing campaigns.","title":"Detection of Downloaded Shortcut Files","url":"https://feed.craftedsignal.io/briefs/2024-01-downloaded-lnk/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office","Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","LogiOptions","Sidekick.vsto"],"_cs_severities":["medium"],"_cs_tags":["office-addins","phishing","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Logitech","Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging malicious Microsoft Office Add-Ins to gain initial access and 
persistence on victim systems. These add-ins, often delivered through phishing campaigns, contain embedded malicious code. This detection identifies unusual execution patterns, such as Office applications (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSACCESS.EXE, VSTOInstaller.exe) launching add-ins (wll, xll, ppa, ppam, xla, xlam, vsto) from suspicious paths like Temp or Downloads directories, or with atypical parent processes (explorer.exe, OpenWith.exe, cmd.exe, powershell.exe). The detection logic filters out known benign activity, such as Logitech software installations (LogiOptions), to minimize false positives and focus on anomalies indicative of malicious intent. This activity matters because successful exploitation can lead to arbitrary code execution, data theft, and further compromise of the victim\u0026rsquo;s network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a phishing email containing a malicious Microsoft Office document.\u003c/li\u003e\n\u003cli\u003eThe user opens the document, which prompts them to enable macros or install an add-in.\u003c/li\u003e\n\u003cli\u003eThe malicious add-in (wll, xll, ppa, ppam, xla, xlam, vsto) is downloaded from a remote server or dropped into a suspicious directory, such as %TEMP% or %APPDATA%.\u003c/li\u003e\n\u003cli\u003eThe user executes an Office application (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSACCESS.EXE), which loads the malicious add-in.\u003c/li\u003e\n\u003cli\u003eThe malicious add-in executes arbitrary code, potentially downloading and executing a second-stage payload.\u003c/li\u003e\n\u003cli\u003eThe add-in may establish persistence by modifying registry keys or creating scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the system and can perform reconnaissance, lateral movement, and data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could include data theft, 
ransomware deployment, or intellectual property theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to complete system compromise, data theft, and potential ransomware deployment. Organizations across all sectors are at risk, particularly those with a high volume of email traffic. The use of malicious Office Add-Ins provides attackers with a persistent foothold within the victim\u0026rsquo;s environment, allowing for long-term data collection and disruption of business operations. This can lead to significant financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOffice Add-In Loaded From Suspicious Path\u003c/code\u003e to detect add-ins loaded from temporary or download directories based on \u003ccode\u003eprocess.args\u003c/code\u003e and \u003ccode\u003eprocess.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOffice Add-In Loaded By Suspicious Parent\u003c/code\u003e to detect add-ins loaded by \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e based on \u003ccode\u003eprocess.parent.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview the exclusion in the provided query for \u003ccode\u003eVSTOInstaller.exe\u003c/code\u003e executing with the \u003ccode\u003e/Uninstall\u003c/code\u003e argument: it treats add-in uninstalls as benign, so confirm that the exclusion fits your environment before relying on it.\u003c/li\u003e\n\u003cli\u003eMonitor for Office applications launching add-ins with parent processes of \u003ccode\u003eexplorer.exe\u003c/code\u003e or \u003ccode\u003eOpenWith.exe\u003c/code\u003e using process creation logs and the provided query logic.\u003c/li\u003e\n\u003cli\u003eImplement stricter email filtering to prevent phishing emails containing 
malicious Office documents from reaching end-users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-office-addins/","summary":"This rule detects suspicious execution of Microsoft Office applications launching Office Add-Ins from unusual paths or with atypical parent processes, potentially indicating an attempt to gain initial access via a malicious phishing campaign.","title":"Suspicious Execution via Microsoft Office Add-Ins","url":"https://feed.craftedsignal.io/briefs/2024-01-office-addins/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["html-smuggling","phishing","initial-access","windows","evasion"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies a suspicious sequence of events indicative of HTML smuggling, where adversaries embed malicious payloads within seemingly benign HTML files to bypass security filters. The rule focuses on Windows systems and monitors for the creation of HTML files that are both high-entropy (\u0026gt;=5) and large (\u0026gt;=150,000 bytes), or that are very large (\u0026gt;=1,000,000 bytes) regardless of entropy, within common download and temporary directories (e.g., Downloads, Content.Outlook, AppData\\Local\\Temp). Subsequently, it tracks the execution of browser processes (e.g., chrome.exe, firefox.exe, iexplore.exe) opening these HTML files with specific command-line arguments (e.g., --single-argument, -url). 
The detection aims to uncover initial access attempts, defense evasion, and user execution of malicious files delivered through HTML smuggling techniques.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a phishing email containing a malicious HTML attachment.\u003c/li\u003e\n\u003cli\u003eThe user opens the attachment, triggering the download of a large HTML file to the Downloads folder.\u003c/li\u003e\n\u003cli\u003eThe HTML file contains obfuscated JavaScript code that, when executed, reconstructs a malicious payload (e.g., a Cobalt Strike beacon).\u003c/li\u003e\n\u003cli\u003eThe file is saved with an .htm or .html extension in a temporary or download directory.\u003c/li\u003e\n\u003cli\u003eA browser process (chrome.exe, firefox.exe, etc.) is initiated to open the HTML file, often with specific arguments like \u0026ldquo;--single-argument\u0026rdquo; or \u0026ldquo;-url\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe browser renders the HTML, executing the embedded JavaScript.\u003c/li\u003e\n\u003cli\u003eThe JavaScript decodes the smuggled payload and writes it to disk as a download (typically by building a Blob and triggering a programmatic click on a download link); the browser itself cannot run a native payload, so the user must then open the dropped file, which connects back to a command-and-control server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the compromised system and can proceed with lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via HTML smuggling can lead to initial access to a targeted system, potentially enabling attackers to perform lateral movement, data exfiltration, or ransomware deployment. While the specific number of victims and targeted sectors are not explicitly stated in the source, the technique is broadly applicable and can affect any Windows user who interacts with malicious HTML attachments or downloads from untrusted sources. 
The consequences of successful exploitation range from data breaches and financial losses to reputational damage and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune the file path and browser process filters for your environment.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on common download and temporary directories to detect the creation of suspicious HTML files as described in the Sigma rules.\u003c/li\u003e\n\u003cli\u003eImplement network egress filtering to block connections to known malicious command-and-control servers and domains to prevent payload execution.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening attachments from untrusted sources and train them to recognize phishing emails as outlined in the Overview.\u003c/li\u003e\n\u003cli\u003eUtilize endpoint detection and response (EDR) solutions to monitor process execution and network connections for anomalous behavior associated with HTML smuggling.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-html-creation/","summary":"This detection identifies the creation of HTML files with high entropy and large size, followed by execution via a browser process, indicating potential HTML smuggling and malicious payload delivery on Windows systems.","title":"Suspicious HTML File Creation Leading to Potential Payload Delivery","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-html-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Okta"],"_cs_severities":["high"],"_cs_tags":["phishing","okta","fastpass"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eThis alert identifies instances where Okta FastPass successfully blocked a user authentication 
attempt due to a detected phishing attack. This is based on Okta system logs that record when FastPass declines an authentication because the sign-in originated from a page whose origin did not match the expected Okta org domain (FastPass phishing resistance). The event indicates that a user was likely targeted via phishing, potentially through email or other means, and entered their Okta credentials into a fraudulent site. While the authentication was blocked, the event warrants investigation to determine the scope of the phishing campaign and whether the user may have entered credentials elsewhere.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a phishing email or message linking to a page that mimics the legitimate Okta login page.\u003c/li\u003e\n\u003cli\u003eThe user receives the phishing message and clicks the embedded link.\u003c/li\u003e\n\u003cli\u003eThe user is directed to a fake Okta login page that is designed to steal credentials.\u003c/li\u003e\n\u003cli\u003eThe user enters their Okta username and password on the phishing site.\u003c/li\u003e\n\u003cli\u003eThe phishing site attempts to authenticate the user to Okta using the stolen credentials.\u003c/li\u003e\n\u003cli\u003eOkta FastPass detects that the authentication attempt originates from a page whose origin does not match the Okta org domain.\u003c/li\u003e\n\u003cli\u003eOkta FastPass declines the authentication request, preventing access.\u003c/li\u003e\n\u003cli\u003eThe Okta system logs record the event \u0026ldquo;user.authentication.auth_via_mfa\u0026rdquo; with outcome \u0026ldquo;FAILURE\u0026rdquo; and reason \u0026ldquo;FastPass declined phishing attempt\u0026rdquo;.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eWhile Okta FastPass successfully prevented the immediate breach, the incident confirms that a user was targeted by a phishing campaign. This could lead to the compromise of other accounts if the user reuses the same password. The password entered on the phishing page should be treated as compromised and reset, even though FastPass blocked the session. 
Furthermore, successful phishing attacks can lead to data breaches, financial loss, and reputational damage. The number of affected users depends on the scale of the phishing campaign.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect Okta FastPass phishing prevention events.\u003c/li\u003e\n\u003cli\u003eInvestigate users who triggered the detection to identify the phishing campaign and assess potential credential compromise.\u003c/li\u003e\n\u003cli\u003eReview Okta system logs for other suspicious activity associated with the targeted user accounts.\u003c/li\u003e\n\u003cli\u003eEducate users about phishing tactics and how to identify malicious websites to reduce susceptibility to future attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-okta-fastpass-phishing/","summary":"Okta FastPass detected and prevented a phishing attempt, indicating a user was likely targeted with a credential harvesting attack.","title":"Okta FastPass Phishing Attempt Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-okta-fastpass-phishing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft 365"],"_cs_severities":["medium"],"_cs_tags":["suspicious-email","phishing","microsoft365"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat involves malicious or suspicious emails, as identified by Microsoft Defender for Office 365, being delivered to user mailboxes despite the existing security mechanisms. This can occur due to various factors, including misconfigured security policies, sophisticated attacker techniques that evade detection, or delayed signature updates. 
The delivery of such emails presents a significant risk, as they may contain spearphishing attachments, malicious links, or other harmful content designed to compromise user accounts or systems. Successful exploitation can lead to data theft, malware infection, and further propagation of the attack within the organization. It\u0026rsquo;s crucial to investigate these instances promptly to remediate any potential damage and improve email security posture.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a spearphishing email designed to bypass standard security filters.\u003c/li\u003e\n\u003cli\u003eThe email is sent to a target user within the Microsoft 365 environment.\u003c/li\u003e\n\u003cli\u003eMicrosoft Defender for Office 365 analyzes the email and identifies it as suspicious but fails to block delivery.\u003c/li\u003e\n\u003cli\u003eThe email is delivered to the user\u0026rsquo;s Inbox or Junk folder.\u003c/li\u003e\n\u003cli\u003eThe user opens the email and clicks on a malicious link or opens a malicious attachment (e.g., a macro-enabled document).\u003c/li\u003e\n\u003cli\u003eThe link redirects the user to a credential harvesting site, or the attachment executes malicious code (e.g., via PowerShell).\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the user\u0026rsquo;s account or system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised account to further propagate the attack, exfiltrate data, or deploy malware within the organization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of this threat can be significant. Successful exploitation can lead to the compromise of user accounts, data theft, malware infection, and financial loss. Organizations may experience business disruption, reputational damage, and legal liabilities. 
The number of affected users and the extent of the damage will depend on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security controls.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect suspicious email delivery events within your Microsoft 365 environment and tune for your specific environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the root cause of the bypass and remediate any potential damage.\u003c/li\u003e\n\u003cli\u003eReview and adjust Microsoft Defender for Office 365 settings to improve detection accuracy and blocking capabilities.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of phishing emails and encourage them to report suspicious messages.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003eTIMailData\u003c/code\u003e operation within the M365 audit logs for further analysis and threat hunting.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-m365-suspicious-email/","summary":"This brief outlines a threat where Microsoft Defender for Office 365 identifies an email as malicious or suspicious but still delivers it to a user's inbox or junk folder, potentially bypassing initial security measures.","title":"Microsoft 365 Suspicious Email Delivery","url":"https://feed.craftedsignal.io/briefs/2024-01-m365-suspicious-email/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office"],"_cs_severities":["medium"],"_cs_tags":["initial-access","phishing","macro"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe creation of Office macro files (.docm, .xlsm, .pptm, etc.) can be an indicator of malicious activity, often linked to initial access attempts such as phishing campaigns or malware distribution. 
Attackers frequently embed malicious macros within these files to execute arbitrary code on a victim\u0026rsquo;s machine upon opening the document and enabling macros. While legitimate use cases for macro-enabled documents exist, their creation should be monitored, especially when originating from unusual processes or locations. This activity is related to the technique T1566.001 (Phishing: Spearphishing Attachment). Defenders need to monitor file creation events for specific Office macro extensions, filtering out common false positives to identify potential threats.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Office document (e.g., .docm, .xlsm) containing a VBA macro.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious document as an attachment via email (spearphishing).\u003c/li\u003e\n\u003cli\u003eThe user receives the email and opens the attached Office document.\u003c/li\u003e\n\u003cli\u003eThe user is prompted to enable macros within the document.\u003c/li\u003e\n\u003cli\u003eIf the user enables macros, the embedded VBA code executes.\u003c/li\u003e\n\u003cli\u003eThe VBA code may execute PowerShell or other scripting languages to download a malicious payload.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is saved to disk (e.g., in the user\u0026rsquo;s temp directory).\u003c/li\u003e\n\u003cli\u003eThe payload executes, establishing persistence or performing other malicious actions, such as ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, malware installation, data exfiltration, and potentially complete system compromise. The impact can range from individual user infection to widespread organizational damage, depending on the attacker\u0026rsquo;s objectives and the level of access gained. 
In a widespread attack, numerous systems could be infected, leading to significant downtime, data loss, and financial repercussions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOffice Macro File Creation\u003c/code\u003e to your SIEM to detect the creation of suspicious Office macro files (logsource: file_event/windows).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent processes of the file creation event.\u003c/li\u003e\n\u003cli\u003eImplement user awareness training to educate employees about the risks of opening unsolicited attachments and enabling macros.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation logging to capture the necessary events for the Sigma rule to function effectively.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-office-macro-creation/","summary":"This brief outlines a threat involving the creation of new Office macro files, potentially indicating malicious activity such as phishing or malware distribution, targeting Windows systems.","title":"Detection of Office Macro File Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-office-macro-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Outlook","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["initial-access","phishing","malware","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThis detection identifies suspicious child processes of Microsoft Outlook, often associated with spear phishing activity and the execution of malicious attachments. Attackers may leverage malicious documents delivered via email to execute arbitrary code on a victim\u0026rsquo;s machine. 
The rule focuses on identifying processes such as \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, and other system binaries being spawned by Outlook, suggesting the potential execution of malicious attachments or exploitation for initial access. This activity is designed to bypass traditional security measures and gain an initial foothold within the targeted environment. The rule is designed for data generated by Elastic Defend, but also supports third-party data sources like CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a spear phishing email with a malicious attachment (e.g., a Microsoft Office document or PDF).\u003c/li\u003e\n\u003cli\u003eThe user opens the attachment, unknowingly triggering embedded malicious code (e.g., macros or exploits).\u003c/li\u003e\n\u003cli\u003eThe malicious code executes within the context of Microsoft Outlook (outlook.exe).\u003c/li\u003e\n\u003cli\u003eThe malicious code spawns a suspicious child process, such as \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, or \u003ccode\u003ewscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes commands to download and execute further malicious payloads from external sources.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload establishes persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access and begins reconnaissance activities.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, escalating privileges and compromising additional systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to initial 
access, allowing attackers to gain a foothold within the network, escalate privileges, and potentially exfiltrate sensitive data, deploy ransomware, or conduct other malicious activities. While specific victim counts and sectors are unavailable, similar attacks have targeted a wide range of industries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious MS Outlook Child Process Spawning Command Interpreter\u0026rdquo; to your SIEM to detect potential initial access attempts (see rule below).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to provide the necessary data for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eBlock the execution of commonly abused system binaries (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e) as child processes of Outlook using application control policies where possible.\u003c/li\u003e\n\u003cli\u003eImplement and enforce strict macro policies in Microsoft Office applications to prevent the execution of malicious code within documents.\u003c/li\u003e\n\u003cli\u003eRegularly review and update email security policies to prevent spear phishing emails from reaching users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-02-suspicious-outlook-child-process/","summary":"Detection of suspicious child processes spawned by Microsoft Outlook, indicative of spear phishing and malicious file execution leading to potential initial access and further exploitation.","title":"Suspicious MS Outlook Child Process","url":"https://feed.craftedsignal.io/briefs/2024-01-02-suspicious-outlook-child-process/"}],"language":"en","title":"CraftedSignal Threat Feed — Phishing","version":"https://jsonfeed.org/version/1.1"}
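Added example, not CraftedSignal's or Elastic's rule code, illustrating the three file-creation detections described in the downloaded .url files, downloaded shortcut files and HTML smuggling briefs above: parsing the Zone.Identifier stream that carries the Mark of the Web, computing the Shannon entropy the HTML rule thresholds on, and running both checks over ECS-shaped file events. The field names (file.Ext.windows.zone_identifier, file.Ext.entropy) follow the briefs; the event dict layout, sample paths and sample file contents are constructed for the demonstration.

```python
"""Offline re-implementation of the file-creation detections from the
downloaded-.url, downloaded-.lnk and HTML-smuggling briefs.  Added example,
not CraftedSignal's or Elastic's rule code.  Events are dicts in a loose
ECS shape (file.extension, file.path, file.size, file.Ext.entropy,
file.Ext.windows.zone_identifier); all sample events are constructed."""
import base64
import math
import random
import re
from collections import Counter
from typing import List, Optional, Tuple

# Mark-of-the-Web zone ids as written to the Zone.Identifier alternate data stream.
ZONE_LOCAL_MACHINE, ZONE_INTRANET, ZONE_TRUSTED, ZONE_INTERNET, ZONE_RESTRICTED = range(5)
SHORTCUT_EXTS = {"url", "lnk"}
# Download / temp directories the HTML rule restricts itself to (assumed set, per the brief).
DOWNLOAD_DIRS = re.compile(r"\\(Downloads|Content\.Outlook|AppData\\Local\\Temp)\\", re.IGNORECASE)


def parse_zone_identifier(ads_text: Optional[str]) -> Optional[int]:
    """ZoneId from a Zone.Identifier stream ('[ZoneTransfer]\\r\\nZoneId=3\\r\\n...'), else None."""
    if not ads_text:
        return None
    m = re.search(r"^ZoneId=(\d+)\s*$", ads_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 6 for base64 text, about 4 for English, 8 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def make_event(path: str, content: bytes, zone_ads: Optional[str] = None) -> dict:
    """Build a file-creation event enriched the way an EDR sensor would enrich it."""
    return {
        "event": {"type": "creation"},
        "file": {
            "path": path,
            "extension": path.rsplit(".", 1)[-1].lower(),
            "size": len(content),
            "Ext": {"entropy": shannon_entropy(content),
                    "windows": {"zone_identifier": parse_zone_identifier(zone_ads)}},
        },
    }


def is_downloaded_shortcut(event: dict) -> bool:
    """Downloaded .url/.lnk: shortcut extension carrying a MotW zone above Intranet."""
    f = event["file"]
    zone = f["Ext"]["windows"]["zone_identifier"]
    return (event["event"]["type"] == "creation" and f["extension"] in SHORTCUT_EXTS
            and zone is not None and zone > ZONE_INTRANET)


def is_suspicious_html(event: dict) -> bool:
    """HTML in a download/temp dir that is large and high-entropy, or very large."""
    f = event["file"]
    if event["event"]["type"] != "creation" or f["extension"] not in {"htm", "html"}:
        return False
    if not DOWNLOAD_DIRS.search(f["path"]):
        return False
    return (f["size"] >= 150_000 and f["Ext"]["entropy"] >= 5) or f["size"] >= 1_000_000


RULES = {"downloaded_shortcut": is_downloaded_shortcut, "suspicious_html": is_suspicious_html}


def run_detections(events: List[dict]) -> List[Tuple[str, str]]:
    """(rule name, file path) for every event that matches a rule."""
    return [(name, e["file"]["path"]) for e in events for name, rule in RULES.items() if rule(e)]


def sample_events() -> List[dict]:
    """Constructed events: two Internet-zone shortcuts, a local and an intranet
    shortcut, a smuggled HTML (base64 blob inside a script) and a large but
    low-entropy benign HTML of similar size."""
    internet_ads = "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://mail.example.invalid/\r\n"
    intranet_ads = "[ZoneTransfer]\r\nZoneId=1\r\n"
    blob = base64.b64encode(random.Random(0).randbytes(200_000)).decode()
    smuggled = ("<html><script>var b='" + blob + "';</script></html>").encode()
    benign = ("<html><body>" + "<p>quarterly figures attached</p>" * 8_000 + "</body></html>").encode()
    return [
        make_event(r"C:\Users\alice\Downloads\Invoice.url", b"[InternetShortcut]\r\nURL=file://share.example.invalid/x\r\n", internet_ads),
        make_event(r"C:\Users\alice\AppData\Local\Temp\Report.lnk", b"L\x00\x00\x00", internet_ads),
        make_event(r"C:\Users\alice\Desktop\Printer.lnk", b"L\x00\x00\x00"),
        make_event(r"C:\Users\alice\Downloads\Policy.lnk", b"L\x00\x00\x00", intranet_ads),
        make_event(r"C:\Users\alice\Downloads\Case_Log.html", smuggled, internet_ads),
        make_event(r"C:\Users\alice\Downloads\Newsletter.html", benign, internet_ads),
    ]


if __name__ == "__main__":
    for rule, path in run_detections(sample_events()):
        print(f"{rule:20s} {path}")
```

The two HTML samples are deliberately the same order of size: only the base64 payload pushes entropy past the 5-bit threshold, which is why the brief's rule pairs size with entropy instead of alerting on size alone. The intranet-zone shortcut is the usual false-positive source when the zone check is written as "zone is set" rather than "zone above Intranet".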