Phishing — CraftedSignal Threat Feed

Multi-Stage 'Code of Conduct' Phishing Campaign Leads to AiTM Token Compromise

hello@craftedsignal.io — Mon, 04 May 2026 15:00:00 +0000

Between April 14 and 16, 2026, Microsoft Defender Research observed a sophisticated, large-scale phishing campaign targeting over 35,000 users across more than 13,000 organizations in 26 countries, predominantly in the United States (92%). The campaign, which did not focus on a single vertical, impacted a range of industries, with Healthcare & life sciences (19%), Financial services (18%), Professional services (11%), and Technology & software (11%) being the most affected. Attackers employed code of conduct-themed lures delivered via emails that appeared as internal compliance or regulatory communications. The campaign utilized a multi-step attack chain, including CAPTCHA challenges and intermediate staging pages, to reinforce legitimacy and filter out automated defenses, ultimately leading to an adversary-in-the-middle (AiTM) phishing flow.

Attack Chain

The attack begins with phishing emails posing as internal compliance communications, using subjects like “Internal case log issued under conduct policy”.
The emails contain a PDF attachment (e.g., “Awareness Case Log File – Tuesday 14th, April 2026.pdf”) that claims a “code of conduct review” has been initiated.
Recipients are instructed to click a “Review Case Materials” link within the PDF.
Clicking the link redirects the user to one of the attacker-controlled domains (e.g., acceptable-use-policy-calendly[.]de).
The landing page displays a Cloudflare CAPTCHA to validate the user and impede automated analysis.
After CAPTCHA completion, the user is redirected to an intermediate site that informs them the requested documentation is encrypted and requires account authentication.
The user is presented with a legitimate-looking sign-in experience, part of an AiTM phishing flow.
The attackers proxy the authentication session in real time and capture authentication tokens, granting immediate account access.

Impact

This campaign resulted in the compromise of authentication tokens, enabling attackers to gain unauthorized access to user accounts and bypass multifactor authentication. With more than 35,000 users targeted across over 13,000 organizations, the potential for widespread data breaches, financial fraud, and further malicious activities is significant. The targeting of sectors like Healthcare and Financial Services indicates a focus on high-value targets with sensitive data.

Recommendation

Educate users about phishing lures, especially those using social engineering tactics and enterprise-style HTML templates.
Deploy the Sigma rule “Detect Suspicious PDF Opening via Uncommon Applications” to identify unusual PDF execution paths, based on the ‘file_event’ log source.
Configure email security settings in Microsoft Defender for Office 365 to filter out phishing emails effectively.
Enable network protection to leverage SmartScreen as a host-based web proxy.
Block access to the attacker-controlled domains, such as acceptable-use-policy-calendly[.]de, at the DNS resolver level.

Remote Desktop File Opened from Suspicious Path

hello@craftedsignal.io — Mon, 04 May 2026 14:17:05 +0000

Attackers are increasingly using malicious Remote Desktop Protocol (RDP) files to gain initial access to systems. These RDP files, often delivered via spearphishing attachments, contain connection settings that, when opened, can compromise a system. This technique allows adversaries to bypass traditional security measures by leveraging a legitimate tool (mstsc.exe) with a malicious configuration file. The observed activity involves opening RDP files from suspicious locations like Downloads, temporary folders (AppData\Local\Temp), and Outlook content cache (INetCache\Content.Outlook). This campaign has been observed as recently as October 2024, where Midnight Blizzard conducted large-scale spear-phishing using RDP files. Defenders should monitor for the execution of mstsc.exe with RDP files from untrusted locations.

Attack Chain

The attacker crafts a spearphishing email containing a malicious RDP file as an attachment.
The victim receives the email and, lured by social engineering, downloads the attached RDP file to a local directory, often the Downloads folder.
The victim double-clicks the RDP file, initiating the execution of mstsc.exe.
mstsc.exe reads the connection settings from the RDP file, which may include malicious configurations such as altered gateway settings or credential theft mechanisms.
mstsc.exe attempts to establish a remote desktop connection based on the RDP file’s settings.
If the connection is successful, the attacker gains unauthorized access to the remote system.
The attacker may then perform reconnaissance, move laterally, and escalate privileges within the compromised network.
The final objective could be data exfiltration, ransomware deployment, or establishing persistent access.

Impact

A successful attack using malicious RDP files can lead to unauthorized access to sensitive systems and data. The consequences range from data breaches and financial loss to complete system compromise and disruption of operations. The Microsoft Security blog reported a large-scale spear-phishing campaign utilizing RDP files as recently as October 2024. The targets may be across various sectors, with potentially widespread impact depending on the attacker’s objectives and the scope of the compromised network.

Recommendation

Deploy the Sigma rule Remote Desktop File Opened from Suspicious Path to your SIEM and tune for your environment, focusing on the specified file paths and mstsc.exe execution.
Enable process creation logging with command-line arguments to capture the execution of mstsc.exe and the paths of the RDP files being opened.
Educate users on the risks associated with opening RDP files from untrusted sources, particularly those received as email attachments.
Implement strict email filtering to block or quarantine emails with RDP attachments from external sources.
Monitor network connections for unusual RDP traffic originating from systems where suspicious RDP files were executed.

Q1 2026 Email Threat Landscape: Rise in Phishing Techniques and Tycoon2FA Disruption

hello@craftedsignal.io — Thu, 30 Apr 2026 15:00:00 +0000

In the first quarter of 2026, Microsoft Threat Intelligence observed a significant rise in email-based phishing threats, totaling approximately 8.3 billion. This increase was driven by surges in QR code phishing (more than doubling over the period), CAPTCHA-gated phishing, and credential phishing attacks. Microsoft’s Digital Crime Unit successfully disrupted the Tycoon2FA phishing-as-a-service (PhaaS) platform in early March, leading to a 15% reduction in associated email volume. However, threat actors adapted by shifting hosting providers and domain registration patterns. Business email compromise (BEC) also remained a prevalent threat, with approximately 10.7 million attacks recorded during the quarter, often characterized by low-effort, generic outreach messages. Microsoft Defender Research has also noted the emergence of AI-enabled device code phishing campaigns.

Attack Chain

Initial Email Delivery: Attackers send phishing emails impersonating legitimate services or organizations. These emails may contain links, QR codes, or HTML attachments.
Victim Interaction: The victim opens the email and clicks on a malicious link or scans a QR code, redirecting them to a phishing page.
Phishing Page Redirection: The phishing page mimics a legitimate login portal, such as Microsoft 365 or other enterprise applications.
Credential Harvesting: The victim enters their username and password on the phishing page, which are then captured by the attacker.
MFA Bypass (AiTM): For attacks using adversary-in-the-middle (AiTM) techniques (like those facilitated by Tycoon2FA), the attacker intercepts the MFA code and uses it to authenticate.
Account Compromise: With the stolen credentials and MFA code (if applicable), the attacker gains unauthorized access to the victim’s account.
Lateral Movement/Data Theft: The attacker uses the compromised account to access sensitive data, send further phishing emails, or move laterally within the organization.
Business Email Compromise: In BEC attacks, attackers use compromised accounts or spoofed email addresses to send fraudulent invoices or requests for wire transfers.

Impact

The observed email threats in Q1 2026 led to a high risk of credential compromise, financial loss through BEC attacks, and potential data breaches across various sectors. Although the total number of victims is not specified, the billions of phishing attempts indicate a widespread impact. Microsoft’s disruption of Tycoon2FA temporarily reduced phishing volumes by 15%, demonstrating the potential for proactive intervention to mitigate these threats. However, threat actors are quickly adapting their techniques, indicating the need for continued vigilance and enhanced security measures. The 10.7 million BEC attacks alone represent a significant financial threat to businesses.

Recommendation

Deploy the “Detect Tycoon2FA Phishing Attempts” Sigma rule to identify email campaigns associated with the Tycoon2FA platform.
Enable Microsoft Defender detections to improve detection of phishing emails and malicious payloads.
Monitor email traffic for suspicious domain registrations, particularly those using newer generic top-level domains (TLDs) such as .DIGITAL, .BUSINESS, .CONTRACTORS, .CEO, and .COMPANY, and the resurgence of .RU registrations, to identify potential Tycoon2FA infrastructure shifts.
Educate users about the dangers of QR code phishing and CAPTCHA-gated attacks, emphasizing the importance of verifying the legitimacy of login pages and email senders, to reduce the effectiveness of phishing campaigns (T1566).

Large-Scale OAuth Device Code Phishing Campaign Observed in April 2026

hello@craftedsignal.io — Fri, 24 Apr 2026 19:52:35 +0000

In early April 2026, Arctic Wolf observed a widespread phishing campaign that abused the OAuth device code flow. This campaign targeted organizations across multiple regions and sectors, mirroring the “Riding the Rails” campaign observed by Huntress in late March. The attackers exploited the device code grant type in the OAuth 2.0 authorization framework to obtain access tokens. By tricking users into entering a code on a legitimate Microsoft login page, attackers bypassed traditional MFA controls. Defenders should be aware of this evolving technique and implement detection strategies focused on anomalous application registrations and device code flow activity.

Attack Chain

The attacker sends a phishing email to the victim, impersonating a legitimate service.
The email contains a link that redirects the victim to a fake application authorization page.
The fake page prompts the victim to enter a device code.
Unbeknownst to the victim, the device code is associated with a malicious OAuth application controlled by the attacker.
The victim is redirected to a legitimate Microsoft login page, where they enter the provided code and authenticate.
Upon successful authentication, the malicious application receives an access token.
The attacker uses the access token to access the victim’s account and sensitive data.
The attacker may then perform actions such as reading emails, accessing files, or initiating further malicious activity within the compromised account.

Impact

This OAuth device code phishing campaign affected numerous organizations across multiple sectors and regions in early April 2026. Successful attacks grant threat actors unauthorized access to user accounts, potentially leading to data exfiltration, financial fraud, and further compromise of internal systems. Due to the nature of OAuth, attackers can maintain persistent access even after password changes, posing a significant long-term risk.

Recommendation

Monitor Azure AD sign-in logs for device code flow usage to identify suspicious authentications (logsource: azuread, category: authentication).
Implement the Sigma rule provided below to detect suspicious application registrations in Azure AD (logsource: o365, category: configuration).
Educate users on the risks of device code phishing and how to identify malicious authorization requests.
Regularly audit OAuth applications authorized within your environment and revoke access for any suspicious or unused applications.
Investigate any alerts related to anomalous OAuth application activity promptly.

Suspicious RDP File Execution

hello@craftedsignal.io — Mon, 20 Apr 2026 21:38:09 +0000

This detection identifies the execution of mstsc.exe (Remote Desktop Connection) with an RDP file located in suspicious directories on Windows systems. Adversaries may use malicious RDP files delivered via phishing campaigns as an initial access vector. These files, containing connection settings, can be placed in locations such as the Downloads folder, temporary directories, or Outlook’s content cache. The rule focuses on detecting RDP files opened from unusual paths, which can signal unauthorized access or malicious activity. The behavior was observed in conjunction with the Midnight Blizzard campaign in October 2024. This detection helps defenders identify potential RDP-based attacks and investigate suspicious user behavior.

Attack Chain

The attacker crafts a spearphishing email with a malicious RDP file attachment (T1566.001).
The victim receives the email and downloads the RDP file to a common location such as the Downloads folder.
The user executes the downloaded RDP file, initiating the mstsc.exe process (T1204.002).
The mstsc.exe process attempts to establish a remote connection to a malicious server controlled by the attacker.
The attacker may exploit vulnerabilities in the RDP service or use credential harvesting techniques to gain access to the remote system.
Upon successful connection, the attacker performs reconnaissance activities, such as network scanning and user enumeration.
The attacker moves laterally within the network, exploiting additional vulnerabilities or using stolen credentials.
The attacker achieves their objective, such as data exfiltration or deploying ransomware.

Impact

Successful exploitation via malicious RDP files can lead to unauthorized access to internal systems, data breaches, and potential ransomware deployment. While the number of victims and targeted sectors is unspecified, the impact can be significant, especially if the compromised systems have access to sensitive data or critical infrastructure. This can result in financial losses, reputational damage, and operational disruptions.

Recommendation

Enable Sysmon process creation logging to detect the execution of mstsc.exe and capture the command-line arguments used to launch the process.
Deploy the Sigma rule “Remote Desktop File Opened from Suspicious Path” to your SIEM to detect RDP files opened from suspicious locations.
Educate users about the risks of opening RDP files from untrusted sources, especially those received via email.
Implement application control policies to restrict the execution of mstsc.exe from untrusted directories.
Monitor network connections originating from systems where mstsc.exe has been executed to identify suspicious remote connections.

Apple Account Notification Phishing Campaign

hello@craftedsignal.io — Sun, 19 Apr 2026 16:03:01 +0000

A phishing campaign is underway that abuses Apple’s account change notification system. Threat actors are inserting phishing messages into the first and last name fields of Apple ID accounts. By modifying the account’s shipping information, they trigger legitimate Apple security alerts, which then embed the malicious message within the email body. The emails appear to originate from appleid@id.apple.com and pass SPF, DKIM, and DMARC checks, making them more likely to bypass spam filters. This campaign is designed to trick recipients into believing their accounts have been used for fraudulent purchases, scaring them into calling a scammer’s “support” number.

Attack Chain

The attacker creates an Apple ID using a burner email address.
The attacker enters a phishing lure (e.g., “Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel”) split across the first and last name fields in the Apple ID profile, as these fields have character limits.
The attacker modifies the account’s shipping information.
This triggers an Apple account profile change notification email.
Apple sends a legitimate security alert notifying the user of the change, embedding the attacker-controlled first and last name fields within the email body. The email originates from appleid@id.apple.com.
The recipient receives the email, which appears legitimate and contains a phishing message and a callback number (e.g., 18023530761).
The recipient, believing their account has been compromised, calls the provided number.
The scammers attempt to convince the victim that their account has been compromised and may instruct them to install remote access software or provide financial information to “resolve” the issue, leading to financial theft.

Impact

Successful attacks can lead to financial theft, malware deployment, or data theft. Victims who call the provided number are at risk of being coerced into providing sensitive information or installing remote access software, giving the attackers full control over their devices and accounts. The specific number of victims is currently unknown, but the campaign’s use of legitimate Apple infrastructure increases its potential reach and impact.

Recommendation

Deploy the Sigma rule detecting emails originating from Apple infrastructure (appleid@id.apple.com) containing suspicious phone numbers to your SIEM.
Monitor for emails originating from appleid@id.apple.com that contain phone numbers in the email body and consider blocking the identified number 18023530761.
Educate users to treat unexpected account alerts claiming purchases or urging them to call support numbers with extreme caution, especially if they did not initiate any recent changes.
Review email gateway logs for emails originating from appleid@id.apple.com and uatdsasadmin@email.apple.com.

n8n AI Workflow Automation Platform Abused for Malware Delivery and Device Fingerprinting

hello@craftedsignal.io — Wed, 15 Apr 2026 10:03:05 +0000

Cisco Talos has observed a surge in the abuse of agentic AI workflow automation platforms, specifically n8n, in phishing campaigns between October 2025 and March 2026. Attackers are leveraging the trusted infrastructure of n8n to bypass traditional security filters and deliver malware or fingerprint devices. This involves embedding n8n webhook URLs in phishing emails, which redirect victims to malicious content served through the n8n platform. This technique effectively turns a productivity tool into a delivery mechanism for persistent remote access, highlighting the evolving tactics of threat actors exploiting legitimate services. Talos observed a 686% increase in emails containing n8n webhook URLs between January 2025 and March 2026, indicating the growing prevalence of this attack vector.

Attack Chain

The attacker crafts a phishing email containing a malicious link.
The link is an n8n webhook URL pointing to a workflow controlled by the attacker on a subdomain of tti.app.n8n[.]cloud.
The victim receives the email and clicks the embedded n8n webhook URL, believing it to be a legitimate service.
Clicking the link redirects the victim’s browser to the n8n platform, which triggers the pre-configured workflow.
The n8n workflow serves an HTML page containing a CAPTCHA to the victim’s browser.
After the victim completes the CAPTCHA, the webpage presents a download button, concealing the true source of the payload.
Clicking the download button initiates the download of a malicious executable (e.g., “DownloadedOneDriveDocument.exe”) from an external host.
The executable installs a modified version of Datto RMM, establishes a connection to a relay on centrastage[.]net, granting the attacker remote access and control over the compromised system.

Impact

The abuse of n8n for malware delivery and device fingerprinting can lead to significant compromise of targeted systems. Successful exploitation allows attackers to gain remote access via tools like the modified Datto RMM, enabling them to steal sensitive data, deploy ransomware, or conduct further malicious activities within the compromised network. The rise in n8n webhook URL usage in phishing emails, with a 686% increase in volume from January 2025 to March 2026, indicates a potentially widespread impact across various sectors.

Recommendation

Monitor email traffic for URLs containing tti.app.n8n[.]cloud and flag them as suspicious (IOC table).
Implement a detection rule to identify network connections to centrastage[.]net initiated by unusual processes (Sigma rule below).
Inspect process creation events for the execution of “DownloadedOneDriveDocument.exe” or similar filenames downloaded from n8n domains (Sigma rule below).
Block the domains tti.app.n8n[.]cloud and centrastage[.]net at the DNS resolver (IOC table).

SaaS Notification Pipeline Phishing and Medusa Ransomware Exploitation

hello@craftedsignal.io — Thu, 09 Apr 2026 18:00:20 +0000

This threat brief highlights two significant attack vectors observed by Cisco Talos. First, threat actors are exploiting legitimate SaaS notification pipelines (e.g., GitHub, Jira) to deliver phishing and spam, bypassing traditional email security measures by using a “Platform-as-a-Proxy” (PaaP) technique. This abuses the implicit trust placed in system-generated notifications from trusted enterprise tools, primarily targeting credential harvesting. Second, the Storm-1175 group is actively deploying Medusa ransomware, rapidly exploiting n-day vulnerabilities, including CVE-2026-1731, a critical remote code execution flaw in BeyondTrust Remote Support and older versions of BeyondTrust Privileged Remote Access. Defenders must adapt to these evolving tactics, as they bypass standard perimeter defenses and require more nuanced detection strategies.

Attack Chain

Attacker compromises a legitimate SaaS account (e.g., GitHub, Jira) or creates a malicious project.
Attacker configures the SaaS platform to send notifications (e.g., project updates, issue assignments).
The SaaS platform generates an email notification, appearing to originate from a trusted source.
The email bypasses traditional email security checks (SPF, DKIM, DMARC) due to its legitimate source.
The email contains a malicious link or attachment designed to harvest credentials or deliver malware.
The user clicks the link, leading to a phishing page or malware download.
If the user enters credentials, the attacker gains access to their account.
The attacker uses the compromised account for further malicious activities or lateral movement.

Impact

Successful exploitation of SaaS notification pipelines can lead to widespread credential compromise, potentially affecting numerous users within an organization. The “automation fatigue” associated with these notifications increases the likelihood of users falling victim to phishing attacks. Regarding Medusa ransomware, organizations face data encryption, system downtime, and potential financial losses from ransom demands, as Storm-1175 rapidly exploits vulnerabilities like CVE-2026-1731. The impact includes significant disruption to business operations and potential data breaches.

Recommendation

Ingest SaaS API logs into your SIEM to detect anomalous activities, such as suspicious project creation or mass invitations (see Overview).
Implement instance-level verification and cross-reference notifications against internal SaaS directories to detect PaaP attacks (see Overview).
Apply semantic intent analysis to identify notifications that deviate from a platform’s established functional baseline (see Overview).
Patch CVE-2026-1731 on all BeyondTrust Remote Support instances immediately to prevent Medusa ransomware deployment (see Overview).
Deploy the Sigma rule to detect Coinminer malware via SHA256 hash (see Rules).
Monitor network connections for VID001.exe to identify potential Coinminer infections (see IOCs).

SaaS Notification Pipeline Abuse for Phishing and Spam Campaigns

hello@craftedsignal.io — Tue, 07 Apr 2026 10:00:35 +0000

Cisco Talos has observed a surge in malicious activity that abuses notification pipelines within popular collaboration platforms, such as GitHub and Jira, to distribute spam and phishing emails. This technique, known as Platform-as-a-Proxy (PaaP), enables threat actors to bypass conventional email security filters by leveraging the trusted infrastructure of legitimate SaaS providers. Attackers embed malicious content within system-generated notifications, exploiting the implicit trust organizations place in these platforms. This allows them to effectively weaponize legitimate infrastructure and deliver phishing content, often leading to credential harvesting and subsequent attacks. During a campaign on February 17, 2026, approximately 2.89% of emails originating from GitHub were associated with this abuse.

Attack Chain

Repository Creation (GitHub): Attackers create new repositories on GitHub to host their malicious content.
Commit Message Crafting (GitHub): Attackers craft malicious commit messages containing phishing lures within the mandatory summary field and detailed scam content in the optional extended description field.
Commit Push (GitHub): Attackers push the crafted commit to the newly created repository, triggering an automated email notification to collaborators and watchers.
Project Creation (Jira): Attackers create a new Jira Service Management project to configure automated customer invites.
Malicious Data Input (Jira): Attackers inject malicious lures into data fields, such as the “Project Name,” “Welcome Message,” or “Project Description” fields, within the Jira project configuration.
Customer Invite (Jira): The attacker utilizes the “Invite Customers” feature and inputs the victim’s email address.
Automated Notification Generation (GitHub/Jira): The platforms (GitHub/Jira) automatically generate email notifications containing the attacker-supplied malicious content, bypassing standard email security checks due to the trusted source.
Credential Harvesting/Social Engineering: Victims receive the notifications and are tricked into clicking malicious links or providing sensitive information, leading to credential compromise and further exploitation.

Impact

Abusing SaaS notification pipelines can lead to widespread credential compromise and business email compromise (BEC). Successful phishing attacks can grant attackers initial access to corporate networks, enabling data theft, ransomware deployment, and other malicious activities. On February 17, 2026, 2.89% of emails originating from GitHub were associated with this abuse. The trust placed in platforms like GitHub and Jira makes these attacks particularly effective, as users are pre-conditioned to view notifications from these sources as legitimate and urgent.

Recommendation

Implement detection rules to identify suspicious keywords and patterns within commit messages originating from GitHub (see: “GitHub Commit Message Phishing Lure” rule).
Monitor for unusual Jira project names or welcome messages that contain suspicious URLs or language (see: “Jira Service Desk Invite Abuse” rule).
Review email logs for messages originating from noreply[@]github.com that contain invoice-related lures in the subject line, especially spikes in volume (see IOC table).
Implement enhanced email filtering rules to analyze the content of emails originating from SaaS platforms for phishing indicators.
Educate users to carefully inspect emails, even from trusted sources like GitHub and Jira, and to verify the legitimacy of links and requests before clicking or providing information.

Tycoon2FA Phishing-as-a-Service Platform Persists After Takedown

hello@craftedsignal.io — Sun, 29 Mar 2026 08:34:23 +0000

On March 4, 2026, Europol announced a technical disruption of Tycoon2FA, a subscription-based phishing-as-a-service (PhaaS) platform enabling cybercriminals to bypass MFA and compromise email accounts. The takedown involved seizing 330 domains. Despite this disruption, CrowdStrike observed only a short-term decrease in Tycoon2FA campaign activity. The volume of cloud compromises has since returned to pre-disruption levels, and Tycoon2FA’s tactics, techniques, and procedures (TTPs) remain unchanged. This resurgence suggests that the actors behind Tycoon2FA are adaptive and persistent. Tycoon2FA began operations in 2023, and in mid-2025, it was responsible for 62% of all phishing attempts blocked by Microsoft, generating over 30 million malicious emails in a single month. The platform also had a competitor named RaccoonO365, which law enforcement took down in September 2025.

Attack Chain

Victims receive phishing emails designed to mimic legitimate login pages.
Phishing emails direct victims to Tycoon2FA CAPTCHA pages hosted on attacker-controlled domains.
Upon CAPTCHA validation, victims’ session cookies are stolen by the attackers.
A JavaScript (JS) file extracts victims’ email addresses.
Victims are redirected to fake Microsoft 365 or Google login pages hosted on a Tycoon2FA domain.
Victims enter their credentials into the fake login pages, which are then captured by the attackers.
Stolen credentials are proxied to a legitimate Microsoft 365 cloud account via an obfuscated JS file.
Attackers authenticate to the victim’s cloud environment using the stolen cookies and credentials, gaining unauthorized access.

Impact

Tycoon2FA was responsible for 62% of all phishing attempts blocked by Microsoft in mid-2025, generating over 30 million malicious emails in a single month. Successful attacks lead to unauthorized access to victims’ cloud environments, potentially resulting in data theft, business email compromise (BEC), and further malicious activities. Despite law enforcement takedowns, the platform’s rapid resurgence demonstrates the resilience of PhaaS operations and their potential for significant damage.

Recommendation

Monitor network traffic for connections to known phishing domains or newly registered domains, correlating with user agent strings and HTTP referrer headers common in phishing kits, to detect initial access attempts. Deploy the network_connection Sigma rule to identify suspicious connections.
Implement detections for suspicious JavaScript execution within browser environments attempting to steal session cookies or extract email addresses. Enable webserver and proxy logging to capture these events and deploy the process_creation Sigma rule to identify associated processes.
Monitor authentication logs for successful logins from unusual locations or using suspicious user agents after a user has visited a known phishing site. Analyze user authentication patterns and correlate with other security events to detect compromised accounts.

Tycoon2FA PhaaS Platform Resurgence After Takedown

hello@craftedsignal.io — Sat, 28 Mar 2026 08:28:28 +0000

Tycoon2FA is a subscription-based PhaaS platform that enables cybercriminals to bypass multifactor authentication (MFA) and compromise email accounts using adversary-in-the-middle (AITM) techniques. The platform gained prominence in 2025, reportedly generating over 30 million malicious emails in a single month and accounting for 62% of all phishing attempts blocked by Microsoft at one point. On March 4, 2026, Europol announced a technical disruption of Tycoon2FA, seizing 330 domains forming the platform’s core infrastructure. Despite this takedown, CrowdStrike Falcon Complete observed a short-term decrease in Tycoon2FA activity followed by a return to pre-disruption levels. The persistence of the platform’s original tactics, techniques, and procedures (TTPs) suggests that the actors behind Tycoon2FA remain active and pose a continued threat. Defenders should maintain vigilance.

Attack Chain

Victims receive phishing emails designed to appear legitimate.
These emails direct victims to Tycoon2FA CAPTCHA pages hosted on attacker-controlled domains.
Upon CAPTCHA validation, a JavaScript (JS) file extracts the victim’s email address.
The victim is then redirected to a fake Microsoft 365 or Google login page hosted on a Tycoon2FA domain.
Victims enter their credentials, which are proxied to a legitimate Microsoft 365 cloud account via an obfuscated JS file.
The attacker steals the victim’s session cookies and credentials.
The attacker authenticates to the victim’s cloud environment using the stolen cookies and credentials.
The attacker gains access to the victim’s email and other cloud-based resources, potentially leading to data exfiltration or further malicious activity.

Impact

Tycoon2FA’s operations began in 2023, and by mid-2025, it was responsible for 62% of all phishing attempts blocked by Microsoft, generating over 30 million malicious emails in a single month. A successful attack can lead to unauthorized access to sensitive data, business email compromise, financial loss, and reputational damage. The resurgence of Tycoon2FA following the takedown indicates the platform remains a significant threat, highlighting the need for robust defenses against phishing and credential theft.

Recommendation

Monitor email traffic for unusual patterns and sender addresses to detect phishing attempts associated with Tycoon2FA (IOC: phishing emails).
Implement and tune web filtering rules to block access to known Tycoon2FA domains and newly registered domains that may be used for phishing campaigns (IOC: Tycoon2FA domain).
Deploy the Sigma rule to detect JavaScript files that attempt to extract email addresses from web pages, a technique used by Tycoon2FA to target victims.
Review and reinforce MFA policies and educate users about the risks of phishing and credential theft.

Tycoon2FA Phishing-as-a-Service Resurgence After Takedown

hello@craftedsignal.io — Sat, 28 Mar 2026 08:20:54 +0000

On March 4, 2026, Europol announced a technical disruption of the Tycoon2FA Phishing-as-a-Service (PhaaS) platform, which enabled cybercriminals to bypass multifactor authentication (MFA) and compromise email accounts. The takedown involved seizing 330 domains that formed the platform’s core infrastructure. However, following the takedown, CrowdStrike observed only a short-term decrease in Tycoon2FA campaign activity. The volume of cloud compromises has since returned to pre-disruption levels, and the platform continues to employ previously observed TTPs. Tycoon2FA, active since 2023, was responsible for a significant portion of phishing attempts, purportedly generating over 30 million malicious emails in a single month in mid-2025. The platform primarily targets Microsoft 365 and Google accounts using adversary-in-the-middle (AITM) techniques.

Attack Chain

Victims receive phishing emails directing them to Tycoon2FA CAPTCHA pages.
Upon CAPTCHA validation, victims’ session cookies are stolen.
A JavaScript (JS) file is used to extract victims’ email addresses.
Victims are redirected to fake Microsoft 365 or Google login pages hosted on a Tycoon2FA domain.
Victims enter their credentials into the fake login pages, which are then proxied to a legitimate Microsoft 365 cloud account via an obfuscated JS file.
The threat actor authenticates to the victim’s cloud environment using the stolen cookies and credentials.
Once authenticated, the attacker gains access to the victim’s email and other cloud resources.
The attacker can then perform actions such as data exfiltration, sending phishing emails to other targets, or further compromising the organization’s environment.

Impact

The resurgence of Tycoon2FA demonstrates the resilience of PhaaS platforms and their operators. The platform was responsible for a large percentage of phishing attacks in 2025, including 62% of all phishing attempts blocked by Microsoft in mid-2025, and generating over 30 million malicious emails in a single month. Successful attacks can lead to unauthorized access to sensitive data, financial losses, and reputational damage. The observed return to pre-disruption activity levels indicates a sustained threat to organizations relying on MFA for account security.

Recommendation

Deploy the “Tycoon2FA Phishing Redirection” Sigma rule to detect potential phishing attempts redirecting to Tycoon2FA infrastructure.
Monitor email traffic for patterns indicative of phishing campaigns, focusing on emails directing users to external login pages, as described in the Attack Chain.
Implement strict session management policies and regularly review user authentication logs for suspicious activity following successful authentication as described in the attack chain, step 7.
Block known Tycoon2FA domains at the DNS resolver, as referenced in the IOC section.
Educate users about the tactics used by Tycoon2FA, specifically the use of CAPTCHA pages to steal session cookies, as described in the Attack Chain, step 2.

OpenBao OIDC Direct Callback Authentication Bypass Vulnerability

hello@craftedsignal.io — Thu, 26 Mar 2026 18:33:37 +0000

OpenBao, a secrets management tool, is vulnerable to an authentication bypass in versions prior to 2.5.2. This vulnerability stems from the lack of user confirmation when logging in via JWT/OIDC with a role configured with callback_mode set to direct. The vulnerability allows an attacker to initiate an authentication request and trick a victim into visiting a URL, which automatically logs them into the attacker’s session. This constitutes a “remote phishing” attack because the attacker never directly interacts with the victim’s credentials. The direct callback mode interacts directly with the OpenBao API, enabling the attacker to poll for a token after the victim has been authenticated and a token has been issued. The vulnerability is tracked as CVE-2026-33757.

Attack Chain

The attacker configures an OpenBao role with callback_mode=direct.
The attacker initiates an OIDC authentication request, generating a unique URL.
The attacker sends the generated URL to the victim via phishing or other social engineering methods.
The victim clicks the link and authenticates through the OIDC provider. OpenBao automatically associates this authentication with the attacker’s session due to the direct callback.
OpenBao’s API receives a direct callback, skipping user confirmation.
OpenBao issues a token associated with the attacker’s session, effectively authenticating the attacker as the victim.
The attacker continuously polls the OpenBao API for the issued token.
The attacker retrieves the token and gains unauthorized access to secrets and resources managed by OpenBao, impersonating the victim.

Impact

Successful exploitation of this vulnerability allows an attacker to impersonate a legitimate user within OpenBao. This can lead to unauthorized access to sensitive data, including secrets, credentials, and other protected resources. The impact is critical as it allows complete bypass of intended authentication mechanisms, potentially affecting all users and systems managed by the vulnerable OpenBao instance. This can lead to data breaches, service disruption, and privilege escalation.

Recommendation

Upgrade OpenBao to version 2.5.2 or later to apply the patch that introduces a confirmation screen for direct type logins.
As a workaround, remove any OpenBao roles configured with callback_mode=direct.
Enforce confirmation for every session on the token issuer side for the Client ID used by OpenBao, mitigating the risk even if roles with callback_mode=direct exist.
Monitor web server logs for unusual patterns of requests to the OpenBao OIDC callback endpoint after authentication, using the “Detect OpenBao Direct Callback Abuse” Sigma rule to identify potential exploitation attempts.
Deploy the “Detect OpenBao Direct Callback Configuration” Sigma rule to identify roles configured with the vulnerable callback_mode=direct setting.

Palo Alto Networks Recruiting Impersonation Phishing Campaign

hello@craftedsignal.io — Wed, 25 Mar 2026 12:00:00 +0000

Since August 2025, a series of phishing campaigns have impersonated Palo Alto Networks talent acquisition staff, targeting senior-level professionals. The attackers leverage scraped LinkedIn data to craft personalized lures, enhancing the credibility of their outreach. This campaign involves social engineering to manufacture a bureaucratic barrier related to the candidate’s resume. The attackers falsely claim that the candidate’s resume failed to meet the applicant tracking system (ATS) requirements. They then offer to assist the candidate in acquiring a position for a fee, typically ranging from $400 to $800 for services like “executive ATS alignment” or “end-to-end executive rewrite.” The goal is to exploit the candidate’s professional ambitions by creating a sense of financial urgency and directing them to a third-party “expert” for paid services.

Attack Chain

Initial Outreach: Attackers send personalized emails posing as Palo Alto Networks talent acquisition staff, using flattering language and details from the victim’s LinkedIn profile.
Establish Rapport: The emails use legitimate company logos and signatures to appear authentic and build trust with the targeted professional.
Manufactured Crisis: Attackers claim the candidate’s resume failed to meet ATS requirements, creating a bureaucratic barrier.
Offer of Assistance: The “recruiter” offers “executive ATS alignment” services for a fee, suggesting an urgent need to update the resume.
Hand-off to “Expert”: The candidate is directed to a purported expert who provides structured service offers with specific price points (e.g., $400, $600, $800).
Time Pressure: The “recruiter” implies that the “review panel” has already begun, urging the candidate to update their CV within a limited timeframe.
Payment Solicitation: The “expert” offers to deliver the CV within hours, fitting the ostensible review window, but only after payment.
Financial Exploitation: Victims who comply with the demands pay for services that are never delivered, resulting in financial loss and potential identity theft.

Impact

This phishing campaign targets senior-level professionals, aiming to defraud them of hundreds of dollars through fabricated resume services. Multiple incidents have been reported, indicating a widespread effort to exploit individuals seeking job opportunities. If successful, victims lose money and may expose personal information, potentially leading to further identity theft or fraudulent activities. The campaign undermines trust in legitimate recruiting processes and damages the reputation of Palo Alto Networks.

Recommendation

Implement email filtering rules to flag messages from the IOC email addresses (paloaltonetworks@gmail[.]com, recruiter.paloalnetworks@gmail[.]com, phillipwalters006@gmail[.]com, posunrayi994@gmail[.]com).
Monitor network traffic and DNS queries for connections to domains resembling “paloaltonetworks” but with slight variations, as mentioned in the overview, and implement blocking where appropriate.
Educate employees and potential job candidates about this phishing scheme, emphasizing the importance of verifying recruiter identities and avoiding payment requests during the hiring process.
Deploy a Sigma rule to detect emails originating from free email providers (e.g. gmail.com) that claim to be from a specific organization based on email content and sender information (see rule below).

Device Code Phishing Campaign Targeting Cloud Platforms

hello@craftedsignal.io — Wed, 25 Mar 2026 12:00:00 +0000

An active phishing campaign is leveraging Microsoft’s Device Code OAuth flow to target users of cloud-based file storage and document workflow platforms. Unlike traditional phishing attacks that aim to steal usernames and passwords directly, this campaign exploits a legitimate authentication mechanism to gain unauthorized access. The campaign impersonates popular cloud services, enticing users to enter a provided device code on a Microsoft login page. By doing so, victims inadvertently grant the attacker access to their accounts on the targeted platforms. This campaign highlights the evolving tactics of phishing actors and the need for robust detection mechanisms beyond simple credential harvesting alerts. The scope and scale of the campaign are currently unknown.

Attack Chain

The attacker sends a phishing email impersonating a cloud-based file storage or document workflow service.
The email contains a message prompting the user to “activate” or “authenticate” their account.
The email includes a device code and instructs the user to visit a Microsoft login page (e.g., microsoft.com/devicelogin).
The user, believing the request is legitimate, enters the provided device code on the Microsoft login page.
The Microsoft login page prompts the user to grant permissions to an application controlled by the attacker.
If the user approves the permissions, the attacker gains OAuth tokens that allow access to the user’s account on the targeted cloud platform.
The attacker can then access, modify, or exfiltrate data stored on the compromised account.
The attacker may use the compromised account to further propagate the phishing campaign to other users within the organization.

Impact

Successful attacks can lead to unauthorized access to sensitive data stored in cloud-based file storage and document workflow platforms. This can result in data breaches, financial loss, and reputational damage for affected organizations. The use of a legitimate Microsoft authentication flow makes this campaign difficult to detect with traditional phishing detection methods. The lack of credential harvesting may also bypass security controls focused on monitoring password theft. The specific number of victims and sectors targeted remains unknown, but the potential impact is significant given the widespread use of cloud services.

Recommendation

Implement user awareness training to educate employees about device code phishing and the risks of entering unknown codes on login pages.
Monitor Microsoft Entra ID (Azure AD) logs for unusual device code authentication patterns, focusing on applications requesting broad permissions (reference: Attack Chain steps 5 and 6). Deploy the “Detect Suspicious Device Code Authentication” Sigma rule to identify anomalous activity.
Implement Conditional Access policies in Microsoft Entra ID to restrict device code authentication to trusted devices and locations.
Investigate any successful device code authentications where the application requesting permissions is not recognized or approved by the organization.

M-Trends 2026: Evolving Threat Landscape

hello@craftedsignal.io — Wed, 25 Mar 2026 10:45:30 +0000

The Mandiant M-Trends 2026 report analyzes over 500,000 hours of incident investigations, revealing significant shifts in the cyber threat landscape. Cybercriminal groups are optimizing for immediate impact and recovery denial, while cyber espionage groups and insider threats prioritize extreme persistence, leveraging unmonitored edge devices and native network functionalities to evade detection. Voice phishing has surged, replacing email as a primary initial access vector, particularly targeting SaaS environments. The time between initial access and the hand-off to secondary actors deploying ransomware has collapsed dramatically. Targeted industries include the high-tech sector (17%) and the financial sector (14.6%). Ransomware groups are now actively targeting backup infrastructure, identity services, and virtualization management planes to ensure recovery is impossible without paying a ransom. Espionage groups are exploiting zero-day vulnerabilities in edge devices for long-term persistence.

Attack Chain

Initial Access: Attackers use voice phishing (vishing) to target IT help desks, bypassing MFA and gaining initial access to SaaS environments. Malicious advertisements or the ClickFix social engineering technique are also used to gain a foothold.
Privilege Escalation: Exploitation of misconfigured Active Directory Certificate Services templates to create admin accounts that bypass password rotation.
Credential Access: Harvesting long-lived OAuth tokens and session cookies to bypass standard defenses. Stealing hard-coded keys and personal access tokens from compromised third-party SaaS vendors. Leveraging native packet-capturing functionality on network appliances to intercept sensitive data and plaintext credentials.
Lateral Movement: Using stolen credentials and tokens to pivot into downstream customer environments. Exploiting the “Tier-0” nature of hypervisors to bypass guest-level defenses.
Defense Evasion: Deploying custom, in-memory malware like BRICKSTORM directly onto network appliances to establish deep persistence that survives standard remediation efforts. Targeting edge and core network devices lacking EDR telemetry.
Impact: Encrypting hypervisor datastores to render all associated virtual machines inoperable simultaneously. Deleting backup objects from cloud storage.
Exfiltration: Large-scale data theft from SaaS environments.

Impact

M-Trends 2026 highlights that ransomware groups are actively destroying the ability to recover data, impacting organizations across more than 16 industry verticals. The high-tech and financial sectors are particularly targeted. The collapse of the hand-off window from hours to seconds means organizations have less time to respond to initial intrusions before ransomware is deployed. The increasing dwell time of threats like BRICKSTORM, reaching nearly 400 days, leaves organizations blind to the full scope of the intrusion due to standard log retention policies.

Recommendation

Deploy the Sigma rule for detecting PowerShell commands from uncommon locations to identify potential malicious activity related to post-compromise actions (reference: Sigma rule “Detect PowerShell from Uncommon Location”).
Implement network monitoring on edge devices and VPNs to detect unauthorized packet capturing and credential interception attempts (reference: overview section about edge devices).
Review and harden Active Directory Certificate Services configurations to prevent the exploitation of misconfigured templates (reference: attack chain step 2).
Monitor for modifications to cloud storage backup objects, especially deletion attempts, to detect ransomware groups attempting to destroy recovery capabilities (reference: attack chain step 6).
Increase log retention policies beyond 90 days to improve visibility into long-term persistent threats like BRICKSTORM (reference: Overview section).

Crunchyroll Data Breach via Telus Supply Chain Compromise

hello@craftedsignal.io — Tue, 24 Mar 2026 12:00:00 +0000

On March 23, 2026, a data breach was reported at Crunchyroll, stemming from a compromise of their outsourcing partner, Telus, in India. The attackers successfully gained access to Crunchyroll’s environment after a Telus employee was targeted with a spoofed phishing email. This email delivered malware that stole the employee’s Okta credentials, granting the attacker a foothold into Crunchyroll’s systems. The breach resulted in the exfiltration of approximately 100 GB of sensitive customer analytics and ticketing data. The threat actor had unauthorized access for a duration of 24 hours before the compromised credentials were revoked. This incident highlights the risks associated with supply chain vulnerabilities and the importance of robust security measures across all partner organizations.

Attack Chain

Initial Access: A Telus employee received a spoofed phishing email containing malware. (T1566)
Malware Deployment: The employee interacted with the phishing email, leading to the deployment of an infostealer on their machine.
Credential Theft: The malware captured the employee’s Okta credentials. (TA0006)
Authentication: The attacker used the stolen Okta credentials to authenticate into Crunchyroll’s environment.
Data Access: Upon successful authentication, the attacker gained access to customer analytics and ticketing data.
Data Exfiltration: The attacker exfiltrated approximately 100 GB of data, including PII such as email addresses and IP addresses. (TA0010)
Lateral Movement (Likely): While not explicitly stated, the attacker likely performed some level of lateral movement within the Crunchyroll environment to access the data.
Objective Achieved: The attacker successfully exfiltrated sensitive customer data.

Impact

The Crunchyroll data breach resulted in the exfiltration of 100 GB of customer analytics and ticketing data. This included personally identifiable information (PII) such as email addresses and IP addresses. The exposure of this data could lead to identity theft, phishing attacks targeting Crunchyroll customers, and potential financial fraud. The breach also damages Crunchyroll’s reputation and erodes customer trust. The incident underscores the critical need for robust security measures across the entire supply chain to protect sensitive customer data.

Recommendation

Implement and enforce strict email security policies to prevent phishing attacks, focusing on employee training to recognize spoofed emails (T1566).
Deploy endpoint detection and response (EDR) solutions on all employee machines to detect and prevent malware deployment (TA0005).
Monitor Okta authentication logs for suspicious login activity, such as logins from unusual locations or at unusual times (TA0006).
Implement multi-factor authentication (MFA) for all user accounts, especially those with access to sensitive data, to mitigate the impact of credential theft (TA0006).
Conduct regular security audits of all third-party vendors and partners to ensure they meet the required security standards (TA0011).
Deploy the Sigma rule to detect the use of stolen Okta credentials based on anomalous login patterns.

MOTW Bypass via CAB, TAR, and 7-Zip Chaining

hello@craftedsignal.io — Thu, 19 Mar 2026 17:31:15 +0000

A new MOTW bypass technique has emerged that chains a CAB file with two TAR archives nested within a 7-Zip archive. This method effectively strips the Zone.Identifier stream from downloaded files, preventing the display of SmartScreen prompts or security warnings. Many organizations rely on MOTW and SmartScreen as a crucial layer of defense against phishing attacks. This bypass, affecting fully patched environments, allows attackers to execute arbitrary code without the usual security checks, potentially leading to malware infection or data compromise. The technique is not a rehash of older 7-Zip MOTW issues but a novel approach to evade detection based on Zone.Identifier.

Attack Chain

Attacker crafts a malicious payload.
Attacker packages the payload into a TAR archive.
The TAR archive is nested inside another TAR archive.
The nested TAR archives are then compressed into a 7-Zip archive using 7z.exe.
The 7-Zip archive is packaged into a CAB archive using makecab.exe.
The CAB archive is distributed to the victim, potentially via phishing or drive-by download.
The victim opens the CAB archive, extracting the nested 7-Zip, TAR, and payload.
The payload executes without a Zone.Identifier stream, bypassing MOTW and SmartScreen, potentially leading to malware infection or unauthorized access.

Impact

Successful exploitation allows attackers to bypass security controls that rely on MOTW and SmartScreen. This can lead to malware infections, data breaches, or other malicious activities. The bypass affects fully patched environments, increasing the scope of potential victims. The absence of security warnings makes it more likely that users will execute the malicious payload, increasing the success rate of attacks.

Recommendation

Implement detections for unusual process chains involving makecab.exe, 7z.exe, and tar.exe as these tools are used in the bypass (see Sigma rule “Detect Suspicious Archive Chaining”).
Monitor for archive extractions from unusual locations, especially those originating from downloaded CAB files, using file event logging and process monitoring (see Sigma rule “Detect Archive Extraction from Downloaded CAB”).
Analyze network connections from processes spawned from archive extractions, as they may indicate command and control or data exfiltration.
Block the URL https://youtu.be/pQxiPwGTBL8 to prevent users from accessing potentially malicious content related to this bypass.

NetNTLM Hash Phishing via Archive Extraction (CVE-2025-59284)

hello@craftedsignal.io — Wed, 18 Mar 2026 12:00:00 +0000

A vulnerability, tracked as CVE-2025-59284, enables attackers to capture NetNTLM hashes from Windows systems through a specially crafted archive file. This technique exploits how Windows handles file extraction, potentially forcing authentication requests to a malicious server controlled by the attacker. The vulnerability was presented at BsidesLjubljana in March 2026, suggesting recent active research and potential exploitation. The original Reddit post indicates that the Microsoft patch might…

Fileless Multi-Stage Remcos RAT via Phishing

hello@craftedsignal.io — Sun, 15 Mar 2026 15:34:12 +0000

This threat brief discusses a Remcos RAT infection chain that utilizes a fileless, multi-stage approach. While specific details regarding the initial phishing lure, exploitation method, and Remcos RAT version are absent from the original report, the core focus is on the fileless execution and memory residency of the RAT. The attack begins with an unspecified phishing attack and culminates in a Remcos RAT running entirely in memory, hindering traditional disk-based forensic analysis. This type of attack poses a significant challenge to traditional endpoint detection and response (EDR) solutions. The scope and scale of this campaign are unknown, but fileless techniques are generally employed in targeted attacks.

Attack Chain

An unsuspecting user receives a phishing email containing a malicious attachment or link (specific delivery mechanism not specified).
The user interacts with the malicious content, initiating the first stage of the attack.
A script (e.g., PowerShell, VBScript) is executed, likely delivered through the phishing attachment/link.
The script downloads and executes additional payloads directly into memory, avoiding writing files to disk.
The downloaded payload injects Remcos RAT into a legitimate system process (process injection).
Remcos RAT establishes a command and control (C2) connection with the attacker’s server for further instructions.
The attacker can then perform various malicious activities such as data exfiltration, keylogging, or lateral movement.
The Remcos RAT persists in memory, potentially evading detection by signature-based antivirus solutions.

Impact

The successful deployment of Remcos RAT can lead to significant data breaches, intellectual property theft, and financial losses. Victims may experience system instability, unauthorized access to sensitive information, and reputational damage. The fileless nature of the attack makes it harder to detect and remediate, potentially prolonging the dwell time and increasing the overall impact. The number of victims and targeted sectors are not specified in the original source.

Recommendation

Enable PowerShell script block logging and transcription to enhance visibility into potentially malicious script execution (reference attack chain step 3).
Monitor process creation events for suspicious parent-child relationships (e.g., cmd.exe or powershell.exe spawning uncommon processes) to detect injected Remcos processes (reference attack chain step 5).
Deploy the Sigma rules provided below to your SIEM and tune them for your specific environment.
Implement application control policies to restrict the execution of unauthorized or unknown scripts and binaries (reference attack chain step 4).

Phishing Campaign Abusing Google Cloud Storage Redirectors

hello@craftedsignal.io — Sun, 15 Mar 2026 12:00:00 +0000

An ongoing phishing campaign observed in March 2026 abuses Google Cloud Storage (storage.googleapis.com) as a redirector. Attackers are using this service to proxy victims to various scam pages. These scam pages are primarily hosted on domains ending in .autos. The campaign employs various phishing themes, including fake Walmart surveys, Dell giveaways, Netflix rewards, antivirus renewal alerts, storage full warnings, and fake job lures. This tactic allows attackers to obfuscate the final destination of the phishing link, making it harder for victims to identify malicious content before they are redirected to a scam page. Defenders should monitor for unusual redirects originating from Google Cloud Storage to untrusted domains.

Attack Chain

The attacker sends a phishing email to potential victims.
The email contains a link that appears legitimate, hosted on Google Cloud Storage (storage.googleapis.com).
The victim clicks on the link, initiating a request to the specified Google Cloud Storage URL.
Google Cloud Storage, configured by the attacker, redirects the victim to a malicious domain, typically ending in .autos.
The victim’s browser is redirected to the scam page hosted on the .autos domain.
The scam page presents a fake survey, giveaway, reward, alert, or job lure designed to trick the victim.
The victim enters personal information or credentials into the fake form.
The attacker harvests the stolen information for malicious purposes, such as identity theft or financial fraud.

Impact

This phishing campaign can lead to the theft of personal and financial information. Victims who interact with the scam pages may experience financial losses, identity theft, or malware infections. The use of Google Cloud Storage as a redirector makes it harder to detect and block these phishing attacks, potentially impacting a large number of users. Sectors targeted include retail customers (Walmart), technology consumers (Dell, Netflix), and job seekers.

Recommendation

Monitor network traffic for redirects originating from storage.googleapis.com to suspicious domains, particularly those ending in .autos.
Implement the Sigma rule to detect redirects from Google Cloud Storage to .autos domains.
Educate users about phishing tactics and the dangers of clicking on suspicious links.
Consider blocking or sandboxing domains ending in .autos if they are not part of your organization’s trusted ecosystem.

Detection of Downloaded URL Files Used in Phishing Campaigns

hello@craftedsignal.io — Thu, 04 Jan 2024 17:49:12 +0000

Attackers commonly use .url shortcut files in phishing campaigns to deliver malicious payloads. These files, when downloaded from non-local sources, may bypass traditional security measures. This detection rule identifies such files by monitoring their creation events on Windows systems. The rule focuses on files with the .url extension and a zone identifier indicating they originated from outside the local network. These files are often delivered via email or malicious websites, tricking users into clicking them, which can lead to the execution of arbitrary commands or the redirection to malicious websites. This technique allows attackers to gain initial access or execute malicious code on the victim’s machine.

Attack Chain

The attacker crafts a phishing email or a malicious website containing a link to a .url file.
The victim clicks the link, resulting in the download of the .url file to their Windows system.
The .url file is created on the filesystem, triggering a file creation event.
The operating system assigns a Zone Identifier to the file, marking it as originating from an external source.
The victim double-clicks the .url file, which contains a URL pointing to a malicious website or an executable.
The operating system attempts to open the URL using the default web browser or execute the embedded command.
If the URL points to a malicious website, the victim may be prompted to download and execute malware.
The malware executes, potentially leading to system compromise, data theft, or other malicious activities.

Impact

Successful exploitation can lead to the execution of arbitrary commands, redirection to malicious websites, and subsequent malware infection. If successful, attackers can compromise user systems, steal sensitive information, or establish a foothold for further malicious activities within the organization’s network. The impact can range from individual system compromise to broader network breaches, depending on the attacker’s objectives and the extent of the infection.

Recommendation

Deploy the Sigma rule Downloaded URL Files Created to your SIEM to detect the creation of downloaded .url files with a non-local Zone Identifier and tune for your environment.
Investigate any file creation events where file.extension == "url" and file.Ext.windows.zone_identifier == 3 using the provided investigation steps in the advisory.
Update security policies and endpoint protection configurations to block the download and execution of .url files from untrusted sources, as mentioned in the advisory.
Educate users on safe downloading practices and the risks associated with opening .url files from untrusted sources, as highlighted in the advisory’s false positive analysis.

Detection of Downloaded Shortcut Files

hello@craftedsignal.io — Wed, 03 Jan 2024 18:22:32 +0000

This detection identifies suspicious .lnk files created on Windows systems, especially those downloaded from external sources, which may indicate potential phishing attempts. The rule leverages file creation events and zone identifiers to trace the file’s origin. Adversaries exploit shortcut files by embedding malicious commands within them, often distributing these files via phishing campaigns. This can lead to arbitrary code execution upon user interaction. The rule is designed for data generated by Elastic Defend.

Attack Chain

User receives a phishing email containing a malicious .lnk file.
The user downloads the .lnk file to their Windows system.
The Windows OS marks the file with a Zone Identifier indicating it came from an external source.
The user double-clicks the .lnk file, triggering its execution.
The .lnk file executes embedded commands, such as PowerShell or cmd.exe.
The command downloads and executes a malicious payload from a remote server.
The payload establishes persistence on the compromised system.
The attacker gains remote access and control over the infected host.

Impact

A successful attack can lead to the compromise of the user’s system, potentially resulting in data theft, malware installation, or further propagation of the attack within the network. The severity of the impact depends on the privileges of the compromised user account and the attacker’s objectives. The rule aims to detect and prevent such attacks early in the attack chain, reducing the potential damage.

Recommendation

Deploy the Sigma rule “Downloaded Shortcut Files” to your SIEM and tune for your environment.
Enable Elastic Defend to capture the necessary file creation events for the rule to function.
Investigate any alerts generated by the rule, paying close attention to the file path, zone identifier, and associated user account.
Update security policies to restrict the execution of .lnk files from untrusted sources.
Educate users about the risks of opening suspicious attachments, especially .lnk files, to prevent initial access.

Suspicious Execution via Microsoft Office Add-Ins

hello@craftedsignal.io — Wed, 03 Jan 2024 14:00:00 +0000

Attackers are increasingly leveraging malicious Microsoft Office Add-Ins to gain initial access and persistence on victim systems. These add-ins, often delivered through phishing campaigns, contain embedded malicious code. This detection identifies unusual execution patterns, such as Office applications (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSACCESS.EXE, VSTOInstaller.exe) launching add-ins (wll, xll, ppa, ppam, xla, xlam, vsto) from suspicious paths like Temp or Downloads directories, or with atypical parent processes (explorer.exe, OpenWith.exe, cmd.exe, powershell.exe). The detection logic filters out known benign activities to minimize false positives, focusing on anomalies indicative of malicious intent, such as installations of Logitech software. This activity matters because successful exploitation can lead to arbitrary code execution, data theft, and further compromise of the victim’s network.

Attack Chain

A user receives a phishing email containing a malicious Microsoft Office document.
The user opens the document, which prompts them to enable macros or install an add-in.
The malicious add-in (wll, xll, ppa, ppam, xla, xlam, vsto) is downloaded from a remote server or dropped into a suspicious directory, such as %TEMP% or %APPDATA%.
The user executes an Office application (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSACCESS.EXE), which loads the malicious add-in.
The malicious add-in executes arbitrary code, potentially downloading and executing a second-stage payload.
The add-in may establish persistence by modifying registry keys or creating scheduled tasks.
The attacker gains initial access to the system and can perform reconnaissance, lateral movement, and data exfiltration.
The attacker achieves their objective, which could include data theft, ransomware deployment, or intellectual property theft.

Impact

A successful attack can lead to complete system compromise, data theft, and potential ransomware deployment. Organizations across all sectors are at risk, particularly those with a high volume of email traffic. The use of malicious Office Add-Ins provides attackers with a persistent foothold within the victim’s environment, allowing for long-term data collection and disruption of business operations. This can lead to significant financial losses, reputational damage, and legal liabilities.

Recommendation

Deploy the Sigma rule Office Add-In Loaded From Suspicious Path to detect add-ins loaded from temporary or download directories based on process.args and process.name.
Deploy the Sigma rule Office Add-In Loaded By Suspicious Parent to detect add-ins loaded by cmd.exe or powershell.exe based on process.parent.name.
Investigate any instances of VSTOInstaller.exe executing with the /Uninstall argument, as this may indicate suspicious activity, correlating with the exclusion rule in the provided query.
Monitor for Office applications launching add-ins with parent processes of explorer.exe or OpenWith.exe using process creation logs and the provided query logic.
Implement stricter email filtering to prevent phishing emails containing malicious Office documents from reaching end-users.

Suspicious HTML File Creation Leading to Potential Payload Delivery

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection rule identifies a suspicious sequence of events indicative of HTML smuggling, where adversaries embed malicious payloads within seemingly benign HTML files to bypass security filters. The rule focuses on Windows systems and monitors for the creation of HTML files exhibiting characteristics such as high entropy (>=5) and large size (>=150,000 bytes) or very large size (>=1,000,000 bytes) within common download and temporary directories (e.g., Downloads, Content.Outlook, AppData\Local\Temp). Subsequently, it tracks the execution of browser processes (e.g., chrome.exe, firefox.exe, iexplore.exe) opening these HTML files with specific command-line arguments (e.g., –single-argument, -url). The detection aims to uncover initial access attempts, defense evasion, and user execution of malicious files delivered through HTML smuggling techniques.

Attack Chain

A user receives a phishing email containing a malicious HTML attachment.
The user opens the attachment, triggering the download of a large HTML file to the Downloads folder.
The HTML file contains obfuscated JavaScript code that, when executed, reconstructs a malicious payload (e.g., a Cobalt Strike beacon).
The file is saved with an .htm or .html extension in a temporary or download directory.
A browser process (chrome.exe, firefox.exe, etc.) is initiated to open the HTML file, often with specific arguments like “–single-argument” or “-url”.
The browser renders the HTML, executing the embedded JavaScript.
The JavaScript deobfuscates and executes the smuggled payload, initiating a reverse shell connection to a command-and-control server.
The attacker gains initial access to the compromised system and can proceed with lateral movement or data exfiltration.

Impact

Successful exploitation via HTML smuggling can lead to initial access to a targeted system, potentially enabling attackers to perform lateral movement, data exfiltration, or ransomware deployment. While the specific number of victims and targeted sectors are not explicitly stated in the source, the technique is broadly applicable and can affect any Windows user who interacts with malicious HTML attachments or downloads from untrusted sources. The consequences of successful exploitation range from data breaches and financial losses to reputational damage and operational disruption.

Recommendation

Deploy the Sigma rules provided in this brief to your SIEM and tune the file path and browser process filters for your environment.
Enable file integrity monitoring (FIM) on common download and temporary directories to detect the creation of suspicious HTML files as described in the Sigma rules.
Implement network egress filtering to block connections to known malicious command-and-control servers and domains to prevent payload execution.
Educate users about the risks of opening attachments from untrusted sources and train them to recognize phishing emails as outlined in the Overview.
Utilize endpoint detection and response (EDR) solutions to monitor process execution and network connections for anomalous behavior associated with HTML smuggling.

Okta FastPass Phishing Attempt Detection

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This alert identifies instances where Okta FastPass successfully blocked a user authentication attempt due to a detected phishing attack. This is based on Okta system logs that record when FastPass declines an authentication because the user was attempting to log in to a known phishing site. The event indicates that a user was likely targeted via phishing, potentially through email or other means, and entered their Okta credentials into a fraudulent site. While the authentication was blocked, the event warrants investigation to determine the scope of the phishing campaign and whether the user may have entered credentials elsewhere.

Attack Chain

An attacker crafts a phishing email or message mimicking a legitimate Okta login page.
The user receives the phishing message and clicks the embedded link.
The user is directed to a fake Okta login page that is designed to steal credentials.
The user enters their Okta username and password on the phishing site.
The phishing site attempts to authenticate the user to Okta using the stolen credentials.
Okta FastPass detects that the authentication attempt is originating from a known phishing site.
Okta FastPass declines the authentication request, preventing access.
The Okta system logs record the event “user.authentication.auth_via_mfa” with outcome “FAILURE” and reason “FastPass declined phishing attempt”.

Impact

While Okta FastPass successfully prevented the immediate breach, the incident confirms that a user was targeted by a phishing campaign. This could lead to the compromise of other accounts if the user reuses the same password. Furthermore, successful phishing attacks can lead to data breaches, financial loss, and reputational damage. The number of affected users depends on the scale of the phishing campaign.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect Okta FastPass phishing prevention events.
Investigate users who triggered the detection to identify the phishing campaign and assess potential credential compromise.
Review Okta system logs for other suspicious activity associated with the targeted user accounts.
Educate users about phishing tactics and how to identify malicious websites to reduce susceptibility to future attacks.

Microsoft 365 Suspicious Email Delivery

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This threat involves malicious or suspicious emails, as identified by Microsoft Defender for Office 365, being delivered to user mailboxes despite the existing security mechanisms. This can occur due to various factors, including misconfigured security policies, sophisticated attacker techniques that evade detection, or delayed signature updates. The delivery of such emails presents a significant risk, as they may contain spearphishing attachments, malicious links, or other harmful content designed to compromise user accounts or systems. Successful exploitation can lead to data theft, malware infection, and further propagation of the attack within the organization. It’s crucial to investigate these instances promptly to remediate any potential damage and improve email security posture.

Attack Chain

An attacker crafts a spearphishing email designed to bypass standard security filters.
The email is sent to a target user within the Microsoft 365 environment.
Microsoft Defender for Office 365 analyzes the email and identifies it as suspicious but fails to block delivery.
The email is delivered to the user’s Inbox or Junk folder.
The user opens the email and clicks on a malicious link or opens a malicious attachment (e.g., a macro-enabled document).
The link redirects the user to a credential harvesting site, or the attachment executes malicious code (e.g., via PowerShell).
The attacker gains access to the user’s account or system.
The attacker uses the compromised account to further propagate the attack, exfiltrate data, or deploy malware within the organization.

Impact

The impact of this threat can be significant. Successful exploitation can lead to the compromise of user accounts, data theft, malware infection, and financial loss. Organizations may experience business disruption, reputational damage, and legal liabilities. The number of affected users and the extent of the damage will depend on the attacker’s objectives and the organization’s security controls.

Recommendation

Deploy the Sigma rule provided to detect suspicious email delivery events within your Microsoft 365 environment and tune for your specific environment.
Investigate any alerts generated by the Sigma rule to determine the root cause of the bypass and remediate any potential damage.
Review and adjust Microsoft Defender for Office 365 settings to improve detection accuracy and blocking capabilities.
Educate users about the risks of phishing emails and encourage them to report suspicious messages.
Monitor the TIMailData operation within the M365 audit logs for further analysis and threat hunting.

Detection of Office Macro File Creation

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

The creation of Office macro files (.docm, .xlsm, .pptm, etc.) can be an indicator of malicious activity, often linked to initial access attempts such as phishing campaigns or malware distribution. Attackers frequently embed malicious macros within these files to execute arbitrary code on a victim’s machine upon opening the document and enabling macros. While legitimate use cases for macro-enabled documents exist, their creation should be monitored, especially when originating from unusual processes or locations. This activity is related to the technique T1566.001 (Phishing: Spearphishing Attachment). Defenders need to monitor file creation events for specific Office macro extensions, filtering out common false positives to identify potential threats.

Attack Chain

An attacker crafts a malicious Office document (e.g., .docm, .xlsm) containing a VBA macro.
The attacker sends the malicious document as an attachment via email (spearphishing).
The user receives the email and opens the attached Office document.
The user is prompted to enable macros within the document.
If the user enables macros, the embedded VBA code executes.
The VBA code may execute PowerShell or other scripting languages to download a malicious payload.
The downloaded payload is saved to disk (e.g., in the user’s temp directory).
The payload executes, establishing persistence or performing other malicious actions, such as ransomware deployment.

Impact

Successful exploitation can lead to arbitrary code execution, malware installation, data exfiltration, and potentially complete system compromise. The impact can range from individual user infection to widespread organizational damage, depending on the attacker’s objectives and the level of access gained. In a widespread attack, numerous systems could be infected, leading to significant downtime, data loss, and financial repercussions.

Recommendation

Deploy the Sigma rule Office Macro File Creation to your SIEM to detect the creation of suspicious Office macro files (logsource: file_event/windows).
Investigate any alerts generated by the Sigma rule, focusing on the parent processes of the file creation event.
Implement user awareness training to educate employees about the risks of opening unsolicited attachments and enabling macros.
Enable Sysmon file creation logging to capture the necessary events for the Sigma rule to function effectively.

Suspicious MS Outlook Child Process

hello@craftedsignal.io — Tue, 02 Jan 2024 10:00:00 +0000

This detection identifies suspicious child processes of Microsoft Outlook, often associated with spear phishing activity and the execution of malicious attachments. Attackers may leverage malicious documents delivered via email to execute arbitrary code on a victim’s machine. The rule focuses on identifying processes such as cmd.exe, powershell.exe, and other system binaries being spawned by Outlook, suggesting the potential execution of malicious attachments or exploitation for initial access. This activity is designed to bypass traditional security measures and gain an initial foothold within the targeted environment. The rule is designed for data generated by Elastic Defend, but also supports third-party data sources like CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs.

Attack Chain

A user receives a spear phishing email with a malicious attachment (e.g., a Microsoft Office document or PDF).
The user opens the attachment, unknowingly triggering embedded malicious code (e.g., macros or exploits).
The malicious code executes within the context of Microsoft Outlook (outlook.exe).
The malicious code spawns a suspicious child process, such as cmd.exe, powershell.exe, mshta.exe, or wscript.exe.
The spawned process executes commands to download and execute further malicious payloads from external sources.
The downloaded payload establishes persistence on the compromised system.
The attacker gains initial access and begins reconnaissance activities.
The attacker moves laterally within the network, escalating privileges and compromising additional systems.

Impact

A successful attack can lead to initial access, allowing attackers to gain a foothold within the network, escalate privileges, and potentially exfiltrate sensitive data, deploy ransomware, or conduct other malicious activities. While specific victim counts and sectors are unavailable, similar attacks have targeted a wide range of industries.

Recommendation

Deploy the Sigma rule “Suspicious MS Outlook Child Process Spawning Command Interpreter” to your SIEM to detect potential initial access attempts (see rule below).
Enable Sysmon process creation logging (Event ID 1) to provide the necessary data for the Sigma rules.
Block the execution of commonly abused system binaries (e.g., cmd.exe, powershell.exe, wscript.exe) as child processes of Outlook using application control policies where possible.
Implement and enforce strict macro policies in Microsoft Office applications to prevent the execution of malicious code within documents.
Regularly review and update email security policies to prevent spear phishing emails from reaching users.