Profile picture
, 4 tweets, 2 min read
My Authors
Read all threads
New phishing campaign successfully bypasses Microsoft ATP (Office ATP, Defender ATP, and Azure ATP). It also bypasses SmartScreen. Works by sending an .HTM attachment or .ZIP containing .HTM.
IOCs
instantrep.xyz
secured.com.awi-o.online
json.geoiplookup.io
The reason this attack is so effective at reaching inbox:
1. Originates from a compromised mailbox, so it passes SPF, DMARC and DKIM.
2. The .HTM is not malicious, so sandbox detonation is not a problem.
3. There is no remote URL attempted unless the user clicks their username.
I've received the same payload from two different compromised accounts at different companies. The body of the email is the same:
"Remittance advice required."
Firstname Lastname (of compromised user)
CFO
Enable MFA.
Consider blocking .HTM attachments.
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Joe Stocker

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related threads

Profile picture
Google Transparency Project
@GTP_updates
#NEW: Whenever Google is caught doing something dubious, its response is always the same: Blame someone else.

We've pulled together a sampling of Google's blame-shifting and created a parody "Google Doodle." Play the "Google Blame Game" here:
googletransparencyproject.org/articles/play-… 1/4
When journalists or regulators have raised questions about Google's conduct, Google has cast blame at different times to Microsoft, Apple, Rupert Murdoch, Viacom, Oracle, Fox, AT&T, MPAA, NBC Universal, publishers, competitors... 2/4
...comparison shopping sites, “some existing providers,” “a small number of websites”—even “an anti-Google Industrial Complex.”
politico.com/story/2011/02/… 3/4
Read 4 tweets
Profile picture
G. Elliott Morris
@gelliottmorris
#NEW Polling on impeachment from The Economist and YouGov:

- 50% of registered voters support impeaching POTUS. 39% oppose. !! +11 is up from -12 in July. !!
- 36% of Indies and 11% of Reps support impeachment

- 51% of RVs support impeachment AND removal from office, 39% oppose
- 67% of registered voters say that “abuse of power” warrants removal from office
- 68% of RVs say the same about obstruction of justice
- 71% of RVs say that perjury warrants removal
- 59% of registered voters say they believe it is illegal for the president “to threaten withholding foreign aid to a country if that country refuses to take action that benefits the president”
- 69% of RVs say it would be inappropriate for a president to do this
Read 5 tweets
Profile picture
Jake
@JCyberSec_
:: Phishing Admin Panel Hunting Thread ::

In this thread we will find ways to hunt and attribute phishing admin panels.

This is a continuation from my #phishing hunting thread released earlier this year. ()

Please retweet to knowledge share among others.
Firstly we need to understand what an admin panel is in relation to phishing sites. There are many phishing-as-a-service (PaaS) offerings for threat actors to buy allowing them to quickly and easily deploy kits online. They normally consists of a threat actor buying an API key.
In this thread I will show you how to fingerprint some of the major panels, if you feel I have missed any let me know as I would love to keep this thread current and up-to-date on new threats.
Read 22 tweets
Profile picture
Ophir Harpaz
@OphirHarpaz
#Campaign in tweets - @Guardicore Labs in a new tradition; we find the attacks, you get to know them and learn the attackers' tricks and techniques. This time, let's get familiarized with "Lemon_Duck", a #cryptomining campaign involving a sophisticated #propagation tool. 🍋🦆
Before we start: all scripts, binaries and IOCs are available on our github repository. In addition, malicious IPs, attack servers and domains appear on @Guadicore Cyber Threat Intelligence portal. You're welcome to take a look :)
threatintelligence.guardicore.com/?utm_medium=or…
github.com/guardicore/lab…
Lemon_Duck starts by breaching machines over the #MSSQL service or the #SMB protocol. We'll focus on the MS-SQL flow. Once inside the machine, the attacker enables #xp_cmdshell to run shell commands. It will take only a single command line to trigger the rest of the attack.
Read 12 tweets
Profile picture
Jake
@JCyberSec_
:: Phishing Hunting Thread ::

This is a thread about how to hunt and find #Phishing sites.
Retweets would be great to help spread the knowledge and please add your own techniques, ideas and suggestions.

Let's go hunting!
Firstly we need a site to use as a pivot. I have attached a number of sources at the bottom of this thread. For demonstration purposes we will use this site ::

hxxp://www.new.froid-guyader.fr/libraries/sharepointcontract/

This is a #Phishing site against Microsoft Office
Initially let's see if there is a #PhishingKit or #OpenDir on the domain. Enumeration on the domain is important. This is a example of sites to load and see ::

- hxxp://www.new.froid-guyader.fr/libraries/
- hxxp://www.new.froid-guyader.fr/
- hxxp://www.froid-guyader.fr/
Read 16 tweets
Profile picture
ΞLΞVΞNTH
@3L3V3NTH
#New Trump Tower meeting emerges with Donald Trump Jr. and Saudi representative to discuss "Iran policy." huffpost.com/entry/erik-pri…
The meeting also reportedly included now-top White House aide Stephen Miller and Israeli social media expert Joel Zamel.
Who is Joel Zamel, the Australian-Israeli linked to Mueller’s Trump Probe? haaretz.com/israel-news/.p…
Read 8 tweets

Trending hashtags

#Office365 #EUBudget #TrumpB #UserAgent #FisaBringsDownTheHouse #FVEY #OpenDir #SMB #phishing #RDP #PingCastle #digitaladvertising #makeAmericagreatagain #security #FoxNews #Clouds #tngop #debatenight #Mimikatz #Hijalyh #bitcoin #AppleKit #PA #Russia #ReadTheMuellerReport
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!