Share this page!

Microsoft Security Intelligence Profile picture
Twitter logo
2 Feb, 4 tweets, 2 min read
We detected a recent spike in busines email compromise (BEC) attacks soliciting gift cards primarily targeting K-12 schoolteachers. Attackers impersonate colleagues or school officials to ask recipients to purchase various gift cards.
The fraudulent emails are sent from attacker-created accounts on free email service providers, such as Gmail, Mail[.]ru, Yahoo, Hotmail, Outlook, and iCloud. As in many BEC campaigns, attackers identify targets through their publicly available info on websites and social media.
Attackers use various scenarios and lures to feign legitimacy and urgency. Based on intelligence, these attackers have also used COVID-19 lures for similar gift card BEC campaigns.
To protect customers from these threats, Microsoft Defender for Office 365 uses built-in capabilities to automatically detect domain spoofing and user and domain impersonation. These capabilities are backed by security experts who monitor and analyze these evasive threats.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Microsoft Security Intelligence

Microsoft Security Intelligence Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @MsftSecIntel

Microsoft Security Intelligence Profile picture
29 Dec 20
As Solorigate continues to be the top security topic, it’s business as usual for some cybercrime operations. After being seen in short-lived campaigns before Christmas, Emotet is back this week in a new campaign that uses various lures, including, oddly, "Christmas Party".
Emotet is known for its penchant for using holiday-themed emails, but this week’s campaign also uses what’s proven effective for the operators: a wide range of lures in massive volumes of emails, the use of fake replies or forwarded emails, password-protected archive attachments. ImageImageImageImage
The new Emotet campaign still uses documents that contain malicious macro that, when enabled, connects to seven malicious domains to download the Emotet payload. Image
Read 4 tweets
Microsoft Security Intelligence Profile picture
25 Nov 20
In the past weeks, researchers have noted the increased abuse of legitimate cloud hosting services in malware campaigns. Microsoft threat intelligence shows this trend persists, w/ a number of known malware incl. BazarLoader, Zloader, Lightbot, Hancitor, etc. using the technique.
The email campaigns use a wide range of lures, incl. ones that use threats of job dismissal, exposing illegal activity, other fear tactics. The link leads to a malicious document or archive file hosted on a legitimate service. Downloading & opening the file leads to the payload.
A recent campaign uses password-protected .zip files hosted on Google Drive, with the password (curiously incorrect in this sample) in the email. While other services, incl. those from Microsoft, have been abused, the recent spike in the use of Google services is notable.
Read 6 tweets
Microsoft Security Intelligence Profile picture
16 Nov 20
We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defense evasion and social engineering. The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc.
One of the interesting techniques we observed in this campaign is the use of redirector sites with a unique subdomain for each target. The subdomain follows different formats but generally always contains the recipient’s username and org domain name.
This unique subdomain is added to a set of base domains, typically compromised sites. Notably, the phishing URLs have an extra dot after the TLD, followed by the Base64-encoded email address of the recipient.
Read 9 tweets
Microsoft Security Intelligence Profile picture
22 Sep 20
Emotet joined the password-protected attachment bandwagon with a campaign starting Friday. The campaign slowed down over the weekend (typical of Emotet) but was back today in even larger volumes of emails in English, as well as in some European languages.
The Emotet emails carry a password-protected archive file that contains a document with malicious macro, which then downloads the Emotet payload. In contrast, last week’s Trickbot campaign used password-protected documents attached directly to emails.
If the recipient enters the password, which is in the email body, the document tricks users into enabling the malicious macro by claiming the that the file was created on “Windows 10 Mobile” (Friday’s campaign) or “Android device” (today’s campaign).
Read 4 tweets
Microsoft Security Intelligence Profile picture
18 Sep 20
Earlier this week we started seeing a spike in the use of password-protected documents in multiple malware campaigns, including Trickbot. These documents are attached to emails that use varying social engineering lures like the typical "order", "invoice", "documents". Image
We also saw the increasingly less common but still used “new corona case” lure. Some of the emails also indicate more specific targeting, with attackers using the domain of compromised sender accounts as part of the email body for improved believability. ImageImage
When opened, the malicious documents prompt for the password, which is in the email body. If the recipient enters the password, the document opens with instructions to enable editing and enable content, so that a malicious macro can run and download the payload. ImageImage
Read 5 tweets
Microsoft Security Intelligence Profile picture
3 Sep 20
Our comprehensive, active tracking of Dudear operations, attributed to the threat actor CHIMBORAZO (aka TA505), shows that these campaigns relentlessly use multiple layers of detection evasion techniques to try and slip through defenses.
These techniques include the routine use of varying social engineering lures (recent ones include Expense report, fake Citrix ShareFile email, and fake Dropbox notification) and download websites that block traffic from automated analysis, in addition to the CAPTCHA challenge. ImageImageImage
The email campaigns also switch between using HTML attachments that lead to a series of redirector websites before eventually leading to the download website, and using malicious URLs that download the malicious HTML, or both.
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @MsftSecIntel has new unrolls!

Check out other threads from @MsftSecIntel!

Read all threads by @MsftSecIntel