Phishers continue to find success in using compromised accounts on email marketing services to send malicious emails from legitimate IP ranges and domains. They take advantage of configuration settings that ensure delivery of emails even when the email solution detects phishing.
This is the case for the Compact phishing operation, which was disclosed by WMC Global. The campaign was observed using compromised accounts on SendGrid in late 2020. wmcglobal.com/blog/the-compa…
Microsoft Defender for Office 365 data shows that this phishing operation is still active today and continues to expand. In addition to SendGrid, the attackers also used Amazon SES last year. Since January, they have been using Mailgun. We have shared our research with Mailgun.
The attackers abuse another legitimate service to further mask the malicious intent of their phishing emails. To evade domain reputation-based solutions, they use Appspot to create multiple unique phishing URLs per recipient.
We shared our findings with Appspot, who confirmed the malicious nature of the reported URLs and used the shared intelligence to find and suspend additional offending projects on Appspot. We’ll continue working with Appspot as we continue to track this active phishing operation.
This phishing operation is also known for using emails that impersonate notifications from video conferencing services, another way the attackers feign legitimacy. More recent campaigns have also used emails that spoof security solutions and productivity tools.
Microsoft Defender for Office 365 detects this phishing campaign. Because this campaign uses compromised email marketing accounts, we strongly recommend that orgs review mail flow rules for broad exceptions that may be letting phishing emails through. docs.microsoft.com/en-us/exchange…
More from @MsftSecIntel

2 Mar
We're seeing numerous extensive hands-on-keyboard attacks emanating from the Gootkit malware, which is distributed via drive-by downloads as a JavaScript within a ZIP file. The JavaScript is launched via WScript and establishes C2, enabling attackers to take control of devices.
The attacks use blog posts with malicious links pointing to the Gootkit malware. Attackers publish these blog posts on legitimate websites they have compromised. Users are directed to the malicious blog hosts via search engine optimization.
The blogs usually have subjects relating to contracts, canceling services, agreements, and tenancy. These attacks have been observed to primarily target devices in Germany, though multiple other geolocations are targeted as well.
24 Feb
We’re tracking a rampant phishing attack that uses DGA domains, free email services, and even compromised email accounts to send massive numbers of phishing emails. These emails are linked by open redirector URLs that begin with a distinct pattern: hxxps://t[.]domain[.]tld/r/?
The phishing emails pose as notifications from various productivity tools. The use of open redirect is both a detection evasion technique and a way to trick users into clicking the redirector URLs, which show a legitimate domain followed by a redirect to the phishing link.
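The two evasion patterns described in these threads, per-recipient URLs on a shared hosting domain such as appspot.com (main thread above) and open-redirector links of the form hxxps://t[.]domain[.]tld/r/? (this thread), can both be triaged from the URLs extracted out of inbound mail. The following script is an added example, not code from the Microsoft Security Intelligence thread; the URLs are constructed sample input and the redirect query-parameter names are an assumption, not indicators from the thread.

```powershell
# Added example, not code from the Microsoft Security Intelligence thread. Triage of URLs
# extracted from inbound mail for two patterns the threads describe:
#   1. open-redirector links shaped like https://t.<domain>.<tld>/r/?... whose real
#      destination rides in a query parameter, and
#   2. many distinct hostnames under one shared hosting domain (appspot.com), i.e. a
#      unique URL per recipient that defeats domain-reputation lookups.
# All URLs below are constructed sample input; the redirect parameter names are an
# assumption, not indicators from the thread.

$sampleUrls = @(
    'https://t.example-mailer.test/r/?id=123&u=https%3A%2F%2Flogin-verify.example.test%2Fauth'
    'https://t.example-mailer.test/r/?id=456&u=https%3A%2F%2Fprj-a1b2c3.appspot.com%2Fmeet'
    'https://prj-d4e5f6.appspot.com/meet?u=bob%40example.test'
    'https://prj-g7h8i9.appspot.com/meet?u=carol%40example.test'
    'https://www.example.test/newsletter/march'
)
$redirectParams = @('u', 'url', 'redirect', 'target', 'dest')   # assumed names

function Get-QueryParam {
    param([System.Uri]$Uri)
    # Minimal query-string parser so the script has no dependency on System.Web.
    $map = @{}
    foreach ($pair in $Uri.Query.TrimStart('?') -split '&') {
        if (-not $pair) { continue }
        $k, $v = $pair -split '=', 2
        $map[[System.Uri]::UnescapeDataString($k)] = [System.Uri]::UnescapeDataString([string]$v)
    }
    return $map
}

function Get-RedirectTarget {
    param([System.Uri]$Uri)
    # Only the t.<domain>/r/? shape from the thread is matched; other redirector
    # shapes would need their own rule.
    if ($Uri.Host -notmatch '^t\.' -or $Uri.AbsolutePath -ne '/r/') { return $null }
    $q = Get-QueryParam $Uri
    foreach ($p in $redirectParams) {
        if ($q.ContainsKey($p) -and $q[$p] -match '^https?://') { return [System.Uri]$q[$p] }
    }
    return $null
}

function Get-SharedHostReport {
    param([System.Uri[]]$Uris, [string]$SharedDomain = 'appspot.com')
    # Distinct hostnames under the shared domain: one hostname per recipient, rather
    # than one hostname reused across a campaign, is the pattern to flag.
    $hosts = @($Uris | Where-Object { $_.Host -like "*.$SharedDomain" } |
               ForEach-Object { $_.Host.ToLowerInvariant() } | Sort-Object -Unique)
    [pscustomobject]@{ SharedDomain = $SharedDomain; DistinctHosts = $hosts.Count; Hosts = $hosts }
}

$all = [System.Collections.Generic.List[System.Uri]]::new()
foreach ($raw in $sampleUrls) {
    $u = [System.Uri]$raw
    $all.Add($u)
    $target = Get-RedirectTarget $u
    if ($target) {
        Write-Output ("open redirect: {0} -> {1}" -f $u.Host, $target.AbsoluteUri)
        $all.Add($target)   # score the landing host, not just the trusted-looking redirector
    }
}
Get-SharedHostReport -Uris $all.ToArray() | Format-List
```

On the sample input the script reports both redirector links with their decoded destinations and three distinct appspot.com hostnames, one of which was only reachable through a redirect. In practice the count should be computed per campaign (same subject or sender over a time window) so that ordinary App Engine traffic is not flagged.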
Microsoft Defender for Office 365 detects this campaign. We’re sharing this info for the broader community & for customers to review mail flow rules, e.g. those related to IP ranges or domain-level allow lists, to ensure phishing emails don’t slip through docs.microsoft.com/en-us/exchange…
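Both this thread and the main thread above end with the same advice: review mail flow rules and allow lists that exempt a sender IP range or domain from filtering, because a compromised account at an email marketing provider sends from exactly the ranges and domains such exceptions trust. The following audit script is an added example, not code from either thread or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed and the caller holds an Exchange admin role; the cmdlets and properties used (Get-TransportRule, SetSCL, SenderIpRanges, SenderDomainIs, Get-HostedContentFilterPolicy) are standard Exchange Online ones.

```powershell
# Added example, not code from the threads or from Microsoft's docs: list Exchange Online
# mail flow (transport) rules that skip spam filtering, with the sender-based conditions
# that scope them, plus the domain/address allow lists in anti-spam policies.
# Assumes the ExchangeOnlineManagement module and Exchange admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; use -AppId/-CertificateThumbprint for unattended runs

function Get-BroadBypassRule {
    # Enabled rules whose action sets SCL to -1 (bypass spam filtering). For each one,
    # report which sender-based conditions scope it so an analyst can judge how broad it is:
    # a rule keyed only on a provider's shared IP range or domain is satisfied by any
    # tenant of that provider, including a compromised one.
    $rules = Get-TransportRule -ResultSize Unlimited |
        Where-Object { $_.State -eq 'Enabled' -and $_.SetSCL -eq -1 }
    foreach ($r in $rules) {
        $scope = @()
        if ($r.SenderDomainIs)           { $scope += 'SenderDomainIs=' + ($r.SenderDomainIs -join ',') }
        if ($r.SenderIpRanges)           { $scope += 'SenderIpRanges=' + ($r.SenderIpRanges -join ',') }
        if ($r.FromAddressContainsWords) { $scope += 'FromAddressContainsWords=' + ($r.FromAddressContainsWords -join ',') }
        if ($r.HeaderContainsWords)      { $scope += 'HeaderContainsWords=' + ($r.HeaderContainsWords -join ',') }
        [pscustomobject]@{
            Name        = $r.Name
            Priority    = $r.Priority
            Mode        = $r.Mode
            SenderScope = if ($scope) { $scope -join '; ' } else { '(no sender condition)' }
            Exceptions  = if ($r.ExceptIfSenderIpRanges -or $r.ExceptIfSenderDomainIs) { 'sender exceptions present' } else { 'none' }
        }
    }
}

function Get-AntiSpamAllowEntry {
    # Domain- and address-level allow lists configured in anti-spam (content filter) policies.
    # These bypass spam verdicts for the listed senders the same way a SetSCL -1 rule does.
    Get-HostedContentFilterPolicy | ForEach-Object {
        [pscustomobject]@{
            Policy               = $_.Name
            AllowedSenderDomains = ($_.AllowedSenderDomains -join ',')
            AllowedSenders       = ($_.AllowedSenders -join ',')
        }
    }
}

"== Transport rules that bypass spam filtering =="
Get-BroadBypassRule | Sort-Object Priority | Format-Table -AutoSize
"== Anti-spam policy allow lists =="
Get-AntiSpamAllowEntry | Format-Table -AutoSize
```

Entries to scrutinise are those whose SenderScope is a marketing provider's shared sending range or domain, or an empty sender scope combined with a subject or header keyword. Narrowing such a rule to your own DKIM-signed sending subdomain, or removing it and relying on the provider's authenticated mail passing normal filtering, closes the gap the compromised-account pattern relies on.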
8 Feb
Microsoft 365 Defender data shows that the disruption of Emotet infrastructure immediately resulted in the drop in new campaigns. Given Emotet’s reach and role in the deployment of payloads like ransomware, however, customers should ensure continued monitoring and protection.
Just before the takedown, Emotet was very active, launching massive campaigns every week after coming out of a hiatus in late December. The most recent campaigns used the usual document attachments with malicious macros that ran a PowerShell script to download a DLL payload.
The use of a DLL payload (instead of an EXE) is one of the updates Emotet introduced in December. These updates, which also included the use of 7 download URLs (up from 5) and a binary format for C2 communication (replacing text), show Emotet was actively evolving before being disrupted.
2 Feb
We detected a recent spike in business email compromise (BEC) attacks soliciting gift cards, primarily targeting K-12 schoolteachers. Attackers impersonate colleagues or school officials to ask recipients to purchase various gift cards.
The fraudulent emails are sent from attacker-created accounts on free email service providers, such as Gmail, Mail[.]ru, Yahoo, Hotmail, Outlook, and iCloud. As in many BEC campaigns, attackers identify targets through their publicly available info on websites and social media.
Attackers use various scenarios and lures to feign legitimacy and urgency. Based on intelligence, these attackers have also used COVID-19 lures for similar gift card BEC campaigns.
29 Dec 20
As Solorigate continues to be the top security topic, it’s business as usual for some cybercrime operations. After being seen in short-lived campaigns before Christmas, Emotet is back this week in a new campaign that uses various lures, including, oddly, "Christmas Party".
Emotet is known for its penchant for using holiday-themed emails, but this week’s campaign also uses what’s proven effective for the operators: a wide range of lures in massive volumes of emails, the use of fake replies or forwarded emails, and password-protected archive attachments.
The new Emotet campaign still uses documents that contain a malicious macro that, when enabled, connects to seven malicious domains to download the Emotet payload.
25 Nov 20
In the past weeks, researchers have noted the increased abuse of legitimate cloud hosting services in malware campaigns. Microsoft threat intelligence shows this trend persists, with a number of known malware families, including BazarLoader, Zloader, Lightbot, Hancitor, etc., using the technique.
The email campaigns use a wide range of lures, including ones that use threats of job dismissal, exposing illegal activity, and other fear tactics. The link leads to a malicious document or archive file hosted on a legitimate service. Downloading and opening the file leads to the payload.
A recent campaign uses password-protected .zip files hosted on Google Drive, with the password (curiously incorrect in this sample) in the email. While other services, incl. those from Microsoft, have been abused, the recent spike in the use of Google services is notable.