The recent surge of IcedID campaigns indicates that this malware family is likely being used to fill in some of the void left by recent malware infrastructure disruptions. We are tracking multiple active IcedID campaigns of various sizes, delivery methods, and targets.
As we recently published, an IcedID campaign abuses contact forms to deliver malicious links via legitimate emails. The malicious links point to IcedID, which downloads a Cobalt Strike implant that allows attackers to perform hands-on-keyboard activities: microsoft.com/security/blog/…
Another campaign delivers IcedID via malicious Excel 4.0 (XLM) macros in spreadsheets within ZIP files attached to COVID-19 and other health-themed emails. AMSI drives behavior-based detection of malicious XLM macros: microsoft.com/security/blog/…
We’re also seeing a region-specific IcedID campaign that targets users in Italy. The campaign utilizes malicious documents within password-protected ZIP files attached to emails that use the fake reply technique, with training and certification as lure in the Italian language.
In another campaign, attackers use a fake installer masquerading as Zoom from a fake download site. The fake installer (ZoomPortable.exe) installs a patched version of the legitimate Zoom app, which connects to malicious infrastructure to send system info and download IcedID.
These IcedID campaigns show the breadth of attack surface and techniques available to attackers aiming to gain access to systems and deliver payloads. Microsoft 365 Defender uses cross-domain visibility and coordinated defense to provide comprehensive protection against attacks.
Microsoft Defender for Office 365 detects malicious documents, attachments, and URLs on emails. Microsoft Defender for Endpoint detects malware, behaviors, and other malicious artifacts. Microsoft 365 Defender orchestrates sharing of threat data and remediation across services.
More from @MsftSecIntel

22 Mar
Phishers continue to find success in using compromised accounts on email marketing services to send malicious emails from legitimate IP ranges and domains. They take advantage of configuration settings that ensure delivery of emails even when the email solution detects phishing.
This is the case for the Compact phishing operation, which was disclosed by WMC Global. The campaign was observed using compromised accounts on SendGrid in late 2020. wmcglobal.com/blog/the-compa…
Microsoft Defender for Office 365 data shows that this phishing operation is still active today and continues to expand. In addition to SendGrid, the attackers also used Amazon SES last year. Since January, they have been using Mailgun. We have shared our research with Mailgun.
2 Mar
We're seeing numerous extensive hands-on-keyboard attacks emanating from the Gootkit malware, which is distributed via drive-by downloads as a JavaScript file within a ZIP file. The JavaScript is launched via WScript and establishes C2, enabling attackers to take control of devices.
The attacks use blog posts with malicious links pointing to the Gootkit malware. Attackers publish these blog posts on legitimate websites they have compromised. Users are directed to the malicious blog hosts via search engine optimization.
The blogs usually have subjects relating to contracts, canceling services, agreements, and tenancy. These attacks have been observed to primarily target devices in Germany, though multiple other geolocations are targeted as well.
24 Feb
We’re tracking a rampant phishing attack that uses DGA domains, free email services, and even compromised email accounts to send massive numbers of phishing emails. These emails are linked by open redirector URLs that begin with a distinct pattern: hxxps://t[.]domain[.]tld/r/?
The phishing emails pose as notifications from various productivity tools. The use of open redirect is both a detection evasion technique and a way to trick users into clicking the redirector URLs, which show a legitimate domain followed by a redirect to the phishing link.
Microsoft Defender for Office 365 detects this campaign. We’re sharing this info for the broader community & for customers to review mail flow rules, e.g. those related to IP ranges or domain-level allow lists, to ensure phishing emails don’t slip through docs.microsoft.com/en-us/exchange…
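As an added example (not part of the original thread and not Microsoft's code), the following Python check flags URLs that match the open-redirector shape described above (a host beginning with `t.`, a `/r/` path and a query string) and pulls out the destination the redirector forwards to, which is the part a mail-flow or detection rule should be judged on. The page does not name the query parameter that carries the destination, so the code assumes any absolute URL found in a query value is the destination; it also accepts defanged IoC notation (`hxxps`, `[.]`) so analyst notes can be fed in directly. All sample URLs are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Host shape from the thread: t.<domain>.<tld>
REDIRECTOR_HOST = re.compile(r"^t\.[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def refang(url: str) -> str:
    """Turn defanged IoC notation (hxxps, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def classify_url(url: str):
    """Return (is_redirector, destination) for one URL.

    is_redirector is True when the URL matches the t.<domain>.<tld>/r/? shape.
    destination is the first absolute URL found among the query values, or None
    (assumption: the page does not name the parameter that carries the target).
    """
    parsed = urlparse(refang(url))
    if parsed.scheme not in ("http", "https"):
        return False, None
    host = parsed.hostname or ""
    if not REDIRECTOR_HOST.match(host) or not parsed.path.startswith("/r/"):
        return False, None
    # parse_qs percent-decodes values, so an encoded target becomes a plain URL.
    for values in parse_qs(parsed.query).values():
        for value in values:
            if re.match(r"^https?://", value, re.I):
                return True, value
    return True, None


def scan(urls):
    """Return [(redirector_url, destination)] for every URL that matches."""
    hits = []
    for url in urls:
        is_redirector, destination = classify_url(url)
        if is_redirector:
            hits.append((url, destination))
    return hits


# Constructed sample input: two redirector URLs and two that merely look similar.
SAMPLE_URLS = [
    "https://t.example-marketing.com/r/?url=https%3A%2F%2Fphish.example.net%2Flogin",
    "hxxps://t[.]contoso-mail[.]tld/r/?u=hxxps://evil.example/doc",  # defanged form
    "https://www.example.com/r/?x=1",   # host does not start with "t."
    "https://t.example.com/track/abc",  # path is not /r/
]

if __name__ == "__main__":
    for redirector, destination in scan(SAMPLE_URLS):
        print(f"{redirector} -> {destination}")
```

Because the visible hostname is a legitimate sending domain, an allow list keyed on that domain will pass the message; judging the extracted destination instead is what keeps the allow list from becoming a bypass.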
8 Feb
Microsoft 365 Defender data shows that the disruption of Emotet infrastructure immediately resulted in the drop in new campaigns. Given Emotet’s reach and role in the deployment of payloads like ransomware, however, customers should ensure continued monitoring and protection.
Just before the takedown, Emotet was very active, launching massive campaigns every week after coming out of a hiatus in late December. The most recent campaigns used the usual document attachments with malicious macros that ran a PowerShell script to download a DLL payload.
The use of a DLL payload (instead of EXE) is one of the updates Emotet introduced in December. These updates, which also included the use of 7 download URLs (up from 5) and binary format for C2 communication (replacing text), show Emotet was actively evolving before being disrupted.
2 Feb
We detected a recent spike in business email compromise (BEC) attacks soliciting gift cards primarily targeting K-12 schoolteachers. Attackers impersonate colleagues or school officials to ask recipients to purchase various gift cards.
The fraudulent emails are sent from attacker-created accounts on free email service providers, such as Gmail, Mail[.]ru, Yahoo, Hotmail, Outlook, and iCloud. As in many BEC campaigns, attackers identify targets through their publicly available info on websites and social media.
Attackers use various scenarios and lures to feign legitimacy and urgency. Based on intelligence, these attackers have also used COVID-19 lures for similar gift card BEC campaigns.
29 Dec 20
As Solorigate continues to be the top security topic, it’s business as usual for some cybercrime operations. After being seen in short-lived campaigns before Christmas, Emotet is back this week in a new campaign that uses various lures, including, oddly, "Christmas Party".
Emotet is known for its penchant for using holiday-themed emails, but this week’s campaign also uses what’s proven effective for the operators: a wide range of lures in massive volumes of emails, the use of fake replies or forwarded emails, and password-protected archive attachments.
The new Emotet campaign still uses documents that contain a malicious macro that, when enabled, connects to seven malicious domains to download the Emotet payload.