{
	"id": "5f94d690-83f5-4cdb-bc14-18c9fb8cd683",
	"created_at": "2026-04-06T00:06:07.246368Z",
	"updated_at": "2026-04-10T13:12:33.157135Z",
	"deleted_at": null,
	"sha1_hash": "40a24dff8248f89b26da99fb31b3bf9d84cd0f7d",
	"title": "Clipping Scripted Sparrow's wings: Tracking a global phishing ring - Help Net Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48070,
	"plain_text": "Clipping Scripted Sparrow's wings: Tracking a global phishing ring - Help Net Security\r\nBy Help Net Security\r\nPublished: 2025-12-18 · Archived: 2026-04-05 15:14:42 UTC\r\nBetween June 2024 and December 2025, Fortra analysts tracked a persistent business email compromise (BEC) operation that we have now classified as Scripted Sparrow. The group carries out well-crafted, highly targeted phishing campaigns that masquerade as professional services firms to mislead finance teams into transferring money to fraudsters’ accounts.\r\nHowever, unlike conventional BEC actors, Scripted Sparrow uses a structured, consistent, and disciplined approach. Each campaign shows how they have conducted research, used consistent language with a familiar tone, and chosen payment amounts that hover just below approval limits.\r\nThis article outlines the tactics, infrastructure, and behavioral markers associated with this group.\r\nCampaign overview\r\nScripted Sparrow first appeared on the radar in June 2024. A smattering of fake invoices appeared in the inboxes of companies across North America and Europe, with recipients reporting that the messages looked convincingly real, complete with fabricated executive approvals for overdue consulting or coaching fees.\r\nTo add to its credibility, the actors included a chain of prior correspondence: a forged email trail to make it appear that a company executive had authorized the payment and had instructed the collections agent at the coaching company to contact a specific accounts payable staff member at the victim company.\r\nBy early 2025, our telemetry confirmed repeat sightings across a range of industries. We have since catalogued 512 unique variants.\r\nScripted Sparrow’s campaigns typically involve relatively modest volumes. We estimate that the group sends between 10,000 and 50,000 emails a day, distributed in small, targeted batches. While this volume may seem small compared to commodity email threats, it’s actually massive when compared to other targeted attacks.\r\nOperational playbook\r\nRather than a group of opportunists, Scripted Sparrow works as a structured organization, with defined roles across research, domain creation, email development, and financial coordination.\r\nEach campaign follows a recognizable workflow:\r\nReconnaissance and domain setup: The group registers lookalike domains resembling known firms (such as teneo-strategyy.com, vistageglobal.co). These domains are usually registered in clusters within a 24-hour window and use privacy-protected WHOIS data.\r\nhttps://www.helpnetsecurity.com/2025/12/18/tracking-scripted-sparrow-phishing-campaigns/\r\nPage 1 of 4\r\nEmail crafting: The group’s messages reference fictitious companies (such as Catalyst Executive Circle or Vistage Global Consulting) and mimic internal approvals between executives. The forged email threads show consistent sentence patterns and polite, non-urgent phrasing to maintain plausibility.\r\nDelivery and payment request: The attached invoice PDF or W-9 form lists totals just under standard manual approval limits (under USD $50,000). The recipients are instructed to wire funds to an account controlled by the criminals.\r\nCash-out: The group utilizes a large collection of US-based mule accounts for the initial transfer. As of this writing, we have identified 249 unique bank accounts used by Scripted Sparrow. While the group seems to prefer a handful of banks, we’ve seen them use accounts at 42 different financial institutions.\r\nAlthough the group’s technical sophistication is low, its campaigns exhibit internal consistency in formatting, file structure, and language.\r\nInfrastructure and geographic indicators\r\nOur analysis points to a group that’s spread across regions. Many of their emails seem to come from U.S. IP addresses, but this is a red herring.\r\nTo get closer to their true locations, we engaged with the bad actors. When they requested confirmation of payment, they were directed to controlled file-sharing services that captured browser fingerprints and asked for location permissions. This data, combined with timezone settings and connection patterns, helped our analysts identify likely operators in Nigeria, South Africa, Iran, and Turkey. Our team believes the group has members located in the US, UK, and Canada as well, though with lower confidence due to the various countermeasures the group uses to hide their tracks.\r\nDomain clusters often share hosting providers and registration timelines, pointing to coordinated infrastructure management. Also, banking activity overlaps across campaigns, indicating a common laundering network.\r\nEven so, attribution remains tentative. IP addresses and financial trails can be easily masked, so these findings suggest probable regions rather than definitive actor origins.\r\nBehavioral characteristics\r\nScripted Sparrow has mastered how companies communicate. Their emails mimic internal tone, formatting, and rhythm. Messages from “executives” have a formal yet conversational feel, with an urgency subtle enough not to raise suspicion.\r\nCertain linguistic quirks appear again and again: polite sign-offs like “Thank you for your quick attention,” consistent U.S.-style date formatting even in emails aimed at European firms, and tidy HTML layouts, all crafted without obfuscation or tracking pixels, making the messages feel genuine.\r\nThe evolution of activity\r\nSince early 2024, Scripted Sparrow has shown small but noticeable changes in how it operates:\r\nInvoice design updates: Fonts, logos, and branding are tweaked to resemble legitimate firms more closely.\r\nIdentity reuse: Fake personas and company names reappear throughout campaigns, hinting at shared templates or internal style guides.\r\nInfrastructure recycling: Domains often resurface months later with minor variations, reflecting a deliberate rotation instead of random reuse.\r\nImportantly, the group rarely attempts privilege escalation or data theft. Their focus remains clear and consistent: use social engineering to push targets into making real financial transfers.\r\nDetection and attribution\r\nFrom a defense point of view, this campaign’s subtlety muddies detection. There is no malware payload, link shortener, or credential-harvesting form, only a PDF attachment and a convincing story.\r\nOur detection systems flagged anomalies in:\r\nHeader routing paths that are inconsistent with declared sender domains.\r\nDomain registration timestamps that indicate rapid, clustered creation.\r\nTemplates repeated across messages seen in different industries.\r\nBy clustering these signals, Fortra analysts attribute activity to the same operational entity despite the superficial variety of company names.\r\nObserved TTPs\r\nOur findings show a group that relies on psychology, using familiar communication patterns, minimal infrastructure, and consistent routines to stay hidden.\r\nSpearphishing via attachments: Emails arrive with polished PDF invoices that look authentic and contain no malicious code. The goal isn’t infection, but to convince finance teams to approve payments.\r\nReconnaissance: Before each campaign, the group studies its targets, collecting public details about company staff and approval processes to make messages sound authentic.\r\nMasquerading and impersonation: The group mimics executives, consultants, or vendors by using lookalike domains that differ by a single letter or by a different top-level domain.\r\nTemplate reuse and consistency: Their templates rarely change. The same phrasing and invoice formats reappear across campaigns, offering a reliable pattern for identification.\r\nDomain and account rotation: Each wave of emails uses new domains and bank accounts. When one is detected, it’s quickly replaced, keeping activity a step ahead of blocklists.\r\nPayment manipulation: Amounts hover just below review thresholds to slip past internal checks and speed up processing.\r\nThese consistent TTPs reinforce the assessment of a cohesive actor group maintaining an ongoing, profitable scheme.\r\nMitigation and response recommendations\r\nWhile Scripted Sparrow’s methods are simple, their success comes from consistency and timing. Understanding their playbook is only half the battle; the next step is knowing how to break the pattern. We advise companies to:\r\nImplement verification protocols: Require secondary confirmation for new vendor payments or invoices exceeding a set threshold. Never rely on an email reply chain as evidence of expense approval, as this can be easily spoofed.\r\nMonitor domain and header anomalies: Automated tools should flag mismatched domains, unusual reply-to headers, or recent domain registrations.\r\nEducate finance teams: Awareness training remains effective. Emphasize linguistic red flags and request validation.\r\nLeverage behavioral analytics: Track deviations in communication frequency, time zones, and sender-recipient patterns.\r\nThese controls can interrupt the group’s primary success condition: unverified trust. The campaign’s consistency suggests a central management structure coordinating multiple operators rather than loose affiliates.\r\nSource: https://www.helpnetsecurity.com/2025/12/18/tracking-scripted-sparrow-phishing-campaigns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.helpnetsecurity.com/2025/12/18/tracking-scripted-sparrow-phishing-campaigns/"
	],
	"report_names": [
		"tracking-scripted-sparrow-phishing-campaigns"
	],
	"threat_actors": [
		{
			"id": "d7617600-fc37-404c-9eae-1b84c8a2129f",
			"created_at": "2026-02-03T02:00:03.445289Z",
			"updated_at": "2026-04-10T02:00:03.943455Z",
			"deleted_at": null,
			"main_name": "Scripted Sparrow",
			"aliases": [],
			"source_name": "MISPGALAXY:Scripted Sparrow",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433967,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40a24dff8248f89b26da99fb31b3bf9d84cd0f7d.pdf",
		"text": "https://archive.orkl.eu/40a24dff8248f89b26da99fb31b3bf9d84cd0f7d.txt",
		"img": "https://archive.orkl.eu/40a24dff8248f89b26da99fb31b3bf9d84cd0f7d.jpg"
	}
}