{
	"id": "69db9470-0906-4af1-a899-34c082b21de6",
	"created_at": "2026-04-06T00:18:25.910966Z",
	"updated_at": "2026-04-10T03:20:38.113463Z",
	"deleted_at": null,
	"sha1_hash": "70cb67abeca8116b4097aa5b7f23ee01f5626d6f",
	"title": "Fresh Phish: Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3818474,
	"plain_text": "Fresh Phish: Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts\r\nBy Roger Kay\r\nPublished: 2021-06-04 · Archived: 2026-04-02 12:41:58 UTC\r\nAmong other things, phishers are avid newshounds. They read the press diligently, looking for topics that might help them more successfully fool targets, land malware, and extract value. The highly visible ransomware attack recently executed by the Eastern Europe-based hacker group DarkSide against Colonial Pipeline, a Houston-based oil pipeline operator, drew a lot of phisher interest, and, voila! Within a couple of weeks, new phishing attempts were unleashed on a world suddenly aware of Colonial and the exploitation of its vulnerabilities.\r\nThese new attempts tried to leverage the Colonial attack with clever pitches. INKY, the foremost anti-phishing technology on the market today, started seeing these attempted attacks almost immediately following the public humiliation of Colonial, which ended up paying $5 million to DarkSide to unlock its data.\r\nQuick Takes: Attack Flow Overview\r\nType: phishing\r\nVector: email, malware download from an abused free site\r\nPayload: abused legitimate penetration-testing tool that launches a ransomware, surveillance, or data exfiltration campaign\r\nTechniques: targeted phishing email tries to trick the recipient into downloading an “update,” which is supposedly related to the Colonial Pipeline vulnerability but is really malware\r\nPlatform: Office 365\r\nTarget: corporate-wide surveillance, data exfiltration, ransomware shutdown\r\nThe Attack\r\nSeveral INKY users received “helpdesk” emails like the one below with instructions to download a “ransomware system update” from an external site.\r\nhttps://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts\r\nPage 1 of 5\r\nThe malicious emails were sent from newly created domains (ms-sysupdate.com and selectivepatch.com) controlled by cybercriminals. The domain names, sufficiently plausible to appear legitimate, were nonetheless different enough that garden-variety anti-phishing software would not be able to use regular-expression matching to detect their perfidy. INKY, of course, caught the phish using other techniques, which is why they're on display here.\r\nBoth domains were registered with NameCheap, a registrar popular with bad actors. Its domains are inexpensive, and the company accepts Bitcoin as payment for hosting services (handy for those trying to remain anonymous).\r\nThe malicious links in the emails belonged to — surprise! — the same domain that sent the emails. Convenient, right?\r\nIn this highly customized attack, the malicious site used the target company’s logo and imagery. The innocuous “Download” button was set to download a malware file called “Ransomware_Update.exe”. What could possibly go wrong?\r\nThe malware was, in fact, “Cobalt Strike,” a legitimate penetration-testing tool that has been deeply abused by bad actors since its source code was leaked in late 2020. This abuse has been linked to ransomware, surveillance, and data exfiltration campaigns. According to Talos Intelligence, 66% of ransomware attacks in 4Q20 involved “Cobalt Strike.” This serious payload is designed for maximum impact.\r\nTechniques\r\nThe Colonial Pipeline follow-on attacks were based on the confluence of two factors: the Colonial ransomware attack itself and the recent public availability of a highly effective remote-access tool. The Colonial Pipeline ransomware attack raised the visibility of ransomware in general. Whether they operate in infrastructure or are dependent on it (which includes practically everyone), people were primed by the news cycle to be thinking about ransomware issues. In this environment, phishers tried to exploit people’s anxiety, offering them a software update that would “fix” the problem via a highly targeted email that used design language that could plausibly be the recipient’s company’s own. All the recipient had to do was click the big blue button, and the malware would be injected.\r\nRecap of Techniques:\r\nDynamic Phish — uses elements of the target company’s brand to look legitimate, if not internal\r\nAbused Free Website — evades URL analysis by traditional email security products\r\nMalware Injection — a recipient click initiates the injection of a legitimate but abused remote-access tool that allows the abuser to control the target’s system\r\nTrusted Logo Imagery — gains the confidence of the target recipient, furthering the likelihood of a successful exploit\r\nBest Practices: Guidance and Recommendations\r\nPhishers are getting better at camouflage. They try to make their emails look as if they come from the target’s employer, lending them an air of greater legitimacy. By using newly created domains, the email can evade traditional phishing analysis, which looks only at the commonly accepted email authentication checks DKIM and SPF and sees nothing suspicious. The important analysis to be done here is not whether the email comes from a legitimate host but whether it comes from where it appears to come from. If it looks as if it was sent by the company itself (e.g., from HR, IT, or Finance), does it in fact originate from an email server under the company’s control? If it looks like the HR or IT department but deviates from the norm, that should be a flag.\r\nIn addition to using better camouflage, phishers excel at leveraging current events and other cyber-attacks to create urgency in their communications. In this case, no doubt many recipients wanted to “do the right thing and help out the IT team” by clicking on the bad link. Attackers use these emotions to trick users into doing things they might not otherwise do. An IT policy stating that employees will not be asked to download certain file types might be a good start to combat attacks like this. A standard and formalized communications protocol that is widely shared, and frequently reinforced, would help as well.\r\nAnd of course, anti-phishing software like INKY that performs this sort of analysis can alert recipients to inaccurate email sources and potential harm, and direct appropriate actions via a banner in the email.\r\n_____\r\nINKY® is the most effective hero in the war against phishing. An award-winning cloud-based email security solution, INKY® prevents the most complex phishing threats from disrupting or even immobilizing your company’s day-to-day business operations. Using computer vision, artificial intelligence, and machine learning, INKY® is the smartest investment you can make in the security of your organization. INKY® is a proud winner of the NYCx Cybersecurity Moonshot Challenge and finalist in the 2020 RSAC Innovation Sandbox Competition. Learn more about INKY® or request an online demonstration today.\r\nSource: https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts"
	],
	"report_names": [
		"colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts"
	],
	"threat_actors": [],
	"ts_created_at": 1775434705,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70cb67abeca8116b4097aa5b7f23ee01f5626d6f.pdf",
		"text": "https://archive.orkl.eu/70cb67abeca8116b4097aa5b7f23ee01f5626d6f.txt",
		"img": "https://archive.orkl.eu/70cb67abeca8116b4097aa5b7f23ee01f5626d6f.jpg"
	}
}