{
	"id": "bc457bbb-0307-4b9f-87fa-d6986baba596",
	"created_at": "2026-04-06T00:14:51.714963Z",
	"updated_at": "2026-04-10T03:23:52.688886Z",
	"deleted_at": null,
	"sha1_hash": "7ebec988588a32fd9da91ec236a2d76f363d9610",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41704,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 13:49:50 UTC\r\nAPT group: TA2552\r\nNames TA2552 (Proofpoint)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2019\r\nDescription\r\n(Proofpoint) Since January 2020, Proofpoint researchers have tracked an actor abusing\r\nMicrosoft Office 365 (O365) third-party application (3PA) access, with suspected activity\r\ndating back to August 2019. The actor, known as TA2552, uses well-crafted Spanish language\r\nlures that leverage a narrow range of themes and brands. The lures entice users to click a link\r\nin the message, taking them to the legitimate Microsoft third-party apps consent page. There\r\nthey are prompted to grant a third-party application read-only user permissions to their O365\r\naccount via OAuth2 or other token-based authorization methods. TA2552 seeks access to\r\nspecific account resources like the user’s contacts and mail. Requesting read-only permissions\r\nfor such account resources could be used to conduct account reconnaissance, silently steal\r\ndata, or to intercept password reset messages from other accounts such as those at financial\r\ninstitutions. While organizations with global presence have received messages from this group,\r\nthey appear to choose recipients who are likely Spanish speakers.\r\nObserved\r\nTools used\r\nInformation\r\n\u003chttps://www.proofpoint.com/us/blog/threat-insight/ta2552-uses-oauth-access-token-phishing-exploit-read-only-risks\u003e\r\nLast change to this card: 19 October 2020\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8677d61e-2bbd-4767-9f5d-90f14810911b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8677d61e-2bbd-4767-9f5d-90f14810911b"
	],
	"report_names": [
		"showcard.cgi?u=8677d61e-2bbd-4767-9f5d-90f14810911b"
	],
	"threat_actors": [
		{
			"id": "6b88f18e-81b7-46b6-a20d-79e03220447d",
			"created_at": "2024-02-06T02:00:04.101887Z",
			"updated_at": "2026-04-10T02:00:03.569979Z",
			"deleted_at": null,
			"main_name": "TA2552",
			"aliases": [],
			"source_name": "MISPGALAXY:TA2552",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75febd40-3628-491d-be18-366270cb33b1",
			"created_at": "2022-10-25T16:07:24.267099Z",
			"updated_at": "2026-04-10T02:00:04.916264Z",
			"deleted_at": null,
			"main_name": "TA2552",
			"aliases": [],
			"source_name": "ETDA:TA2552",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434491,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ebec988588a32fd9da91ec236a2d76f363d9610.pdf",
		"text": "https://archive.orkl.eu/7ebec988588a32fd9da91ec236a2d76f363d9610.txt",
		"img": "https://archive.orkl.eu/7ebec988588a32fd9da91ec236a2d76f363d9610.jpg"
	}
}