Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label email security. Show all posts
Threat Intelligence
AI Phishing Threats Cyber Awareness Cybercrime Prevention cybersecurity trends Data protection Digital Deception email security Online Safety Technology Threat Intelligence

AI Tools Make Phishing Attacks Harder to Detect, Survey Warns


 

Despite the ever-evolving landscape of cyber threats, the phishing method remains the leading avenue for data breaches in the years to come. However, in 2025, the phishing method has undergone a dangerous transformation. 

What used to be a crude attempt to deceive has now evolved into an extremely sophisticated operation backed by artificial intelligence, transforming once into an espionage. Traditionally, malicious actors are using poorly worded, grammatically incorrect, and inaccurate messages to spread their malicious messages; now, however, they are deploying systems based on generative AI, such as GPT-4 and its successors, to craft emails that are eerily authentic, contextually aware, and meticulously tailored to each target.

Cybercriminals are increasingly using artificial intelligence to orchestrate highly targeted phishing campaigns, creating communications that look like legitimate correspondence with near-perfect precision, which has been sounded alarming by the U.S. Federal Bureau of Investigation. According to FBI Special Agent Robert Tripp, these tactics can result in a devastating financial loss, a damaged reputation, or even a compromise of sensitive data. 

By the end of 2024, the rise of artificial intelligence-driven phishing had become no longer just another subtle trend, but a real reality that no one could deny. According to cybersecurity analysts, phishing activity has increased by 1,265 percent over the last three years, as a direct result of the adoption of generative AI tools. In their view, traditional email filters and security protocols, which were once effective against conventional scams, are increasingly being outmanoeuvred by AI-enhanced deceptions. 

Artificial intelligence-generated phishing has been elevated to become the most dominant email-borne threat of 2025, eclipsing even ransomware and insider risks because of its sophistication and scale. There is no doubt that organisations throughout the world are facing a fundamental change in how digital defence works, which means that complacency is not an option. 

Artificial intelligence has fundamentally altered the anatomy of phishing, transforming it from a scattershot strategy to an alarmingly precise and comprehensive threat. According to experts, adversaries now exploit artificial intelligence to amplify their scale, sophistication, and success rates by utilising AI, rather than just automating attacks.

As AI has enabled criminals to create messages that mimic human tone, context, and intent, the line between legitimate communication and deception is increasingly blurred. The cybersecurity analyst emphasises that to survive in this evolving world, security teams and decision-makers need to maintain constant vigilance, urging them to include AI-awareness in workforce training and defensive strategies. This new threat is manifested in the increased frequency of polymorphic phishing attacks. It is becoming increasingly difficult for users to detect phishing emails due to their enhanced AI automation capabilities. 

By automating the process of creating phishing emails, attackers are able to generate thousands of variants, each with slight changes to the subject line, sender details, or message structure. In the year 2024, according to recent research, 76 per cent of phishing attacks had at least one polymorphic trait, and more than half of them originated from compromised accounts, and about a quarter relied on fraudulent domains. 

Acanto alters URLs in real time and resends modified messages in real time if initial attempts fail to stimulate engagement, making such attacks even more complicated. AI-enhanced schemes can be extremely adaptable, which makes traditional security filters and static defences insufficient when they are compared to these schemes. Thus, organisations must evolve their security countermeasures to keep up with this rapidly evolving threat landscape. 

An alarming reality has been revealed in a recent global survey: the majority of individuals are still having difficulty distinguishing between phishing attempts generated by artificial intelligence and genuine messages.

According to a study by the Centre for Human Development, only 46 per cent of respondents correctly recognised a simulated phishing email crafted by artificial intelligence. The remaining 54 per cent either assumed it was real or acknowledged uncertainty about it, emphasising the effectiveness of artificial intelligence in impersonating legitimate communications now. 

Several age groups showed relatively consistent levels of awareness, with Gen Z (45%), millennials (47%), Generation X (46%) and baby boomers (46%) performing almost identically. In this era of artificial intelligence (AI) enhanced social engineering, it is crucial to note that no generation is more susceptible to being deceived than the others. 

While most of the participants acknowledged that artificial intelligence has become a tool for deceiving users online, the study demonstrated that awareness is not enough to prevent compromise, since the study found that awareness alone cannot prevent compromise. The same group was presented with a legitimate, human-written corporate email, and only 30 per cent of them correctly identified it as authentic. This is a sign that digital trust is slipping and that people are relying on instinct rather than factual evidence. 

The study was conducted by Talker Research as part of the Global State of Authentication Survey for Yubico, conducted on behalf of Yubico. During Cybersecurity Awareness Month this October, Talker Research collected insights from users throughout the U.S., the U.K., Australia, India, Japan, Singapore, France, Germany, and Sweden in order to gather insights from users across those regions. 

As a result of the findings, it is clear that users are vulnerable to increasingly artificial intelligence-driven threats. A survey conducted by the National Institute for Health found that nearly four in ten people (44%) had interacted with phishing messages within the past year by clicking links or opening attachments, and 1 per cent had done so within the past week. 

The younger generations seem to be more susceptible to phishing content, with Gen Z (62%) and millennials (51%) reporting significantly higher levels of engagement than the Gen X generation (33%) or the baby boom generation (23%). It continues to be email that is the most prevalent attack vector, accounting for 51 per cent of incidents, followed by text messages (27%) and social media messages (20%). 

There was a lot of discussion as to why people fell victim to these messages, with many citing their convincing nature and their similarities to genuine corporate correspondence, demonstrating that even the most technologically advanced individuals struggle to keep up with the sophistication of artificial intelligence-driven deception.

Although AI-driven scams are becoming increasingly sophisticated, cybersecurity experts point out that families do not have to give up on protecting themselves. It is important to take some simple, proactive actions to prevent risk from occurring. Experts advise that if any unexpected or alarming messages are received, you should pause before responding and verify the source by calling back from a trusted number, rather than the number you receive in the communication. 

Family "safe words" can also help confirm authenticity during times of emergency and help prevent emotional manipulation when needed. In addition, individuals can be more aware of red flags, such as urgent demands for action, pressure to share personal information, or inconsistencies in tone and detail, in order to identify deception better. 

Additionally, businesses must be aware of emerging threats like deepfakes, which are often indicated by subtle signs like mismatched audio, unnatural facial movements, or inconsistent visual details. Technology can play a crucial role in ensuring that digital security is well-maintained as well as fortified. 

It is a fact that Bitdefender offers a comprehensive approach to family protection by detecting and blocking fraudulent content before it gets to users by using a multi-layered security suite. Through email scam detection, malicious link filtering, and artificial intelligence-driven tools like Bitdefender Scamio and Link Checker, the platform is able to protect users across a broad range of channels, all of which are used by scammers. 

It is for mobile users, especially users of Android phones, that Bitdefender has integrated a number of call-blocking features within its application. These capabilities provide an additional layer of defence against attacks such as robocalls and impersonation schemes, which are frequently used by fraudsters targeting American homes. 

In Bitdefender's family plans, users have the chance to secure all their devices under a unified umbrella, combining privacy, identity monitoring, and scam prevention into a seamless, easily manageable solution in a seamless manner. As people move into an era where digital deception has become increasingly human-like, effective security is about much more than just blocking malware. 

It's about preserving trust across all interactions, no matter what. In the future, as artificial intelligence continues to influence phishing, it will become increasingly difficult for people to distinguish between the deception of phishing and its own authenticity of the phishing, which will require a shift from reactive defence to proactive digital resilience. 

The experts stress that not only advanced technology, but also a culture of continuous awareness, is needed to fight AI-driven social engineering. Employees need to be educated regularly about security issues that mirror real-world situations, so they can become more aware of potential phishing attacks before they click on them. As well, individuals should utilise multi-factor authentication, password managers and verified communication channels to safeguard both personal and professional information. 

On a broader level, government, cybersecurity vendors, and digital platforms must collaborate in order to create a shared framework that allows them to identify and report AI-enhanced scams as soon as they occur in order to prevent them from spreading.

Even though AI has certainly enhanced the arsenal of cybercriminals, it has also demonstrated the ability of AI to strengthen defence systems—such as adaptive threat intelligence, behavioural analytics, and automated response systems—as well. People must remain vigilant, educated, and innovative in this new digital battleground. 

There is no doubt that the challenge people face is to seize the potential of AI not to deceive people, but to protect them instead-and to leverage the power of digital trust to make our security systems of tomorrow even more powerful.
Read more »
SpamGPT
AI phishing tool Cyber Fraud cybercrime AI email security Phishing Campaigns ransomware attacks SpamGPT

SpamGPT: AI-Powered Phishing Tool Puts Cybersecurity at Risk

 

While most people have heard of ChatGPT, a new threat called SpamGPT is now making headlines. Security researchers at Varonis have discovered that this professional-grade email campaign tool is designed specifically for cybercriminals. The platform, they report, offers “all the conveniences a Fortune 500 marketer might expect, but adapted for cybercrime.”

SpamGPT’s dashboard closely mimics legitimate email marketing software, allowing attackers to plan, schedule, and track large-scale spam and phishing campaigns with minimal effort. By embedding AI-powered features, the tool can craft realistic phishing emails, optimize subject lines, and fine-tune scams—making it accessible even to criminals with little technical background.

"SpamGPT is essentially a CRM for cybercriminals, automating phishing at scale, personalizing attacks with stolen data, and optimizing conversion rates much like a seasoned marketer would. It's also a chilling reminder that threat actors are embracing AI tools just as fast as defenders are," explained Rob Sobers, CMO at Varonis.

The toolkit includes built-in modules for SMTP/IMAP configuration, inbox monitoring, and deliverability testing. Attackers can upload stolen SMTP credentials, verify them through an integrated checker, and rotate multiple servers to avoid detection. IMAP monitoring further allows criminals to track replies, bounces, and email placement.

A real-time inbox check feature sends test emails and confirms whether they land in inboxes or spam folders. Combined with campaign analytics, SpamGPT functions much like a legitimate customer relationship management (CRM) platform—but is weaponized for phishing, ransomware, and other cyberattacks.

Marketed as a “spam-as-a-service” solution, SpamGPT lowers the skill barrier for cybercrime. Tutorials such as “SMTP cracking mastery” guide users in obtaining or hacking servers, while custom header options make it easier to spoof trusted brands or domains. This means even inexperienced attackers can bypass common email authentication methods and run large-scale campaigns.

Experts warn that the rise of SpamGPT could trigger a surge in phishing, ransomware, and malware attacks. Its ability to slip past spam filters and disguise malicious payloads as legitimate correspondence makes it especially dangerous for both individuals and businesses.

To counter threats like SpamGPT, cybersecurity experts recommend:

  • Enforcing DMARC, SPF, and DKIM to block spoofed emails.

  • Deploying AI-driven phishing detection tools.

  • Maintaining regular backups and malware removal protocols.

  • Implementing multi-factor authentication (MFA) across all accounts.

  • Providing ongoing phishing awareness training for employees.

  • Using network segmentation and least-privilege access controls.

  • Keeping software and security patches updated.

  • Testing and refining incident response plans for rapid recovery.

SpamGPT demonstrates how cybercriminals are harnessing AI to evolve their tactics. As defenses improve, attackers are adapting just as quickly—making vigilance and layered security strategies more critical than ever.

Read more »
OCC
Banks bloomberg Cyber Attacks Data Sharing digital data email security financial attack Financial Data Hacker attack OCC

Top U.S. Banks Cut Off Digital Data Sharing With OCC After Major Cyberattack

 

Several of the largest banks in the United States have curtailed or reassessed how they share sensitive data with the Office of the Comptroller of the Currency (OCC), after a significant cyberattack compromised the regulator’s email system. 

According to Bloomberg, JPMorgan Chase and Bank of New York Mellon have paused all electronic communications with the OCC. Bank of America is continuing to share data, but through what it considers more secure digital channels. The decision follows the discovery that hackers had accessed over 100 email accounts at the OCC for more than a year—a breach labeled a “major incident” by both the OCC and the U.S. Treasury Department. 

The hackers reportedly obtained highly sensitive information related to financial institutions, although their identities remain unknown. The OCC, a bureau under the Treasury, oversees over 1,000 national banks and savings associations, including the U.S. branches of foreign institutions. Among the materials potentially exposed are reports on cybersecurity protocols, internal vulnerability assessments, and National Security Letters—documents that may contain classified intelligence regarding terrorism or espionage. 

Banks have raised concerns about the extent of the breach and the OCC’s communication about the incident. Some financial institutions reportedly did not learn of the scope of the compromise until media coverage surfaced. As a result, there is growing distrust among regulated institutions regarding how the OCC has handled disclosure and mitigation. The OCC said it is actively working with independent cybersecurity experts, including Mandiant and Microsoft, to investigate the breach and determine whether stolen data has surfaced on the dark web. 

A contractor is also reviewing two internal communication systems—BankNet and another used for transferring large files—to assess whether they were affected. While JPMorgan and BNY Mellon have suspended digital transmissions, Citigroup has continued data sharing due to its existing consent order with the OCC. It remains unclear whether other major banks like Wells Fargo or Goldman Sachs have taken similar steps. Experts warn that the breach could enable targeted cyberattacks or extortion attempts, as the stolen material may offer insight into institutional vulnerabilities. 

According to former Treasury CIO Eric Olson, the exposed data is “as sensitive as it gets.” The incident has drawn attention from Congress, with both the House Financial Services Committee and the Senate Banking Committee seeking more information. Experts view the banks’ decision to reduce data sharing as a sign of eroding trust in the OCC’s ability to safeguard critical regulatory communications.
Read more »
phishing
AI threats Business Email Compromise Cyber Attacks email security Hacking phishing

Phishing Attacks Surge by 30% in Australia Amid Growing Cyber Threats

 

kAustralia witnessed a sharp 30% rise in phishing emails last year, as cybercriminals increasingly targeted the Asia-Pacific (APAC) region, according to a recent study by security firm Abnormal Security. The APAC region’s expanding presence in critical industries, such as data centers and telecommunications, has made it a prime target for cyber threats.

Across APAC, credential phishing attacks surged by 30.5% between 2023 and 2024, with New Zealand experiencing a 30% rise. Japan and Singapore faced even greater increases at 37%. Among all advanced email-based threats—including business email compromise (BEC) and malware attacks—phishing saw the most significant spike.

“The surge in attack volume across the APAC region can likely be attributed to several factors, including the strategic significance of its countries as epicentres for trade, finance, and defence,” said Tim Bentley, Vice President of APJ at Abnormal Security.

“This makes organisations in the region attractive targets for complex email campaigns designed to exploit economic dynamics, disrupt essential industries, and steal sensitive data.”

Between 2023 and 2024, advanced email attacks across APAC—including Australia, New Zealand, Japan, and Singapore—rose by 26.9% on a median monthly basis. The increase was particularly notable between Q1 and Q2 of 2024 (16%) and further escalated from Q2 to Q3 (20%).

While phishing remains the primary attack method, BEC scams—including executive impersonation and payment fraud—grew by 6% year-over-year. A single successful BEC attack cost an average of USD $137,000 in 2023, according to Abnormal Security.

Australia has long been a key target for cybercriminals. A 2023 Rubrik survey revealed that Australian organizations faced the highest data breach rates globally.

Antoine Le Tard, Vice President for Asia-Pacific and Japan at Rubrik, previously noted that Australia’s status as an early adopter of cloud and enterprise security solutions may have led to rapid deployment at the expense of robust cybersecurity measures.

The Australian Signals Directorate reported that only 15% of government agencies met the minimum cybersecurity standards in 2024, a steep drop from 25% in 2023. The reluctance to adopt passkey authentication methods further reflects the cybersecurity maturity challenges in the public sector.

The widespread accessibility of AI chatbots has altered the cybersecurity landscape, making phishing attacks more sophisticated. Even jailbroken AI models enable cybercriminals to create phishing content effortlessly, reducing technical barriers for attackers.

AI-driven cyber threats are on the rise, with AI-powered chatbots listed among the top security risks for 2025. According to Vipre, BEC attacks in Q2 2024 increased by 20% year-over-year, with two-fifths of these scams generated using AI tools.

In June, HP intercepted a malware-laden email campaign featuring a script that was “highly likely” created using generative AI. Cybercriminals are also leveraging AI chatbots to establish trust with victims before launching scams—mirroring how businesses use AI for customer engagement.
Read more »
SVG attachments
cyber fraud prevention Cyber Security Cybersecurity email security Microsoft visio Phishing Attacks Ransomware threats SVG attachments

Cybercriminals Exploit Two-Step Phishing Tactics and SVG Attachments in Sophisticated Cyber Attacks

 

Layered defense strategies are a cornerstone of cybersecurity, but attackers are employing similar methods to launch sophisticated attacks. Two-step phishing (2SP) tactics are becoming increasingly prevalent, leveraging trusted platforms to deliver malicious content in layers and evade detection, according to researchers at Perception Point.

These researchers have identified a new wave of 2SP attacks weaponising Microsoft Visio (.vsdx) files. Peleg Cabra, product marketing manager at Perception Point, shared that Ariel Davidpur, a security researcher at the firm, uncovered an alarming trend: attackers are embedding malicious URLs within Visio files to bypass security systems.

Visio, widely used in workplaces for data visualization, plays into the attackers' strategy of exploiting familiarity. The files are being used in phishing emails containing urgent business-related requests. Once the recipient engages with these emails and accesses the Visio file, they encounter another embedded URL disguised as a clickable button, like “view document.”

Perception Point’s analysis highlights how attackers ask victims to hold the Ctrl key while clicking the URL, bypassing automated detection tools. This redirects users to a fake Microsoft 365 login page designed to steal credentials. Robust two-factor authentication is recommended to mitigate the risks of such attacks.

Additionally, a report by Lawrence Abrams from Bleeping Computer reveals another alarming technique: attackers are leveraging scalable vector graphics (SVG) files. These files, capable of displaying HTML and executing JavaScript, are being used to deliver phishing forms and malware. Security researcher MalwareHunterTeam demonstrated how SVG attachments could mimic an Excel spreadsheet with an embedded login form to harvest credentials.

To counter these threats, cybersecurity experts recommend treating SVG attachments with suspicion and implementing stringent email security measures.

International Fraud Awareness Week, held from November 17 to 23, 2024, aims to raise awareness of evolving cyber fraud. Muhammad Yahya Patel, lead security engineer at Check Point Software, warns that technological advancements empower both legitimate industries and cyber criminals.

Patel categorizes the major fraud types businesses should watch out for:
  • Cyber Fraud: Using phishing, malware, and ransomware to steal sensitive data.
  • Internal Fraud: Involving employee-driven actions like embezzlement and theft.
  • Invoice Fraud: Sending fake invoices to businesses for payment.
  • CEO Fraud: Impersonating executives to extract sensitive information.
  • Return Fraud: Exploiting return policies in retail for financial gain.
  • Payroll Fraud: Manipulating payroll systems to benefit employees fraudulently.
Ransomware has also evolved from untargeted attacks to highly strategic campaigns, employing reconnaissance and double-extortion tactics. As cyber threats grow more sophisticated, businesses must remain vigilant, adopt robust security practices, and foster awareness to combat evolving fraud.
Read more »
SMTP servers
Authentication Cyber Security Cyber Threats Cybersecurity Dark Web Data Privacy email encryption email security Malware Distribution Phishing Attacks SMTP servers

New SMTP Cracking Tool for 2024 Sold on Dark Web Sparks Email Security Alarm

 

A new method targeting SMTP (Simple Mail Transfer Protocol) servers, specifically updated for 2024, has surfaced for sale on the dark web, sparking significant concerns about email security and data privacy.

This cracking technique is engineered to bypass protective measures, enabling unauthorized access to email servers. Such breaches risk compromising personal, business, and government communications.

The availability of this tool showcases the growing sophistication of cybercriminals and their ability to exploit weaknesses in email defenses. Unauthorized access to SMTP servers not only exposes private correspondence but also facilitates phishing, spam campaigns, and cyber-espionage.

Experts caution that widespread use of this method could result in increased phishing attacks, credential theft, and malware distribution. "Organizations and individuals must prioritize strengthening email security protocols, implementing strong authentication, and closely monitoring for unusual server activity," they advise.

Mitigating these risks requires consistent updates to security patches, enforcing multi-factor authentication, and using email encryption. The emergence of this dark web listing highlights the ongoing threats cybercriminals pose to critical communication systems.

As attackers continue to innovate, the cybersecurity community emphasizes vigilance and proactive defense strategies to safeguard sensitive information. This development underscores the urgent need for robust email security measures in the face of evolving cyber threats.
Read more »
Vulnerabilities
Cyber Security Digital Communication email security Malware Detection Vulnerabilities

Email Security Vulnerabilities: Shocking Gaps in Malware Detection

Email Security Vulnerabilities: Shocking Gaps in Malware Detection

In an era where digital communication dominates, email remains a fundamental tool for personal and professional correspondence. However, recent research by web browser security startup SquareX has exposed alarming vulnerabilities in email security. 

The study, titled “Security Bite: iCloud Mail, Gmail, Others Shockingly Bad at detecting malware, Study Finds,” highlights the shortcomings of popular email service providers in safeguarding users from malicious attachments.

The State of Email Security

1. The Persistent Threat of Malicious Attachments

  • Despite advancements in cybersecurity, email attachments continue to be a prime vector for malware distribution.
  • Malicious attachments can carry viruses, trojans, ransomware, and other harmful payloads.
  • Users often unknowingly open attachments, leading to compromised devices and data breaches.

2. The SquareX Study

Researchers collected 100 malicious document samples, categorized into four groups:

  • Original Malicious Documents from Malware Bazaar
  • Slightly Altered Malicious Documents from Malware Bazaar (with changes in metadata and file formats)
  • Malicious Documents modified using attack tools
  • Basic Macro-enabled Documents that execute programs on user devices

These samples were sent via Proton Mail to addresses on iCloud Mail, Gmail, Outlook, Yahoo! Mail, and AOL.

3. Shockingly Bad Detection Rates

The study’s findings were alarming:

  • iCloud Mail and Gmail failed to deliver any of the malicious samples. Their malware detection mechanisms worked effectively.
  • Outlook, Yahoo! Mail, and AOL delivered the samples, leaving users potentially exposed to threats.

Implications and Recommendations

1. User Awareness and Caution

  • Users must exercise caution when opening email attachments, even from seemingly legitimate sources.
  • Educate users about the risks associated with opening attachments, especially those from unknown senders.

2. Email Providers Must Step Up

  • Email service providers need to prioritize malware detection.
  • Regularly update and enhance their security protocols to prevent malicious attachments from reaching users’ inboxes.
  • Collaborate with cybersecurity experts to stay ahead of evolving threats.

3. Multi-Layered Defense

Implement multi-layered security measures:

  • Attachment Scanning: Providers should scan attachments for malware before delivery.
  • Behavioral Analysis: Monitor user behavior to detect suspicious patterns.
  • User Training: Educate users about phishing and safe email practices.

4. Transparency and Reporting

  • Email providers should transparently report their detection rates and improvements.
  • Users deserve to know how well their chosen service protects them.

What next?

Always think before you click. The SquareX study serves as a wake-up call for email service providers. As the digital landscape evolves, robust email security is non-negotiable. Let’s bridge the gaps, protect users, and ensure that our inboxes remain safe havens rather than gateways for malware.
Read more »
Proofprint
Black Basta Ransomware Cyber Attacks CyberCrime Data Theft Email Phishing Email scam email security Hacekrs NTLM Proofprint

New Email Scam Targets NTLM Hashes in Covert Data Theft Operation

 


TA577 has been identified as a notorious threat actor who orchestrated a sophisticated phishing campaign, according to researchers at security firm Proofpoint. Currently, the group is utilizing a new method of phishing involving ZIP archive attachments. This tactic is geared towards pilfering the hash data of NT LAN Manager (NTLM) users.

According to our investigation, this group is utilizing a chain of attacks aimed at stealing authentication information from the NT LAN Manager (NTLM) system. It would be possible to exploit this method for obtaining sensitive data and facilitating further malicious activity if this method were to be exploited. 

By using booby-trapped email attachments containing booby-trapped NTLM hashes to steal employees' NTLM hashes, a threat actor that is known for establishing initial access to organizations' computer systems and networks is using these attachments to steal employees’ hashes. Earlier this week, enterprise security firm Proofpoint published a report that suggested that the new attack chain "is capable of gathering sensitive information and facilitating follow-on activities." 

As reported by the company, at least two phishing campaigns have utilized this approach since February 26, 2024, when thousands of messages were distributed worldwide and hundreds of organizations were targeted. As an initial access broker (IAB), TA577 has previously been associated with Qbot and has been linked to Black Basta ransomware infections. 

The phishing waves spread thousands of messages around the world and targeted hundreds of organizations. The email security company Proofpoint reported today that although it has seen TA577 favouring Pikabot deployment in recent months, two recent attacks indicate that TA577 has taken a different approach to the attack. 

A group called TA578, which has been linked with the Qbot malware campaign and the Black Basta ransomware campaign, is one of the first access brokers. Recently, it has demonstrated an increasing interest in exploiting authentication protocols despite its previous inclination toward deploying Pikabot malware. 

NTLM hashes are a cornerstone of the security of Windows systems for authentication and session management. Attackers are extremely interested in these hashes as they are potentially useful in offline password cracking and in pass-the-hash attacks, which do not require actual passwords to gain access to services but instead use hashes as shortcuts. 

A technique known as thread hijacking, by which the attackers craft phishing emails that seem like legitimate follow-up emails to ongoing conversations, is used by the attackers. There is a malicious external server that is used to capture NTLM hashes, as these emails contain personalized ZIP files with HTML documents. When opened, these malicious servers start connecting to a malicious external server that has been set up specifically to capture these hashes. 

TA577 likely has the resources, time, and experience to iterate and test new delivery methods at the rate at which it adopts and distributes new tactics, techniques, and procedures (TTPs). TA577, along with other IABs, seems to be on top of the threat landscape and understands when and why certain attack chains cease to be effective. 

To increase the effectiveness and likelihood of victim engagement with their payload delivery and bypass detections, they will be able to create new methods to bypass detections and make use of them as quickly as possible. Researchers at Proofpoint have also noticed an increase in the use of file scheme URIs to direct recipients to external file shares such as SMB and WebDAV for the delivery of malware. To prevent exploits identified in this campaign, organizations should block outbound SMBs to prevent these sophisticated attacks. 

While restricting guest access to SMB servers is a simple security measure, it falls short of preventing these sophisticated attacks. The company advises that strict email filtering be implemented, outbound SMB connections should not be allowed, and Windows group policies should be activated to minimize the risk. 

To combat these types of NTLM-based threats effectively, Microsoft has introduced advanced security features into Windows 11 to help users. It is important to maintain constant vigilance and take strong security measures to prevent phishing attacks targeting the NTLM authentication protocol. For organizations to remain safe from sophisticated cybercriminal endeavours, they must stay abreast of emerging threats and adjust their defences to keep up with the rapidly evolving threats.
Read more »
Subscribe to: Comments (Atom)