Targeted email attacks in various sectors


Summary

Targeted email attacks in various sectors refer to phishing or malicious campaigns that focus on specific industries or individuals, using customized emails designed to trick recipients into revealing sensitive information or downloading harmful files. These attacks are increasingly sophisticated, often exploiting trusted channels and publicly available data to maximize their impact across finance, technology, energy, and more.

  • Protect public information: Regularly search for your email or phone number online and request removal from public websites to minimize exposure to cybercriminals.
  • Strengthen authentication: Require multi-factor authentication for all email and cloud accounts to prevent unauthorized access from attackers who may have obtained credentials.
  • Monitor suspicious activity: Watch for unusual attachments, unexpected document-sharing links, and odd network traffic patterns, especially if your organization handles financial or sensitive data.
Summarized by AI based on LinkedIn member posts
  • Feross Aboukhadijeh

    Founder & CEO at Socket — we're hiring!

    Today, Socket's Threat Research Team disclosed a large-scale phishing infrastructure that abused npm + unpkg as free CDN hosting.

    What we found:
    • 175 malicious npm packages (randomized names, pattern redirect-xxxxxx) with 26k+ downloads.
    • 630+ HTML lure files, tailored to victims (purchase orders, specs, project docs).
    • 7 phishing domains and tooling that automated package creation + publishing per target.
    • 135+ targeted organizations across industrial, tech, and energy sectors (heavy focus in Western Europe).

    We’ve named the operation Beamglea — the packages’ payloads are tiny redirect scripts (beamglea.js) that append a victim email and send the user to credential-harvesting pages.

    Why this is dangerous:
    • This isn’t a typical npm supply chain attack — it’s infrastructure abuse. The attackers are using npm’s public registry and unpkg’s automatic HTTPS hosting as an inexpensive, trusted CDN for phishing. That makes detection harder and gives their phishing pages plausible legitimacy (pre-filled emails, polished lures).

    Practical recommendations (do these immediately):
    • Force password resets for accounts in the IOC list — prioritize Office 365 accounts.
    • Require MFA across all email and cloud accounts.
    • Quarantine or strip HTML attachments at the gateway (legitimate business rarely needs raw HTML attachments).
    • Monitor network traffic for unpkg.com/*/beamglea.js patterns and the seven known C2 domains.
    • Audit recent email attachments (Sept–Oct 2025) for PO/contract-themed HTML files.
    • Review wire/financial activity for signs of BEC following credential theft.

    Indicators we published:
    • Full list of package names (pattern: redirect-<6 chars>), the seven domains, and a set of author aliases we observed. Treat any detection of these IOCs as high-severity.

    Why this matters long-term:
    • This campaign shows a new, repeatable playbook: weaponize public package registries + CDNs as disposable phishing infrastructure. Expect iteration — alternate CDNs, obfuscated JS, geofencing, and DGA-like domain rotations. Defenders should treat public registry assets and CDN-served scripts as part of the threat surface, not just developer tools.

    If you run an org with public-facing email accounts, developer teams, or supply-chain processes, Socket’s research includes the full IOCs and recommended detection rules — reach out if you need help operationalizing these mitigations. https://lnkd.in/dQCBNRid
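One way to operationalize the two detection points in the post above (the redirect-<6 chars> package naming and the unpkg.com/*/beamglea.js fetch pattern). This is an added example, not Socket's published detection rules; the log lines are constructed in a squid-like format, and the optional @version segment in unpkg URLs is an assumption about how the packages were fetched.

```python
import re

# Naming pattern disclosed in the post: redirect-<6 chars>. The unpkg URL form
# is https://unpkg.com/<package>[@<version>]/<path>; the version part is optional.
PKG_RE = re.compile(r"^redirect-[a-z0-9]{6}$", re.IGNORECASE)
URL_RE = re.compile(
    r'https?://unpkg\.com/(redirect-[a-z0-9]{6})(?:@[^/\s]+)?/[^\s"]*?beamglea\.js',
    re.IGNORECASE,
)


def is_beamglea_package(name: str) -> bool:
    """True when an npm package name matches the disclosed redirect-<6 chars> pattern."""
    return PKG_RE.match(name.strip()) is not None


def scan_proxy_log(lines):
    """Return (line_number, package, url) for each line that fetched a beamglea.js payload."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = URL_RE.search(line)
        if m:
            hits.append((n, m.group(1).lower(), m.group(0)))
    return hits


# Constructed sample proxy log lines (not real traffic); only lines 2 and 3 match.
SAMPLE_LOG = [
    "1730000001.101 42 10.0.0.5 TCP_MISS/200 GET https://unpkg.com/react@18.3.1/umd/react.production.min.js",
    "1730000002.202 37 10.0.0.7 TCP_MISS/200 GET https://unpkg.com/redirect-k3d9xq@1.0.0/beamglea.js",
    "1730000003.303 12 10.0.0.9 TCP_MISS/200 GET https://unpkg.com/redirect-abc123/beamglea.js?e=user%40example.com",
    "1730000004.404 19 10.0.0.9 TCP_MISS/200 GET https://unpkg.com/redirect-toolong1/beamglea.js",
]

if __name__ == "__main__":
    for n, pkg, url in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: package {pkg} -> {url}")
```

The fourth sample line deliberately breaks the six-character rule and is not flagged, which is the brittleness the post warns about: once the actors rotate naming, the rule needs a broader signal such as any unpkg-served script fetched shortly after an HTML attachment is opened.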

  • Juan Pablo Castro

    Director @ Trend Micro | Cyber Risk & Cybersecurity Strategist, LATAM | Creator of Cybersecurity Compass & CROC | Public Speaker

    🔍 Anatomy of a Modern B2B Business Email Compromise (BEC) Attack

    A recent Trend Micro™ Managed XDR investigation uncovered a sophisticated B2B Business Email Compromise (BEC) attack, where a threat actor manipulated an ongoing email conversation between three business partners over several days. By compromising an email server and strategically replacing recipients, the attacker successfully redirected funds to their account—all while the victims believed they were communicating with their trusted partners.

    🚨 Timeline of the Attack:

    📅 Day 1:
    • T+0:00 – Partner A sends an invoice reminder to Partner B, copying Partner C.
    • T+4:30 – Threat actor intercepts and sends an email with fraudulent banking details from a compromised third-party email server.
    • T+11:00 – The attacker resends the email, this time using a compromised Partner C account to reinforce legitimacy.

    📅 Days 2-5:
    • T+15:00 – Partner B, unaware of the compromise, acknowledges the invoice and requests additional details—unknowingly communicating with the attacker instead of the real Partner A.
    • T+5.02 days – Partner A (still unaware) provides business details, but the email is received by the attacker, not Partner B.
    • T+5.17 days – Attacker confirms details and reissues fraudulent banking instructions.
    • T+5.64 days – Partner B deposits the funds into the attacker’s account.
    • T+5.66 days – Partner B informs ‘Partner A’ (the attacker) that the transfer is complete.

    By the time Partner A and Partner B realized the fraud (12+ days later), the funds had already been moved.

    🔑 Key Insights from the Incident:
    ✔️ Sophisticated Manipulation: The attacker gradually replaced real recipients in email threads, ensuring the conversation seemed normal.
    ✔️ Social Engineering & Trust Exploitation: By mimicking writing styles and leveraging auto-complete features, they maintained credibility.
    ✔️ Weak Email Security Enabled the Attack: A misconfigured third-party email server allowed fraudulent emails to bypass security checks.
    ✔️ Strategic Patience: The attacker waited 4.5 hours before injecting fraudulent banking details, ensuring it appeared as a legitimate correction.

    🛡️ How to Defend Against BEC Attacks:
    ✅ Strengthen Email Authentication – Implement DMARC, SPF, and DKIM to verify sender legitimacy.
    ✅ Enable Multi-Factor Authentication (MFA) – Prevent unauthorized access to email accounts.
    ✅ Monitor for Anomalous Activity – Look for suspicious email forwarding rules and unauthorized logins.
    ✅ Educate High-Risk Employees – Train finance teams to verify banking details via secure channels before transferring funds.
    ✅ Establish Out-of-Band Validation – Require phone/video call confirmation for financial transactions to verify sender identity.

    💡 BEC attacks are getting more sophisticated, but proactive security measures can significantly reduce the risk.

    🔬 Full Research in Comments Section

    #DeepDive #CyberSecurity #BEC #ThreatIntelligence #EmailSecurity #TrendMicro #SOC
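The recipient-replacement pattern in the timeline above leaves two header-level traces a mail gateway or SOC script can look for: a Reply-To steering replies to a domain other than the visible sender's, and a known participant's local part reappearing under a new domain. The code below is an added example, not Trend Micro's detection; the thread is constructed to mirror the timeline, and the partner domains are placeholders.

```python
from email.utils import getaddresses, parseaddr


def _addr(field) -> str:
    return parseaddr(field or "")[1].lower()


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2]


def audit_thread(messages):
    """Walk a thread in order; return (index, rule, address) for each suspicious header.

    The first domain seen for a local part is taken as legitimate, so a later
    ap@partner-a-invoices.example replacing ap@partner-a.example is flagged.
    (Two legitimate partners sharing a local part such as 'finance' would need a
    per-domain baseline instead; this keeps the demo small.)
    """
    first_domain = {}
    findings = []
    for i, msg in enumerate(messages):
        sender = _addr(msg.get("From"))
        reply_to = _addr(msg.get("Reply-To"))
        # Rule 1: replies are steered to a domain other than the visible sender's.
        if reply_to and _domain(reply_to) != _domain(sender):
            findings.append((i, "reply-to-domain-mismatch", reply_to))
        # Rule 2: a participant's local part reappears under a different domain.
        fields = [msg[h] for h in ("To", "Cc") if msg.get(h)]
        recipients = [a.lower() for _, a in getaddresses(fields) if a] if fields else []
        for addr in [sender] + recipients:
            local, domain = addr.rpartition("@")[0], _domain(addr)
            if first_domain.setdefault(local, domain) != domain:
                findings.append((i, "lookalike-participant", addr))
    return findings


# Constructed thread modelled on the timeline (example data, not the investigation's headers).
THREAD = [
    {"From": "Partner A <ap@partner-a.example>", "To": "Partner B <finance@partner-b.example>",
     "Cc": "Partner C <ops@partner-c.example>"},
    # T+4:30: "corrected" bank details relayed via a third-party server, replies steered away.
    {"From": "Partner A <ap@partner-a.example>", "Reply-To": "ap@partner-a-invoices.example",
     "To": "finance@partner-b.example"},
    # T+11:00: resent from a genuinely compromised Partner C account. No header rule can
    # catch that sender; this is where the post's out-of-band validation applies.
    {"From": "ops@partner-c.example", "To": "finance@partner-b.example",
     "Cc": "ap@partner-a-invoices.example"},
    # Day 2+: Partner B now writes to the lookalike instead of the real Partner A.
    {"From": "finance@partner-b.example", "To": "ap@partner-a-invoices.example"},
]
```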

  • Olakanmi Oluwole

    SOC Manager and Cyber Threat Intelligence Operations (Africa)

    We are observing widespread and sophisticated fileless malware campaigns targeting companies in the African finance and telecommunications sectors. The campaign typically begins with a phishing email sent to departments such as Sales and Procurement, often disguised as a Request for Quotation (RFQ). The email includes an attachment, commonly a PowerShell (.ps1) dropper file crafted to appear legitimate.

    In one notable case, the dropper, once executed, downloaded what appeared to be a random image file onto the user’s system. At first glance, the image seemed harmless, but its huge file size raised suspicion. Further analysis revealed the file contained a malicious DLL hidden using steganography. The attackers concealed binary malware within the image file. The dropper extracted this hidden payload and executed it in memory. It also created a scheduled task via Windows Task Scheduler, ensuring persistence even after reboot.

    The DLL was executed using in-memory .NET assemblies and PowerShell one-liners, avoiding detection by traditional antivirus solutions. Once active, the payload could accept commands from a remote C2 server, launch processes, and exfiltrate sensitive system information. The malware was observed collecting public and private IP addresses, geolocation data, a list of scheduled tasks, and basic system metadata (useful for lateral movement or persistence).

    These behaviours are consistent with advanced fileless malware operations, where attackers minimise their on-disk footprint and rely on living-off-the-land techniques (LOLBins) to evade detection. Indicators of compromise (IoCs) revealed that the email sender, domain, and IPs have previously been reported in malicious activity, including spoofing, credential harvesting, spam, and phishing. This suggests the threat actors are leveraging an established, actively maintained infrastructure.

    Recommendations for Security Teams
    - Train employees to recognise phishing tactics such as urgency-driven language, unexpected RFQs, and suspicious attachments. Encourage reporting to IT/security teams.
    - Configure filtering policies to block or sandbox compressed file types (e.g., .zip, .rar, .tgz) and scripts (.ps1, .js, .vbs) from untrusted senders.
    - Enable DMARC, SPF, and DKIM enforcement for email to avoid spoofing and spam.
    - Deploy advanced EDR solutions with behavioural detection to catch in-memory execution, PowerShell abuse, and steganographic payloads.
    - Monitor for suspicious persistence mechanisms (e.g., unexpected scheduled tasks).
    - Regularly apply security patches to operating systems, browsers, and office applications.
    - Restrict execution of unsigned PowerShell scripts via Constrained Language Mode or AppLocker/Defender Application Control.
    - Monitor outbound connections to detect C2 traffic patterns.
    - Hunt for anomalous large image files or unusual PowerShell activity in logs.

    #SOC #ThreatIntelligence #DigitalForensics #Malware #FilelessMalware #Threat
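The "hunt for anomalous large image files" recommendation above can be made concrete by checking whether an image carries data beyond the point where its container legitimately ends. This is an added example, not the post author's tooling: it walks PNG chunks to IEND and JPEG marker segments to the EOI marker, then reports any appended bytes. It catches payloads appended after the image (one common "steganography"), not pixel-level LSB hiding, which needs statistical analysis. The sample images are constructed stubs, not files from the campaign.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def image_end_offset(data: bytes):
    """Offset where a PNG or JPEG container properly ends, or None if unrecognised/truncated."""
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 12 + length  # 4 length + 4 type + data + 4 CRC
            if ctype == b"IEND":
                return pos
    elif data.startswith(b"\xff\xd8"):
        pos = 2
        # Walk marker segments to Start Of Scan; entropy-coded data then runs to the EOI marker.
        while pos + 4 <= len(data) and data[pos] == 0xFF:
            marker = data[pos + 1]
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if marker == 0xDA:
                eoi = data.find(b"\xff\xd9", pos)
                return None if eoi < 0 else eoi + 2
    return None


def trailing_payload(data: bytes):
    """Bytes appended after the image ends, or None when the container cannot be parsed."""
    end = image_end_offset(data)
    return None if end is None else data[end:]


def looks_like_carrier(data: bytes, min_trailing: int = 64) -> bool:
    """Hunt heuristic: a sizeable appended blob, or a PE header sitting right after the image."""
    tail = trailing_payload(data)
    return tail is not None and (len(tail) >= min_trailing or tail.startswith(b"MZ"))


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed samples: a minimal 1x1 PNG header with no pixel data, and the same PNG
# with a fake "MZ" blob appended after IEND (stand-in for a hidden DLL).
CLEAN_PNG = PNG_SIG + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)) + _png_chunk(b"IEND", b"")
CARRIER_PNG = CLEAN_PNG + b"MZ" + b"\x00" * 200
```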

  • Robert Fernandes

    Award Winning CISO | vCISO | Keynote Speaker | TEDx Speaker | Cybersecurity | Threat Exposure Monitoring | Business Resiliency | Leadership | Nonprofit Founder @ Cyberchance | Fluent in English and Spanish

    Beware of an active integrated credential phishing and cloud Account Takeover (ATO) campaign. It was originally detected by Proofpoint researchers in late November 2023. This campaign uses individualized phishing lures within shared documents, including embedded links to 'view document' that lead to a malicious phishing webpage. The targets of this attack are often senior positions, including sales directors, account managers, and finance managers. Even individuals holding executive positions such as 'vice president, operations,' 'chief financial officer & treasurer,' and 'president & CEO' were among those targeted, according to the researchers. During the access phase of the attack, the attackers use a specific Linux user-agent for accessing the OfficeHome sign-in application and gain access to a range of native Microsoft365 apps. Defenders can use this information as an indicator of compromise (IOC), as the user-agent reads: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36". Once the initial access succeeds, the attackers manipulate multi-factor authentication (MFA) to maintain persistence. This can include registering a fake phone number for SMS authentication or adding a separate authenticator with notification and code. Subsequent activity is likely to include data exfiltration, internal and external phishing, financial fraud, and compromise obfuscation through new mailbox rules to cover tracks and remove evidence of malicious activity from the victims’ mailboxes. Stay vigilant, and be cautious when clicking on shared documents or links, especially if they are individualized and come from an unverified source.
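The user-agent quoted above is a generic Linux Chrome string, so on its own it will match legitimate traffic; the post's more specific signal is that the IOC sign-in is followed by an MFA method being added. The code below, an added example and not Proofpoint's detection logic, correlates the two within a time window. The sign-in and audit events are constructed, and the activity wording "User registered security info" is an assumption about the Entra ID audit log; adjust it to your log source.

```python
from datetime import datetime, timedelta

# Access-phase user-agent quoted in the post above (the Proofpoint-reported IOC).
IOC_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")


def correlate_ato(signins, audits, window_hours=24):
    """Pair IOC user-agent sign-ins with security-info changes by the same user in the window.

    signins: dicts with 'time' (datetime), 'user', 'user_agent', 'app'.
    audits:  dicts with 'time' (datetime), 'user', 'activity'.
    Returns (user, signin_time, activity) tuples; an empty list means no correlated pair.
    """
    window = timedelta(hours=window_hours)
    audits_by_user = {}
    for a in audits:
        audits_by_user.setdefault(a["user"], []).append(a)
    findings = []
    for s in signins:
        if s["user_agent"] != IOC_UA:
            continue  # UA alone is too weak to alert on; require the MFA change as well
        for a in audits_by_user.get(s["user"], []):
            in_window = s["time"] <= a["time"] <= s["time"] + window
            if in_window and "security info" in a["activity"].lower():
                findings.append((s["user"], s["time"], a["activity"]))
    return findings


# Constructed sample events (not real tenant data). Only the CFO has an IOC sign-in
# followed by an MFA registration inside 24 hours; the sales director's registration
# is three days later and the intern signed in from a different user-agent.
T0 = datetime(2023, 11, 28, 9, 15)
SIGNINS = [
    {"time": T0, "user": "cfo@corp.example", "user_agent": IOC_UA, "app": "OfficeHome"},
    {"time": T0 + timedelta(hours=1), "user": "sales.director@corp.example", "user_agent": IOC_UA, "app": "OfficeHome"},
    {"time": T0, "user": "intern@corp.example", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0", "app": "OfficeHome"},
]
AUDITS = [
    {"time": T0 + timedelta(minutes=40), "user": "cfo@corp.example", "activity": "User registered security info"},
    {"time": T0 + timedelta(days=3), "user": "sales.director@corp.example", "activity": "User registered security info"},
    {"time": T0 + timedelta(minutes=10), "user": "intern@corp.example", "activity": "User registered security info"},
]

if __name__ == "__main__":
    for user, when, what in correlate_ato(SIGNINS, AUDITS):
        print(f"{when:%Y-%m-%d %H:%M} {user}: IOC user-agent sign-in followed by '{what}'")
```

The same join works for the mailbox-rule step the post mentions: feed it the inbox-rule creation events instead of the security-info events and widen the window.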

  • Nguyen Nguyen

    CEO, Founder @ CyberArmor | Frauds/Threats Intelligence | Reverse Engineer

    If your email is publicly searchable, cybercriminals will find it—and target you. This morning, we analyzed a phishing attempt directed at an individual working in the defense sector. A quick Google search of her email revealed multiple academic papers and online mentions—information that made her an ideal target. Threat actors, including Nigerian groups we’re actively tracking, commonly use Google Dorks to identify potential victims. Once they find an email, they craft highly personalized phishing emails that significantly increase their success rate compared to broad "spray-and-pray" tactics. Despite the abundance of breached data on the dark web, open-source intelligence remains a preferred method for targeting. Why? Because it enables precision attacks with higher return. Actionable advice: Search your own email or phone number on Google. If it appears, request removal where possible. Even if removal isn’t an option, awareness of high-risk exposure allows for stronger protective measures. Stay vigilant. Stay secure. #CyberSecurity #PhishingAwareness #ThreatIntelligence #EmailSecurity #OSINT #DarkWebMonitoring #InfoSec #SpearPhishing #DataPrivacy #CyberThreats #OnlineSafety

  • Richard Staynings

    Keynote Speaker, Cybersecurity Luminary, Evangelist, Thought Leader, Advocate, and Board Member

    Strong security for emails is one of the top concerns of CNI dealing companies. According to a recent OPSWAT report, 80% of CNI companies reported an email-related security breach in the past year. Malicious emails are being exploited to target essential services, and email-based attacks are increasingly used as a key strategy for gaining unauthorised access. CNI organisations, such as utilities, transportation, telecommunications, and data centres, are prime targets for cybercriminals. The appeal lies in the widespread disruption a successful attack can cause. For example, a report from Malwarebytes highlighted that the services industry, which includes many CNI sectors, has been heavily impacted by ransomware, accounting for nearly a quarter of global attacks. Email attacks prove to be particularly effective, according to a report by OPSWAT, which polled 250 IT and security leaders of CNI firms. For instance, CNI organisations experienced 5.7 phishing incidents, 5.6 account compromises, and 4.4 instances of data leakage per year for every 1,000 employees. Yet still, more than half of the respondents assumed that email messages and attachments were safe by default. https://lnkd.in/ghTN_8zX
