A phishing attack is an email that a fraudster sends to trick the recipient. The goal is to persuade the target to give up sensitive information, such as corporate network credentials, or to authorize some type of financial transaction. The vast majority of data breaches against businesses today begin as phishing attacks.

Just a couple of famous phishing examples:

The infamous Target breach back in 2013 started with a phishing email that gave attackers a foothold in Target’s business systems for further attacks.
Phishing appeared prominently in the Mueller Report on the 2016 presidential election hacking.

Some quick phishing statistics:

Over 55% of organizations experienced a successful phish last year.
$12 billion is the 5-year global cost of just one type of phishing attack, business email compromise (BEC).
The average phishing attack costs a mid-sized business $3.86 million.

Our database has thousands of phishing examples, but most fit into one of these 3 categories:

Phishing Emails with Malicious Links: Sometimes a phishing attack is simply an email with an embedded link. When you click, you either unknowingly activate malware or are directed to a webpage that looks perfectly legitimate but is designed to harvest your information.

Phishing Attacks with Malicious Attachments: Phishing attackers often send emails with attachments containing malware. When you click, look out. Many times phishing attackers use popular document types such as Microsoft Word or Excel or even Adobe PDFs. They take advantage of the trust people place in popular business tools.

Business Email Compromise (BEC): BEC emails, also known as CEO Fraud, typically don’t use malware but simply try to manipulate the target into sending money. Traditionally, BEC phishing attacks try to get employees in the finance department to authorize wire transfers, for instance, to a “vendor” or “partner.” This kind of attack often uses ‘CEO fraud phishing’ where attackers pretend to be the CEO or CFO to spur quick action.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and Microsoft STP deliver Raccoon Stealer via an embedded link. The link would then download a password protected .rar archive.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Raccoon Stealer

POSTED ON: 07/27/2021

TACTIC: Link

THEME: Finance

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and Microsoft STP deliver Raccoon Stealer via an embedded link. The link would then download a password protected .rar archive.

ENVIRONMENTS: Proofpoint

TYPE: Raccoon Stealer

POSTED ON: 07/27/2021

TACTIC: Link

THEME: Finance

Real Phishing Example: Quotation-themed emails found in environments protected by Proofpoint and TrendMicro deliver Loki Bot via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Loki Bot

POSTED ON: 07/26/2021

TACTIC: Link

THEME: Quotation

Real Phishing Example: Quotation-themed emails found in environments protected by Proofpoint and TrendMicro deliver Loki Bot via an embedded link.

ENVIRONMENTS: TrendMicro

TYPE: Loki Bot

POSTED ON: 07/26/2021

TACTIC: Link

THEME: Quotation

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, and Mimecast deliver credential phishing via a link embedded in an attached image file.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 07/23/2021

TACTIC: Link

THEME: Finance

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, and Mimecast deliver credential phishing via a link embedded in an attached image file.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 07/23/2021

TACTIC: Link

THEME: Finance

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, and Mimecast deliver credential phishing via a link embedded in an attached image file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 07/23/2021

TACTIC: Link

THEME: Finance

Real Phishing Example: Email-themed emails found in environments protected by Proofpoint deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 07/23/2021

TACTIC: Link

THEME: Email

Real Phishing Example: Supreme Court-themed emails found in environments protected by Proofpoint, Cisco Ironport, and Mimecast deliver credential phishing via a link embedded in an attached calendar file.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 07/22/2021

TACTIC: ICS Attachment

THEME: Supreme Court

Real Phishing Example: Supreme Court-themed emails found in environments protected by Proofpoint, Cisco Ironport, and Mimecast deliver credential phishing via a link embedded in an attached calendar file.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 07/22/2021

TACTIC: ICS Attachment

THEME: Supreme Court

Real Phishing Example: Supreme Court-themed emails found in environments protected by Proofpoint, Cisco Ironport, and Mimecast deliver credential phishing via a link embedded in an attached calendar file.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 07/22/2021

TACTIC: ICS Attachment

THEME: Supreme Court

Real Phishing Example: Finance-themed emails found in environments protected by Cisco Ironport and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 07/21/2021

TACTIC: Link

THEME: Finance

Real Phishing Example: Finance-themed emails found in environments protected by Cisco Ironport and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 07/21/2021

TACTIC: Link

THEME: Finance

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 07/20/2021

TACTIC: Link

THEME: Notification

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 07/20/2021

TACTIC: Link

THEME: Notification

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 07/20/2021

TACTIC: Link

THEME: Notification

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver Agent Tesla keylogger via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Agent Tesla Keylogger

POSTED ON: 07/19/2021

TACTIC: Link

THEME: Notification

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 07/19/2021

TACTIC: Link

THEME: Notification

Real Phishing Example: Quotation-themed emails found in environments protected by Proofpoint deliver an LZH archive via an embedded link. The archive contains both an Agent Tesla keylogger and a FormGrabber executable.

ENVIRONMENTS: Proofpoint

TYPE: Agent Tesla Keylogger

POSTED ON: 07/16/2021

TACTIC: Link

THEME: Quotation

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 07/15/2021

TACTIC: Link

THEME: Finance

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 07/15/2021

TACTIC: Link

THEME: Finance

Real Phishing Example: Message-themed emails found in environments protected by Symantec spoof various financial brands to deliver Office macro laden documents via embedded URLs. The documents drop and run a reconnaissance tool.

ENVIRONMENTS: Symantec Message

TYPE: Reconnaissance Tool

POSTED ON: 07/15/2021

TACTIC: Link

THEME: Message

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint and Cisco Ironport deliver Credential Phishing via an attached HTM file.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 07/14/2021

TACTIC: HTML Attachment

THEME: Notification

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint and Cisco Ironport deliver Credential Phishing via an attached HTM file.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 07/14/2021

TACTIC: HTML Attachment

THEME: Notification

Real Phishing Example: Innovative Health Diagnostic-spoofing emails found in environments protected by Proofpoint deliver credential phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 07/12/2021

TACTIC: Link

THEME: Innovative Health Diagnostic-spoofing

Real Phishing Example: Trend Micro-spoofing emails found in environments protected by Cisco Ironport claim to have a Kaseya advisory and detection tool available via an embedded link. The link delivers Dridex.

ENVIRONMENTS: Cisco Ironport

TYPE: Dridex

POSTED ON: 07/12/2021

TACTIC: Link

THEME: Trend Micro-spoofing

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 07/09/2021

TACTIC: Link

THEME: Notification

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL inside an attached XLSX file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 07/08/2021

TACTIC: Link

THEME: Notification

Real Phishing Example: Fax-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 07/08/2021

TACTIC: Link

THEME: Fax

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver a downloaded Agent Tesla Keylogger.

ENVIRONMENTS: Proofpoint

TYPE: Agent Tesla Keylogger

POSTED ON: 07/07/2021

TACTIC: Link

THEME: Finance

Real Phishing Example: Environmental day-themed emails found in environments protected by Microsoft ATP deliver a series of broken attachments and a JavaScript file. The JavaScript file downloads BazarBackdoor.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: BazarBackdoor

POSTED ON: 07/07/2021

TACTIC: Attached JavaScript

THEME: Environmental day

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP and Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 07/06/2021

TACTIC: Link

THEME: Finance

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP and Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 07/06/2021

TACTIC: Link

THEME: Finance

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP, Proofpoint, and Cisco Ironport deliver credential phishing via an embedded URL within an attached HTML file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 07/05/2021

TACTIC: Attached HTML

THEME: Notification

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP, Proofpoint, and Cisco Ironport deliver credential phishing via an embedded URL within an attached HTML file.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 07/05/2021

TACTIC: Attached HTML

THEME: Notification

Real Phishing Example: Invoice-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 07/02/2021

TACTIC: Link

THEME: Invoice

Real Phishing Example: Finance-themed emails found in environments protected by Symantec MessageLabs deliver credential phishing via an embedded URL that downloaded an HTML file with a credential phishing link inside.

ENVIRONMENTS: Symantec Message

TYPE: Credential Phishing

POSTED ON: 07/01/2021

TACTIC: Link

THEME: Finance

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver FormGrabber via embedded link inside an attached PDF.

ENVIRONMENTS: Proofpoint

TYPE: FormGrabber

POSTED ON: 06/30/2021

TACTIC: Attached PDF

THEME: Finance

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver FormGrabber via embedded link.

ENVIRONMENTS: Proofpoint

TYPE: FormGrabber

POSTED ON: 06/29/2021

TACTIC: Link

THEME: Finance

Real Phishing Example: WeTransfer-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL that downloaded a PDF with a credential phishing link inside.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 06/28/2021

TACTIC: Link

THEME: WeTransfer-spoofing

Real Phishing Example: Coronavirus-themed emails found in environments protected by Cisco Ironport deliver Buer Loader via an attached Office macro.

ENVIRONMENTS: Cisco Ironport

TYPE: Buer Loader

POSTED ON: 06/28/2021

TACTIC: XLSM Attachment

THEME: Coronavirus

Real Phishing Example: Shipping-themed emails found in environments protected by Proofpoint deliver an attached document with CVE-2017-0199. The document downloads an Office macro laden document which drops and runs a VBS script. The script downloads BazarBackdoor.

ENVIRONMENTS: Proofpoint

TYPE: BazarBackdoor

POSTED ON: 06/25/2021

TACTIC: DOCX Attachment

THEME: Shipping

Real Phishing Example: Airbus-spoofing emails found in environments protected by Microsoft ATP deliver VBS scripts via embedded URLs. The scripts run a DotNET loader which then runs Async RAT.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Async RAT

POSTED ON: 06/24/2021

TACTIC: Link

THEME: Airbus-spoofing

Real Phishing Example: Adobe-spoofing emails found in environments protected by Proofpoint deliver a PDF via an embedded link. The PDF contains a link to a credential phishing page.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 06/23/2021

TACTIC: Link

THEME: Adobe-spoofing

Real Phishing Example: Microsoft-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 06/23/2021

TACTIC: Link

THEME: Microsoft-spoofing

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Cisco Ironport, and Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 06/22/2021

TACTIC: Link

THEME: Notification

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Cisco Ironport, and Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 06/22/2021

TACTIC: Link

THEME: Notification

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Cisco Ironport, and Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 06/22/2021

TACTIC: Link

THEME: Notification

Real Phishing Example: DBA Janitorial Corp-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 06/22/2021

TACTIC: Link

THEME: DBA Janitorial Corp

Real Phishing Example: Finance-themed emails found in environments protected by Cisco Ironport deliver an attached Agent Tesla Keylogger.

ENVIRONMENTS: Cisco Ironport

TYPE: Agent Tesla Keylogger

POSTED ON: 06/22/2021

TACTIC: ZIPX Attachment

THEME: Finance

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver Metamorfo via a malicious batch script. The script is downloaded via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Metamorfo

POSTED ON: 06/21/2021

TACTIC: Link

THEME: Finance

Real Phishing Example: Finance-themed emails found in environments protected by Cisco Ironport deliver FormGrabber via an embedded URL.

ENVIRONMENTS: Cisco Ironport

TYPE: FormGrabber

POSTED ON: 06/17/2021

TACTIC: Link

THEME: Finance

Real Phishing Example: Quote-themed emails found in environments protected by Proofpoint deliver VBS scripts via embedded URLs. The scripts run a DotNET loader which then runs Async RAT.

ENVIRONMENTS: Proofpoint

TYPE: Async RAT

POSTED ON: 06/17/2021

TACTIC: Link

THEME: Quote

Real Phishing Example: Docusign-spoofing emails found in environments protected by Proofpoint deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 06/09/2021

TACTIC: Link

THEME: Docusign

Real Phishing Example: Password-themed emails found in environments protected by Proofpoint and Mimecast deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 06/09/2021

TACTIC: Link

THEME: Password

Real Phishing Example: Password-themed emails found in environments protected by Proofpoint and Mimecast deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 06/09/2021

TACTIC: Link

THEME: Password

Real Phishing Example: First American Title-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing via embedded links.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 06/08/2021

TACTIC: Link

THEME: First American Title-spoofing

Real Phishing Example: Finance-themed email found in environments protected by Proofpoint delivers IcedID via malicious Office macros in a password-protected zip attachment.

ENVIRONMENTS: Proofpoint

TYPE: IcedID

POSTED ON: 06/07/2021

TACTIC: Zip Attachment

THEME: Finance

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP, Proofpoint, and Cisco Ironport deliver credential phishing via an embedded URL within an attached HTML file.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 06/05/2021

TACTIC: Attached HTML

THEME: Notification

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 06/04/2021

TACTIC: Link

THEME: Notification

Real Phishing Example: Response-themed emails found in environments protected by Symantec and Microsoft ATP deliver Ursnif dropped from VBS scripts. The scripts are downloaded in password protected archives from embedded links.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Ursnif

POSTED ON: 06/03/2021

TACTIC: Link

THEME: Response

Real Phishing Example: Response-themed emails found in environments protected by Symantec and Microsoft ATP deliver Ursnif dropped from VBS scripts. The scripts are downloaded in password protected archives from embedded links.

ENVIRONMENTS: Symantec

TYPE: Ursnif

POSTED ON: 06/03/2021

TACTIC: Link

THEME: Response

Real Phishing Example: Brown-Forman spoofing emails found in environments protected by Cisco Ironport deliver links to a fake Brown-Forman web page. On Microsoft Windows computers, the page provides a link to download an Office macro laden spreadsheet. The spreadsheet then downloads and runs JSSLoader.

ENVIRONMENTS: Cisco Ironport

TYPE: JSSLoader

POSTED ON: 06/01/2021

TACTIC: Link

THEME: Brown-Forman spoofing emails

PHISHING EXAMPLE DESCRIPTION: Brown-Forman spoofing emails found in environments protected by Cisco Ironport deliver links to a fake Brown-Forman web page. On Microsoft Windows computers, the page provides a link to download an Office macro laden spreadsheet. The spreadsheet then downloads and runs JSSLoader.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 05/28/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Invoice-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 05/28/2021

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: Invoice-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 05/28/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 05/28/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver BitRAT via a JSDropper downloaded from an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: BitRAT

POSTED ON: 05/27/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver BitRAT via a JSDropper downloaded from an embedded link.

Real Phishing Example: Invoice-themed emails found in environments protected by Proofpoint deliver Credential Phishing via an attached HTML file.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 05/26/2021

TACTIC: HTML Attachment

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: Invoice-themed emails found in environments protected by Proofpoint deliver Credential Phishing via an attached HTML file.

Real Phishing Example: Response-themed emails found in environments protected by Mimecast deliver Office macro laden documents in password protected archives. The Office macros drop .HTA files which download Gziploader. Gziploader then downloads Iced-ID.

ENVIRONMENTS: Mimecast

TYPE: Iced-ID

POSTED ON: 05/25/2021

TACTIC: Zip Attachment

THEME: Response

PHISHING EXAMPLE DESCRIPTION: Response-themed emails found in environments protected by Mimecast deliver Office macro laden documents in password protected archives. The Office macros drop .HTA files which download Gziploader. Gziploader then downloads Iced-ID.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver STR RAT.

ENVIRONMENTS: Proofpoint

TYPE: STR RAT

POSTED ON: 05/24/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver STR RAT.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver STR RAT.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: STR RAT

POSTED ON: 05/24/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver STR RAT.

Real Phishing Example: Invoice-themed emails found in environments protected by Proofpoint and Mimecast deliver Snake keylogger via embedded links.

ENVIRONMENTS: Proofpoint

TYPE: Snake Keylogger

POSTED ON: 05/24/2021

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: Invoice-themed emails found in environments protected by Proofpoint and Mimecast deliver Snake keylogger via embedded links.

Real Phishing Example: Invoice-themed emails found in environments protected by Proofpoint and Mimecast deliver Snake keylogger via embedded links.

ENVIRONMENTS: Mimecast

TYPE: Snake Keylogger

POSTED ON: 05/24/2021

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: Invoice-themed emails found in environments protected by Proofpoint and Mimecast deliver Snake keylogger via embedded links.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP deliver STR RAT via embedded links.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: STR RAT

POSTED ON: 05/21/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP deliver STR RAT via embedded links.

Real Phishing Example: Fax-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an attached HTML file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 05/20/2021

TACTIC: Link

THEME: Fax

PHISHING EXAMPLE DESCRIPTION: Fax-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an attached HTML file.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 05/20/2021

TACTIC: HTML Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Fax-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 05/19/2021

TACTIC: Link

THEME: Fax

PHISHING EXAMPLE DESCRIPTION: Fax-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Invoice-themed emails found in environments protected by Proofpoint deliver Remcos RAT via embedded links. The embedded links download an XXE file that contains a Remcos RAT executable.

ENVIRONMENTS: Proofpoint

TYPE: Remcos RAT

POSTED ON: 05/18/2021

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: Invoice-themed emails found in environments protected by Proofpoint deliver Remcos RAT via embedded links. The embedded links download an XXE file that contains a Remcos RAT executable.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 05/17/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 05/17/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver Dridex via malicious Office macros. The Office macros are downloaded via embedded links.

ENVIRONMENTS: Proofpoint

TYPE: Dridex

POSTED ON: 05/14/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Dridex via malicious Office macros. The Office macros are downloaded via embedded links.

Real Phishing Example: Notification-themed emails found in environments protected by Symantec MessageLabs deliver Ursnif via an embedded link that led to a OneDrive download.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Ursnif

POSTED ON: 05/14/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Symantec MessageLabs deliver Ursnif via an embedded link that led to a OneDrive download.

Real Phishing Example: SharePA-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing via links embedded in PDF files. The PDF files are downloaded from embedded URLs.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 05/13/2021

TACTIC: Link

THEME: SharePA-spoofing

PHISHING EXAMPLE DESCRIPTION: SharePA-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing via links embedded in PDF files. The PDF files are downloaded from embedded URLs.

Real Phishing Example: Zoom-spoofing/COVID-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an attached HTML file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 05/12/2021

TACTIC: HTML Attachment

THEME: Zoom-spoofing/COVID-themed

PHISHING EXAMPLE DESCRIPTION: Zoom-spoofing/COVID-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an attached HTML file.

Real Phishing Example: Quote-themed emails found in environments protected by Proofpoint deliver Async RAT and Revenge RAT via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Async RAT, Revenge RAT

POSTED ON: 05/11/2021

TACTIC: Link

THEME: Quote

PHISHING EXAMPLE DESCRIPTION: Quote-themed emails found in environments protected by Proofpoint deliver Async RAT and Revenge RAT via an embedded URL.

Real Phishing Example: Finance-themed emails found in environments protected by Cisco Ironport deliver a sample of Agent Tesla keylogger via an archived attachment.

ENVIRONMENTS: Cisco Ironport

TYPE: Agent Tesla Keylogger

POSTED ON: 05/11/2021

TACTIC: Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Cisco Ironport deliver a sample of Agent Tesla keylogger via an archived attachment.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP deliver STR RAT via embedded URLs. Victims are required to pass a bot check in order to download the malware.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: STR RAT

POSTED ON: 05/10/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP deliver STR RAT via embedded URLs. Victims are required to pass a bot check in order to download the malware.

Real Phishing Example: Bioclone Corp-spoofing emails found in environments protected by Proofpoint deliver Loki Bot via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Loki Bot

POSTED ON: 05/10/2021

TACTIC: Link

THEME: Bioclone Corp-spoofing

PHISHING EXAMPLE DESCRIPTION: Bioclone Corp-spoofing emails found in environments protected by Proofpoint deliver Loki Bot via an embedded URL.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver a Reconnaissance Tool via a PowerShell script downloaded from an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Reconnaissance Tool

POSTED ON: 05/10/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver a Reconnaissance Tool via a PowerShell script downloaded from an embedded URL.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, Mimecast, and Proofpoint deliver STR RAT via embedded URLs. Victims are required to pass a bot check in order to download the malware.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: STR RAT

POSTED ON: 05/04/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, Mimecast, and Proofpoint deliver STR RAT via embedded URLs. Victims are required to pass a bot check in order to download the malware.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, Mimecast, and Proofpoint deliver STR RAT via embedded URLs. Victims are required to pass a bot check in order to download the malware.

ENVIRONMENTS: Symantec

TYPE: STR RAT

POSTED ON: 05/04/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, Mimecast, and Proofpoint deliver STR RAT via embedded URLs. Victims are required to pass a bot check in order to download the malware.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, Mimecast, and Proofpoint deliver STR RAT via embedded URLs. Victims are required to pass a bot check in order to download the malware.

ENVIRONMENTS: MessageLabs

TYPE: STR RAT

POSTED ON: 05/04/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, Mimecast, and Proofpoint deliver STR RAT via embedded URLs. Victims are required to pass a bot check in order to download the malware.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, Mimecast, and Proofpoint deliver STR RAT via embedded URLs. Victims are required to pass a bot check in order to download the malware.

ENVIRONMENTS: Mimecast

TYPE: STR RAT

POSTED ON: 05/04/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, Mimecast, and Proofpoint deliver STR RAT via embedded URLs. Victims are required to pass a bot check in order to download the malware.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, Mimecast, and Proofpoint deliver STR RAT via embedded URLs. Victims are required to pass a bot check in order to download the malware.

ENVIRONMENTS: Proofpoint

TYPE: STR RAT

POSTED ON: 05/04/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, Mimecast, and Proofpoint deliver STR RAT via embedded URLs. Victims are required to pass a bot check in order to download the malware.

Real Phishing Example: SharePoint-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing embedded in an attached HTML file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 05/03/2021

TACTIC: HTML Attachment

THEME: SharePoint-spoofing

PHISHING EXAMPLE DESCRIPTION: SharePoint-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing embedded in an attached HTML file.

Real Phishing Example: Standard Chartered-spoofing emails found in environments protected by Proofpoint deliver Snake Keylogger via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Snake Keylogger

POSTED ON: 05/03/2021

TACTIC: Link

THEME: Standard Chartered-spoofing

PHISHING EXAMPLE DESCRIPTION: Standard Chartered-spoofing emails found in environments protected by Proofpoint deliver Snake Keylogger via an embedded URL.

Real Phishing Example: Fax-themed emails found in environments protected by Microsoft ATP deliver credential phishing embedded in an attached HTML file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 04/30/2021

TACTIC: HTML Attachment

THEME: Fax

PHISHING EXAMPLE DESCRIPTION: Fax-themed emails found in environments protected by Microsoft ATP deliver credential phishing embedded in an attached HTML file.

Real Phishing Example: Order-themed emails found in environments protected by Cisco Ironport deliver NanoCore RAT via an embedded URL.

ENVIRONMENTS: Cisco Ironport

TYPE: NanoCore RAT

POSTED ON: 04/29/2021

TACTIC: Link

THEME: Order

PHISHING EXAMPLE DESCRIPTION: Order-themed emails found in environments protected by Cisco Ironport deliver NanoCore RAT via an embedded URL.

Real Phishing Example: Order-themed emails found in environments protected by Proofpoint deliver Buer Loader via an Office macro laden spreadsheet. The spreadsheet is downloaded from an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Buer Loader

POSTED ON: 04/29/2021

TACTIC: Link

THEME: Order

PHISHING EXAMPLE DESCRIPTION: Order-themed emails found in environments protected by Proofpoint deliver Buer Loader via an Office macro laden spreadsheet. The spreadsheet is downloaded from an embedded URL.

Real Phishing Example: pCloud-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing via a link embedded in a PDF. The PDF is downloaded from a link embedded in the email.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 04/28/2021

TACTIC: Link

THEME: pCloud-Spoofing

PHISHING EXAMPLE DESCRIPTION: pCloud-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing via a link embedded in a PDF. The PDF is downloaded from a link embedded in the email.

Real Phishing Example: Closing Disclosure-themed emails spoofing First American Title were found in environments protected by Proofpoint, Cisco Ironport, and Microsoft ATP and deliver credential phishing via embedded links.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 04/28/2021

TACTIC: Link

THEME: Closing Disclosure

PHISHING EXAMPLE DESCRIPTION: Closing Disclosure-themed emails spoofing First American Title were found in environments protected by Proofpoint, Cisco Ironport, and Microsoft ATP and deliver credential phishing via embedded links.

Real Phishing Example: Closing Disclosure-themed emails spoofing First American Title were found in environments protected by Proofpoint, Cisco Ironport, and Microsoft ATP and deliver credential phishing via embedded links.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 04/28/2021

TACTIC: Link

THEME: Closing Disclosure

PHISHING EXAMPLE DESCRIPTION: Closing Disclosure-themed emails spoofing First American Title were found in environments protected by Proofpoint, Cisco Ironport, and Microsoft ATP and deliver credential phishing via embedded links.

Real Phishing Example: Closing Disclosure-themed emails spoofing First American Title were found in environments protected by Proofpoint, Cisco Ironport, and Microsoft ATP and deliver credential phishing via embedded links.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 04/28/2021

TACTIC: Link

THEME: Closing Disclosure

PHISHING EXAMPLE DESCRIPTION: Closing Disclosure-themed emails spoofing First American Title were found in environments protected by Proofpoint, Cisco Ironport, and Microsoft ATP and deliver credential phishing via embedded links.

Real Phishing Example: APT Mold-spoofing emails found in environments protected by Proofpoint deliver Agent Tesla Keylogger via an executable enclosed in an attached archive. This type of archive cannot be opened by most commonly used software.

ENVIRONMENTS: Proofpoint

TYPE: Agent Tesla Keylogger

POSTED ON: 04/27/2021

TACTIC: ARC Attachment

THEME: Spoofing

PHISHING EXAMPLE DESCRIPTION: APT Mold-spoofing emails found in environments protected by Proofpoint deliver Agent Tesla Keylogger via an executable enclosed in an attached archive. This type of archive cannot be opened by most commonly used software.

Real Phishing Example: Microsoft-spoofing emails found in environments protected by Proofpoint, Mimecast, and Microsoft ATP deliver credential phishing via a link hosted on a OneNote page. A link to the OneNote page is embedded in the email.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 04/26/2021

TACTIC: Link

THEME: Spoofing

PHISHING EXAMPLE DESCRIPTION: Microsoft-spoofing emails found in environments protected by Proofpoint, Mimecast, and Microsoft ATP deliver credential phishing via a link hosted on a OneNote page. A link to the OneNote page is embedded in the email.

Real Phishing Example: Microsoft-spoofing emails found in environments protected by Proofpoint, Mimecast, and Microsoft ATP deliver credential phishing via a link hosted on a OneNote page. A link to the OneNote page is embedded in the email.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 04/26/2021

TACTIC: Link

THEME: Spoofing

PHISHING EXAMPLE DESCRIPTION: Microsoft-spoofing emails found in environments protected by Proofpoint, Mimecast, and Microsoft ATP deliver credential phishing via a link hosted on a OneNote page. A link to the OneNote page is embedded in the email.

Real Phishing Example: Chase bank-spoofing emails found in environments protected by Proofpoint deliver credential phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 04/26/2021

TACTIC: Link

THEME: Spoofing

PHISHING EXAMPLE DESCRIPTION: Chase bank-spoofing emails found in environments protected by Proofpoint deliver credential phishing via an embedded link.

Real Phishing Example: Acento Real Estate Partners-spoofing emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 04/26/2021

TACTIC: Link

THEME: Spoofing

PHISHING EXAMPLE DESCRIPTION: Acento Real Estate Partners-spoofing emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL.

Real Phishing Example: Microsoft-spoofing emails found in environments protected by Proofpoint, Mimecast, and Microsoft ATP deliver credential phishing via a link hosted on a OneNote page. A link to the OneNote page is embedded in the email.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 04/26/2021

TACTIC: Link

THEME: Spoofing

PHISHING EXAMPLE DESCRIPTION: Microsoft-spoofing emails found in environments protected by Proofpoint, Mimecast, and Microsoft ATP deliver credential phishing via a link hosted on a OneNote page. A link to the OneNote page is embedded in the email.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP deliver Loki Bot via an attached spreadsheet with CVE-2017-11882.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Loki Bot

POSTED ON: 04/23/2021

TACTIC: XLSX Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP deliver Loki Bot via an attached spreadsheet with CVE-2017-11882.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP spoof DocuSign and deliver Office macros via embedded URLs. The Office macros drop and run Chanitor, which then delivers Ficker Stealer.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Chanitor

POSTED ON: 04/22/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP spoof DocuSign and deliver Office macros via embedded URLs. The Office macros drop and run Chanitor, which then delivers Ficker Stealer.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver attached HTML files. When opened, the HTML files deliver an embedded .zip archive containing a JavaScript dropper. The JavaScript dropper downloads BitRAT. BitRAT drops legitimate files which are repurposed and used to connect to a Tor hosted command and control location.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: BitRAT

POSTED ON: 04/22/2021

TACTIC: HTML Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver attached HTML files. When opened, the HTML files deliver an embedded .zip archive containing a JavaScript dropper. The JavaScript dropper downloads BitRAT. BitRAT drops legitimate files which are repurposed and used to connect to a Tor hosted command and control location.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver attached HTML files. When opened, the HTML files deliver an embedded .zip archive containing a JavaScript dropper. The JavaScript dropper downloads BitRAT. BitRAT drops legitimate files which are repurposed and used to connect to a Tor hosted command and control location.

ENVIRONMENTS: Cisco Ironport

TYPE: BitRAT

POSTED ON: 04/22/2021

TACTIC: HTML Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver attached HTML files. When opened, the HTML files deliver an embedded .zip archive containing a JavaScript dropper. The JavaScript dropper downloads BitRAT. BitRAT drops legitimate files which are repurposed and used to connect to a Tor hosted command and control location.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Proofpoint, Mimecast, and Cisco Ironport deliver Excel spreadsheets via embedded URLs. The spreadsheets contain links to download Office macro laden spreadsheets. The Office macros download ZLoader.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: ZLoader

POSTED ON: 04/21/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Proofpoint, Mimecast, and Cisco Ironport deliver Excel spreadsheets via embedded URLs. The spreadsheets contain links to download Office macro laden spreadsheets. The Office macros download ZLoader.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Proofpoint, Mimecast, and Cisco Ironport deliver Excel spreadsheets via embedded URLs. The spreadsheets contain links to download Office macro laden spreadsheets. The Office macros download ZLoader.

ENVIRONMENTS: Proofpoint

TYPE: ZLoader

POSTED ON: 04/21/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Proofpoint, Mimecast, and Cisco Ironport deliver Excel spreadsheets via embedded URLs. The spreadsheets contain links to download Office macro laden spreadsheets. The Office macros download ZLoader.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Proofpoint, Mimecast, and Cisco Ironport deliver Excel spreadsheets via embedded URLs. The spreadsheets contain links to download Office macro laden spreadsheets. The Office macros download ZLoader.

ENVIRONMENTS: Mimecast

TYPE: ZLoader

POSTED ON: 04/21/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Proofpoint, Mimecast, and Cisco Ironport deliver Excel spreadsheets via embedded URLs. The spreadsheets contain links to download Office macro laden spreadsheets. The Office macros download ZLoader.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Proofpoint, Mimecast, and Cisco Ironport deliver Excel spreadsheets via embedded URLs. The spreadsheets contain links to download Office macro laden spreadsheets. The Office macros download ZLoader.

ENVIRONMENTS: Cisco Ironport

TYPE: ZLoader

POSTED ON: 04/21/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Proofpoint, Mimecast, and Cisco Ironport deliver Excel spreadsheets via embedded URLs. The spreadsheets contain links to download Office macro laden spreadsheets. The Office macros download ZLoader.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP deliver credential phishing embedded in an attached HTML file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 04/21/2021

TACTIC: HTML Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP deliver credential phishing embedded in an attached HTML file.

Real Phishing Example: Finance-themed emails deliver STR RAT via attached HTM files.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: STR RAT

POSTED ON: 04/20/2021

TACTIC: HTML Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails deliver STR RAT via attached HTM files.

Real Phishing Example: Finance-themed emails deliver STR RAT via attached HTM files.

ENVIRONMENTS: Proofpoint

TYPE: STR RAT

POSTED ON: 04/20/2021

TACTIC: HTML Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails deliver STR RAT via attached HTM files.

Real Phishing Example: Michael Page UK and Ireland-spoofing emails contain embedded links which redirect to a website also spoofing Michael Page UK and Ireland. Once victims pass a bot check they are provided with an Office macro laden spreadsheet. The spreadsheet downloads Ursnif.

ENVIRONMENTS: Cisco Ironport

TYPE: Ursnif

POSTED ON: 04/20/2021

TACTIC: Link

THEME: Spoofing

PHISHING EXAMPLE DESCRIPTION: Michael Page UK and Ireland-spoofing emails contain embedded links which redirect to a website also spoofing Michael Page UK and Ireland. Once victims pass a bot check they are provided with an Office macro laden spreadsheet. The spreadsheet downloads Ursnif.

Real Phishing Example: Michael Page UK and Ireland-spoofing emails contain embedded links which redirect to a website also spoofing Michael Page UK and Ireland. Once victims pass a bot check they are provided with an Office macro laden spreadsheet. The spreadsheet downloads Ursnif.

ENVIRONMENTS: Proofpoint

TYPE: Ursnif

POSTED ON: 04/20/2021

TACTIC: Link

THEME: Spoofing

PHISHING EXAMPLE DESCRIPTION: Michael Page UK and Ireland-spoofing emails contain embedded links which redirect to a website also spoofing Michael Page UK and Ireland. Once victims pass a bot check they are provided with an Office macro laden spreadsheet. The spreadsheet downloads Ursnif.

Real Phishing Example: Voicemail-themed emails found in environments protected by Microsoft ATP deliver credential phishing embedded in an attached HTML file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 04/16/2021

TACTIC: HTML Attachment

THEME: Voicemail

PHISHING EXAMPLE DESCRIPTION: Voicemail-themed emails found in environments protected by Microsoft ATP deliver credential phishing embedded in an attached HTML file.

Real Phishing Example: Response-themed email found in environments protected by Proofpoint, Microsoft ATP, Symantec, Mimecast, and Ironport delivers QakBot via malicious Office macros which are downloaded from embedded URLs.

ENVIRONMENTS: Proofpoint

TYPE: QakBot

POSTED ON: 04/15/2021

TACTIC: Link

THEME: Response

PHISHING EXAMPLE DESCRIPTION: Response-themed email found in environments protected by Proofpoint, Microsoft ATP, Symantec, Mimecast, and Ironport delivers QakBot via malicious Office macros which are downloaded from embedded URLs.

Real Phishing Example: Response-themed email found in environments protected by Proofpoint, Microsoft ATP, Symantec, Mimecast, and Ironport delivers QakBot via malicious Office macros which are downloaded from embedded URLs.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: QakBot

POSTED ON: 04/15/2021

TACTIC: Link

THEME: Response

PHISHING EXAMPLE DESCRIPTION: Response-themed email found in environments protected by Proofpoint, Microsoft ATP, Symantec, Mimecast, and Ironport delivers QakBot via malicious Office macros which are downloaded from embedded URLs.

Real Phishing Example: Response-themed email found in environments protected by Proofpoint, Microsoft ATP, Symantec, Mimecast, and Ironport delivers QakBot via malicious Office macros which are downloaded from embedded URLs.

ENVIRONMENTS: Symantec

TYPE: QakBot

POSTED ON: 04/15/2021

TACTIC: Link

THEME: Response

PHISHING EXAMPLE DESCRIPTION: Response-themed email found in environments protected by Proofpoint, Microsoft ATP, Symantec, Mimecast, and Ironport delivers QakBot via malicious Office macros which are downloaded from embedded URLs.

Real Phishing Example: Response-themed email found in environments protected by Proofpoint, Microsoft ATP, Symantec, Mimecast, and Ironport delivers QakBot via malicious Office macros which are downloaded from embedded URLs.

ENVIRONMENTS: Mimecast

TYPE: QakBot

POSTED ON: 04/15/2021

TACTIC: Link

THEME: Response

PHISHING EXAMPLE DESCRIPTION: Response-themed email found in environments protected by Proofpoint, Microsoft ATP, Symantec, Mimecast, and Ironport delivers QakBot via malicious Office macros which are downloaded from embedded URLs.

Real Phishing Example: Response-themed email found in environments protected by Proofpoint, Microsoft ATP, Symantec, Mimecast, and Ironport delivers QakBot via malicious Office macros which are downloaded from embedded URLs.

ENVIRONMENTS: Ironport

TYPE: QakBot

POSTED ON: 04/15/2021

TACTIC: Link

THEME: Response

PHISHING EXAMPLE DESCRIPTION: Response-themed email found in environments protected by Proofpoint, Microsoft ATP, Symantec, Mimecast, and Ironport delivers QakBot via malicious Office macros which are downloaded from embedded URLs.

Real Phishing Example: Documents-themed emails found in environments protected by Proofpoint deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 04/14/2021

TACTIC: Link

THEME: Document

PHISHING EXAMPLE DESCRIPTION: Documents-themed emails found in environments protected by Proofpoint deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver Pyrogenic Stealer via attached HTML files.

ENVIRONMENTS: Proofpoint

TYPE: Pyrogenic Stealer

POSTED ON: 04/13/2021

TACTIC: HTML Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Pyrogenic Stealer via attached HTML files.

Real Phishing Example: Finance-themed emails found in environments protected by Symantec deliver Agent Tesla Keylogger via an embedded URL.

ENVIRONMENTS: Symantec

TYPE: Agent Tesla Keylogger

POSTED ON: 04/12/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Symantec deliver Agent Tesla Keylogger via an embedded URL.

Real Phishing Example: SharePoint-spoofing emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 04/09/2021

TACTIC: Link

THEME: SharePoint-spoofing

PHISHING EXAMPLE DESCRIPTION: SharePoint-spoofing emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: DocuSign-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver attached HTML files. The HTML files contain a link to a Google Docs hosted page which contains another link. When that link is clicked an Office macro laden document is downloaded which installs Chanitor.

ENVIRONMENTS: Proofpoint

TYPE: Chanitor

POSTED ON: 04/08/2021

TACTIC: HTML Attachment

THEME: DocuSign-spoofing

PHISHING EXAMPLE DESCRIPTION: DocuSign-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver attached HTML files. The HTML files contain a link to a Google Docs hosted page which contains another link. When that link is clicked an Office macro laden document is downloaded which installs Chanitor.

Real Phishing Example: DocuSign-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver attached HTML files. The HTML files contain a link to a Google Docs hosted page which contains another link. When that link is clicked an Office macro laden document is downloaded which installs Chanitor.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Chanitor

POSTED ON: 04/08/2021

TACTIC: HTML Attachment

THEME: DocuSign-spoofing

PHISHING EXAMPLE DESCRIPTION: DocuSign-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver attached HTML files. The HTML files contain a link to a Google Docs hosted page which contains another link. When that link is clicked an Office macro laden document is downloaded which installs Chanitor.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver an attached malware downloader that downloads Amadey. Amadey downloads and runs Remcos RAT.

ENVIRONMENTS: Proofpoint

TYPE: Amadey

POSTED ON: 04/07/2021

TACTIC: RAR Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver an attached malware downloader that downloads Amadey. Amadey downloads and runs Remcos RAT.

Real Phishing Example: Verification-themed emails found in environments protected by Microsoft ATP deliver TrickBot via malicious Office macros.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: TrickBot

POSTED ON: 04/06/2021

TACTIC: XLS Attachment

THEME: Verification

PHISHING EXAMPLE DESCRIPTION: Verification-themed emails found in environments protected by Microsoft ATP deliver TrickBot via malicious Office macros.

Real Phishing Example: Voicemail-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an attached HTML file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 04/05/2021

TACTIC: HTML

THEME: Voicemail

PHISHING EXAMPLE DESCRIPTION: Voicemail-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an attached HTML file.

Real Phishing Example: Document-themed emails found in environments protected by Microsoft ATP and Mimecast deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 04/02/2021

TACTIC: Link

THEME: Document

PHISHING EXAMPLE DESCRIPTION: Document-themed emails found in environments protected by Microsoft ATP and Mimecast deliver Credential Phishing via an embedded link.

Real Phishing Example: Document-themed emails found in environments protected by Microsoft ATP and Mimecast deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 04/02/2021

TACTIC: Link

THEME: Document

PHISHING EXAMPLE DESCRIPTION: Document-themed emails found in environments protected by Microsoft ATP and Mimecast deliver Credential Phishing via an embedded link.

Real Phishing Example: Shared File-themed emails found in environments protected by Proofpoint deliver FormGrabber via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Form Grabber

POSTED ON: 04/01/2021

TACTIC: Link

THEME: Shared File

PHISHING EXAMPLE DESCRIPTION: Shared File-themed emails found in environments protected by Proofpoint deliver FormGrabber via an embedded URL.

Real Phishing Example: Microsoft Office 365-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 04/01/2021

TACTIC: Link

THEME: Microsoft Office 365-spoofing

PHISHING EXAMPLE DESCRIPTION: Microsoft Office 365-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Microsoft Office 365-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 04/01/2021

TACTIC: Link

THEME: Microsoft Office 365-spoofing

PHISHING EXAMPLE DESCRIPTION: Microsoft Office 365-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 03/31/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 03/30/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 03/30/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver Agent Tesla keylogger via embedded URLs.

ENVIRONMENTS: Proofpoint

TYPE: Agent Tesla Keylogger

POSTED ON: 03/29/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Agent Tesla keylogger via embedded URLs.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 03/29/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Symantec MessageLabs deliver FormGrabber via CVE-2017-11882 downloaded from an embedded URL.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Form Grabber

POSTED ON: 03/26/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Symantec MessageLabs deliver FormGrabber via CVE-2017-11882 downloaded from an embedded URL.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 03/26/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver Credential Phishing via an embedded link.

Real Phishing Example: Voicemail-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 03/26/2021

TACTIC: Link

THEME: Voicemail

PHISHING EXAMPLE DESCRIPTION: Voicemail-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: DHL-spoofing emails found in environments protected by Proofpoint deliver Agent Tesla keylogger via embedded URLs.

ENVIRONMENTS: Proofpoint

TYPE: Agent Tesla Keylogger

POSTED ON: 03/23/2021

TACTIC: Link

THEME: Spoofing

PHISHING EXAMPLE DESCRIPTION: DHL-spoofing emails found in environments protected by Proofpoint deliver Agent Tesla keylogger via embedded URLs.

Real Phishing Example: Finance-themed emails bypass Proofpoint, Microsoft ATP, and Mimecast to deliver Pyrogenic stealer via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Pyrogenic Stealer

POSTED ON: 03/22/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails bypass Proofpoint, Microsoft ATP, and Mimecast to deliver Pyrogenic stealer via an embedded URL.

Real Phishing Example: Finance-themed emails bypass Proofpoint, Microsoft ATP, and Mimecast to deliver Pyrogenic stealer via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Pyrogenic Stealer

POSTED ON: 03/22/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails bypass Proofpoint, Microsoft ATP, and Mimecast to deliver Pyrogenic stealer via an embedded URL.

Real Phishing Example: Finance-themed emails bypass Proofpoint, Microsoft ATP, and Mimecast to deliver Pyrogenic stealer via an embedded URL.

ENVIRONMENTS: Mimecast

TYPE: Pyrogenic Stealer

POSTED ON: 03/22/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails bypass Proofpoint, Microsoft ATP, and Mimecast to deliver Pyrogenic stealer via an embedded URL.

Real Phishing Example: Shared File-themed emails found in environments protected by Proofpoint and Mimecast deliver credential phishing via an attached HTML file.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 03/22/2021

TACTIC: HTML Attachment

THEME: Shared File

PHISHING EXAMPLE DESCRIPTION: Shared File-themed emails found in environments protected by Proofpoint and Mimecast deliver credential phishing via an attached HTML file.

Real Phishing Example: Shared File-themed emails found in environments protected by Proofpoint and Mimecast deliver credential phishing via an attached HTML file.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 03/22/2021

TACTIC: HTML Attachment

THEME: Shared File

PHISHING EXAMPLE DESCRIPTION: Shared File-themed emails found in environments protected by Proofpoint and Mimecast deliver credential phishing via an attached HTML file.

Real Phishing Example: Notification-themed emails found in environments protected by Cisco Ironport deliver credential phishing via an attached HTM file.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 03/19/2021

TACTIC: Attached HTML

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Cisco Ironport deliver credential phishing via an attached HTM file.

Real Phishing Example: Finance-spoofed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 03/19/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-spoofed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded link.

Real Phishing Example: Finance-spoofed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 03/18/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-spoofed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded link.

Real Phishing Example: Finance-spoofed emails found in environments protected by Microsoft ATP, Proofpoint and Cisco Ironport deliver credential phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 03/17/2021

TACTIC: embedded URLs

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-spoofed emails found in environments protected by Microsoft ATP, Proofpoint and Cisco Ironport deliver credential phishing via an embedded link.

Real Phishing Example: Finance-spoofed emails found in environments protected by Microsoft ATP, Proofpoint, and Cisco Ironport deliver credential phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 03/17/2021

TACTIC: embedded URLs

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-spoofed emails found in environments protected by Microsoft ATP, Proofpoint, and Cisco Ironport deliver credential phishing via an embedded link.

Real Phishing Example: Finance-spoofed emails found in environments protected by Microsoft ATP, Proofpoint, and Cisco Ironport deliver credential phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 03/17/2021

TACTIC: embedded URLs

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-spoofed emails found in environments protected by Microsoft ATP, Proofpoint, and Cisco Ironport deliver credential phishing via an embedded link.

Real Phishing Example: Finance-spoofed emails found in environments protected by Proofpoint deliver FormGrabber via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Form Grabber

POSTED ON: 03/16/2021

TACTIC: embedded URLs

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-spoofed emails found in environments protected by Proofpoint deliver FormGrabber via an embedded link.

Real Phishing Example: IRS-spoofed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 03/15/2021

TACTIC: embedded URLs

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: IRS-spoofed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an attached HTML.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 03/11/2021

TACTIC: attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an attached HTML.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 03/10/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 03/10/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Mimecast deliver credential phishing via an embedded link.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 03/10/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Mimecast deliver credential phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft Defender O365 deliver Credential Phishing via an attached HTML file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 03/10/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft Defender O365 deliver Credential Phishing via an attached HTML file.

Real Phishing Example: Fax-themed emails found in environments protected by Microsoft Defender O365 deliver credential phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 03/09/2021

TACTIC: Link

THEME: Fax-themed

PHISHING EXAMPLE DESCRIPTION: Fax-themed emails found in environments protected by Microsoft Defender O365 deliver credential phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Mimecast and Proofpoint deliver credential phishing via an embedded link.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 03/08/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Mimecast and Proofpoint deliver credential phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Mimecast and Proofpoint deliver credential phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 03/08/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Mimecast and Proofpoint deliver credential phishing via an embedded link.

Real Phishing Example: IRS-spoofing emails found in environments protected by Symantec MessageLabs, Mimecast, and Proofpoint claim to deliver information on the President’s Rescue Plan via an embedded URL. The URL delivers an Office macro laden spreadsheet. The Office macro downloads Dridex.

ENVIRONMENTS: Proofpoint

TYPE: Dridex

POSTED ON: 03/04/2021

TACTIC: Link

THEME: IRS-spoofing

PHISHING EXAMPLE DESCRIPTION: IRS-spoofing emails found in environments protected by Symantec MessageLabs, Mimecast, and Proofpoint claim to deliver information on the President’s Rescue Plan via an embedded URL. The URL delivers an Office macro laden spreadsheet. The Office macro downloads Dridex.

Real Phishing Example: IRS-spoofing emails found in environments protected by Symantec MessageLabs, Mimecast, and Proofpoint claim to deliver information on the President’s Rescue Plan via an embedded URL. The URL delivers an Office macro laden spreadsheet. The Office macro downloads Dridex.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Dridex

POSTED ON: 03/04/2021

TACTIC: Link

THEME: IRS-spoofing

PHISHING EXAMPLE DESCRIPTION: IRS-spoofing emails found in environments protected by Symantec MessageLabs, Mimecast, and Proofpoint claim to deliver information on the President’s Rescue Plan via an embedded URL. The URL delivers an Office macro laden spreadsheet. The Office macro downloads Dridex.

Real Phishing Example: IRS-spoofing emails found in environments protected by Symantec MessageLabs, Mimecast, and Proofpoint claim to deliver information on the President’s Rescue Plan via an embedded URL. The URL delivers an Office macro laden spreadsheet. The Office macro downloads Dridex.

ENVIRONMENTS: Mimecast

TYPE: Dridex

POSTED ON: 03/04/2021

TACTIC: Link

THEME: IRS-spoofing

PHISHING EXAMPLE DESCRIPTION: IRS-spoofing emails found in environments protected by Symantec MessageLabs, Mimecast, and Proofpoint claim to deliver information on the President’s Rescue Plan via an embedded URL. The URL delivers an Office macro laden spreadsheet. The Office macro downloads Dridex.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, Proofpoint, and Symantec MessageLabs deliver ZLoader via Office macro laden spreadsheets. The spreadsheets are downloaded from embedded URLs.

ENVIRONMENTS: Symantec

TYPE: ZLoader

POSTED ON: 03/02/2021

TACTIC: embedded URLs

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, Proofpoint, and Symantec MessageLabs deliver ZLoader via Office macro laden spreadsheets. The spreadsheets are downloaded from embedded URLs.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver a JavaScript file via an embedded URL. The JavaScript file unpacks and runs STRRAT.

ENVIRONMENTS: Proofpoint

TYPE: STRRAT

POSTED ON: 03/02/2021

TACTIC: embedded URLs

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver a JavaScript file via an embedded URL. The JavaScript file unpacks and runs STRRAT.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver JNLP shortcut files via XXE archives. The JNLP files download and run a JAR Downloader which in turn downloads Smoke Loader.

ENVIRONMENTS: Proofpoint

TYPE: Smoke Loader

POSTED ON: 03/02/2021

TACTIC: downloader attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver JNLP shortcut files via XXE archives. The JNLP files download and run a JAR Downloader which in turn downloads Smoke Loader.

Real Phishing Example: Microsoft-spoofing emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 03/02/2021

TACTIC: embedded URLs

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Microsoft-spoofing emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Xerox-spoofing emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 03/02/2021

TACTIC: embedded URLs

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Xerox-spoofing emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, Proofpoint, and Symantec MessageLabs deliver ZLoader via Office macro laden spreadsheets. The spreadsheets are downloaded from embedded URLs.

ENVIRONMENTS: Microsoft Defender for O365, Cisco Ironport, Proofpoint, and Symantec MessageLabs

TYPE: ZLoader

POSTED ON: 03/02/2021

TACTIC: embedded URLs

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, Proofpoint, and Symantec MessageLabs deliver ZLoader via Office macro laden spreadsheets. The spreadsheets are downloaded from embedded URLs.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, Proofpoint, and Symantec MessageLabs deliver ZLoader via Office macro laden spreadsheets. The spreadsheets are downloaded from embedded URLs.

ENVIRONMENTS: Proofpoint

TYPE: ZLoader

POSTED ON: 03/02/2021

TACTIC: embedded URLs

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, Proofpoint, and Symantec MessageLabs deliver ZLoader via Office macro laden spreadsheets. The spreadsheets are downloaded from embedded URLs.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, Proofpoint, and Symantec MessageLabs deliver ZLoader via Office macro laden spreadsheets. The spreadsheets are downloaded from embedded URLs.

ENVIRONMENTS: Cisco Ironport

TYPE: ZLoader

POSTED ON: 03/02/2021

TACTIC: embedded URLs

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, Proofpoint, and Symantec MessageLabs deliver ZLoader via Office macro laden spreadsheets. The spreadsheets are downloaded from embedded URLs.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver JNLP shortcut files via XXE archives. The JNLP files download and run a JAR Downloader which in turn downloads Smoke Loader.

ENVIRONMENTS: Proofpoint

TYPE: Smoke Loader

POSTED ON: 03/01/2021

TACTIC: downloader attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver JNLP shortcut files via XXE archives. The JNLP files download and run a JAR Downloader which in turn downloads Smoke Loader.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Cisco IronPort, Microsoft Defender for O365, and Mimecast deliver password protected Office macro laden spreadsheets via embedded links. The spreadsheets download Dridex.

ENVIRONMENTS: Proofpoint

TYPE: Dridex

POSTED ON: 02/24/2021

TACTIC: Link

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint, Cisco IronPort, Microsoft Defender for O365, and Mimecast deliver password protected Office macro laden spreadsheets via embedded links. The spreadsheets download Dridex.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Cisco IronPort, Microsoft Defender for O365, and Mimecast deliver password protected Office macro laden spreadsheets via embedded links. The spreadsheets download Dridex.

ENVIRONMENTS: Cisco Ironport

TYPE: Dridex

POSTED ON: 02/24/2021

TACTIC: Link

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint, Cisco IronPort, Microsoft Defender for O365, and Mimecast deliver password protected Office macro laden spreadsheets via embedded links. The spreadsheets download Dridex.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Cisco IronPort, Microsoft Defender for O365, and Mimecast deliver password protected Office macro laden spreadsheets via embedded links. The spreadsheets download Dridex.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Dridex

POSTED ON: 02/24/2021

TACTIC: Link

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint, Cisco IronPort, Microsoft Defender for O365, and Mimecast deliver password protected Office macro laden spreadsheets via embedded links. The spreadsheets download Dridex.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Cisco IronPort, Microsoft Defender for O365, and Mimecast deliver password protected Office macro laden spreadsheets via embedded links. The spreadsheets download Dridex.

ENVIRONMENTS: Mimecast

TYPE: Dridex

POSTED ON: 02/24/2021

TACTIC: Link

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint, Cisco IronPort, Microsoft Defender for O365, and Mimecast deliver password protected Office macro laden spreadsheets via embedded links. The spreadsheets download Dridex.

Real Phishing Example: Fax-themed emails found in environments protected by Proofpoint deliver Agent Tesla Keylogger via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Agent Tesla Keylogger

POSTED ON: 02/23/2021

TACTIC: Link

PHISHING EXAMPLE DESCRIPTION: Fax-themed emails found in environments protected by Proofpoint deliver Agent Tesla Keylogger via an embedded URL.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft Defender for O365 deliver credential phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 02/23/2021

TACTIC: Link

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft Defender for O365 deliver credential phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and Microsoft Defender for O365 deliver an attached malware downloader that downloads Amadey. Amadey downloads and runs Remcos RAT.

ENVIRONMENTS: Proofpoint

TYPE: Remcos RAT

POSTED ON: 02/22/2021

TACTIC: RAR Attachment

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and Microsoft Defender for O365 deliver an attached malware downloader that downloads Amadey. Amadey downloads and runs Remcos RAT.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and Microsoft Defender for O365 deliver an attached malware downloader that downloads Amadey. Amadey downloads and runs Remcos RAT.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Remcos RAT

POSTED ON: 02/22/2021

TACTIC: RAR Attachment

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and Microsoft Defender for O365 deliver an attached malware downloader that downloads Amadey. Amadey downloads and runs Remcos RAT.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft Defender for O365 deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 02/19/2021

TACTIC: Link

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft Defender for O365 deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Ironport, Mimecast, and Microsoft Defender for O365 deliver ZLoader via Office macro laden spreadsheets. The spreadsheets are downloaded from embedded URLs.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Zloader

POSTED ON: 02/18/2021

TACTIC: Link

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint, Ironport, Mimecast, and Microsoft Defender for O365 deliver ZLoader via Office macro laden spreadsheets. The spreadsheets are downloaded from embedded URLs.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Ironport, Mimecast, and Microsoft Defender for O365 deliver ZLoader via Office macro laden spreadsheets. The spreadsheets are downloaded from embedded URLs.

ENVIRONMENTS: Mimecast

TYPE: Zloader

POSTED ON: 02/18/2021

TACTIC: Link

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint, Ironport, Mimecast, and Microsoft Defender for O365 deliver ZLoader via Office macro laden spreadsheets. The spreadsheets are downloaded from embedded URLs.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Ironport, Mimecast, and Microsoft Defender for O365 deliver ZLoader via Office macro laden spreadsheets. The spreadsheets are downloaded from embedded URLs.

ENVIRONMENTS: Ironport

TYPE: Zloader

POSTED ON: 02/18/2021

TACTIC: Link

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint, Ironport, Mimecast, and Microsoft Defender for O365 deliver ZLoader via Office macro laden spreadsheets. The spreadsheets are downloaded from embedded URLs.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Ironport, Mimecast, and Microsoft Defender for O365 deliver ZLoader via Office macro laden spreadsheets. The spreadsheets are downloaded from embedded URLs.

ENVIRONMENTS: Proofpoint

TYPE: Zloader

POSTED ON: 02/18/2021

TACTIC: Link

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint, Ironport, Mimecast, and Microsoft Defender for O365 deliver ZLoader via Office macro laden spreadsheets. The spreadsheets are downloaded from embedded URLs.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and O365-ATP deliver an attached malware downloader that downloads Amadey. Amadey downloads and runs Remcos RAT.

ENVIRONMENTS: Proofpoint

TYPE: Remcos RAT

POSTED ON: 02/09/2021

TACTIC: RAR Attachment

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and O365-ATP deliver an attached malware downloader that downloads Amadey. Amadey downloads and runs Remcos RAT.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and O365-ATP deliver an attached malware downloader that downloads Amadey. Amadey downloads and runs Remcos RAT.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Remcos RAT

POSTED ON: 02/09/2021

TACTIC: RAR Attachment

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and O365-ATP deliver an attached malware downloader that downloads Amadey. Amadey downloads and runs Remcos RAT.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver NanoCore RAT via embedded URLs.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 02/01/2021

TACTIC: URL link embedded

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver NanoCore RAT via embedded URLs.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP deliver credential phishing via a MailChimp Click Tracking URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 02/01/2021

TACTIC: URL link embedded

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP deliver credential phishing via a MailChimp Click Tracking URL.

Real Phishing Example: DHL-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver Agent Tesla keylogger via embedded links. The embedded links download a 7Z archive that contains an Agent Tesla executable.

ENVIRONMENTS: Proofpoint

TYPE: Keylogger

POSTED ON: 02/01/2021

TACTIC: URL link embedded

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: DHL-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver Agent Tesla keylogger via embedded links. The embedded links download a 7Z archive that contains an Agent Tesla executable.

Real Phishing Example: Document-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 01/28/2021

TACTIC: URL link embedded

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Document-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded URL.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver Quasar RAT via Office Macros downloaded from embedded URLs.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 01/28/2021

TACTIC: URL link embedded

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver Quasar RAT via Office Macros downloaded from embedded URLs.

Real Phishing Example: LAN Associates-spoofing emails found in environments protected by O365-ATP deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 01/22/2021

TACTIC: URL link embedded

THEME: Consumer Goods

PHISHING EXAMPLE DESCRIPTION: LAN Associates-spoofing emails found in environments protected by O365-ATP deliver credential phishing via an embedded URL.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 01/22/2021

TACTIC: URL link embedded

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver ZLoader via malicious Office macros.

ENVIRONMENTS: Proofpoint

TYPE: ZLoader

POSTED ON: 01/22/2021

TACTIC: DCOM Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver ZLoader via malicious Office macros.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 01/22/2021

TACTIC: URL Link embedded

THEME: Healthcare

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded URL.

Real Phishing Example: IRS-spoofed emails found in environments protected by Proofpoint and Microsoft ATP deliver credential phishing via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 01/22/2021

TACTIC: URL link embedded

THEME: Real Estate

PHISHING EXAMPLE DESCRIPTION: IRS-spoofed emails found in environments protected by Proofpoint and Microsoft ATP deliver credential phishing via an embedded URL.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via embedded links.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 01/22/2021

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via embedded links.

Real Phishing Example: Order-themed emails found in environments protected by Proofpoint and O365-ATP deliver TrickBot via Office macro laden spreadsheets downloaded from embedded URLs.

ENVIRONMENTS: Proofpoint

TYPE: Keylogger

POSTED ON: 01/21/2021

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Order-themed emails found in environments protected by Proofpoint and O365-ATP deliver TrickBot via Office macro laden spreadsheets downloaded from embedded URLs.

Real Phishing Example: Impots-spoofing emails found in environments protected by Proofpoint deliver Client Maximus banking trojan via an Advanced INF Installer which is downloaded from an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 01/20/2021

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Impots-spoofing emails found in environments protected by Proofpoint deliver Client Maximus banking trojan via an Advanced INF Installer which is downloaded from an embedded URL.

Real Phishing Example: Finance-themed emails found in environments protected by Symantec deliver Agent Tesla keylogger via an embedded URL.

ENVIRONMENTS: Symantec

TYPE: Keylogger

POSTED ON: 01/15/2021

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Symantec deliver Agent Tesla keylogger via an embedded URL.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL. Note: This was in Spanish.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 01/15/2021

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL. Note: This was in Spanish.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 01/15/2021

TACTIC: URL link

THEME: Manufacturing

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL.

Real Phishing Example: Support-themed emails found in environments protected by Symantec deliver NetWire RAT hosted on Microsoft OneDrive. The hosted file is a RAR archive containing NetWire.

ENVIRONMENTS: Symantec

TYPE: NetWire

POSTED ON: 01/08/2021

TACTIC: Link

PHISHING EXAMPLE DESCRIPTION: Support-themed emails found in environments protected by Symantec deliver NetWire RAT hosted on Microsoft OneDrive. The hosted file is a RAR archive containing NetWire.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Symantec deliver Dridex via Office Macros downloaded from Embedded URLs. The Office Macros download and run Dridex.

ENVIRONMENTS: Symantec

TYPE: Dridex

POSTED ON: 01/04/2021

TACTIC: Link

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Symantec deliver Dridex via Office Macros downloaded from Embedded URLs. The Office Macros download and run Dridex.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver Ave_Maria stealer via embedded links. The embedded links download an Office Macro that downloads an Ave_Maria executable.

ENVIRONMENTS: Proofpoint

TYPE: Ave_Maria_Stealer

POSTED ON: 01/04/2021

TACTIC: Link

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver Ave_Maria stealer via embedded links. The embedded links download an Office Macro that downloads an Ave_Maria executable.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via embedded links.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 01/04/2021

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via embedded links.

Real Phishing Example: Invoice-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver BazarBackdoor via PDF attachments. The attached PDF redirects to a site that collects invoice order numbers; once the order number is entered, it redirects to a payload URL that downloads an OfficeMacro. The OfficeMacro downloads and runs BazarBackdoor.

ENVIRONMENTS: Proofpoint

TYPE: BazarBackdoor

POSTED ON: 01/04/2021

TACTIC: PDF Attachment

PHISHING EXAMPLE DESCRIPTION: Invoice-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver BazarBackdoor via PDF attachments. The attached PDF redirects to a site that collects invoice order numbers; once the order number is entered, it redirects to a payload URL that downloads an OfficeMacro. The OfficeMacro downloads and runs BazarBackdoor.

Real Phishing Example: Invoice-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver BazarBackdoor via PDF attachments. The attached PDF redirects to a site that collects invoice order numbers; once the order number is entered, it redirects to a payload URL that downloads an OfficeMacro. The OfficeMacro downloads and runs BazarBackdoor.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: BazarBackdoor

POSTED ON: 01/04/2021

TACTIC: PDF Attachment

PHISHING EXAMPLE DESCRIPTION: Invoice-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver BazarBackdoor via PDF attachments. The attached PDF redirects to a site that collects invoice order numbers; once the order number is entered, it redirects to a payload URL that downloads an OfficeMacro. The OfficeMacro downloads and runs BazarBackdoor.

Real Phishing Example: Invoice-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver BazarBackdoor via PDF attachments. The attached PDF redirects to a site that collects invoice order numbers; once the order number is entered, it redirects to a payload URL that downloads an OfficeMacro. The OfficeMacro downloads and runs BazarBackdoor.

ENVIRONMENTS: Symantec

TYPE: BazarBackdoor

POSTED ON: 01/04/2021

TACTIC: PDF Attachment

PHISHING EXAMPLE DESCRIPTION: Invoice-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver BazarBackdoor via PDF attachments. The attached PDF redirects to a site that collects invoice order numbers; once the order number is entered, it redirects to a payload URL that downloads an OfficeMacro. The OfficeMacro downloads and runs BazarBackdoor.

Real Phishing Example: Finance-themed emails found in environments protected by Symantec deliver attached XLS files. These files download and run Buer Loader.

ENVIRONMENTS: Symantec

TYPE: Buer Loader

POSTED ON: 01/04/2021

TACTIC: XLS Attachment

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Symantec deliver attached XLS files. These files download and run Buer Loader.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Symantec deliver Dridex via Office Macros downloaded from Embedded URLs. The Office Macros download and run Dridex.

ENVIRONMENTS: Proofpoint

TYPE: Dridex

POSTED ON: 01/04/2021

TACTIC: Link

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Symantec deliver Dridex via Office Macros downloaded from Embedded URLs. The Office Macros download and run Dridex.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Symantec deliver Dridex via Office Macros downloaded from Embedded URLs. The Office Macros download and run Dridex.

ENVIRONMENTS: Mimecast

TYPE: Dridex

POSTED ON: 01/04/2021

TACTIC: Link

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Symantec deliver Dridex via Office Macros downloaded from Embedded URLs. The Office Macros download and run Dridex.

Real Phishing Example: Finance or response-themed emails found in environments protected by Proofpoint deliver Office macro laden documents directly attached or via attached password protected archives. The documents download Emotet.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 12/29/2020

TACTIC: Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance or response-themed emails found in environments protected by Proofpoint deliver Office macro laden documents directly attached or via attached password protected archives. The documents download Emotet.

Real Phishing Example: Information on staffing updates-themed emails found in environments protected by Proofpoint deliver TrickBot via attached Office macro laden spreadsheets.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 12/28/2020

TACTIC: Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Information on staffing updates-themed emails found in environments protected by Proofpoint deliver TrickBot via attached Office macro laden spreadsheets.

Real Phishing Example: Finance-themed campaign found in environments protected by O365-ATP delivers PDF files hosted on Google Drive. The PDF files provide links which download archives containing scripts. The scripts act as a Reconnaissance Tool, initiating an ongoing connection to a C2 to exfiltrate information and download additional payloads.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Trojan

POSTED ON: 12/28/2020

TACTIC: Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed campaign found in environments protected by O365-ATP delivers PDF files hosted on Google Drive. The PDF files provide links which download archives containing scripts. The scripts act as a Reconnaissance Tool, initiating an ongoing connection to a C2 to exfiltrate information and download additional payloads.

Real Phishing Example: Finance-themed emails found in environments protected by Mimecast deliver Dridex via Office macro laden documents downloaded from embedded URLs.

ENVIRONMENTS: Mimecast

TYPE: Trojan

POSTED ON: 12/28/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Mimecast deliver Dridex via Office macro laden documents downloaded from embedded URLs.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an attached HTM file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 12/18/2020

TACTIC: Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an attached HTM file.

Real Phishing Example: Copyright Violation-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Makop ransomware via an ALZ attachment.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Ransomware

POSTED ON: 12/18/2020

TACTIC: Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Copyright Violation-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Makop ransomware via an ALZ attachment.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver credential phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver credential phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver LuminosityLink RAT via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver LuminosityLink RAT via an embedded URL.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver credential phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver credential phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver credential phishing via an embedded link.

ENVIRONMENTS: Symantec

TYPE: Credential Phish

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver credential phishing via an embedded link.

Real Phishing Example: Hubbell-spoofing emails found in environments protected by O365-ATP, Ironport, Mimecast, and Symantec deliver Office macro laden spreadsheets via embedded links. The spreadsheets drop and run the Get2 downloader.

ENVIRONMENTS: Cisco Ironport

TYPE: Keylogger

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Hubbell-spoofing emails found in environments protected by O365-ATP, Ironport, Mimecast, and Symantec deliver Office macro laden spreadsheets via embedded links. The spreadsheets drop and run the Get2 downloader.

Real Phishing Example: Hubbell-spoofing emails found in environments protected by O365-ATP, Ironport, Mimecast, and Symantec deliver Office macro laden spreadsheets via embedded links. The spreadsheets drop and run the Get2 downloader.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Keylogger

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Hubbell-spoofing emails found in environments protected by O365-ATP, Ironport, Mimecast, and Symantec deliver Office macro laden spreadsheets via embedded links. The spreadsheets drop and run the Get2 downloader.

Real Phishing Example: Hubbell-spoofing emails found in environments protected by O365-ATP, Ironport, Mimecast, and Symantec deliver Office macro laden spreadsheets via embedded links. The spreadsheets drop and run the Get2 downloader.

ENVIRONMENTS: Mimecast

TYPE: Keylogger

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Hubbell-spoofing emails found in environments protected by O365-ATP, Ironport, Mimecast, and Symantec deliver Office macro laden spreadsheets via embedded links. The spreadsheets drop and run the Get2 downloader.

Real Phishing Example: Hubbell-spoofing emails found in environments protected by O365-ATP, Ironport, Mimecast, and Symantec deliver Office macro laden spreadsheets via embedded links. The spreadsheets drop and run the Get2 downloader.

ENVIRONMENTS: Symantec

TYPE: Keylogger

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Hubbell-spoofing emails found in environments protected by O365-ATP, Ironport, Mimecast, and Symantec deliver Office macro laden spreadsheets via embedded links. The spreadsheets drop and run the Get2 downloader.

Real Phishing Example: FedEx-spoofed emails found in environments protected by Proofpoint and Microsoft ATP deliver Async RAT via a OneDrive embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Trojan

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Shipping

PHISHING EXAMPLE DESCRIPTION: FedEx-spoofed emails found in environments protected by Proofpoint and Microsoft ATP deliver Async RAT via a OneDrive embedded link.

Real Phishing Example: FedEx-spoofed emails found in environments protected by Proofpoint and Microsoft ATP deliver Async RAT via a OneDrive embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Shipping

PHISHING EXAMPLE DESCRIPTION: FedEx-spoofed emails found in environments protected by Proofpoint and Microsoft ATP deliver Async RAT via a OneDrive embedded link.

Real Phishing Example: Copyright Violation-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Makop ransomware via an ALZ attachment.

ENVIRONMENTS: Proofpoint

TYPE: Ransomware

POSTED ON: 12/18/2020

TACTIC: Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Copyright Violation-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Makop ransomware via an ALZ attachment.

Real Phishing Example: TNT-spoofing emails found in environments protected by TrendMicro deliver Agent Tesla keylogger via embedded links. The embedded links download an archive that contains an Agent Tesla keylogger executable.

ENVIRONMENTS: TrendMicro

TYPE: Keylogger

POSTED ON: 12/09/2020

TACTIC: URL Link

THEME: Shipping

PHISHING EXAMPLE DESCRIPTION: TNT-spoofing emails found in environments protected by TrendMicro deliver Agent Tesla keylogger via embedded links. The embedded links download an archive that contains an Agent Tesla keylogger executable.

Real Phishing Example: Finance-themed emails found in environments protected by O365-ATP and TrendMicro deliver Agent Tesla keylogger via embedded links. The embedded links download a VBS script that downloads a PowerShell script which drops and runs an Agent Tesla binary.

ENVIRONMENTS: TrendMicro

TYPE: Keylogger

POSTED ON: 12/09/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by O365-ATP and TrendMicro deliver Agent Tesla keylogger via embedded links. The embedded links download a VBS script that downloads a PowerShell script which drops and runs an Agent Tesla binary.

Real Phishing Example: Finance-themed emails found in environments protected by O365-ATP and TrendMicro deliver Agent Tesla keylogger via embedded links. The embedded links download a VBS script that downloads a PowerShell script which drops and runs an Agent Tesla binary.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Keylogger

POSTED ON: 12/09/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by O365-ATP and TrendMicro deliver Agent Tesla keylogger via embedded links. The embedded links download a VBS script that downloads a PowerShell script which drops and runs an Agent Tesla binary.

Real Phishing Example: Finance-themed emails found in environments protected by Ironport, O365-ATP, Mimecast, Proofpoint, and Symantec deliver Dridex via Office macro laden documents downloaded from embedded links.

ENVIRONMENTS: Cisco Ironport

TYPE: Trojan

POSTED ON: 12/09/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Ironport, O365-ATP, Mimecast, Proofpoint, and Symantec deliver Dridex via Office macro laden documents downloaded from embedded links.

Real Phishing Example: Finance-themed emails found in environments protected by Ironport, O365-ATP, Mimecast, Proofpoint, and Symantec deliver Dridex via Office macro laden documents downloaded from embedded links.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Trojan

POSTED ON: 12/09/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Ironport, O365-ATP, Mimecast, Proofpoint, and Symantec deliver Dridex via Office macro laden documents downloaded from embedded links.

Real Phishing Example: Finance-themed emails found in environments protected by Ironport, O365-ATP, Mimecast, Proofpoint, and Symantec deliver Dridex via Office macro laden documents downloaded from embedded links.

ENVIRONMENTS: Mimecast

TYPE: Trojan

POSTED ON: 12/09/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Ironport, O365-ATP, Mimecast, Proofpoint, and Symantec deliver Dridex via Office macro laden documents downloaded from embedded links.
