A phishing attack is when a fraudster sends an email to trick the recipient. The idea is to persuade the target to give up sensitive information, for instance corporate network credentials, or to authorize some type of financial transaction. The vast majority of data breaches against businesses today begin as phishing attacks.

Just a couple of famous phishing examples:

The infamous Target breach back in 2013 started with a phishing email that gave attackers a foothold in Target’s business systems for further attacks.
Phishing appeared prominently in the Mueller Report on the 2016 presidential election hacking.

Some quick phishing statistics:

Over 55% of organizations experienced a successful phish last year.
$12 billion is the 5-year global cost of just one type of phishing attack, business email compromise (BEC).
The average phishing attack costs a mid-sized business $3.86 million.

Our database has thousands of phishing examples, but most fit into one of these 3 categories:

Phishing Emails with Malicious Links: Sometimes a phishing attack is simply an email with an embedded link. When you click, you either unknowingly activate malware or are directed to a webpage that looks perfectly legitimate but is designed to harvest your information.

Phishing Attacks with Malicious Attachments: Phishing attackers often send emails with attachments containing malware. When you click, look out. Many times phishing attackers use popular document types such as Microsoft Word or Excel or even Adobe PDFs. They take advantage of the trust people place in popular business tools.

Business Email Compromise (BEC): BEC emails, also known as CEO Fraud, typically don’t use malware but simply try to manipulate the target into sending money. Traditionally, BEC phishing attacks try to get employees in the finance department to authorize wire transfers, for instance, to a “vendor” or “partner.” This kind of attack often uses ‘CEO fraud phishing’ where attackers pretend to be the CEO or CFO to spur quick action.

Real Phishing Example: Humane Society of Wicomico County-spoofed emails found in environments protected by Cisco Ironport and Microsoft ATP deliver credential phishing.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 12/01/2021

TACTIC: link

THEME: Humane Society of Wicomico County

PHISHING EXAMPLE DESCRIPTION: Humane Society of Wicomico County-spoofed emails found in environments protected by Cisco Ironport and Microsoft ATP deliver credential phishing.

Real Phishing Example: Humane Society of Wicomico County-spoofed emails found in environments protected by Cisco Ironport and Microsoft ATP deliver credential phishing.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 12/01/2021

TACTIC: link

THEME: Humane Society of Wicomico County

PHISHING EXAMPLE DESCRIPTION: Humane Society of Wicomico County-spoofed emails found in environments protected by Cisco Ironport and Microsoft ATP deliver credential phishing.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 12/01/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver credential phishing.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 12/01/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver credential phishing.

Real Phishing Example: DHL-spoofing emails found in environments protected by Microsoft ATP and Cisco Ironport deliver a link to an item purchase on a legitimate payment processing site and request that victims complete the transaction.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 11/29/2021

TACTIC: Link

THEME: DHL-spoofing

PHISHING EXAMPLE DESCRIPTION: DHL-spoofing emails found in environments protected by Microsoft ATP and Cisco Ironport deliver a link to an item purchase on a legitimate payment processing site and request that victims complete the transaction.

Real Phishing Example: DHL-spoofing emails found in environments protected by Microsoft ATP and Cisco Ironport deliver a link to an item purchase on a legitimate payment processing site and request that victims complete the transaction.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 11/29/2021

TACTIC: Link

THEME: DHL-spoofing

PHISHING EXAMPLE DESCRIPTION: DHL-spoofing emails found in environments protected by Microsoft ATP and Cisco Ironport deliver a link to an item purchase on a legitimate payment processing site and request that victims complete the transaction.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP deliver Office documents with embedded links to credential phishing pages.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 11/29/2021

TACTIC: DOCX Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP deliver Office documents with embedded links to credential phishing pages.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 11/24/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL.

Real Phishing Example: Shared file-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 11/24/2021

TACTIC: Link

THEME: Shared file

PHISHING EXAMPLE DESCRIPTION: Shared file-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver credential phishing via an embedded URL.

Real Phishing Example: Shared file-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver credential phishing via an embedded URL.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 11/24/2021

TACTIC: Link

THEME: Shared file

PHISHING EXAMPLE DESCRIPTION: Shared file-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver credential phishing via an embedded URL.

Real Phishing Example: Dubai Electricity and Water Authority-spoofing emails found in environments protected by Microsoft ATP and Symantec MessageLabs deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 11/23/2021

TACTIC: DOC Attachment

THEME: Dubai Electricity and Water Authority-spoofing emails

PHISHING EXAMPLE DESCRIPTION: Dubai Electricity and Water Authority-spoofing emails found in environments protected by Microsoft ATP and Symantec MessageLabs deliver credential phishing via an embedded URL.

Real Phishing Example: Updating accounts payable accounts is another spin on the ever-so-popular direct-deposit scam. By asking to update account information, attackers are able to directly receive payments to accounts under their control.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Link

POSTED ON: 11/23/2021

TACTIC: BEC

THEME: Accounts Payable

PHISHING EXAMPLE DESCRIPTION: Updating accounts payable accounts is another spin on the ever-so-popular direct-deposit scam. By asking to update account information, attackers are able to directly receive payments to accounts under their control.

Real Phishing Example: Dubai Electricity and Water Authority-spoofing emails found in environments protected by Microsoft ATP and Symantec MessageLabs deliver credential phishing via an embedded URL.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 11/23/2021

TACTIC: DOC Attachment

THEME: Dubai Electricity and Water Authority-spoofing emails

PHISHING EXAMPLE DESCRIPTION: Dubai Electricity and Water Authority-spoofing emails found in environments protected by Microsoft ATP and Symantec MessageLabs deliver credential phishing via an embedded URL.

Real Phishing Example: Direct deposit scams frequently target HR departments, with the intent to defraud customers out of their weekly or bi-weekly pay. Bypassing every email security protocol, these attacks can take several pay cycles before they are detected.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Link

POSTED ON: 11/23/2021

TACTIC: BEC

THEME: Direct Deposit

PHISHING EXAMPLE DESCRIPTION: Direct deposit scams frequently target HR departments, with the intent to defraud customers out of their weekly or bi-weekly pay. Bypassing every email security protocol, these attacks can take several pay cycles before they are detected.

Real Phishing Example: A very common theme is for BEC threat actors to request the purchase of gift cards. Once a potential victim responds to a gift card phish, attackers use birthdays or employee gifts as a story to tell victims to purchase gift cards.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Link

POSTED ON: 11/23/2021

TACTIC: BEC

THEME: Gift Card

PHISHING EXAMPLE DESCRIPTION: A very common theme is for BEC threat actors to request the purchase of gift cards. Once a potential victim responds to a gift card phish, attackers use birthdays or employee gifts as a story to tell victims to purchase gift cards.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver Office documents with embedded links to credential phishing pages.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 11/23/2021

TACTIC: XLSB Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Office documents with embedded links to credential phishing pages.

Real Phishing Example: Notification-themed emails found in environments protected by Cisco Ironport and Proofpoint deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 11/22/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Cisco Ironport and Proofpoint deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Cisco Ironport and Proofpoint deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 11/22/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Cisco Ironport and Proofpoint deliver Credential Phishing via an embedded link.

Real Phishing Example: Microsoft-spoofing emails found in environments protected by Proofpoint deliver credential phishing.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 11/22/2021

TACTIC: Link

THEME: Microsoft-spoofing

PHISHING EXAMPLE DESCRIPTION: Microsoft-spoofing emails found in environments protected by Proofpoint deliver credential phishing.

Real Phishing Example: Request-themed emails found in environments protected by Microsoft ATP deliver credential phishing.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 11/22/2021

TACTIC: Link

THEME: Request

PHISHING EXAMPLE DESCRIPTION: Request-themed emails found in environments protected by Microsoft ATP deliver credential phishing.

Real Phishing Example: Finance-themed emails found in environments protected by Cisco Ironport deliver FormGrabber via GuLoader. FormGrabber is run in memory.

ENVIRONMENTS: Cisco Ironport

TYPE: FormGrabber

POSTED ON: 11/19/2021

TACTIC: EXE Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Cisco Ironport deliver FormGrabber via GuLoader. FormGrabber is run in memory.

Real Phishing Example: Commerz Bank-spoofing emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 11/18/2021

TACTIC: Link

THEME: Commerz Bank-spoofing

PHISHING EXAMPLE DESCRIPTION: Commerz Bank-spoofing emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL.

Real Phishing Example: New Zealand Transport Agency-spoofing emails found in environments protected by Proofpoint deliver credential phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 11/17/2021

TACTIC: Link

THEME: New Zealand Transport Agency-spoofing

PHISHING EXAMPLE DESCRIPTION: New Zealand Transport Agency-spoofing emails found in environments protected by Proofpoint deliver credential phishing via an embedded link.

Real Phishing Example: Response-themed emails found in environments protected by Proofpoint deliver Emotet/Geodo via an Office macro laden document. The document is enclosed in an attached password protected archive.

ENVIRONMENTS: Proofpoint

TYPE: Emotet

POSTED ON: 11/16/2021

TACTIC: DOC Attachment

THEME: Response

PHISHING EXAMPLE DESCRIPTION: Response-themed emails found in environments protected by Proofpoint deliver Emotet/Geodo via an Office macro laden document. The document is enclosed in an attached password protected archive.

Real Phishing Example: Notification-themed emails found in environments protected by Symantec MessageLabs deliver Credential Phishing embedded in an HTML file. The HTML file is downloaded via an embedded link.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 11/15/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Symantec MessageLabs deliver Credential Phishing embedded in an HTML file. The HTML file is downloaded via an embedded link.

Real Phishing Example: Real-estate themed emails found in environments protected by Cisco Ironport and Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 11/15/2021

TACTIC: Link

THEME: Real-Estate

PHISHING EXAMPLE DESCRIPTION: Real-estate themed emails found in environments protected by Cisco Ironport and Proofpoint deliver credential phishing via an embedded URL.

Real Phishing Example: Real-estate themed emails found in environments protected by Cisco Ironport and Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 11/15/2021

TACTIC: Link

THEME: Real-Estate

PHISHING EXAMPLE DESCRIPTION: Real-estate themed emails found in environments protected by Cisco Ironport and Proofpoint deliver credential phishing via an embedded URL.

Real Phishing Example: Invoice-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 11/12/2021

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: Invoice-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Invoice-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 11/12/2021

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: Invoice-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Shipping-themed emails found in environments protected by Mimecast deliver a VBS in a .xxe archive. The VBS drops and runs GuLoader which downloads and runs NanoCore RAT in memory.

ENVIRONMENTS: Mimecast

TYPE: NanoCore RAT

POSTED ON: 11/12/2021

TACTIC: XXE Attachment

THEME: Shipping

PHISHING EXAMPLE DESCRIPTION: Shipping-themed emails found in environments protected by Mimecast deliver a VBS in a .xxe archive. The VBS drops and runs GuLoader which downloads and runs NanoCore RAT in memory.

Real Phishing Example: Invoice-themed emails (spoofing Microsoft Office 365) found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 11/11/2021

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: Invoice-themed emails (spoofing Microsoft Office 365) found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, Symantec MessageLabs, and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 11/09/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, Symantec MessageLabs, and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, Symantec MessageLabs, and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 11/09/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, Symantec MessageLabs, and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 11/09/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, Symantec MessageLabs, and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 11/09/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, Symantec MessageLabs, and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, Symantec MessageLabs, and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 11/09/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, Symantec MessageLabs, and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver RedLine Stealer via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: RedLine Stealer

POSTED ON: 11/08/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver RedLine Stealer via an embedded link.

Real Phishing Example: USPS-spoofing emails found in environments protected by Symantec MessageLabs deliver TrickBot via an Office macro laden spreadsheet. The spreadsheet is downloaded from an embedded URL.

ENVIRONMENTS: Symantec MessageLabs

TYPE: TrickBot

POSTED ON: 11/08/2021

TACTIC: Link

THEME: USPS-spoofing

PHISHING EXAMPLE DESCRIPTION: USPS-spoofing emails found in environments protected by Symantec MessageLabs deliver TrickBot via an Office macro laden spreadsheet. The spreadsheet is downloaded from an embedded URL.

Real Phishing Example: Voicemail-themed emails found in environments protected by Proofpoint deliver credential phishing via an HTML attachment.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 11/05/2021

TACTIC: HTML Attachment

THEME: Voicemail

PHISHING EXAMPLE DESCRIPTION: Voicemail-themed emails found in environments protected by Proofpoint deliver credential phishing via an HTML attachment.

Real Phishing Example: Document-themed emails found in environments protected by Proofpoint and Mimecast deliver credential phishing via an embedded link.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 11/03/2021

TACTIC: Link

THEME: Document

PHISHING EXAMPLE DESCRIPTION: Document-themed emails found in environments protected by Proofpoint and Mimecast deliver credential phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver MIRCOP Ransomware. The email contains an embedded link that downloads a MHT downloader which downloads a DotNETLoader. The DotNETLoader delivers MIRCOP ransomware and an email password dump utility.

ENVIRONMENTS: Proofpoint

TYPE: MIRCOP Ransomware

POSTED ON: 11/02/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver MIRCOP Ransomware. The email contains an embedded link that downloads a MHT downloader which downloads a DotNETLoader. The DotNETLoader delivers MIRCOP ransomware and an email password dump utility.

Real Phishing Example: Payment-themed emails found in environments protected by Cisco Ironport deliver an Office macro laden document via an embedded link. The macro drops a VBS script which victims are encouraged to run. The VBS script drops components for a malware downloader which then downloads and runs NetWire RAT in memory.

ENVIRONMENTS: Cisco Ironport

TYPE: NetWire RAT

POSTED ON: 11/01/2021

TACTIC: Link

THEME: Payment

PHISHING EXAMPLE DESCRIPTION: Payment-themed emails found in environments protected by Cisco Ironport deliver an Office macro laden document via an embedded link. The macro drops a VBS script which victims are encouraged to run. The VBS script drops components for a malware downloader which then downloads and runs NetWire RAT in memory.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 10/29/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 10/29/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 10/29/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Document-themed emails found in environments protected by Proofpoint deliver HTML files via embedded URLs. The HTML files contain embedded credential phishing content.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 10/26/2021

TACTIC: Link

THEME: Document

PHISHING EXAMPLE DESCRIPTION: Document-themed emails found in environments protected by Proofpoint deliver HTML files via embedded URLs. The HTML files contain embedded credential phishing content.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP deliver NanoCore RAT via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: NanoCore RAT

POSTED ON: 10/25/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP deliver NanoCore RAT via an embedded URL.

Real Phishing Example: Response-themed emails found in environments protected by Proofpoint, Cisco Ironport, Symantec MessageLabs, and TrendMicro deliver SquirrelWaffle and QakBot via Office macro laden spreadsheets. The spreadsheets are downloaded via embedded URLs.

ENVIRONMENTS: Proofpoint

TYPE: QakBot

POSTED ON: 10/22/2021

TACTIC: link

THEME: Response

PHISHING EXAMPLE DESCRIPTION: Response-themed emails found in environments protected by Proofpoint, Cisco Ironport, Symantec MessageLabs, and TrendMicro deliver SquirrelWaffle and QakBot via Office macro laden spreadsheets. The spreadsheets are downloaded via embedded URLs.

Real Phishing Example: Response-themed emails found in environments protected by Proofpoint, Cisco Ironport, Symantec MessageLabs, and TrendMicro deliver SquirrelWaffle and QakBot via Office macro laden spreadsheets. The spreadsheets are downloaded via embedded URLs.

ENVIRONMENTS: Cisco Ironport

TYPE: QakBot

POSTED ON: 10/22/2021

TACTIC: link

THEME: Response

PHISHING EXAMPLE DESCRIPTION: Response-themed emails found in environments protected by Proofpoint, Cisco Ironport, Symantec MessageLabs, and TrendMicro deliver SquirrelWaffle and QakBot via Office macro laden spreadsheets. The spreadsheets are downloaded via embedded URLs.

Real Phishing Example: Response-themed emails found in environments protected by Proofpoint, Cisco Ironport, Symantec MessageLabs, and TrendMicro deliver SquirrelWaffle and QakBot via Office macro laden spreadsheets. The spreadsheets are downloaded via embedded URLs.

ENVIRONMENTS: Symantec MessageLabs

TYPE: QakBot

POSTED ON: 10/22/2021

TACTIC: link

THEME: Response

PHISHING EXAMPLE DESCRIPTION: Response-themed emails found in environments protected by Proofpoint, Cisco Ironport, Symantec MessageLabs, and TrendMicro deliver SquirrelWaffle and QakBot via Office macro laden spreadsheets. The spreadsheets are downloaded via embedded URLs.

Real Phishing Example: Response-themed emails found in environments protected by Proofpoint, Cisco Ironport, Symantec MessageLabs, and TrendMicro deliver SquirrelWaffle and QakBot via Office macro laden spreadsheets. The spreadsheets are downloaded via embedded URLs.

ENVIRONMENTS: TrendMicro

TYPE: QakBot

POSTED ON: 10/22/2021

TACTIC: link

THEME: Response

PHISHING EXAMPLE DESCRIPTION: Response-themed emails found in environments protected by Proofpoint, Cisco Ironport, Symantec MessageLabs, and TrendMicro deliver SquirrelWaffle and QakBot via Office macro laden spreadsheets. The spreadsheets are downloaded via embedded URLs.

Real Phishing Example: Tax-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 10/21/2021

TACTIC: link

THEME: Tax

PHISHING EXAMPLE DESCRIPTION: Tax-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Tax-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 10/21/2021

TACTIC: link

THEME: Tax

PHISHING EXAMPLE DESCRIPTION: Tax-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 10/21/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 10/21/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Tax-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 10/21/2021

TACTIC: link

THEME: Tax

PHISHING EXAMPLE DESCRIPTION: Tax-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Tax-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 10/21/2021

TACTIC: link

THEME: Tax

PHISHING EXAMPLE DESCRIPTION: Tax-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Order-themed emails found in environments protected by Mimecast deliver Remcos RAT via GuLoader. The GuLoader executable is archived in an ACE file downloaded from an embedded link.

ENVIRONMENTS: Mimecast

TYPE: Remcos RAT

POSTED ON: 10/20/2021

TACTIC: Link

THEME: Order

PHISHING EXAMPLE DESCRIPTION: Order-themed emails found in environments protected by Mimecast deliver Remcos RAT via GuLoader. The GuLoader executable is archived in an ACE file downloaded from an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver a PowerShell Script and accompanying files via an embedded URL. The PowerShell script downloads a reconnaissance tool which is run in memory.

ENVIRONMENTS: Proofpoint

TYPE: Reconnaissance Tool

POSTED ON: 10/19/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver a PowerShell Script and accompanying files via an embedded URL. The PowerShell script downloads a reconnaissance tool which is run in memory.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Mimecast, and Cisco Ironport deliver Credential Phishing via an attached HTML file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 10/18/2021

TACTIC: HTML Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Mimecast, and Cisco Ironport deliver Credential Phishing via an attached HTML file.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Mimecast, and Cisco Ironport deliver Credential Phishing via an attached HTML file.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 10/18/2021

TACTIC: HTML Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Mimecast, and Cisco Ironport deliver Credential Phishing via an attached HTML file.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Mimecast, and Cisco Ironport deliver Credential Phishing via an attached HTML file.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 10/18/2021

TACTIC: HTML Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Mimecast, and Cisco Ironport deliver Credential Phishing via an attached HTML file.

Real Phishing Example: Finance-themed emails found in environments protected by Mimecast, Microsoft ATP, and Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 10/15/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Mimecast, Microsoft ATP, and Proofpoint deliver credential phishing via an embedded URL.

Real Phishing Example: Finance-themed emails found in environments protected by Mimecast, Microsoft ATP, and Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 10/15/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Mimecast, Microsoft ATP, and Proofpoint deliver credential phishing via an embedded URL.

Real Phishing Example: Finance-themed emails found in environments protected by Mimecast, Microsoft ATP, and Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 10/15/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Mimecast, Microsoft ATP, and Proofpoint deliver credential phishing via an embedded URL.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver an attached RTF Office document. The document contains a link to download an HTML file which contains embedded credential phishing content.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 10/14/2021

TACTIC: RTF Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver an attached RTF Office document. The document contains a link to download an HTML file which contains embedded credential phishing content.

Real Phishing Example: Sparkasse-spoofing emails found in environments protected by Proofpoint deliver credential phishing via a URL from an embedded QR code image.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 10/13/2021

TACTIC: Link

THEME: Sparkasse-spoofing emails

PHISHING EXAMPLE DESCRIPTION: Sparkasse-spoofing emails found in environments protected by Proofpoint deliver credential phishing via a URL from an embedded QR code image.

Real Phishing Example: UK National Health Service-spoofing emails found in environments protected by Cisco Ironport and Symantec MessageLabs deliver COVID-19 themed credential phishing via an embedded URL.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 10/12/2021

TACTIC: Link

THEME: UK National Health Service-spoofing emails

PHISHING EXAMPLE DESCRIPTION: UK National Health Service-spoofing emails found in environments protected by Cisco Ironport and Symantec MessageLabs deliver COVID-19 themed credential phishing via an embedded URL.

Real Phishing Example: UK National Health Service-spoofing emails found in environments protected by Cisco Ironport and Symantec MessageLabs deliver COVID-19 themed credential phishing via an embedded URL.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 10/12/2021

TACTIC: Link

THEME: UK National Health Service-spoofing emails

PHISHING EXAMPLE DESCRIPTION: UK National Health Service-spoofing emails found in environments protected by Cisco Ironport and Symantec MessageLabs deliver COVID-19 themed credential phishing via an embedded URL.

Real Phishing Example: Sparkasse-spoofing emails found in environments protected by Microsoft ATP and Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 10/12/2021

TACTIC: Link

THEME: Sparkasse-spoofing emails

PHISHING EXAMPLE DESCRIPTION: Sparkasse-spoofing emails found in environments protected by Microsoft ATP and Proofpoint deliver credential phishing via an embedded URL.

Real Phishing Example: Sparkasse-spoofing emails found in environments protected by Microsoft ATP and Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 10/12/2021

TACTIC: Link

THEME: Sparkasse-spoofing emails

PHISHING EXAMPLE DESCRIPTION: Sparkasse-spoofing emails found in environments protected by Microsoft ATP and Proofpoint deliver credential phishing via an embedded URL.

Real Phishing Example: Information-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 10/12/2021

TACTIC: Link

THEME: Information

PHISHING EXAMPLE DESCRIPTION: Information-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

Real Phishing Example: Finance-themed emails found in environments protected by Symantec MessageLabs and Proofpoint deliver Ave_Maria Stealer via a DotNET Loader. The DotNET Loader is downloaded from an embedded URL. Ave_Maria Stealer is run in memory.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Ave_Maria Stealer

POSTED ON: 10/11/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Symantec MessageLabs and Proofpoint deliver Ave_Maria Stealer via a DotNET Loader. The DotNET Loader is downloaded from an embedded URL. Ave_Maria Stealer is run in memory.

Real Phishing Example: Finance-themed emails found in environments protected by Symantec MessageLabs and Proofpoint deliver Ave_Maria Stealer via a DotNET Loader. The DotNET Loader is downloaded from an embedded URL. Ave_Maria Stealer is run in memory.

ENVIRONMENTS: Proofpoint

TYPE: Ave_Maria Stealer

POSTED ON: 10/11/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Symantec MessageLabs and Proofpoint deliver Ave_Maria Stealer via a DotNET Loader. The DotNET Loader is downloaded from an embedded URL. Ave_Maria Stealer is run in memory.

Real Phishing Example: Finance-themed emails found in environments protected by Mimecast deliver an Office macro-laden document via an embedded URL. The Office macro downloads a DotNET Loader which in turn downloads Ave_Maria Stealer. Ave_Maria Stealer is run in memory.

ENVIRONMENTS: Mimecast

TYPE: Ave_Maria Stealer

POSTED ON: 10/08/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Mimecast deliver an Office macro-laden document via an embedded URL. The Office macro downloads a DotNET Loader which in turn downloads Ave_Maria Stealer. Ave_Maria Stealer is run in memory.

Real Phishing Example: HSBC-spoofing emails found in environments protected by Proofpoint deliver FormGrabber via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: FormGrabber

POSTED ON: 10/07/2021

TACTIC: Link

THEME: HSBC-spoofing emails

PHISHING EXAMPLE DESCRIPTION: HSBC-spoofing emails found in environments protected by Proofpoint deliver FormGrabber via an embedded URL.

Real Phishing Example: Air Charter Service-spoofing emails found in environments protected by Cisco Ironport deliver a VBS script via an embedded URL. The VBS script downloads a PowerShell script which runs Dark Comet RAT.

ENVIRONMENTS: Cisco Ironport

TYPE: Dark Comet RAT

POSTED ON: 10/06/2021

TACTIC: Link

THEME: Air Charter Service-spoofing

PHISHING EXAMPLE DESCRIPTION: Air Charter Service-spoofing emails found in environments protected by Cisco Ironport deliver a VBS script via an embedded URL. The VBS script downloads a PowerShell script which runs Dark Comet RAT.

Real Phishing Example: Manulife-spoofing emails found in environments protected by Cisco Ironport, Microsoft ATP, Proofpoint, and Symantec MessageLabs deliver Office macro-laden spreadsheets via an embedded URL. The Office macros download KiXtart malware which in turn downloads REBOL malware.

ENVIRONMENTS: Cisco Ironport

TYPE: REBOL Malware

POSTED ON: 10/05/2021

TACTIC: Link

THEME: Manulife-spoofing

PHISHING EXAMPLE DESCRIPTION: Manulife-spoofing emails found in environments protected by Cisco Ironport, Microsoft ATP, Proofpoint, and Symantec MessageLabs deliver Office macro-laden spreadsheets via an embedded URL. The Office macros download KiXtart malware which in turn downloads REBOL malware.

Real Phishing Example: Manulife-spoofing emails found in environments protected by Cisco Ironport, Microsoft ATP, Proofpoint, and Symantec MessageLabs deliver Office macro-laden spreadsheets via an embedded URL. The Office macros download KiXtart malware which in turn downloads REBOL malware.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: REBOL Malware

POSTED ON: 10/05/2021

TACTIC: Link

THEME: Manulife-spoofing

PHISHING EXAMPLE DESCRIPTION: Manulife-spoofing emails found in environments protected by Cisco Ironport, Microsoft ATP, Proofpoint, and Symantec MessageLabs deliver Office macro-laden spreadsheets via an embedded URL. The Office macros download KiXtart malware which in turn downloads REBOL malware.

Real Phishing Example: Manulife-spoofing emails found in environments protected by Cisco Ironport, Microsoft ATP, Proofpoint, and Symantec MessageLabs deliver Office macro-laden spreadsheets via an embedded URL. The Office macros download KiXtart malware which in turn downloads REBOL malware.

ENVIRONMENTS: Proofpoint

TYPE: REBOL Malware

POSTED ON: 10/05/2021

TACTIC: Link

THEME: Manulife-spoofing

PHISHING EXAMPLE DESCRIPTION: Manulife-spoofing emails found in environments protected by Cisco Ironport, Microsoft ATP, Proofpoint, and Symantec MessageLabs deliver Office macro-laden spreadsheets via an embedded URL. The Office macros download KiXtart malware which in turn downloads REBOL malware.

Real Phishing Example: Manulife-spoofing emails found in environments protected by Cisco Ironport, Microsoft ATP, Proofpoint, and Symantec MessageLabs deliver Office macro-laden spreadsheets via an embedded URL. The Office macros download KiXtart malware which in turn downloads REBOL malware.

ENVIRONMENTS: Symantec MessageLabs

TYPE: REBOL Malware

POSTED ON: 10/05/2021

TACTIC: Link

THEME: Manulife-spoofing

PHISHING EXAMPLE DESCRIPTION: Manulife-spoofing emails found in environments protected by Cisco Ironport, Microsoft ATP, Proofpoint, and Symantec MessageLabs deliver Office macro-laden spreadsheets via an embedded URL. The Office macros download KiXtart malware which in turn downloads REBOL malware.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP deliver Office documents with embedded links to credential phishing pages.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 10/05/2021

TACTIC: DOCX Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP deliver Office documents with embedded links to credential phishing pages.

Real Phishing Example: Shipping-themed emails found in environments protected by Proofpoint deliver Remcos RAT via GuLoader which was enclosed in an attached XXE archive. Remcos RAT is run in memory.

ENVIRONMENTS: Proofpoint

TYPE: Remcos RAT

POSTED ON: 10/04/2021

TACTIC: XXE Attachment

THEME: Shipping

PHISHING EXAMPLE DESCRIPTION: Shipping-themed emails found in environments protected by Proofpoint deliver Remcos RAT via GuLoader which was enclosed in an attached XXE archive. Remcos RAT is run in memory.

Real Phishing Example: Hope Technical Developments-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver credential phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 10/04/2021

TACTIC: Link

THEME: Hope Technical Developments-spoofing

PHISHING EXAMPLE DESCRIPTION: Hope Technical Developments-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver credential phishing via an embedded link.

Real Phishing Example: Hope Technical Developments-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver credential phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 10/04/2021

TACTIC: Link

THEME: Hope Technical Developments-spoofing

PHISHING EXAMPLE DESCRIPTION: Hope Technical Developments-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver credential phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint and Symantec MessageLabs deliver FormGrabber via a CVE-2017-11882 downloaded from an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: FormGrabber

POSTED ON: 10/01/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint and Symantec MessageLabs deliver FormGrabber via a CVE-2017-11882 downloaded from an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint and Symantec MessageLabs deliver FormGrabber via a CVE-2017-11882 downloaded from an embedded link.

ENVIRONMENTS: Symantec MessageLabs

TYPE: FormGrabber

POSTED ON: 10/01/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint and Symantec MessageLabs deliver FormGrabber via a CVE-2017-11882 downloaded from an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 09/30/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Mimecast, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 09/29/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Mimecast, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Mimecast, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 09/29/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Mimecast, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Mimecast, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 09/29/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Mimecast, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 09/29/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 09/29/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 09/29/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Mimecast and Microsoft ATP deliver Credential Phishing via an HTML attachment.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 09/28/2021

TACTIC: HTML Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Mimecast and Microsoft ATP deliver Credential Phishing via an HTML attachment.

Real Phishing Example: Finance-themed emails found in environments protected by Mimecast and Microsoft ATP deliver Credential Phishing via an HTML attachment.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 09/28/2021

TACTIC: HTML Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Mimecast and Microsoft ATP deliver Credential Phishing via an HTML attachment.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and Mimecast deliver Agent Tesla keylogger via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Agent Tesla Keylogger

POSTED ON: 09/27/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and Mimecast deliver Agent Tesla keylogger via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and Mimecast deliver Agent Tesla keylogger via an embedded link.

ENVIRONMENTS: Mimecast

TYPE: Agent Tesla Keylogger

POSTED ON: 09/27/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and Mimecast deliver Agent Tesla keylogger via an embedded link.

Real Phishing Example: Response-themed emails found in environments protected by Cisco Ironport deliver SquirrelWaffle and QakBot via Office macro-laden spreadsheets. The spreadsheets are downloaded via embedded URLs.

ENVIRONMENTS: Cisco Ironport

TYPE: QakBot

POSTED ON: 09/24/2021

TACTIC: Link

THEME: Response-themed

PHISHING EXAMPLE DESCRIPTION: Response-themed emails found in environments protected by Cisco Ironport deliver SquirrelWaffle and QakBot via Office macro-laden spreadsheets. The spreadsheets are downloaded via embedded URLs.

Real Phishing Example: Information-themed emails found in environments protected by Symantec MessageLabs and Cisco Ironport deliver REBOL malware via malicious Office macros.

ENVIRONMENTS: Symantec MessageLabs

TYPE: REBOL Malware

POSTED ON: 09/23/2021

TACTIC: XLS Attachment

THEME: Information-themed

PHISHING EXAMPLE DESCRIPTION: Information-themed emails found in environments protected by Symantec MessageLabs and Cisco Ironport deliver REBOL malware via malicious Office macros.

Real Phishing Example: Information-themed emails found in environments protected by Symantec MessageLabs and Cisco Ironport deliver REBOL malware via malicious Office macros.

ENVIRONMENTS: Cisco Ironport

TYPE: REBOL Malware

POSTED ON: 09/23/2021

TACTIC: XLS Attachment

THEME: Information-themed

PHISHING EXAMPLE DESCRIPTION: Information-themed emails found in environments protected by Symantec MessageLabs and Cisco Ironport deliver REBOL malware via malicious Office macros.

Real Phishing Example: Property Capsule-spoofing emails found in environments protected by Proofpoint deliver BazarBackdoor via a JavaScript Dropper which is downloaded from an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: BazarBackdoor

POSTED ON: 09/22/2021

TACTIC: Link

THEME: Property Capsule-spoofing

PHISHING EXAMPLE DESCRIPTION: Property Capsule-spoofing emails found in environments protected by Proofpoint deliver BazarBackdoor via a JavaScript Dropper which is downloaded from an embedded URL.

Real Phishing Example: Fax-themed emails found in environments protected by Mimecast and Proofpoint deliver credential phishing embedded in attached HTML files.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 09/21/2021

TACTIC: HTML Attachment

THEME: Fax

PHISHING EXAMPLE DESCRIPTION: Fax-themed emails found in environments protected by Mimecast and Proofpoint deliver credential phishing embedded in attached HTML files.

Real Phishing Example: Fax-themed emails found in environments protected by Mimecast and Proofpoint deliver credential phishing embedded in attached HTML files.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 09/21/2021

TACTIC: HTML Attachment

THEME: Fax

PHISHING EXAMPLE DESCRIPTION: Fax-themed emails found in environments protected by Mimecast and Proofpoint deliver credential phishing embedded in attached HTML files.

Real Phishing Example: DocuSign-spoofing emails found in environments protected by Mimecast deliver a Malware Downloader via an embedded URL. The Malware Downloader drops a legitimate wget binary and uses it to download Raccoon Stealer.

ENVIRONMENTS: Mimecast

TYPE: Raccoon Stealer

POSTED ON: 09/20/2021

TACTIC: Link

THEME: DocuSign-spoofing

PHISHING EXAMPLE DESCRIPTION: DocuSign-spoofing emails found in environments protected by Mimecast deliver a Malware Downloader via an embedded URL. The Malware Downloader drops a legitimate wget binary and uses it to download Raccoon Stealer.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 09/17/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 09/17/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 09/17/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 09/17/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Zoom-spoofing emails found in environments protected by Microsoft ATP deliver an LNK downloader via an embedded URL. The LNK file downloads BazarBackdoor.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: BazarBackdoor

POSTED ON: 09/16/2021

TACTIC: Link

THEME: Zoom-spoofing

PHISHING EXAMPLE DESCRIPTION: Zoom-spoofing emails found in environments protected by Microsoft ATP deliver an LNK downloader via an embedded URL. The LNK file downloads BazarBackdoor.

Real Phishing Example: SharePoint-spoofing emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 09/16/2021

TACTIC: Link

THEME: SharePoint-spoofing

PHISHING EXAMPLE DESCRIPTION: SharePoint-spoofing emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: DocuSign-spoofing emails found in environments protected by Proofpoint deliver a Reconnaissance Tool via a CVE-2021-40444 to HTA download chain. The document with CVE-2021-40444 is downloaded via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Reconnaissance Tool

POSTED ON: 09/16/2021

TACTIC: Link

THEME: DocuSign-spoofing

PHISHING EXAMPLE DESCRIPTION: DocuSign-spoofing emails found in environments protected by Proofpoint deliver a Reconnaissance Tool via a CVE-2021-40444 to HTA download chain. The document with CVE-2021-40444 is downloaded via an embedded URL.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 09/14/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 09/14/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 09/14/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 09/14/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Cisco Ironport deliver attached HTML files. The HTML files redirect and download STR RAT.

ENVIRONMENTS: Cisco Ironport

TYPE: STR RAT

POSTED ON: 09/13/2021

TACTIC: HTML Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Cisco Ironport deliver attached HTML files. The HTML files redirect and download STR RAT.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver Async RAT via an attached XXE which was a sample of GuLoader.

ENVIRONMENTS: Proofpoint

TYPE: Async RAT

POSTED ON: 09/13/2021

TACTIC: XXE Attachment

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver Async RAT via an attached XXE which was a sample of GuLoader.

Real Phishing Example: UPS-spoofing emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 09/10/2021

TACTIC: Link

THEME: UPS-spoofing

PHISHING EXAMPLE DESCRIPTION: UPS-spoofing emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Fax-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Mimecast deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 09/09/2021

TACTIC: Link

THEME: Fax

PHISHING EXAMPLE DESCRIPTION: Fax-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Mimecast deliver Credential Phishing via an embedded link.

Real Phishing Example: Fax-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Mimecast deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 09/09/2021

TACTIC: Link

THEME: Fax

PHISHING EXAMPLE DESCRIPTION: Fax-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Mimecast deliver Credential Phishing via an embedded link.

Real Phishing Example: Fax-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Mimecast deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 09/09/2021

TACTIC: Link

THEME: Fax

PHISHING EXAMPLE DESCRIPTION: Fax-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Mimecast deliver Credential Phishing via an embedded link.

Real Phishing Example: Fax-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Mimecast deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 09/09/2021

TACTIC: Link

THEME: Fax

PHISHING EXAMPLE DESCRIPTION: Fax-themed emails found in environments protected by Proofpoint, Microsoft ATP, Cisco Ironport, and Mimecast deliver Credential Phishing via an embedded link.

Real Phishing Example: Proposal-themed emails found in environments protected by Microsoft ATP and Barracuda deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 09/08/2021

TACTIC: Link

THEME: Proposal

PHISHING EXAMPLE DESCRIPTION: Proposal-themed emails found in environments protected by Microsoft ATP and Barracuda deliver Credential Phishing via an embedded link.

Real Phishing Example: Proposal-themed emails found in environments protected by Microsoft ATP and Barracuda deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Barracuda

TYPE: Credential Phishing

POSTED ON: 09/08/2021

TACTIC: Link

THEME: Proposal

PHISHING EXAMPLE DESCRIPTION: Proposal-themed emails found in environments protected by Microsoft ATP and Barracuda deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP and Barracuda deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 09/08/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP and Barracuda deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP and Barracuda deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Barracuda

TYPE: Credential Phishing

POSTED ON: 09/08/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP and Barracuda deliver Credential Phishing via an embedded link.

Real Phishing Example: Invoice-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 09/08/2021

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: Invoice-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP and Barracuda deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 09/08/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP and Barracuda deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP and Barracuda deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Barracuda

TYPE: Credential Phishing

POSTED ON: 09/08/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP and Barracuda deliver Credential Phishing via an embedded link.

Real Phishing Example: Quotation-themed emails found in environments protected by Proofpoint deliver a VBS script via an embedded URL. The VBS script downloads a PowerShell Script which drops and runs Async RAT.

ENVIRONMENTS: Proofpoint

TYPE: Async RAT

POSTED ON: 09/07/2021

TACTIC: Link

THEME: Quotation

PHISHING EXAMPLE DESCRIPTION: Quotation-themed emails found in environments protected by Proofpoint deliver a VBS script via an embedded URL. The VBS script downloads a PowerShell Script which drops and runs Async RAT.

Real Phishing Example: HSBC-spoofed emails found in environments protected by Microsoft-ATP deliver Credential Phishing via an attached HTML file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 09/06/2021

TACTIC: HTML Attachment

THEME: HSBC-spoofed email

PHISHING EXAMPLE DESCRIPTION: HSBC-spoofed emails found in environments protected by Microsoft-ATP deliver Credential Phishing via an attached HTML file.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver FormGrabber via an embedded link which downloaded AutoIT Loader. AutoIT Loader then downloaded FormGrabber and executed it in memory.

ENVIRONMENTS: Proofpoint

TYPE: FormGrabber

POSTED ON: 09/02/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver FormGrabber via an embedded link which downloaded AutoIT Loader. AutoIT Loader then downloaded FormGrabber and executed it in memory.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver an attached PDF file. The PDF contains a link to download a JS Dropper file. The JS Dropper file drops and runs a VBS script. The VBS script downloads a series of PowerShell Scripts which in turn download Modern Loader. Modern Loader downloads Revenge RAT.

ENVIRONMENTS: Proofpoint

TYPE: Revenge RAT

POSTED ON: 09/02/2021

TACTIC: PDF Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver an attached PDF file. The PDF contains a link to download a JS Dropper file. The JS Dropper file drops and runs a VBS script. The VBS script downloads a series of PowerShell Scripts which in turn download Modern Loader. Modern Loader downloads Revenge RAT.

Real Phishing Example: AmeriJet-spoofing emails found in environments protected by Microsoft ATP and Symantec MessageLabs deliver a CHM downloader via an embedded URL. The CHM file downloads a VBS script which drops a malicious batch script. The batch script downloads TrickBot.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: TrickBot

POSTED ON: 09/02/2021

TACTIC: Link

THEME: AmeriJet-spoofing email

PHISHING EXAMPLE DESCRIPTION: AmeriJet-spoofing emails found in environments protected by Microsoft ATP and Symantec MessageLabs deliver a CHM downloader via an embedded URL. The CHM file downloads a VBS script which drops a malicious batch script. The batch script downloads TrickBot.

Real Phishing Example: AmeriJet-spoofing emails found in environments protected by Microsoft ATP and Symantec MessageLabs deliver a CHM downloader via an embedded URL. The CHM file downloads a VBS script which drops a malicious batch script. The batch script downloads TrickBot.

ENVIRONMENTS: Symantec MessageLabs

TYPE: TrickBot

POSTED ON: 09/02/2021

TACTIC: Link

THEME: AmeriJet-spoofing email

PHISHING EXAMPLE DESCRIPTION: AmeriJet-spoofing emails found in environments protected by Microsoft ATP and Symantec MessageLabs deliver a CHM downloader via an embedded URL. The CHM file downloads a VBS script which drops a malicious batch script. The batch script downloads TrickBot.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver Async RAT via an attached XXE which was a sample of GuLoader.

ENVIRONMENTS: Proofpoint

TYPE: Async RAT

POSTED ON: 08/31/2021

TACTIC: XXE Attachment

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver Async RAT via an attached XXE which was a sample of GuLoader.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 08/30/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft-ATP and Proofpoint deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 08/30/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft-ATP and Proofpoint deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft-ATP and Proofpoint deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 08/30/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft-ATP and Proofpoint deliver Credential Phishing via an embedded link.

Real Phishing Example: Standard Bank-spoofed emails found in environments protected by Mimecast deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 08/30/2021

TACTIC: Link

THEME: Standard Bank-spoofed email

PHISHING EXAMPLE DESCRIPTION: Standard Bank-spoofed emails found in environments protected by Mimecast deliver Credential Phishing via an embedded link.

Real Phishing Example: WeTransfer-spoofed emails found in environments protected by Microsoft-ATP deliver Credential Phishing via an attached HTML file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 08/30/2021

TACTIC: HTML Attachment

THEME: WeTransfer-spoofed email

PHISHING EXAMPLE DESCRIPTION: WeTransfer-spoofed emails found in environments protected by Microsoft-ATP deliver Credential Phishing via an attached HTML file.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft-ATP deliver Credential Phishing via an attached DOCX file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 08/26/2021

TACTIC: DOCX Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft-ATP deliver Credential Phishing via an attached DOCX file.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint and Symantec MessageLabs deliver Credential Phishing via an attached HTM file.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 08/25/2021

TACTIC: HTM Attachment

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint and Symantec MessageLabs deliver Credential Phishing via an attached HTM file.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint and Symantec MessageLabs deliver Credential Phishing via an attached HTM file.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 08/25/2021

TACTIC: HTM Attachment

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint and Symantec MessageLabs deliver Credential Phishing via an attached HTM file.

Real Phishing Example: UPS-spoofing emails found in environments protected by Proofpoint deliver an Office macro-laden document via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Office Macro

POSTED ON: 08/24/2021

TACTIC: Link

THEME: UPS-spoofing

PHISHING EXAMPLE DESCRIPTION: UPS-spoofing emails found in environments protected by Proofpoint deliver an Office macro-laden document via an embedded URL.

Real Phishing Example: DocuSign-spoofed emails found in environments protected by Microsoft-ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 08/24/2021

TACTIC: Link

THEME: DocuSign-spoofing

PHISHING EXAMPLE DESCRIPTION: DocuSign-spoofed emails found in environments protected by Microsoft-ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Cisco Ironport deliver Remcos RAT via an embedded URL that downloaded an XLL which downloaded a Delphi Loader that led to Remcos.

ENVIRONMENTS: Cisco Ironport

TYPE: Remcos RAT

POSTED ON: 08/23/2021

TACTIC: XXE Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Cisco Ironport deliver Remcos RAT via an embedded URL that downloaded an XLL which downloaded a Delphi Loader that led to Remcos.

Real Phishing Example: Department of Labor-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing via an attached PDF.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 08/20/2021

TACTIC: PDF Attachment

THEME: Department of Labor-spoofing

PHISHING EXAMPLE DESCRIPTION: Department of Labor-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing via an attached PDF.

Real Phishing Example: Chemsol-spoofing emails found in environments protected by Proofpoint deliver GuLoader via an embedded URL. GuLoader downloads NanoCore RAT and runs it in memory.

ENVIRONMENTS: Proofpoint

TYPE: NanoCore RAT

POSTED ON: 08/19/2021

TACTIC: Link

THEME: Chemsol-spoofing

PHISHING EXAMPLE DESCRIPTION: Chemsol-spoofing emails found in environments protected by Proofpoint deliver GuLoader via an embedded URL. GuLoader downloads NanoCore RAT and runs it in memory.

Real Phishing Example: Microsoft-spoofing emails found in environments protected by Microsoft ATP and Mimecast deliver credential phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 08/17/2021

TACTIC: Link

THEME: Microsoft-spoofing

PHISHING EXAMPLE DESCRIPTION: Microsoft-spoofing emails found in environments protected by Microsoft ATP and Mimecast deliver credential phishing via an embedded link.

Real Phishing Example: Microsoft-spoofing emails found in environments protected by Microsoft ATP and Mimecast deliver credential phishing via an embedded link.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 08/17/2021

TACTIC: Link

THEME: Microsoft-spoofing

PHISHING EXAMPLE DESCRIPTION: Microsoft-spoofing emails found in environments protected by Microsoft ATP and Mimecast deliver credential phishing via an embedded link.

Real Phishing Example: Volksbanken Raiffeisenbanken-spoofing emails found in environments protected by Microsoft ATP deliver Coronavirus-related credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 08/17/2021

TACTIC: Link

THEME: Volksbanken Raiffeisenbanken-spoofing

PHISHING EXAMPLE DESCRIPTION: Volksbanken Raiffeisenbanken-spoofing emails found in environments protected by Microsoft ATP deliver Coronavirus-related credential phishing via an embedded URL.

Real Phishing Example: WeTransfer-spoofing emails found in environments protected by Proofpoint deliver an HTML file via an embedded link. The HTML file contains embedded credential phishing content.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 08/16/2021

TACTIC: Link

THEME: WeTransfer-spoofing

PHISHING EXAMPLE DESCRIPTION: WeTransfer-spoofing emails found in environments protected by Proofpoint deliver an HTML file via an embedded link. The HTML file contains embedded credential phishing content.

Real Phishing Example: Coronavirus-themed emails found in environments protected by Proofpoint and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 08/16/2021

TACTIC: Link

THEME: Coronavirus

PHISHING EXAMPLE DESCRIPTION: Coronavirus-themed emails found in environments protected by Proofpoint and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Coronavirus-themed emails found in environments protected by Proofpoint and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 08/16/2021

TACTIC: Link

THEME: Coronavirus

PHISHING EXAMPLE DESCRIPTION: Coronavirus-themed emails found in environments protected by Proofpoint and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver Raccoon Stealer via links embedded in the email and in the attached HTML file.

ENVIRONMENTS: Proofpoint

TYPE: Raccoon Stealer

POSTED ON: 08/13/2021

TACTIC: HTML Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Raccoon Stealer via links embedded in the email and in the attached HTML file.

Real Phishing Example: TransferNow-spoofing emails found in environments protected by Proofpoint deliver Snake Keylogger via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Snake Keylogger

POSTED ON: 08/13/2021

TACTIC: Link

THEME: TransferNow-spoofing

PHISHING EXAMPLE DESCRIPTION: TransferNow-spoofing emails found in environments protected by Proofpoint deliver Snake Keylogger via an embedded URL.

Real Phishing Example: Message-themed emails found in environments protected by Microsoft ATP deliver HTML files with embedded credential phishing content.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 08/13/2021

TACTIC: HTML Attachment

THEME: Message

PHISHING EXAMPLE DESCRIPTION: Message-themed emails found in environments protected by Microsoft ATP deliver HTML files with embedded credential phishing content.

Real Phishing Example: Response-themed emails found in environments protected by Mimecast deliver Belial Loader via an embedded URL. Belial Loader then downloads a second stage before connecting to its command and control locations.

ENVIRONMENTS: Mimecast

TYPE: Belial Loader

POSTED ON: 08/13/2021

TACTIC: Link

THEME: Response

PHISHING EXAMPLE DESCRIPTION: Response-themed emails found in environments protected by Mimecast deliver Belial Loader via an embedded URL. Belial Loader then downloads a second stage before connecting to its command and control locations.

Real Phishing Example: DocuSign-spoofing emails found in environments protected by Proofpoint deliver RedLine Stealer via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: RedLine Stealer

POSTED ON: 08/12/2021

TACTIC: Link

THEME: DocuSign-spoofing

PHISHING EXAMPLE DESCRIPTION: DocuSign-spoofing emails found in environments protected by Proofpoint deliver RedLine Stealer via an embedded URL.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 08/11/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

Real Phishing Example: Voicemail-themed emails found in environments protected by Proofpoint deliver credential phishing via a link embedded in an HTML file and via a link embedded in the email.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 08/10/2021

TACTIC: HTML Attachment

THEME: Voicemail

PHISHING EXAMPLE DESCRIPTION: Voicemail-themed emails found in environments protected by Proofpoint deliver credential phishing via a link embedded in an HTML file and via a link embedded in the email.

Real Phishing Example: Refund-themed emails found in environments protected by Symantec MessageLabs deliver DanaBot via a JNLP Shortcut to JAR Downloader download chain.

ENVIRONMENTS: Symantec MessageLabs

TYPE: DanaBot

POSTED ON: 08/10/2021

TACTIC: JNLP Attachment

THEME: Refund

PHISHING EXAMPLE DESCRIPTION: Refund-themed emails found in environments protected by Symantec MessageLabs deliver DanaBot via a JNLP Shortcut to JAR Downloader download chain.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 08/10/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Bongo-spoofing emails found in environments protected by Proofpoint deliver a VBS reconnaissance tool via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Reconnaissance Tool

POSTED ON: 08/06/2021

TACTIC: Link

THEME: Bongo-spoofing

PHISHING EXAMPLE DESCRIPTION: Bongo-spoofing emails found in environments protected by Proofpoint deliver a VBS reconnaissance tool via an embedded link.

Real Phishing Example: Supreme Court-themed emails found in environments protected by Proofpoint, Mimecast, Symantec MessageLabs, and Microsoft ATP deliver credential phishing via a link embedded in an attached calendar file.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 08/06/2021

TACTIC: ICS Attachment

THEME: Supreme Court

PHISHING EXAMPLE DESCRIPTION: Supreme Court-themed emails found in environments protected by Proofpoint, Mimecast, Symantec MessageLabs, and Microsoft ATP deliver credential phishing via a link embedded in an attached calendar file.

Real Phishing Example: Supreme Court-themed emails found in environments protected by Proofpoint, Mimecast, Symantec MessageLabs, and Microsoft ATP deliver credential phishing via a link embedded in an attached calendar file.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 08/06/2021

TACTIC: ICS Attachment

THEME: Supreme Court

PHISHING EXAMPLE DESCRIPTION: Supreme Court-themed emails found in environments protected by Proofpoint, Mimecast, Symantec MessageLabs, and Microsoft ATP deliver credential phishing via a link embedded in an attached calendar file.

Real Phishing Example: Supreme Court-themed emails found in environments protected by Proofpoint, Mimecast, Symantec MessageLabs, and Microsoft ATP deliver credential phishing via a link embedded in an attached calendar file.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 08/06/2021

TACTIC: ICS Attachment

THEME: Supreme Court

PHISHING EXAMPLE DESCRIPTION: Supreme Court-themed emails found in environments protected by Proofpoint, Mimecast, Symantec MessageLabs, and Microsoft ATP deliver credential phishing via a link embedded in an attached calendar file.

Real Phishing Example: Supreme Court-themed emails found in environments protected by Proofpoint, Mimecast, Symantec MessageLabs, and Microsoft ATP deliver credential phishing via a link embedded in an attached calendar file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 08/06/2021

TACTIC: ICS Attachment

THEME: Supreme Court

PHISHING EXAMPLE DESCRIPTION: Supreme Court-themed emails found in environments protected by Proofpoint, Mimecast, Symantec MessageLabs, and Microsoft ATP deliver credential phishing via a link embedded in an attached calendar file.

Real Phishing Example: eFax-spoofing emails found in environments protected by Ironport and Mimecast deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 08/05/2021

TACTIC: Link

THEME: eFax-spoofing

PHISHING EXAMPLE DESCRIPTION: eFax-spoofing emails found in environments protected by Ironport and Mimecast deliver Credential Phishing via an embedded link.

Real Phishing Example: eFax-spoofing emails found in environments protected by Ironport and Mimecast deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 08/05/2021

TACTIC: Link

THEME: eFax-spoofing

PHISHING EXAMPLE DESCRIPTION: eFax-spoofing emails found in environments protected by Ironport and Mimecast deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver Async RAT via an attached XXE file.

ENVIRONMENTS: Proofpoint

TYPE: Async RAT

POSTED ON: 08/04/2021

TACTIC: XXE Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Async RAT via an attached XXE file.

Real Phishing Example: Purchase order-themed campaign found in environments protected by Proofpoint delivers NanoCore RAT via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: NanoCore RAT

POSTED ON: 08/04/2021

TACTIC: Link

THEME: Purchase order

PHISHING EXAMPLE DESCRIPTION: Purchase order-themed campaign found in environments protected by Proofpoint delivers NanoCore RAT via an embedded URL.

Real Phishing Example: Fax-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 08/03/2021

TACTIC: Link

THEME: Fax

PHISHING EXAMPLE DESCRIPTION: Fax-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver NanoCore RAT via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: NanoCore RAT

POSTED ON: 08/02/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver NanoCore RAT via an embedded URL.

Real Phishing Example: Fireload-spoofing emails found in environments protected by Symantec MessageLabs deliver Agent Tesla Keylogger via an embedded URL.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Agent Tesla Keylogger

POSTED ON: 07/30/2021

TACTIC: Link

THEME: Brand-Spoofing

PHISHING EXAMPLE DESCRIPTION: Fireload-spoofing emails found in environments protected by Symantec MessageLabs deliver Agent Tesla Keylogger via an embedded URL.

Real Phishing Example: Microsoft-spoofing emails found in environments protected by Microsoft ATP and Symantec MessageLabs deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 07/29/2021

TACTIC: Link

THEME: Brand-Spoofing

PHISHING EXAMPLE DESCRIPTION: Microsoft-spoofing emails found in environments protected by Microsoft ATP and Symantec MessageLabs deliver credential phishing via an embedded URL.

Real Phishing Example: Microsoft-spoofing emails found in environments protected by Microsoft ATP and Symantec MessageLabs deliver credential phishing via an embedded URL.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 07/29/2021

TACTIC: Link

THEME: Brand-Spoofing

PHISHING EXAMPLE DESCRIPTION: Microsoft-spoofing emails found in environments protected by Microsoft ATP and Symantec MessageLabs deliver credential phishing via an embedded URL.

Real Phishing Example: Finance-themed emails found in environments protected by Cisco Ironport deliver Office macro-laden spreadsheets via embedded URLs. The spreadsheets drop WSC files which download Dridex.

ENVIRONMENTS: Cisco Ironport

TYPE: Dridex

POSTED ON: 07/28/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Cisco Ironport deliver Office macro-laden spreadsheets via embedded URLs. The spreadsheets drop WSC files which download Dridex.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Raccoon Stealer via an embedded link. The link would then download a password-protected .rar archive.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Raccoon Stealer

POSTED ON: 07/27/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Raccoon Stealer via an embedded link. The link would then download a password-protected .rar archive.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Raccoon Stealer via an embedded link. The link would then download a password-protected .rar archive.

ENVIRONMENTS: Proofpoint

TYPE: Raccoon Stealer

POSTED ON: 07/27/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Raccoon Stealer via an embedded link. The link would then download a password-protected .rar archive.

Real Phishing Example: Quotation-themed emails found in environments protected by Proofpoint and TrendMicro deliver Loki Bot via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Loki Bot

POSTED ON: 07/26/2021

TACTIC: Link

THEME: Quotation

PHISHING EXAMPLE DESCRIPTION: Quotation-themed emails found in environments protected by Proofpoint and TrendMicro deliver Loki Bot via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, and Mimecast deliver credential phishing via a link embedded in an attached image file.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 07/23/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, and Mimecast deliver credential phishing via a link embedded in an attached image file.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, and Mimecast deliver credential phishing via a link embedded in an attached image file.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 07/23/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, and Mimecast deliver credential phishing via a link embedded in an attached image file.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, and Mimecast deliver credential phishing via a link embedded in an attached image file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 07/23/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP, Symantec MessageLabs, and Mimecast deliver credential phishing via a link embedded in an attached image file.

Real Phishing Example: Coronavirus-themed emails found in environments protected by Proofpoint deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 07/23/2021

TACTIC: Link

THEME: Coronavirus

PHISHING EXAMPLE DESCRIPTION: Coronavirus-themed emails found in environments protected by Proofpoint deliver Credential Phishing via an embedded link.

Real Phishing Example: Supreme Court-themed emails found in environments protected by Proofpoint, Cisco Ironport, and Mimecast deliver credential phishing via a link embedded in an attached calendar file.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 07/22/2021

TACTIC: ICS Attachment

THEME: Government-Spoofing

PHISHING EXAMPLE DESCRIPTION: Supreme Court-themed emails found in environments protected by Proofpoint, Cisco Ironport, and Mimecast deliver credential phishing via a link embedded in an attached calendar file.

Real Phishing Example: Supreme Court-themed emails found in environments protected by Proofpoint, Cisco Ironport, and Mimecast deliver credential phishing via a link embedded in an attached calendar file.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 07/22/2021

TACTIC: ICS Attachment

THEME: Government-Spoofing

PHISHING EXAMPLE DESCRIPTION: Supreme Court-themed emails found in environments protected by Proofpoint, Cisco Ironport, and Mimecast deliver credential phishing via a link embedded in an attached calendar file.

Real Phishing Example: Supreme Court-themed emails found in environments protected by Proofpoint, Cisco Ironport, and Mimecast deliver credential phishing via a link embedded in an attached calendar file.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 07/22/2021

TACTIC: ICS Attachment

THEME: Government-Spoofing

PHISHING EXAMPLE DESCRIPTION: Supreme Court-themed emails found in environments protected by Proofpoint, Cisco Ironport, and Mimecast deliver credential phishing via a link embedded in an attached calendar file.

Real Phishing Example: Finance-themed emails found in environments protected by Cisco Ironport and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 07/21/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Cisco Ironport and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Cisco Ironport and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 07/21/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Cisco Ironport and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 07/20/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 07/20/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 07/20/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP, Cisco Ironport, and Symantec MessageLabs deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver Agent Tesla keylogger via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Agent Tesla Keylogger

POSTED ON: 07/19/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver Agent Tesla keylogger via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 07/19/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded link.

Real Phishing Example: Quotation-themed emails found in environments protected by Proofpoint deliver an LZH archive via an embedded link. The archive contains both an Agent Tesla keylogger and a FormGrabber executable.

ENVIRONMENTS: Proofpoint

TYPE: Agent Tesla Keylogger

POSTED ON: 07/16/2021

TACTIC: Link

THEME: Quotation

PHISHING EXAMPLE DESCRIPTION: Quotation-themed emails found in environments protected by Proofpoint deliver an LZH archive via an embedded link. The archive contains both an Agent Tesla keylogger and a FormGrabber executable.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 07/15/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 07/15/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Message-themed emails found in environments protected by Symantec spoof various financial brands to deliver Office macro-laden documents via embedded URLs. The documents drop and run a reconnaissance tool.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Reconnaissance Tool

POSTED ON: 07/15/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Message-themed emails found in environments protected by Symantec spoof various financial brands to deliver Office macro-laden documents via embedded URLs. The documents drop and run a reconnaissance tool.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint and Cisco Ironport deliver Credential Phishing via an attached HTM file.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 07/14/2021

TACTIC: HTML Attachment

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint and Cisco Ironport deliver Credential Phishing via an attached HTM file.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint and Cisco Ironport deliver Credential Phishing via an attached HTM file.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 07/14/2021

TACTIC: HTML Attachment

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint and Cisco Ironport deliver Credential Phishing via an attached HTM file.

Real Phishing Example: Innovative Health Diagnostic-spoofing emails found in environments protected by Proofpoint deliver credential phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 07/12/2021

TACTIC: Link

THEME: Brand-Spoofing

PHISHING EXAMPLE DESCRIPTION: Innovative Health Diagnostic-spoofing emails found in environments protected by Proofpoint deliver credential phishing via an embedded link.

Real Phishing Example: Trend Micro-spoofing emails found in environments protected by Cisco Ironport claim to have a Kaseya advisory and detection tool available via an embedded link. The link delivers Dridex.

ENVIRONMENTS: Cisco Ironport

TYPE: Dridex

POSTED ON: 07/12/2021

TACTIC: Link

THEME: Brand-Spoofing

PHISHING EXAMPLE DESCRIPTION: Trend Micro-spoofing emails found in environments protected by Cisco Ironport claim to have a Kaseya advisory and detection tool available via an embedded link. The link delivers Dridex.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 07/09/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL inside an attached XLSX file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 07/08/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL inside an attached XLSX file.

Real Phishing Example: Fax-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 07/08/2021

TACTIC: Link

THEME: Fax

PHISHING EXAMPLE DESCRIPTION: Fax-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver a downloaded Agent Tesla Keylogger.

ENVIRONMENTS: Proofpoint

TYPE: Agent Tesla Keylogger

POSTED ON: 07/07/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver a downloaded Agent Tesla Keylogger.

Real Phishing Example: Environmental day-themed emails found in environments protected by Microsoft ATP deliver a series of broken attachments and a JavaScript file. The JavaScript file downloads BazarBackdoor.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: BazarBackdoor

POSTED ON: 07/07/2021

TACTIC: JS Attachment

THEME: Environmental day

PHISHING EXAMPLE DESCRIPTION: Environmental day-themed emails found in environments protected by Microsoft ATP deliver a series of broken attachments and a JavaScript file. The JavaScript file downloads BazarBackdoor.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP and Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 07/06/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP and Proofpoint deliver credential phishing via an embedded URL.

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP and Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 07/06/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Microsoft ATP and Proofpoint deliver credential phishing via an embedded URL.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP, Proofpoint, and Cisco Ironport deliver credential phishing via an embedded URL within an attached HTML file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 07/05/2021

TACTIC: HTML Attachment

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP, Proofpoint, and Cisco Ironport deliver credential phishing via an embedded URL within an attached HTML file.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP, Proofpoint, and Cisco Ironport deliver credential phishing via an embedded URL within an attached HTML file.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 07/05/2021

TACTIC: HTML Attachment

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP, Proofpoint, and Cisco Ironport deliver credential phishing via an embedded URL within an attached HTML file.

Real Phishing Example: Invoice-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 07/02/2021

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: Invoice-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

Real Phishing Example: Finance-themed emails found in environments protected by Symantec MessageLabs deliver credential phishing via an embedded URL that downloaded an HTML file with a credential phishing link inside.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Credential Phishing

POSTED ON: 07/01/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Symantec MessageLabs deliver credential phishing via an embedded URL that downloaded an HTML file with a credential phishing link inside.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver FormGrabber via an embedded link inside an attached PDF.

ENVIRONMENTS: Proofpoint

TYPE: FormGrabber

POSTED ON: 06/30/2021

TACTIC: PDF Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver FormGrabber via an embedded link inside an attached PDF.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver FormGrabber via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: FormGrabber

POSTED ON: 06/29/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver FormGrabber via an embedded link.

Real Phishing Example: WeTransfer-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL that downloaded a PDF with a credential phishing link inside.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 06/28/2021

TACTIC: Link

THEME: Brand-Spoofing

PHISHING EXAMPLE DESCRIPTION: WeTransfer-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL that downloaded a PDF with a credential phishing link inside.

Real Phishing Example: Coronavirus-themed emails found in environments protected by Cisco Ironport deliver Buer Loader via an attached Office macro.

ENVIRONMENTS: Cisco Ironport

TYPE: Buer Loader

POSTED ON: 06/28/2021

TACTIC: XLSM Attachment

THEME: Coronavirus

PHISHING EXAMPLE DESCRIPTION: Coronavirus-themed emails found in environments protected by Cisco Ironport deliver Buer Loader via an attached Office macro.

Real Phishing Example: Shipping-themed emails found in environments protected by Proofpoint deliver an attached document with CVE-2017-0199. The document downloads an Office macro-laden document which drops and runs a VBS script. The script downloads BazarBackdoor.

ENVIRONMENTS: Proofpoint

TYPE: BazarBackdoor

POSTED ON: 06/25/2021

TACTIC: DOCX Attachment

THEME: Shipping

PHISHING EXAMPLE DESCRIPTION: Shipping-themed emails found in environments protected by Proofpoint deliver an attached document with CVE-2017-0199. The document downloads an Office macro-laden document which drops and runs a VBS script. The script downloads BazarBackdoor.

Real Phishing Example: Airbus-spoofing emails found in environments protected by Microsoft ATP deliver VBS scripts via embedded URLs. The scripts run a DotNET loader which then runs Async RAT.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Async RAT

POSTED ON: 06/24/2021

TACTIC: Link

THEME: Brand-Spoofing

PHISHING EXAMPLE DESCRIPTION: Airbus-spoofing emails found in environments protected by Microsoft ATP deliver VBS scripts via embedded URLs. The scripts run a DotNET loader which then runs Async RAT.

Real Phishing Example: Adobe-spoofing emails found in environments protected by Proofpoint deliver a PDF via an embedded link. The PDF contains a link to a credential phishing page.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 06/23/2021

TACTIC: Link

THEME: Brand-Spoofing

PHISHING EXAMPLE DESCRIPTION: Adobe-spoofing emails found in environments protected by Proofpoint deliver a PDF via an embedded link. The PDF contains a link to a credential phishing page.

Real Phishing Example: Microsoft-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 06/23/2021

TACTIC: Link

THEME: Brand-Spoofing

PHISHING EXAMPLE DESCRIPTION: Microsoft-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Cisco Ironport, and Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 06/22/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Cisco Ironport, and Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Cisco Ironport, and Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 06/22/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Cisco Ironport, and Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Cisco Ironport, and Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 06/22/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Cisco Ironport, and Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: DBA Janitorial Corp-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 06/22/2021

TACTIC: Link

THEME: Brand-Spoofing

PHISHING EXAMPLE DESCRIPTION: DBA Janitorial Corp-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Cisco Ironport deliver an attached Agent Tesla Keylogger.

ENVIRONMENTS: Cisco Ironport

TYPE: Agent Tesla Keylogger

POSTED ON: 06/22/2021

TACTIC: ZIPX Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Cisco Ironport deliver an attached Agent Tesla Keylogger.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver Metamorfo via a malicious batch script. The script is downloaded via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Metamorfo

POSTED ON: 06/21/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Metamorfo via a malicious batch script. The script is downloaded via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Cisco Ironport deliver FormGrabber via an embedded URL.

ENVIRONMENTS: Cisco Ironport

TYPE: FormGrabber

POSTED ON: 06/17/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Cisco Ironport deliver FormGrabber via an embedded URL.

Real Phishing Example: Quotation-themed emails found in environments protected by Proofpoint deliver VBS scripts via embedded URLs. The scripts run a DotNET loader which then runs Async RAT.

ENVIRONMENTS: Proofpoint

TYPE: Async RAT

POSTED ON: 06/17/2021

TACTIC: Link

THEME: Quotation

PHISHING EXAMPLE DESCRIPTION: Quotation-themed emails found in environments protected by Proofpoint deliver VBS scripts via embedded URLs. The scripts run a DotNET loader which then runs Async RAT.

Real Phishing Example: Docusign-spoofing emails found in environments protected by Proofpoint deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 06/09/2021

TACTIC: Link

THEME: Brand-Spoofing

PHISHING EXAMPLE DESCRIPTION: Docusign-spoofing emails found in environments protected by Proofpoint deliver Credential Phishing via an embedded link.

Real Phishing Example: Password-themed emails found in environments protected by Proofpoint and Mimecast deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 06/09/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Password-themed emails found in environments protected by Proofpoint and Mimecast deliver Credential Phishing via an embedded link.

Real Phishing Example: Password-themed emails found in environments protected by Proofpoint and Mimecast deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 06/09/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Password-themed emails found in environments protected by Proofpoint and Mimecast deliver Credential Phishing via an embedded link.

Real Phishing Example: First American Title-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing via embedded links.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 06/08/2021

TACTIC: Link

THEME: Brand-Spoofing

PHISHING EXAMPLE DESCRIPTION: First American Title-spoofing emails found in environments protected by Microsoft ATP deliver credential phishing via embedded links.

Real Phishing Example: Finance-themed email found in environments protected by Proofpoint delivers IcedID via malicious Office macros in a password-protected zip attachment.

ENVIRONMENTS: Proofpoint

TYPE: Iced-ID

POSTED ON: 06/07/2021

TACTIC: Zip Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed email found in environments protected by Proofpoint delivers IcedID via malicious Office macros in a password-protected zip attachment.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP, Proofpoint, and Cisco Ironport deliver credential phishing via an embedded URL within an attached HTML file.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 06/05/2021

TACTIC: HTML Attachment

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP, Proofpoint, and Cisco Ironport deliver credential phishing via an embedded URL within an attached HTML file.

Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 06/04/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Response-themed emails found in environments protected by Symantec and Microsoft ATP deliver Ursnif dropped from VBS scripts. The scripts are downloaded in password-protected archives from embedded links.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Ursnif

POSTED ON: 06/03/2021

TACTIC: Link

THEME: Reply Chain

PHISHING EXAMPLE DESCRIPTION: Response-themed emails found in environments protected by Symantec and Microsoft ATP deliver Ursnif dropped from VBS scripts. The scripts are downloaded in password-protected archives from embedded links.

Real Phishing Example: Response-themed emails found in environments protected by Symantec and Microsoft ATP deliver Ursnif dropped from VBS scripts. The scripts are downloaded in password-protected archives from embedded links.

ENVIRONMENTS: Symantec MessageLabs

TYPE: Ursnif

POSTED ON: 06/03/2021

TACTIC: Link

THEME: Reply Chain

PHISHING EXAMPLE DESCRIPTION: Response-themed emails found in environments protected by Symantec and Microsoft ATP deliver Ursnif dropped from VBS scripts. The scripts are downloaded in password-protected archives from embedded links.

Real Phishing Example: Brown-Forman-spoofing emails found in environments protected by Cisco Ironport deliver links to a fake Brown-Forman web page. On Microsoft Windows computers, the page provides a link to download an Office macro-laden spreadsheet. The spreadsheet then downloads and runs JSSLoader.

ENVIRONMENTS: Cisco Ironport

TYPE: JSSLoader

POSTED ON: 06/01/2021

TACTIC: Link

THEME: Brand-Spoofing

PHISHING EXAMPLE DESCRIPTION: Brown-Forman-spoofing emails found in environments protected by Cisco Ironport deliver links to a fake Brown-Forman web page. On Microsoft Windows computers, the page provides a link to download an Office macro-laden spreadsheet. The spreadsheet then downloads and runs JSSLoader.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 05/28/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Invoice-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 05/28/2021

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: Invoice-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 05/28/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Mimecast

TYPE: Credential Phishing

POSTED ON: 05/28/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Cisco Ironport deliver Credential Phishing via an embedded link.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver BitRAT via a JSDropper downloaded from an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: BitRAT

POSTED ON: 05/27/2021

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver BitRAT via a JSDropper downloaded from an embedded link.
