Phishing & Email Spam

Phishing and email spam is estimated to cost industry more than $1 billion each year, and cybercriminals are becoming more sophisticated in the campaigns they launch to try to extract confidential data or passwords from unsuspecting Internet users.

Part of the reason why phishing and email spam continue to work is the language used within the communication. The message to “Act Now” because an account seems to have been compromised, or because a colleague appears to need urgent support, often causes individuals to act before they think.

Even experienced security experts have been caught by phishing and email spam, and the advice provided to every Internet user is:

  • If you are unsure of whether an email request is legitimate, try to verify it by contacting the sender independently of the information provided in the email.
  • Never reveal confidential data or passwords requested in an email or on a web page you have arrived at after following a link in an email.
  • Enable spam filters on your email, keep your anti-virus software up-to-date and enable two-step authentication on all your accounts whenever possible.
  • Always use different passwords for different accounts, and change them frequently to avoid being a victim of key-logging malware downloads.
  • Remember that phishing and email spam is not limited to email. Watch out for scams sent via social media channels.

Phishing in particular has become a popular attack vector for cybercriminals. Although phishing goes back to the early days of AOL, there has been a tenfold increase in phishing campaigns over the past decade reported to the Anti-Phishing Working Group (APWG).

Phishing is an extension of spam mail and can target small groups of people (spear phishing) or target executive-level management (whale phishing) in order to collect information or gain access to computer systems.

The best way to protect yourself from phishing and email spam is to follow the advice provided above and – most importantly – enable a reputable spam filter to block potentially unsafe emails from being delivered to your inbox.

Financial Institutions Targeted in Phishing Campaign That Delivers the JSOutProx RAT

A phishing campaign has been running since late March that tricks people into installing a new version of the remote access trojan, JSOutProx. JSOutProx was first identified in 2019 and is a backdoor that utilizes JavaScript and .NET that allows users to run shell commands, execute files, take screenshots, control peripheral devices, and download additional malware payloads. The malware is known to be used by a threat actor tracked as Solar Spider, which mostly targets financial institutions in Central Europe, South Asia, Southeast Asia, and Africa, with the latest version of the malware also being used to target organizations in the Middle East.

The malware has mostly been used on banks and other financial institutions. If infected, the malware collects information about its environment and the attackers then download any of around 14 different plug-ins from either GitHub or GitLab, based on the information the malware collects about its operating environment. The malware can be used to control proxy settings, access Microsoft Outlook account details, capture clipboard content, and steal one-time passwords from Symantec VIP.

Like many other remote access trojans, JSOutProx is primarily delivered via phishing emails. A variety of lures have been used in the phishing emails but the latest campaign uses fake notifications about SWIFT payments in targeted attacks on financial institutions and MoneyGram payment notifications in attacks on individuals, which aim to trick the recipients into installing the malware.

The latest campaign uses JavaScript attachments that masquerade as PDF files of financial documents contained in .zip files. If the user attempts to open the fake PDF file, the JavaScript is executed deploying the malware payload. The main aim of the campaign is to steal user account credentials, gather sensitive financial documents, and obtain payment account data, which can either be used to make fraudulent transactions or be sold to other threat actors on the dark web. Email accounts are often compromised which can be leveraged in Business Email Compromise (BEC) attacks to steal funds from clients. According to VISA, “The JSOutProx malware poses a serious threat to financial institutions around the world, and especially those in the AP region as those entities have been more frequently targeted with this malware.”

Since phishing is the main method of malware delivery, the best defense against attacks is advanced anti-spam software and end-user security awareness training. JSOutProx malware is able to bypass many traditional anti-spam solutions and anti-virus software due to the high level of obfuscation. The best defense is an anti-spam solution with AI and machine learning capabilities that can identify the signs of malicious emails by analyzing message headers and message content to determine how they deviate from the emails typically received by the business and also search for the signs of phishing and malware delivery based on the latest threat intelligence.

To identify the malicious attachments, an anti-spam solution requires sandboxing. Any messages that pass standard antivirus checks are sent to the sandbox where behavior is analyzed to identify malicious actions, rather than relying on malware signatures for detection. SpamTitan can extract and analyze files in compressed archives such as .zip and .rar files and in recent independent tests, SpamTitan achieved a phishing catch rate of 99.914%, a malware catch rate of 99.511%, with a false positive rate of 0.00%. SpamTitan from TitanHQ is delivered as either a hosted anti-spam service or an anti-spam gateway that is installed on-premises on existing hardware. SpamTitan has been developed to be easy to implement and use and meet the needs of businesses of all sizes and managed service providers.

Phishing emails target employees so it is important to teach them how to identify phishing emails. Due to the fast-changing threat landscape, security awareness training should be provided continuously to the workforce, and phishing simulations should be conducted to give employees practice at identifying threats. SafeTitan from TitanHQ can be used to easily create effective training programs that run continuously throughout the year and keep employees up to date on the latest threats and tactics, techniques, and procedures used by malicious actors. SafeTitan also delivers relevant training in real-time in response to security mistakes and phishing simulation failures. Check out these anti-spam tips for further information on improving your defenses against phishing and get in touch with TitanHQ for more information on SpamTitan email security and the SafeTitan security awareness training platform.

Monthly Salary Reports Used as Lure in RAT-delivering Phishing Campaign

One of the most effective ways of getting employees to open malicious emails is to make the emails appear to have been sent internally and to use a lure related to salaries, as is the case with a recently identified campaign that is used to deliver a Remote Access Trojan called NetSupport RAT.

The campaign was first identified by researchers at Perception Point who intercepted an email that appeared to have been sent by the accounts department and purported to be a monthly salary report. The recipient is told to review the report and get back in touch with the accounts department if they have any questions or concerns about the data.  Due to the sensitive nature of the data, the salary chart is in a password-protected document, and the employee is told to enter the password provided in the email if the enable editing option is unavailable. The user is prompted to download the .docx file, enter the password, and then click enable editing, after which they need to click on the image of a printer embedded in the document. Doing so will display the user’s salary graph.

The document uses an OLE (Object Linking and Embedding) template which is a legitimate tool that allows linking to documents and other objects, in this case, a malicious script that is executed by clicking on the printer icon. This method of infection is highly effective, as the malicious payload is not contained in the document itself, so standard antivirus scans of the document will not reveal any malicious content. If the user clicks the printer icon, a ZIP archive file will be opened that includes a single Windows shortcut file, which is a PowerShell dropper that will deliver the NetSupport RAT from the specified URL and execute it, also adding a registry key for persistence.

NetSupport RAT has been developed from a legitimate remote desktop tool called NetSupport Manager which is typically used to provide remote technical support and IT assistance. The malware allows a threat actor to gain persistent remote access to an infected device, gather data from the endpoint, and run commands. While the use of OLE template manipulation is not new, this method has not previously been used to deliver the NetSupport RAT via email.

The threat actor uses encrypted documents to deliver the malware to evade email security solutions, and the emails are sent using a legitimate email marketing platform called Brevo, which allows the emails to pass standard reputation checks. This campaign is another example of how threat actors are increasing the sophistication of their phishing campaigns and how they can bypass standard email security defenses, including Microsoft’s anti-malware and anti-phishing protections for Microsoft 365 environments.

While the lure and the steps users are taken through are reasonable, there are red flags at various stages of the infection process where end users should identify the email as potentially malicious. In order for that to happen, end users should be provided with regular security awareness training. TitanHQ offers a comprehensive security awareness training platform called SafeTitan, which includes training modules to teach employees how to identify the red flags in email campaigns such as this. The platform also includes a phishing simulator, that allows these types of emails to be sent to employees to test the effectiveness of their training. If they fail a simulation, they are immediately shown where they missed the opportunity to identify the threat, with relevant training generated instantly in real time.

Sophisticated phishing attacks require sophisticated anti-phishing defenses to block these emails before they reach end users’ inboxes. While standard antivirus checks can block many malicious payloads, behavioral analysis of attachments and files is essential. TitanHQ’s cloud-based anti-spam service – SpamTitan – performs a barrage of front-end checks of messages including reputation checks and Bayesian analysis, machine-learning algorithms analyze messages for potentially malicious and phishing content, scan attachments with twin antivirus engines, and messages are sent to a sandbox for deep analysis. In the sandbox, malicious behavior can be identified allowing even sophisticated phishing emails to be blocked by the cloud spam filter.

A hosted email filter is often the best fit for businesses, although SpamTitan is available as a gateway spam filter. The TitanHQ team will be happy to listen to your requirements and suggest the best option to meet your needs. Give the team a call today to find out more about improving your email defenses against sophisticated phishing and malware distribution campaigns and how to provide more effective security awareness training.

Sophisticated Phishing Campaign Delivers Rats via SVG File Attachments

A sophisticated phishing campaign has been detected that is being used to deliver a variety of Remote Access Trojan (RAT) malware, including Venom RAT, Remcos RAT, and NanoCore RAT, as well as a stealer that targets cryptocurrency wallets. The campaign uses email as the initial access vector with the messages purporting to be an invoice for a shipment that has recently been delivered. The emails include a Scalable Vector Graphics (SVG) file attachment – an increasingly common XML-based vector image format.

If the file is executed, it will drop a compressed (zip) file on the user’s device. The zip file contains a batch file that has been created with an obfuscation tool (most likely BatCloak) to allow it to evade anti-virus software. If not detected as malicious, a ScrubCrypt batch file is unpacked – another tool used to bypass antivirus protections – which delivers two executable files that are used to deliver and execute the RAT and establish persistence. This method of delivery allows the malware to evade AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) antivirus protections.

One of the primary payloads is Venom RAT, which establishes a connection with its command and control (C2) server, transmits sensitive information gathered from the compromised device and runs commands from its C2 server. Venon RAT can download additional modules and malware payloads, including a stealer malware that targets folders associated with cryptocurrency wallets and applications including Atomic Wallet, Electrum, Exodus, Foxmail, and Telegram.

The sophisticated nature of this campaign and the obfuscation used to hide the malicious payloads from traditional antivirus software demonstrates the need for advanced email defenses and end-user training. Email security solutions that rely on malware signatures are easily bypassed, which is why it is important to use an anti-spam solution that incorporates sandboxing for blocking malware and AI and machine learning capabilities to identify malicious emails.

SpamTitan uses AI and machine learning algorithms to detect phishing emails that other solutions miss – including Microsoft’s basic and advanced anti-phishing mechanisms for Microsoft 365. SpamTitan includes Sender Policy Framework (SPF), SURBL’s, RBL’s, Bayesian analysis, and more, and the machine learning algorithms can detect email messages that deviate from the typical messages received by a business and can identify header anomalies, address spoofing, and suspect email body content. All inbound messages are subjected to standard and advanced malware checks, including scans using twin anti-virus engines and email sandboxing.  If all anti-malware checks are passed, including unpacking and analyzing compressed files, messages are sent to the sandbox for behavioral analysis.

In the cloud-based sandbox, malicious actions are identified such as attempts to deliver additional files as is commonly seen in multi-stage attacks and C2 calls. In recent independent tests (Virus Bulletin), SpamTitan achieved a phishing catch rate of 99.914%, a malware catch rate of 99.511%, and a false positive rate of 0.00%. With phishing attacks becoming more sophisticated you need to have sophisticated defenses. With email security protection provided by SpamTitan and security awareness training delivered using TitanHQ’s award-winning SafeTitan security awareness training and phishing simulation platform you will be well protected from email-based attacks.

Give the TitanHQ team a call today to find out more about how you can improve your defenses against email-based attacks with sandboxing technology and how to add more layers to your defenses to block the full range of cyberattacks.

TitanHQ Achieves Virus Bulletin VBSpam+ Certification with 99.91% Phishing Catch Rate in Latest Tests

TitanHQ has claimed a Top 3 position in a recent Virus Bulletin email security test, achieving an exceptional 99.98% spam catch rate and 99.91% phishing catch rate for the cutting-edge filtering engine that powers the SpamTitan (email security) and PhishTitan (phishing protection) solutions, earning TitanHQ the prestigious VBSpam+ certification for the products.

Virus Bulletin is a security information portal and independent testing and certification body that has earned a formidable reputation within the cybersecurity community for providing security professionals with intelligence about the latest developments in the global threat landscape. Virus Bulletin conducts regular tests of security solutions to determine how well they perform at detecting and blocking threats, and for more than 20 years has been benchmarking cybersecurity solutions. Virus Bulletin’s public certifications cover all types of security threat protection, including anti-spam and anti-phishing solutions for enterprises.

In the Q1, 2024 tests, Virus Bulletin assessed nine comprehensive email security solutions, including TitanHQ’s email security suite which comprises SpamTitan and PhishTitan. The email security solutions were put to the test to assess how effective they are at blocking unsolicited and unwanted spam emails and malicious messages of all types. TitanHQ’s solutions achieved exceptional scores at blocking spam and phishing emails, with a spam catch rate of 99.983%, a malware catch rate of 99.511%, and a phishing catch rate of 99.914% with zero false positives. The final score for the Q1, 2024 tests was 99.983, cementing TitanHQ’s position as a leading provider of anti-phishing and anti-spam solutions for managed service providers and businesses.

“This test reaffirms TitanHQ’s unrivaled prowess in spam and phishing protection—we stand as the first choice for combating phishing attempts and spam infiltrations,” said Ronan Kavanagh, CEO at TitanHQ. “Our customers need not settle for anything less. With TitanHQ solutions, they receive unparalleled defense against phishing and spam and experience minimal false positives.

While there are many ways that cybercriminals and nation state actors breach company networks and gain access to sensitive data, phishing is the leading initial access vector. Despite phishing being such a prevalent threat, many businesses lack security solutions that can consistently identify and block these malicious messages, which results in costly compromises, data breaches, and devastating ransomware attacks. According to one study by researchers at CoreView on 1.6 million Microsoft 365 users, 90% lacked essential security protections that can combat threats such as phishing.

While Microsoft has security solutions that can block spam and phishing emails, they are unable to block advanced phishing threats. PhishTitan has been developed to work seamlessly with M365 and catch the phishing threats that M365 misses. Even Microsoft’s most advanced anti-phishing protection, the costly E5 premium security offering, fails to block many advanced threats. Testing has shown that for every 80,000 emails received, PhishTitan identifies and blocks 20 unique, sophisticated phishing attempts that Microsoft’s top solution misses, and many businesses cannot afford Microsoft’s top level of protection and are reliant on its basic anti-spam and anti-phishing protection.

If you want to improve your defenses against phishing and malware and block more spam emails, give the TitanHQ team a call and ask about SpamTitan and PhishTitan. Both email filtering solutions are available on a free trial, so you can put them to the test and see for yourself the difference they make.

Large-scale StrelaStealer Malware Campaign Spreads to US and Europe

A phishing campaign distributing StrelaStealer malware has expanded to Europe and the United States, with the attackers favoring the high-tech, finance, professional and legal services, manufacturing, government, energy, utilities, insurance, and construction sectors.

StrelaStealer malware was first identified in November 2022 and its primary purpose is to extract email account login credentials from popular email clients such as Microsoft Outlook and Mozilla Thunderbird, and exfiltrate them to its command-and-control server. StrelaStealer has previously been used to target companies in Spanish-speaking countries however, targeting has now been expanded to the United States and Europe, with attacks peaking in November 2023 and January 2023 with more than 500 attacks a day on companies in the United States and more than 100 attacks per day in Europe, according to tracking data from Palo Alto Networks Unit 42 team.

The campaign uses email as the initial access vector with the emails typically claiming to be an invoice. Early attacks used ISO file attachments that included a .lnk shortcut and an HTML file, which invoked the rundll32.exe process to execute the malware payload. The latest attacks use a different method, with .zip file attachments favored. These compressed files include Jscript files which, if executed, drop a batch file and base64-encoded file that decodes into a DLL file, which is executed using rundll32.exe to deploy the StrelaStealer payload.

Email sandboxing provides a vital layer of protection against malware, which can be difficult to detect using transitional signature-based email security solutions. Anti-virus solutions are generally signature-based, which means they can only detect known malware. Advanced email security solutions use sandboxing to analyze the behavior of files to identify and block novel malware threats. Suspicious files are sent to the sandbox for in-depth behavioral analysis. The control flow obfuscation technique used in this attack can make analysis difficult, even in sandboxed environments, with excessively long code blocks used that can result in timeouts when executed in some sandboxed environments. While sandboxing can delay email delivery, which is far from ideal for businesses that need to act on emails quickly, it is important to provide enough time to allow attachments to be fully analyzed, as StrelaStealer malware clearly demonstrates. The easiest way for businesses to sandbox email attachments is with SpamTitan Email Security.

StrelaStealer malware is actively evolving, and new methods are being developed to deliver the malware and evade security solutions. Combatting sophisticated phishing attacks such as this, requires a defense-in-depth approach to security, using multiple security solutions that provide overlapping layers of protection such as SpamTitan Email Security, PhishTitan phishing protection, and SafeTitan security awareness training. Give the TitanHQ team a call today for more information on affordable cybersecurity solutions that are easy to use and capable of blocking advanced phishing threats.

Tycoon 2FA Phishing Kit Targets M365 and Gmail Credentials and Bypasses MFA

Phishing is one of the most common methods used to gain access to credentials; however, businesses are increasingly implementing multi-factor authentication (MFA) which adds an extra layer of protection and means stolen credentials cannot be used on their own to gain access to accounts. An additional authentication factor is required before access to the account is granted. While any form of MFA is better than none, MFA does not protect against all phishing attacks. There are several popular phishing-as-a-service (PhaaS) platforms that can steal credentials and bypass MFA including LabHost, Greatness, and Robin Banks. For a relatively small fee, any cybercriminal looking to compromise accounts can use the PhaaS platform and gain access to MFA-protected accounts.

A relatively new PhaaS platform has been growing in popularity since its discovery in October 2023 which has been causing concern in the cybersecurity community. Dubbed Tycoon 2FA, the PhaaS platform is being offered through private Telegram groups. Like many other PhaaS platforms, Tycoon 2FA uses adversary-in-the-middle (AiTM) tactics to steal MFA tokens, allowing access to be gained to accounts. The phishing kit uses at least 1,100 domains and has been used in thousands of phishing attacks.

Like most phishing attacks, initial contact is made with end users via email. The messages include a malicious link or a QR code. QR codes are popular with phishers as they communicate a URL to the end user and are difficult for email security solutions to identify as malicious. To ensure that the malicious URLs are not detected by security solutions, after clicking the link or visiting the website via the QR code, the user must pass a security challenge (Cloudflare Turnstile). The web page to which the user is directed targets Microsoft 365 or Gmail credentials. The user’s email address is captured and used to prefill the login page, and when the user enters their password it is captured and they are directed to a fake MFA page.

The phishing kit uses a reverse proxy server that relays the user’s credentials to the legitimate service being targeted in real-time and similarly captures the session cookie when the MFA challenge is passed. The user is unlikely to recognize that their account has been compromised as they are redirected to a legitimate-looking page when the MFA mechanism is passed. According to the researchers, many different threat actors have been using the kit for their phishing campaigns, with the Tycoon 2FA operators having received almost $395,000 in payments to their Bitcoin wallet as of March 2024. The price of the phishing kit is $120 for 10 days of usage which shows how popular the platform is with cybercriminals.

PhaaS platforms allow cybercriminals to conduct sophisticated attacks and bypass MFA without having to invest time and money setting up their own infrastructure they significantly lower the entry barrier for conducting MFA-bypassing phishing attacks. An advanced spam filtering service such as SpamTitan Plus will help to prevent malicious emails from reaching inboxes, and is an ideal spam filter for MSPs looking to provide the best level of protection for their clients. The SpamTitan suite of email security solutions combines phishing, spam, and antivirus filtering and independent tests show a spam block rate of 99.983% and a malware block rate of 99.51%.

PhishTitan from TitanHQ greatly improves protection against more advanced phishing campaigns such as those that use QR codes. Employees should be provided with regular security awareness training to help them identify and avoid phishing messages, and businesses should consider using phishing-resistant MFA rather than more basic forms of 2-factor authentication that use SMS or one-time passwords, which phishing kits such as Tycoon 2FA can easily bypass.

U.S. Government Entities Impersonated in Business Email Compromise Attacks

Business Email Compromise (BEC) attacks may not be as frequently encountered as phishing attacks but the losses to this type of attack are far greater. According to figures from the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3), $2.9 billion was lost last year to BEC attacks – The second most expensive type of cybercrime.

BEC attacks usually involve impersonation, with the attacker posing as a trusted individual. Contact is established and the scammer tricks the victim into divulging sensitive company information or transferring a large sum of money. For instance, the scammer may pose as a contractor and request that bank details are changed for an upcoming payment. The scam is not usually detected until after the transfer has been made and the funds have been withdrawn from the attacker-controlled account.

BEC attacks can be difficult for email security solutions to identify, as the emails are often sent from a known and trusted email account that has been compromised in a phishing attack. BEC scammers research their targets and may have access to past conversations between the victim and the person they are impersonating and can therefore disclose information from past conversations in email exchanges to convince the target that they are who they claim they are. The scams may also be spread across multiple emails, with trust building during the exchanges.

One of the latest BEC campaigns to be identified involves the impersonation of U.S. government entities, such as the U.S. Department of Transportation, Department of Agriculture, and Small Business Association. Initial contact is made via email and a PDF attachment is sent that includes a QR code, which has links about fake bidding processes. The targeted individual is told to use the QR code to find out more information about the bidding process.

The PDF file explains that the QR code is included as complaints have been received that the bid button in the email does not work with some browsers and that the QR code will direct them to a document that should be downloaded as it is required to submit a bid. The emails and the PDF are crafted to appear to have been sent by the spoofed organization, and the website to which the user is directed resembles the official portal used by the spoofed government agency.

If the QR code is scanned, the user will be directed to a phishing site where they will be required to enter their Office 365 credentials, which will provide the attacker with access to their email account. Once access has been gained, the scammers can proceed to the next phase of the attack. They search the email account for messages related to banking or finance and use that information for their BEC attack and send messages to contacts that include fraudulent invoices or payment requests. The emails are sent from a trusted account, so the emails will likely be delivered and there is a good chance that the attack will be successful.

Security awareness training can help to raise awareness of the threat of these attacks with individuals involved in financial transactions in a company, and policies should be in place that require any requested change to banking information to be verified by phone using a previously verified phone number. It is also important to have an email security solution in place to block or flag potential BEC messages.

TitanHQ’s PhishTitan is an ideal choice. PhishTitan can identify and flag sophisticated phishing and BEC emails and can also read and follow the URLs encoded in QR codes. When a suspicious email is detected a banner is added to warn the user, and the emails can be auto-remediated and sent to the junk folder. PhishTitan improves Microsoft’s Office 365 spam filter. Independent tests by Virus Bulletin show the engine that powers T

itanHQ’s SpamTitan spam filter for Office 365 and the PhishTitan 0365 anti-phishing solution has a phishing catch rate of 99.914% with zero false positives. For every 80,000 emails received, PhishTitan identifies and blocks 20 unique, sophisticated phishing attempts that Microsoft’s top anti-phishing solution misses. The solution is also just a fraction of the cost of the average loss to a single BEC attack.

For more information about PhishTitan and how it can protect your business from advanced phishing and BEC attacks, give the TitanHQ team a call.

Facebook Messages Used to Distribute Snake Infostealer Malware

Malware is often distributed via email or websites linked in emails, and advanced email security solutions such as SpamTitan Plus can protect you by preventing the messages from reaching inboxes. SpamTitan Plus uses dual antivirus engines to detect known malware and sandboxing to identify and block zero-day malware threats. SpamTitan Plus also rewrites URLs, uses predictive analysis to identify suspicious URLs, and blocks those URLs to prevent users from reaching the websites where malware is hosted. To get around email security solutions, cybercriminals use other methods for making initial contact with end users, and instant messaging services are a popular alternative.

Researchers at Cybereason recently identified a malware distribution campaign that distributes a Python-based information stealer via Facebook messages. The infostealer has been dubbed Snake and has been developed to steal credentials and other sensitive information. The campaign was first detected in the summer of 2023 and targets businesses. The messages use lures such as complaints and offers of products from suppliers to trick users into visiting a link and downloading a file. As is common with malware distribution campaigns, the threat actor uses legitimate public repositories for hosting the malicious file, such as GitHub and GitLab. The file to which the user is directed is a compressed file and, if extracted, will lead to the execution of a first-stage downloader. The first-stage downloader fetches a second compressed file,  extracts the contents, and executes a second downloader, which delivers the Python infostealer.

Three different variants of the infostealer have been identified, all of which gain persistence via the StartUp folder. Each variant targets web browsers, including Brave, Chromium, Chrome, Edge, Firefox, Opera, and the Vietnamese CoC CoC browser, with the latter and other evidence suggesting that the campaign is being conducted by a Vietnamese threat actor. All three variants also target Facebook cookies. The gathered data and cookies are exfiltrated in a .zip file via the Telegram Bot API or Discord.

One way of blocking these attacks is to use a web filter to block access to instant messaging services that are not required for business purposes, including Facebook Messenger. With WebTitan it is possible to block Messenger without blocking the Facebook site, and controls can be implemented for different users to allow users with responsibility for updating the organization’s social media sites to access the platforms while preventing access for other users. It is also a good practice to use WebTitan to block downloads of executable files from the Internet to prevent malware delivery and stop employees from downloading and installing unauthorized software.

Dropbox Abused in Novel Phishing Attack to Obtain M365 Credentials

The file hosting service Dropbox is being abused in a novel phishing campaign that exploits trust in the platform to harvest Microsoft 365 credentials. The campaign targeted 16 employees of an organization who received an email from the no-reply[@] account, a legitimate email account that is used by Dropbox. The emails included a link that directed the recipients to a Dropbox-hosted PDF file, which was named to appear as if it had been created by one of the organization’s partners. If the PDF file was opened, the user would see a link that directs them to an unrelated domain – mmv-security[.]top. One of the employees was then sent a follow-up email reminding them to open the PDF file that was sent in the first email. They did, and they were directed to a phishing page that spoofed the Microsoft 365 login page. A couple of days later, suspicious logins were detected in the user’s Microsoft 365 account from unknown IP addresses, which were investigated and found to be associated with ExpressVPN, indicating the attacker was using the VPN to access the account and mask their IP address.

Multifactor authentication was correctly configured on the account but this appears to have been bypassed, with the logins appearing to use a valid MFA token. After capturing credentials, the employee is thought to have unknowingly approved the MFA authentication request which allowed the account to be compromised. The attacker gained access to the user’s email account and set up a new rule that moved emails from the organization’s accounts team to the Conversation History folder to hide the malicious use of the mailbox. Emails were also sent from the account to the accounts team in an apparent attempt to compromise their accounts.

Phishing attacks are becoming increasingly sophisticated and much more difficult for end users to identify. Security awareness training programs often teach users about the red flags in emails they should look out for, such as unsolicited emails from unknown senders, links to unusual domains, and to be wary of any requests that have urgency and carry a threat should no action be taken. Impersonation is common in phishing attacks, but in this case, the impersonation went further with the emails sent from a valid and trusted account. That means that the email is more likely to be trusted and unlikely to be blocked by email security solutions, especially as the emails include a link to a file hosted on a trusted platform. This was also a staged attack, with follow-up emails sent, which in this case proved effective even though the second email was delivered to the junk email folder. The login page to which the user was directed looked exactly the same as the genuine login prompt for Microsoft 365, aside from the domain on which it was hosted.

Many businesses have configured multifactor authentication on their Microsoft 365 accounts, but as this attack demonstrates, MFA can be bypassed. The sophisticated nature of phishing attacks such as this demonstrates how important it is for businesses to have advanced defenses against phishing. TitanHQ’s anti-phishing solutions use AI and a large language model (LLM) with proprietary threat intelligence currently not found in any other anti-phishing and anti-spam software solutions on the market. All emails are scanned – internal and external – for phrases and keywords that are unusual and could indicate malicious intent. All URLs are checked against various threat intelligence feeds to identify malicious URLs, and URLs are rewritten to show their true destination. The solution also learns from feedback provided by users and detection improves further over time. The curated and unique email threat intelligence data is unmatched in visibility, coverage, and accuracy, and TitanHQ’s anti-spam and email security solutions feature sandboxing, where attachments are subjected to deep analysis in addition to signature-based anti-virus scanning. When a malicious email is detected, all other instances are removed from the entire M365 tenant.

If you want to improve your defenses against sophisticated phishing attacks give the TitanHQ team a call. If you are a Managed Service Provider looking for an easy-to-use solution to protect your clients from phishing and malware, look no further than TitanHQ. All solutions have been developed from the ground up to meet the needs of MSPs to better protect their customers from spam, phishing, malware, and BEC attacks.

CryptoChameleon Phishing Kit Targets FCC Employees and Cryptocurrency Platform Users

A new phishing kit has been identified that is being used to target employees of the U.S. Federal Communications Commission (FCC) and the cryptocurrency platforms Binance and Coinbase, as well as users of cryptocurrency platforms such as Binance, Coinbase, Caleb & Brown, Gemini, Kraken, ShakePay, and Trezor.

A phishing kit is a set of tools and templates that allows threat actors to conduct effective phishing campaigns. These kits are marketed on the dark web to hackers and allow them to conduct phishing campaigns without having to invest time and money into setting up their own infrastructure. Phishing kits range from simple kits that provide phishing templates and cloned login pages, to more advanced kits that are capable of adversary-in-the-middle attacks that can defeat multifactor authentication. These kits significantly lower the entry barrier for conducting phishing campaigns as they require little technical expertise. Pay a relatively small fee and sophisticated phishing campaigns can be conducted in a matter of minutes.

The new phishing kit is called CryptoChameleon and allows users to create carbon copies of the single sign-on (SSO) pages that are used by the targeted businesses. Employees are used to authenticating through a single solution, through which they authenticate with many business applications. The kit also includes templates for phishing pages to harvest the credentials of cryptocurrency platform users and employees, including pages that impersonate Okta, iCloud, Gmail, Outlook, Yahoo, AOL, and Twitter.

The phishing operation was discovered by researchers at Lookout and more than 100 high-value victims of this campaign have been identified to date. Threat actors using the kit have been contacting users via SMS, email, and phone calls to trick them into visiting a malicious site where their credentials are harvested. Users are redirected to a phishing site but before the content is displayed, they are required to pass an hCAPTCHA check. This helps with the credibility of the campaign, but most importantly it prevents automated analysis tools and security solutions from identifying the phishing site.

In the campaign targeting FCC employees, after passing the hCAPTCHA check, the user is presented with a login page that is a carbon copy of the FCC Okta page. The domain on which the page is hosted – fcc-okta[.com] – differs only slightly (1 character) from the legitimate FCC Okta login page. Login credentials alone are not normally enough to gain access to accounts as many are now protected by MFA. The captured login credentials are used to log in to the real account in real time, and the victim is then directed to the appropriate page where additional information is collected to pass the MFA checks. This could be a page that requests their SMS-based token or the MFA token from their authenticator app. Once the MFA check has been passed and the account has been accessed by the threat actor, the victim can be redirected anywhere. For instance, they could be shown a message that the login has been unsuccessful and they must try again later.

To target cryptocurrency platform users, messages are sent about security alerts such as warnings that their account has been accessed. These messages are likely to attract a rapid response due to the risk of substantial financial losses. In the campaign targeting Coinbase, the user is told they can secure their account and if they log in they can terminate suspicious devices. A similar process is used to obtain the credentials and MFA codes needed to access the account as the FCC campaign.

This is just one of many phishing kits offered on the dark web. Protecting against these phishing kits requires a combination of measures including an advanced spam filter, web filter, and security awareness training. For further information on cybersecurity solutions capable of combatting advanced phishing attempts, give the TitanHQ team a call.

Phishing-as-a-Service Poses a Serious Threat to Businesses

Cybercriminals are increasingly offering services that make it easy for anyone to conduct an attack. Skilled malware developers can concentrate on writing their malware and making it available for others to use for a fee, ransomware-as-a-service allows hackers who are skilled at breaching networks to conduct lucrative ransomware attacks without having to develop encryptors and pay for the infrastructure to their support attacks, and phishing-as-a-service provides a platform for conducting attacks to steal credentials and access accounts. These services benefit all parties and allow even more attacks to be conducted.

Phishing campaigns may appear simple, but they require a lot of time and skill to set up. Stephanie Carruthers, who leads an IBM X-Force phishing research project, said it takes her team about 16 hours to craft a phishing email, not including the time it takes to set up all the necessary infrastructure to send the email and steal credentials. Setting up the infrastructure is time-consuming and costly, and many businesses now have multi-factor authentication (MFA) to thwart attacks.

With phishing-as-a-service (PhaaS), anyone who wants to run a phishing campaign can simply pay a subscription and will be provided with all the tools they need to conduct attacks. They do not need to craft the phishing emails, they just need to set a few parameters and provide the email addresses for the campaign. PhaaS makes conducting sophisticated attacks simple and significantly lowers the bar for conducting campaigns.

Take LabHost, for example, a PhaaS platform that recently introduced functionality for targeting financial institutions and banks in North America and Canada. Since this new functionality was included in the first half of 2023, attacks have increased considerably. A monthly subscription is paid, and customers are provided with a turnkey phishing kit, which includes the infrastructure for hosting phishing pages, a content generator for creating phishing emails, and a portal for monitoring the progress of campaigns. Customers can choose to pay $179 per month to target Canadian banks, $249 per month to expand the targets to North America, and $300 a month to also target 70 financial institutions worldwide. Customers are also provided with phishing pages for collecting credentials or a variety of other companies, including music streaming sites, delivery services, and telecommunications companies.

Important to the success of any campaign is the ability to defeat multi-factor authentication. The LabHost phishing kit incorporates LabRat, a phishing tool that allows real-time management of phishing campaigns and allows adversary-in-the-middle attacks where two-factor authentication codes and cookies are obtained in addition to usernames and passwords. That means the additional security processes on the online portals of banks can be circumvented. The platform also allows SMS-based attacks to be conducted.

PhaaS allows unskilled hackers to conduct effective campaigns that they otherwise would not be able to conduct. Further, with the use of AI to craft convincing phishing emails, phishing emails are becoming much harder for humans and security solutions to detect, and even MFA and other security measures can be bypassed.

Defending against attacks is therefore challenging, and there is no single cybersecurity solution that will block all attacks. What is needed is a defense-in-depth approach, with multiple, overlapping layers of protection. Cybersecurity solutions are required to block the phishing emails. SpamTitan is an advanced email security solution with AI and machine learning capabilities for identifying novel phishing threats. SpamTitan blocks known malware through AV controls and unknown malware through sandboxing. The message sandboxing feature uses pattern filtering to identify malware from its behavior, which allows zero-day malware threats to be identified and blocked. Malware sandboxing is vital for email security since so many novel malware threats are now being released. SpamTitan is also capable of identifying even machine-crafted phishing content.

End user training is also vital, as no email security solution will block all email threats without also blocking an unacceptable number of genuine emails. End users should be trained on how to identify, avoid, and report phishing emails. The SafeTitan security awareness training platform makes security awareness training simple, and the constantly updated content allows businesses to respond to changing phishing tactics and conduct phishing simulations on the workforce to reinforce training and identify knowledge gaps.

Given the number of phishing kits that are capable of bypassing multi-factor authentication, simply enabling MFA on accounts is no longer sufficient to protect against unauthorized access. Phishing-resistant multi-factor authentication is required – FIDO/ WebAuthn authentication or Public key infrastructure (PKI)-based MFA – to block adversary-in-the-middle attacks that can be conducted through PhaaS.

If you want to improve your defenses against phishing and other cybercriminal services, give the TitanHQ team a call to discuss your options.

Massive Spamming Campaign Uses Thousands of Hijacked Subdomains

A massive email spamming campaign has been detected that is generating up to 5 million emails per day that direct recipients of the emails to a variety of scam sites. The emails are sent through hijacked subdomains and domains of trusted companies, which help these emails evade email security solutions and be delivered to inboxes. Companies that have had domains and subdomains hijacked include eBay, CBS, McAfee, MSN, and Symantec.

Email security solutions perform a range of checks on inbound emails, including reputation checks on the senders of emails. If a domain is trusted and has not previously been associated with spamming, these checks – using SPK, DKIM, and DMARC – are likely to be passed, resulting in the emails being delivered to end users. The use of these legitimate domains also makes it harder for end users to determine whether the messages are genuine. Security awareness training programs often teach end users to check the sender of the email and make sure that it matches the company being spoofed. If the domain is eBay, and the email uses eBay branding, end users are likely to think that the communication is genuine. These emails include links to websites that generate fraudulent ad revenue, and often several redirects occur before the user lands on the destination scam or phishing site.

The ‘SubdoMailing’ campaign was identified by researchers at Guardio Labs, with the legitimate domains typically hijacked through SPF record exploitation or CNAME hijacking. The former involves searching for domains that use the ‘include’ configuration option that points to external domains that are no longer registered. Those domains are then registered by the threat actor and the SPF records are changed to authorize the use of their own email servers. When those servers are used to send emails, they appear to have been sent by the targeted brand, such as eBay.

With CNAME hijacking, scans are conducted to identify subdomains of reputable brands with CNAME records that point to external domains that are no longer registered. The threat actor then registers those domains, SPF records are injected, and emails can be sent from their email servers to show that they have been sent by a legitimate company. By hijacking huge numbers of domains and subdomains, the threat actor is able to conduct massive spamming campaigns. The researchers identified more than 13,000 subdomains and more than 8,000 domains that were used in the campaign, with more than 1000 residential lines used and almost 22,000 unique IPs. The researchers developed a tool to allow domain owners to check whether their own domains have been hijacked and take action to stop that abuse. An advanced spam filter is required to block the messages that are set from these hijacked domains and subdomains – one that does not rely on SPF, DKIM, and DMARC for identifying spam emails.

Travel Companies Impersonated in Malware Distribution Campaign

Cybercriminals are constantly devising new email campaigns for distributing malware. These campaigns usually impersonate a trusted entity and advise the email recipient about a pressing issue that requires immediate attention. The emails often have an attached file that must be opened to find out further information about the issue detailed in the email.

One recently detected campaign impersonates travel service providers such as and advises the recipient about a problem with a recent booking. One of the intercepted emails explains that an error has occurred with a booking that has resulted in a double charge to the user’s credit card which requires immediate attention. The email has a PDF attachment which needs to be opened for further information. PDF files are increasingly being used in email campaigns for distributing malware. The PDF files often contain a script that generates an error message when the file is opened that tells the user that the content of the file cannot be displayed, and they are provided with an option to download the file.

In this campaign, the PDF file contains a script that generates a fake popup message. If clicked, a connection is made to a malicious URL and a download of an obfuscated JavaScript file is initiated. The script downloads the next stage PowerShell payload, and on execution, drops a malicious DLL file on the device. The DLL file searches for certain critical system processes and attempts to forcibly stop them, makes changes to the registry that affect the Windows Antimalware Scan Interface (AMSI) and ensures that the malware is executed without being detected by security solutions. An analysis of the DLL file by researchers at Forcepoint shows the file is from the Agent Tesla malware family. Agent Tesla is a remote access trojan (RAT) that first appeared in 2014 and grew in popularity during the COVID-19 pandemic. Agent Tesla is provided under the malware-as-a-service model and is popular with initial access brokers, who specialize in gaining access to devices and accounts and then sell that access to other cybercriminals such as ransomware gangs.

Agent Tesla allows commands to be run on compromised systems and is capable of stealing sensitive information, such as login credentials stored in browsers. The malware can also take screenshots, log keystrokes, and perform other malicious actions. The malware uses multiple layers of obfuscation to ensure it is not detected by antivirus solutions. The malware is commonly used to gain initial access to business networks, primarily through phishing campaigns. In this campaign, by impersonating a popular travel service company there is a reasonable chance that the user may have used the service in the past or have a current booking and will therefore open the email. However, since the emails reference a charge to a credit card, that may be sufficient to get the user to open the attachment.

To protect against this and other malware distribution campaigns, businesses should ensure that they protect all endpoints with email security and antivirus solutions that are capable of behavioral analysis of files, as Agent Tesla and many other popular malware variants use obfuscation to bypass signature-based security solutions. Web filtering solutions provide added protection as they block connections to the malicious URLs that host malware and they can be configured to block downloads of executable files from the Internet. It is also important to provide security awareness training to the workforce to raise awareness of cyber threats and conduct phishing simulations to test the effectiveness of training.

TitanHQ offers a range of cybersecurity solutions for businesses and managed service providers to help them defend against cyber threats delivered via email and the Internet, including spam filtering with email sandboxing, web filtering, and security awareness training. Give the team a call today to find out more about improving your defenses against phishing and malware. All TitanHQ solutions are available on a free trial to allow you to test the products and see for yourself the difference they make.

Massive Phishing Campaign Leverages Google Cloud Run to Deliver Banking Trojans

A massive malware distribution campaign has been detected that uses phishing emails for initial contact with businesses and Google Cloud Run for hosting the malware. A variety of banking trojans are being distributed including Astaroth, Mekotio, and Ousaban. The campaign primarily targets countries in Latin America, and as such the majority of the phishing emails are in Spanish, but Italian versions have also been detected and there are indications that the campaign is spreading to other regions including Europe and North America.

The phishing emails used in this campaign appear to be legitimate invoices, statements, and communications from government and tax agencies and include a link that the recipient must click to view the attached invoice, statement, or demand. The link directs the user to services on Google Cloud Run, which is a popular service for hosting frontend and backend services and deploying websites and applications without having to manage infrastructure. Google Cloud Run has been used for hosting malware throughout 2023 but there was a massive spike in activity that started in September 2023 and has continued through January and February.

Over the past few months, Google’s service has been proving popular with cybercriminals for hosting malware as it is both cost-effective and is generally not blocked by security solutions. If a user clicks the email link, an MSI file is downloaded onto their device. MSI files are executable files, which in this case include embedded JavaScript that downloads additional files and delivers one or more banking trojans.

The banking trojans achieve persistence through LNK files in the startup folder that execute a PowerShell command on boot that runs the infection script. The banking trojans are capable of keylogging, clipboard monitoring, screenshots, credential theft, and traffic manipulation to direct users to cloned websites of financial institutions to capture banking credentials. The Astaroth banking trojan alone targets more than 300 financial institutions as well as cryptocurrency exchanges.

To protect against this and other malware distribution campaigns, businesses need to adopt a defense-in-depth approach and should implement multiple layers of protection. The first line of defense is a spam filter or email security solution to block the initial phishing emails. SpamTitan Plus is a leading-edge anti-spam service that provides maximum protection against malicious emails. The solution has better coverage, faster phishing link detections, and the lowest false positive rate of any product, which makes it the best spam filter for businesses and an ideal MSP spam filtering solution In addition to including all leading phishing feeds to ensure the fastest possible detection of new phishing threats, SpamTitan Plus uses predictive analysis to identify suspicious URLs that have not yet been detected as malicious.

A web filter, such as WebTitan, can be used to control access to the Internet. For example, blocks can be placed on websites and certain categories of websites down to the user level, the solution prevents access to all known malicious URLs, and can be configured to block file downloads from the Internet, such as MSI files and other executable files that are often used for malware delivery.

Cybercriminals often host malware on legitimate hosting platforms which are usually trusted by security solutions, which means malicious emails may be delivered to end users. It is therefore important to provide security awareness training for the workforce. Security awareness training raises awareness of the threats that employees are likely to encounter and teaches them security best practices to help them identify, avoid, and report cyber threats. Combined with phishing simulations, it is possible to greatly reduce susceptibility to phishing and malspam emails. Data from companies that use the SafeTitan security awareness training platform and phishing simulator shows susceptibility to phishing threats can be reduced by up to 80%.

If you are looking to improve your defenses against phishing and malware, give the TitanHQ team a call to find out more about these products and to help get you set up for a free trial to put these solutions to the test in your own environment.

Spear Phishing is the Most Common Method of Initial Access in the EU

A recent report from the Computer Emergency Response Team (CERT-EU) has provided insights into how EU organizations are being targeted by nation-state-sponsored actors and cybercriminal groups. The majority of nation-state activity has been linked to hacking groups in the Russian Federation and the People’s Republic of China, and while it is not always possible to determine the motives behind cyberattacks and intrusions, the majority of nation-state hacking activity is believed to be conducted to achieve cyberespionage objectives. The aim of these campaigns is to gain access to accounts/emails or servers where sensitive data is stored. Around 73% of all attacks within the EU are believed to be conducted for espionage purposes, with 16% of attacks conducted by hacktivists. Some of the hacktivism incidents are thought to be a front for nation-state activity.

In contrast to the United States, cybercriminal activity accounts for a low percentage of all malicious activity, with only 7% of intrusions attributed to cybercrime. CERT-EU reports that only a very limited number of cybercrime actors are conducting attacks within the EU, and the majority of that activity comes from ransomware groups. These groups gain access to internal networks, steal sensitive data, and encrypt files then demand payment to prevent the publication of the stolen data and for the keys to decrypt data.

In 2023, CERT-EU identified 55 ransomware operations that were active within the EU, and 906 victims were identified from data leak sites and open sources. It should be noted that not all ransomware attacks are reported and many companies quietly pay the ransom, so the true total could be substantially higher. Many of these attacks appeared to be opportunistic in nature rather than targeted. While there are many different ransomware groups, the most active in the EU were LockBit, Play, and BlackBasta, although in Q4, 2023 there was a large increase in attacks by the 8Base group, with NoEscape also highly active in the second half of the year. Ransomware groups attacked a wide range of sectors, with manufacturing the worst affected with 24% of attacks, followed by legal/professional services (14%), and construction/engineering (12%).

A variety of methods were used to gain access to targeted networks. 104 software products were targeted with these attacks often exploiting vulnerabilities in internet-facing products, involving trojanized software, fake software, and abuse of public repositories used for programming languages. Some of the most significant attacks of the year involved networking products, such Fortinet, Cisco, and Citrix products, as well as password managers such as 1Password or LastPass, content management and collaboration tools such as WordPress and Altassian Confluence, and cloud services. While many attacks used these methods for initial access, by far the most common method was spear phishing for both cybercriminal and nation-state threat actors.

Spear phishing attacks include malicious links to websites where credentials are harvested or malicious attachments. There was a significant increase in spear phishing attacks that used lures related to EU affairs, with it common to include decoy PDF files that were originally internal or publicly available documents related to EU policies, for example, documents relating to the Swedish Presidency of the Council of the European Union,  EU – Community of Latin American and Caribbean States (CELAC) Summit, and the Working Party of Foreign Relations Counsellors (RELEX). These campaigns were directed at individuals and organizations involved in EU policies, and the emails often impersonated staff members of union entities or the public administration of EU countries to add credibility. Public administration entities were the most targeted, followed by entities in diplomacy, defense, transport, finance, health, energy, and technologies. While spear phishing is usually performed via email, CERT-EU notes some diversification of communications, with attacks also conducted via social media networks, instant messaging services, and SMS messages.

Entities in the EU should implement layered defenses against the most common initial access vectors. An advanced email security solution should be implemented that is capable of signature and behavioral analysis of emailed files, with extensive threat intelligence feeds, and AI/machine learning capabilities. SpamTitan anti-spam software has all of these features and more and will protect your business from all types of email-based attacks. SpamTitan is offered as a cloud-based anti-spam service or can be provided as an anti-spam gateway for on-premises environments. A web filter such as WebTitan will protect against the internet-based component of cyberattacks by blocking access to malicious sites, and security awareness training and phishing simulations should be conducted on the workforce using a solution such as SafeTitan. To protect against unauthorized account access, multi-factor authentication should be implemented and software should be kept up to date with the latest updates and patches applied promptly.

Malware Increasingly Distributed via Emailed PDF Files

There has been a marked increase in email campaigns using malicious PDF files to distribute malware, rather than the typical uses of PDF files for obtaining sensitive information such as login credentials.

Increased security measures implemented by Microsoft have made it harder for cybercriminals to use macros in Office documents in their email campaigns, with PDF files a good alternative. Malicious links can be embedded in PDF files that drive victims to web pages where credentials are harvested. By using PDF files to house the links, they are less likely to be blocked by email security solutions.

Over the past few months, PDF files have been increasingly used to distribute malware. One of the currently active campaigns uses malicious emailed PDF files to infect users with DarkGate malware. DarkGate malware is offered under the malware-as-a-service model and provides cybercriminals with backdoor access to infected devices. In this campaign, emails are sent to targets that contain a PDF attachment that displays a fake image from Microsoft OneDrive that suggests there was a problem connecting which has prevented the content from being displayed. The user is given the option to download the PDF file; however, the downloaded files will install DarkGate malware.

In this campaign, clicking the link does not directly lead to the malware download, instead, the click routes through an ad network, so the final destination cannot be identified by checking the link of the download button. Further, since the ad network uses CAPTCHAs, the threat actors can make sure that the destination URL is not revealed to email security solutions. If the CAPTCHA is passed, the user will be redirected to the malicious URL where they can download the file.  This is often a compressed file that contains a text file and a URL file, with the latter downloading and running JavaScript code which executes a PowerShell command that downloads and executes the malicious payload.

PDF files have been used in many other malware campaigns, including those that distribute the Ursnif banking Trojan and WikiLoader malware. Recent campaigns distributing these malware variants have used parcel delivery lures with PDF file attachments that contain a link that prompts the user to download a fake invoice. Instead of the invoice, a zip file is downloaded that contains a JavaScript file. If executed, the JavaScript file downloads an archive, extracts the contents, and executes the malware payload. Another campaign uses PDF files to install the Agent Tesla remote access trojan using lures.

Not only do PDF files have a greater chance of evading email security solutions, they are also more trusted by end users than Office file attachments. Security awareness campaigns are often focused on training employees about the risks of phishing, such as clicking links in unsolicited emails and the risks of opening unsolicited office files. Malicious email campaigns using PDF files arouse less suspicion and end users are more likely to be tricked by these campaigns.

It is important for businesses to incorporate PDF files into their security awareness training and phishing simulation campaigns to better prepare employees for this growing threat. With SafeTitan, adding new content in response to the changing tactics, techniques, and procedures of threat actors is a quick and easy process. Get in touch with the TitanHQ team today to find out more about the SafeTitan security awareness training and phishing simulation platform and discover the difference the solution can make to your organization’s security posture.

Bumblebee Malware Returns With a Large-Scale Phishing Campaign

A large-scale phishing campaign has been identified that has already targeted many thousands of organizations in the United States and could be expanded geographically. The purpose of the campaign is to distribute Bumblebee malware, a malware loader that was first identified in 2022 and is thought to be a replacement for the widely used BazarLoader malware loader. Bumblebee malware is used for gaining initial access to networks and has been used in many successful cyberattacks. The malware is rented out to cybercriminals or access to compromised networks is sold to cybercriminal groups such as ransomware gangs. The malware has been linked to several high-profile threat actors and notorious ransomware gangs, including the now-defunct Conti ransomware group.

Over the past four months, Bumblebee malware has not been detected but it has now returned with a massive campaign. A variety of lures are used in phishing emails, which incorporate social engineering techniques to trick the recipients into downloading and executing the malware. For instance, the latest campaign included thousands of emails using the subject Voicemail February, with messages indicating the user had missed a voice call. The emails instructed the recipient to download the recording, the opening of which triggered the infection process. Other emails used in the campaign have used Word documents with malicious macros with the emails spoofing trusted companies, such as the electronics firm Humane. Rather than include the document attached to the email, a OneDrive link was provided in the email from which the document could be downloaded. This was an effort to prevent detection by email security solutions, as OneDrive is a legitimate and trusted service. Previous campaigns have used DocuSign branded emails that trick users into downloading a zipped ISO file from OneDrive.The group is known to hijack email threads to make it appear that the emails are responses to previous conversations with contacts.

Multiple threat actors are believed to rent out the malware, including the initial access brokers who work with ransomware gangs. Bumblebee malware infections are often accompanied by other payloads, including Cobalt Strike, Meterpreter, Sliver, and shellcode, and often lead to ransomware attacks. To combat Bumblebee malware infections, businesses should implement robust defenses against phishing. An advanced email security solution is required with AI and machine learning capabilities that can detect novel phishing attempts. SpamTitan Plus uses a machine learning algorithm that can identify emails that deviate from those typically received by a business, links are rewritten and followed and the destination URL is assessed. All emails are subjected to antivirus scans and suspicious attachments are sent to a Bitdefender-powered sandbox for behavioral analysis.

Security awareness training should be provided to the workforce to improve resilience to phishing attempts by teaching security best practices and how to identify phishing attempts. SafeTitan is a comprehensive security awareness training platform and phishing simulator that is updated with new content regularly in response to changing phishing tactics, including those used in Bumblebee campaigns. It is also recommended to implement multi-factor authentication on accounts, perform daily backups and store them offline, implement next-generation antivirus technology on endpoints, and implement network hierarchy protocols and network segmentation to prevent lateral movement.

Business Microsoft 365 Accounts Attacks Using Greatness Phishing Kit

Phishing has long been the most common way that cybercriminals gain initial access to business networks. A successful attack allows a threat actor to steal credentials and gain a foothold in the network, providing access to sensitive data and giving them the access they need to conduct a range of nefarious actions. Phishers must develop campaigns that are capable of bypassing email security solutions and use lures that are likely to fool end users into disclosing their credentials or opening malicious email attachments. In recent years, the entry barrier for conducting phishing campaigns has been significantly lowered through phishing-as-a-service (PhaaS), which has proven popular with would-be cybercriminals.

Phishing kits are offered that provide everything needed to launch successful phishing campaigns, without having to spend hours setting up the infrastructure, creating convincing emails, and incorporating anti-detection measures to ensure emails land in inboxes. A relatively new phishing kit is proving to be particularly popular. The Greatness phishing kit has been available since mid-2022 and lowers the bar for starting phishing campaigns, requiring a payment of just $120 a month to use the kit. The Greatness phishing kit allows emails to be customized to suit the hacker’s needs and add attachments, links, or QR codes to the emails. The kit makes it easy to generate and send emails and create obfuscated messages that can bypass many cybersecurity solutions and land in inboxes. The kit also supports multi-factor authentication (MFA) bypass by performing a man-in-the-middle attack to steal authentication codes and can be integrated with Telegram bots.

The kit has an attachment and link builder that creates convincing login pages for harvesting Microsoft 365 credentials and even pre-fills the victim’s email address into the login box, only requiring them to enter their password. The kit also adds the targeted company’s logo to the phishing page along with a background image that is extracted from the targeted organization’s M365 login page. As such, the Greatness phishing kit is aimed at individuals looking to target businesses and can be easily purchased through the developer’s Telegram channel. There were several spikes in Greatness phishing kit activity in 2023, with the latest detected in December 2023 and the increased activity has continued into 2024. Phishing kits such as Greatness significantly lower the barrier for entry to cybercrime and make it as easy as possible to start phishing, and the low cost of the kit has made it an attractive option for would-be cybercriminals. This phishing kit is used to target Microsoft 365 users, and the emails can be convincing and are likely to fool many end users.

The key to defending against phishing attacks is to implement layered defenses to ensure that a failure of one defensive measure does not leave the business unprotected. TitanHQ has developed a suite of cybersecurity solutions for businesses and the MSPs that serve them to improve their defenses against phishing, including AI-generated phishing emails and sophisticated phishing kits capable of stealing passwords and MFA codes.

TitanHQ’s PhishTitan provides advanced phishing protection and remediation for Microsoft 365. TitanHQ’s proprietary machine-learning algorithm integrates directly with Microsoft 365 and catches and remediates sophisticated phishing including AI-generated phishing emails, business email compromise, spear phishing, and phishing attacks that bypass MFA. The solution augments rather than replaces EOP and Defender and catches the phishing attempts that those defensive measures often miss.

PhishTitan uses AI and a large language model (LLM) with proprietary threat intelligence currently not found in any other anti-phishing solution on the market, and will scan attachments for malicious links and malware, rewrite URLs, apply banner notifications, and block malicious links. PhishTitna also provides time-of-click protection to combat the weaponization of links after delivery. The solution uses machine learning algorithms to scan the message body to assess email content and identify words, phrasing, and formatting of emails indicating a phishing attempt, and will learn over time and become even more effective.

PhishTitan is suitable for businesses of all types and sizes and has been developed from the ground up to meet the needs of MSPs. The solution can be set up in less than 10 minutes, and MSPs can add new clients in less than 6 minutes and start protecting them from highly sophisticated phishing attacks. For maximum protection, TitanHQ also offers WebTitan DNS filter to protect against web-based attacks, ArcTitan email archiving for security and compliance, EncryptTitan for email encryption, SafeTitan for security awareness training and phishing simulations, and the SpamTitan Suite of email security solutions. All products are available on a no-obligation, 100% free trial and product demonstrations are available on request. For more information on PhishTitan and other TitanHQ solutions, give the TitanHQ team a call today.

Microsoft Teams Used to Push DarkGate Malware

Phishing is most commonly associated with email; however, there are a variety of ways that cybercriminals can make contact with end users and other forms of phishing are becoming much more common. Smishing is the use of SMS messages for phishing which targets users via their smartphones, which tend to have far weaker security controls than laptops and PCs. Voice phishing is also common, where malicious actors trick people into disclosing sensitive information or installing malware over the phone. Phishing can also take place via social media networks and video conferencing platforms such as Microsoft Teams.

A campaign has recently been identified that uses Microsoft Teams group chat requests for phishing. A threat actor appears to be using a compromised account to send Teams group chat invites to thousands of individuals. The compromised User’s Teams account is likely to have been compromised in a phishing, credential stuffing, or brute force attack. This campaign aims to install malware on users’ systems – a malware variant called DarkGate. DarkGate malware was first identified in 2018 and is a remote access Trojan that can install a hidden virtual network computing (hVNC) module to provide remote access to a victim’s device. The malware has keylogging and information-stealing capabilities and can steal cookies and information stored in browsers, Discord tokens, and cryptocurrency wallets. The malware can also download other payloads such as ransomware.

In this campaign, if a user accepts the group chat request, the threat actor uses social engineering techniques to trick them into downloading a file to their device. The user is tricked into thinking that they are downloading a PDF file, but they download an executable file. The file – Navigating Future Changes October 2023.pdf.msi – has a double extension. On Windows systems, which are typically configured to hide known file extensions, the file will be displayed as Navigating Future Changes October 2023.pdf. If the user double-clicks on the file, the malware will be installed and will connect to its command-and-control server, giving the treat actor control over the user’s device.

Microsoft Teams has become a popular target for threat actors for malware distribution. There are around 280 million monthly users, and the default settings allow Microsoft Teams users to receive chat requests from external Microsoft Teams users. While most users will have antivirus software on their devices for detecting malware, DarkGate malware is stealthy and often evades antivirus software. There are several steps that businesses can take to combat these attacks. The most important of which is to disable External Access in Microsoft Teams unless it is absolutely necessary for day-to-day business use. This will ensure that users can only receive chat requests internally, which will greatly reduce risk.

Another important measure is to provide regular security awareness training to the workforce. Employees should be taught cybersecurity basics such as how to recognize a phishing attempt and should be made aware of the latest tactics used by cybercriminals in attacks on employees. Training should be provided continuously, with short training sessions conducted every month. When new phishing techniques are identified, short training modules can be pushed out to employees to make them aware of the threat. With the SafeTitan security awareness training platform this is easy. The platform has a wide range of CBT content, with training modules lasting no more than 10 minutes so they are easy to fit in to workflows.

If you do not currently provide regular security awareness training to your workforce, contact TitanHQ about SafeTitan. Product demonstrations can be arranged on request, and you can test the product for yourself in a free trial.

Advanced Phishing Protection for Managed Service Providers

Alarmingly, 71% of Microsoft business users report that they suffer at least one compromised account each month. The biggest cause of account compromises is phishing. Phishing is the fraudulent practice of making contact with an individual and tricking them into taking an action that the attacker wants, which is usually to disclose their credentials to allow an attacker to remotely access their account. Phishing attacks usually involve impersonation, where the attacker claims they are an authority figure, such as the CEO of the company, a friend or colleague, or a representative of a reputable company.

The capturing of credentials usually occurs on a website with initial contact with the individual usually occurring via email, although phishing attacks are also conducted via SMS messages (smishing), telephone (vishing), social media networks, and instant messaging services.

Phishing targets members of the workforce, including employees and board members, and it is the responsibility of security teams and managed service providers to block as many phishing attempts as possible and ensure that if phishing attempts do bypass defenses, end users have been trained to recognize phishing attempts and report them. Security teams naturally concentrate on the former, as phishing will only succeed if an attacker can make contact. The problem is that cybercriminals are developing highly sophisticated phishing campaigns that are difficult for traditional email security solutions to identify and block.

Cybercriminals target Microsoft 365 credentials as they provide access to a wealth of sensitive data and to email accounts which can be used to conduct further phishing attacks internally and on the company’s customers and vendors. Once credentials have been obtained, they can be used for a much more extensive attack on a company. TitanHQ has received feedback from its managed service provider (MSP) customers that Microsoft 365 phishing is the number one problem to solve in the email security community.

TitanHQ already has products that can protect against phishing. There is the SpamTitan suite of products for email security, WebTitan for protecting against web-based attacks, including blocking access to the websites where credentials are obtained, and the SafeTitan security awareness and phishing simulation platform for educating the workforce on cybersecurity threats and testing resilience through simulated phishing emails.

What was needed, however, was a new solution that is specifically focused on phishing. “We therefore allocated resources and investment to develop a solution with new, cutting-edge, robust, fast phishing threat intelligence driven by a team of security specialists,” said TitanHQ CEO, Ronan Kavanagh. “We are pleased to be able to meet the market’s needs with a product that delivers.”

PhishTitan has been developed to help MSPs and businesses improve their phishing defenses for Microsoft 365, as Microsoft’s defensive measures – EOP and Defender – are failing to identify and block many phishing attempts. PhishTitan is a next-generation phishing protection and remediation solution for Microsoft 365, which integrates TitanHQ’s proprietary machine-learning algorithm directly with Microsoft 365 to augment EOP and Defender and catch and remediate the sophisticated phishing attacks that EOP and Defender miss.

PhishTitan has been developed from the ground up to meet the needs of MSPs and allow them to block more phishing attempts on their clients and remediate phishing attempts rapidly, without having to commit extensive resources to managing email security for each client.

PhishTitan is functionally rich, offering multiple integration options, and has granular policy controls, a full reporting suite, and provides comprehensive protection. Businesses can set up the solution themselves in around 10 minutes, and MSPs can add new clients in just 6 minutes.

PhishTitan Features

  • AI-driven solution that is capable of identifying and blocking zero-day threats
  • Scans and blocks malicious links
  • Scans and neutralizes malware
  • Detects unique and sophisticated phishing and BEC attacks over and above those detected by EOP and Defender
  • Rewrites URLs and applies banner notifications
  • Time of click protection to combat links that are weaponized after delivery
  • Protection against data leakage of sensitive company information
  • Instant remediation across an entire tenant
  • Real-time visibility and reporting suite on emerging threats
  • Phishing intelligence data that is unmatched in visibility, coverage, and accuracy.

If you are struggling to block phishing attacks on your M365 accounts or are a managed service provider who wants to improve phishing protection for your customers, give the TitanHQ team a call to find out more about how PhishTitan works and how it can improve your defenses against phishing. Product demonstrations can be arranged on request and PhishTitan is available on a free trial.

PikaBot Malware Now Distributed via Fake Ads for AnyDesk

There has been a change in the distribution method of PikaBot malware, which is now being pushed in a malvertising campaign. Previously PikaBot was only distributed via phishing emails. PikaBot malware was first identified in early 2023 and is a modular malware Trojan that consists of two components: a loader and a core module. The malware allows the operator to gain remote access to compromised systems and execute a range of commands, including shell commands and fetching and running EXE or DLL files. The malware also allows downloads of additional malware payloads and post-compromise tools. The malware is known to be used by a prolific threat actor tracked as TA577, with infection leading to the deployment of Cobalt Strike.

The malvertising campaign uses Google Ads for AnyDesk, a remote desktop application popular with businesses. Google has security checks in place to prevent malicious adverts from being displayed and these are being bypassed by using a tracking URL with a legitimate marketing platform, with the custom domain for the redirect protected by Cloudflare. The malicious adverts are displayed when users search for popular software such as Zoom, Advanced IP Scanner, and WinSCP.

If the Ad is clicked by a user, they are directed to a spoofed AnyDesk download site that will deliver an MSI installer hosted on Dropbox. Checks are also performed before redirection to the malicious site, with redirection not occurring if fingerprinting checks determine the request is originating from a virtual machine. Before the MSI download is initiated, another check is performed to test whether the request is coming from a virtual environment. On download, Pikabot uses an injector to run anti-analysis tests and will only decrypt and inject the core module payload if these checks are passed, otherwise, execution is aborted.

The use of malvertising in malware campaigns is increasing and this initial access vector is often successful as most security awareness training programs concentrate on phishing. It is important to ensure that malvertising is covered in security awareness training sessions and that employees are told about the risks of downloading software and are made aware of the checks they should perform to make sure the source of the software is legitimate.

Businesses can further protect themselves against malware distribution via the internet with a DNS filter. The WebTitan DNS filter can be used to control the web pages that can be accessed by employees. Access can be restricted to whitelisted sites, and websites can be easily blocked by category. WebTitan is constantly updated by multiple threat intelligence feeds and will block access to all URLs known to be used for malware distribution. While this malvertising campaign involves many checks to determine if a web filter is accessing the content, which may result in the content being accessible, WebTitan can be configured to block the downloading of certain files from the Internet, including executable files such as MSI files. Not only will this help to prevent malware downloads, it will also allow IT teams to curb shadow IT – unauthorized software downloads by employees – which are a security risk.

The WebTitan DNS Filter and the SafeTitan Security Awareness Training Platform are both available on a free trial and product demonstrations can be arranged on request. For further information give the TitanHQ team a call.

AI will Fuel Rise in Ransomware and Phishing Attacks

Ransomware attacks hit record levels in 2023 and are set to increase further along with the phishing attacks that provide ransomware groups with initial access to business networks.

The ransomware remediation firm Coveware reports that ransomware groups are now much less likely to receive ransom payments, with only 29% of victims choosing to pay up to obtain the keys to decrypt their data and prevent their data from being added to data leak sites. At the start of 2019, 85% of victims of ransomware attacks paid the ransom.

There are several reasons for the fall in payments. First, businesses are better prepared and have incident response plans for attacks that minimize disruption and more effective backup strategies that allow them to restore data themselves. While they are unable to prevent the leaking of sensitive data if they choose not to pay the ransom, there is widespread mistrust that paying the ransom will actually prevent data from being leaked or sold.

Falling revenues from attacks mean ransomware actors need to increase the number of attacks they conduct in order to maintain their incomes. NCC Group reports an 84% increase in attacks between 2022 and 2023, and 2024 is likely to continue to see high numbers of attacks and the UK’s National Cyber Security Centre (NCSC) has warned that ransomware attacks are likely to increase.

The NCSC predicts that by 2025, and perhaps sooner, generative AI and large language models will be extensively used by cybercriminals and will allow them to craft phishing and spear phishing emails and develop new social engineering tactics to conduct more effective phishing campaigns. Since phishing is one of the most common initial access vectors in ransomware attacks, the NCSC predicts that AI will contribute to the global ransomware threat in the near term and other types of cybercrime that rely on phishing and social engineering.

The use of AI will make it more difficult for security professionals to identify and block phishing emails and social engineering attempts and it will be much harder for end users to differentiate between genuine emails and AI-generated phishing attempts. Generative AI tools also lower the barrier for would-be cybercriminals looking to conduct phishing and ransomware attacks, allowing novice and less skilled threat actors to conduct attacks successfully. This has already been the case with ransomware-as-a-service (RaaS), and generative AI-as-a-service may also start to be offered. Generative AI tools are also allowing threat actors to process and analyze the data stolen in these attacks more efficiently.

“Threat actors, including ransomware actors, are already using AI to increase the efficiency and effectiveness of aspects of cyber operations, such as reconnaissance, phishing, and coding,” explained NCSC. “Enhanced access will likely contribute to the global ransomware threat over the next two years.”

The NCSC paints a bleak picture but while AI tools can be used for offensive purposes, they can also be used by network defenders. TitanHQ’s cybersecurity solutions already use AI and machine learning tools for identifying phishing and other email threats. These tools are able to identify novel phishing threats, including those that are created using generative AI tools.

If you want to improve your defenses against malicious use of AI, speak with TitanHQ about how you can add advanced AI-driven detection capabilities to your cybersecurity arsenal and better defend your networks and data from increasingly sophisticated cyberattacks.

Important Information About Quishing – Phishing Attacks Using QR Codes

QR codes are a convenient way of transmitting information, especially URLs. They can be scanned with a smartphone and direct the user to a website. They are on flyers, posters, and other marketing material to quickly direct users to a website to find out more information, greatly improving the response to marketing campaigns. Use of these codes has grown and they are now found everywhere, even in restaurants to direct diners to menus. Unfortunately, QR codes are also perfect for scammers for stealing sensitive information and distributing malware, and QR codes are now being extensively used in phishing campaigns (quishing) in place of embedded URLs. The advantage of this is that they make it hard for users to check the destination of the URL before clicking and email security solutions are now designed to follow QR codes. According to Check Point, there was a 587% increase in QR code phishing attacks between August and September 2023 and recently detected 20,000 instances of QR code-based attacks over a 2-week period.

Campaigns have recently been detected that incorporate conditional redirection based on the user’s device, browser, screen size, and many other parameters, tailoring each attack to the individual via the same QR code. In one of these campaigns, users were directed to a credential harvesting page, with the redirection chain adjusted based on the fingerprinting of the user’s device. Similar campaigns are conducted to direct users to malware distribution sites. QR codes have also been used to direct users to deep fake YouTube videos, where celebrities appear to be endorsing investment schemes, usually related to cryptocurrency, where people are tricked into investing with a promise that they can rapidly double their money or get even better returns.

Email security solutions are designed to assess messages for phishing content, check embedded URLs to determine if they link to malicious websites, and scan email attachments to check for malware, but they are not suited to checking QR codes to determine where the user will be directed. Further, QR codes move the threat to a different device. QR code phishing emails are likely to be received on a company-owned laptop or PC, but the user is then required to switch to their mobile phone to scan the QR code, and mobile devices typically lack the same level of protection making it more likely that the attack will go undetected.

The best defense against these attacks is user education. Security awareness training should cover quishing to make employees aware of this increasingly popular tactic and the threat that QR codes pose. With SafeTitan it is easy to add new training content to your security awareness training programs and push out these training modules to all users. When any new threat is detected, you can add educational content to your training program and push that content out to all users, user groups, or individuals. All training modules last a maximum of 10 minutes, so they are easy to fit into busy workflows.  SafeTitan also includes a phishing simulator that allows you to send out fake quishing emails to the workforce to see who opens the emails and responds.

For further information on security awareness training with SafeTitan and how you can improve your defenses against all types of cyberattacks, give the TitanHQ team a call.

Callback Phishing Campaign Warns of Imminent Charge for Antivirus Subscription

Phishing is the fraudulent practice of sending messages, typically emails, that trick the recipient into doing something that they normally would not do, such as disclosing sensitive information or installing malware on their device. Phishers often include a link to a website that spoofs a well-known brand and victims are tricked into disclosing sensitive data or malicious files are attached to emails. Email security solutions are now much better at detecting malicious hyperlinks, and advanced email security solutions such as SpamTitan Plus can detect all known malware and have email sandboxing for behavioral analysis of suspicious emails to identify and block zero-day malware threats.

Cybercriminals Turn to Callback Phishing to Evade Cybersecurity Solutions

The first goal of a phishing attack is to get a message, be that an email, SMS, or instant message to an end user, and one of the ways that this is achieved is by sending emails with no malicious content – no hyperlinks or email attachments. Instead, the messages have a realistic call to action that requires immediate attention, and a phone number is provided in the email that the recipient must call to address the pressing problem that is outlined in the email. The phone line is manned by the threat actor who then talks the user through performing certain actions that provide remote access to their device.

Callback phishing typically involves an email warning the recipient about a charge for a product that is about to be taken, such as the expiry of a free trial or the end of a subscription term. The charge is excessive and the number provided in the email must be called to stop the charge. One such campaign that has recently been uncovered involves a fictitious charge for an antivirus subscription. In one of these attacks, the threat actor spoofs the antivirus software provider Norton. The email advises the recipient that the subscription period has come to an end and a charge for the next subscription period will be applied – $349.95. Naturally, such a high charge for a product would prompt many people to call the number to block it.

As with other callback phishing campaigns, the attacker tricks the recipient into downloading a program to their device that they are told is necessary to prevent the renewal of the subscription. The program gives the attacker remote access to the user’s device. Once access has been gained, the attacker can conduct a variety of nefarious activities.

Victim Transferred $34,000 to Attacker’s Account

In one of these scams, after access was gained to a victim’s device, the attacker transferred $34,000 from the user’s account. After providing the attacker with remote access to their laptop, the victim was instructed to perform other actions, one of which was entering their credentials into a phishing page. The victim was told that the payment for the antivirus software had already been taken, so a refund needed to be processed. The attacker then told the victim that an error had been made and a refund of $34,000 had been deposited in his account and immediate action was required to correct the error to avoid legal trouble.

The attacker remained on the phone while the victim called his bank, and while the victim was on the phone, the attacker transferred $34,000 from the victim’s Money Market account to his checking account. When the victim saw the $34,000 deposit, he assumed it to be the refund from Norton, and arranged the transfer to the bank account provided by the attacker. The attacker told the victim that in order not to arouse suspicion at the bank, he should inform the bank that the payment was for a vehicle. The victim was unable to see the malicious activity as the attacker had overlayed a blue screen on his laptop.

In this case, suspicions were raised and the funds were put into a suspense account at the recipient bank. U.S. Secret Service Special Agent Iris Joliff was able to obtain a seizure warrant from a judge allowing the money to be recovered; however, scams such as these are often only detected when the transferred funds have been withdrawn from the attacker-controlled account.

Improve Resilience to Callback Phishing with SafeTitan

Email security solutions may be effective at blocking malicious attachments and hyperlinks in emails, but they can rarely identify callback phishing scams as it is difficult to determine if a phone number is malicious. The most effective way that businesses can combat callback phishing is through security awareness training. Callback phishing should be covered in security awareness training sessions and also added to phishing simulation campaigns, to test whether the training has been understood and is being applied. SafeTitan from TitanHQ makes this easy, as callback phishing modules can easily be added to training courses and SafeTitan also includes a phishing simulator with phishing templates to test resilience to callback phishing and identify individuals who require further training in this area.

For further information on the SafeTitan platform and advice on how to further improve your defenses against phishing, give the TitanHQ team a call.

TitanHQ Launches PhishTitan – AI-Driven Phishing Protection for M365

TitanHQ is proud to announce the addition of a new solution to its cybersecurity portfolio that helps businesses combat the growing threat of phishing. PhishTitan provides powerful phishing protection for Microsoft 365 that is capable of catching and remediating sophisticated phishing attempts, including spear phishing attacks, business email compromise, phishing emails generated by artificial intelligence tools, and zero-day phishing threats that Microsoft’s native defenses for M365 fail to detect and block. It is these threats that pose the biggest threat since they are missed by Microsoft’s email security defenses and are difficult for employees to identify as malicious since they lack many of the red flags that employees are taught to look out for in security awareness training programs.

PhishTitan incorporates TitanHQ’s proprietary machine-learning algorithm, which integrates directly with M365. PhishTitan performs an AI-driven analysis of inbound emails (internal and external) which includes textual analysis, link analysis, and attachment scanning. Links are analyzed via multiple curated feeds that constantly update the solution to allow malicious websites linked to phishing and malware distribution to be identified and blocked. Phishing emails often include links that have been masked to hide the true destination URL. PhishTitan rewrites URLs to show the true destination. One tactic used by phishers to bypass email security solutions is to only weaponize links in emails after delivery. To protect against this tactic, PhishTitan checks inbound emails before delivery to inboxes and also offers time-of-click protection against malicious links in emails.

Attachments are scanned with twin antivirus engines, and suspicious email attachments are sent to the sandbox for behavioral analysis. Machine learning detection models scour the body of emails looking for tell-tale signs of phishing and adapt to constantly changing phishing tactics.  The machine learning algorithms also learn from reports of phishing attempts by end users, which they can report with a single click using a TitanHQ-supplied Outlook add-in. PhishTitan can also be configured to apply banner notifications to external emails and protect against the leakage of sensitive company information.

The solution has been designed to meet the needs of businesses of all types and sizes and has been developed from the ground up to meet the needs of managed service providers (MSPs) to allow them to easily add advanced phishing protection to their service stacks. It takes around 10 minutes to set up the solution, and around 6 minutes for MSPs to onboard new clients.

The solution was trialed across the TitanHQ user database of more 12,000 customers and 3,000 MSPs in Q4, 2023, with TitanHQ customers reporting that the solution outperforms their existing anti-phishing solutions. TitanHQ is now pleased to start offering the new product to new customers. For more information on PhishTitan phishing protection Microsoft 365 contact TitanHQ today. PhishTitan is available on a 14-day free trial and product demonstrations can be arranged on request to show you how easy the product is to use and exactly what it can do.

“A staggering 71% of MS business users suffer at least one compromised account monthly. With this in mind, the overwhelming feedback from our customer base has been that phishing is the number one problem to solve in the email security community,” said TitanHQ CEO, Ronan Kavanagh. “We therefore allocated resources and investment to develop a solution with new, cutting-edge, robust, fast phishing threat intelligence driven by a team of security specialists. We are pleased to be able to meet the market’s needs with a product that delivers.”

Malicious File Deliveries Increased in 2023

The cyber threat landscape is constantly changing, with cybercriminals and nation-state actors developing new tactics, techniques, and procedures for use in attacks on businesses to steal intellectual property and sensitive customer data, and for extortion. Threat actors gain access to internal networks by exploiting human weaknesses through social engineering and phishing, exploiting vulnerabilities such as unpatched and misconfigured software, and using malware for remote access.

The latter has seen an increase in 2023, with Kaspersky reporting in its end-of-the-year statistics report that malicious file detections have increased by 3% from 2022, with an average of 411,000 malicious files detected each day. The biggest increase was malicious desktop files such as Word documents, Excel spreadsheets, and PDF files, which are used for distributing malware. More than 125 million malicious desktop files were detected in 2023, with documents such as Word files and PDF files seeing the biggest increase, up 53% from 2022.

The company attributed the large increase to the number of email phishing attacks using malicious PDF files. PDF files have become more popular due to the steps Microsoft has taken to block email attacks using Office documents and spreadsheets. In the summer of 2022, Microsoft started blocking Visual Basic Applications (VBA) macros in Office apps by default to stop malicious actors from using them to deliver malware. Macros are now blocked by default in all Office documents that are delivered via the Internet. Threat actors responded by switching to other file formats for delivering malware such as LNK, ISO, RAR, ZIP, and PDF files, with the latter commonly used to hide links to malicious websites from email security solutions. These links direct users to malicious websites where drive-by malware downloads occur and also to phishing sites that steal credentials. The most common malware types in 2023 were Trojans such as Magniber, WannaCry, and Stop/Djvu, with a notable increase in backdoors, which provide threat actors with remote access to victims’ devices and allow them to steal, alter, and delete sensitive data and download other malware variants such as ransomware.

These email-based attacks usually require some user interaction to succeed, such as opening a malicious file or clicking a link. Threat actors are adept at social engineering and trick users into taking the action they need but the availability of artificial intelligence tools has made social engineering even easier. AI has significantly lowered the entry barrier into cybercrime and can be used by anyone to create convincing phishing lures and social engineering tricks. Artificial intelligence tools are also being leveraged to develop new malware variants faster than before, which allows threat actors to defeat signature-based antivirus and antimalware solutions.

With cyberattacks increasing in both number and sophistication, businesses need to ensure they have appropriate defenses in place. To defend against attacks, businesses need to take a defense-in-depth approach to security and implement multiple overlapping layers of protection. Should one single component fail to detect a threat, others will be in place to provide protection. Endpoint detection solutions such as antivirus software are essential. These solutions work after malware has been delivered and can detect and neutralize the threat; however, multiple layers of security should be in place to make sure threats are not delivered, especially due to the increase in zero-day malware threats – novel malware variants that have yet to have their signatures added to the malware definition lists used by these solutions.

TitanHQ offers three layers of protection through SpamTitan Email Security, Web Titan Web Filtering, and SafeTitan Security Awareness Training. SpamTitan is an advanced email security solution that protects against all email threats, including known and zero-day threats. SpamTitan offers protection against malicious links in emails, and features dual antivirus engines and email sandboxing to protect against malware threats, with the latter used to detect previously unseen malware variants. SpamTitan also uses artificial intelligence and machine learning to predict new attacks.

WebTitan is a leading DNS filtering solution that allows businesses to carefully control the web content that can be accessed via wired and wireless networks. The solution blocks access to known malicious websites, and high-risk websites, and can be configured to block the file types that are commonly used for malware delivery, such as executable files. SafeTitan is a comprehensive security awareness training and phishing simulation platform for teaching employees security best practices and improving resilience to the full range of cybersecurity threats. The platform provides training in real-time in response to poor security behaviors, with training sessions triggered immediately when bad behaviors are detected. This ensures that training is delivered when it is likely to have the biggest impact.

To improve protection against the full range of cyber threats, give the TitanHQ team a call today. You can discuss your needs and explain the current security solutions you have, and the TitanHQ team will be more than happy to talk about the TitanHQ solutions that can plug the security gaps. All solutions are competitively priced and are available on a free trial to allow you to test them thoroughly before making a purchase decision.

New Callback Phishing Campaign uses Google Forms for Initial Contact

A new callback phishing campaign has been detected that uses Google Forms to add credibility to the campaign. Callback phishing involves sending an email and tricking the recipient into calling a customer service helpline, where they are convinced to download software that provides the attacker with remote access to their device. Since the emails contain no malicious content, only a phone number, these emails are usually delivered to inboxes.

A typical campaign involves an email about an impending charge for a subscription for software or a service, payment for which is about to be taken shortly. The user is told that they must respond within 24 hours if they have any dispute and that the subscription will auto-renew if no action is taken. Companies typically impersonated in these attacks include Netflix, Hulu, Disney+, Masterclass, McAfee, Norton, and GeekSquad.

The impending charge is excessive, typically $50 to $500, and the only way to prevent the payment is to call the customer service number included in the email. Subscriptions for software, streaming platforms, and other services are often set to auto-renew by default, and many people end up paying for another term even if they have discontinued using that service. The lure is therefore plausible, and since the charge is excessive, the recipient is likely to make the call.

The phone number is manned by the threat actor who pretends to be customer support and helps the user block the charge; however, in order to do so, software must be downloaded onto the user’s device. The user is convinced to install the software, the threat actor appears to remove the offending software, and the payment issue is resolved; however, the threat actor has installed malware that provides access to the user’s device.

In late 2020/ early 2021, this method was used in BazarCall attacks, so named because they were conducted to deliver BazarLoader malware. The malware is used to download additional malware payloads to the user’s device, such as ransomware. A new version of this campaign has recently been detected that employs Google Forms to add legitimacy to the campaign. Google Forms is free to use and allows forms to be easily created for surveys and quizzes, which can be integrated with websites or shared. In the latest BazarCall campaign, Google Forms is used to create details of a fake transaction, complete with invoice number, payment method, payment date, and information about the product or service.

Google Forms includes the option for a response receipt in the settings, so when a form is completed, it is submitted to the entered email address – that of the target. Google sends the completed form from its own servers, which adds legitimacy to the campaign and increases the probability of the form reaching an inbox. Email security solutions trust the sender ( and the messages contain no malware or phishing links, the email is guaranteed to be delivered. The form instructs the recipient to call the number within 24 hours if they have any dispute about the charge.

Google is aware of the campaign and is taking steps to improve detection and said that the campaign has so far been used for a small number of users; however, it is worthwhile updating your security awareness training to include this new method of attack. That is quick and easy to do and roll out with the SafeTitan security awareness training platform. SafeTitan also allows you to easily add this method of phishing to the phishing simulator, to see if your employees are likely to fall for callback phishing scams.

QakBot Malware Returns with Phishing Campaign Targeting Hospitality Sector

In the summer of 2023, a multinational law enforcement operation caused major disruption to the botnet and malware known as QakBot, aka Qbot & pinkslipbot. Now the malware is back and being used in a campaign targeting the hospitality industry.

QakBot was first detected in 2008 and was primarily a banking Trojan which was used to steal financial information from infected devices; however, the malware has evolved over the years and its capabilities have been significantly enhanced. Check Point researchers have described the malware as “a Swiss army knife” due to its extensive capabilities. QakBot can steal financial information, browser data, and has keylogging capabilities, allowing it to steal credentials and other sensitive information. Infected devices are added to a botnet that can be used for a range of nefarious activities, and the malware also serves as a downloader and can deliver other malicious payloads, including ransomware. QakBot has previously partnered with major ransomware groups including Egregor, REvil, Conti, and ALPHV/BlackCat.

At the time of the takedown, QakBot had been installed on more than 700,000 computers worldwide. According to the U.S. Department of Justice, the August takedown was “the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.” The law enforcement operation resulted in access being gained to the botnet’s encryption keys that were used for malware communication The botnet was hijacked and a custom Windows DLL was pushed out to all infected devices, which terminated the malware and disabled the botnet. These takedowns are, unfortunately, only temporary. As was the case with the takedown of the Emotet botnet, the threat actors simply rebuild their infrastructure.

QakBot malware is primarily distributed via phishing emails and the first QakBot malware campaign since the takedown was detected on Monday. The latest campaign uses an Internal Revenue Service (IRS) themed lure, where an IRS employee is impersonated. As is common in these campaigns, there is little body text in the emails, apart from the IRS logo and contact information. The emails contain a PDF attachment called GuestListVegas.pdf, and the subject line is “clients information”.

The recipient is told that they cannot preview the PDF file and must download it; however, the file they download is an MSI installer that will launch QakBot in the memory. Microsoft confirmed that this version of QakBot has not been seen before. While this appears to only be a relatively small campaign, distribution is expected to be significantly ramped up. In addition to this method of distribution, the QakBot operators have previously used OneNote files, Office files with malicious macros, Windows shortcut files, ISO attachments, and other executables, some of which have been known to exploit unpatched vulnerabilities.

Defending against attacks requires a combination of measures to block the initial access vector, the most important of which are an advanced spam filter – such as SpamTitan – security awareness training, and phishing simulations. A spam filter will block the majority of malicious emails to reduce the number of threats that are delivered to inboxes. By providing ongoing security awareness training to the workforce, employees will learn how to recognize, avoid, and report potential threats. Phishing simulations are an important part of the training process and allow employees to be tested to determine whether they are applying their training. When a phishing simulation is failed it can be turned into a training opportunity. With the SafeTitan platform, training is automated and delivered in real-time in response to failed phishing simulations.

For more information on advanced spam filtering and workforce cybersecurity training, give the TitanHQ team a call.

DarkGate/PikaBot Malware Phishing Campaign the Work of Qakbot Operators?

A malware phishing campaign has been running since September 2023 that is distributing DarkGate malware. Now, the threat actor behind the campaign has switched to PikaBot malware, and the campaign has several similarities to those conducted by the threat actor behind Qakbot.

DarkGate malware was first detected in 2017 but was only offered to other cybercrime groups this summer. Since then, distribution of the malware has increased significantly, with phishing emails and malvertising – malicious adverts – the most common methods of delivery. DarkGate malware is a multi-purpose Windows malware with a range of capabilities, including information stealing, malware loading, and remote access. In September, security researchers at Cofense identified a malware phishing campaign that was spreading DarkGate malware that has since evolved into one of the most advanced active phishing campaigns making it clear that it is being conducted by an experienced threat group. Then in October 2023, the threat actor behind the campaign switched to distributing Pikabot malware. Pikabot malware was first detected in early 2023 and functions as a downloader/installer, loader, and backdoor.

Security researchers have analyzed the malware phishing campaign and have identified several similarities to those used to distribute Qakbot (Qbot) malware including the behavior of the malware upon infection, the method of distribution, as well as internal campaign identifiers. Qakbot was one of the most active malware botnets; however, in August this year, an international law enforcement operation headed by the U.S. Department of Justice successfully took down the infrastructure of Qakbot.

The emergence of the phishing DarkGate/Pikabot campaign around a month after the Qakbot takedown, the use of a similar campaign that was used to distribute Qakbot, and no detected Qakbot activity since the takedown has led security researchers to believe the operators of Qakbot have switched to distributing DarkGate/Pikabot. Both of those malware families have similar capabilities to Qakbot and that could indicate the Qakbot operators have switched to newer malware botnets. As was the case with Qakbot, the new malware variants provide the threat actor with initial access to networks and it is probable that attacks will result in data theft and potentially the use of ransomware. Given the pervasive nature of Qakbot, if the same threat actors are behind the latest DarkGate/Pikabot campaign it poses a significant threat to businesses. The phishing campaign starts with an email that forwards or replies to a stolen message thread. Since the message threat contains genuine previous conversations there is a much higher probability of the recipient responding to the message. The emails contain an embedded URL that directs the user to a.ZIP archive that contains a malware dropper, which delivers the final DarkGate or Pikabot payload.

The phishing campaign continues to evolve and it is the work of a very experienced threat actor. One of the best defenses against these attacks is security awareness training. Employees should be warned of the tactics that are being used to distribute the malware and should be instructed to be vigilant, especially requests received via email that appear to be responses to previous communications that prompt them to visit a website and download a compressed file. They should be instructed to report any such email to their security teams for analysis.

With SafeTitan, TitanHQ’s security awareness training platform, it is easy to incorporate the latest threat intelligence into training content and push out short training sessions to employees to raise awareness of the latest malware phishing campaigns. SafeTitan also includes a phishing simulator that allows custom simulated phishing emails to be sent out to the workforce, including simulated phishing emails that include the tactics used in the DarkGate/Pikabot campaign. Security teams can use the simulator to determine how employees react and can then take proactive steps to address any knowledge gaps before a real DarkGate/Pikabot phishing email lands in an inbox.

An advanced spam filter should also be implemented that is capable of scanning and following links in emails along with a WebFilter for blocking access to malicious websites and restricting file downloads from the Internet, such as TitanHQ’s SpamTitan Plus and WebTitan DNS filter. For more information on the SafeTitan security awareness training and phishing simulation platform, advanced spam filtering with SpamTitan Plus, and web filtering with WebTitan, call TitanHQ today. All TitanHQ solutions are also available on a free trial.

Watch Out for Black Friday Phishing and Cyber Monday Scams!

You may be able to grab a bargain on Black Friday and Cyber Monday but you need to be extra vigilant for Black Friday phishing attacks and Cyber Monday scams. Cybercriminals are waiting to take advantage of unwary online shoppers on Black Friday and scams are rife throughout the holiday season.

Black Friday and Cyber Monday are two of the busiest shopping days of the year. Many people take advantage of the deals on offer and delay major purchases to try to get a Black Friday or Cyber Monday bargain, and savvy shoppers get started on their Christmas shopping early and try to grab the best gifts while they are available, often at a sizeable discount. On Black Friday, Cyber Monday, and throughout the holiday season, cybercriminals are hard at work. It is the perfect time for them to fill their pockets before the Christmas break. There are huge numbers of people looking to make purchases online, and cybercriminals are more than happy to offer the bargains and special deals that they seek.

During this shopping frenzy, people who delay making a purchase often miss out due to limited product availability. That means it is the perfect time to conduct a phishing attack offering a high-value product at a rock-bottom price, as it is exactly what consumers are expecting and hoping to find. The whole retail event plays into cybercriminals’ hands. People are made to think that they need to act fast and make a quick purchase when what they need to do is stop and think about whether the offer being presented is really what it seems.

Last year, UK residents lost more than £10 million to cybercriminals over the festive shopping period, according to the UK National Cyber Security Centre, with each victim losing an average of £639 to scams between November 2022 and January 2023. This year, the outlook looks even bleaker due to the ease at which artificial intelligence can be used to create convincing scams. While phishing attempts, scam emails, and malicious websites often contain red flags that indicate all is not what it seems, those red flaws are often missing from AI-generated content. Cybercriminals are leveraging large language models, such as ChatGPT, to create convincing emails, scams, fake adverts, and fraudulent websites. The aim of these attacks is to get unsuspecting consumers to disclose their usernames and passwords, provide their credit card and bank details, make purchases for non-existent products, or download malware. AI allows cybercriminals to conduct these scams on an increasingly large scale.

Tips for Avoiding Black Friday Phishing Scams and Online Fraud

AI tools allow cybercriminals to generate phishing emails with perfect grammar and no spelling mistakes and even generate convincing lures targeted at specific groups of people, but the same social engineering techniques are used in these phishing attempts as human-generated phishing emails. With phishing attempts, there is a sense of urgency. Phishing emails have a call to action and only a limited time to respond and there will usually be a threat of negative consequences if prompt action is not taken. With Black Friday phishing scams, product scarcity or a special offer expiring are often how cybercriminals get urgent action to be taken, or there may be a threat of pending costs, charges, or account closures if the email is ignored. Another common ploy is to generate a security alert about unauthorized account access or a potentially fraudulent purchase that has been made, with immediate action required to block the charge or protect the account. Everyone needs to be extra vigilant during the holiday season and should carefully check the sender of the email and stop and think before taking any action suggested in an email.

With so many purchases being made at this time of year, it is the perfect time for phishing lures warning about unsuccessful deliveries. Most people will be expecting packages to be delivered over the next few days and weeks. If you are notified about a failed delivery attempt, make sure that the message has been sent from the domain of the company that claims not to be able to deliver the package. If the email claims to have been sent by FedEx, UPS, DPD, Yodel, or Evri, check it has been sent from the official domain used by that company and watch out for hyphenated domain names, spelling mistakes, and transposed letters.

While email scams are common, so are scams on social media platforms. Malicious advertisements are posted offering products that are never dispatched. According to the Federal Trade Commission, $2.7 billion has been lost in the United States to social media scams over the past 2 years. While there may be genuine offers on social media sites, any vendor should be carefully vetted before making a purchase through an advert and checked to make sure they are who they claim to be and that they are a reputable retailer. It is also far better to use a credit card for any purchases, as credit card companies offer much greater protection against fraud than banks do for debit cards.

While non-delivery scams are common, and credit card theft is rife, many Black Friday and Cyber Monday scams try to obtain access to accounts. In addition to being extra vigilant, it is important to ensure that accounts are properly protected, which means setting a strong, unique password for each account and ensuring multifactor authentication is enabled. If passwords are reused across multiple sites, if that password is obtained, all accounts that use the same password will be put at risk. Multifactor authentication will provide greater protection for accounts should passwords be guessed or otherwise obtained. A password alone is not sufficient to gain access to an account, as an additional form of authentication must be provided.

Quishing: The Fast-Growing Phishing Trend

What is Quishing?

Quishing is a fast-growing phishing trend involving QR codes, which are now used in more than one-fifth of phishing attacks. QR Codes, or Quick Response codes to give them their full name, have become a popular way of communicating information, most commonly URLs for websites and PDF files. QR codes were originally developed and used for tracking parts in manufacturing, but their uses have grown considerably and QR codes are now everywhere.

They are also used by restaurants for directing diners to their menus – something that became more common during the COVID-19 pandemic as a way of reducing the risk of virus transmission as well as reducing costs by not having to print menus. They are used by advertisers at bus stops and train stations, in magazines and printed pamphlets, and even TV commercials. They allow advertisers to get smartphone users to quickly and easily visit a website to find out more about products and services and make a purchase.

The ubiquity of QR codes and how they have been embraced by consumers, coupled with the difficulty of distinguishing between a benign and useful QR code and a malicious one has made them perfect for malicious actors for driving traffic to their malicious websites. QR codes are sent via emails, instant messaging services, and on social media sites and direct users to a malicious website where credentials are harvested or malware is downloaded. Another key benefit of QR codes is they are read by smartphones, rather than laptops or desktop computers. Smartphones are far less likely to have security software installed that can detect either the phishing message or the malicious URL that users are directed to.

Malicious actors have embraced QR codes and commonly use them in phishing campaigns. One analysis of phishing emails revealed 22% of phishing emails intercepted in October 2023 used QR codes, many of which used standard phishing lures to get users to scan the QR code, such as a security alert requiring immediate action. Other types of quishing attacks have exploited the “login with QR Code” feature that is now used by apps and websites as a secure way of logging in. In this type of attack, termed QRLJacking, the attacker initiates a client-side QR session of the targeted app or website, and clones the login QR code to display a fake but realistic clone of the targeted app. Social engineering techniques are used to send a user to that page, the user scans the malicious QRL using the mobile application the QRL code was created for, and the attacker gains access to the victim’s account. The app is unaware this is fraudulent access and provides the user’s data to the attacker.

Protecting against these attacks is much harder than protecting against standard phishing attempts since security solutions struggle to detect these malicious QR codes. That said, protecting against QRLJacking is simple. Don’t ever use QRLs for logging in. Avoiding other quishing attacks involves similar advice. Avoid using QR codes entirely, or at least avoid using QR codes from untrusted sources. If a QR code is received via email, the source of the email needs to be verified, and even then it is best to avoid using it and just visit the website of the company that claims to have sent it.

Companies should also consider adding quishing to their security awareness training programs given how commonly QR codes are being used in phishing. That’s easy to do with the SafeTitan Security Awareness Training Platform – just choose the Quishing content and add it to your training program and incorporate the quishing templates into your phishing simulations.

Has AI Surpassed Humans at Writing Phishing Emails?

Has AI surpassed humans at writing phishing emails? A team of researchers at IBM decided to put that to the test and the results are now in. Humans still have the edge, but AI is not far behind and will soon overtake humans.

There has been a lot of press coverage recently about the capabilities of AI and significant concern has been voiced about the threat AI-based systems pose. While there are legitimate concerns that AI systems could turn against humans, one of the most pressing immediate cybersecurity concerns is that cybercriminals could use generative AI tools to devastating effect in their cyberattacks.

Many security researchers have demonstrated that generative AI chatbots such as ChatGPT can write perfect phishing emails, free of spelling mistakes and grammatical errors, and can also create convincing lures to trick humans into opening a malicious email attachment or visiting a malicious website. ChatGPT and other generative AI tools can also be used to write malware code, and there have been demonstrations of AI tools being used to create functional polymorphic malware and ransomware code. One of the key advantages of AI tools such as ChatGPT is the speed at which phishing emails, social engineering lures, and malware code can be generated, which could greatly improve the efficiency and even the quality of a range of malicious campaigns.

Tools such as ChatGPT have guardrails in place to prevent them from being used for malicious purposes such as writing malware or phishing emails. If you ask ChatGPT to write ransomware code or a phishing email, it will refuse to do so as it violates OpenAI’s terms and conditions of use. Those controls can, however, be easily bypassed, plus there are generative AI tools that have been developed specifically for cybercriminal use, such as WormGPT and FraudGPT.

Are Cybercriminals Using AI in Their Campaigns?

Security researchers have shown that it is possible to use generative AI tools for offensive cybersecurity purposes, but are cybercriminals actually using these tools? While there is limited evidence on the extent to which these tools have been used, it is clear that they are being put to use. An August 2023 report by the U.S. cyber defense and threat intelligence firm Mandiant explored this and found threat actors are certainly interested in generative AI but use remains limited. The main area where these AI tools are being used is in information operations, specifically to efficiently scale their activity beyond their inherent means and to produce more realistic content.

Financially motivated threat actors have been using generative AI such as deepfake technology to increase the effectiveness of their social engineering, fraud, and extortion operations, including the use of face swap tools. The main focus currently is on social engineering, such as phishing attacks, for generating convincing lures for phishing emails and greatly reducing the time spent researching potential targets.

Are Generative AI Tools Better than Humans at Phishing?

An IBM X-Force team of social engineering experts recently went head-to-head with a generative AI chatbot to see which was better at creating phishing emails. The researchers would typically take around two days to construct a phishing campaign, with most of the time taken on researching targets to identify potential social engineering lures, such as topics for targeting specific industries, the persons to impersonate, and for creating convincing emails.

They developed 5 simple prompts to get a generative AI chatbot to do this, and the entire campaign was created in just 5 minutes, thus saving a cybercriminal around 2 days of their time. The good news is that the security researchers’ email performed better in terms of a higher click rate and a lower reporting rate, but the margins were very small. Humans still have the edge when it comes to emotional manipulation in social engineering, but AI is not very far behind and is likely to overtake humans at some point.

How to Combat AI-generated Phishing

Generative AI can save cybercriminals a great amount of time and the content generated is almost as good as human-generated content, and certainly good enough to fool many users. The best defense is to provide more extensive and regular security awareness training to employees to improve resilience to phishing attempts and to put cybersecurity solutions in place that incorporate AI and machine learning tools.

TitanHQ’s Email Security solution, SpamTitan, has AI and machine learning capabilities that are used to detect previously unseen phishing threats, such as those generated by AI tools. These capabilities also apply to email attachments, which are sent to an email sandbox for deep analysis of their behavior, allowing SpamTitan to detect and block zero-day malware threats. TitanHQ can also help with security awareness training. SafeTitan is an easy-to-use security awareness training and phishing simulation platform that has been shown to reduce susceptibility to phishing by up to 80%. Combined with multifactor authentication and endpoint detection tools, these solutions can help organizations improve their defenses against cyberattacks that leverage generative AI.

U.S. Federal Agencies Offer Guidance on Combating Phishing

Phishing is the most common way that malicious actors gain access to the networks of their victims. A single response to a phishing email by an employee is all it takes for a threat actor to get the foothold they need in the network to conduct a devastating attack. Once initial access has been gained, threat actors escalate privileges, move laterally, and conduct a range of malicious activities. What starts with a phishing email, often ends up with ransomware being deployed, with vast amounts of sensitive data stolen in between. This month, as part of Cybersecurity Awareness Week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued joint guidance on combatting phishing.

Phishing is a term that covers social engineering techniques used by malicious actors to trick people into revealing sensitive information such as login credentials or installing malware. The federal agencies explained that it is all too common for IT security teams to put the blame on employees for clicking links in emails, opening malicious attachments, and disclosing their credentials, but this blame game doesn’t solve the problem. Organizations need to create, implement, and maintain phishing defenses that account for human error, as it is inevitable and impossible to avoid.

Various tactics, techniques, and procedures (TTPs) are used by cyber actors in these campaigns, and different mitigations are required for each type of attack. Credential phishing attacks are usually conducted via email, so one of the most important defenses in an email security solution. Email security solutions will reduce the volume of spam and phishing emails reaching inboxes. SpamTitan, for example, blocks more than 99.99% of spam and phishing emails. The federal agencies recommend using DMARC, Sender Policy Framework (SPF), and Domain Keys Identified Mail (DKIM) for verifying the sending server of received emails by checking published rules and DMARC, SPF, and DKIM, are all incorporated into SpamTitan.

An email security solution that relies on signature-based detection methods such as anti-virus engines will block all known malware but cannot block novel malware threats that have not yet been identified, and more novel malware variants are now being released than ever before. To improve defenses against malware-based phishing, email security solutions should incorporate machine-learning and AI-based detection, which look for the actions performed by emailed files rather than malware signatures. This is usually implemented through email sandboxing. Emails are sent to a safe and secure isolated environment where they are detonated, and their actions are analyzed for malicious actions.

No email security solution will block all malicious emails without also blocking an unacceptable number of genuine messages, and as the federal agencies point out, email security solutions cannot detect and block phishing attempts via SMS, instant messaging services, and voice phishing. It is therefore important to provide security awareness training to all members of the workforce. The purpose of security awareness training is to reduce susceptibility to phishing attempts by teaching employees about the threat of phishing, providing examples to help them recognize phishing attempts, and conditioning employees to stop and think and report any suspicious emails, SMS messages, and voice calls to their security teams.

Over time, employees will improve and get better at identifying phishing attempts, especially when training is combined with phishing simulations. Phishing simulations are a safe way to give employees practice at putting their training to the test, and these internal campaigns allow security teams to identify individuals who have not taken the training on board, as well as types of phishing emails that are proving effective, both of which can be addressed through further training. Security awareness training using SafeTitan has been shown to reduce susceptibility to phishing attempts by up to 80%; however, training will not totally eliminate employee mistakes. Employees are, after all, humans and not machines.

In addition to email security solutions and training, it is vital to add multi-factor authentication (MFA) to accounts. In the event that a phishing email bypasses technical defenses and fools an employee, MFA should prevent the obtained credentials from being used to access accounts. While any form of MFA is better than none, phishing-resistant MFA is recommended – FIDO or PKI-based MFA.

To increase protection against malware execution, denylists should be used to block malicious domains, URLs, and IP addresses, and rules should be implemented to prevent downloads of common executable files from the internet such as scr, .exe, .pif, .bat, .js, and .cpl files. This is easiest to implement with a web filtering solution such as WebTitan. WebTitan will also block all attempted visits to known malicious websites and can restrict access to only trusted, white-listed domains or URLs, or URLs and domains can be blocked by category.

Further information on improving phishing defenses can be found on the CISA website, and TitanHQ’s friendly sales team will be happy to discuss email security, web security, and security awareness training solutions with you and will help get you set up for a free trial of SpamTitan, WebTitan, and/or SafeTitan. The important thing is not to ignore the threat of phishing and to start taking steps to improve your defenses.

How to Sandbox Email Attachments

Do you know how to sandbox email attachments? If you have yet to start using a sandbox for email, you will be exposed to advanced malware and phishing threats. The good news is it is quick and easy to improve protection with a sandbox, and it requires no advanced techniques or skills, but before presenting an easy email sandboxing solution, we should explain why email sandboxing is now a vital part of email security

Email Sandboxing Detects Advanced and Sophisticated Threats

A hacker writes the code for a new malware variant or generates the code using an AI tool, and then sends that malware via email. A traditional email security solution will not block that malware, as it has not detected it before and it doesn’t have the malware signature in its definition list. The email would most likely be delivered, and the intended recipient could open it and infect their device with malware. From there, the entire network could be compromised and ransomware could be deployed.

How could a new, previously unseen threat be blocked? The answer is email sandboxing. When a file passes initial checks, such as AV scans, the attachment is sent to an email sandbox where its behavior is analyzed. It doesn’t matter if the malware has not been seen before. If the file performs any malicious actions, they will be detected, the threat will be blocked, and if that threat is encountered again, it will be immediately neutralized.

Email sandboxing is now an essential part of email security due to the sheer number of novel malware variants now being released. That includes brand new malware samples, malware with obfuscated code, polymorphic malware, and known malware samples that differ just enough to avoid signature-based detection mechanisms. Without behavioral analysis in a sandbox, these threats will be delivered.

The Easy Way to Sandbox Email Attachments

Setting up an email sandbox need not be complicated and time-consuming. All you need to do is sign up for an advanced cloud-based email security solution such as SpamTitan Email Security. SpamTitan is a 100% cloud-based email security solution that requires no software downloads or complex configurations. Just point your MX record to the SpamTitan Cloud and use your login credentials to access the web-based interface. You can adjust the settings to suit your needs, and the setup process is quick, easy, and intuitive, and generally takes around 20-30 minutes.

The solution is fed threat intelligence from a global network of more than 500 million endpoints, ensuring it is kept up to date and can block all known and emerging threats. You will be immediately protected from known malware and ransomware threats, phishing emails, spam, BEC attacks, and spear phishing, and you will benefit from email sandboxing, where suspicious emails are sent for deep analysis to identify zero-day phishing and malware threats.

The SpamTitan email sandbox is powered by Bitdefender and has purpose-built, advanced machine learning algorithms, decoys and anti-evasion techniques, anti-exploit, and aggressive behavior analysis. If a file is analyzed in the sandbox and found to be malicious, SpamTitan updates Bitdefender’s Global Protective Network, ensuring that the new threat is blocked globally.

Email sandboxing doesn’t need to be complicated. Just use SpamTitan from TitanHQ. SpamTitan is available on a free trial, with customer support provided throughout the 14-day trial to help you get the most out of the solution. We are sure you will love it for the level of protection provided and how easy it is to use.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

TitanHQ’s Email Sandbox Service

Businesses are now targeted by advanced persistent threat actors looking for proprietary data, financially motivated threat actors looking to steal sensitive data and conduct extortion attacks, and hacktivist groups that aim to disrupt business operations.

Many of these attacks see initial access to internal networks and accounts gained via email. Credential phishing and malware phishing attempts serve a similar purpose and allow threat actors to obtain initial access to allow them to achieve their objectives, whether that is to gain persistent access for espionage purposes, to steal data, use ransomware, or wipe devices.

Email techniques such as phishing and spear phishing for credential theft or the use of malspam emails for delivering malware can be sophisticated and difficult for end users to detect. Further, advances in artificial intelligence have led to generative AI solutions that are capable of producing flawless phishing emails and generating novel social engineering techniques to trick users into taking the required actions – following a link, disclosing sensitive data, or downloading and executing malware.

Spam filters and secure email gateways have long protected businesses against these threats, but increasingly sophisticated techniques are now used that can bypass the protections of traditional email security solutions and reach end users. To combat these threats email security solutions have had to adapt. Cutting-edge email security solutions such as SpamTitan Email Security have AI and machine learning capabilities that are capable of detecting advanced and sophisticated attacks, in addition to DMARC, SPK, and DKIM reputation checks, and blacklists of known malicious IP addresses and domains.

One of the biggest threats comes from malware, either attached to emails or downloaded from URLs that are linked in email messages. For many years, antivirus engines have been effective at detecting and blocking malware threats, and while they still provide a degree of protection, AV engines are signature-based. When a new malware sample is detected, a unique signature is detected and added to a malware definition list. When a new file is received, it will be checked against all known signatures. If that signature is detected, the file will be quarantined or deleted.

New malware samples, which are being released at an incredible rate, will not be detected as malicious, as their signature has yet to be created and added to the list. These files will therefore not be detected as malicious and will be delivered to inboxes. To protect against this, advanced email security solutions use email sandboxing.

Email sandboxing involves creating an isolated, protected environment for analyzing suspicious emails. If front-end checks are passed, the email is sent to the sandbox for deep analysis. The sandbox is a protected environment where no harm can be caused, and files can be safely analyzed for malicious behavior.

TitanHQ’s Email Sandbox Service

In response to growing threats, TitanHQ added a next-generation email sandbox to its SpamTitan Email Security solution in 2019 to better protect users against malware, spear-phishing, advanced persistent threats (APTs), and to provide security teams with insights into new threats.

TitanHQ’s email sandbox service incorporates award-winning machine learning and behavioral analysis technologies, allowing security teams to safely detonate suspicious files in a secure environment that mirrors production endpoints. Malicious actors are tricked into thinking their malicious payloads have reached their intended target, and the malicious activities are detected. The sandbox analyzes documents, spreadsheets, application files, and executable files, and can detect malware, including polymorphic malware, and other sophisticated threats that have been developed for use in undetectable targeted attacks.

The TitanHQ email sandbox service leverages purpose-built, advanced machine learning algorithms, decoys and anti-evasion techniques, anti-exploit, and aggressive behavior analysis, and all results are checked against an extensive array of online repositories. The analysis takes from a few seconds to a few minutes, and if a malicious file is detected, the results will be uploaded to a cloud threat intelligence service and all users will be protected. If that threat is detected on any device globally, it will not need to be sent to the sandbox again and will be instantly neutralized.

SpamTitan email sandbox service greatly increases the detection rate of elusive threats in the pre-execution stage, including APTs, targeted attacks, evasion techniques, obfuscated malware, custom malware, and ransomware, allows security teams to quickly integrate advanced emulation-based malware analysis, and protects against a rapidly evolving threat landscape.

You can put the SpamTitan email sandbox service to the test today by signing up for a 100% free trial and instantly start protecting your business with sandbox technology.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

How Does a Sandbox Work?

Sandboxing is a security feature that protects against malicious code. Rather than execute potentially unsafe code in a standard environment, it is sent to the sandbox – an isolated environment where no harm can be caused.

How Does a Sandbox Work?

A sandbox is an important cybersecurity tool for protecting host devices, operating systems, and data from being exposed to potential threats. The sandbox is a highly controlled system that is used to analyze untrusted applications, files, or code. The sandbox is isolated from the network and real data, and there are only essential resources that are authorized for use. It is not possible for a sandboxed file to access other parts of the network, resources, or the file system, only those specifically set up for the sandbox.

Sandboxes can have different environments. One of the most common implementations uses virtualization. A virtual machine (VM) is set up specifically to examine suspicious programs and code. Some sandboxes include emulation of operating systems to mimic a standard endpoint. Some malware samples perform checks of their environment before executing malicious routines to make sure they are not in a VM. If a VM is detected, the malware will not execute malicious routes and may self-delete to prevent analysis. By emulating a standard endpoint, these checks can be passed to allow analysis. Some sandboxes have full system emulation, which includes the host machine’s physical hardware as well as its operating system and software. These sandboxes provide deeper visibility into the behavior and impact of a program.

In email security, files, attachments, URLs, and programs are sent to the sandbox to check whether they are benign or malicious. The analyses can take between a few seconds to a few minutes, and if any malicious activity is detected, the file will be either quarantined and made available for further study or it will be deleted. Any other instances of that file will be removed from the email system, and any future encounters will see the file, attachment, URL, or program deleted.

SpamTitan Email Sandboxing

SpamTitan Email Security includes a Bitdefender-powered email sandbox to ensure users are protected against zero-day threats. All emails are subjected to a barrage of checks and tests, including scans using two different antivirus engines. SpamTitan features strong machine learning, static analysis, and behavior detection technologies to ensure that only files that require deep analysis get sent to the sandbox. This is important, as deeper analysis may take several minutes, so verified clean and safe messages will not be unduly delayed.

Files that are sent to the sandbox for deep analysis are executed and monitored for signs of malicious activity, with self-protection mechanisms in place to ensure every evasion attempt by a piece of malware is properly marked. The sandbox has purpose-built, advanced machine learning algorithms, decoys and anti-evasion techniques, anti-exploit, and aggressive behavior analysis. All results are checked across known threats in an extensive array of online repositories. If a malicious file is detected, the sandbox updates the Bitdefender’s cloud threat intelligence service – the Bitdefender Global Protective Network – and the sandbox will never have to analyze that threat again as it will be blocked globally.

If you want to improve protection against zero-day threats, give the TitanHQ team a call to find out more about SpamTitan. SpamTitan is available on a free trial to allow you to test it out in your own environment before making a purchase decision.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

What is Sandbox Security?

What is sandbox security? In an IT sense, sandbox security refers to the use of an isolated environment for testing potentially malicious or unsafe code. The sandbox is an environment that resembles the organization’s real environment. The sandbox is made to look like it is a legitimate rather than a virtual environment; however, the sandbox is totally isolated from other systems and contains no real data.

A sandbox is used for malware analysis, testing potentially unsafe code, or as a guest environment with a tightly controlled set of resources, with no ability to inspect the host system or gain access to the networks, therefore not exposing any threats to real systems or data. For example, if a file needs to be opened and it is unclear whether it contains malicious code, it is opened in a sandbox. Security teams can assess the behavior of the file to determine if it is benign or malicious, and if it is the latter, no harm will be caused.

Sandboxes are commonly used for testing new code to determine whether it is safe and compatible with other systems, without actually putting those systems at risk. The sandbox is used to perform troubleshooting to identify any problematic parts of the code. One of the main benefits of sandbox security is blocking cyberattacks, and sandboxing has become indispensable for email security.

Email Sandboxing

Email sandboxing is the use of a sandbox environment for inbound email, which can be used to protect against phishing and malware threats. When an email is received that contains an attachment or a hyperlink, these can be evaluated in the sandbox before the message is released for delivery to the end user’s inbox. Phishing is one of the most common ways that malicious actors gain initial access to internal networks.  Emails are often sent that contain hyperlinks to URLs that host phishing kits that steal credentials or sites hosting malware. These emails can be sent to a sandbox where the links can be followed, and the content of the URLs assessed. If a file download is triggered, the file can be analyzed to determine its behavior.

The same applies to email attachments. An email attachment such as a Word document or Excel spreadsheet may contain a malicious macro or other malicious code, which could provide a threat actor with remote access to the device and network. By opening the attachment in the sandbox, the behavior of the file can be analyzed safely. If found to be malicious, all other instances of that malware can be removed and if the file is received again, it will be automatically deleted. Security teams can also safely study malware to determine the nature of the threat and learn important information about the adversary and their intentions.

Why Is Email Sandboxing So Important?

Traditional email security solutions are effective at detecting and blocking known malware threats. They use one or more antivirus engines for scanning email attachments for known signatures of viruses and malware. If these signatures are detected, the threat will be blocked. The problem with signature-based detection is the signature must be known. While virus definition lists are updated on a daily or even hourly basis, new malware threats are constantly being released. If a new malware variant is received for which there is no signature, it will not be detected as malicious and will be delivered to an inbox where it can be executed.

Sandbox security plugs this security gap. If an attachment passes AV checks, it is sent to the sandbox for deep analysis of its behavior, allowing zero-day malware threats to be detected and blocked. Cybercriminals do not just use one version of a malware sample, they use many different versions, each differing sufficiently to evade AV checks. Without sandbox security, organizations are at risk of infection with these malware variants.

TitanHQ’s SpamTitan Email Security solution features dual antivirus engines for detecting known malware threats, and a Bitdefender-powered email sandbox for detecting zero day malware and phishing threats and provides security teams with valuable insights into new threats to help them mitigate risks. Give the TitanHQ team a call to find out more about how SpamTitan with sandbox security can improve your security posture. SpamTitan is also available on a free trial to allow you to put the product to the test and see for yourself the difference it makes.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

Email Sandboxing is the Key to Blocking More Malware Threats security solutions with email sandboxing block more malware threats than traditional spam filters, even novel malware variants that have yet to be identified as malicious. Without this important feature, emails with malicious attachments will likely be delivered to inboxes where they can be opened by employees. All it takes is for one employee to open a malicious file for malware to be installed that gives a threat actor the foothold they need for a comprehensive attack on the network.

What is an Email Sandbox?

In cybersecurity terms, a sandbox is an isolated, virtual machine where potentially unsafe code can be executed in safety, files can be subjected to deep analysis, and URLs can be visited without risk. In the sandbox, the behavior of files, code, and URLs is inspected, and since the sandbox is not networked and there is no access to real data or applications, there is no risk of causing any damage. Email sandboxing is used to identify malicious code and URLs in emails. The email sandbox mirrors standard endpoints to trick malicious actors into thinking that they have reached their intended target. Emails may pass front-end tests that look at the reputation of the sender, email headers, the content of the messages, and subject attachments to signature-based anti-virus tests, but there is no guarantee that the emails are safe without sandbox-based behavioral analysis.

Why is Email Sandboxing Important?

Cyber threat actors have been developing techniques for bypassing standard email security solutions such as embedding malicious URLs in PDF attachments, hiding malicious content in compressed files, using multiple redirects on hyperlinks, and including links to legitimate cloud-based platforms such as SharePoint for distributing malware. Traditional email security solutions can filter out spam and phishing emails, but they often fail to block more sophisticated threats, especially zero-day malware threats. Email sandboxing provides an extra layer of protection against sophisticated threats such as spear-phishing emails, advanced persistent threats (APTs), and novel malware variants.

A few years ago, new malware variants were released at a fairly slow pace; however, threat actors are now using automation and artificial intelligence to generate new malware variants at an alarming rate. Malware samples are used that deviate sufficiently from a known threat to be able to bypass signature-based detection mechanisms, ensuring they reach their intended targets. Rather than just using one version of malware in their email campaigns, dozens of versions are created on a daily basis. While security awareness training will help employees identify and avoid suspicious emails, threat actors have become adept at social engineering and often hoodwink employees.

The SpamTitan Email Sandbox

The SpamTitan email sandbox is a powerful next-generation security feature with award-winning machine-learning and behavioral analysis technologies. Powered by Bitdefender, the SpamTitan sandbox for email allows files to be safely detonated where they can do no harm. Email attachments that pass the barrage of checks performed by SpamTitan are sent to the sandbox for deep analysis. The sandbox is a virtual environment that is configured to appear to be a typical endpoint and incorporates purpose-built, advanced machine learning algorithms, decoys and anti-evasion techniques, anti-exploit, and aggressive behavior analysis. Files are also subjected to checks across an extensive array of online repositories, with the sandbox checks taking just a few minutes. That ensures that genuine emails are not unduly delayed. If malicious properties are detected in the sandbox, the threat intelligence is passed to Bitdefender’s Global Protective Network (cloud threat intelligence service). If the threat is encountered again, it will be detected and blocked without having to be analyzed again in the sandbox.

The SpamTitan sandbox is used for a wide range of attachments, including office documents to check for malicious URLs, macros, and scripts, and all executable and application files. The sandbox allows SpamTitan to detect polymorphic malware and other threats that have been designed for use in undetectable targeted attacks. If a malicious file is detected, the email is not sent to a spam folder where it could be opened by an end user, it is quarantined in a directory on the local email server which only an administrator can access. Administrators may wish to conduct further investigations to gain insights into how their organization is being targeted.

Threat actors are conducting increasingly sophisticated attacks, so email security solutions need to be deployed that are capable of detecting these advanced threats. With zero-day threats on the rise, now is the ideal time to improve your email defenses with SpamTitan. Why not sign up for a free trial of SpamTitan today to put the solution to the test to see the difference the advanced threat detection capabilities make to your security posture? Product demonstrations can also be requested by contacting TitanHQ, and our friendly sales team will be more than happy to discuss SpamTitan with you and the best deployment options to meet the needs of your business.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

Commonly Asked Questions About Email Sandboxing

Commonly asked questions about email sandboxing so you know what to expect from an email security solution with a sandbox, and why this advanced feature is vital for email security.

What is an Email Sandbox?

One of the commonly asked questions about email sandboxing is what is an email sandbox? Like the children’s equivalent, it is a safe space for building, destroying, and experimenting. In cybersecurity terms, it is an isolated environment where harm cannot be caused to anything outside of that environment. An email sandbox is an isolated virtual machine that is used for performing risky actions, such as opening unknown attachments and analyzing files and URLs in depth, rather than using a real machine where there is a risk of harm being caused such as file encryption by ransomware, theft of sensitive information, or wiping of data.

Why is an Email Sandbox Important?

Email is the most common vector used in cyberattacks. Through emails, cyber threat actors can gain initial access to a protected network from where they can steal sensitive data or move laterally for a more comprehensive attack. One of the most common ways of gaining remote access is through malware. Once malware is downloaded, an attacker can remotely perform commands and gain full control of an infected device. While businesses use antivirus software to detect and remove malware, these solutions are signature-based. In order to detect malware, the signature of the malware must be in the definition list used by the anti-virus solution, which means the malware must have previously been encountered. Novel malware variants that have not yet been determined to be malicious will not be identified as such and will therefore be delivered to inboxes where they can be executed by employees. An email sandbox is used to safely detonate suspicious files and inspect their behaviors. The behavioral analysis allows previously unknown malware samples can be identified and blocked. This is important due to the volume of new malware samples that are now being released.

How Does an Email Sandbox Protect Against Malware?

Email security solutions with sandboxing perform the same front-end checks as traditional email security solutions and will identify and block many malicious messages. If the initial checks are passed, and the messages are determined to potentially pose a risk, they will be sent to the sandbox for behavioral analysis. Once inside the safety of the sandbox, the attachments will be opened and subjected to various tests. The sandbox is configured to appear to be a normal endpoint, so any malware will be tricked into running malicious commands as it would if it had reached its intended target. The actions of the file are assessed, and if they are determined to be malicious they will be sent to a quarantine folder. By performing these checks, new malware variants can be identified and blocked before any harm is caused.

Will Sandboxing Delay Message Delivery?

Performing standard checks of messages is a quick process, often causing imperceptible delays in mail delivery. Performing in-depth analysis takes longer, so there will be a delay in message delivery. Many emails will not need to be sent to the sandbox and will be delivered immediately, but if sandboxing is required, there will be a delay while the behaviors of the email and attachments are analyzed. Some malware has built-in anti-analysis capabilities and will delay any malicious processes to combat sandboxing. Time is therefore required to ensure full analysis. With SpamTitan, the delay will be no longer than 20 minutes.

How Can I Avoid Message Delivery Delays?

SpamTitan incorporates artificial intelligence and machine learning capabilities which minimize the number of emails that are sent to the sandbox, and SpamTitan will check every 15 seconds to ensure that emails are delivered as soon as the sandbox analysis is complete. SpamTitan’s sandbox is part of Bitdefender’s Global Protective Network, which ensures rapid checks of suspicious messages. To avoid delays, certain email addresses and domains can be added to a whitelist, which means they will not be sent to the sandbox for analysis, ensuring rapid delivery.

What are the Benefits of Email Sandboxing?

The sandbox provides an important extra layer of protection against malware threats and malicious links. It will detect advanced attacks early and prevent breaches, reduce incident response costs and efforts, reduce the threat-hunting burden, and increase the detection rate of elusive threats in the pre-execution stage, including APTs, targeted attacks, evasion techniques, obfuscated malware, custom malware, ransomware.

How Does the SpamTitan Sandbox Work?

SpamTitan will subject all inbound emails to a battery of front-end tests, and if these are passed but the email is still suspicious, the message and attachment will be sent to the sandbox and the user will be informed that the message is in the sandbox for review. The email and attachments will then be opened in an isolated cloud platform or a secure customer virtual environment. If malware is detected, the email is blocked and assigned ATP.Sandbox and will be listed under “Viruses” in the relevant quarantine report and the intelligence gathered will be used to protect all users from that threat in the future. After twenty minutes of interrogation, if no malicious actions are identified, the file is marked clean and the email is passed onto the recipient.

How Can I Find Out More About Email Security and Sandboxing?

If you have unacceptable numbers of spam and malicious messages being delivered to inboxes, are receiving large numbers of queries about suspicious emails from your employees, or if you have experienced a malware infection via email recently, you should speak with TitanHQ about improving email security with SpamTitan.

SpamTitan has artificial intelligence and machine learning capabilities, a next-gen email sandbox, and a 99.99% detection rate with a very low false positive rate. Further, SpamTitan is very competitively priced, easy to use, and requires little maintenance. The solution is also available on a 100% free trial, with full product support provided for the duration of the trial.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

DarkGate Malware Infections Increase via Microsoft Teams Phishing and Malvertising Campaigns

Infections with DarkGate malware have been increasing in recent weeks. DarkGate malware was first identified in 2017 but was only used in limited attacks as the developer chose to use the malware privately against highly specific targets; however, over the summer the malware started being advertised on Russian-language cybercriminal forums and the developer has recruited a limited number of affiliates under the malware-as-a-service model. Reportedly, the developer offered the malware for sale to 10 people for an annual cost of $100,000.

DarkGate malware is written in Delphi and primarily serves as a malware loader, capable of downloading and executing other malware payloads. Typically, the malware payloads are executed in the memory which makes them hard to detect, since no files are written to the disk. The malware can also steal browser histories and Discord tokens and has a Windows Defender exclusion, reverse shell, hidden VNC, and keylogging capabilities.

The malware uses a variety of mechanisms to evade detection, including conducting checks for identifiers used by virtual machines, sandboxes, and anti-virus solutions and will alter its behavior based on the results of the checks, and has persistence mechanisms to ensure it is reloaded on reboot.

The advertising campaign appears to have been successful as distribution of the malware has increased significantly through spamming and phishing campaigns. One of those phishing campaigns uses compromised Office 365 accounts to send phishing messages that deliver DarkGate malware via Microsoft Teams messages.

Researchers at TrueSec identified messages that tricked recipients into clicking a link in the message that directs the or a SharePoint-hosted file called “Changes to the vacation” with the message advising employees that due to circumstances out of the company’s control, vacation time for certain employees has been canceled. The Zip file contains a malicious LNK file which masquerades as a PDF file with the same name as the zip file. Clicking the file will launch a VBScript file that will ultimately lead to the downloading and execution of DarkGate malware. Microsoft has security features to block attacks such as this – Safe Attachments and Safe Links – but neither of these features identified the file or link as malicious.

Other distribution campaigns have been detected in recent months, including a malvertising campaign that uses Google Ads to direct web users to a malicious site where the malware is hosted. The web page used in this campaign offered a legitimate network scanning tool, and while that tool was provided, extra files were bundled with the installation file that executed DarkGate malware.

Businesses are encouraged to defend against attacks through a defense-in-depth approach, involving multiple layers of protection such as an advanced AI-driven spam filtering solution, web filter, and endpoint protection software. Web filters will protect against malvertising campaigns, redirects to malicious websites, and malicious file downloads from the web. The increases in the use of SMS, Teams, and instant messaging services for distributing malicious links means these methods of link distribution should be incorporated into your security awareness training programs.

If you are interested in improving email security, web security, and security awareness training, contact TitanHQ today for more information on SpamTitan, WebTitan, and SafeTitan.