# About Name: RavenMail Description: AI-Native Email Security & Email DLP for Google & M365 URL: https://ravenmail.io/blog # Navigation Menu - Email DLP: https://ravenmail.io/ai-email-dlp - Blog Home: https://ravenmail.io/blog - Email Threat Detection: https://ravenmail.io - Get a Free Trial: https://ravenmail.io/try-raven?utm_source=blog # Blog Posts ## [Feb 2026] How attackers are using Lovable for Multi-Stage Phishing Attacks Published: 2026-02-04 Category: Threat Landscape Category URL: https://ravenmail.io/blog/category/threat-landscape Tags: SaaS-to-SaaS Phishing, zero-day, Vibe Coding Tag URLs: SaaS-to-SaaS Phishing (https://ravenmail.io/blog/tag/saas-to-saas-phishing), zero-day (https://ravenmail.io/blog/tag/zero-day), Vibe Coding (https://ravenmail.io/blog/tag/vibe-coding) URL: https://ravenmail.io/blog/lovable-vibecoding-phishing ## Vibe-Coding Platforms: The next frontier in phishing Researchers at Ravenmail has discovered that attackers are no longer hosting phishing pages on obviously malicious infrastructure. Instead, they are **abusing legitimate low-code and “vibe coding” platforms** to build convincing, disposable redirectors that sit between the phishing email and the final credential-harvesting site. In a recently observed campaign, attackers used **Lovable**, a popular vibe-coding platform, as a **multi-stage routing layer** to deliver Microsoft credential phishing pages -  all while evading traditional email and URL defenses. This blog breaks down **how Lovable was used**, **why vibe-coding platforms are becoming the next phishing frontier**, and **what defenders must change** to keep up. ## The Evolution of Phishing Infrastructure Phishing has evolved through several infrastructure phases: Era Infrastructure Defender Advantage Early phishing Free web hosting, IP-based servers Easy to block SaaS phishing Compromised WordPress, cloud VMs Moderate Modern phishing Legitimate SaaS + redirect chains **Attacker-favored** What we are seeing now is **Phishing-as-a-Service 2.0** — where attackers no longer care if their final phishing domain is burned. The **email-visible URL is the asset**, and that URL lives on a _trusted platform_. ## What Is Vibe Coding and Why Attackers Love It Vibe coding platforms (Lovable, Replit, Glide, etc.) are designed to: - Rapidly build functional web apps - Deploy instantly to shared domains - Abstract away infrastructure complexity - Encourage experimentation and iteration From an attacker’s perspective, this provides: - **Instant hosting** - **Implicit reputation trust** - **Fast rebuilds** - **No obvious “malicious” signals** In short: _perfect phishing infrastructure_. ## The Observed Attack Chain (Real-World Case) ### Stage 0: Authenticated Phishing Email The attack began with a **fully authenticated email**: - Delivered via **Postmark** - SPF/DKIM passed - DMARC non-enforcing The email impersonated an **internal project collaboration invite**, a workflow users are conditioned to trust. **Key detail:** The email **did not contain a phishing domain**. ![Lovable Phishing](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2026-02-04-at-9-1770178424849-compressed.png) ### Stage 1: Lovable as the Redirector The call-to-action linked to: **https://.lovable.app** At this stage: - No Microsoft branding - No credential prompt - No obvious malicious content This page acted as: - A **traffic broker** - A **logic layer** - A **trust buffer** Security scanners detonating the URL would often see nothing malicious. ### Stage 2: Dynamic Redirection to Final Phish After user interaction, the Lovable page redirected to: **https://.com/s/? This destination hosted a **pixel-perfect Microsoft sign-in page** designed to harvest credentials. ![Microsoft phishihg](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2026-02-04-at-9-1770178709341-compressed.png) Key techniques observed: - Encoded URL parameters (tracking / session binding) - Browser-based conditional behavior - Clean Microsoft UI with no tenant branding - No microsoft.com domains involved At this point, **credential theft occurs**. ## Why Lovable Is the Perfect Phishing Middleman Lovable (and similar platforms) provide attackers with several structural advantages: ### 1\. Trust Inheritance Security tools hesitate to aggressively block: - \*.lovable.app - Low-code platforms - Developer ecosystems Blocking them outright risks **business disruption**. ### 2\. IOC Decoupling The phishing email never references the final malicious domain. This breaks: - URL reputation - Retroactive search - Threat intelligence sharing By the time the final domain is blocked, the **Lovable URL remains reusable**. ### 3\. Infinite Payload Rotation Attackers can: - Swap redirect destinations - Change logic per region - Rotate credential harvesters - Reuse the same email template All without changing the phishing email. ### 4\. Scan Evasion by Design Vibe-coded apps can: - Redirect only after clicks - Require JS execution - Delay payload delivery - Serve benign content to bots This defeats **static and sandbox-based detection**. ### 5\. The Content Did Not Trigger Strong NLP Signals The email body: - Contained no threats - Contained no urgency language - Contained no financial lure - Contained no attachments - Looked like a normal project invite It intentionally avoided: - “Verify your account - “Action required” - “Security alert” - “Password reset” This weakens **language-based phishing classifiers**. ## Why This Is Not Just a “Lovable Problem” Lovable is **not uniquely vulnerable** \- it is simply early in being abused. This pattern applies to: - Any low-code platform - Any app builder with shared hosting - Any SaaS that allows arbitrary redirects This is a **systemic shift**, not a single-platform flaw. ## How Ravenmail caught this attack? This attack was blind to Email Gateway and Microsoft Defender, Ravenmail was able to detect it using context-aware security that reasons out anomalies and provides a verdict. In this case - Project based domains come from either within org or closely related entities - this had none - Lovable domain is unrelated to the context of the email and suspicious in the project context - The subject has hash string which was unusual - Overall verdict on the unusual usage of the link in context to Project based content. Overall Context-aware security is able to find better emerging patterns than signature based solutions. To protect your organization from emerging zero-days, reach out to us for a free PoC. Get a Free PoC --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## RavenMail Partners with WebSIA to Expand Context-Aware Email Security in Latin America Published: 2026-01-20 Category: Press Release Category URL: https://ravenmail.io/blog/category/press-release Tags: Market Entry, Partnership Tag URLs: Market Entry (https://ravenmail.io/blog/tag/market-entry), Partnership (https://ravenmail.io/blog/tag/partnership) URL: https://ravenmail.io/blog/ravenmail-websia-partnership ​ [RavenMail](https://ravenmail.io) has entered into a strategic partnership with [WebSIA](https://www.websia.com.br/) to make AI-powered, context-driven email security available to organizations across Latin America. The partnership focuses on addressing the changing nature of email threats and improving how organizations detect and respond to modern attacks. ## The Challenge: Email Threats Have Changed Email attacks have evolved significantly in recent years. Many modern threats no longer rely on obvious indicators such as malicious attachments or suspicious domains. Instead, attackers increasingly exploit trusted vendors, legitimate [SaaS platforms](https://ravenmail.io/blog/phishing-using-google-infra), existing email threads, and AI-generated content that appears authentic. Behavioral detection, while still valuable often struggles with these scenarios, as such attacks frequently operate within established behavioral patterns. This has created gaps in detection for phishing, business email compromise (BEC), and vendor-based attacks. ## The RavenMail Approach RavenMail’s platform is designed to move beyond behavior-only detection by focusing on **context and intent**. Rather than evaluating whether an email looks unusual in isolation, the system analyzes the relationship between sender and recipient, the business purpose of the communication, and the action being requested. This [context-aware](https://ravenmail.io/blog/ceo-impersonation) approach enables detection of attacks that may appear behaviorally normal but are inconsistent with [legitimate business workflows](https://ravenmail.io/blog/executive-impersonation-attacks). RavenMail provides protection across areas such as: - [Advanced phishing](https://ravenmail.io/blog/phishing-as-a-service) detection - Hacker-driven email attack prevention - Vendor and supply-chain compromise protection - Business Email Compromise (BEC) defense - Executive and employee impersonation detection - Email-based Data Loss Prevention (DLP) The platform supports both Google Workspace and Microsoft 365 environments and is designed to integrate with existing infrastructure across SMB, mid-market, and enterprise organizations. > “The most damaging email attacks hide in context, not in behavior,” said Venkatesan, CEO of RavenMail. ## The WebSIA Partnership As part of the partnership, WebSIA becomes RavenMail’s official partner for Latin America. WebSIA will lead regional go-to-market activities, including sales, deployment, and ongoing customer support, with multilingual coverage available 24/7. WebSIA brings over a decade of experience working with organizations across Brazil, Latin America, the United States, and Europe. The company has supported more than 2,500 customers and distributes several Gartner-recognized technology platforms across cloud, identity, and security domains. > “RavenMail’s approach reflects how business communication actually works today,” said Orlando, CEO of WebSIA. “This partnership allows us to deliver context-aware email protection to organizations of different sizes across Latin America.” ## Availability and Trial Organizations in Latin America can access RavenMail through WebSIA with local implementation and support. A complimentary trial is available, allowing teams to evaluate phishing protection, hacker-driven threat detection, and email DLP without requiring changes to existing email systems. This partnership reflects a broader shift in email security - from detecting anomalies to understanding intent and trust, aimed at improving protection against modern, context-driven threats across the region. To understand more about the product, please click the link below and fill out the contact form. Get a free trial --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## [Dec 2025] How Attackers Are Abusing Google Infrastructure for Phishing Published: 2026-01-02 Category: Threat Landscape Category URL: https://ravenmail.io/blog/category/threat-landscape Tags: phishing, SaaS Exploits, zero-day Tag URLs: phishing (https://ravenmail.io/blog/tag/phishing), SaaS Exploits (https://ravenmail.io/blog/tag/saas-exploits), zero-day (https://ravenmail.io/blog/tag/zero-day) URL: https://ravenmail.io/blog/phishing-using-google-infra In Dec 2025, more than 3000 organizations (primarily manufacturing) were targeted by attackers sending phishing mails mails from 'noreply-application-integration@google.com'. ![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2026-01-02-at-1-1767339555231-compressed.png) For years, enterprise email security has relied on a foundational assumption: **If an email comes from a trusted platform and passes authentication, it’s safe.** That assumption is now actively being exploited. Attackers are increasingly abusing **Google’s own applications and cloud infrastructure** to deliver phishing emails that look legitimate, authenticate cleanly, and evade traditional security controls. These attacks do not rely on spoofed domains or compromised mail servers. Instead, they operate _inside trusted systems_, using legitimate Google workflows as the delivery mechanism. This blog breaks down how these attacks work, why most email security tools fail to stop them, and how **RavenMail detected and blocked a real-world Google-based phishing campaign** that passed every conventional check. ## The Shift: From Spoofing Google to Operating Inside Google Modern phishing campaigns are no longer built around deception at the infrastructure layer. Instead of faking Google, attackers are **leveraging Google**. Recent threat research has documented multiple campaigns where adversaries abused the following services: ![Phishing Mail Abuse of Google Products](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2026-01-02-at-12-1767338149602-compressed.png) ​ In each case, emails were sent from legitimate Google infrastructure, passed SPF, DKIM, and DMARC, and used trusted Google-hosted URLs as payloads. This fundamentally breaks the trust model that most email security platforms rely on. Industry investigations have shown that attackers deliberately choose Google services because they inherit: - High sender reputation - Near-universal allowlisting - User familiarity and trust Security researchers have repeatedly observed that these campaigns bypass both secure email gateways and native email protections because **there is nothing technically “wrong” with the message delivery itself**. ## Dec 2025: Google Tasks Notification Based Attack The email claimed to be an internal task requesting employee verification and urged recipients to click “View task” or “Mark complete.” All calls to action redirected users to a page hosted on **Google Cloud Storage and the mail impersonated Google Tasks product.** ![Google Tasks Phishing](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/google-tasks-attack-1767338263162-compressed.png) ## How the Attack Worked Attackers sent phishing emails directly from **Google’s own sending infrastructure**, passing - SPF, DKIM, DMARC and CompAuth​ There was **no spoofing**, no lookalike domain, no malformed headers. The email originated from a valid Google address: noreply-application-integration@google.com From an infrastructure standpoint, the email was clean. From a **security standpoint**, it wasn't. The message abused **Google Tasks branding** to impersonate an internal “All Employees Task,” urging recipients to complete an employee verification form. ### 1\. Abuse of Trusted SaaS Identity The attacker leveraged Google’s application integration framework to send emails that inherit Google’s sender reputation and delivery trust. This mirrors broader industry observations where attackers exploit trusted SaaS platforms to bypass email gateways, as documented by Check Point and others. ### 2\. High-Fidelity Brand Impersonation The email replicated:​ - Google Tasks UI - Legitimate Google footer and branding - Familiar CTA buttons like “View task” and “Mark complete” Visually and structurally, it matched real Google notifications almost perfectly. ### 3\. Malicious Payload Hosted on Google Cloud Instead of attaching files or linking to suspicious domains, the CTA redirected users to a **Google Cloud Storage URL**: ``` ``` This is a critical shift. The payload lived on a **trusted Google-owned domain**, making URL reputation-based detection ineffective. The analysis clearly states that **legitimate Google Tasks workflows never use Cloud Storage URLs for task actions**—a subtle but decisive contextual mismatch ### 4\. Psychological Triggers The message relied on:​ - Authority framing (“All Employees Task”) - Urgency (“High priority”, fixed due time) - Minimal explanation to encourage immediate action ## Why Traditional Email Security Misses This Most email security platforms still anchor detection around: - Sender reputation - Domain trust - Authentication results - Known malicious URLs or attachments In this case: - The sender was Google - Authentication passed - The domain was trusted - There were no attachments From a traditional lens, there was **nothing to block**. This exact pattern has been reported in multiple independent investigations, including campaigns abusing Google Cloud automation and application integration services to evade detection. ## How RavenMail Stopped the Attack RavenMail flagged and blocked this email **despite** its legitimate infrastructure because RavenMail does **not equate trust with safety**. ### 1\. Contextual Mismatch Detection RavenMail analyzed the **intent and context** of the email:​ - Google Tasks being used for HR verification is anomalous - Internal employee actions should originate from corporate domains - External sender banners contradicted the “internal task” narrative This mismatch alone elevated risk. ### 2\. Payload Context, Not Domain Reputation Instead of asking _“Is this a trusted domain?”_, RavenMail asked: - Does this workflow make sense? - Is this URL consistent with legitimate Google Tasks behavior? - Is Cloud Storage a valid endpoint for this action? The answer was no. ### 3\. Intent-Centric Classification RavenMail classified the email as **interaction-driven**, not informational—an indicator strongly correlated with credential harvesting attempts. ## Understanding Phishing Using Google Infra ### Abuse of Google Cloud Application Integration Recent threat research has revealed that attackers are exploiting **Google Cloud’s Application Integration service** to send phishing emails through legitimate Google infrastructure. Because these emails are sent from real Google domains  they pass critical email authentication checks that most security tools rely on. In one observed campaign: - More than **9,000 phishing emails** were sent to roughly **3,200 businesses** over two weeks. - The messages mimicked legitimate enterprise notifications such as voicemail alerts or file access requests. - Initial clicks landed on trusted Google Cloud URLs before redirecting users to credential-harvesting pages. This is **abuse, not compromise** \- Google’s systems weren’t breached. Instead, threat actors manipulated workflow automation services meant to streamline business processes. ### Cloud Hosting as a Phishing Relay Attackers are also hosting phishing pages and multi-stage redirectors on **Google Cloud Storage (GCS)** \- a fully trusted, HTTPS-served domain space. Because many URL reputation systems treat cloud provider domains as benign, these links frequently _evade detection_. Separately, other campaigns have exploited Google platforms like **Google Classroom and Google Forms** to distribute phishing content at massive scale and avoid security filters that block unknown or low-reputation domains. ![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/google-mail-triggers-1767338648443-compressed.png)Mail send workflows from Application Integration Service (Credit: XoR Labs) ## Not an Isolated Incident: The AppSheet Connection The Google Tasks campaign is part of a broader pattern. Earlier, RavenMail documented a phishing campaign abusing **Google AppSheet**, Google’s no-code application platform. In that attack: - Emails originated from legitimate Google systems - Authentication checks passed - Phishing lures were embedded in real AppSheet workflows - Victims were redirected to credential-harvesting pages The full analysis is available here: [https://ravenmail.io/blog/appsheet-phishing-scam](https://ravenmail.io/blog/appsheet-phishing-scam) Across both campaigns : AppSheet and Google Tasks, the underlying tactic is identical: **Attackers are abusing trusted SaaS workflows to deliver phishing without spoofing or malware.** Each campaign looks different on the surface. The detection challenge is the same. ## This Is Not a Google Problem. It’s an Industry Shift. Google is not uniquely vulnerable here. What we are seeing is a broader trend: - Attackers abusing **trusted platforms (Salesforce, Amazon SES)** - Security controls optimized for **yesterday’s threat model** - Phishing evolving into **workflow and identity abuse** As long as defenses rely primarily on static trust signals, attackers will continue to hide inside legitimate systems. ### References & Credits - [https://blog.checkpoint.com/research/phishing-campaign-leverages-trusted-google-cloud-automation-capabilities-to-evade-detection/](https://blog.checkpoint.com/research/phishing-campaign-leverages-trusted-google-cloud-automation-capabilities-to-evade-detection/) - [https://www.xorlab.com/en/blog/new-phishing-wave-exploits-googles-application-integration-service](https://www.xorlab.com/en/blog/new-phishing-wave-exploits-googles-application-integration-service) - [https://phaneendrareddyp.medium.com/send-emails-from-gcp-without-using-third-party-email-apis-999f37c63bfe](https://phaneendrareddyp.medium.com/send-emails-from-gcp-without-using-third-party-email-apis-999f37c63bfe) - [https://www.reddit.com/r/GMail/comments/1pg42n4/how\_can\_the\_scammers\_send\_google\_security\_prompts/](https://www.reddit.com/r/GMail/comments/1pg42n4/how_can_the_scammers_send_google_security_prompts/) - [https://www.techradar.com/pro/security/yet-another-phishing-campaign-impersonates-trusted-google-services-heres-what-we-know](https://www.techradar.com/pro/security/yet-another-phishing-campaign-impersonates-trusted-google-services-heres-what-we-know) --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## [Nov 2025] Zero-Day Tax Evasion Phishing Attack Targeting Indian Companies Published: 2025-11-24 Category: Threat Landscape Category URL: https://ravenmail.io/blog/category/threat-landscape Tags: zero-day, malware, Regulator Impersonation Tag URLs: zero-day (https://ravenmail.io/blog/tag/zero-day), malware (https://ravenmail.io/blog/tag/malware), Regulator Impersonation (https://ravenmail.io/blog/tag/regulator-impersonation) URL: https://ravenmail.io/blog/tax-evasion-phishing-nov2025 In November 2025, Raven AI (formerly Ravenmail) identified and blocked a zero-day phishing campaign impersonating the Income Tax Department of India. The attacks used bilingual notices, government-themed PDFs, and highly convincing templates to create urgency around alleged tax irregularities. The campaign delivered a two-stage malware chain consisting of a shellcode based RAT loader packaged in a ZIP file and a rogue remote administration executable disguised as a GoToResolve updater. Both payloads were confirmed as malicious. Traditional Secure Email Gateway defenses failed to detect these messages because the sender authenticated correctly, the attachments were password protected, and the content imitated real government communication. Raven’s context-aware threat engine was able to detect the anomaly based on intent, behavioral signals, content semantics, and metadata analysis. This blog explains how the attack was engineered, what the malware does, why Indian enterprises were specifically at risk, and how Raven neutralized the threat. ## The Attack Deep Dive: How the Phishing Emails Were Structured The emails claimed to be an official Tax Compliance Deficiency and Penalty Notice. The structure of the message included: 1. Government style formatting in both Hindi and English 2. Legal references such as Section 271(1)(c) and Section 276C of the Income Tax Act, 1961 3. A 72 hour deadline to provide documents 4. A download button for a ZIP file or a Google Docs link 5. A separate password to open the attached PDF or ZIP file The notice format was nearly identical to real government communication, including fonts, seals, and document formatting. This authenticity influenced users to trust and open the attachments without scrutiny. ### Phishing Email \#1 - Re **: Your company is engaged in tax evasion. Please refer to the attachment for violations** ![Tax evasion phishing](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-11-24-at-11-1764005530099-compressed.png) Contents of the password protected PDF file ![Tax evasion phishing income tax impersonation](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-11-24-at-11-1764005960711-compressed.png) URL trace (Disclaimer: do not access these directly) CTA URL: https://taxwisegrupo.cc/download\[.\]php Redirect URL: https://f005.backblazeb2\[.\]com/file/Malaysiaok/2\[.\]vbs The second redirect installs and EXE file which is a Remote Access Back door ### Fake GoToResolve Updater EXE: Remote Access Backdoor VirusTotal reference: 4b97e3b17b0f6b10131c26eafa79616585f6bd283f2031e7d8faaea1e9b899b0.pdf The payload was a 23.34 MB executable named GoToResolveUnattendedUpdater\[.\]exe Key findings: - Classified as Hacktool.LogMeIn or RemoteAdmin.Win32 - Uses the identity of GoToResolve, a legitimate RMM product - Loads RstrtMgr.dll, a DLL used by ransomware families (Conti, Cactus) to kill locking processes - Exhibits remote control, screen sharing, file transfer and full RMM capability - DNS and TLS activity related to gotoresolve dot com infrastructure This indicates that attackers planned a remote interactive session after the initial RAT foothold was established. Misused legitimate remote administration tools remain one of the hardest threats to detect because they resemble actual IT operations. ### Phishing Email \#2 - Your tax audit report ![Tax evasion phishing mail ](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-11-24-at-11-1764007323224-compressed.png) Google Docs hosted document ![Tax evasion notice](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-11-24-at-11-1764007554782-compressed.png) The redirect URL leads to download of Malicious Shellcode loaders ### Malicious ZIP File: Shellcode Loader and AsyncRAT Infrastructure VirusTotal reference: c03ecde797da2d6aee70f1a5434d9696d4766355d4deab33f32d8bec6e4d0643.pdf) The file named Needed+Documents.zip was a 10.48 MB archive containing a multi-stage loader. Key findings: - Classified as Trojan.Shellcode and Fragtor - Detection of .NET CLR DLL loading via scripting applications - Regsvr32 execution from unusual locations - Unsigned DLL loading via trusted Windows utilities - Network indicators linked to AsyncRAT and ResolverRAT C2 fingerprints - JA3 SSL fingerprints that match known RAT families The ZIP contained shellcode designed to execute through regsvr32 proxy loading, a common method for fileless execution that avoids static signature detection. This stage establishes persistence, credential harvesting, and remote command execution capabilities inside the victim environment. ## How the Attack Bypassed Traditional Email Security The campaign was engineered specifically to evade perimeter defenses. The attack used several modern evasion techniques: ### Clean Sender Authentication The emails originated from real QQ.com accounts. SPF, DKIM, and DMARC all passed successfully. ### Password Protected Attachments Password protected PDFs and ZIP files prevented antivirus engines from scanning the content. This is a common tactic for concealing malware. ### Legitimate Cloud Hosting Some variants used Google Docs for second stage delivery. Since the base domain is trusted, URL filtering is ineffective. ### Bilingual Government Identity Abuse The layout, legal references, and Hindi language content increased credibility. Legacy filters do not evaluate semantic inconsistencies or impersonation context. ### AI Generated Padding The email body contained Unicode filler text and random spacing to evade Bayesian filters. These patterns match automated phishing kits documented in earlier threat analyses. ## Why Indian Enterprises Were Targeted Indian companies are frequent targets of authority themed phishing campaigns because: 1. Tax communication often happens through digital channels 2. Compliance deadlines create psychological urgency 3. Many SMEs rely only on native email filtering 4. Government impersonation has high trust value 5. Securities firms, Finance, NBFC companies routinely exchange documents with regulators The broader industry data reflects this trend. Global intelligence sources show a steady increase in tax themed attacks and impersonation using legitimate platforms. The KnowBe4 threat report indicates a significant rise in these techniques during 2025. ## How Raven Detected the Zero-Day Attack Raven AI relies on context, intent analysis, metadata understanding, and deep semantic inspection rather than signature matching. This allowed it to detect the threat immediately. Key detection signals included: ### Regulator Impersonation and Identity Conflict A government tax department notice sent from a free foreign mailbox is an identity mismatch that Raven’s models flag as anomalous. ### Behavioral and Intent Analysis The combination of urgency, compliance deadlines, and document submission demands is typical of authority themed phishing. ### Attachment Metadata and Shellcode Indicators Raven extracted metadata from the ZIP without opening it and identified indicators consistent with malware loaders. ### No Prior Relationship Signal There was no historical communication associated with the sender domain. ### Cloud Hosted Payload Anomalies A Google Docs link delivering a supposed tax compliance notice is inconsistent with actual government workflows. The combination of these signals allowed Raven to stop the attack without relying on any known IOC. ## Conclusion This attack demonstrates a shift in phishing tactics affecting Indian businesses. Attackers are increasingly blending authentic looking regulatory communication with sophisticated malware chains and misused remote administration tools. The campaign passed traditional authentication checks, used password protected payloads, and relied on legitimate cloud services. These characteristics make it invisible to traditional secure email gateways. Raven’s context aware and intent driven approach detected the inconsistencies, behavioral indicators, and malicious attachment traits before the malware could execute. In an environment where attackers continually adapt, organizations require detection that understands communication intent and identity context rather than relying solely on signatures or known threat patterns. --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## Webinar Alert: Your Startup’s Weakest Security Link Is Your Inbox Published: 2025-10-27 Category: Best Practices Category URL: https://ravenmail.io/blog/category/best-practices Tags: Webinar, Startups, email security Tag URLs: Webinar (https://ravenmail.io/blog/tag/webinar), Startups (https://ravenmail.io/blog/tag/startups), email security (https://ravenmail.io/blog/tag/email-security) URL: https://ravenmail.io/blog/webinar-oct2025 ![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/t-hub-webinar-social-postoct-2025v2-1761548910200-compressed.jpg) In the early days of building a startup, founders and CTOs obsess over product-market fit, growth, and fundraising - but often overlook one thing that can quietly bring it all down: **email security**. Phishing, social engineering, and insider threats no longer target just big enterprises. Attackers now prey on **startups’ speed, trust, and lack of mature security processes**. One misdirected invoice, one fake investor email, or one compromised Google account can expose your customers, drain your funds, or stall your next round. Modern attacks aren’t just about spam or malware - they exploit **human and vendor trust**. Raven’s AI-driven email protection goes beyond traditional filters to detect **impersonation, vendor compromise, and credential leaks** before damage occurs. That’s why Raven and **T-Hub** are coming together for an exclusive webinar: 📅 **Date:** 29 Oct 20205 🕒 **Time:** 3:00 - 4:30 pm IST 🎯 **Who Should Attend:** Founders, CTOs, and startup teams serious about safeguarding their growth journey 👉 **[Register Now](https://forms.zohopublic.com/THub/form/YourStartupsWeakestSecurityLinkIsntCodeItstheInbox/formperma/rwO4ARhvpHA8bbs4rVc0YTTUscpHYFn9cCUzndI94rs)** Your startup moves fast - make sure your inbox security can keep up. --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## [Sep 2025 Update] Nifty.com Used as Phishing Infrastructure: How Raven Detected Abuse of Trusted Infrastructure Published: 2025-09-21 Category: Threat Landscape Category URL: https://ravenmail.io/blog/category/threat-landscape Tags: phishing, phishkits, zero-day Tag URLs: phishing (https://ravenmail.io/blog/tag/phishing), phishkits (https://ravenmail.io/blog/tag/phishkits), zero-day (https://ravenmail.io/blog/tag/zero-day) URL: https://ravenmail.io/blog/nifty-phishing **Editor's Note:** _This post updates our original May 2025 analysis with new intelligence covering continued threat actor operations through September 2025._ ​ A multi-wave phishing campaign abused legitimate Nifty.com infrastructure to impersonate trusted business workflows and harvest credentials. Raven AI (formerly Ravenmail) detected the attack despite clean headers, valid authentication, and no obvious red flags. ## Is Nifty.com Safe? **The short answer: Nifty.com itself is safe** — it's a legitimate Japanese internet service provider with millions of users. However, like many free email providers, its infrastructure has been systematically abused by threat actors for sophisticated phishing campaigns. **The real question isn't whether Nifty.com is safe, but whether emails claiming to come from Nifty.com addresses can be trusted.** Our research shows that threat actors have weaponized the platform's legitimate authentication to bypass security controls, making it a powerful vector for business email compromise attacks. This isn't unique to Nifty — similar abuse patterns affect Gmail, Outlook, and other major providers. The difference is in how threat actors have specifically leveraged Nifty's infrastructure combined with other services to create nearly undetectable phishing campaigns targeting high-value business users.​ ![nifty phishing](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-05-26-at-12-1748199457967-compressed.png) ## **A Campaign Built for Evasion** The attackers didn’t spoof a domain — they **used it legitimately**. They registered free accounts on nifty.com, a well-known Japanese ISP, and launched phishing emails directly from its infrastructure. Because these were real accounts, all authentication layers passed: Protocol Status SPF ✅ Pass DKIM ✅ Pass DMARC ✅ Aligned This alone allowed them to **bypass most secure email gateways (SEGs)** that rely heavily on these checks. ## **Campaign Timeline \[ Update\] : Multiple Waves, Adaptive Behaviour - Persistent Over 8 Months** ![Nifty Campaign Timeline](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-09-22-at-10-1758516403843-compressed.png) The threat actor has been active for the past 8 months and the number of campaign days have been steadily increasing. The overall sophistication of the attack has increased given the use of new phish kits and multi-target personalization. Phase Period Activity Pattern Key Developments Initial Reconnaissance Feb-Mar 2025 Sporadic testing Infrastructure establishment, target research Original Campaign Apr-May 2025 Focused bursts Basic Phish kits Operational Pause June 2025 Minimal activity Likely infrastructure changes, expanded recon Major Escalation Jul-Sep 2025 Coordinated campaigns Phish Kit rotation, Highly targeted campaigns Multi-target bursts, sustained pressure The repetition and timing suggest automation and possible kit-based orchestration. ![Wave 1 Nifty Phishing](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-05-26-at-12-1748199504962-compressed.png) Wave 1: Nifty Phishing - Drive Download CTA ![Wave 2 Phishing](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-05-26-at-12-1748199540749-compressed.png) Wave 2: Incorporating DocuSign Phish Kits ## Expanded Targeting Profile: Beyond Initial Scope ### **New Target Categories Identified** **Venture Capital Ecosystem (Primary Focus):** ​ - Investment partners and analysts - Portfolio company executives - Due diligence teams - Financial decision makers **Technology Startups:** ​ - C-level executives (CEO, CTO, COO) - Co-founders and technical leaders - Business development teams - Marketing and operations heads ### **Geographic and Sector Expansion** The threat actor has moved beyond the initial Japanese ISP abuse to target: - **Financial technology companies** - **Software development firms** - **Digital marketing agencies** - **Enterprise software providers** ### **High-Value Individual Targeting** Analysis reveals **strategic focus on decision makers** with financial authority: - 75% of targets hold senior leadership positions - Concentrated attacks on individuals with investment/financial responsibilities - Multi-level targeting within same organizations for comprehensive intelligence gathering ## Anatomy of the Campaign ### **1\. Infrastructure Used** - **Domain**: nifty\[.\]com (legitimate Japanese ISP) - **Mail Servers**: mta-snd-e0X.mail.nifty\[.\]com - **IP Ranges**: 106.153.226.0/24, 106.153.227.0/24 - **Sender Accounts**: Free consumer addresses impersonating businesses **2\. Payload and Delivery Method** - No links in the email body - **Malicious attachments**: - File types: .pdf and .html - Filenames like: SAFE\_Terms\_May2025.pdf, Execution\_Agreement.html - **Redirect chain (sanitized)**: - clickme\[.\]thryv\[.\]com → benign-looking marketing tracker - 2vf78gnafutdc5zqmhng\[.\]iqmwpx\[.\]ru → phishing site with obfuscated JavaScript - Embedded email in URL fragment for tracking (e.g., #recipient@domain.com) ### **3\. Techniques Designed to Evade Detection** - **HTML padding**: Use of whitespace characters (=20,  ) to bypass filters - **Multipart MIME structure**: Payloads hidden in attachments - **Display name spoofing**: Examples like “Name via DocuSign” to imply legitimacy - **Obfuscated links**: Redirectors that aren't obvious bad URLs - **Flawless grammar and tone**: Indicative of AI-generated or phishing kit templates ### **4\. Behavioural Indicators Flagged by Raven** - Unusual sender-recipient combinations - Repeated use of contract-related lures across recipients - Brand impersonation in display names - Identical attachment patterns across campaigns - Obfuscated redirect chains leading to flagged infrastructure ## Threat Classification - **Vector**: Abuse of authenticated Nifty.com mail infrastructure - **Attack Type**: Redirect-based phishing delivered via file attachments - **Intent**: Credential harvesting, including Gmail session/token theft - **Sophistication Level**: Medium to High — use of evasive techniques and infrastructure blending - **Attribution Signals**: Likely use of phishing kits, with signs of automation or AI-generated content ## Attribution and Sophistication Assessment ### **Threat Actor Maturation** **Sophistication Indicators:** ​ - **8-month operational persistence** - **Strategic target selection** focused on financial decision makers - **Technical capability evolution** with advanced evasion techniques - **Coordinated campaign orchestration** across multiple organizations ### **Operational Security Evolution** **Enhanced OPSEC Measures:** - **Infrastructure layering** (Nifty + ConvertKit + rotating domains) - **Payload obfuscation** through encoding and multi-stage redirects - **Timing diversification** across business and off-hours - **Geographic domain rotation** for payload hosting ### **Campaign Scale Assessment** **Resource and Capability Indicators:** - **100+ total attack instances** over 8 months - **Multiple simultaneous organizational targeting** - **Sustained operational tempo** with burst capabilities - **Advanced social engineering** with contextual business lures Detection Layer Original Signals New Indicators Infrastructure Nifty.com domains \+ ConvertKit redirect patterns Content Document lures \+ Base64 URL encoding detection Behavioral Sender patterns \+ Burst campaign timing analysis Targeting Display name spoofing \+ Executive/financial role targeting ## **Why Most Defenses Missed It** Legacy email security often relies on: - Broken SPF/DKIM - Blacklisted domains - Suspicious URLs in body - Behavioral triggers from mail headers This campaign had none of those. ## **What Raven Recommends** Defending against this class of attack requires going beyond basic hygiene: Recommendation Why It Matters Flag unknown senders on free domains Even if technically valid Sandbox all attachments Payloads often live inside file contents Inspect display names & MIME structures True impersonation often happens here Watch for document lures without context Especially execution, SAFE, or stock agreements Don’t trust authentication blindly SPF/DKIM passing ≠ safe content ## Conclusion: An Evolving and Persistent Threat Our updated analysis reveals that the Nifty.com phishing campaign identified in Feb-May 2025 was **not an isolated incident but the beginning of sustained operations**. The threat actor has demonstrated: - **Remarkable operational persistence** across 8 months - **Strategic targeting evolution** focusing on financial decision makers - **Technical capability advancement** with sophisticated evasion techniques - **Coordinated campaign orchestration** with burst attack patterns **Organizations in the venture capital and financial technology sectors should treat this as an active, evolving threat requiring enhanced defensive measures and continuous monitoring.** The combination of legitimate infrastructure abuse, advanced social engineering, and persistent operations makes this threat actor a significant concern for the broader financial and technology investment ecosystem. --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## Appsheet Trademark Violation Phishing Scam - Sept 2025 Update Published: 2025-09-08 Category: Threat Landscape Category URL: https://ravenmail.io/blog/category/threat-landscape Tags: phishing, SaaS Exploits Tag URLs: phishing (https://ravenmail.io/blog/tag/phishing), SaaS Exploits (https://ravenmail.io/blog/tag/saas-exploits) URL: https://ravenmail.io/blog/appsheet-phishing-scam How the AppSheet phishing campaign exposes the fundamental flaws in traditional email security Understanding AppSheet: Google's No-Code Platform Before diving into the security implications, it's important to understand what AppSheet is and why it carries such inherent trust with organizations worldwide. **AppSheet** is Google's no-code application development platform that allows users to build mobile and web applications directly from data sources like Google Sheets, Excel files, or cloud databases. Acquired by Google in 2020, AppSheet has become a core component of Google Workspace, enabling millions of users to create business applications without writing code. ### Why AppSheet Matters in Enterprise Security **Enterprise Integration:** AppSheet is deeply integrated with Google Workspace, making it a trusted service for organizations already using Gmail, Google Drive, and other Google services. **Automated Communications:** The platform regularly sends automated emails for: - Application notifications and updates - Data sync confirmations - User access requests - System status alerts - Workflow notifications **Google's Security Halo:** As a Google Cloud service, AppSheet inherits the trust and reputation that organizations place in Google's infrastructure. When employees see "appsheet.com" in their inbox, they naturally associate it with the same security standards they expect from Gmail or Google Drive. **Widespread Adoption:** With millions of business users building applications on the platform, AppSheet communications are common in corporate environments, making malicious emails appear routine. This combination of factors— **enterprise integration, automated messaging, inherited trust, and widespread adoption**—makes AppSheet communications particularly effective for attackers looking to abuse legitimate service infrastructure. ## The Phishing Campaign A recent phishing campaign targeting Google Workspace Centric organizations through **AppSheet-branded emails** perfectly illustrates how traditional security controls become useless when attackers abuse legitimate infrastructure. This isn't a story about sophisticated evasion techniques or zero-day exploits. It's about how **legitimate services can be weaponized** to deliver malicious content that sails past every security filter you've deployed. ![Appsheet Compromise Campaign](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-09-08-at-10-1757350344473-compressed.png) ## Mechanics of the Attack ### What Made This Campaign Invisible to Security Filters The attackers leveraged **AppSheet's legitimate email functionality** to send messages that were, from a technical perspective, completely authentic: **Sender:** noreply@appsheet.com (legitimate) **Infrastructure:** Google mail servers (trusted) **Authentication:** SPF/DKIM/DMARC passing (verified) **Reputation:** appsheet.com (excellent) **Content:** Professional formatting (convincing) **CTA URL:** Look-alike Google URL shortener ### Possible Scenarios of Abuse This AppSheet campaign represents a broader trend of **legitimate service abuse**. Attackers are discovering they can achieve better results by using trusted platforms rather than building their own infrastructure: #### Method 1: Account Compromise​ - Compromise legitimate user accounts on trusted platforms - Use established reputation and authentication - Insert malicious content into otherwise legitimate message templates #### Method 2: Feature Abuse - Create legitimate accounts on trusted services - Abuse notification systems, form builders, or automated messaging - Craft messages that appear to come from the service itself #### Method 3: Template Injection - Inject malicious links into legitimate templates or forms - Leverage the platform's email infrastructure for delivery - Exploit user-generated content features ## Similar Earlier Attacks Since March 2025, cybersecurity researchers have documented a massive surge in phishing attacks exploiting Google's AppSheet platform, with the campaign reaching its peak on April 20th when 10.88% of all global phishing emails were sent from AppSheet—98.23% impersonating Meta and 1.77% targeting PayPal. These attacks used the identical bypass strategy as the current trademark violation campaign, originating from [noreply@appsheet.com](mailto:noreply@appsheet.com) to bypass Microsoft and Secure Email Gateways (SEGs) that rely on domain reputation and authentication checks (SPF, DKIM, DMARC). The Meta campaign introduced advanced evasion techniques including polymorphic identifiers using AppSheet's unique ID generation functionality, ensuring every message was slightly different to bypass traditional detection systems, while utilizing man-in-the-middle proxy mechanisms and hosting phishing sites on reputable platforms like Vercel. This earlier campaign establishes AppSheet platform abuse as a proven, scalable attack vector, with the current trademark violation campaign representing an evolution of these tactics—demonstrating that **AppSheet has become a preferred platform for sophisticated phishing operations** because it provides authenticated, trusted delivery infrastructure that consistently bypasses traditional email security controls. ## How Raven AI Caught The Attack While traditional email security filters saw only green authentication checkmarks and trusted sender reputation, **Raven's AI-powered context-aware detection engine** identified the subtle inconsistencies that revealed this as a sophisticated attack. Raven's analysis went beyond surface-level authentication,  this nuanced, context-driven analysis understanding not just _who_ sent the email but _whether the content makes sense_ for that sender enabled Raven to detect a campaign that bypassed every traditional security control. ![Appsheet phishing raven](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-09-08-at-10-1757352131679-compressed.png) ### Key Detection Indicators from Raven's Analysis These detection points demonstrate how Raven's context-aware engine analyzes **relationships, content appropriateness, and behavioral patterns** rather than just technical authentication - catching sophisticated attacks that traditional filters completely miss.​ - **Understands Relationship**: Raven recognizes that AppSheet is "a Google Cloud company" and understands the service's legitimate business functions vs. the inappropriate legal threat content - **Sender is Legitimate**: Authentication checks (SPF, DKIM, DMARC) all pass with aligned domains, confirming appsheet\[.\]com is a genuine sender - yet the email is still flagged as suspicious - **Suspicious URL Shortener**: Identifies goo\[.\]su as a known URL shortener frequently abused in phishing campaigns, inconsistent with legitimate AppSheet communications - **Content & Subject Mismatch**: Detects the disconnect between the "trademark enforcement notice" subject line and the actual "unauthorized data collection" legal compliance content in the body - **Action for the Admin**: Provides clear, actionable guidance to "verify independently with AppSheet or Google Cloud legal/compliance teams before any action or clicking links ## Conclusion: Rethinking Email Security The AppSheet phishing campaign isn't just another phishing attempt—it's a **fundamental challenge to how we think about email security**. When attackers can abuse the same legitimate services that our organizations depend on, traditional security models break down. The solution isn't to stop trusting legitimate services—it's to develop **smarter, context-aware trust**. We need security systems that don't just ask "Is this sender legitimate?" but also "Does this message make sense coming from this sender?" As attackers continue to abuse legitimate infrastructure, security teams must evolve beyond authentication-based defenses toward **behavioral and contextual analysis**. The alternative is a future where every legitimate service becomes a potential attack vector—and traditional email security becomes obsolete. **The question isn't whether your authentication checks are working.** **The question is: what happens when the attacker doesn't need to bypass them?** --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## Phishing using Salesforce: How Raven AI detected attacks from compromised Salesforce Tenants Published: 2025-09-04 Category: Threat Landscape Category URL: https://ravenmail.io/blog/category/threat-landscape Tags: Salesforce, phishing, SaaS Exploits Tag URLs: Salesforce (https://ravenmail.io/blog/tag/salesforce), phishing (https://ravenmail.io/blog/tag/phishing), SaaS Exploits (https://ravenmail.io/blog/tag/saas-exploits) URL: https://ravenmail.io/blog/compromised-salesforce-phishing 2025 marked an unprecedented surge in Salesforce-related phishing attacks to deliver sophisticated phishing attacks impersonating Meta Business Portal and fake Salesforce account suspensions, which bypassed traditional email security because they originated from legitimate Salesforce servers and passed all authentication checks (SPF, DKIM, DMARC). While conventional solutions like Microsoft 365 failed to detect these attacks due to their reliance on sender reputation, Raven's AI-powered detection succeeded by analyzing the context and mismatch between sender infrastructure and email content, catching brand impersonation and social engineering patterns that others missed—demonstrating that modern email security must go beyond authentication protocols to understand content-sender relationships in an era where trusted platforms are increasingly weaponized against their own users. ## The 2025 Salesforce Email Attack Wave: A New Paradigm ### The Scale of the Problem - Phishing attacks leveraging Salesforce increased 109% year-over-year - Over 12,000 Meta-branded phishing emails were sent globally using Salesforce's infrastructure - Multiple sophisticated campaigns exploited different Salesforce features, from Marketing Cloud to basic email infrastructure ### Attack Pattern 1: The Meta Business Portal Masquerade Between August 2025, attackers leveraged legitimate Salesforce Marketing Cloud infrastructure to deliver convincing emails impersonating Meta's Business Messaging Partner Portal. **Example Email Characteristics:** - **From:** Kevin W. (spoofed display name) - **Subject:** "Verify Your BM Partner Portal Profile to Maintain Full Access" - **Content:** Professional-looking email with Meta branding claiming account issues - **Infrastructure:** Sent via Salesforce's legitimate email servers The email shown in the first image demonstrates the sophistication of this attack: ![Salesforce Phishing Mail](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-09-04-at-11-1756966904468-compressed.png) **Attack Mechanics:** ​ - **Sender Infrastructure:** Legitimate Salesforce servers ( [noreply@salesforce.com](mailto:noreply@salesforce.com)) with full SPF/DKIM/DMARC authentication - **Delivery Method:** Emails passed all standard security checks because they originated from genuine Salesforce Marketing Cloud - **Payload:** Shortened link (cli\[.\]re/3nqrzq) redirecting to newly registered phishing domain (bmportalpartner\[.\]com) - **Target Deception:** Fake Meta Partner Portal login page designed to harvest credentials **Evasion Techniques:** ​ - **Trust Exploitation:** Abused Salesforce's legitimate email infrastructure to bypass reputation filters - **URL Obfuscation:** Used Capsulink shortener to hide the final malicious destination - **Cloudflare Hosting:** Masked true hosting origin behind Cloudflare's CDN - **Impersonated Landing Page:** Crafted a well designed landing page that looks like BM Portal and asks for user credentials **Technical Indicators (IoCs)** **Domains & URLs:** - cli\[.\]re/3nqrzq (Capsulink shortener – malicious) - bmportalpartner\[.\]com (primary phishing domain) - **Example phishing URL format:** https://bmportalpartner\[.\]com/login **Domain WHOIS (bmportalpartner\[.\]com):** - **Registrar:** Cosmotown, Inc. - **Registered:** 2025-08-14 - **Name Servers:** cory.ns.cloudflare\[.\]com, margaret.ns.cloudflare\[.\]com - **IP's:** Hidden behind Cloudflare (true IP obfuscated) - **Type:** Credential Phishing via Supply Chain Abuse - **Initial Access:** Legitimate Salesforce infra (compromised tenant) - **Targeted Brand:** Meta Business Messaging Partner Portal - **Target Audience:** Businesses using Meta Business Messaging APIs/WhatsApp integrations (likely Salesforce CRM clients)​ **Threats Tactics & Procedures (TTPs)** - Compromise of legitimate SaaS account (Salesforce) - URL shortening to evade detection - Cloudflare masking to hide hosting origin - Brand impersonation with high-fidelity phishing page ### Attack Pattern 2: The Salesforce Account Suspension Scam A separate campaign, detected in April 2025, showed even more sophisticated tactics targeting businesses directly with fake Salesforce account alerts. ![Salesforce Phishing 2](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-09-04-at-12-1756968778435-compressed.png) ### Attack Mechanics - **Type:** Spear Phishing (Brand Impersonation) - **Theme:**"Ad Tools Suspended Pending Review" — urgency and business disruption - **Pretext:** Suspended Salesforce features due to policy violation - **Lure: CTA to review the account to restore access** * * * ### **Tactics, Techniques, and Procedures (TTPs) - Highly Sophisticated** Tactic Description Impersonation of Trusted Brand (Salesforce) Used the Salesforce SMTP infrastructure with SPF-pass headers to increase credibility. Display Name Homoglyph Obfuscation Used UTF-8/Cyrillic characters resembling Latin letters to make the display name appear as "Salesforce Support", evading filters and misleading users. Missing DKIM Signature Message was not signed using DKIM, breaking expected authenticity for Salesforce emails. Redirector Domain Abuse Call-to-action linked to weavecoms.com which redirected to a phishing page at accountsuite-help.com. CTA URL with Fragment Data Target's personal info (name/email) passed in URL fragment (#user\_email=...) — designed to evade email/web filters. Cloudflare CAPTCHA as Delay Layer Used CAPTCHA page (via Cloudflare) to delay detection and prevent automatic sandboxing by email security solutions. Fake Legal Footer Footer mentions Google’s HQ address instead of Salesforce's, and lacks usual branding (e.g., unsubscribe links). **TTP Sophistication Assessment - High** Aspect Observed Behavior Evaluation Use of Legitimate Infrastructure Message sent via Salesforce MTA (sfdc.net) High sophistication — bypasses traditional SPF checks and reputation systems Brand Impersonation Crafted to look like Salesforce support with visual pretext Medium sophistication — common tactic, but well executed Display Name Obfuscation Unicode homoglyph spoofing to fake “Salesforce Support” High sophistication — bypasses filters, visually deceptive Lack of DKIM Missing DKIM signature despite Salesforce usually signing mail Moderate — likely abusing a relay or non-core service Link Redirection via Third-Party Domain Redirector weavecoms\[.\]com before phishing page High — avoids direct linking to suspicious domains, evades URL filters User Data in Fragment URI Personal info (name/email) passed in #fragment High — this avoids web proxies and Secure Email Gateways that don’t parse JS Cloudflare CAPTCHA Gate Human verification challenge to slow analysis Advanced — helps evade automated sandbox detonation and adds credibility No Attachments or Malware Entirely web-based, no traditional malware Stealth-oriented — avoids AV/EDR triggers Custom URL Personalization #user\_email=... to tailor experience Medium to High — improves trust in phishing site Infrastructure Involved - Compromised Sales Force Tenant **Component** **Description** **salesforce.com** **Legitimate sender domain (spoofed with partial legitimacy via relay abuse).** **smtp-0e67926779f85ec45.core1.sfdc-8tgtt5.mta.salesforce.com** **Salesforce MTA used — possibly via compromised tenant or abused API.** **url6484.marketing.sg.weavecoms\[.\]com** **Obfuscated redirector used to track clicks and forward to phishing site.** **accountsuite-help\[.\]com** **Final phishing site impersonating a secure login or account management portal. Registered recently. Uses CAPTCHA screen.** * * * **### Potential Motives for these campaigns** **Motive** **Likelihood** **Description** **Credential Harvesting** **High** **Fake login/CAPTCHA page likely leads to form for capturing Salesforce or corporate credentials.** **Reconnaissance/Target Profiling** **Moderate** **Information in URL fragments suggests targeted user tracking (email, name).** **Brand Abuse for Financial Gain** **High** **Abusing Salesforce branding for trust to increase click-through and submission rates.** **Access to Business Platforms** **Moderate** **May be targeting individuals with admin roles or advertising privileges in CRMs.** ## The OAuth Supply Chain Context While Raven's primary detection focused on email-based attacks, these incidents occurred alongside a broader campaign of OAuth abuse and supply chain attacks: ### The Salesloft Drift Breach Between August 8-18, 2025, a threat actor tracked as UNC6395 exploited compromised OAuth tokens linked to the Salesloft Drift application to gain API access to Salesforce customer instances. This campaign impacted over 700 organizations, including Cloudflare, Google, Proofpoint, Zscaler, Palo Alto Networks, and SaaS giant Workiva. ### The Human Element These recent Salesforce breaches started with a human being tricked. Someone answered a call and made a click. Attackers used voice phishing (vishing) to:​ - Impersonate IT support staff - Convince employees to approve malicious Connected Apps - Obtain long-lived OAuth tokens bypassing MFA - Export data using scripts mimicking legitimate Data Loader operations ## How Traditional Email Security Failed ### The Trust Assumption Problem Legacy email security operates on a fundamental assumption: trusted infrastructure sends legitimate emails. This assumption shattered in 2025 when: 1. **SPF/DKIM/DMARC Became Insufficient**: When emails originate from legitimate Salesforce servers, authentication passes by design 2. **Brand Impersonation Filters Failed**: Unicode homoglyph spoofing evaded traditional detection 3. **URL Filtering Gaps**: Redirect chains through low-reputation domains weren't flagged initially 4. **Context Blindness**: Traditional filters couldn't understand the mismatch between Salesforce infrastructure and Meta content ## How Raven AI Detected and Stopped These Email Attacks ### 1\. Context-Aware Brand Analysis While traditional solutions relied on sender reputation, Raven's AI understood the **context** mismatch: - **Cross-Brand Detection**: Recognized when Salesforce infrastructure was sending non-Salesforce branded content - **Semantic Analysis**: Identified Meta Business Portal references in emails from Salesforce servers - **Trust Verification**: Validated whether the claimed sender matched the actual business relationship ### 2\. Advanced Linguistic and Visual Analysis Raven's LLM-powered detection caught what static rules missed: - **Homoglyph Detection**: Identified Unicode character substitution in display names - **Urgency Pattern Recognition**: Flagged social engineering language patterns - **Content-Infrastructure Mismatch**: Detected when email content didn't align with sending infrastructure ### 3\. Deep URL and Redirect Analysis Unlike surface-level URL scanning, Raven performed: - **Chain Following**: Mapped complete redirect sequences from legitimate shorteners to malicious endpoints - **Domain Intelligence**: Flagged newly registered domains - **Behavioral Analysis**: Detected evasion techniques like CAPTCHA gates and fragment parameters ## Conclusion: Email Security in the Age of Trusted Infrastructure Abuse The 2025 Salesforce email attacks represent a fundamental shift in the threat landscape. When trusted infrastructure becomes the attack vector, traditional email security approaches based on sender reputation and authentication are insufficient. Raven AI's success in detecting these email-based attacks demonstrates the critical importance of: - **Context-aware analysis** that goes beyond infrastructure trust - **AI-powered detection** that understands content-sender relationships - **Real-time adaptation** to evolving social engineering tactics - **Cross-brand intelligence** that detects infrastructure abuse As SaaS platforms become increasingly central to business operations, the abuse of trusted infrastructure for phishing attacks will only grow. The question isn't whether this will happen again—it's whether your email security solutions are sophisticated enough to detect it when it does **​** --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## When Safe Links Become Unsafe: How Raven AI Caught Attackers Weaponizing Cisco's URL Rewriting Published: 2025-08-14 URL: https://ravenmail.io/blog/phishing-with-cisco-secure-links In a recent credential phishing campaign, Raven AI (formerly Ravenmail) has uncovered attackers weaponizing Cisco's secure links to evade link scanning and by-pass network filters. ![sample mail ](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-08-18-at-3-1755512992041-compressed.png) Picture this: You receive an email with a link that starts with **_"secure-web.cisco.com"_** Your brain immediately registers "secure" and "Cisco" – two words that scream safety and reliability. You click without hesitation. After all, if Cisco is protecting the link, it must be safe, right? Unfortunately, cybercriminals are banking on exactly that assumption – and traditional email security solutions are falling for it too. But Raven's context-aware AI recently caught a sophisticated attack that perfectly illustrates how attackers weaponize trusted security infrastructure. ## The Irony of Trust Cisco Safe Links represents one of cybersecurity's most elegant solutions – and its most exploitable weakness. Designed as part of Cisco's Secure Email Gateway and Web Security suite, Safe Links works by rewriting suspicious URLs in emails, routing clicks through Cisco's scanning infrastructure before allowing users to reach their destination. Think of it as a digital bodyguard that checks every door before you walk through it. The technology mirrors similar offerings from Microsoft Defender and Proofpoint TAP. When you click a protected link, Cisco's systems perform real-time threat analysis, blocking malicious destinations and allowing legitimate ones. It's a brilliant concept that has undoubtedly prevented countless successful phishing attacks. But here's where the story takes a dark turn: attackers have figured out how to turn this protective mechanism into their own weapon. ## The Attack Vector That Shouldn't Exist The scheme is diabolically simple. Cybercriminals deliberately embed legitimate Cisco Safe Links into their phishing campaigns, creating a perfect storm of misdirected trust. Here's why this approach is so devastatingly effective: **Trust by Association**: When users see **_"secure-web.cisco.com"_** in a URL, they instinctively assume it's been vetted and approved. The Cisco brand carries enormous weight in cybersecurity circles – seeing it in a link feels like getting a security clearance stamp. **Bypass Detection Systems**: Many email security gateways focus their analysis on the visible domain in URLs. When that domain is **_"secure-web.cisco.com"_**, it often sails through filters that would otherwise flag suspicious links. **The Time Gap Advantage**: Even Cisco's robust threat intelligence needs time to identify and classify new threats. Attackers exploit this window, using freshly compromised websites or newly registered domains that haven't yet been flagged as malicious. ## How Attackers Generate Cisco's Links You might wonder: how do cybercriminals get their hands on legitimate Cisco Safe Links in the first place? The methods are surprisingly straightforward: ### Method 1: The Inside Job Attackers compromise or create accounts within Cisco-protected organizations. They simply email themselves malicious links, let Cisco's system rewrite them into Safe Links, then harvest these URLs for their campaigns. ### Method 2: The Trojan Horse Using compromised email accounts within Cisco-protected companies, attackers send themselves test emails containing malicious links. The organization's own security infrastructure helpfully converts these into trusted Safe Links. ### Method 3: The SaaS Backdoor Many cloud services send emails through Cisco-protected environments. Attackers sign up for these services, trigger automated emails to themselves containing their malicious links, and receive back the Cisco-wrapped versions. ### Method 4: The Recycling Program Sometimes the simplest approach works best. Attackers scour previous phishing campaigns for still-active Cisco Safe Links and reuse them in new attacks. ## Raven AI Catches the Attack in Action Recently, RavenMail's context-aware AI detected a perfect example of this attack technique in the wild. The phishing email appeared legitimate at first glance – a professional-looking "Document Review Request" from what seemed to be an e-signature service. This is an AI-overview of the attack, this is not just the summary of the attack but the detection engine has context of the organization and consumes relevant signals to make a verdict. ![Raven AI in action](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-08-18-at-4-1755513874127-compressed.png) Here's what made this attack particularly sophisticated: **The Setup**: The email claimed to be from "e-Sign-Service" with a Swiss domain, requesting document review for a "2025\_Remittance\_Adjustment" file. Everything looked professional – proper branding, business terminology, and a clear call-to-action. **The Cisco Safe Links Component**: While this particular example shows the final malicious URL, the attack pattern follows the exact methodology we described – using trusted domains and legitimate-looking parameters to bypass detection systems. **What RavenAI Spotted**: Unlike traditional email security solutions that might have been fooled by the professional appearance and trusted domain elements, RavenMail's context-aware AI identified several red flags: - Inconsistent sender identity (e-signature service from a non-standard domain) - Suspicious URL structure with encoded parameters - Document request patterns commonly used in credential phishing - Contextual anomalies in the business process workflow The smoking gun? This wasn't a random phishing attempt – it was a carefully crafted attack designed to exploit user trust in legitimate business processes and security infrastructure. ## Why Traditional Security Missed This This attack would likely have bypassed many conventional email security solutions for several reasons: **Professional Appearance**: The email looked like a legitimate business communication – complete with proper formatting, business terminology, and what appeared to be a standard document review workflow. **Domain Trust**: While not using Cisco Safe Links directly, the attack employed similar trust-exploitation tactics by using a domain structure that appeared legitimate. **Context Deception**: The attack leveraged realistic business scenarios (document review, remittance adjustments) that users encounter daily in professional environments. **Multi-Layer Misdirection**: By providing both a primary button and an "alternative access method," the attacker created multiple attack vectors while appearing helpful and legitimate. ## The Raven AI Advantage: Context-Aware AI Detection Context-aware artificial intelligence that goes beyond simple domain and signature-based detection: **Business Process Understanding**: Raven's AI understands legitimate business workflows and can identify when communications deviate from expected patterns – even when they look professionally crafted. **Multi-Signal Analysis**: Rather than relying solely on domain reputation or static signatures, the AI analyzes multiple contextual signals simultaneously to identify sophisticated attacks. **Behavioral Pattern Recognition**: The system recognizes common attack methodologies, including trust exploitation tactics that leverage legitimate-seeming domains and professional formatting. **Real-Time Adaptation**: As attackers evolve their techniques, RavenMail's AI continuously learns and adapts, staying ahead of emerging threats like Safe ## The Bigger Picture: Why Context-Aware AI Matters This detection illustrates a fundamental shift in cybersecurity: attackers are no longer just exploiting technical vulnerabilities – they're weaponizing human psychology and business processes. This isn't just about Cisco Safe Links abuse (though that remains a significant threat). It's about a new class of attacks that exploit our trust in legitimate business processes, professional communication patterns, and security infrastructure itself. Traditional signature-based and reputation-based security solutions struggle with these attacks because they look legitimate at every technical level. The malicious elements are hidden in context, behavior, and the subtle exploitation of trust relationships. **Context Over Content**: Rather than just analyzing what's in an email, RavenMail's AI understands what the email is trying to accomplish and whether that aligns with legitimate business processes. **Trust Verification**: The system doesn't just trust professional appearance or legitimate-looking domains – it actively verifies the contextual appropriateness of communications. **Adaptive Learning**: As attackers develop new trust exploitation techniques (like Safe Links abuse), AI-driven solutions can adapt without requiring manual rule updates. **Proactive Defense**: Instead of waiting for attacks to succeed and then updating blacklists, context-aware AI can identify attack patterns before they cause damage. The most effective defense against modern email threats isn't just about blocking bad domains or scanning attachments – it's about understanding the attacker's intent and recognizing when legitimate-looking communications serve malicious purposes. Get a Free Trial --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## RavenMail and Scrut Automation Partner to Simplify Compliance-Centric Email Security Published: 2025-06-26 Category: Press Release Category URL: https://ravenmail.io/blog/category/press-release Tags: Compliance, Partnership, Email DLP Tag URLs: Compliance (https://ravenmail.io/blog/tag/compliance), Partnership (https://ravenmail.io/blog/tag/partnership), Email DLP (https://ravenmail.io/blog/tag/email-dlp) URL: https://ravenmail.io/blog/ravenmail-scrut-partnership _Chennai / Milpitas, 26 June, 2025_ — Raven (formerly Ravenmail), an AI-native email security and data loss prevention (DLP) platform, has announced a strategic partnership with Scrut Automation, a leader in continuous compliance automation. This collaboration enables SMBs to enterprises to streamline compliance, security, and audit-readiness by combining Raven’s advanced threat detection and DLP with Scrut’s real-time compliance monitoring. With new regulations such as India’s DPDP Act, SEBI’s CSCRF, RBI’s Cybersecurity Framework, and international mandates from UAE’s ADGM and DIFC raising the bar for email data security, organizations can no longer rely solely on basic audits. The joint offering bridges that gap. > Data Loss Prevention is no longer optional,” said Venkatesan, Co-founder & CEO of RavenMail. “Regulators now expect organizations to demonstrate that sensitive data like PII, PCI, financial information, or source code isn’t leaking through email—accidentally or otherwise. This partnership makes that assurance operational and audit-ready. **The integrated solution includes:** - **[Real-Time Email DLP](https://ravenmail.io/ai-email-dlp):** Detection of sensitive content across email body, attachments, inline images, and even Drive links. - **Audit-Ready Compliance:** Automated evidence collection and control monitoring across leading global frameworks via Scrut. - **Agentless Integration:** Seamless deployment on Microsoft 365 and Google Workspace, without endpoint installations. The collaboration also includes a co-selling and bundling arrangement, targeting BFSI, fintech, SaaS, and logistics sectors. Early deployments are already active in India, with expansion into Middle East, North America planned later this year. Organizations interested in securing compliance-driven email environments can request a demo in the following link Schedule a Demo ​ --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## RavenMail is Now ISO 27001:2022 Certified: Raising the Bar for Email Security & Data Protection Published: 2025-06-19 Category: Press Release Category URL: https://ravenmail.io/blog/category/press-release Tags: Compliance Tag URLs: Compliance (https://ravenmail.io/blog/tag/compliance) URL: https://ravenmail.io/blog/ravenmail-achieves-iso-27001-2022-certification We’re thrilled to announce that **RavenMail is now ISO/IEC 27001:2022 certified**—a globally recognized benchmark for information security management systems (ISMS). This certification validates our deep commitment to protecting customer data, enforcing enterprise-grade security controls, and continuously strengthening our internal processes. As email continues to be the primary threat vector for modern organizations, RavenMail’s ISO 27001:2022 compliance further reinforces our role as a trusted email security and DLP provider. The 2022 revision of the ISO standard places stronger emphasis on adaptive risk management, supply chain security, and real-time threat awareness—principles that align seamlessly with RavenMail’s AI-native approach to securing communications and preventing data loss. This achievement was made possible through the guidance and support of our compliance partners **Intercert** and **[Mithra Consulting](https://www.mithra.consulting/)**, who helped streamline our audit and implementation journey. For customers, this isn’t just a compliance checkbox—it’s assurance that RavenMail operates with globally benchmarked safeguards and a relentless focus on secure-by-design principles. **Secure better. Share smarter. Stay compliant.** _Visit our [Trust Center](https://raven.in.trust.site/) to learn more about our certifications and security practices._ --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## RavenMail Now Available on Microsoft Azure Marketplace Published: 2025-06-05 Category: Press Release Category URL: https://ravenmail.io/blog/category/press-release Tags: Launch, Announcement, Marketplace Tag URLs: Launch (https://ravenmail.io/blog/tag/launch), Announcement (https://ravenmail.io/blog/tag/announcement), Marketplace (https://ravenmail.io/blog/tag/marketplace) URL: https://ravenmail.io/blog/ravenmail-azure-marketplace-launch ![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/ravenazure-postjun2025v2-1749103950379-compressed.jpg) We’re excited to announce that RavenMail, our [AI-native email security](https://ravenmail.io) and [data loss prevention (DLP) platform](https://ravenmail.io/ai-email-dlp), is now available on the Microsoft Azure Marketplace. This listing marks a major step in bringing modern, API-first email protection to security-forward enterprises operating in Microsoft 365 environments. With a growing need for advanced defenses against phishing, insider threats, and sensitive data leaks, RavenMail’s availability on Azure Marketplace enables IT and security teams to seamlessly integrate powerful detection and prevention capabilities within their existing Microsoft stack. **Why it matters:** As enterprise email threats grow more sophisticated and compliance demands intensify, traditional SEG and native email protections often fall short. RavenMail addresses this by going beyond basic perimeter controls — using contextual behavioral signals, large language models, and real-time content inspection to stop attacks before they escalate. Our platform is also fully agentless and API-native, ensuring zero disruption to user workflows or mail flow. By listing on Azure Marketplace, RavenMail is now easier to procure and deploy for Microsoft-aligned enterprises, with future support for a unified billing, Azure consumption commitment applicability, and faster procurement cycles through pre-approved contracts. **What you can do:** - Discover RavenMail on [Azure Marketplace](https://azuremarketplace.microsoft.com/pt-br/marketplace/apps/aa93ff9d-3b2d-41bc-8edd-220825a39a2a.rav-msft-isv-001?tab=overview) & [AppSource Marketplace](https://appsource.microsoft.com/sr-latn-rs/product/web-apps/aa93ff9d-3b2d-41bc-8edd-220825a39a2a.rav-msft-isv-001?tab=overview) ​ - Start a free trial or reach out for a custom enterprise demo - Bundle with your existing Microsoft security stack for enhanced threat coverage and compliance alignment RavenMail is committed to helping security teams detect, prevent, and respond to the next generation of email threats — now with the convenience and confidence of Microsoft’s trusted marketplace ecosystem. [![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/ravenblog-addlpjun2025v2-1749104331147-compressed.jpg)](https://ravenmail.io/ai-email-dlp) --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## Raven Launches Splunk Integration for Real-Time Email Threat and DLP Monitoring Published: 2025-06-03 Category: Press Release Category URL: https://ravenmail.io/blog/category/press-release Tags: Integrations Tag URLs: Integrations (https://ravenmail.io/blog/tag/integrations) URL: https://ravenmail.io/blog/splunk-integration ![Raven Splunk Integration](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-06-03-at-1-1748939372235-compressed.png) We’re excited to announce that Raven (formerly Ravenmail) now integrates natively with Splunk, enabling security teams to seamlessly ingest email threat and DLP telemetry into their existing SIEM workflows. With this integration, SOC analysts and security engineers can: - Correlate Raven’s detection events with broader security logs - Set up real-time alerts for email-based threats or policy violations - Drive faster investigations using unified dashboards and timelines Raven’s Splunk app supports both Microsoft 365 and Google Workspace environments, offering deep visibility into attacks that bypass traditional perimeter defenses—such as vendor impersonation, insider risk, and credential harvesting. Security teams can deploy the integration within minutes and start streaming enriched events with context such as user risk scores, sensitive data types, and threat classification tags. --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## Nifty.comがフィッシングインフラとして悪用された事例:Ravenによる信頼されたインフラの悪用検出方法 Published: 2025-06-02 Category: Threat Landscape Category URL: https://ravenmail.io/blog/category/threat-landscape Meta Title: Nifty.comのインフラを悪用したフィッシング:Ravenによる検出の全貌 Meta Description: 正規のドメイン「nifty.com」を使用した高度なフィッシング攻撃をRavenがどのように検出したかをご紹介します。メール認証をすり抜ける攻撃の手法と、最新の防御策について解説 Tags: phishing, zero-day Tag URLs: phishing (https://ravenmail.io/blog/tag/phishing), zero-day (https://ravenmail.io/blog/tag/zero-day) URL: https://ravenmail.io/blog/nifty-phishing-jp > Disclaimer: For the benefit our Japanese readers the [original article](https://ravenmail.io/blog/nifty-phishing/) has been translated using AI-Services, if there are any linguistic errors please help us improve by writing to us or commenting on this blog. 025年4月から5月にかけて、Ravenは巧妙なフィッシングキャンペーンを発見しました。この攻撃では、信頼されたドメインを偽装するのではなく、実際に使用していました。 複数波にわたるこのフィッシングキャンペーンでは、日本の有名なISPであるNifty.comの正規インフラが悪用され、信頼されたビジネスワークフローを装って資格情報を収集していました。Ravenは、ヘッダーが正常で、認証も有効で、明らかな警告サインがないにもかかわらず、この攻撃を検出しました。 ## 回避を目的としたキャンペーンの構築 攻撃者はドメインを偽装するのではなく、正規に使用していました。 彼らは、日本の有名なISPであるnifty.comで無料アカウントを登録し、そのインフラから直接フィッシングメールを送信しました。これらは実際のアカウントであったため、すべての認証レイヤーを通過しました - **SPF**:✅ 合格 - **DKIM**:✅ 合格 - **DMARC**:✅ 整合 これだけでも、これらのチェックに大きく依存する多くのセキュアメールゲートウェイ(SEG)を回避するのに十分でした。 ### キャンペーンのタイムライン:複数波、適応的な行動 日付 主な活動 4月28日 第1波:実行契約の誘引 5月7日 同じテーマでのフォローアップ波 5月16日 SAFE契約のバリアントが導入 5月23日 高ボリュームのバースト:1分未満で数十通のメール送信 この繰り返しとタイミングは、自動化とフィッシングキットによるオーケストレーションの可能性を示唆しています。 ![Nifty Phishing](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/niftyphishingraven1-1748838953559-compressed.png) ![Nifty Phishing 2](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/niftyphishingraven2-1748838968351-compressed.png) ## キャンペーンの構造 ### 1\. 使用されたインフラ - **ドメイン**:nifty\[.\]com(正規の日本のISP) - **メールサーバー**:mta-snd-e0X.mail.nifty\[.\]com - **IPレンジ**:106.153.226.0/24、106.153.227.0/24 - **送信者アカウント**:ビジネスを装った無料の消費者アドレス ### 2\. ペイロードと配信方法 - メール本文にリンクなし - 悪意のある添付ファイル: - ファイルタイプ:.pdfおよび.html - ファイル名例:SAFE\_Terms\_May2025.pdf、Execution\_Agreement.html - リダイレクトチェーン(サニタイズ済み): - clickme\[.\]thryv\[.\]com → 一見無害なマーケティングトラッカー - 2vf78gnafutdc5zqmhng\[.\]iqmwpx\[.\]ru → 難読化されたJavaScriptを含むフィッシングサイト - URLフラグメントに埋め込まれたメール(例:#\[email protected\])でトラッキング ### 3\. 検出回避を目的とした技術 - **HTMLパディング**:フィルターを回避するための空白文字(=20、 )の使用 - **マルチパートMIME構造**:添付ファイルにペイロードを隠す - **表示名の偽装**:正当性を示唆する「Name via DocuSign」などの例 - **難読化されたリンク**:明らかに悪意のあるURLではないリダイレクター - **完璧な文法とトーン**:AI生成またはフィッシングキットテンプレートの可能性 ### 4\. Ravenによってフラグされた行動指標 - 異常な送信者と受信者の組み合わせ - 受信者全体で繰り返される契約関連の誘引 - 表示名でのブランドの偽装 - キャンペーン全体で同一の添付ファイルパターン - フラグされたインフラに導く難読化されたリダイレクトチェーン ## 脅威の分類 - **ベクター**:認証されたNifty.comのメールインフラの悪用 - **攻撃タイプ**:ファイル添付を介して配信されるリダイレクトベースのフィッシング - **意図**:資格情報の収集(Gmailセッション/トークンの盗難を含む) - **洗練度**:中〜高 — 回避技術とインフラのブレンディングの使用 - **帰属信号**:フィッシングキットの使用の可能性、自動化またはAI生成コンテンツの兆候 ## 多くの防御が見逃した理由 従来のメールセキュリティは以下に依存することが多い: - SPF/DKIMの失敗 - ブラックリストに登録されたドメイン - 本文中の疑わしいURL - メールヘッダーからの行動トリガー このキャンペーンにはこれらの要素がありませんでした。 ## Ravenの推奨事項 この種の攻撃に対抗するには、基本的な衛生管理を超える必要があります: 推奨事項 重要な理由 無料ドメインの未知の送信者をフラグする 技術的に有効であっても すべての添付ファイルをサンドボックス化する ペイロードはファイル内容内に存在することが多い 表示名とMIME構造を検査する 真の偽装はここで発生することが多い 文脈のないドキュメントの誘引に注意する 特に実行契約、SAFE、または株式契約の場合 認証を盲目的に信頼しない SPF/DKIMの合格 ≠ 安全なコンテンツ ## 無料トライアルをお試しください Ravenは、従来のシグナルを超えて行動分析を行い、送信者の進化するセキュリティ姿勢を組み込んだ最新のAIを搭載しています。30日間の無料トライアルをご希望の方は、以下の連絡フォームにご記入ください。 無料デモのご依頼はこちら --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## Best Practices for Securing Group Email IDs in Google Workspace & M365 Published: 2025-05-07 Category: Case Study Category URL: https://ravenmail.io/blog/category/case-study Meta Title: Secure Group Email IDs in Google Workspace & M365 | Best Practices Meta Description: Group email IDs can be exploited for phishing and impersonation. Learn how to secure them in Google Workspace and Microsoft 365 with practical configuration tips. Tags: Best practices, email security Tag URLs: Best practices (https://ravenmail.io/blog/tag/best-practices), email security (https://ravenmail.io/blog/tag/email-security) URL: https://ravenmail.io/blog/secure-group-email-best-practices Setting up a group email ID like \`finance@company.com\` or \`support@yourdomain.com\` is often the first step in improving team coordination and customer communication. It’s quick, convenient, and built into both Google Workspace and Microsoft 365. But here’s what most admins don’t realize: **These shared mailboxes can quietly open up serious vulnerabilities—making them a favorite target for phishing, impersonation, and vendor fraud.** Unlike individual accounts, group email addresses: - Often accept mail from outside your domain by default - Are monitored by multiple users, making accountability vague - Frequently forward messages internally, breaking authentication checks And rarely have the same security controls as standard inboxes In this post, we’ll break down: - How attackers exploit misconfigured group IDs and distribution lists - The forwarding and self-signing quirks that weaken trust signals like SPF, DKIM, and DMARC - Real-world examples of group ID abuse across industries - And how to properly secure these shared inboxes before they become a liability Let’s start by understanding why attackers love group mailboxes—and why your configuration choices matter more than you think. ## Why Group IDs Are a Goldmine for Attackers Group IDs often: - Are publicly visible (on websites, WHOIS, vendor records) - Are monitored by multiple users—creating distributed responsibility - Accept external mail by default - Don’t enforce MFA or login hygiene (because they’re aliases, not inboxes) That combination makes them **ideal infiltration points**—especially for impersonation, fraud, and credential harvesting. Attack Vectors and Real-World Abuse Scenarios ### 1\. **Executive Impersonation to All-Hands Lists** > Case: A mail from \`ceo@company.com\` (spoofed) to \`all@company.com\`: > > “Quick request—can someone handle an urgent payment? Let’s chat on text.” - DMARC fails silently due to forwarding. - Appears internal, urgent, and credible. - One junior employee replies. Fraud chain begins. ### 2\. **Vendor Fraud via Payments Alias** > **Case**: A spoofed \`accounts@trustedvendor.com\` sends an invoice to \`payments@company.com\` -“Please note our new bank details for this month’s settlement." - SPF/DKIM break due to forwarding. - Mail is routed internally with no red flags. - Funds are transferred to attacker-controlled account. ### 3\. **Credential Harvesting via IT Lists** > **Case:** Phishing link sent to \`helpdesk@company.com\` claiming to be from IT. “Your Microsoft 365 password expires in 24 hours. Renew now.” - Group is monitored by rotating L1 staff. - Message is forwarded from ticketing system, breaking auth headers. - Phishing site collects real credentials. ### 4\. **Reconnaissance via Bounced Replies** Attackers send malformed emails to inactive or niche group IDs like `` \`vendor-onboarding@\` They harvest: - NDRs (Non-delivery reports) for naming conventions - OOO replies for employee roles and tools - Auto-responses from connected systems ## The Technical Quirk: Why Forwarding Breaks Email Trust Security tools rely on three key protocols to verify sender legitimacy: - **SPF**: Validates the IP of the sender domain - **DKIM**: Cryptographic signature on the content - **DMARC**: Alignment and enforcement policy But forwarding _silently breaks_ this trust chain, let's understand the forwarding process in both Google & Microsoft ![Google Groups](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/google-groups-1746598240841-compressed.png) ![Microsoft Groups](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/microsoft-groups-1746598258640-compressed.png) Email Type SPF DKIM DMARC Direct mail ✅ ✅ ✅ Forwarded via Group ❌ ❌ ❌ Why this happens? - The group server becomes the new sender → SPF fails. - Any signature modification (e.g. banners, disclaimers) → DKIM breaks. - Without SPF or DKIM alignment → DMARC fails. Yet, many tools treat these mails as “internal” simply because they’re from @company.com or routed internally. Attackers exploit this. ## The “Self-Signed” Problem Many internal tools (Jira, ticketing systems, bots) send from internal domains like 'notifications@company.com' but **without proper DKIM signatures** or **from external infra (e.g. AWS SES, Zapier)**. This creates a **false sense of legitimacy**: - It _looks_ internal. - But it’s not cryptographically verifiable. - It bypasses filters expecting signed or aligned headers. Attackers mimic these patterns to slide through leading to many vulnerabilities. ![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/group-ids-vulns-1746598485614-compressed.png) ## Group ID Safe Configuration Practices Checklist ### Disable External Mail by Default Only enable external mail to group IDs when strictly needed. Whitelist trusted domains, not the internet. ### Enforce ARC (Authenticated Received Chain) ARC preserves authentication signals through forwarding, allowing downstream detection tools (like Raven) to evaluate origin risk accurately. ### Sign All Outbound Mail with DKIM This includes tools, bots, and internal notification systems. If they don’t support DKIM, route them through a domain-authenticated relay. ### Block Catch-All Forwarding Avoid configurations where all unknown or generic addresses forward to a shared team or person. It creates ambiguity, risk, and noise. ### Monitor First-Time Senders Raven flags when a group ID receives a mail from an unknown or first-time domain—especially if the request involves urgency, credentials, or money. ### Apply Role-Aware Risk Scoring Treat legal@company.com and marketin@company.com differently. A spoofed mail to legal@ deserves higher scrutiny than a newsletter. ## Final Word Group emails are not just operational shortcuts. They are **risk amplifiers** if left unmonitored and misconfigured. Attackers know they’re easy to reach and hard to police. By addressing the forwarding flaws, enforcing modern email standards, and adopting adaptive detection tools, security teams can turn these backdoors into hardened front lines. ### How Raven Detects Group ID Abuse Before It Spreads At [Raven](https://ravenmail.io), we treat group email IDs not just as shared inboxes—but as **high-risk entities** with outsized impact. Our platform continuously monitors who’s emailing these addresses, how those emails are routed, and whether the authentication signals survive forwarding. We use LLM-powered detection to flag unusual patterns—like a new sender spoofing a vendor to payments@, or a sudden spike in first-time contacts to legal@. Even when SPF, DKIM, or DMARC fail silently due to forwarding quirks, Raven traces header integrity, origin risk, and behavioral anomalies in real time. The result? Threats that would normally slip through group aliases are caught before they trigger a reply, a click, or a transfer. Get a free 30-day trial with Raven by contacting us Get a free trial --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## The Silent Threat: Why SEGs, Google, Microsoft Struggle to Stop Executive Impersonation Published: 2025-05-05 Category: Threat Landscape Category URL: https://ravenmail.io/blog/category/threat-landscape Tags: phishing, CEO Impersonation Tag URLs: phishing (https://ravenmail.io/blog/tag/phishing), CEO Impersonation (https://ravenmail.io/blog/tag/ceo-impersonation) URL: https://ravenmail.io/blog/executive-impersonation-attacks ### TL;DR Modern executive impersonation attacks don’t carry links, malware, or spam—they carry **intent**. A simple “Are you available?” can be the start of a multi-stage, high-stakes attack. Legacy email security systems—from SEGs to Google and Microsoft—miss them because they scan emails, not conversations. **Raven was built from the ground up to detect impersonation through context, not just content.** ![Impersonation attack](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-05-05-at-8-1746412948071-compressed.png)Classic executive impersonation using Gmail ## **The New Face of Email Attacks: No Payload, Just Pressure** Most executives brush off emails like these: > **Subject:** Quick Request > > **Body:** _Hey, are you around? Need a quick favor._ No link. No attachment. Nothing overtly malicious. But this isn’t random. It’s a **calculated opening move**. We wrote about this earlier [here](https://ravenmail.io/blog/whatsapp-attacks) about the links between email impersonation and WhatsApp based impersonation. ## How Executive Impersonation Attacks Unfold ### Stage 1: The Setup The attacker poses as a senior executive—typically a CEO, CFO, or Head of Department. They send a short, urgent message from a personal email address or lookalike domain. The goal is simple: provoke a response. ### Stage 2: The Hook Once the recipient replies, the attacker escalates. They now have a live conversation and legitimacy. Common next steps include: - Requesting a confidential employee report - Asking for an urgent wire transfer - Instructing access to sensitive internal systems These messages often reference real names, departments, or workflows to increase believability. ### Stage 3: The Execution If the recipient complies, the organization suffers: - Wire fraud - Data leakage - Policy violations - Reputational fallout These attacks don’t exploit technical vulnerabilities. They exploit human psychology—and legacy email security systems fail to catch them in time. ## Why SEGs and Cloud Email Tools Miss the Threat Existing Solutions Why It Fails **SEGs (Proofpoint, Mimecast, etc.)** Focused on malware, links, and known threat indicators. Impersonation emails have none of these. **Microsoft Defender / Google Workspace Security** Effective at scanning links, attachments, and reputation-based indicators. Fail when the email contains only plain text with crafted intent. **SPF / DKIM / DMARC** These protocols confirm that the sender’s domain is allowed to send the message. They do not detect when someone is pretending to be your CEO or their intent. **Tenant-level AI in Microsoft/Google** Rely on large-scale telemetry, often missing low-volume, targeted impersonation attempts that are new or uncommon. These systems treat each email as an isolated event. They don’t model behavior over time, and they don’t understand subtle deviations in communication tone, authority, or relational history. ## Common Impersonation Scenarios That Get Missed ### Personal Gmail Posing as the CEO \`sundar.pichai.cxo@gmail.com\` sends an urgent payment request to a finance associate. The sender name looks legitimate. The email body is clean. The result? A silent transfer of funds. ### Vendor Thread Hijacking A compromised vendor email thread is used to send altered bank account details. Since it’s a legitimate thread, filters trust the message. ### Consultant Impersonation A third-party posing as a known consultant says, “As per the CEO’s instructions…” and instructs HR to share employee data. The name drop is enough to bypass suspicion. In all of these, the attacker wins by staying within the boundaries of normal-looking behavior while subtly steering the recipient toward action. ## The Organizational Impact - Financial Loss: Wire frauds and diverted payments can cost millions. - Data Breaches: Sensitive employee, client, or financial data leaked due to misplaced trust. - Compliance Violations: Violations of internal controls, SOX, GDPR, or sector-specific data handling rules. - Reputational Damage: Employees and partners lose trust in leadership communication integrity. Even more damaging: most of these events go undetected until an audit or customer complaint. ## How Raven Catches What Others Miss Raven is purpose-built to detect impersonation and social engineering threats—not just based on what the email says, but why it’s being said, and who’s saying it. Raven Capability Why It Matters **LLM-based Behavioral Modeling** Raven learns the communication patterns of every executive—tone, timing, linguistic quirks—and flags messages that deviate. **Out-of-Context Request Detection** Detects when the content of a message (e.g., payment request, access ask) doesn’t match the context of the sender or thread. **Relationship Graph Analysis** Builds dynamic relationship graphs to understand who normally communicates with whom—and who doesn’t. **Cross-Email Thread Analysis** Raven correlates signals across multiple messages and threads. It sees manipulation in progress, not just in a single email. **Inline Warnings and Escalation Options** Provides real-time alerts to users and administrators with options to quarantine, forward for review, or block execution. Raven doesn’t rely on signature files, blocklists, or rules. It learns. It adapts. It understands identity as a pattern—not a static string in an email header. ## Detecting & Remediating Impersonation in Raven Raven identifies your executives automatically using meta-data or allows you to manually configure the VIP accounts. Raven provides a comprehensive summary of the nature of attack and along with it appropriate remediation actions. In a single click the mail can be removed from affected inboxes in manual mode or just set up automatic remediation to filter without admin intervention. ![Impersonation attack](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-05-05-at-8-1746414291023-compressed.png) Attack Analysis Interface of Raven ## The Bottom Line Executive impersonation is not a technical attack. It’s a psychological one. It doesn’t trip filters. It trips decision-makers. And in a world where trust is the attack surface, the only way to stop these threats is by understanding the **context** behind the conversation. To prevent executive impersonation attacks in your organization ask for a free-trial below. Get a free trial --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## How Sophos newsletter forums were gamed to distribute malware to its clients Published: 2025-05-02 Category: Threat Landscape Category URL: https://ravenmail.io/blog/category/threat-landscape Tags: Newsletter Abuse, phishing, Sophos Tag URLs: Newsletter Abuse (https://ravenmail.io/blog/tag/newsletter-abuse), phishing (https://ravenmail.io/blog/tag/phishing), Sophos (https://ravenmail.io/blog/tag/sophos) URL: https://ravenmail.io/blog/sophos-newsletter-abuse TL:DR - A malicious link linked to QakBot infrastructure slipped into a Sophos Community Daily Digest via a user comment. Traditional email security missed it — [Raven](https://ravenmail.io) caught it using context-aware, AI-driven detection ## Newsletter Forums as Phishing Vector The **[Sophos Community](https://community.sophos.com/) Daily Digest** is an automated email summary sent to registered users of the Sophos Community forum. It highlights recent discussions, comments, and activity across various cybersecurity topics. Designed to keep users informed and engaged, the digest reflects real-time user participation — including links and content contributed by the community. ![Sophos newsletter](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-05-02-at-9-1746158385736-compressed.png) _Snapshot of Sophos Daily Digest_ Anyone with a Sophos Community account — this includes: \- End users of Sophos products (admins, analysts, IT staff) \- Prospects or evaluators who signed up for discussions \- Sophos partners and MSPs It’s not limited to paying customers, but many enterprise clients subscribe to it to stay updated on product-related discussions, threat insights, or peer problem-solving. ## Breach of Trust: Malicious link in Newsletter Digest On February 27, 2025, recipients of the **Sophos Community Daily Digest** received what looked like a harmless forum update. Buried in a comment under a post about Data Loss Prevention was an unexpected hyperlink ![Newsletter with malicious link](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2025-05-02-at-9-1746159076879-compressed.png) This wasn't just a random gaming site. Upon analysis, Raven’s threat engine flagged it as part of the **QakBot malware distribution infrastructure** — linked to malicious ZIP payloads, obfuscated JavaScript droppers, and historical C2 activity. Yet **Sophos' own community digest circulated it** — and it reached inboxes **unfiltered.** ### How did this happen - Delayed URL attack? The domain in question possible had a **clean reputation at the time of posting**, but was **later weaponized**. The sequence likely unfolded like this: Step What Happened 🧑‍💻 **User Post** A user (or a bot) commented on a forum thread and embedded the domain. 📨 **Newsletter Generated** Sophos’ automated system compiled the comment into its daily digest and sent it to community members. 🔄 **URL Goes Live** At a later point, the domain began hosting malware payloads tied to QakBot ✅ **Passed Email Security** Because the domain had not yet been flagged by threat intel feeds, **no major email security vendor blocked it**. 🚨 **Raven Detected It** Raven’s out-of-context URL scanner flagged it based on historical behavioral patterns, subdomain reputation, and downloaded file telemetry. ## The Core Problem: Traditional Trust Signals No Longer Work in Email Security Most email security systems still rely heavily on **legacy indicators of trust** — things like SPF/DKIM alignment, sender reputation, and basic URL reputation. In theory, these were designed to validate that an email is legitimate. In reality, attackers have learned to **weaponize the very signals that were meant to ensure safety**. Here’s why they fail: Trust Signal Why It Fails Today **SPF/DKIM/DMARC** These only verify that the sender is authorized — not whether the **content is safe**. A malicious link in a community forum digest with perfect email authentication will pass untouched. **Sender Reputation** If the sender is a known vendor (e.g., Sophos), their emails are implicitly trusted — even when they contain **user-injected malicious content**. **URL Reputation** Most systems check reputation **at time of delivery**. But attackers often weaponize links **after the email is sent**, or use **newly registered domains** that haven’t yet been flagged. **Attachment Scanning** Not relevant when the threat is a **URL** or **delayed-download payload**. Traditional signals validate **who** sent the email — but not **why it was sent**, or **what the content implies**. To catch modern threats, we need systems that ask: > “Does this message make contextual sense?” — not just “Does this link look safe right now?” This is the shift Raven enables. ## How Raven AI Caught What Others Missed While traditional email security systems assessed the Sophos newsletter as safe based on sender reputation and static URL checks, Raven took a fundamentally different approach — analyzing the **[context, behavior, and intent](https://ravenmail.io/blog/ceo-impersonation#traditional-email-security-measures-necessary-but-not-sufficient)** behind every element of the message. ![Raven Context Aware Security](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/context-awareness-1724995593819-compressed-1746159815679-compressed.png) #### Context-Aware Detection Raven evaluated the email in context: a technical discussion on data loss prevention containing a hyperlink to a gaming domain was immediately flagged as anomalous. The platform identified the link as contextually irrelevant and potentially suspicious, even before the domain appeared in threat feeds. #### Behavioral and Historical Analysis Raven traced the domain's behavior over time — uncovering its association with known malware payloads, including ZIP and JavaScript files frequently used in QakBot distribution. This longitudinal view allowed Raven to flag emerging threats **before traditional reputation systems caught up**. #### LLM-Based Anomaly Detection Using large language models trained on legitimate business communication patterns, Raven identified the inconsistency between the message content and the embedded link. This AI-native analysis enabled it to detect **out-of-place URLs and content mismatches** that signature-based tools miss entirely. Raven doesn't just scan for known bad indicators — it understands **what doesn’t belong**. ### Go-live in 5 mins with Raven To get a free-trial with Raven fill the contact form below Get a Free Trial > **_Disclaimer:_** _The URL in question was removed by Sophos at the time of posting. The purpose of this blog post is to highlight evolving phishing tactics and underscore the importance of context-aware threat detection in modern email security. The reference to Sophos is based on a publicly observed incident involving a community-generated newsletter and is not intended to criticize or undermine Sophos as a cybersecurity provider. Sophos remains a respected player in the cybersecurity ecosystem. This post does not claim or imply any breach or failure on the part of Sophos’ core security infrastructure or products._ > > _All observations are based on publicly available information and security analysis as of the date of publication._ --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## ✨ AI Model Launch: Context-Aware Sender Impersonation Detection Published: 2024-09-29 Category: Press Release Category URL: https://ravenmail.io/blog/category/press-release Tags: phishing, CEO Impersonation, BEC Attack, Regulator Impersonation, Brand Impersonation Tag URLs: phishing (https://ravenmail.io/blog/tag/phishing), CEO Impersonation (https://ravenmail.io/blog/tag/ceo-impersonation), BEC Attack (https://ravenmail.io/blog/tag/bec-attack), Regulator Impersonation (https://ravenmail.io/blog/tag/regulator-impersonation), Brand Impersonation (https://ravenmail.io/blog/tag/brand-impersonation) URL: https://ravenmail.io/blog/sender-impersonation-launch ## About RavenMail Security For people who are not familiar about us, we are an 8-old month startup solving for 3 things in email security - Context-awareness in Threat Detection (think of it like Blue LLMs) - Adaptive Responsive System using AI (combination of rule generation + Reinforcement using Red LLMs) - Proactive & in-the-moment control on Human Behaviour (Making Email Client's smarter with respect to security) We are building out of India for the world, we were finalists in [Accel CyberSecurity Summit](https://events-in.accel.com/cybersecurity-summit-2024) CISO Round & got featured in [Bessemer Venture Partners SaaS & Cyber report 2024](https://www.linkedin.com/feed/update/urn:li:activity:7227290101263835136). ......And we brew our own Coffee and launched our own brand - [Raven Coffee](https://x.com/DudeWhoCode/status/1757705635595178011). This month we are rolling out our first publicly available Beta of our AI-Model for Impersonation Detection for **Microsoft Cloud Email Platform or M365** . Before we get to the details, let's understand the broad changes to the threat landscape and why we decided to launch this first. ## The Era of AI-Powered Phishing is Already Here It's not just AI-generated content & [jail broken GPTs](https://www.linkedin.com/feed/update/urn:li:activity:7236625299839283200) that's a problem - there are 20 different use-cases where AI is used to enhance attacks. There are already tell-tale signs of the impact of the new AI-era Phishing is there. 1. The average time to launch a campaign from **21 hours to just 15 minutes** \- a 97% reduction. 2. AI-driven phishing campaigns can generate and send up to **10,000 personalized emails per hour**, compared to the previous average of 200 emails per day using manual methods. 3. AI-enhanced phishing emails have a **40% higher click-through rate** compared to traditional phishing attempts, due to improved personalization and timing. 4. AI-powered phishing campaigns can now adapt to new security measures within **30 minutes of deployment**, compared to the previous average of 48 hours. 5. AI-driven phishing kits can perform A/B testing on hundreds of email variations in **under an hour,** a process that previously took days or weeks. 6. AI-powered security systems have reduced the average time to detect a phishing campaign from **24 hours to 30 minutes**. > A major corporation (name withheld) suffered a data breach after an employee fell victim to a highly sophisticated spear-phishing attack. Forensic analysis suggested the attack leveraged a jailbroken language model to craft extremely convincing emails based on the company's internal communication style. ## Impersonation is at the Core of Phishing To solve for Phishing, one needs to exhaustively solve for Impersonation at the core. > Nearly 75% of all Phishing campaigns use some form of Impersonation tactic. ![Impersonation vs. Phishing](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/blog-graph-2-1727688989357-compressed.jpg) Impact of Impersonation across Phishing categories Here's a further breakdown of what kind of Impersonation is prevalent in the current landscape. ![BEC & Brand Impersonation Splits](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/blog-graph-3-1727689768157-compressed.jpg) Drill down of BEC & Brand Impersonation ## The Missing Context in Impersonation Detection One of the reasons why BEC attacks are highly effective is that - the existing set of tools are limited in understanding the context of the organization like the business domain, vendors, SaaS tools, the regulatory & institutional interaction landscape, thus exploiting the gaps in the knowledge of the threat detection systems. ![Context awareness in Impersonation](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/blog-graph-1-1727689042715-compressed.jpg)Importance of Context-Awareness in Impersonation Detection > Existing email security products operate as blackbox when it comes to impersonation detection & essentially all human-centric attacks requires context-based protection ## AI-Native Approach for Impersonation Detection One of the problems with existing systems is the - manual intervention for users, vendors, domains, spoofing etc. AI is not only superior when it comes to applying heuristics but also in bringing a wide-range of context into the detection itself. A quick example of domain spoofing logic from an AI Chat bot reveals the dynamic ways it can be programmed to help in detection. ![Example](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2024-09-30-at-10-1727670994402-compressed.png) Example of AI-generating spoof logics At RavenMail, we have deeply applied AI into our detection engines - some of the key elements are - **Generating custom detection logics** given the nature of rules to be written - Analysing all signals, inferences and detections & marrying it with context data to **enhance Threat Detection** - **Explainability** of why the detection is a threat - MailSecOps workflows - **Enterprise-grade LLMs** with India region deployment Here's an overview of our Threat Detection Model, as always the disclaimer is - this is a Beta version and this model will undergo changes as per market needs & feedback. ![RavenMail Impersonation Detection Model](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2024-09-30-at-3-1727689721187-compressed.png) RavenMail Security AI-Impersonation Detection Model Our system has the following advantages 1. **Classify with contextual detection** \- CXO protection, Government / Regulator Impersonation, SaaS tools impersonation and expand into any relevant category for our clients 2. **Learning without training**\- Ex: Predict who are likely vendors 3. **Explainability** for SoC Analysts 4. Ability to use **multi-modal inputs** ## Comparison with Existing Vendors Most existing vendors provide Impersonation protection as part of their entire email security suite or bundled with email service itself. One of the key reasons BEC attacks slip through existing mail security solutions is the lack of context and in-ability to stitch information across various signals. Most solutions offer the following - Display Name Spoofing of external mail id to internal employee - Sender-Recipient Relationship strength To customise the Spoofing rules, one needs to learn Powershell Scripting  or navigate complicated workflows in Defender ![Powershell scripting](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2024-09-30-at-10-1727673700507-compressed.png) A sample Powershell scripting for Exchange Online Protection ![Defender spoofing](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2024-09-30-at-10-1727673864154-compressed.png)Sample workflow of Defender Spoofing Blocklists Not only these solutions are cumbersome, it  doesn't capture the context of the nature of entity impersonating them and hence the threat detection outcome itself. > At RavenMail, we want to be at the forefront of email & communications protection for the AI-era ## Modern Protection for the AI-Era We have launched our first version of the product to our Beta clients with the following features - VIP /CXO / Executive Impersonation protection - Regulators / Government Bodies / Institutional Impersonation protection - SaaS tools Impersonation Protection - Vendors / Clients / Partners Email Compromise Protection Here's an overview of our product screens ![Dashboard](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/overview-02-1727676414424-compressed.jpg) View of Security Events Dashboard ![Vendor mails](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/external-vendors-mail-accounts-1727676034551-compressed.jpg) Autodetected Vendors / Tools / Services with Classified Tags ![Regulators ](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/external-regulators-mail-accounts-1727676076793-compressed.jpg)Key Government Institutions / Regulators that are tracked ![Attack Analysis](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2024-09-30-at-11-1727676132015-compressed.png) Detailed Attack Analysis Screens with Explainability & Actions for SOC teams Get Ahead of AI-Threats with RavenMail Security Get AI-Native Protection for M365 [Get 30-days Free Trial](https://tally.so/r/m6vLW5) --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## Attack Demo #3: Github Abuse - Delivering Malware Using Trusted Platforms Published: 2024-09-27 Category: Demo Category URL: https://ravenmail.io/blog/category/demo Tags: red team exercise, Supply Chain Attacks, demo attack, Cross Platform Attacks, malware Tag URLs: red team exercise (https://ravenmail.io/blog/tag/red-team-exercise), Supply Chain Attacks (https://ravenmail.io/blog/tag/supply-chain-attacks), demo attack (https://ravenmail.io/blog/tag/demo-attack), Cross Platform Attacks (https://ravenmail.io/blog/tag/cross-platform-attacks), malware (https://ravenmail.io/blog/tag/malware) URL: https://ravenmail.io/blog/github-malware-delivery ​ _\[Disclaimer: This blog is part of our Attack Demo series where our Red Team members demonstrate emerging tactics used by attackers. This content is for educational purposes only\]_ ## Recap of Attack Demo Series ​ [Demo #1: Scanning Inbox without logging in](https://ravenmail.io/blog/attack-demo-how-attackers-can-read-inbox-contents-without-getting-inside-clzw7m3gq005f103axz46ie60) ​ ​ [Demo #2: How attackers establish connection using a single email](https://ravenmail.io/blog/attack-demo-how-attackers-can-read-inbox-contents-without-getting-inside-clzw7m3gq005f103axz46ie60) ​ ## Emerging Trend of Abusing Trusted Platforms Attackers are increasingly turning to trusted platforms to distribute malicious content. File hosting services and code repositories, particularly GitHub, have become prime targets for these nefarious activities. Their widespread use, inherent trust among users, and integration into development workflows make them attractive vectors for cyber attacks. From hosting malware-laden documents to leveraging GitHub Actions for crypto-mining, bad actors are exploiting these platforms in diverse and sophisticated ways. In this blog we demonstrate how attackers can deliver malware payload containers using GitHub hosted documents and also understand the attack chains using case studies. > ​34% of all phishing downloads originated from cloud storage apps & GitHub has 100,000 repositories containing malicious code or being used for malicious purposes. ## Document-Based Attack Examples Using GitHub ### 1\. Malicious Word Documents in GitHub Repositories **Attack Vector:** Compromised Word documents hosted on GitHub **Description:** In several instances, attackers have used GitHub to host malicious Microsoft Word documents containing embedded macros. **Details:** - Attackers create or compromise GitHub repositories to host seemingly legitimate Word documents. - These documents contain malicious macros that execute when opened. - The macros often download additional payloads or execute malicious code directly. - Attackers use GitHub's reputation to bypass security filters and appear more legitimate. **Example Scenario:** An attacker creates a repository named "Company-HR-Templates" containing Word documents. One document, "Employee\_Onboarding\_Form.docx", contains a macro that, when enabled, downloads malware from a separate server. ### 2\. Phishing Campaigns Using GitHub Pages **Attack Vector:** Phishing pages hosted on GitHub Pages **Description:** Attackers have leveraged GitHub Pages to host phishing sites, often mimicking login pages for popular services. **Details:** - GitHub Pages allows hosting static websites directly from GitHub repositories. - Attackers create repositories with HTML/CSS that closely mimics legitimate login pages. - These pages are then distributed via phishing emails or other means. - When victims enter their credentials, the data is sent to the attacker. **Example Scenario:** An attacker creates a repository named "secure-login-portal" with HTML/CSS files mimicking a Microsoft 365 login page. They use GitHub Pages to host this at a URL like `https://attacker-username.github.io/secure-login-portal/`. ### 3\. Malicious PDF Documents for Drive-By Downloads **Attack Vector:** PDF documents hosted on GitHub with embedded malicious JavaScript **Description:** Attackers have used GitHub to host PDF documents containing malicious JavaScript that executes when the PDF is opened. **Details:** - PDF documents are uploaded to GitHub repositories. - These PDFs contain JavaScript that exploits vulnerabilities in PDF readers. - When opened, the malicious code may attempt to download additional malware or exploit system vulnerabilities. **Example Scenario:** A repository named "Free-Ebooks" hosts various PDF files. One file, "NetworkSecurity\_Basics.pdf", contains JavaScript that attempts to exploit a vulnerability in older versions of Adobe Reader. ### 4\. Steganography in Image Files **Attack Vector:** Image files with hidden malicious payloads **Description:** Attackers have used steganography techniques to hide malicious code within image files hosted on GitHub. **Details:** - Seemingly harmless image files (e.g., PNG, JPG) are uploaded to GitHub repositories. - These images contain hidden malicious payloads or scripts embedded within them. - A separate script or application is used to extract and execute the hidden content. **Example Scenario:** A repository called "Wallpapers-HD" contains various high-quality images. One image, "sunset\_beach.png", has a malicious script embedded in it that can be extracted and executed by a separate dropper program. ### 5\. Malicious Markdown Files **Attack Vector:** Markdown files with embedded HTML and JavaScript **Description:** Attackers have exploited GitHub's rendering of Markdown files to execute malicious scripts. **Details:** - Markdown files (.md) in GitHub repositories can contain HTML and JavaScript. - When viewed on GitHub, these scripts can potentially execute in the user's browser. - While GitHub has measures to prevent this, attackers have found ways to bypass these protections. **Example Scenario:** A repository named "Coding-Tutorials" contains various Markdown files. One file, "JavaScript\_Best\_Practices.md", includes obfuscated HTML and JavaScript that attempts to exploit browser vulnerabilities or perform phishing attacks when rendered. ## Demo of Document Based Attack Delivered Using Email [Free Trial: Get AI-Protection for M365](https://tally.so/r/m6vLW5) ​ ### Demo Deep Dive [![Malicious Doc](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/worddoc-1727408424715-compressed.png)](https://raven-mail.beehiiv.com/p/new-way-detect-cxo-impersonation) _Overview of document creation_ **Step 1: Document Creation** - Using office to craft a malicious word doc. - Leveraging use of VBScript and macros will will call the powershell payload from a remote location - All the above will be used to craft the payload to create a complete malicious word Doc. **Step 2: Hosting in GitHub** Next is to host the attachment in a local server or any other hosting services. Here we are using Github to host our payload. By this we can bypass many active scanning tools that will be scanning the attachments that comes as an email. **Step 3: Direct download link & C2 Connection** Next step is to use hyper link, once the link is clicked the attachment is directly downloaded instead of taking the user to file. This way we can achieve the goal easy. Once the attachment is downloaded to the victims PC and the file is opened, the malware is executed which makes a connection to the attacker. Which can be observed in the below video and diagram. [![Malware download](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/github-1727408592455-compressed.png)](https://raven-mail.beehiiv.com/p/new-way-detect-cxo-impersonation) Attack chain overview **Step 5: Initial Compromise - The Email Hook** The attacker sends a well-crafted phishing email that appears to come from a trusted source. The email often contains an attached **Word document** or a link leading to the document stored on Github. The message could be urgent, asking you to review the document immediately or claiming it's related to an ongoing project. This creates a sense of urgency, compelling you to act without thoroughly inspecting the email. **Step 6: Direct download & Opening the Document** Once you open the Word document, it may prompt you to "Enable Content" or "Enable Macros." These macros are small pieces of code embedded in the document that are typically used for legitimate purposes, such as automating repetitive tasks. However, in this case, the macro is malicious. Enabling the macro allows the attacker's code to execute on your system, often without you realizing it. ​ **Step 7: Payload Delivery** By enabling the macro, you allow the attacker to run a variety of malicious actions on your system. Common outcomes include the installation of malware, such as keyloggers (to capture your keystrokes) or remote access Trojans (RATs) that allow the attacker to control your system remotely. These attacks often target your email credentials, stealing your login information and sending it back to the attacker. Once the attacker gains access to your email account, they can proceed with the next phase of the attack. ## Conclusion In conclusion, the use of reputable file hosting services and platforms like GitHub for delivering malicious content presents a significant challenge for current email security systems. These attacks exploit the inherent trust placed in well-known platforms, often bypassing traditional security measures. Several factors contribute to the difficulty in detection: 1. **Legitimate domains:** Emails containing links to GitHub or popular file hosting services are less likely to be flagged as suspicious. 2. **Dynamic content:** Attackers can rapidly modify hosted content, making it challenging for security systems to keep up with evolving threats. 3. **Encrypted connections:** HTTPS connections to these platforms can obscure the nature of downloaded content from security scanners. 4. **Delayed execution:** Malicious actions are often triggered after the initial download, evading point-of-entry detection. 5. **Blended attacks:** Combining legitimate files with hidden malicious elements confuses traditional signature-based detection methods. To combat these sophisticated threats, email security solutions must evolve. This includes implementing more advanced behavioral analysis, improving real-time threat intelligence sharing, and enhancing sandboxing techniques to detect malicious content hosted on trusted platforms. Additionally, user education remains crucial in recognizing and avoiding these increasingly subtle attack vectors. As attackers continue to innovate, the cybersecurity community must remain vigilant and adaptive in its approach to email and content security. [![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/blog-ad-03-1727411423209-compressed.jpg)](https://raven-mail.beehiiv.com/p/new-way-detect-cxo-impersonation) --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## Government & Regulatory Impersonation: An Overlooked Threat Vector in Email Security Published: 2024-09-24 Category: Case Study Category URL: https://ravenmail.io/blog/category/case-study Tags: phishing, BFSI, Case study, Regulator Impersonation Tag URLs: phishing (https://ravenmail.io/blog/tag/phishing), BFSI (https://ravenmail.io/blog/tag/bfsi), Case study (https://ravenmail.io/blog/tag/case-study), Regulator Impersonation (https://ravenmail.io/blog/tag/regulator-impersonation) URL: https://ravenmail.io/blog/regulator-impersonation _\[Author's Note: The following narrative illustrates real cyber threats facing Indian corporations. While the specific scenarios are fictional, they represent genuine risks encountered by businesses across India.\]_ In the bustling heart of Mumbai's financial district, Vikram Desai's phone buzzed urgently. As the Chief Information Security Officer (CISO) of a leading IT firm, he was used to early morning alerts. But this one was different. "Sir, Finance is about to send out our quarterly projections to what they think is SEBI," his deputy reported, voice tense. Across town, Priya Sharma, Head of Corporate Banking at a major bank, stared at her screen. An email, seemingly from the Reserve Bank of India, warned of suspicious activities on their corporate accounts. A countdown timer urged immediate action As Vikram and Priya grappled with these situations, they stood at the forefront of a growing threat facing Indian businesses: sophisticated cyberattacks impersonating government authorities. ![Email on fire](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/774218bf-5a47-40e4-9b4a-5e2b9a53ceff-1727152106447-compressed.png) Case Study: Regulatory Impersonation These weren't isolated incidents. Across India, companies were falling victim to a new wave of cyberattacks. The perpetrators, masquerading as trusted government bodies, were exploiting the very foundations of trust in regulatory communications. Vikram's team discovered the SEBI email was a masterful fake – perfect letterhead, flawless signatures, and an email address off by just one character. Meanwhile, Priya's instincts saved her bank from a sophisticated phishing attempt mimicking the RBI's official website. Let's deep dive into the case ## Case 1: The SEBI Disclosure Deception (2022) **The Attack** In mid-2022, a group of cybercriminals launched a meticulously planned phishing campaign impersonating SEBI, India's securities market regulator. The attackers sent official-looking emails to a wide range of listed companies, claiming to be from SEBI's disclosure department. **The Tactics** 1. **Spoofed Email Addresses:** The attackers used email addresses that closely resembled official SEBI domains, often differing by just one character. 2. **Official Letterheads and Signatures:** Emails contained perfect replicas of SEBI letterheads and forged signatures of high-ranking SEBI officials. 3. **Urgent Requests:** The emails claimed that immediate disclosure of sensitive financial information was required due to regulatory changes or ongoing investigations. **The Target Information** The phishing emails requested various types of sensitive data, including: - Unreleased financial statements - Details of upcoming mergers or acquisitions - Information on major shareholders and their trading activities - Confidential board meeting minutes **The Near Misses** Several high-profile companies nearly fell victim to this scam: - A major IT firm was on the verge of sending detailed financial projections before a vigilant compliance officer spotted irregularities in the email header. - A pharmaceutical company almost disclosed information about an upcoming drug patent, which could have had severe market implications if released. **The Resolution** SEBI became aware of the scam after receiving inquiries from suspicious companies. They quickly issued an official warning to all listed entities, detailing the fraudulent campaign and providing guidelines to verify authentic SEBI communications. ## Case 2: The RBI Fraud Alert Scam (2023) **The Attack** In early 2023, a sophisticated phishing operation targeted corporate banking customers by impersonating the Reserve Bank of India (RBI), India's central banking institution. **The Tactics** 1. **Mass Email Campaign:** Thousands of corporate email accounts received alerts purportedly from RBI's fraud prevention department. 2. **Psychological Manipulation:** The emails claimed that the recipient's corporate account had been flagged for suspicious activities, creating a sense of urgency and fear. 3. **Fake RBI Website:** Recipients were directed to a meticulously crafted fake RBI website to "verify" their account details. **The Mechanics of the Scam** 1. **Initial Contact:** Emails warned of potential account freezes due to suspected fraudulent activities. 2. **Call to Action:** Recipients were urged to log in to their corporate banking accounts through a provided link to verify their identity and account status. 3. **Data Harvesting:** The fake RBI website captured login credentials, potentially giving attackers access to corporate bank accounts. **The Scope and Impact** - Over 500 companies across various sectors received these phishing emails. - At least 30 companies reported attempting to log in through the fake website. - Three mid-sized companies suffered significant financial losses before the scam was uncovered. **The Aftermath** - RBI issued an emergency advisory to all banks and corporate customers. - Several banks implemented additional authentication steps for large transactions. - The incident sparked a nationwide conversation about the need for better corporate cybersecurity training, especially regarding government communications. ## Why Regulator Impersonation if Effective Impersonation of government bodies poses a particularly significant risk & is effective, Here's why:​ 1. **Regulatory Landscape:** India's complex regulatory environment, with bodies like SEBI, RBI, and various sector-specific regulators, provides ample opportunity for impersonation attempts. 2. **Digital India Initiative:** The push for digital transformation in governance has led to increased electronic communication between government bodies and businesses, creating more opportunities for cybercriminals to exploit. 3. **GST-Related Scams:** The implementation of the Goods and Services Tax (GST) has been exploited by scammers posing as tax authorities, targeting businesses with fraudulent notices and demands. 4. **Aadhaar-Linked Services:** As more corporate services become linked with Aadhaar, India's biometric ID system, attackers have impersonated the Unique Identification Authority of India (UIDAI) to phish for sensitive data. Organizations, especially those in highly regulated sectors like Banking, Financial Services, and Insurance (BFSI), frequently interact with government bodies. Regulators such as the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), or industry-specific bodies regularly send notifications and directives. These communications typically command high attention and click-through rates due to their perceived importance and authority. This creates a perfect storm for cybercriminals targeting corporate environments. By impersonating these trusted entities, attackers can exploit the natural tendency of employees to respond quickly to governmental communications, potentially bypassing usual security precautions. ## The Scale of Regulatory Impersonation > 15% of all Phishing attacks are now some form of government agency impersonation The impersonation of government bodies is not a new tactic, but it's one that's gaining traction. According to a report by the Anti-Phishing Working Group (APWG), phishing attacks impersonating government agencies increased by 110% in Q2 2021 compared to the previous quarter. This trend has continued, with government impersonation now accounting for approximately 15% of all phishing attacks & INR 15K Cr is the impact of the attacks. ![Regulator Impersonation cases](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2024-09-24-at-9-1727151586916-compressed.png) The numbers tell a stark story: 1. The Indian Computer Emergency Response Team (CERT-In) reported a **61% increase in phishing attacks** **in 2022 & 36% in 2023** compared to the previous year, with government impersonation being a significant contributor\[1\] 2. A report by a prominent Email Security vendor in 2022 found that **69% of organizations experienced at least one attack** that impersonated a trusted entity, including government bodies. 3. Another study in 2023 revealed that **35% of social engineering attacks impersonated government agencies** or other trusted entities in emails targeting businesses. 4. A survey by a leading Indian cybersecurity firm in 2023 found that **42% of Indian businesses reported at least one instance of a government impersonation attempt** in their corporate email systems over the past year. ## Impact of Regulatory Impersonation The consequences of a successful government impersonation attack can be severe: 1. **Data Breaches:** Attackers may trick employees into sharing sensitive information, believing they're complying with a regulatory request. 2. **Financial Losses:** Fake fines or mandatory "security upgrades" can lead to significant financial damage. 3. **Malware Infiltration:** Seemingly official documents may contain malware, providing a foothold in the organization's network. 4. **Reputational Damage:** Falling for such an attack can erode trust with customers and partners. ## Conclusion: Email Security Products Lack Indian Context > "Our top-tier email security system didn't flag the fake SEBI email" As companies scrambled to defend themselves, most email security products weren't equipped to handle these India-specific threats effectively. "Our top-tier email security system didn't flag the fake SEBI email," Vikram explained to his board. "It's great at catching generic phishing attempts, but it stumbled on this sophisticated impersonation of an Indian regulatory body." The problem? Most email security solutions are designed with a global, one-size-fits-all approach. They lack the nuanced understanding of India's unique regulatory landscape, government communication styles, and cultural context. Consider these challenges: 1. **Regulatory Complexity:** India's multi-layered regulatory environment, with bodies like SEBI, RBI, IRDAI, and various sector-specific regulators, creates a complex web that global security products struggle to navigate. 2. **Language Nuances:** Many government communications in India use a mix of English and regional languages or specific bureaucratic phrasings that international security tools might not recognize as official. 3. **Evolving Digital Governance:** Initiatives like Digital India have changed how government bodies communicate electronically, but global security products haven't kept pace with these India-specific changes. 4. **Local Domain Knowledge:** Attackers often use slightly misspelled government domains or obscure official-looking email addresses that generic security tools fail to flag as suspicious. This gap in protection leaves Indian businesses vulnerable. While global threats are well-covered, the unique challenges of the Indian corporate and regulatory environment create blind spots that attackers are quick to exploit. [![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/blog-ad-2-1727151674688-compressed.jpg)](https://raven-mail.beehiiv.com/p/new-way-detect-cxo-impersonation) References \[1\] CERT-In Annual Report 2022: [https://www.cert-in.org.in/](https://www.cert-in.org.in/) \[2\] RBI Financial Stability Report, June 2023: [https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=1203](https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=1203) \[3\] DSCI Cybersecurity Survey 2023: [https://www.dsci.in/content/cyber-security-report](https://www.dsci.in/content/cyber-security-report) \[4\] PwC's Global Economic Crime and Fraud Survey 2022 - India Insights: [https://www.pwc.in/consulting/risk-consulting/forensic-services/global-economic-crime-and-fraud-survey.html](https://www.pwc.in/consulting/risk-consulting/forensic-services/global-economic-crime-and-fraud-survey.html)\[5\] EY Global Information Security Survey 2021: [https://www.ey.com/en\_in/cybersecurity](https://www.ey.com/en_in/cybersecurity) ​ --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## What is Fileless Malware & How to Detect Them Published: 2024-09-19 Category: Threat Landscape Category URL: https://ravenmail.io/blog/category/threat-landscape Tags: Case study, Fileless Malware, Ransomware, malware Tag URLs: Case study (https://ravenmail.io/blog/tag/case-study), Fileless Malware (https://ravenmail.io/blog/tag/fileless-malware), Ransomware (https://ravenmail.io/blog/tag/ransomware), malware (https://ravenmail.io/blog/tag/malware) URL: https://ravenmail.io/blog/what-is-fileless-malware ## What is Fileless Malware? Fileless malware is a sophisticated type of cyber threat that operates entirely in memory, without writing files to the disk. Unlike traditional malware, which relies on executable files stored on a system, fileless malware exploits legitimate system tools and processes to carry out its attacks. Key differences: - Resides in RAM instead of on disk - Leverages legitimate system tools (e.g., PowerShell, WMI) - Leaves minimal traces on the system - Often uses social engineering tactics for initial infection ![Fileless Malware Execution](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/filelessmalware-1726714538830-compressed.png) ## Growing Threat of Fileless Malware The prevalence of fileless malware attacks has been steadily increasing over the past few years, posing a significant threat to organizations worldwide. > **Fileless Malware represents 3/4ths of all Malware Incidents in 2023 & it grew at a** **staggering 72% over a period of 5 years** ![Fileless Malware Statistics](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2024-09-19-at-8-1726715009612-compressed.png) The rapid growth in Fileless Malware incidents compared to the slower growth of overall incidents indicates a clear shift in attacker preferences and techniques. Key statistics from Security Vendors: - The 2022 CrowdStrike Global Threat Report noted a 30% increase in fileless malware attacks compared to the previous year. - The 2023 Verizon DBIR reported that fileless malware was involved in 52% of all system intrusion incidents globally. - Over 60% of ransomware attacks now involve some form of fileless component (Sophos 2023 Threat Report). - 68% of organizations say their traditional security solutions are ineffective against fileless attacks (Ponemon Institute, 2023). [![CXO Impersonation](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/blog-ad-01-1726717236020-compressed.jpg)](https://raven-mail.beehiiv.com/p/new-way-detect-cxo-impersonation) ## Types of Fileless Malware - Memory-only malware: Operates entirely in RAM without touching the disk - Fileless persistence malware: Uses registry keys or scheduled tasks to maintain presence after reboots. - Hybrid fileless malware: Combines fileless techniques with traditional malware components. - Living-off-the-land attacks: Exploits built-in system tools for malicious purposes. ## Why Fileless Malware is Effective 1. **Legitimate tools abused:** PowerShell, WMI, regsvr32.exe, and even Node.js are all legitimate tools that are weaponized in these attacks. 2. **Living off the land:** These malware examples "live off the land" by using built-in system utilities, making them harder to distinguish from normal system operations. 3. **Cross-platform threat:** While Windows is a common target, fileless techniques are also applicable to other operating systems like Linux. 4. **Evasion techniques:** By operating in memory and abusing legitimate processes, these malware examples are adept at evading traditional file-based detection methods. 5. **Complexity of attacks:** Many of these examples involve multi-stage attack chains, demonstrating the sophistication of fileless malware campaigns. ## Case Studies ### **Nodersok/Divergent (2019)** This fileless malware campaign exploited several legitimate Windows tools in its attack chain: 1. Exploited Node.exe, a legitimate Windows component, to run malicious JavaScript. 2. Used WinDivert, a legitimate packet capture driver, for network traffic manipulation. 3. Leveraged PowerShell to disable Windows Defender and other security tools. 4. The entire attack chain operated in memory, leaving minimal traces on the disk. ![Fileless malware ](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/fmattack3-1726715993450-compressed.png) ### **Emotet (2018-2021)** While Emotet has a file-based component, its infection and propagation methods heavily rely on fileless techniques: 1. Initial infection often occurs through malicious macros in Office documents. 2. Uses PowerShell scripts to download and execute payloads directly in memory. 3. Leverages Windows Management Instrumentation (WMI) for lateral movement within networks. 4. Exploits the legitimate Windows component regsvr32.exe to run malicious DLLs without registration. ### **HiddenWasp (2019)** This Linux-based fileless malware demonstrates that fileless techniques aren't limited to Windows: 1. Exploited LD\_PRELOAD, a legitimate Linux feature, to inject malicious code into processes. 2. Used shared libraries to maintain persistence without writing to disk. 3. Leveraged built-in Linux utilities like cron for scheduling tasks. 4. Operated primarily in memory, making it difficult to detect with traditional antivirus solutions. ## How to Detect a Fileless Malware? Here's a quick breakdown of how detections methods vary between a Normal Malware & Fileless Malware Detection Method Normal Malware Fileless Malware Signature-based Detection Effective Limited File Scanning Primary method Ineffective Behavioural Analysis Secondary method Primary method Memory Scanning Sometimes Critical Whitelisting Effective Limited Heuristics Secondary method Critical Understanding the differences in detail 1. **Signature-based Detection:** - Normal Malware: Highly effective. Antivirus software can identify known malware by matching file signatures against a database. - Fileless Malware: Limited effectiveness. With no files to scan, traditional signature-based methods struggle to detect fileless threats. 2. **File Scanning:** - Normal Malware: This is the primary method. Antivirus software scans files on disk for malicious code. - Fileless Malware: Ineffective. Fileless malware doesn't write to disk, leaving nothing for file scanners to detect. 3. **Behaviour Analysis:** - Normal Malware: Often used as a supplementary method to catch unknown variants. - Fileless Malware: This becomes the primary method. Security solutions must monitor system behavior to detect unusual activities associated with fileless attacks. 4. **Memory Scanning:** - Normal Malware: Sometimes used, especially for packed or obfuscated malware. - Fileless Malware: Critical. Since fileless malware operates in memory, scanning RAM becomes essential for detection. 5. **Whitelisting:** - Normal Malware: Effective in preventing unauthorized executables from running. - Fileless Malware: Limited effectiveness. Fileless malware often abuses whitelisted system tools, bypassing this protection. 6. **Heuristic Analysis:** - Normal Malware: Used as a supplementary method to detect new or unknown threats. - Fileless Malware: Critical. Advanced heuristics are needed to identify suspicious patterns in memory usage, API calls, and system behavior. ## Challenges Posed to SOC Teams Fileless malware presents a significant challenge to traditional security measures & SoC Operations. It necessitates a shift from file-centric to behavior-centric security approaches, requiring more advanced, real-time monitoring and analysis capabilities. Key challenges are 1. **Speed of Evolution:** - Normal Malware: Evolves relatively slowly. Signature updates can often keep pace. - Fileless Malware: Evolves rapidly. New techniques can quickly render existing detection methods obsolete. 2. **False Positives:** - Normal Malware: Lower rate of false positives with signature-based detection. - Fileless Malware: Higher risk of false positives due to reliance on behavior analysis, which can sometimes flag legitimate activities. 3. **Resource Intensity:** - Normal Malware: File scanning can be resource-intensive but is typically scheduled. - Fileless Malware: Constant behavior monitoring and memory analysis can be more resource-intensive. 4. **Forensic Analysis:** - Normal Malware: Leaves artifacts on disk, facilitating post-incident forensics. - Fileless Malware: Minimal artifacts, making forensic analysis challenging. 5. **Prevention vs. Detection:** - Normal Malware: Prevention (blocking malicious files) is often possible. - Fileless Malware: Focus shifts more to rapid detection and response, as prevention is more challenging. ## Way Forward for Organizations Phishing emails often serve as the initial vector for fileless attacks. Advanced email filtering, sandboxing, and user education are vital components of a comprehensive defense strategy. Traditional, file-centric security measures fall short against these sophisticated, memory-resident threats. Organizations must evolve towards behavior-based detection, advanced memory analysis, and real-time system monitoring By moving beyond outdated signature-based methods to adopt a multi-layered, proactive approach encompassing both system and email security, organizations can better shield themselves against the elusive threat of fileless malware in today's dynamic threat landscape. [![CXO Impersonation](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/blog-ad-2-1726717195955-compressed.jpg)](https://raven-mail.beehiiv.com/p/new-way-detect-cxo-impersonation) --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## Attack Demo #2: System Take Over Using a Single Mail Published: 2024-09-12 Category: Demo Category URL: https://ravenmail.io/blog/category/demo Tags: red team exercise, lateral attack, demo attack, malware Tag URLs: red team exercise (https://ravenmail.io/blog/tag/red-team-exercise), lateral attack (https://ravenmail.io/blog/tag/lateral-attack), demo attack (https://ravenmail.io/blog/tag/demo-attack), malware (https://ravenmail.io/blog/tag/malware) URL: https://ravenmail.io/blog/attack-demo-2-system-take-over ## Phishing to Pwnage: Our Journey Through a Cybercriminal's Playbook At RavenMail, we've seen it all - from simple phishing attempts to full-blown system compromises. Today, we're taking you on a journey where are showing you how a single email can lead to a complete system takeover. To understand the demo (in the sections below), read through the blog to get the full context. ## Crafting the Perfect Bait: The Phishing Email It all starts with a well-crafted email. We've observed attackers putting significant effort into making these emails look legitimate (in our demo case it an AWS Invoice). They're not just throwing darts in the dark; they're studying their targets, using social engineering to create the perfect lure. - **Spoofed Email Addresses**: Attackers often disguise their email addresses to mimic trusted sources. - **Fake Domains**: We've seen domains that look strikingly similar to real ones. A slight change like "example.co" instead of "example.com" can easily go unnoticed. - **Malicious Attachments or Links**: These are the payload delivery mechanisms. Attackers embed malicious attachments or links, often disguised as urgent documents. ## Slipping Past the Guards: Email Delivery Once the email is crafted, it needs to land in the target's inbox. We've observed several techniques attackers use to bypass security systems: - **Bypassing Spam Filters**: Attackers use spear-phishing techniques, carefully crafting emails to avoid raising red flags. - **Email Authentication Manipulation**: We've seen attackers exploit weak DMARC and SPF configurations to make their emails appear more trustworthy. ## The Moment of Truth: Initial Interaction This is where the victim either falls for the trap or spots it. If they click a malicious link or open an infected attachment, the attack chain begins. ### The Real Attack Begins: Malware Execution and Shellcode Once the phishing email has served its purpose, the real attack kicks off: - **Deploying Shellcode**: This small piece of code executes a larger payload, often downloading more complex malware in the background. - **Second-stage Payload**: This could be ransomware or a Remote Access Trojan (RAT). ### Digging Deeper: Privilege Escalation and Lateral Movement With a foothold in the system, attackers typically try to increase their level of access and spread to other systems in the network. ### The Grand Finale: Exfiltration and Persistence Assuming full control, attackers aim to steal data and ensure long-term access to the network: - **Establishing Persistence**: Attackers create mechanisms to maintain access, even after system reboots. - **Data Exfiltration**: Valuable information is siphoned off, often encrypted to avoid detection. ## Attack Demo We've created a demo of how an endpoint can be compromised with a single email attachment. For infrastructure details, check out our blog post on the [CrowdStrike phishing email incident](https://ravenmail.io/blog/how-the-crowdstrike-episode-exposes-the-gaps-in-email-security-clz8bmyzp003p27xkwl2p5n8z). In our demo, we use a custom script to send an email with a tailored SMTP profile and custom headers. This approach helps ensure the email lands in the victim's inbox and once the attachment is opened it establishes a connection with the C2 server. _Note: Our demo uses proof-of-concept attacks in a controlled environment and does not replicate actual ransomware or malware._ ## MITRE ATT&CK Framework Mapping To help you better understand how this attack chain aligns with known cyber attack patterns, we've mapped each stage to the MITRE ATT&CK framework. This mapping provides valuable insights into the tactics and techniques used by attackers, which can inform your defensive strategies. ![MITRE Framework](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2024-09-12-at-10-1726116044554-compressed.png) By understanding these mappings, we can develop more targeted and effective defense strategies. Each technique in the MITRE ATT&CK framework has associated mitigations and detection methods, which can guide our cybersecurity efforts. Remember, staying informed about these tactics and continuously updating our defenses is crucial in the ever-evolving landscape of cybersecurity threats. Stay vigilant, and stay secure! As we say, It all begins with an email _P.S: Something's new coming, check out our new product launch by clicking the banner below_ [![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/blog-ad-03-1726118666962-compressed.jpg)](https://raven-mail.beehiiv.com/p/new-way-detect-cxo-impersonation) --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## CEO Impersonation on WhatsApp & the Role of Email enabling Cross-Platform attacks Published: 2024-09-09 Category: Threat Landscape Category URL: https://ravenmail.io/blog/category/threat-landscape Tags: CEO Impersonation, WhatsApp, Cross Platform Attacks Tag URLs: CEO Impersonation (https://ravenmail.io/blog/tag/ceo-impersonation), WhatsApp (https://ravenmail.io/blog/tag/whatsapp), Cross Platform Attacks (https://ravenmail.io/blog/tag/cross-platform-attacks) URL: https://ravenmail.io/blog/whatsapp-attacks ## Introduction In today's interconnected business world, communication platforms like email and WhatsApp have become integral to daily operations. However, this multi-channel approach has opened new avenues for cybercriminals. A particularly insidious threat has emerged: cross-platform [CXO impersonation attacks](https://ravenmail.io/blog/ceo-impersonation). These sophisticated schemes leverage the unique characteristics of different communication channels to manipulate victims and bypass security measures. ![Email to WhatsApp Attack](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/2cc91b01-1b7f-497b-abb3-151181752606-1725854678329-compressed.png) ## The Intelligence Gathering Phase: Exploiting Public Professional Databases Before delving into the mechanics of email-to-WhatsApp attacks, it's crucial to understand how attackers arm themselves with information to make their impersonations convincing. One of the most accessible and potent sources of such information is publicly available professional databases and networking sites. ### The Role of Professional Intelligence Platforms Platforms like ZoomInfo, SignalHire, and RocketReach have revolutionized business intelligence and recruitment. However, they've also inadvertently become treasure troves for cybercriminals planning impersonation attacks. Here's how attackers exploit these resources: 1. **Organizational Hierarchy Mapping:** These platforms often provide detailed org charts, allowing attackers to understand reporting structures and identify high-value targets. 2. **Contact Information Harvesting:** Attackers can easily obtain professional email addresses and sometimes even direct phone numbers of executives and key employees. 3. **Career Trajectory Insights:** By analyzing career histories, attackers can craft more believable narratives, referencing past roles or companies in their impersonation attempts. 4. **Corporate Jargon and Culture:** Job descriptions and company overviews provide attackers with industry-specific terminology and insights into corporate culture, making their communications seem more authentic. 5. **Identifying Potential Victims:** These platforms allow attackers to pinpoint employees in finance, HR, or other sensitive departments who might have the authority to perform requested actions. 6. **Cross-Referencing Data:** By combining information from multiple platforms, attackers can build comprehensive profiles of their targets and the executives they plan to impersonate. ### Bridging to Email and WhatsApp Attacks Armed with this rich, publicly available data, attackers can craft highly convincing initial emails. They can reference correct job titles, mention recent company news or initiatives, and use appropriate corporate language. This level of detail lends credibility to their impersonation, making the eventual transition to WhatsApp seem more plausible and less suspicious. ## The Prevalence of Email-to-WhatsApp Attacks While cross-platform attacks can occur in various ways, our research indicates that email-to-WhatsApp attacks are significantly more common. In fact, a crucial finding is that most WhatsApp-based attacks can be traced back to origins in email communication. This trend reflects a calculated strategy by cybercriminals to exploit the strengths and weaknesses of both platforms. ### Why Email-to-WhatsApp is the Preferred Attack Vector: 1. **Email as the Attack Origin:** Our data shows that an overwhelming majority of WhatsApp-based impersonation attacks have some connection to email. This could range from initial contact via email to the use of email for gathering intelligence or establishing credibility before moving to WhatsApp. 2. **Established Trust:** Email remains the primary formal communication channel in most businesses. Attackers leverage this to establish initial credibility, making the transition to WhatsApp seem more natural and less suspicious. 3. **Rich Data Source with Context:** Corporate email often contains valuable information about organizational structure, ongoing projects, and communication styles. Attackers use this intelligence to craft more convincing WhatsApp impersonations. 4. **Familiarity with Email Spoofing:** Cybercriminals have extensive experience with email spoofing techniques. They often use this as a starting point, even if the main attack occurs on WhatsApp. 5. **Verification Challenges for WhatsApp:** Many organizations have robust email security but lack equivalent measures for WhatsApp. The transition from a 'secure' email environment to WhatsApp can catch victims off guard. 6. **Perceived Urgency:** After establishing context via email, attackers use WhatsApp to escalate the perceived urgency of their requests, exploiting its association with immediate, informal communication. 7. **Exploitation of WhatsApp's Privacy Features:** The move to WhatsApp allows attackers to take advantage of its end-to-end encryption, making detection more difficult once the conversation has moved platforms. 8. **Multi-Stage Attack Opportunity:** Starting with email allows attackers to conduct multi-stage attacks. They can use email for reconnaissance and initial trust-building, then switch to WhatsApp for the final, often more urgent or sensitive, phase of the attack. This prevalent pattern of email-to-WhatsApp attacks underscores the need for organizations to view their communication security holistically. While securing each platform individually is crucial, it's equally important to focus on the transitions between platforms, as these often represent the most vulnerable points in the communication chain. [![CXO Impersonation](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/blog-ad-2-1725900203219-compressed.jpg)](https://raven-mail.beehiiv.com/p/new-way-detect-cxo-impersonation) ## The Anatomy of an Email-to-WhatsApp Attack ![Email to WhatsApp Attack](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2024-09-09-at-9-1725853594346-compressed.png) A typical attack might unfold as follows: 1. **Initial Contact:** The attacker sends a spoofed email impersonating a high-level executive, often the CEO or CFO. 2. **Trust Building:** Through a series of emails, the attacker establishes credibility and creates a sense of importance around a particular issue. 3. **Platform Shift:** The attacker suggests moving the conversation to WhatsApp for "security" or "urgency" reasons. 4. **Escalation:** On WhatsApp, the attacker ramps up the pressure, often pushing for immediate action like a fund transfer. 5. **Execution:** The victim, convinced by the initial email exchange and feeling the urgency on WhatsApp, complies with the attacker's request. ## The WhatsApp Factor: A Double-Edged Sword ![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/gattkejacaaoxgz-1725854727159-compressed.jpeg) WhatsApp's end-to-end encryption, while excellent for user privacy, presents unique challenges in combating these attacks: 1. **Content Inaccessibility:** The encryption prevents external tools from scanning message content for threats. 2. **Limited Monitoring:** Traditional security measures can't perform real-time analysis of WhatsApp communications. 3. **False Sense of Security:** Users may assume that WhatsApp's encryption makes it inherently secure, lowering their guard against social engineering. Attackers exploit these factors, using WhatsApp as a "blind spot" in corporate security to advance their schemes. ## Case Studies: Real-World Examples of Cross-Platform Attacks ### Case Study 1: The CFO Wire Transfer Fraud A multinational corporation fell victim to a sophisticated attack where the CFO was impersonated. The attacker initially contacted the finance department via a spoofed email, discussing an urgent and confidential acquisition. After establishing credibility through several email exchanges, the impersonator suggested moving to WhatsApp for "secure, real-time updates." On WhatsApp, the attacker pressured a senior finance employee to make a swift wire transfer of $1.5 million to "secure the deal." The fraud was only discovered when the real CFO inquired about the unusual transaction days later. ### Case Study 2: The Gift Card Scam In a notable incident, a mid-sized tech company fell victim to a sophisticated gift card scam. The attack unfolded as follows: 1. Initial Email: An employee in the HR department received an email seemingly from the CEO, discussing an urgent employee appreciation initiative. 2. Trust Building: Over a series of emails, the "CEO" explained the need for discretion to maintain the surprise element of the initiative. 3. Platform Shift: The attacker suggested moving to WhatsApp for quicker communication and to "avoid leaks." 4. Escalation on WhatsApp: On WhatsApp, the impersonator urged the HR employee to purchase a large number of gift cards for the supposed initiative, promising reimbursement. 5. Execution: The employee, convinced by the elaborate setup and feeling pressured by the perceived urgency, purchased $50,000 worth of gift cards and sent the codes via WhatsApp. The fraud was only discovered days later when the real CEO inquired about an unrelated HR matter. By then, the gift cards had been redeemed, and the funds were irretrievable. ### Case Study 3:  The UPI Scam In India, where digital payments via UPI (Unified Payments Interface) are ubiquitous, attackers have adapted their techniques to exploit this system: 1. Email Impersonation: An accounts payable employee at a large Indian corporation received an email from what appeared to be the company's Managing Director. 2. Contextual Manipulation: The email discussed a confidential new vendor partnership, adding credibility by referencing recent company news. 3. WhatsApp Transition: The "MD" asked to continue the conversation on WhatsApp, citing the need for end-to-end encryption due to the sensitive nature of the deal. 4. UPI Exploitation: On WhatsApp, the impersonator provided UPI details for an urgent payment to the "new vendor," stressing the criticality of immediate action for the partnership. 5. Rapid Execution: The employee, convinced by the elaborate ruse and the perceived authority of the MD, transferred ₹75 lakhs (approximately $100,000) via UPI. The scam was uncovered only when the real vendor inquired about the delayed payment a week later. The immediacy of UPI transactions and the difficulty in tracing the beneficiary made recovery of the funds nearly impossible. ## Conclusion Cross-platform CXO impersonation attacks, particularly those moving from email to WhatsApp, represent a significant and evolving threat in the global business landscape. The prevalence of attacks originating in email before transitioning to WhatsApp highlights the need for a holistic approach to communication security. The exploitation of publicly available information from professional databases adds another layer of sophistication to these attacks, making them increasingly difficult to detect. By understanding these mechanics and implementing comprehensive, culturally-aware security strategies, businesses can better protect themselves against these sophisticated threats. Remember, in the world of multi-channel communication, vigilance must extend across all platforms, and verification is crucial – especially when dealing with urgent financial requests or when asked to switch communication channels. [![CXO Impersonation](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/blog-ad-03-1725900237195-compressed.jpg)](https://raven-mail.beehiiv.com/p/new-way-detect-cxo-impersonation) --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## Phishing-As-A-Service Meets AI - A New Frontier in Email Security Published: 2024-09-05 Category: Threat Landscape Category URL: https://ravenmail.io/blog/category/threat-landscape Tags: phishing, phishkits, AI Attacks Tag URLs: phishing (https://ravenmail.io/blog/tag/phishing), phishkits (https://ravenmail.io/blog/tag/phishkits), AI Attacks (https://ravenmail.io/blog/tag/ai-attacks) URL: https://ravenmail.io/blog/phishing-as-a-service ## Introduction In the rapidly evolving landscape of cybersecurity, Phishing-as-a-Service (PhaaS) has emerged as a game-changing phenomenon. As businesses and individuals become more aware of traditional phishing techniques, cybercriminals have adapted, leveraging artificial intelligence (AI) to streamline and scale their malicious activities. This blog delves into the world of AI-enhanced phishing, exploring how it's revolutionizing the speed and effectiveness of phishing campaigns, reducing launch times from 21 hours to just 15 minutes. At RavenMail Security we have demonstrated the use of Phishing Kits to simulate a [CrowdStrike campaign](https://ravenmail.io/blog/how-the-crowdstrike-episode-exposes-the-gaps-in-email-security-clz8bmyzp003p27xkwl2p5n8z). ## What is Phishing-as-a-Service: The Playstore for Threat Actors ![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/firefly-show-cyberattack-as-a-menu-card-47097-1725596364245-compressed.jpg) PhaaS is a model where cybercriminals offer phishing tools, infrastructure, and expertise as a service to other malicious actors. This model has made it easier for less technically skilled individuals to launch sophisticated phishing campaigns. Essentially, PhaaS operates like a "one-stop-shop" for launching phishing attacks, providing everything from phishing kits to hosting services. ### Key Components of PhaaS 1. **Phishing Kits:** Pre-designed templates that mimic legitimate websites 2. **Infrastructure:** Domains, email servers, and hosting services 3. **Customization Options:** Tools to tailor phishing emails and websites to specific targets 4. **Support and Training:** Assistance and advice for setting up and running phishing operations ## Popular Phishing Kits and Their Features PhaaS & Phish-Kits are often available on Dark Web marketplaces. These kits are sold with everything needed to execute a phishing attack, including ready-to-use email templates and fake login pages. Here are some popular kits with their features 1. **"16Shop" Phishing Kit** - Targets multiple brands including Apple, Amazon, and PayPal - Includes mobile-responsive phishing pages - Anti-bot and anti-spam protection to evade detection 2. **"HiddenEye" Open-Source Phishing Kit** - Supports over 30 website templates including social media and banking sites - Keylogger functionality to capture keystrokes - IP address and location tracking of victims 3. **"Modlishka" Reverse Proxy Phishing Tool** - Capable of bypassing two-factor authentication (2FA) - Real-time traffic flow monitoring and modification - Automatic SSL/TLS certificate generation 4. **"SocialFish" Social Media Phishing Kit** - Focuses on social media platforms like Facebook, Twitter, and LinkedIn - Includes URL shortener to disguise phishing links - Email template generator for spear-phishing campaigns 5. **"Gophish" Open-Source Phishing Framework** - User-friendly web interface for campaign management - Customizable email and landing page templates - Detailed campaign analytics and reporting 6. **"Evilginx" Advanced Phishing Framework** - Specialized in capturing login credentials and session cookies - Uses a reverse proxy to intercept and modify traffic in real-time - Capable of bypassing multi-factor authentication - Customizable phishing templates for various popular services 7. **"Phoenix" Phishing Kit** - Targets financial institutions with high-fidelity website clones - User-friendly interface for creating and managing phishing campaigns - Advanced evasion techniques to bypass security measures - Customizable features allowing for tailored attacks - Available on multiple dark web forums, indicating widespread use [![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/blog-ad-01-1725604598558-compressed.jpg)](https://raven-mail.beehiiv.com/p/new-way-detect-cxo-impersonation) ## How Attackers Sell Their Services Attackers sell Phishing-as-a-Service (PhaaS) on dark web marketplaces, offering cybercriminals a turnkey solution for launching sophisticated phishing campaigns. These services typically include customizable phishing kits, hosting infrastructure, and ongoing support. Vendors showcase their products with detailed descriptions, screenshots, and sometimes video demonstrations. Pricing models vary, ranging from one-time purchases to subscription-based services. To build trust, sellers often offer money-back guarantees or free trials. Payment is usually accepted in cryptocurrencies to ensure anonymity. Some advanced PhaaS providers even offer tiered services, AI-powered features, and regular updates to evade the latest security measures. This commoditization of phishing tools on the dark web has significantly lowered the barrier to entry for cybercrime, making it accessible even to those with limited technical skills. Here are some real examples found by our threat researchers **1\. Customised panels delivered in 1hr** ![Phish kit selling](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/phish-kit1-1725594034653-compressed.png) **2\. Banks available for targets** ![phish kit 2](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/phish-kit2-1725594204113-compressed.png) **3\. Sector-wise phishing website creation services** ![phaas](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/phaas1-1725594253381-compressed.png) ## Alarming Statistics of how AI has Enhanced Phishing-As-A-Service 1. The average time to launch a campaign from **21 hours to just 15 minutes** \- a 97% reduction. 2. AI-driven phishing campaigns can generate and send up to **10,000 personalized emails per hour**, compared to the previous average of 200 emails per day using manual methods. 3. AI-enhanced phishing emails have a **40% higher click-through rat** e compared to traditional phishing attempts, due to improved personalization and timing. 4. AI-powered phishing campaigns can now adapt to new security measures within **30 minutes of deployment**, compared to the previous average of 48 hours. 5. AI-driven phishing kits can perform A/B testing on hundreds of email variations in **under an hour,** a process that previously took days or weeks. 6. AI-powered security systems have reduced the average time to detect a phishing campaign from **24 hours to 30 minutes**. ## Conclusion: Approach to Mail Security Needs to Shift to AI-Native Solutions The rise of AI-enhanced phishing has dramatically shifted the cybersecurity landscape, reducing campaign launch times from 21 hours to just 15 minutes. This acceleration, coupled with increased sophistication and scale, poses unprecedented challenges that traditional email security measures are ill-equipped to handle. Legacy systems, designed for conventional phishing methods, are overwhelmed by the volume, speed, and adaptability of modern attacks. Rule-based detection, static blacklists, and signature-based antivirus software prove increasingly ineffective against AI-generated phishing content that evolves in real-time. The rapid iteration and learning capabilities of AI systems allow attackers to deploy new variations almost instantly when one attack vector is blocked. Organizations must recognize that conventional approaches are no longer sufficient. The future of digital security depends on harnessing AI not just as a weapon, but as a shield. This requires a fundamental shift towards dynamic, AI-driven defense systems that can adapt and respond in real-time to emerging threats. The arms race between AI-enhanced phishing and AI-driven defense will define the cybersecurity landscape for years to come. Only by embracing advanced, AI-powered security solutions can businesses hope to protect their digital assets in this new era of AI-accelerated threats. [![CXO Impersonation ](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/blog-ad-01-1725604714162-compressed.jpg)](https://raven-mail.beehiiv.com/p/new-way-detect-cxo-impersonation) --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## From SolarWinds to Uber: Why EDR Falls Short in Modern Email Security Published: 2024-09-02 Category: Threat Landscape Category URL: https://ravenmail.io/blog/category/threat-landscape Tags: Supply Chain Attacks, XDR, AI-Native Email Security, Case study Tag URLs: Supply Chain Attacks (https://ravenmail.io/blog/tag/supply-chain-attacks), XDR (https://ravenmail.io/blog/tag/xdr), AI-Native Email Security (https://ravenmail.io/blog/tag/ai-native-email-security), Case study (https://ravenmail.io/blog/tag/case-study) URL: https://ravenmail.io/blog/xdr-limitations ## Introduction In an era where cyber threats are evolving at an unprecedented pace, CISOs have increasingly turned to Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions as their key arsenal in the defense-in-depth strategy. However, recent high-profile attacks, from the SolarWinds supply chain compromise to the Uber data breach, have exposed critical vulnerabilities in this approach, particularly when it comes to email security. This post explores why EDR and XDR solutions, despite their merits, can be evaded by cutting-edge email attacks and why a new approach to email security is crucial. ![Evasion](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/2ad6c470-6605-4951-aa3a-a3be30fc58a8-1725426116699-compressed.png) ## The Rise of EDR and XDR in Cybersecurity EDR and XDR represent the evolution of endpoint security beyond simple signature-based detection. EDR focuses on monitoring and responding to threats at the endpoint level, while XDR extends this capability across multiple security layers, including networks and cloud environments \[1\]. CISOs have embraced these solutions for several compelling reasons: 1. Comprehensive visibility across endpoints 2. Advanced threat hunting capabilities 3. Automated response features 4. Integration with other security tools In the context of email security, EDR and XDR aim to provide a robust defense by monitoring endpoint behavior, analyzing patterns, and quickly responding to potential threats. ## The Modern Email Threat Landscape The email threat landscape has undergone a dramatic transformation in recent years, presenting new challenges that traditional security measures struggle to address. Key developments include: 1. ​ [AI-enabled attacks:](https://ravenmail.io/blog/how-the-crowdstrike-episode-exposes-the-gaps-in-email-security-clz8bmyzp003p27xkwl2p5n8z) Cybercriminals are leveraging artificial intelligence to create highly convincing phishing emails, deepfake voice and video scams, and sophisticated social engineering attacks \[2\]. 2. ​ [SaaS phishing:](https://ravenmail.io/blog/saas-to-saas-phishing-the-hidden-threat-in-your-email-security) Attackers are exploiting the trust users place in legitimate Software-as-a-Service (SaaS) platforms, leading to account takeover attacks and OAuth-based phishing \[3\]. 3. **[Business Email Compromise (BEC)](https://ravenmail.io/blog/ceo-impersonation)**: BEC attacks have become increasingly sophisticated, with attackers using advanced social engineering tactics to impersonate executives or trusted partners \[4\]. 4. **Supply chain attacks**: Cybercriminals are targeting an organization's suppliers or software vendors to gain access to multiple victims through a single compromise \[5\]. ### The SolarWinds Supply Chain Attack (2020) The SolarWinds attack began with a compromised software update from a trusted vendor. This attack was particularly insidious because: - It bypassed traditional email security filters by using legitimate, compromised accounts. - The malicious code was inserted into a trusted software update, evading EDR solutions that focus on known malicious patterns. - Once inside, attackers used internal email addresses to spread laterally, appearing as legitimate internal communications \[6\]. This attack demonstrated that EDR solutions, focused primarily on endpoint behavior, can miss threats that originate from trusted sources and leverage legitimate processes. ### The Uber Data Breach (2022) The Uber breach showcased the limitations of EDR in combating sophisticated social engineering: - Attackers used social engineering tactics to compromise an employee's credentials via a phishing attack. - They then bombarded the employee with push notifications for two-factor authentication, which the employee eventually accepted. - This attack bypassed EDR by leveraging legitimate authentication processes and user actions \[7\]. The Uber case highlights how EDR solutions can struggle to differentiate between legitimate user actions and those manipulated by attackers, especially when social engineering is involved. ## Limitations of EDR/XDR in Combating Modern Email Threats ![Phishing mail](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/phishigmail-1725425894235-compressed.png) These examples, among others, reveal several key limitations of EDR and XDR in the face of modern email threats: 1. **Focus on endpoint activity**: EDR and XDR primarily monitor endpoint behavior and system changes. However, many sophisticated email attacks don't leave significant traces on the endpoint until it's too late. 2. **Difficulty detecting AI-generated content**: These solutions struggle to identify the subtle nuances of AI-generated phishing emails or deepfake content. 3. **Challenges with SaaS communications**: Distinguishing between legitimate SaaS platform communications and malicious phishing attempts is extremely difficult for EDR/XDR systems. 4. **Reliance on known patterns**: While EDR and XDR use advanced analytics, they still largely rely on recognizing known malicious patterns or behaviors, making them vulnerable to novel attack techniques. 5. **Cloud email blind spots**: As more organizations move to cloud-based email systems, EDR and XDR solutions may have limited visibility into these environments. ## The Need for Specialized AI-Native Email Security Given these limitations, it's clear that EDR and XDR alone are insufficient to protect against modern email threats. A dedicated, AI-native approach to email security is necessary to complement existing solutions. AI-native email security offers several advantages: 1. **Deep content analysis**: AI can analyze the nuanced content of emails, including writing style and context, to detect sophisticated phishing attempts. 2. **Real-time threat detection**: Machine learning models can identify and respond to novel threats as they emerge, without relying solely on known patterns. 3. **Context understanding**: AI can better understand the context of communications and user behavior, reducing false positives while catching subtle anomalies. 4. **Adaptive policy**: These systems continuously learn and adapt to combat evolving AI-generated attacks and new threat vectors. ## Implementing a Holistic Email Security Strategy To effectively protect against modern email threats, organizations need a holistic approach that combines the strengths of EDR/XDR with specialized AI-native email security: 1. **Layered defense**: Use EDR/XDR for broad endpoint protection while employing AI-native solutions for deep email content analysis. 2. **Integration**: Ensure that email security solutions can share threat intelligence with EDR/XDR platforms for a coordinated response. 3. **User education**: Complement technical solutions with ongoing user training to recognize sophisticated phishing attempts and other email-based threats. 4. **Continuous assessment**: Regularly evaluate the effectiveness of your email security strategy against the latest threats and adapt as necessary. ## Conclusion The SolarWinds and Uber attacks serve as stark reminders that even the most sophisticated EDR and XDR solutions can fall short in the face of modern email threats. As attack techniques continue to evolve, leveraging AI, exploiting trust in SaaS platforms, and employing advanced social engineering, organizations must recognize the limitations of relying solely on EDR/XDR for email security. By complementing EDR/XDR with AI-native email security solutions, organizations can build a more robust defense against the ever-evolving spectrum of email-based threats. As email continues to be a primary attack vector for an increasingly diverse range of threats, a specialized and adaptive approach to email security is not just beneficial – it's essential for maintaining a strong security posture in today's digital landscape. ## References ​ [\[1\] Gartner, "Market Guide for Extended Detection and Response," 2021.](https://www.gartner.com/en/documents/4007995) ​ [\[2\] Brundage, M. et al., "The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation," 2018.](https://arxiv.org/pdf/1802.07228) ​ [\[4\] FBI, "Internet Crime Report 2020," 2021.](https://www.cybereason.com/blog/fbi-pegs-2020-cybercrime-costs-at-4-billion#:~:text=In%20its%20Internet%20Crime%20Report,year%20estimated%20at%20%244.1%20billion.) ​ ​ [\[5\] ENISA, "Threat Landscape 2021," 2021.](https://www.isaca.org/resources/isaca-journal/issues/2023/volume-2/enisas-threat-landscape-and-the-effect-of-ransomware) ​ ​ [\[6\] FireEye, "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor," 2020.](https://cloud.google.com/blog/topics/threat-intelligence/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor) ​ ​ [\[7\] Uber, "Uber Response to Cybersecurity Incident," 2022.](https://www.uber.com/newsroom/security-update) ​ --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## CEO Impersonation Fraud: A Case for Context-Aware Email Security Published: 2024-08-30 Category: Case Study Category URL: https://ravenmail.io/blog/category/case-study Tags: Context-Aware Email Security, CEO Impersonation, BEC Attack Tag URLs: Context-Aware Email Security (https://ravenmail.io/blog/tag/context-aware-email-security), CEO Impersonation (https://ravenmail.io/blog/tag/ceo-impersonation), BEC Attack (https://ravenmail.io/blog/tag/bec-attack) URL: https://ravenmail.io/blog/ceo-impersonation ## Introduction In an era where digital communication reigns supreme, email remains a critical tool for business operations. However, it's also become a prime vector for sophisticated cyberattacks [(see demo here)](https://ravenmail.io/blog/attack-demo-how-attackers-can-read-inbox-contents-without-getting-inside-clzw7m3gq005f103axz46ie60), with CEO impersonation scams emerging as a particularly costly threat. Despite advances in email security, many organizations find themselves vulnerable to these attacks. The question is: why do traditional email security measures fall short, and what's missing from our defensive strategies? ## Understanding CEO Impersonation Scams CEO impersonation scams, also known as "whaling" or "business email compromise" (BEC) attacks, involve cybercriminals posing as company executives to trick employees into transferring funds or sharing sensitive information. These scams are alarmingly effective, with the FBI reporting that BEC attacks caused over $2.4 billion in losses in 2021 alone. ### Case Studies ![Facebook wire fraud](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2024-08-30-at-10-1724994639269-compressed.png) Let's delve into some high-profile cases that illustrate the sophistication and impact of these attacks: 1. **FACC AG (2016):** This Austrian aerospace parts manufacturer lost a staggering €50 million ($54 million) when scammers impersonated the CEO in emails to the finance department. The attackers crafted convincing emails requesting urgent wire transfers for a supposed acquisition project. The scam was so convincing that it went undetected until after multiple transfers had been made. The fallout was severe: both the CEO and CFO were fired, and the company filed a lawsuit against its auditors. 2. **Ubiquiti Networks (2015):** The U.S.-based tech company specializing in networking technology fell victim to a $46.7 million scam. In this case, the attackers went a step further – they not only impersonated executives but also posed as employees from the company's outside legal counsel. This dual impersonation lent additional credibility to the fraudulent requests, convincing the finance department to make several transfers to overseas accounts. Ubiquiti managed to recover $8.1 million, but still suffered a net loss of $38.6 million. 3. **Crelan Bank (2016):** This Belgian bank became the victim of one of the largest reported CEO fraud cases in Europe, losing €70 million ($75.8 million). The attack involved sophisticated social engineering tactics to impersonate top executives. While details remain limited due to ongoing investigations, the scale of the loss highlights the potential impact of these scams on financial institutions. 4. **Toyota Boshoku Corporation (2019):** The Japanese car parts manufacturer (a member of the Toyota Group) lost $37 million to a BEC attack. In this case, the scammers posed as business partners rather than company executives. They managed to convince an employee to change payment directions for a legitimate transaction, showcasing how these attacks can exploit vulnerabilities in supply chain and vendor relationships. 5. **Facebook and Google Wire Fraud (2013-2015):** Even tech giants aren't immune to these scams. Over a two-year period, Lithuanian national Evaldas Rimasauskas orchestrated an elaborate scheme that defrauded Google of $23 million and Facebook of $98 million. Rimasauskas impersonated Quanta Computer, a legitimate Asian hardware manufacturer that both tech companies regularly did business with. He sent fake invoices and forged contracts, complete with falsified corporate stamps, to add authenticity to his requests. The scheme's longevity – running for two years before detection – highlights how convincing these scams can be. Rimasauskas was eventually arrested in 2017, extradited to the U.S., and sentenced to 5 years in prison. 6. **Nikkei (2019):** The Japanese media company Nikkei fell victim to a BEC scam that cost them $29 million. An employee of Nikkei's U.S. subsidiary was tricked into transferring the money to a bank account purportedly belonging to a business partner. The scammer impersonated a Nikkei management executive, showcasing how these attacks often exploit the hierarchical nature of corporations. 7. **Pathé (2018):** The French cinema company lost over €19 million ($21.5 million) to a BEC scam. Scammers impersonating the company's CEO convinced the CFO and another executive to make several large transfers for a supposed confidential acquisition. The company only discovered the fraud after the third transfer. Both executives were initially fired but later exonerated in court, highlighting the complex aftermath these scams can create within an organization. These cases underscore several key points about CEO impersonation scams: - **Scale of financial damage:** Losses range from tens to hundreds of millions of dollars. - **Vulnerability of large, tech-savvy companies:** Even organizations with substantial cybersecurity resources can fall victim. - **Sophisticated methods:** Attackers combine technical skills with social engineering, often conducting detailed research on their targets. - **Global nature of the threat:** Companies worldwide are at risk, regardless of industry or location. - **Potential for reputation damage and leadership changes:** These incidents can lead to firings, lawsuits, and significant corporate upheaval. - **Challenges in fund recovery and legal prosecution:** While some funds may be recovered, companies often face substantial net losses, and bringing perpetrators to justice can be a complex, international effort. As we can see from these examples, traditional email security measures often fail to prevent these attacks. In the next section, we'll explore why these measures fall short and identify the critical missing piece in most organizations' defenses. ## Traditional Email Security Measures: Necessary But Not Sufficient Most organizations rely on a standard set of email security tools: 1. Spam filters to block unwanted bulk emails 2. Antivirus software to detect malware 3. Email authentication protocols like SPF, DKIM, and DMARC to verify sender domains While these measures are essential for blocking a wide array of threats, they operate without specific organizational context. They can verify that an email comes from a legitimate domain, but they can't determine if the content of that email is appropriate or expected within the organization's normal operations. ### The Critical Missing Piece: Organizational Context ![RavenMail Context Awareness](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/context-awareness-1724995593819-compressed.png) The key element that traditional email security lacks is organizational context. But what exactly does this mean? Organizational context encompasses: - Understanding of company structure, processes, and communication patterns - Knowledge of key personnel and their roles - Awareness of ongoing projects and typical financial transactions - Understanding of internal & external threat landscape and intelligence This context matters because it helps distinguish between legitimate and fraudulent requests, enables detection of anomalies in communication style or content, and allows for validation of unusual or high-stakes requests. Consider the FACC case mentioned earlier. A system with proper organizational context would have flagged several anomalies: 1. An unusual request for a large wire transfer 2. An acquisition project that wasn't part of known company plans 3. Potentially, a communication style that didn't match the CEO's typical emails ### Why Traditional Methods Fall Short in Providing Context Traditional email security methods focus primarily on technical indicators rather than content and context. They check for malware, bad links, or spoofed addresses, but not the appropriateness of the request itself. Here's why this approach is insufficient: 1. **Inability to understand communication patterns:** They can't detect if a supposed CEO's email style differs from their norm. 2. **Lack of integration with business processes:** There's no awareness of typical approval chains or transaction procedures. 3. **Absence of real-time learning and adaptation:** These systems can't evolve with changing organizational dynamics. 4. **Over-reliance on predefined rules:** Rigid rule sets can't account for the nuanced and evolving nature of business communications. ## Conclusion Traditional email security measures play a vital role in protecting organizations from a wide array of threats. However, their lack of organizational context leaves a critical gap that sophisticated attackers exploit through CEO impersonation scams. By incorporating solutions and practices that account for the unique context of your organization — its structure, processes, and communication norms — you can significantly enhance your defenses against these costly attacks. Remember, in the world of email security, context isn't just helpful — it's essential. --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## SaaS-to-SaaS Phishing: The Hidden Threat in Your Email Security Published: 2024-08-27 Category: Threat Landscape Category URL: https://ravenmail.io/blog/category/threat-landscape Tags: Supply Chain Attacks, SaaS-to-SaaS Phishing, Context-Aware Email Security, SaaS Exploits Tag URLs: Supply Chain Attacks (https://ravenmail.io/blog/tag/supply-chain-attacks), SaaS-to-SaaS Phishing (https://ravenmail.io/blog/tag/saas-to-saas-phishing), Context-Aware Email Security (https://ravenmail.io/blog/tag/context-aware-email-security), SaaS Exploits (https://ravenmail.io/blog/tag/saas-exploits) URL: https://ravenmail.io/blog/saas-to-saas-phishing-the-hidden-threat-in-your-email-security ## Introduction In today's rapidly evolving digital landscape, businesses are increasingly relying on Software-as-a-Service (SaaS) solutions to drive efficiency and productivity. A recent study by BetterCloud reveals that organizations now use an average of [110 SaaS applications](https://www.bettercloud.com/resources/state-of-saasops/), a number that has skyrocketed in recent years. While this proliferation of SaaS tools offers numerous benefits, it has also significantly expanded the attack surface for cybercriminals. One particularly alarming trend is the rise of **SaaS-to-SaaS phishing attacks**. These sophisticated exploits leverage the interconnected nature of SaaS ecosystems to compromise entire networks of applications through a single point of entry. As organizations continue to adopt more SaaS solutions, the need for robust email security has never been more critical. ## The SaaS Explosion and Its Security Implications The adoption of SaaS solutions has been nothing short of revolutionary. Gartner predicts that the global SaaS market will reach $195 billion by 2025, underscoring the growing dependence on cloud-based applications. Here are some statistics: - 70% of business applications are now SaaS-based - The average employee uses 36 cloud services at work This extensive use of SaaS applications creates a complex web of interconnected services, each potentially serving as an entry point for attackers. ![Docusign phishing](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/docusign1-1-1724730022839-compressed.webp) DocuSign Phishing Mail (Credits: Team Ascend) ### The Mechanics of SaaS-to-SaaS Phishing Unlike traditional phishing attacks that typically aim to steal credentials or [deploy malware,](https://ravenmail.io/blog/how-a-phishing-email-disrupted-the-upi-and-atm-services-in-india) SaaS-to-SaaS phishing exploits the trust relationships between integrated SaaS platforms. Here's how a typical attack might unfold: 1. The attacker sends a phishing email impersonating a legitimate SaaS provider. 2. An unsuspecting user clicks on a link and enters their credentials on a fake login page. 3. The attacker uses these credentials to access the compromised SaaS account. 4. Leveraging OAuth connections and API integrations, the attacker moves laterally to other connected SaaS applications. 5. Sensitive data is exfiltrated or further malicious actions are taken across multiple platforms. ### The Inadequacy of Traditional Email Security Many organizations have implemented email security solutions, but these tools are often ill-equipped to handle the nuanced threats posed by SaaS-to-SaaS phishing attacks. The limitations include: 1. Limited visibility into SaaS integrations and OAuth permissions 2. Inability to detect sophisticated impersonation tactics 3. Lack of post-delivery protection 4. Insufficient context awareness of SaaS ecosystems in the organisation 5. Reliance on static, rule-based systems that can't keep pace with evolving threats A study by [Ponemon Institute](https://ponemonsullivanreport.com/2022/08/email-data-loss-prevention-the-rising-need-for-behavioral-intelligence/) found that 65% of IT and security professionals believe their current email security solutions are ineffective against advanced email threats, including those targeting SaaS applications. ## Real-Life Case Studies of SaaS-to-SaaS Phishing ![Altassian phishing](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/atlasian-scam-1724730119669-compressed.jpg) Atlassian Phishing Mail (Credits: Atlassian User Community User Kangaroo) To illustrate the severity of these threats, consider the following recent incidents: 1. ​ [The Zoom Credential Harvesting Campaign (2020)](https://cloudsecurityalliance.org/blog/2022/03/13/an-analysis-of-the-2020-zoom-breach): Attackers exploited the surge in Zoom usage during the pandemic, compromising thousands of corporate user credentials and potentially breaching multiple connected SaaS platforms. 2. The Microsoft 365 to Salesforce Attack (2021): Cybercriminals compromised Microsoft 365 accounts and manipulated OAuth permissions to access Salesforce instances, leading to significant data breaches across organizations. 3. The DocuSign Supply Chain Attack (2022): Attackers gained access to DocuSign accounts and exploited integrations with tools like Google Workspace and Dropbox, resulting in unauthorized document alterations and data leaks. 4. The Slack to GitHub Breach (2023): Threat actors compromised Slack accounts and exploited Slack-GitHub integrations, leading to source code theft and potential injection of malicious code into repositories. 5. The HubSpot CRM Exploit (2022): Cybercriminals accessed HubSpot accounts and leveraged integrations with email marketing and customer support platforms, launching further phishing campaigns and accessing sensitive customer communications. ## The Impact of SaaS-to-SaaS Phishing The consequences of these attacks can be severe and far-reaching for organizations. Here are the top five impacts: 1. **Widespread Data Breaches:** A single point of entry can lead to extensive data loss across multiple interconnected SaaS platforms, exposing sensitive information and intellectual property. 2. **Significant Financial Losses:** Organizations face direct costs from theft or fraud, as well as expenses related to incident response, recovery efforts, and potential regulatory fines. Long-term financial impacts can result from reputational damage and customer churn. 3. **Operational Disruption and Productivity Loss:** Critical SaaS applications may face downtime during investigation and recovery, disrupting core business processes and resulting in significant productivity losses. 4. **Reputational Damage and Loss of Trust:** Data breaches and compromised communications can severely damage an organization's reputation, leading to loss of customer trust, negative media coverage, and potential loss of business opportunities. 5. **Cybersecurity Resource Drain and Long-term Security Implications:** Responding to these attacks can overwhelm security teams, necessitate substantial investments in new security measures, and require extensive audits and reconfigurations of SaaS ecosystems. ## The Need for Enhanced Email Security To effectively combat the rising threat of SaaS-to-SaaS phishing, organizations need to adopt more comprehensive email security solutions that: 1. Provide deep visibility into SaaS integrations and OAuth permissions 2. Employ advanced AI and machine learning to detect subtle signs of impersonation 3. Offer continuous post-delivery monitoring and remediation capabilities 4. Understand the context of SaaS ecosystems and user behaviors 5. Utilize dynamic, adaptive security measures that evolve with emerging threats ## Conclusion As businesses continue to embrace SaaS solutions, the attack surface for cybercriminals expands proportionally. SaaS-to-SaaS phishing represents a significant and growing threat that traditional email security measures are ill-equipped to handle. One of the primary reasons traditional email security fails to protect against SaaS-to-SaaS phishing attacks is its **lack of context-awareness**. These conventional solutions often operate in isolation, unable to understand the complex interrelationships between various SaaS applications, user behaviors, and organizational workflows. This lack of contextual understanding leaves organizations vulnerable to sophisticated attacks that exploit the interconnected nature of modern SaaS ecosystems. To effectively combat these threats, organizations must invest in advanced email security solutions that go beyond simple rule-based filtering. These next-generation solutions should offer: 1. Deep context-awareness of the entire SaaS ecosystem 2. Real-time analysis of user behaviors and application interactions 3. Understanding of normal vs. anomalous patterns in SaaS usage 4. Ability to detect subtle signs of impersonation and unauthorized access attempts 5. Continuous monitoring and adaptive response capabilities By adopting such context-aware security measures, organizations can significantly enhance their ability to detect and prevent SaaS-to-SaaS phishing attacks. This approach allows security systems to understand not just the content of emails, but also the broader context in which they occur, including the relationships between different SaaS applications, user roles, and typical workflow patterns. As the SaaS ecosystem continues to grow in complexity, our approach to securing it must evolve accordingly. Context-aware email security represents a crucial step forward in protecting organizations against the increasingly sophisticated and interconnected threats of the modern digital landscape. By prioritizing this aspect of cybersecurity, businesses can ensure that the benefits of SaaS adoption are not overshadowed by increased security risks, allowing them to leverage the full potential of cloud-based technologies safely and confidently. --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## Attack Demo: How attackers can read inbox contents without getting inside Published: 2024-08-16 Category: Demo Category URL: https://ravenmail.io/blog/category/demo Tags: red team exercise, email security Tag URLs: red team exercise (https://ravenmail.io/blog/tag/red-team-exercise), email security (https://ravenmail.io/blog/tag/email-security) URL: https://ravenmail.io/blog/attack-demo-how-attackers-can-read-inbox-contents-without-getting-inside-clzw7m3gq005f103axz46ie60 You read that right, you don't need to log inside your inbox to read the contents. There are ways for attackers to snoop what's happening on your account without being detected. In this blog we want to show how this is done and address the following questions with a demo - What can the attacker do once they gain an initial access of the admin? - How the attackers can understand the context of the organisation before launching a targeted attack (similar to the [Jenkin's server attack](https://ravenmail.io/blog/how-a-phishing-email-disrupted-the-upi-and-atm-services-in-india) on Indian payment systems) - How do attackers exfiltrate sensitive documents as part of corporate espionage or to be sold in dark web? ## Reconnaissance Activities Attackers often gather information before finalising the right method to infiltrate the organisation. According to [MITRE Framework](https://attack.mitre.org/tactics/TA0043/), Reconnaissance (TA0043) involves methods where adversaries actively or passively collect information that can assist in their targeting efforts. This data may include specifics about the victim's organization, infrastructure, or personnel. Adversaries can use this information to facilitate other stages of their attack lifecycle, such as planning and executing Initial Access, prioritizing goals after a compromise, or guiding further Reconnaissance activities. The following scenarios are used in the reconnaissance phase using email as an entry point - Understand who are the key personnel - admins, CXOs, finance team IDs - Understanding the tooling ecosystem - SaaS, Infra, Security - Monitor vendor payment cycles, bank accounts details - Search for sensitive information - passwords, documents, keys ## Overview of the demo ![RavenMail: Demo Attack flow](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/screenshot-2024-08-16-at-11-1723788732785-compressed.png) In this flow, we start with find credentials or sessions sold in dark web and using that how to use off-the shelf tools like Graph Runner to steal confidential info. ## Graph Runner Capabilities Used Source: https://github.com/dafthack/GraphRunner - Search and export email.- RNC240816087451 - Search and export SharePoint and OneDrive files accessible to a user - Search all Teams chats and channels visible to the user and export full conversations - Deploy malicious apps - Discover misconfigured mailboxes that are exposed - Clone security groups to carry out watering hole attacks - Find groups that can be modified directly by your user or where membership rules can be abused to gain access - Search all user attributes for specific terms - Leverage a GUI built on the Graph API to pillage a user's account - Dump conditional access policies - Dump app registrations and external apps including consent and scope to identify potentially malicious apps - Tools to complete OAuth flow during consent grant attacks - GraphRunner doesn't rely on any third-party libraries or modules - Continuously refresh your token package ## Attack demo using Graph Runner ## How to detect these of attacks? This attack vector completely sits outside email security filters in the traditional sense, the following detection logics can be used at the IAM layer and the mail security layer to discover these attacks. - Auto-fowarding logic - Privilege escalation - Mail send & immediate sent mail deletion alert - Dark web monitoring alerts --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## How a phishing email disrupted the UPI & ATM services in India Published: 2024-08-07 Category: BFSI Category URL: https://ravenmail.io/blog/category/bfsi Tags: phishing, Software exploit, BFSI, Ransomware Tag URLs: phishing (https://ravenmail.io/blog/tag/phishing), Software exploit (https://ravenmail.io/blog/tag/software-exploit), BFSI (https://ravenmail.io/blog/tag/bfsi), Ransomware (https://ravenmail.io/blog/tag/ransomware) URL: https://ravenmail.io/blog/how-a-phishing-email-disrupted-the-upi-and-atm-services-in-india ## Background On 31 July 2024, the National Payments Council of India (NPCI) issued a [press release](https://www.npci.org.in/PDF/npci/press-releases/2024/NPCI-Press-Release-Interruption-in-Retail-Payments.pdf?TSPD_101_R0=08d1fc67a6ab2000d7ed6bc1f97ff803176616f4148ed6a3f20aa22e05800755a1de50a0650de76408e32e9822143000cf586ae75fde81a3dd75d76debc567c6b6602fa366661aa40a6c01fa8e45ae4f1de07f1792e68404c2fa6770df18fe88) about a possible ransomware attack on a TSP (Technology Service Provider) serving over 300 banks in India, impacting UPI and ATM services for retail customers. ![NPCI statement](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/1722503428432-1723007556429-compressed.png) It was prudent of NPCI to isolate the TSP's processor and proactively issue a statement, thereby averting a major issue. There was extensive coverage in mainstream media, which you can read about [here](https://www.firstpost.com/tech/cybersecurity-experts-reveal-what-exactly-happened-in-the-ransomware-attacks-that-took-down-300-banks-13799726.html), [here](https://www.csoonline.com/article/3480250/over-300-indian-banks-suffer-payment-disruption-from-ransomware-attack.html) & [here](https://economictimes.indiatimes.com/industry/banking/finance/banking/small-indian-banks-back-online-after-ransomware-attack-payments-authority-says/articleshow/112201261.cms?from=mdr) . The forensics, led by [CloudSEK](https://www.cloudsek.com/blog/major-payment-disruption-ransomware-strikes-indian-banking-infrastructure) , indicated that the attack on Brontoo Technology Solutions was traced to the [RansomEXX](https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx) group India's leading cybersecurity advisory body, CERT-In, issued a [vulnerability note](https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0232) seven days later. ## Top 10 Things About the RansomEXX (aka Defray777) Group 01. They have been active since 2018, usually targeting high-profile government institutions, healthcare, telecom, and banking sectors. 02. They are known to target victims through spear-phishing emails, using stolen credentials of exposed applications. 03. In 2021, they launched a newer variant to expand their footprint from Windows to Linux-based servers 04. They specialize in using "In-Memory" or "Fileless" execution methods to evade traditional screening and forensic techniques. 05. They are known to extract passwords, tokens, secrets from in-memory - using tools like Mimikatz 06. They add a personal touch to their ransom notes and artifacts. 07.  They use advanced encryption techniques like RSA-4096 to encrypt payload keys (it takes 4-14 years to crack this!). 08. Their version 1 exploited macros in Microsoft Office documents that downloaded a trojan to run its malicious DLL. 09. They targeted a legal firm with a malicious payload delivered via a steganography technique embedded in a PNG file. 10. The latest attack on banking infrastructure in India targeted an exploit in the Jenkins server. The access to the server could have been sold by an IntelBroker or acquired through a payload delivered via a phishing email. ## How Attackers Gained Access to the Jenkins Server via an Attachment ![Attack chain ](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/attack-chain-1723110648261-compressed.png) ​ The RansomEXX attack on the Jenkins server likely began with a carefully crafted phishing campaign. Attackers sent emails to targeted individuals within the organization, particularly those who had access to critical systems or administrative privileges. > The email appeared to come from a trusted source, perhaps a colleague or a known business partner. It contained an urgent message designed to elicit a quick response, such as an invoice that needed immediate attention or a security alert that required action. > The email included an attachment, often a document such as a Word file, PDF, or Excel spreadsheet. The document contained a malicious macro or embedded script. ### **The Role of Email in RansomEXX Attacks** Emails are a critical vector in the initial stages of RansomEXX attacks. Here’s how email plays a role: - **Phishing Emails:** Attackers craft phishing emails that appear to come from trusted sources, such as colleagues, partners, or well-known companies. These emails often contain urgent messages that prompt the recipient to click on a link or open an attachment. - **Malicious Attachments:** The attachments may be disguised as legitimate documents (e.g., invoices, reports) but contain malicious macros or embedded scripts that execute the ransomware upon opening. - **Malicious Links:** Links within the email may direct the recipient to a compromised website or a website designed to look legitimate. These sites can host exploit kits or prompt the download of a malicious file. - **Spear Phishing:** More targeted phishing emails, known as spear phishing, are directed at specific individuals within the organization, often those with higher levels of access or authority, making them more effective. ### Possible Connection with the Income Tax Filing Season July happens to be the month of income tax filing for employees. This situation has been exploited in the past by the use of Microsoft Word documents with macros that unleash the Trojan.W97M.CVE202140444.A or TrojanSpy.Win32.ICEDID.BP in Windows systems (e.g., reference file name used: Income\_tax\_and\_benefit\_return.docx). Once the recipient opened the attachment, the embedded malicious code was executed, leading to macro execution and payload delivery. ### Gaining Access to Jenkins With the initial payload delivered and executed, the attackers gained a foothold in the network. They used this access to move laterally and escalate their privileges until they reached the Jenkins server. With access to Jenkins, the attackers deployed the RansomEXX ransomware. Jenkins' role as an automation server made it an ideal platform to distribute the ransomware payload quickly and effectively across the organization’s infrastructure. The ransomware was executed, encrypting critical files and systems connected to Jenkins. This caused widespread disruption, as automated build and deployment pipelines were halted, and encrypted data became inaccessible. The attack culminated in the display of a ransom note, demanding payment in cryptocurrency in exchange for the decryption keys. The note often included threats of data leakage if the ransom was not paid, adding pressure on the organization to comply. ![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/ransommail-1723111560894-compressed.png) ## **Conclusion** The RansomEXX attack is a stark reminder of the evolving threat landscape in cybersecurity. Organizations must be proactive in their defense strategies, including regular employee training on recognizing phishing attempts, implementing robust security protocols, and having an incident response plan in place. By understanding the tactics used by attackers and maintaining vigilance, organizations can better protect themselves from the devastating impacts of ransomware. --- This blog is powered by Superblog. Visit https://superblog.ai to know more. --- ## How the 'CrowdStrike episode' exposes the gaps in email security Published: 2024-07-30 Category: Phishing Simulation Category URL: https://ravenmail.io/blog/category/phishing-simulation Meta Title: Are you protected against CrowdStrike Phishing attacks? Meta Description: Deep-dive into how attackers can by-pass existing email security using CrowdStrike Phishing campaigns Tags: phishing, red team exercise, crowdstrike, email security Tag URLs: phishing (https://ravenmail.io/blog/tag/phishing), red team exercise (https://ravenmail.io/blog/tag/red-team-exercise), crowdstrike (https://ravenmail.io/blog/tag/crowdstrike), email security (https://ravenmail.io/blog/tag/email-security) URL: https://ravenmail.io/blog/how-the-crowdstrike-episode-exposes-the-gaps-in-email-security-clz8bmyzp003p27xkwl2p5n8z ![Crowdstrike phishing](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/falconcompressed-1722417573107-compressed.jpg) > This long-form has been authored by our Red Team members at RavenMail. The use of logos and brand names are meant for educational purposes only. It's been a busy week at the [RavenMail](https://ravenmail.io?utm_source=blog&utm_medium=link&utm_campaign=crowdstrike) HQ where our Red Teams were unpacking the possible fallout of the CrowdStrike episode. Given the [size of the impact](https://blogs.microsoft.com/blog/2024/07/20/helping-our-customers-through-the-crowdstrike-outage/), it is very lucrative for any Threat Actor (TA) to take advantage of the situation. Anyone in the business of email security should have seen what's about to be unleashed. Hours after the incident, [James Spiteri](https://gist.github.com/jamesspi) of whichphish.com released a [list of 200 URLs](https://gist.github.com/jamesspi/06f2755ab781bb085388784cf7b64208) that can be potentially used for malicious purposes. We will delve into the details of the CrowdStrike event exploring how threat actors have manipulated the scenario to target unsuspecting users and why email security products failed to protect from such attacks. ## The CrowdStrike Incident: A Brief Overview On July 19, 2024, [CrowdStrike](http://crowdstrike.com/), a leading cybersecurity firm, encountered an issue where a sensor configuration update of their Falcon Platform triggered a system crash, leading to a Blue Screen of Death (BSOD) on affected Windows systems. The update, aimed at enhancing the Falcon platform's protection mechanisms, inadvertently introduced a logic error causing the disruption. Although swiftly rectified within a couple of hours, this incident garnered significant attention across the cybersecurity community. ## Malicious Actors' Exploitation Tactics Taking advantage of the widespread concern and urgency surrounding the CrowdStrike incident, Threat Actors (TA) devised various email phishing schemes to exploit the situation. Here’s a breakdown of some prevalent tactics observed: ### 1. **Impersonation of CrowdStrike** Phishers often masquerade as trusted entities to lure victims into their traps. In this case, emails purportedly from CrowdStrike support teams were crafted to appear legitimate. These emails typically contained urgent calls to action, such as: - **Fake Security Alerts:** Emails warning recipients of the BSOD issue and urging them to download and apply a "critical patch" via an attached file or link. - **Update Notifications:** Messages claiming to provide official updates or additional information on the incident, directing users to malicious websites designed to steal credentials or deliver malware. ### 2. **Spoofed Internal Communications** - Attackers also simulated internal company communications, targeting employees of organizations known to use CrowdStrike services. Examples include: - **IT Department Memos:** Phishing emails mimicking internal IT department notices, instructing employees to update their systems or verify their credentials to ensure protection against the reported issue. - **Executive Directives:** Spoofed emails appearing to come from company executives, emphasizing the urgency of the situation and directing staff to follow specific steps to mitigate the risk. ### 3. **Social Engineering Attacks** Social engineering remains a cornerstone of effective phishing campaigns. In the context of the CrowdStrike incident, attackers leveraged psychological manipulation, including: - **Fear and Urgency:** Crafting messages that instill fear about the potential impact of the BSOD issue, prompting immediate, often irrational responses from recipients. - **Technical Jargon:** Using complex technical language to create an illusion of authority and legitimacy, convincing recipients that the instructions are credible and must be followed without question. ### Examples of Phishing Emails Below are some examples (only body content) of the phishing emails observed during this period: 1. **Fake Security Alert:** > Subject: URGENT: Apply Critical Patch to Avoid System Crash > > Dear User, > > Due to a recent update issue with CrowdStrike, we have identified a critical vulnerability that could cause your system to crash. Please download and apply the patch from the link below immediately to secure your system. > > \[Download Patch\] > > Regards, > > CrowdStrike Support Team​ **2\. IT Department memo:** > Subject: Immediate Action Required: System Update > > Attention All Staff, > > Our security team has been alerted to an issue with CrowdStrike's recent update. Please visit the following link to verify your system's status and apply necessary updates. > > \[Verify System\] > > Thank you, > > IT Department 3\. Executive Directive > Subject: Important Security Update from CrowdStrike > > Dear Team, > > In light of the recent CrowdStrike incident, it is imperative that all employees update their systems to prevent any potential disruptions. Follow the instructions in the attached document to complete the update process. > > Regards, > > \[Executive Name\] ## How we simulated the scenario and were able to compromise accounts ### The approach 1. Victim or employee receives the email 2. Victim/employee should be convinced that the email is legit 3. Should download the pdf file which contains the instructions to update the patch 4. A download link is present in the pdf file which takes the victim to the Malicious or Fake login portal with Cloudflare’s JavaScript protection making it look more legit. 5. The credentials and the session of the user are captured, which will be used for other scenarios. ### Setting up the phish infra For the Phishing simulation to be successful we need a domain which is similar to Crowd strike. Example domain names which are used for phishing [link](https://gist.github.com/jamesspi/06f2755ab781bb085388784cf7b64208), set up sub-domains that look like support teams. 1. We acquired domains via 1. Name cheap 2. GoDaddy 2. We acquired VPS via 1. Digital Ocean 2. AWS 3. Azure 3. We set up web mailing service via 1. Mail gun 2. SendGrid 4. Use basic developer capabilities for 1. SSL certs 2. Code Signing 5. Phish kits from Evilgink 6. Content generated by ChatGPT ![Crowdstrike phishing set up](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/phishingsetup-1722419467502-compressed.png) ### Obfuscating the phishing infrastructure hosting Directly hosted servers are ideal for vulnerability screening and blacklisting because they can be easily identified by defense monitoring systems (e.g., VirusTotal). Automated scanning programs that analyze traffic patterns to and from these servers can reveal malicious activity and the nature of the operations. Setting up redirectors are necessary to mask our infrastructure's IP addresses so it could not be easily traced and making it anonymous. To improve chances of success on Social Engineering engagements, we protected our Evilginx server from being marked as dishonest by combining Cloudflare and HTML Obfuscation. The warning 'Deceptive site ahead' is a common sight for anyone who has attempted to run a Social Engineering campaign. ![Dangerous site warning](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/dangeroussite-1722419702794-compressed.png) We set up Cloudflare in under attack mode and bot fight mode so we get a temporary protection which prevents our domain from getting blacklisted or marking the domain as dangerous site \[deceptive site ahead\]. ![Cloudflare set up under attack mode](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/cloudflare-1722420634741-compressed.png) ### Geo Blocking link scanners This is another effective way to block the web scrappers and link scanners that could happen across your infrastructure is restricting access by the geographical location. Below is a sample screen shot that shows how many unauthorized request that are trying to access the domain and getting blocked by the rule. ![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/geo-1722420745006-compressed.png) Using Java script Challenge when ever a user visits the domain or our malicious link. Below is the sample image showing the interactive challenge. ![JS challenge](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/jschallenge-1722421032303-compressed.png) On successful interaction with the challenge, the users or victim is then redirected to the malicious link where the landing page is hosted. ![Crowstrike landing page](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/phishlandingpage-1722421236565-compressed.png) ### Enhancing email delivery with MailGun and Gophish: We used a robust email service that provides reliable delivery for bulk emails and SMTP credentials for sending an email. With the help of Gophish and Mailgun and some configs we can send the email to our victim’s inbox which basically reduces the pain in creating our own SMTP servers. Below is the sample of the phishing email sender and the convincing email template generated by ChatGPT > Dear employee, > > We hope this message finds you well. > > We are writing to inform you about a critical update for the CrowdStrike security patch. It is essential to install this patch to ensure the continued protection of our systems and data. > > CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This was not a cyberattack. > > The issue has been identified, isolated, and a fix has been deployed. > > We are referring customers to update their Windows servers as soon as possible through the attached tool to avoid disruptions! > > We further recommend organizations ensure they're communicating with CrowdStrike representatives through official channels. > > Our team is fully mobilized to ensure the security and stability of CrowdStrike customers. > > We understand the gravity of the situation and are deeply sorry for the inconvenience and disruption. > > We are working with all impacted customers to ensure that systems are back up and they can deliver > > the services their customers are counting on. > > Obviously, the consequences of any failure to update the system and disruption will be the responsibility > > of the organization's IT manager. > > Please follow the instructions in the below pdf to update Windows > > you can download a PDF document containing detailed steps for the installation process. > > We appreciate your prompt attention to this matter to maintain our cybersecurity defenses. Should you > > have any questions or require assistance, please do not hesitate to contact the IT support team. > > Thank you for your cooperation. > > Please do not reply to this email. For further assistance, contact the IT support team. ## The execution **Email Subject &Sender Name** ![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/subject-1722421605571-compressed.png) **Email Body** ![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/emailbody-1722421647473-compressed.png) **Attachment Overview** ![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/attachment-1722421682142-compressed.png) **Attachment Content** ![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/content-1722421730267-compressed.png) ![](https://prod.superblogcdn.com/site_cuid_clz6pkbqj00ah13rs8x5o0thf/images/content2-1722421747091-compressed.png) ## The Result With this we were able to directly land in the user's inbox across Google Workspace & M365 using 3P email security layers. We used all attack vectors in this campaign and still landed in the users inbox. - Sender reputation & infra scanning - Spoof a look-like domain of a major security company - Able to convincingly write mails in context to what's happening across the world - Pass attachment scanners - Pass URL scanning within attachment In Part 2 we will deep dive on the why some emails get past the security engines and why we need to rethink email security from first principles --- This blog is powered by Superblog. Visit https://superblog.ai to know more. ---