HMRC show the scale of these campaigns - Over 4,600 websites 📈. 🔨And yet they still get stood up, hundreds per day!.

A new cluster sitting on IP: 47.251.127.54

Always remember hunt, pivot, and analyse. Using the right tools allows you to expand your visibility into threats to assess the risk posed and understand the actors behind them.

Notably 2 domains stand out:.fetcetcgovstw[.]top.phlmpost-gov[.]com. These appear to be targeting government bodies within the Philippines. Ones to watch.

The second domain: golbe-phlu3[.]com is again using Cloudflare🌐. This time rather than pattern matching we can look at nameserver overlaps. Looking at the Cloudflare NSs we find more domains all linked. nameserver:(AND

The first domain: globeio-ph[.]com sits behind CloudFlare🌐. 👓We can look at the hostname pattern to allow us to find more linked domains. @urlscanio hunting: 'hostname_dashes:>0 AND hostname: globe*AND tags:apexdomain'

This is a SMS phishing campaign targeting GLOBE a telecoms provider in Philippines 🇵🇭📲📶. ⚠️The Smishing message is injected into the legitimate GLOBE short code flow💉. There are 2 domains seen but there are hundreds more. 📈. 🔎Let's go hunting in @urlscanio ⤵️

I wonder what triggered this public service announcement from the DWP 😁.

@DWPgovuk This group is also targeting UK parking fines and penalty charges. ip:47.251.117.125 AS45102 🇨🇳

@DWPgovuk Another linked IP: 47.251.127.67 . 📈28 more hostnames

@DWPgovuk Some pivoting on the pattern and found another IP linked to this⤵️. 📈40 more hostnames. IP:49.51.135.75 AS132203🇨🇳

Been sent an interesting UK @DWPgovuk smishing message 📲. 🔭URL pattern has been seen 37 other times. All sitting on ip:47.251.59.158 AS45102🇨🇳. 🖥️Interestingly there is a /api directory which is called when the page is loaded. #phishing

Hey @0x6rss can you DM me please! 👍.

We are seeing an increase in QR code overlays in the UK📈🧑🏼‍💻. 💻Interesting domain linked to this campaign . 🌐/payzoneparking.info which redirected to 🌐/payzoneparking.contact. 🔥👀Second image is another campaign and the poster included the person apparently responsible

🔎This is the first case of an RCS spam message that I have seen👀. ⚠️RCS acts like other rich media messaging allowing for media, text & buttons to be embedded into a message. 🇮🇳This is an Indian example but brace for more English language campaigns using RCS📈. #RCS #Phishing

🔒Recommendations:. 1⃣ Secure the entire identity ecosystem.2⃣ Eliminate cross-domain visibility gaps.3⃣ Defend the cloud as core infrastructure.4⃣ Prioritize vulnerabilities with an adversary-centric approach.5⃣ Know your adversary and be prepared

Key highlights:🔦. ☎️Voice phishing up 422%.☁️35% of cloud incidents were through valid accounts.💻The technology sector was the most targeted

🛡️ Defending Against eM Client Abuse:. ✅ Disable IMAP/SMTP where possible.✅ Enforce MFA with app-specific passwords 🔑.✅ Monitor for unauthorized client connections.✅ Educate users on phishing risks 🎓. #CyberSecurity.

Implement Conditional Access: Enforce policies that restrict access based on device compliance or location. User Training: Educate staff about the risks of unauthorized applications. Layered security measures are key to protection.

🔧 Mitigation Strategies.To defend against eM Client exploitation:. Restrict Application Registrations: Limit who can register applications in your environment. Disable Legacy Protocols: Turn off IMAP/SMTP if not required.