RT @0xDanielLopez: TweetFeed is back again! 🔥. After some months paused, I could bring it back to life (thanks to @phage_nz). ✓ TweetFeed c….

Am feeling very fortunate to be a part of the Alpha class for this. The authors are all top of their game and the huge amount of effort they've put into the content certainly shows. Looking forward to day 2!.

Join millions who have switched to Grok.

RT @inversecos: APT Emulation Labs: NOW LIVE 🎉. Solve incidents emulating APT29, APT10 and other threat groups. $45 per month access to….

The attack surface of on-prem Exchange paired with the extensive domain privileges held by it is something that has always troubled me. I've come to figuratively consider it as "Tier 0b". There is some solid advice here on how to best manage it:

I'm a huge fan of using Obsidian for everything from a knowledgebase through to a shopping list. @Bank_Security has done a great job in this post of showing how effective it can be as a CTI tool:

AITM phishing. PDF links to the Cloudflare protected kit through DoubleCick and Baidu redirects. Common indicators: 24x7bus[.]com eviva13[.]com httpbin[.]org adfs.heart[.]org and sign-in's observed using Surfshark and Proxy-Seller IP's.

RT @0xDanielLopez: 🎉 #TweetFeed is back! 🎉. After some months, I could bring it back to life again!. Easily grab IOCs shared by the #infose….

While the technique has been known of for a while, there's a growing trend of BEC using Dynamics 365 Customer Voice as a landing. Example: customervoice[.]microsoft[.]com -> CF worker - > evans-dixon[.]homes or oil-marketings[.]com Sample:

RT @MsftSecIntel: Microsoft has identified new Qakbot phishing campaigns following the August 2023 law enforcement disruption operation. Th….

RT @BushidoToken: 🆕 Top 10 Cyber Threats of 2023! . While you're rockin' around the TTPs 🎄 Grab a mince pie 🥧 and have a look back over the….

Pikabot. Thread hijacking > ZIP > JS+TXT > curl > DLL. Payload: hXXp://167.235.241[.]120/jogX/centr C2: 154.221.30[.]136:13724 136.244.98[.]80:13783 45.76.103[.]152:13720 154.61.75[.]156:2078 Sample:

Remcos RAT. Discord > JS > PowerShell (invokes DLL to download+run another PS1) > PowerShell (invokes DLL to load Remcos payload into a new process) > InstallUtil. wtools[.]io used to host script parts. C2: salwanazeeze.duckdns[.]org:9595 Sample:

Image now hosted at imageupload[.]io and delivering what Triage ID's as zgRAT. Telegram exfil. Payload host: 193.42.33[.]51 Sample:

IcedID. Reviving old tricks. danceharddiehard[.]com > 1azure[.]com > ZIP > ISO > LNK > BAT > rundll32. C2: mistulinno[.]com (as seen in the campaign detailed by @Cryptolaemus1 this morning) Sample:

Similar samples from today. Telegram exfil. VBS:

Very similar to this campaign reported by Blackberry:

Interesting AgentTesla sample. Discord hosted JS > PS (find+replace to form DLer) > PS > DLL (assembled from b64 embedded in hosted image) > Payload DLL (assembled from b64 hosted at 193.42.33[.]91). SMTP exfil to: woodenboxfashion[.]com Sample:

IcedID. PDF > ZIP > JS > CMD > Curl > 7Z (PW protected) > DLL. ZIP: hXXps://newssarkari[.]in/directions (via ad68e[.]app[.]goo[.]gl) 7Z: hXXps://gardenconceptstudio[.]pl/wp-includes/js/tinymce/plugins/compat3x/css/5673.7z C2: minutozhart[.]online Sample:

RT @BushidoToken: 🆕 Pleased to share my latest blog for SANS FOR589: Cybercrime Intelligence 👾. We reviewed the latest cybercrime intrusion….

Remcos RAT. URL (komamin[.]net) > ZIP > VBS > PS > ielowutil. Payload: 103.10.68[.]110/zimbra/gVCeM32.bin (opendir).C2: septrem.duckdns[.]org:2424 Sample: