
Office 365 Business Email Compromise Attacks

The Office 365 (O365) platform has experienced tremendous growth and there is no sign of that trend slowing. More businesses than ever reside with – or plan to migrate accounts to – the expanding Microsoft Business or Enterprise services. Scammers have taken notice and have crafted simple, effective social engineering attacks targeted at O365 users and sent from compromised O365 accounts.

Since the last quarter of 2017, we have blocked an abnormal quantity of Business Email Compromise attack campaigns. These are a version of man-in-the-middle attacks that exploit the trust a victim places in known contacts. Western African (likely Nigerian) scam groups have improved their social engineering techniques, which ultimately lead to credential theft and financial fraud. Our SecureTide Filtering and Phenomenal Care Support teams have documented data for this attack. The information provided below details the tactical phases of ongoing Office 365 Business Email Compromise attacks and credential harvesting by these scammers.


Trojan Droppers Exploiting Symbolic Link Files

Malicious actors routinely attempt to confuse message recipients with obscure file extensions in order to load malicious files onto the victim's machine.

For most users the .slk file is recognized in Microsoft Office software as an Excel file. However, as detailed here, it is also recognized by other applications across various hardware and mobile platforms. Symbolic Link (.slk) files are designed to link data between spreadsheets and databases. Like Excel .xls/.xlsx files, .slk files also support the ability to execute commands, which attackers abuse to run malicious ones.

Fortunately, with this attack vector the user receives quite a few warnings that should raise red flags before the infection begins. However, few anti-virus engines are catching these attacks.

This blog steps through the chain of infection for one of these malicious .slk trojan droppers and details what users should watch out for.


Update 4/3/2018

We’ve seen an increase in customers reporting email bombs, specifically the Distributed Spam Distraction (DSD) attack, over the past couple of weeks. On Monday, 4/2/2018, 6 different attacks were reported to our teams. Fraudulent Best Buy pickup orders have been a common theme observed during these attacks; however, attackers may carry out any type of identity theft or fraudulent activity. We recommend victims begin monitoring their accounts for any suspicious activity first, then contact us for assistance in mitigating the email bomb.

Original Blog:
Email Bombs Increasing in Frequency

Email bombs are classified in the cyber-security industry as a form of Denial of Service (DoS) attack. When the attack commences, the victim faces an insurmountable volume of messages quickly filling up their mailbox. With enough volume, this effectively renders their mailbox useless. Victims try to make sense of why an avalanche of messages is suddenly filling their account; however, this is no accident.

Motives for the attack vary from revenge to financial fraud. As mentioned in the DSD section of our 2017 Global Security Report, email bombs are usually used to disguise some type of fraudulent activity taking place while the storm of emails distracts the victim. Fraudulent activity observed during these attacks ranges anywhere from unauthorized Russian airline ticket purchases to Apple store orders.

We recommend customers monitor their financial and retail accounts for any suspicious activity first, then contact us for assistance in mitigation.