ioc.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.
INDICATORS OF COMPROMISE (IOC) InfoSec Community within the Fediverse. Newbies, experts, gurus - Everyone is Welcome! Instance is supposed to be fast and secure.


#email

104 posts, 92 participants, 4 posts today

Something happens to me occasionally, and I don't know where to put it in the ridiculous - infuriating - preposterous feelingspace. It happened again today.

Backstory: I'm an email geek, who has been running mail servers for three decades, and who has written a lot of mail-handling software. I've worked as a consultant on email systems for companies large and small.

When you run your own mailservers, have deep experience with MTAs, and are a bit of a privacy nut, you might have a tendency to want to know exactly who does what with your email address when you give it to them. For most people, this desire is just a dream; it's not possible with their email system.

Thanks to a technique semi-related to #VERP - variable envelope return-path, a mailing list feature with the qmail MTA - it's possible for email geeks. Basically the idea is that you give a different email address to everyone you deal with, and keep track of who you gave it to. Then, when you receive email, you can tell from the address the email was delivered *to* - one of your many addresses - where they got your address from.

Example:

Say I own the `example.net` domain. I arrange for all email to that domain to come to me.

I decide to order something online from #CrappyTire (ask a Canadian). When the Crappy Tire website asks for my email address, I type in "crappytire@example.net".

1/x
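The scheme described in the post above, worked through as an added example (this is not the post author's code): a catch-all domain receives everything, the registry records which local part was handed to which party, and an incoming message is attributed by the address it was delivered *to*. The domain `example.net`, the sender domains, the `ISSUED` registry and the three sample messages are constructed for illustration; the "expected sender domain" column is an extension of the idea, not something the post describes.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: all mail for this domain lands in one mailbox (catch-all).
MY_DOMAIN = "example.net"

# Constructed registry (not from the post): local part -> (who was given
# the address, sender domain expected to write to it).
ISSUED = {
    "crappytire": ("Crappy Tire web store", "crappytire.example"),
    "mybank": ("Bank account signup", "mybank.example"),
}


def recipient_local_part(msg):
    """Return the local part of the address at MY_DOMAIN this message reached.

    Delivered-To is stamped by the final MTA from the envelope recipient, so
    it is checked before To:/Cc:, which the sender controls and can forge.
    """
    for hdr in ("Delivered-To", "X-Original-To", "To", "Cc"):
        for _, addr in getaddresses(msg.get_all(hdr, [])):
            local, _, domain = addr.lower().rpartition("@")
            if domain == MY_DOMAIN and local:
                return local
    return None


def attribute(raw_message):
    """Map a raw message to the party that was given its recipient address.

    verdict is one of:
      no-tagged-recipient  - no address at MY_DOMAIN in the headers
      unissued-address     - a local part never handed out (guessed/spammed)
      expected             - sender matches the party the address was given to
      leaked-or-shared     - known address, but someone else is using it
    Caveat: From: is spoofable; in production pair this with the envelope
    sender and the DMARC/SPF result before trusting the sender domain.
    """
    msg = message_from_string(raw_message)
    local = recipient_local_part(msg)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.lower().rpartition("@")[2]
    result = {"address": local, "sender_domain": sender_domain,
              "issued_to": None, "verdict": "no-tagged-recipient"}
    if local is None:
        return result
    # Also tolerate user+tag sub-addressing, the weaker cousin of this scheme.
    issued = ISSUED.get(local.split("+", 1)[0])
    if issued is None:
        result["verdict"] = "unissued-address"
        return result
    who, expected = issued
    result["issued_to"] = who
    if sender_domain == expected or sender_domain.endswith("." + expected):
        result["verdict"] = "expected"
    else:
        result["verdict"] = "leaked-or-shared"
    return result


# Constructed sample messages for the three interesting cases.
LEGIT = """Delivered-To: crappytire@example.net
From: Order Desk <orders@crappytire.example>
To: crappytire@example.net
Subject: Your order has shipped

Thanks for your order.
"""

LEAKED = """Delivered-To: crappytire@example.net
From: Deals <promo@bulkmailer.example>
To: crappytire@example.net
Subject: Hot deals this week

Buy now.
"""

GUESSED = """Delivered-To: info@example.net
From: someone@bulkmailer.example
To: info@example.net
Subject: Hello

Hi.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("leaked", LEAKED), ("guessed", GUESSED)):
        print(name, attribute(raw))
```

Run it and the second message is the interesting one: the address was only ever given to one shop, yet a bulk mailer is writing to it, which is exactly the answer the post is after.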

"Google is updating Gmail to allow enterprise users to send encrypted messages to any inbox in just a few clicks. Google says it’s developed a new encryption model that, unlike the current encryption feature on Gmail, doesn’t require senders or recipients to use custom software or exchange encryption certificates.

The feature is rolling out in beta starting today, and will initially be available for Google enterprise users to send encrypted emails to other Gmail users within the same organization. Google says this will expand to emails sent to any Gmail inbox “in the coming weeks,” and to inboxes from any third-party email provider “later this year.”

Gmail’s current encryption feature, based on the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol, can already be used to send external emails. Doing so requires the recipient to have S/MIME configured and complete multiple steps with the sender before emails can be securely exchanged, however."

theverge.com/news/640422/googl

The Verge · Gmail is making it easier for businesses to send encrypted emails to anyone, by Jess Weatherbed

APT Targets South Korea with Deceptive PDF Lures

The Kimsuky APT group, also known as Black Banshee, has been actively targeting South Korean government entities using evolving tactics. Two distinct campaigns were uncovered, both utilizing government-themed PDF documents as lures. The infection chain begins with a phishing email containing a malicious LNK file attachment, which drops an obfuscated VBA script. This script then deploys additional files, including a PDF and a ZIP containing malicious components. The attacks involve sophisticated techniques such as Base64 encoding, obfuscation, and VM-aware evasion. The malware's functionalities include data exfiltration, cryptocurrency wallet theft, browser data extraction, keylogging, and establishing C2 communication. The campaigns demonstrate the group's continuous efforts to compromise South Korean targets using deceptive tactics and multi-stage malware.

Pulse ID: 67efe85af4503af2018d414e
Pulse Link: otx.alienvault.com/pulse/67efe
Pulse Author: AlienVault
Created: 2025-04-04 14:10:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation

The PoisonSeed campaign is targeting enterprise organizations and individuals outside the cryptocurrency industry by phishing CRM and bulk email provider credentials. The attackers export email lists and send bulk spam from compromised accounts, primarily to support cryptocurrency spam operations. The campaign uses a novel cryptocurrency seed phrase poisoning attack, providing security seed phrases to trick victims into copying them into new cryptocurrency wallets for future compromise. While similarities exist with Scattered Spider and CryptoChameleon groups, PoisonSeed is currently classified separately due to unique characteristics. The campaign has targeted companies like Coinbase, Ledger, Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho, using sophisticated phishing techniques and automated processes to quickly exploit compromised accounts.

Pulse ID: 67ef8546d1d9ef9cd8e91906
Pulse Link: otx.alienvault.com/pulse/67ef8
Pulse Author: AlienVault
Created: 2025-04-04 07:07:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Why does neither Google nor Microsoft's cloud services understand the "Maximum size exceeded" error in an email rejection? If a competent mail service rejects an email that is too large, Microsoft will tell users the email was rejected as spam and Google will tell users the email was rejected because the destination mailbox is full. Both are wrong and dumb. #email #gmail #outlook

BeaverTail and Tropidoor Malware Distributed via Recruitment Emails

A sophisticated malware campaign has been uncovered, involving the distribution of BeaverTail and Tropidoor malware through fake recruitment emails. The attackers, suspected to be of North Korean origin, impersonated a developer community to lure victims into downloading malicious code. The campaign utilizes a downloader disguised as 'car.dll' and BeaverTail malware masquerading as 'tailwind.config.js'. BeaverTail functions as an infostealer and downloader, targeting web browsers and cryptocurrency wallets. Tropidoor, a backdoor malware, establishes communication with command and control servers, allowing remote execution of various commands. The attack methodology shares similarities with previous North Korean campaigns, including the use of techniques reminiscent of the Lazarus group's LightlessCan malware.

Pulse ID: 67ef0692d6ed151e2be71213
Pulse Link: otx.alienvault.com/pulse/67ef0
Pulse Author: AlienVault
Created: 2025-04-03 22:07:14

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Gootloader Returns: Malware Hidden in Google Ads for Legal Documents

The Gootloader malware campaign has evolved its tactics, now using Google Ads to target victims seeking legal templates. The threat actor advertises legal documents, primarily agreements, through compromised ad accounts. Users searching for templates are directed to a malicious website where they are prompted to enter their email address. They then receive an email with a link to download a seemingly legitimate document, which is actually a zipped .JS file containing malware. When executed, the malware creates a scheduled task and uses PowerShell to communicate with compromised WordPress blogs. The campaign demonstrates a shift in Gootloader's strategy, moving from poisoned search results to controlled infrastructure for malware delivery.

Pulse ID: 67ef0696f2790ccbd23c46a9
Pulse Link: otx.alienvault.com/pulse/67ef0
Pulse Author: AlienVault
Created: 2025-04-03 22:07:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Tax-Themed Email Attacks Deliver Malware

Phishing campaigns that are leveraging tax-related themes deploy malware and steal credentials using redirection methods including URL shorteners and QR codes.

Pulse ID: 67eefa6981ed9f88b138ace0
Pulse Link: otx.alienvault.com/pulse/67eef
Pulse Author: cryptocti
Created: 2025-04-03 21:15:21

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


BeaverTail and Tropidoor Malware Distributed via Recruitment Emails

An attack involving BeaverTail and Tropidoor malware was discovered, targeting victims through fake recruitment emails from a developer community. The attackers provided a BitBucket link containing malicious code, including BeaverTail disguised as 'tailwind.config.js' and a downloader called 'car.dll'. BeaverTail, known for information theft and downloading additional payloads, was found in South Korea. The downloader shares similarities with the Lazarus group's LightlessCan malware. BeaverTail steals credential information and cryptocurrency wallet data from web browsers, while Tropidoor acts as a backdoor, connecting to C&C servers and executing various commands. The attack is suspected to be carried out by North Korean threat actors, highlighting the need for caution when dealing with executable files from unknown sources.

Pulse ID: 67eec30f88dc6ea426373c6b
Pulse Link: otx.alienvault.com/pulse/67eec
Pulse Author: AlienVault
Created: 2025-04-03 17:19:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.
