Branching Out. As in the Twitter hack, the perpetrators don't appear to be state-sponsored hackers or foreign cybercrime organizations, but young, English-speaking hackers organizing on forums like the website and the chat service Discord, says Zack Allen, the director of threat intelligence at security firm ZeroFox, who has also worked with the industry group tracking the incidents.
The attackers returned with a new BEC that took a different tack: instead of tricking targets into logging in to lookalike sites, and consequently divulging the passwords, the scam used emails that instructed the recipient to give what was purported to be a Microsoft app access to an Office 365 account.
Scammers are taking advantage of default calendar settings to try to trick users into clicking malicious links. "For the calendar attack, the scammers use a prepared email list to send their fraudulent invitations," says Maria Vergelis, a security researcher at Kaspersky who has been following the method.
It's not uncommon to see them come out with a new variant or a totally new malware family."Palo Alto Networks researchers have only found one sample of the special Cannon-laced malicious document so far, but it was part of a broader APT 28 phishing campaign they observed that focused on government targets in North America, Europe, and a former USSR state that the company declined to name.Meanwhile, investigators at FireEye observed an extensive phishing campaign launched last week that appears to come from APT 29 hackers, also called Cozy Bear.