Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign | Proofpoint US
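<!DOCTYPE html> <html lang="en-us" dir="ltr" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/ og: http://ogp.me/ns# rdfs: http://www.w3.org/2000/01/rdf-schema# schema: http://schema.org/ sioc: http://rdfs.org/sioc/ns# sioct: http://rdfs.org/sioc/types# skos: http://www.w3.org/2004/02/skos/core# xsd: http://www.w3.org/2001/XMLSchema# " class="page-en"> <head> <meta charset="utf-8" /> <!-- Review: the charset declaration is now the first child of <head> so the inline scripts that follow are decoded as UTF-8 and it sits within the first 1024 bytes (it was previously emitted after the tag-manager loaders). The GTM, gtag and Mutiny loaders below are inline scripts with no nonce attribute, so a strict nonce- or hash-based script-src CSP would block them unless their hashes are allowlisted; the VWO snippet further down already expects a nonce on its own tag, so any CSP rollout has to treat all four inline scripts consistently. The third-party script sources on this page (googletagmanager.com, mutinycdn.com, sharethis.com, visualwebsiteoptimizer.com) are served dynamically and cannot carry Subresource Integrity hashes, so the only browser-side control is origin allowlisting in CSP plus trust in those vendors. --> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-MGR7P8X');</script> <script async src="https://www.googletagmanager.com/gtag/js?id=G-B1V8SZE3GL"></script> <script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-B1V8SZE3GL');</script> <script>(function(){var a=window.mutiny=window.mutiny||{};if(!window.mutiny.client){a.client={_queue:{}};var b=["identify","trackConversion"];var c=[].concat(b,["defaultOptOut","optOut","optIn"]);var d=function factory(c){return function(){for(var d=arguments.length,e=new Array(d),f=0;f<d;f++){e[f]=arguments[f]}a.client._queue[c]=a.client._queue[c]||[];if(b.includes(c)){return new Promise(function(b,d){a.client._queue[c].push({args:e,resolve:b,reject:d})})}else{a.client._queue[c].push({args:e})}}};c.forEach(function(b){a.client[b]=d(b)})}})();</script> <script data-cfasync="false" src="https://client-registry.mutinycdn.com/personalize/client/d454424c4514a20a.js"></script> <meta name="description" content="What happened Proofpoint researchers recently observed new activity by the Iran-aligned threat actor TA450 (also known as MuddyWater, Mango Sandstorm, and Static Kitten), in which the group used a..." 
/> <link rel="shortlink" href="https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign" /> <link rel="canonical" href="https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign" /> <link rel="image_src" href="https://www.proofpoint.com/sites/default/files/styles/metatag/public/btc-imgs/GettyImages-1133924836-min.jpg.webp?itok=o7XoZsGE" /> <link rel="icon" href="/themes/custom/proofpoint/apps/drupal/favicon.ico" /> <link rel="mask-icon" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon.svg" /> <link rel="icon" sizes="16x16" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-16x16.png" /> <link rel="icon" sizes="32x32" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-32x32.png" /> <link rel="icon" sizes="96x96" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-96x96.png" /> <link rel="icon" sizes="192x192" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-192x192.png" /> <link rel="apple-touch-icon" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-60x60.png" /> <link rel="apple-touch-icon" sizes="72x72" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-72x72.png" /> <link rel="apple-touch-icon" sizes="76x76" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-76x76.png" /> <link rel="apple-touch-icon" sizes="114x114" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-114x114.png" /> <link rel="apple-touch-icon" sizes="120x120" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-120x120.png" /> <link rel="apple-touch-icon" sizes="144x144" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-144x144.png" /> <link rel="apple-touch-icon" sizes="152x152" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-152x152.png" /> <link 
rel="apple-touch-icon" sizes="180x180" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-180x180.png" /> <link rel="apple-touch-icon-precomposed" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-57x57.png" /> <link rel="apple-touch-icon-precomposed" sizes="72x72" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-72x72.png" /> <link rel="apple-touch-icon-precomposed" sizes="76x76" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-76x76.png" /> <link rel="apple-touch-icon-precomposed" sizes="114x114" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-114x114.png" /> <link rel="apple-touch-icon-precomposed" sizes="120x120" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-120x120.png" /> <link rel="apple-touch-icon-precomposed" sizes="144x144" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-144x144.png" /> <link rel="apple-touch-icon-precomposed" sizes="152x152" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-152x152.png" /> <link rel="apple-touch-icon-precomposed" sizes="180x180" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-180x180.png" /> <meta property="og:site_name" content="Proofpoint" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign" /> <meta property="og:title" content="Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign | Proofpoint US" /> <meta property="og:description" content="What happened Proofpoint researchers recently observed new activity by the Iran-aligned threat actor TA450 (also known as MuddyWater, Mango Sandstorm, and Static Kitten), in which the group used a..." 
/> <meta property="og:image" content="https://www.proofpoint.com/sites/default/files/styles/metatag/public/btc-imgs/GettyImages-1133924836-min.jpg.webp?itok=o7XoZsGE" /> <meta property="og:image:url" content="https://www.proofpoint.com/sites/default/files/styles/metatag/public/btc-imgs/GettyImages-1133924836-min.jpg.webp?itok=o7XoZsGE" /> <meta property="og:image:secure_url" content="https://www.proofpoint.com/sites/default/files/styles/metatag/public/btc-imgs/GettyImages-1133924836-min.jpg.webp?itok=o7XoZsGE" /> <meta property="article:published_time" content="2024-03-21T07:53:21-07:00" /> <meta property="article:modified_time" content="2024-03-21T08:35:37-07:00" /> <meta name="twitter:card" content="summary_large_image" /> <meta name="twitter:description" content="What happened Proofpoint researchers recently observed new activity by the Iran-aligned threat actor TA450 (also known as MuddyWater, Mango Sandstorm, and Static Kitten), in which the group used a..." /> <meta name="twitter:title" content="Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign | Proofpoint US" /> <meta name="twitter:site" content="@proofpoint" /> <meta name="twitter:url" content="https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign" /> <meta name="twitter:image" content="https://www.proofpoint.com/sites/default/files/styles/metatag/public/btc-imgs/GettyImages-1133924836-min.jpg.webp?itok=o7XoZsGE" /> <!-- Review: the VWO snippet below had a stray "z" token before use_existing_jquery in the captured markup, which makes the var declaration a JavaScript syntax error, so the whole snippet would fail to parse and never run (no body hide, no settings timer); the token is removed here. TODO confirm against the served page whether the "z" was present in the original response or was introduced by extraction. The snippet copies document.querySelector('#vwoCode').nonce onto the <style> element it injects, but this <script id="vwoCode"> tag carries no nonce attribute, so that value is an empty string; if a nonce-based style-src/script-src CSP is intended, the server must emit the nonce on this tag. --> <script data-cfasync="false" type="text/javascript" id="vwoCode">window._vwo_code=window._vwo_code || (function() { var account_id=767242, version=1.3, settings_tolerance=2000, library_tolerance=2500, use_existing_jquery=false, is_spa=1, hide_element='body', /* DO NOT EDIT BELOW THIS LINE */ f=false,d=document,code={use_existing_jquery:function(){return use_existing_jquery},library_tolerance:function(){return library_tolerance},finish:function(){if(!f){f=true;var 
e=d.getElementById('_vis_opt_path_hides');if(e)e.parentNode.removeChild(e)}},finished:function(){return f},load:function(e){var t=d.createElement('script');t.fetchPriority='high';t.src=e;t.type='text/javascript';t.innerText;t.onerror=function(){_vwo_code.finish()};d.getElementsByTagName('head')[0].appendChild(t)},init:function(){window.settings_timer=setTimeout(function(){_vwo_code.finish()},settings_tolerance);var e=d.createElement('style'),t=hide_element?hide_element+'{opacity:0 !important;filter:alpha(opacity=0) !important;background:none !important;}':'',i=d.getElementsByTagName('head')[0];e.setAttribute('id','_vis_opt_path_hides');e.setAttribute('nonce',document.querySelector('#vwoCode').nonce);e.setAttribute('type','text/css');if(e.styleSheet)e.styleSheet.cssText=t;else e.appendChild(d.createTextNode(t));i.appendChild(e);this.load('https://dev.visualwebsiteoptimizer.com/j.php?a='+account_id+'&u='+encodeURIComponent(d.URL)+'&f='+ +is_spa+'&vn='+version);return settings_timer}};window._vwo_settings_timer = code.init();return code;}());</script> <meta name="facebook-domain-verification" content="l349mr2tyecyl7w3a1146378lqxru1" /> <meta name="MobileOptimized" content="width" /> <meta name="HandheldFriendly" content="true" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <!-- Review: font preloads correctly carry crossorigin="anonymous", which matches the CORS mode the font fetch uses; without it each preload would be discarded and the font fetched twice. --> <link rel="preload" href="/themes/custom/proofpoint/dist/app-drupal/assets/fonts/proofpoint.woff2" as="font" crossorigin="anonymous" /> <link rel="preload" href="/themes/custom/proofpoint/dist/app-drupal/assets/fonts/RobotoCondensed-Regular-webfont.woff" as="font" crossorigin="anonymous" /> <link rel="preload" href="/themes/custom/proofpoint/dist/app-drupal/assets/fonts/fjalla-one-v7-latin-regular.woff" as="font" crossorigin="anonymous" /> <link rel="preload" href="/themes/custom/proofpoint/dist/app-drupal/assets/fonts/fjalla-one-v7-latin-regular.woff2" as="font" crossorigin="anonymous" /> <link rel="preload" 
href="/themes/custom/proofpoint/dist/app-drupal/assets/fonts/RobotoCondensed-Bold-webfont.woff" as="font" crossorigin="anonymous" /> <link rel="alternate" hreflang="en-us" href="https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign" /> <link rel="alternate" hreflang="en-gb" href="https://www.proofpoint.com/uk/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign" /> <link rel="alternate" hreflang="ja" href="https://www.proofpoint.com/jp/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign" /> <link rel="alternate" hreflang="en-au" href="https://www.proofpoint.com/au/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign" /> <title>Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign | Proofpoint US</title> <link rel="stylesheet" media="all" href="/sites/default/files/css/css_SzsfcKm17EaxTSftk5pG4vhuvmtTMk2JTGHvDvyHSOU.css?delta=0&language=en&theme=particle&include=eJxdkMFuAyEMRH9oEap66d9ENnEALdjImEj9-7K5wPZiycNoxo_WHvnrh30BjgMiuScZBRM9WntU0JNMfB0c0pn50jqBhuSH5dKv3RJV8iZSEPTov92oeoRORwO1HAr5IEqbFZABMXNcjigSC7mXsPWlvkSM1L2_P70JlPxnWsqbC4vEvYuN2FybLHozhdP1gT1oRnI4zITXeyJ43i5CnUrQUfFf1QpZ-pZ79dxjJwHDe2MtglAclfkZE_cP6VGUfg" /> <link rel="stylesheet" media="all" href="/sites/default/files/css/css_8ecnUogkowN7sYBLQ7Tqbcqe0r3rbujwh1eXZu6Z_X8.css?delta=1&language=en&theme=particle&include=eJxdkMFuAyEMRH9oEap66d9ENnEALdjImEj9-7K5wPZiycNoxo_WHvnrh30BjgMiuScZBRM9WntU0JNMfB0c0pn50jqBhuSH5dKv3RJV8iZSEPTov92oeoRORwO1HAr5IEqbFZABMXNcjigSC7mXsPWlvkSM1L2_P70JlPxnWsqbC4vEvYuN2FybLHozhdP1gT1oRnI4zITXeyJ43i5CnUrQUfFf1QpZ-pZ79dxjJwHDe2MtglAclfkZE_cP6VGUfg" /> <script 
src="/sites/default/files/js/js_Wi8RdyzDF-uwGcwq9eMv1Giiu7RfMo7nYneG5kg6rd4.js?scope=header&delta=0&language=en&theme=particle&include=eJxdkMFuAyEMRH9oEap66d9ENnEALdjImEj9-7K5wPZiycNoxo_WHvnrh30BjgMiuScZBRM9WntU0JNMfB0c0pn50jqBhuSH5dKv3RJV8iZSEPTov92oeoRORwO1HAr5IEqbFZABMXNcjigSC7mXsPWlvkSM1L2_P70JlPxnWsqbC4vEvYuN2FybLHozhdP1gT1oRnI4zITXeyJ43i5CnUrQUfFf1QpZ-pZ79dxjJwHDe2MtglAclfkZE_cP6VGUfg"></script> <script src="https://platform-api.sharethis.com/js/sharethis.js#property=6543fd1a2398960013d900a7&product=inline-share-buttons&source=platform"></script> </head> <body class="path-node"> <a href="#main-content" class="visually-hidden focusable"> Skip to main content </a> <div class="limit-width-wrapper"> <div class="dialog-off-canvas-main-canvas" data-off-canvas-main-canvas> <div class="header-nav__spacer"></div> <div class="header-nav js-is-top"> <div class="header-nav__extra"> <div class="header-nav__extra-wrap"> <div class="header-nav__top-language" data-open="content:x_lng"> <span>English (Americas)</span> </div> <div class="header-nav__actions"> <div class="header-nav__top-search" data-open="content:x_sch"> <span>Search</span> </div> <div class="header-nav__top-login" data-open="content:x_lgn"> <span>Login</span> </div> </div> </div> </div> <div class="header-nav__main"> <div class="header-nav__main-wrap"> <div class="header-nav__expand" data-open="home"></div> <ul class="header-nav__top-links"> <li class="header-nav__top-link"> <div data-open="content:platform_panel" class="header-nav__top-link-text"> Platform </div> </li> <li class="header-nav__top-link"> <div data-open="content:products_panel" class="header-nav__top-link-text"> Products </div> </li> <li class="header-nav__top-link"> <div data-open="content:solutions_panel" class="header-nav__top-link-text"> Solutions </div> </li> </ul> <a href="/us" class="header-nav__logo">Proofpoint</a> <div class="header-nav__buttons"> <a href=/us/contact class="global-elements__cta-button--outline header-nav__button" > 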
class="header-nav__menu-pane" data-content="x_lng"> <div class="header-nav__content"> <div class="header-nav__content-title"> Select Language </div> <ul class="header-nav__language-links"> <li class="header-nav__language-link"> <a href="/us">English (Americas)</a> </li> <li class="header-nav__language-link"> <a href="/uk">English (Europe, Middle East, Africa)</a> </li> <li class="header-nav__language-link"> <a href="/au">English (Asia-Pacific)</a> </li> <li class="header-nav__language-link"> <a href="/es">Español</a> </li> <li class="header-nav__language-link"> <a href="/de">Deutsch</a> </li> <li class="header-nav__language-link"> <a href="/fr">Français</a> </li> <li class="header-nav__language-link"> <a href="/it">Italiano</a> </li> <li class="header-nav__language-link"> <a href="/br">Português</a> </li> <li class="header-nav__language-link"> <a href="/jp">日本語</a> </li> <li class="header-nav__language-link"> <a href="/kr">한국어</a> </li> </ul> </div> </div> </div> </div> <div class="layout-container"> <div> <div data-drupal-messages-fallback class="hidden"></div> </div> <main class="container" role="main"> <a id="main-content" tabindex="-1"></a> <section class="row"> <div class="layout-content"> <div> <div id="block-particle-content"> <article about="/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign" class="node--type--blog-post node--view-mode--full node node-blog-full"> <div class="breadcrumbs"><div class="nav-crumbs"><div class="breadcrumb__item"><a href="/us/blog" class="breadcrum__item-link">Blog</a></div><div class="breadcrumb__item"><a href="/us/blog/threat-insight" class="breadcrum__item-link">Threat Insight</a></div><div class="breadcrumb__item"> Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign </div></div></div> <div class="blog-banner"> <div class="blog-banner__image"> <picture> <source 
srcset="/sites/default/files/styles/image_1920_750/public/btc-imgs/GettyImages-1133924836-min.jpg.webp?itok=Dc0-yFPF 1x" media="screen and (min-width: 1440px)" type="image/webp" width="1920" height="750"/> <source srcset="/sites/default/files/styles/image_1024_400/public/btc-imgs/GettyImages-1133924836-min.jpg.webp?itok=7IcMPewi 1x" media="screen and (min-width: 1024px)" type="image/webp" width="1024" height="400"/> <source srcset="/sites/default/files/styles/image_768_375/public/btc-imgs/GettyImages-1133924836-min.jpg.webp?itok=YaOrLqpm 1x" media="screen and (min-width: 768px)" type="image/webp" width="768" height="375"/> <source srcset="/sites/default/files/styles/image_1920_750/public/btc-imgs/GettyImages-1133924836-min.jpg.webp?itok=Dc0-yFPF 1x" media="screen and (min-width: 1440px)" type="image/webp" width="1920" height="750"/> <source srcset="/sites/default/files/styles/image_1024_400/public/btc-imgs/GettyImages-1133924836-min.jpg.webp?itok=7IcMPewi 1x" media="screen and (min-width: 1024px)" type="image/webp" width="1024" height="400"/> <source srcset="/sites/default/files/styles/image_768_375/public/btc-imgs/GettyImages-1133924836-min.jpg.webp?itok=YaOrLqpm 1x" media="screen and (min-width: 768px)" type="image/webp" width="768" height="375"/> <img loading="lazy" src="/sites/default/files/styles/image_768_300/public/btc-imgs/GettyImages-1133924836-min.jpg.webp?itok=aAO7B7po" width="768" height="300" alt="Proofpoint Packages" typeof="foaf:Image" /> </picture> </div> <div class="blog-banner__gradient-overlay"></div> <div class="blog-banner__heading-wrap"> <h1 class="blog-banner__heading"> <span>Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign </span> </h1> </div> </div> <div class="blog-content"> <div class="blog-content__sharethis sharethis_toolbox sharethis_32x32_style"> <div class="blog-content__sharethis_label sharethis__label">Share with your network!</div> <div class="blog-content__sharethis_buttons sharethis_buttons"> <div 
class="sharethis-inline-share-buttons"></div> <span class="addthis_button_subscribe at300b UNCONVERTED" title=Subscribe> <span class="at-icon-wrapper block-subscribe-button__trigger block-subscribe-button__addthis"></span> </span> </div> </div> <div class="blog-content__metadata blog-content__metadata-author"> <span class="blog-content__date"> <time datetime="2024-03-21T14:53:21Z">March 21, 2024</time> </span> <span class="blog-content__author"> Joshua Miller and the Proofpoint Threat Research Team </span> </div> <div class="node-full__body blog-content__body"> <h3>What happened </h3> <p paraeid="{6e59aa97-69a8-4dc2-a6df-09e0cc0ae356}{249}" paraid="521123952">Proofpoint researchers recently observed new activity by the Iran-aligned threat actor TA450 (also known as MuddyWater, Mango Sandstorm, and Static Kitten), in which the group used a pay-related social engineering lure to target Israeli employees at large multinational organizations. TA450 is known for targeting Israeli entities, particularly since at <a href="https://therecord.media/muddywater-campaign-iran-israel-social-engineering" rel="noreferrer noopener" target="_blank">least October 2023</a> with the start of the Israel-Hamas war, and this campaign continues that trend with a focus on global manufacturing, technology, and information security companies. </p> <p paraeid="{3687e1b5-c2af-4c00-ab66-a7fd37bc9e5c}{41}" paraid="747055223">In the phishing campaign, which started 7 March and continued through the week of 11 March 2024, TA450 sent emails with PDF attachments that contained malicious links. While this <a href="https://www.deepinstinct.com/blog/muddywater-en-able-spear-phishing-with-new-ttps" rel="noreferrer noopener" target="_blank">method</a> is not foreign to TA450, the threat actor has more recently relied on including malicious links directly in email message bodies instead of adding this extra step. 
Proofpoint researchers observed the same targets receive multiple phishing emails with PDF attachments that had slightly different embedded links. The links were to a variety of file-sharing sites, including Egnyte, Onehub, Sync and TeraBox. The emails also used a likely compromised .IL sender account, which is consistent with this threat actor’s recent activity. </p> <p paraeid="{3687e1b5-c2af-4c00-ab66-a7fd37bc9e5c}{96}" paraid="2144378198">As seen in Figures 1 and 2, if a target opened the attachment and clicked on the included link, it would lead to the download of a ZIP archive containing a compressed MSI that ultimately would install AteraAgent, remote administration software that is known to be abused by TA450. </p> <p paraeid="{3687e1b5-c2af-4c00-ab66-a7fd37bc9e5c}{108}" paraid="1549264823"><img alt="Figure 1" data-entity-type="file" data-entity-uuid="4f065989-9df9-4c04-af30-d1271ef4d073" height="369" src="/sites/default/files/inline-images/p1_4.png" width="916" loading="lazy"></p> <p paraeid="{3687e1b5-c2af-4c00-ab66-a7fd37bc9e5c}{117}" paraid="1119794771"><em>Figure 1. Opened PDF attachment with malicious link (Machine translation: Document title: Pay Slip; Body of PDF: Hello, From now on receive your pay slip through the following software). </em></p> <p paraeid="{3687e1b5-c2af-4c00-ab66-a7fd37bc9e5c}{131}" paraid="275955013"><img alt="Figure 2" data-entity-type="file" data-entity-uuid="9330caaf-daf7-4a06-9672-ca65b93e7e62" height="459" src="/sites/default/files/inline-images/p2_4.png" width="915" loading="lazy"></p> <p paraeid="{3687e1b5-c2af-4c00-ab66-a7fd37bc9e5c}{140}" paraid="52965329"><em>Figure 2. ZIP archive via Onehub that leads to the download of remote administration software. 
</em></p> <h3 paraeid="{3687e1b5-c2af-4c00-ab66-a7fd37bc9e5c}{150}" paraid="1995726316">Attribution </h3> <p paraeid="{3687e1b5-c2af-4c00-ab66-a7fd37bc9e5c}{160}" paraid="904885377">Proofpoint researchers attribute this campaign to TA450 based on known TA450 tactics, techniques, and procedures, campaign targeting, and malware analysis. In January 2022, the United States Cyber Command <a href="https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/" rel="noreferrer noopener" target="_blank">attributed</a> this group to Iran's Ministry of Intelligence and Security. </p> <h3 paraeid="{3687e1b5-c2af-4c00-ab66-a7fd37bc9e5c}{199}" paraid="1099932417">Why it matters </h3> <p paraeid="{3687e1b5-c2af-4c00-ab66-a7fd37bc9e5c}{211}" paraid="427266606">This activity is notable for several reasons, including that it marks a turn in TA450’s tactics. While this campaign is not the first observed instance of TA450 using attachments with malicious links as part of the threat actor’s attack chain, it is the first time Proofpoint researchers have observed TA450 attempt to deliver a malicious URL in a PDF attachment rather than directly linking the file in an email. Additionally, this campaign is the first time Proofpoint has observed TA450 using a sender email account that matches the lure content. For example, this campaign used an email account of salary[@]&lt;compromisedorg&gt;.co[.]il, which aligns with the various pay-themed subject lines. </p> <p paraeid="{c803cceb-c95d-4b8d-aca6-59dde90e17c3}{37}" paraid="2037141794">Finally, this activity continues TA450's trend of leveraging Hebrew language lures and compromised .IL accounts to target Israeli individuals belonging to large multinational companies, maintaining a heightened risk for organizations with this type of footprint. 
</p> <h3 paraeid="{c649143c-fe36-4d05-b685-2df22c025e0b}{93}" paraid="7282991">Emerging Threat (ET) signatures </h3> <p>These rules match DNS queries and TLS SNI values for legitimate file-sharing services that also see benign use, so a hit is not malicious on its own and should be reviewed in context, for example alongside the email and attachment indicators listed below. </p> <table aria-rowcount="7" border="1" data-tablelook="1184" data-tablestyle="MsoNormalTable"> <tbody> <tr aria-rowindex="1" role="row"> <td data-celllook="69905" role="rowheader"> <p paraeid="{c649143c-fe36-4d05-b685-2df22c025e0b}{103}" paraid="1344508466"><strong>SID </strong></p> </td> <td data-celllook="69905" role="columnheader"> <p paraeid="{c649143c-fe36-4d05-b685-2df22c025e0b}{112}" paraid="2142006148"><strong>Rule Name </strong></p> </td> </tr> <tr aria-rowindex="2" role="row"> <td data-celllook="69905" role="rowheader"> <p paraeid="{c649143c-fe36-4d05-b685-2df22c025e0b}{122}" paraid="825607385"><a href="https://threatintel.proofpoint.com/sid/2051743" rel="noreferrer noopener" target="_blank">2051743</a> </p> </td> <td data-celllook="69905"> <p paraeid="{c649143c-fe36-4d05-b685-2df22c025e0b}{129}" paraid="1993185085">ET OPEN DNS Query to File Sharing Domain (egnyte .com) </p> </td> </tr> <tr aria-rowindex="3" role="row"> <td data-celllook="69905" role="rowheader"> <p paraeid="{c649143c-fe36-4d05-b685-2df22c025e0b}{143}" paraid="1939926355"><a href="https://threatintel.proofpoint.com/sid/2051745" rel="noreferrer noopener" target="_blank">2051745</a> </p> </td> <td data-celllook="69905"> <p paraeid="{c649143c-fe36-4d05-b685-2df22c025e0b}{150}" paraid="2143122738">ET OPEN 2051745 - DNS Query to File Sharing Domain (sync .com) </p> </td> </tr> <tr aria-rowindex="4" role="row"> <td data-celllook="69905" role="rowheader"> <p paraeid="{c649143c-fe36-4d05-b685-2df22c025e0b}{158}" paraid="1413859063"><a href="https://threatintel.proofpoint.com/sid/2051749" rel="noreferrer noopener" target="_blank">2051749</a> </p> </td> <td data-celllook="69905"> <p paraeid="{c649143c-fe36-4d05-b685-2df22c025e0b}{165}" paraid="334423922">ET OPEN DNS Query to File Sharing Domain (terabox .com) </p> </td> </tr> <tr aria-rowindex="5" role="row"> <td data-celllook="69905" 
role="rowheader"> <p paraeid="{c649143c-fe36-4d05-b685-2df22c025e0b}{177}" paraid="276358142"><a href="https://threatintel.proofpoint.com/sid/2051750" rel="noreferrer noopener" target="_blank">2051750</a> </p> </td> <td data-celllook="69905"> <p paraeid="{c649143c-fe36-4d05-b685-2df22c025e0b}{184}" paraid="147796764">ET OPEN Observed File Sharing Domain (terabox .com in TLS SNI) </p> </td> </tr> <tr aria-rowindex="6" role="row"> <td data-celllook="69905" role="rowheader"> <p paraeid="{c649143c-fe36-4d05-b685-2df22c025e0b}{196}" paraid="1035393628"><a href="https://threatintel.proofpoint.com/sid/2051746" rel="noreferrer noopener" target="_blank">2051746</a> </p> </td> <td data-celllook="69905"> <p paraeid="{c649143c-fe36-4d05-b685-2df22c025e0b}{203}" paraid="719568892">ET OPEN Observed File Sharing Domain (egnyte .com in TLS SNI) </p> </td> </tr> <tr aria-rowindex="7" role="row"> <td data-celllook="69905" role="rowheader"> <p paraeid="{c649143c-fe36-4d05-b685-2df22c025e0b}{215}" paraid="1716583408"><a href="https://threatintel.proofpoint.com/sid/2051748" rel="noreferrer noopener" target="_blank">2051748</a> </p> </td> <td data-celllook="69905"> <p paraeid="{c649143c-fe36-4d05-b685-2df22c025e0b}{222}" paraid="1272850001">ET OPEN Observed File Sharing Domain (sync .com in TLS SNI) </p> </td> </tr> </tbody> </table> <h3 paraeid="{c803cceb-c95d-4b8d-aca6-59dde90e17c3}{63}" paraid="1011039855">Indicators of compromise (IOCs) </h3> <table aria-rowcount="13" border="1" data-tablelook="1184" data-tablestyle="MsoNormalTable" style="width: 865.25px;"> <tbody> <tr aria-rowindex="1" role="row"> <td data-celllook="69905" role="rowheader" style="width: 587px;"> <p paraeid="{c803cceb-c95d-4b8d-aca6-59dde90e17c3}{81}" paraid="822917111"><strong>Indicator</strong></p> </td> <td data-celllook="69905" role="columnheader" style="width: 263px;"> <p paraeid="{c803cceb-c95d-4b8d-aca6-59dde90e17c3}{90}" paraid="1341803151"><strong>Type</strong></p> </td> </tr> <tr aria-rowindex="2" 
role="row"> <td data-celllook="69905" role="rowheader" style="width: 587px;"> <p paraeid="{c803cceb-c95d-4b8d-aca6-59dde90e17c3}{100}" paraid="9664087">salary &lt;salary[@]&lt;compromisedorg&gt;.co[.]il&gt; </p> </td> <td data-celllook="69905" style="width: 263px;"> <p paraeid="{c803cceb-c95d-4b8d-aca6-59dde90e17c3}{115}" paraid="875531059">Example of compromised email sender </p> </td> </tr> <tr aria-rowindex="3" role="row"> <td data-celllook="69905" role="rowheader" style="width: 587px;"> <p paraeid="{b5b069a6-1919-48c4-bb9e-3d74e6b5f172}{198}" paraid="1997274423">תלושי השכר (Machine translation: Pay slip) </p> </td> <td data-celllook="69905" style="width: 263px;"> <p paraeid="{b5b069a6-1919-48c4-bb9e-3d74e6b5f172}{215}" paraid="570306586">Email subject </p> </td> </tr> <tr aria-rowindex="4" role="row"> <td data-celllook="69905" role="rowheader" style="width: 587px;"> <p paraeid="{b5b069a6-1919-48c4-bb9e-3d74e6b5f172}{223}" paraid="643449192">תלוש שכר לחודש 02/2024 (Machine translation: Pay slip for the month 02/2024) </p> </td> <td data-celllook="69905" style="width: 263px;"> <p paraeid="{b5b069a6-1919-48c4-bb9e-3d74e6b5f172}{248}" paraid="1871447558">Email subject </p> </td> </tr> <tr aria-rowindex="5" role="row"> <td data-celllook="69905" role="rowheader" style="width: 587px;"> <p paraeid="{65e5e0df-d007-4ca7-9e76-a4aa896b02ba}{1}" paraid="1305633288">סיסמה לתלוש שכר (Machine translation: Pay slip password) </p> </td> <td data-celllook="69905" style="width: 263px;"> <p paraeid="{65e5e0df-d007-4ca7-9e76-a4aa896b02ba}{20}" paraid="453491988">Email subject </p> </td> </tr> <tr aria-rowindex="6" role="row"> <td data-celllook="69905" role="rowheader" style="width: 587px;"> <p paraeid="{c803cceb-c95d-4b8d-aca6-59dde90e17c3}{125}" paraid="478005416">תלוש השכר .pdf (Machine translation: Pay slip) </p> </td> <td data-celllook="69905" style="width: 263px;"> <p paraeid="{c803cceb-c95d-4b8d-aca6-59dde90e17c3}{138}" paraid="545757707">Document title </p> </td> </tr> <tr 
aria-rowindex="7" role="row"> <td data-celllook="69905" role="rowheader" style="width: 587px;"> <p paraeid="{c803cceb-c95d-4b8d-aca6-59dde90e17c3}{146}" paraid="2120507961">dee6494e69c6e7289cf3f332e2867662958fa82f819615597e88c16c967a25a9 </p> </td> <td data-celllook="69905" style="width: 263px;"> <p paraeid="{c803cceb-c95d-4b8d-aca6-59dde90e17c3}{153}" paraid="1813587905">SHA256 (PDF) </p> </td> </tr> <tr aria-rowindex="8" role="row"> <td data-celllook="69905" role="rowheader" style="width: 587px;"> <p paraeid="{c803cceb-c95d-4b8d-aca6-59dde90e17c3}{165}" paraid="1814661600">hxxp://ws.onehub[.]com/files/[alphanumericidentifier] </p> </td> <td data-celllook="69905" style="width: 263px;"> <p paraeid="{c803cceb-c95d-4b8d-aca6-59dde90e17c3}{172}" paraid="278613993">Example malicious URL </p> </td> </tr> <tr aria-rowindex="9" role="row"> <td data-celllook="69905" role="rowheader" style="width: 587px;"> <p paraeid="{65e5e0df-d007-4ca7-9e76-a4aa896b02ba}{70}" paraid="1547969457">hxxps://salary.egnyte[.]com/[alphanumericidentifier] </p> </td> <td data-celllook="69905" style="width: 263px;"> <p paraeid="{65e5e0df-d007-4ca7-9e76-a4aa896b02ba}{81}" paraid="1025123297">Example malicious URL </p> </td> </tr> <tr aria-rowindex="10" role="row"> <td data-celllook="69905" role="rowheader" style="width: 587px;"> <p paraeid="{65e5e0df-d007-4ca7-9e76-a4aa896b02ba}{91}" paraid="1018173309">hxxps://ln5.sync[.]com/[alphanumericidentifier] </p> </td> <td data-celllook="69905" style="width: 263px;"> <p paraeid="{65e5e0df-d007-4ca7-9e76-a4aa896b02ba}{98}" paraid="1250032509">Example malicious URL </p> </td> </tr> <tr aria-rowindex="11" role="row"> <td data-celllook="69905" role="rowheader" style="width: 587px;"> <p paraeid="{65e5e0df-d007-4ca7-9e76-a4aa896b02ba}{108}" paraid="1906664499">hxxps://terabox[.]com/s/[alphanumericidentifier] </p> </td> <td data-celllook="69905" style="width: 263px;"> <p paraeid="{65e5e0df-d007-4ca7-9e76-a4aa896b02ba}{121}" paraid="1895951856">Example malicious 
URL </p> </td> </tr> <tr aria-rowindex="12" role="row"> <td data-celllook="69905" role="rowheader" style="width: 587px;"> <p paraeid="{c803cceb-c95d-4b8d-aca6-59dde90e17c3}{182}" paraid="193704786">cc4cc20b558096855c5d492f7a79b160a809355798be2b824525c98964450492 </p> </td> <td data-celllook="69905" style="width: 263px;"> <p paraeid="{c803cceb-c95d-4b8d-aca6-59dde90e17c3}{189}" paraid="158007679">SHA256 (salary.zip) </p> </td> </tr> <tr aria-rowindex="13" role="row"> <td data-celllook="69905" role="rowheader" style="width: 587px;"> <p paraeid="{c803cceb-c95d-4b8d-aca6-59dde90e17c3}{197}" paraid="1561752857">e89f48a7351c01cbf2f8e31c65a67f76a5ead689bb11e9d4918090a165d4425f </p> </td> <td data-celllook="69905" style="width: 263px;"> <p paraeid="{c803cceb-c95d-4b8d-aca6-59dde90e17c3}{204}" paraid="1100421804">SHA256 (salary.msi) </p> </td> </tr> </tbody> </table> </div> </div> <div class="blog__content-pager"> <div class="content-pager"> <div class="content-pager__items-wrapper"> <div class="content-pager__items"> <div class="content-pager__item content-pager__item--prev"> <a href="/us/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids" hreflang="en">Previous Blog Post</a> </div> <div class="content-pager__item content-pager__item--next"> <a href="/us/blog/threat-insight/latrodectus-spider-bytes-ice" hreflang="en">Next Blog Post</a> </div> </div> </div> </div> </div> <div class="subscribe-block blog-subscribe" data-animate="true"> <div class="subscribe-block__inner blog-subscribe__inner"> <div class="subscribe-block__copy"> <h3 class="subscribe-block__heading"> Subscribe to the Proofpoint Blog </h3> </div> <div class="subscribe-block__form"> <div class="mk-form"> <div class="mk-form__form-container"> <script type="IN/Form2" data-data-form="mktoForm_19277" data-field-firstname="FirstName" data-field-lastname="LastName" data-field-email="Email" data-field-company="Company" data-field-title="Title" data-field-state="State" 