Author: Charlie

Shotgun Wedding

An email caught my eye this morning. Not because of a unique social engineering theme or a new delivery technique, but because of the sheer number of attachments, a shotgun approach to malware delivery. There were 3 RTF files with spoofed .doc and docx.doc extensions, an ARJ archive containing an …


Recently, I stumbled on an odd Agent Tesla sample that downloaded a paste from This is not a normal TTP for most actors who license Agent Tesla for use in their malicious campaigns. And to make things more interesting, the paste was the hexadecimal representation of the binary and …


The other day I decided to take a walkabout in our data and explore what the rest of the world sees. And it didn’t take long to find a poorly constructed Brazilian tax note phish spoofing their Ministry of Economy. The actor failed with his phish template and switches between …

It’s easier to take a screenshot than to create an email template

Looks legitimate to me… wait a second, is that just an IMAGE?!

<html><head><title></title></head><body><h2><a href=""><img alt src="cid:3vfxjru.jpg" style="width: 706px; height: 637px;" /></a></h2></body></html>

Catching a Phresh Kit

Let’s follow this Phresh Catch and see where it takes us. We test the shortened link (the simplest of techniques to try and evade URL wrapping) and end up at a compromised GoDaddy hosted website – hxxp://teqzoft[.]com/websinfo/Confirm/websc_signin/.

Credential Phish Landing Page

Clean and basic, as long as you ignore the …
