Threat Hub

The Proofpoint threat research team has access to one of the largest, most diverse data sets in all of cybersecurity. We’re bringing you the highlights every week, right here at the Threat Hub.

Weekly Brief

High-volume campaigns from APT attacker TA422 exploit Microsoft Outlook vulnerability. And a seasonal threat update on our weekly podcast.

This week on The Threat Hub: Our researchers dig into recent activity by TA422, an advanced persistent threat (APT) actor associated with Russian military intelligence. These phishing campaigns, conducted between March and November 2023, featured unusually high volumes of malicious email for an APT actor, with as many as 10,000 messages in a single campaign. The attacks targeted a diverse range of industries, including the government, aerospace and technology sectors, and were notable for settling into a daily cadence during the late summer period.

In these campaigns, TA422 made use of CVE-2023-23397, a privilege escalation vulnerability in Microsoft Outlook. Messages carried an Outlook appointment item as an attachment, with a fake file extension so that it appeared to be another file type, such as CSV, Word or Excel. If a vulnerable version of Outlook processed the appointment, the victim's NTLM credentials (a Net-NTLMv2 challenge-response) could be sent to an attacker-controlled server without any further user interaction. Over the eight-month period, TA422 evolved its tactics several times, using Mockbin and InfinityFree for redirection and also exploiting a WinRAR vulnerability. For a detailed technical analysis and a list of IoCs, check out the full blog post.
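The two tells described above, an appointment item disguised with a borrowed extension and an appointment that points Outlook at an outside host, are both checkable at the mail gateway without opening the message in Outlook. The triage script below is an added example, not Proofpoint's code or anything from the TA422 blog post. It assumes that Outlook appointment items arrive as .msg files (an OLE compound file, identified by its magic bytes), and it uses the publicly documented CVE-2023-23397 mechanism from Microsoft's advisory, a reminder sound-file path (PidLidReminderFileParameter) set to a UNC share, as the reason to hunt for UNC paths in UTF-16LE MAPI strings. The sample attachments, the allowlist of internal hosts and the expected-container table are all constructed for the example.

```python
"""Heuristic attachment triage for the CVE-2023-23397 appointment lure.

Added example (not Proofpoint code). Two checks per attachment:
  1. Does the declared extension match the real container? The campaign shipped
     Outlook appointment items (.msg, an OLE/CFB file) named as CSV/Word/Excel.
  2. Does the item carry a \\\\host\\share UNC path to a host we do not own?
     Per Microsoft's advisory, CVE-2023-23397 is triggered by a reminder
     sound-file path (PidLidReminderFileParameter) on an SMB share, which makes
     Outlook authenticate to it with Net-NTLMv2. MAPI strings are UTF-16LE, so
     we search both 8-bit and UTF-16LE views of the bytes.
This does not parse the MAPI property stream; it is a gateway-side heuristic.
"""
import os
import re
from dataclasses import dataclass, field
from typing import List

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # MS-CFB header: .msg, legacy Office
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.xlsx) is a zip

# Container each spoofed extension should really carry (assumed table).
EXPECTED = {".csv": "text", ".doc": "ole", ".docx": "zip", ".xls": "ole", ".xlsx": "zip"}

# Hosts an appointment may legitimately reference (assumed for the example).
ALLOWED_UNC_HOSTS = {"files.corp.example"}

UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9.\-]*)\\([^\\\x00\r\n]+)")


@dataclass
class Verdict:
    filename: str
    container: str
    mismatch: bool                       # extension disagrees with real container
    unc_hosts: List[str] = field(default_factory=list)
    suspicious: bool = False


def sniff_container(data: bytes) -> str:
    """Identify the container by content, never by the filename."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.lstrip().startswith(b"BEGIN:VCALENDAR"):
        return "ics"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def find_unc_hosts(data: bytes) -> List[str]:
    """Hosts named in \\\\host\\share paths, in both 8-bit and UTF-16LE text."""
    hosts = []
    for text in (data.decode("latin-1"), data.decode("utf-16-le", errors="ignore")):
        hosts += [host for host, _share in UNC_RE.findall(text)]
    return sorted(set(hosts))


def triage(filename: str, data: bytes, allowed_hosts=ALLOWED_UNC_HOSTS) -> Verdict:
    ext = os.path.splitext(filename)[1].lower()
    container = sniff_container(data)
    mismatch = ext in EXPECTED and EXPECTED[ext] != container
    hosts = find_unc_hosts(data)
    external = [h for h in hosts if h not in allowed_hosts]
    return Verdict(filename, container, mismatch, hosts, suspicious=bool(mismatch or external))


# Constructed samples: a CFB header plus a UTF-16LE reminder path posing as CSV,
# a benign OOXML prefix, and a plain CSV that names an allowed internal share.
SAMPLES = {
    "q3_report.csv": OLE_MAGIC + b"\x00" * 24
    + "\\\\203.0.113.7\\snd\\alert.wav".encode("utf-16-le"),
    "invoice.xlsx": ZIP_MAGIC + b"\x14\x00\x06\x00[Content_Types].xml",
    "hosts.csv": b"name,path\r\nbackup,\\\\files.corp.example\\backups\\\r\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        v = triage(name, blob)
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} {v.filename:15} container={v.container:5} "
              f"mismatch={v.mismatch} unc_hosts={v.unc_hosts}")
```

The first sample is flagged twice over: the bytes are an OLE container despite the .csv name, and the only UNC host it references is off the allowlist. Treat a hit as a reason to quarantine and pull the item for proper MAPI inspection, not as proof of exploitation; the UTF-16LE sweep will also light up on legitimate items that reference internal shares, which is why the allowlist exists.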

And on this week’s Five-Minute Forecast, U.S. authorities take action against North Korean cybercriminals, TrickBot developer faces 35 years in prison after guilty plea, and senior threat intelligence analyst Selena Larson shares an update on seasonal threats.

Insights Chart of the Week
[Chart: TA422 Phishing Activity]
TA422 Goes Phishing

This advanced persistent threat (APT) group, linked to Russian military intelligence, launched an unusual series of campaigns earlier this year. Message volumes were high compared to typical APT activity, and the campaigns sought to exploit a vulnerability in Microsoft Outlook.


Threat Insight
APT Attacker Sends Mac Malware

Iran-aligned threat actor TA453 has expanded its repertoire, distributing malware targeting Apple devices.

Threat Insight
Exploring the Post-Macro Landscape

Our researchers unpack all the changes from a year of rapid evolution in malware delivery techniques.

Threat Insight
TA571 Delivers IcedID Forked Loader

A high volume spam distributor switches to an unusual forked version of a popular malware strain.

Go Deeper with Proofpoint Threat Intelligence Services

Connect with threat analysts, understand threats with intelligence specific to your situation, and gain 24/7 visibility into the latest threat discoveries.

Threat Report
2023 Human Factor

Cyber attackers target people. They exploit people. Ultimately, they are people. That's why people—not technology—are the most critical variable in today’s cyber threats. This year, the 2023 Human Factor report takes an even closer look at new developments in the threat landscape, focusing on the combination of technology and psychology that makes the modern attack chain so dangerous.

Threat Report
2023 State of the Phish

This year’s report dives deep into today’s threats—and how prepared users are to face them. Get a wealth of data, insight and advice based on knowledge assessments, self-reported cybersecurity habits and actual responses to simulated phishing emails.

About The Threat Research Team

Our threat researchers are responsible for tracking shifts in the cybersecurity landscape, identifying new attacks as they emerge, and monitoring how threat actor tactics, techniques and procedures change over time. The threats they detect and the signatures they write feed into our platforms and are keystones in a system that analyzes more than 2.6 billion emails, 49 billion URLs and 1.9 billion attachments every single day.

By studying what cyber criminals are doing now, our threat researchers are better able to anticipate what they’ll do next. Every day, their work keeps our customers protected—not just from today’s attacks, but tomorrow’s threats as they evolve.
