Security Community

April 29th, 2025 Who:  A sophisticated phishing campaign has been identified, targeting Gmail users by impersonating official Google communications.​ What:  Attackers are sending emails that appear to originate from no-reply@accounts.google.com, a legitimate Google address. These emails claim that Google has received a subpoena concerning the recipient's account and prompt users to click on a link leading to a fraudulent "support portal" hosted on sites.google.com. This portal is designed to harvest user credentials by mimicking Google's legitimate services.​ Example phishing email - Note the email is from a legitimate Google email address. Impact:  The phishing emails pass Gmail's security checks, including DKIM signature verification, making them appear authentic and allowing them to bypass spam filters. Users who enter their credentials on the fake portal risk full account compromise, including unauthorized access to emails, contacts, and sensitive personal information. Google is aware of this exploit and is actively rolling out protections to mitigate the threat.​ Recommendations:  Users are advised to enable multi-factor authentication and remain vigilant for unexpected emails requesting sensitive information, even if they appear to come from legitimate Google addresses. If a user suspects an email to be phishing, it is advised to flag the email, and report it to IT/Security staff. DO NOT click any links contained in the email if at all suspicious. Read the full article HERE

Who: • Hertz (car rental company) • Cleo Communications (file transfer vendor) • Possible link to Clop ransomware gang (Russia-affiliated) What: A cyberattack exploiting zero-day vulnerabilities in Cleo’s platform led to unauthorized access to Hertz customer data between October–December 2024. Exposed data includes: • Names, contact details, and dates of birth • Credit card and driver’s license information • Some Social Security and passport numbers • Workers' compensation claim data Impact: • Global exposure: Breach notices issued in the U.S., Canada, EU, UK, and Australia • Unknown scope: Number of affected customers not yet confirmed • No current evidence of fraudulent use, but sensitive data is at risk • Cleo vulnerabilities have been patched, and authorities have been notified Action Needed: • Monitor for fraud and identity theft • Review vendor security practices • Implement stronger third-party risk management policies Read the full article HERE

Security Brief: Phishing Campaigns Use Real-Time Validation for Credential Theft Who: Threat actors employing advanced phishing techniques, tracked by Cofense and Ontinue. Related activity linked to clusters Storm-1811 and STAC5777. What: A new tactic dubbed “precision-validating phishing” uses real-time email validation to display fake login pages only to verified, high-value email accounts. This approach improves success rates and evades detection by security tools. Additional phishing lures use file deletion notices to deliver malware or direct users to bogus Microsoft login pages. In a separate campaign, attackers used Microsoft Teams messages and Quick Assist for remote access and multi-stage compromise. Impact: • Credential theft from real, active accounts with higher resale/exploitation value. • Malware delivery via fake OneDrive installers using ScreenConnect remote access. • Extended phishing campaign lifespans due to evasion of automated analysis. • Persistence and remote access achieved using legitimate tools (e.g., TeamViewer, Node.js). Action Needed: • Educate users on new phishing tactics and suspicious file deletion lures. • Disable unused collaboration tools like Quick Assist. • Monitor for abnormal remote access activity and unauthorized use of tools like TeamViewer. Read the full article HERE