Microsoft Provides Info On The “Mint Sandstorm” Phishing Campaign
Microsoft Threat Intelligence has put out a report on the Mint Sandstorm phishing campaign targeting high-profile individuals at universities and research organizations:
Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. In this campaign, Mint Sandstorm used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files. In a handful of cases, Microsoft observed new post-intrusion tradecraft including the use of a new, custom backdoor called MediaPl.
Operators associated with this subgroup of Mint Sandstorm are patient and highly skilled social engineers whose tradecraft lacks many of the hallmarks that allow users to quickly identify phishing emails. In some instances of this campaign, this subgroup also used legitimate but compromised accounts to send phishing lures. Additionally, Mint Sandstorm continues to improve and modify the tooling used in targets’ environments, activity that might help the group persist in a compromised environment and better evade detection.
Shawn Loveland, COO of Resecurity, had this comment:
Bespoke phishing attacks can be highly effective as they are difficult for victims to distinguish as malicious. If the phishing campaign has reasonable operational security (OpSec), it is difficult for security products and services to prevent the delivery of the lure. The next-generation AI-powered phishing campaigns will make bespoke phishing attacks low-cost, automated, and common. After the lure has been delivered and acted upon by the victim, threat actors motivated by geopolitics and money-making endeavors commonly use similar TTPs in their attack, as described by Microsoft.
The motivations behind the actions of threat actors based in Iran can vary between geopolitical and financial gain. The specific motivation behind their actions depends on the group and actors involved. For instance, some threat actors may be driven by geopolitical issues during the day but use the same or similar TTPs at night for personal financial gain. According to a report from Microsoft, this group is only motivated by geopolitics for the specific TTPs described in the report.
Individuals and organizations are vulnerable to various threat actors, with motivations such as personal gain, fame, revenge, challenge, and even geopolitics. It is worth noting that security products and processes can take months to detect and mitigate a new campaign, exposing companies to potential attacks. Therefore, companies must establish a robust CTI practice to detect and mitigate these TTPs before they become targeted.
Microsoft's report includes a good deal of defensive advice that you should read and heed if you want to defend against this, because it is clearly the work of highly skilled threat actors who are willing to go to great lengths to get what they want.
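One practical consequence of the two points above, that the lures "lack many of the hallmarks" of phishing and that some were sent from legitimate but compromised accounts, is that SPF, DKIM and DMARC all pass on such a message, so a mail filter that treats passing authentication as evidence of legitimacy will wave it through. The triage script below is an added example written for this post, not code from Microsoft or Resecurity. It scores inbound mail on signals that a compromised account does not fix (first contact between sender and recipient, a Reply-To pointing at a different domain, a link to an archive or executable) and deliberately gives authentication results no weight. The two messages, the contact list and the domain names are constructed for the example and are not indicators from the report.

```python
"""Triage inbound mail without treating SPF/DKIM/DMARC 'pass' as a clean bill.

A lure sent from a legitimate but compromised account passes all three
checks, so the score below ignores them and looks at relationship and
content signals instead. All sample data is constructed for this example.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed: (sender, recipient) pairs that have corresponded before.
KNOWN_CONTACTS = {("alice@example.org", "bob@university.example")}

# Constructed sample messages. Both carry passing Authentication-Results
# headers; only the second is a first-contact sender pushing a download.
SAMPLE_MESSAGES = [
"""From: Alice Researcher <alice@example.org>
To: bob@university.example
Subject: Re: panel notes
Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass
Content-Type: text/plain

Bob, the notes from Tuesday are in the shared folder as usual. -A
""",
"""From: Dr. Carol Lure <carol@think-tank.example>
To: bob@university.example
Reply-To: carol.private@webmail.example
Subject: Invitation to contribute: Middle East policy brief
Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=think-tank.example; dkim=pass header.d=think-tank.example; dmarc=pass
Content-Type: text/plain

Dear Bob, we would value a chapter from you for the brief.
The draft outline is at https://files.think-tank.example/outline.rar
""",
]

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
# File types commonly delivered as "documents" in phishing; extend as needed.
DOWNLOAD_RE = re.compile(r"https?://\S+\.(?:zip|rar|7z|iso|lnk|exe|docm)\b", re.I)
HOLD_THRESHOLD = 4


def parse_auth_results(msg: EmailMessage) -> dict:
    """Return {'spf': 'pass', 'dkim': ..., 'dmarc': ...} from the MTA's header."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(hdr)):
            results[mech.lower()] = verdict.lower()
    return results


def addr_of(header) -> str:
    """Bare lower-cased addr-spec of the first address in an address header."""
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].addr_spec.lower()


def triage(raw: str, known_contacts=KNOWN_CONTACTS) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    sender = addr_of(msg["From"])
    recipient = addr_of(msg["To"])
    reply_to = addr_of(msg["Reply-To"])
    auth = parse_auth_results(msg)
    # Recorded for the analyst, but worth zero points: a compromised
    # legitimate account passes SPF, DKIM and DMARC just like its owner.
    auth_passed = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))

    score, reasons = 0, []
    if (sender, recipient) not in known_contacts:
        score += 2
        reasons.append("first contact between sender and recipient")
    if reply_to and reply_to.split("@")[-1] != sender.split("@")[-1]:
        score += 2
        reasons.append("Reply-To domain differs from From domain")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if DOWNLOAD_RE.search(text):
        score += 3
        reasons.append("link to archive/executable download")
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    if attachments:
        score += 3
        reasons.append("attachment present: " + ", ".join(map(str, attachments)))

    verdict = "hold for review" if score >= HOLD_THRESHOLD else "deliver"
    return {"sender": sender, "auth_passed": auth_passed, "score": score,
            "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        r = triage(raw)
        print(f"{r['sender']:<32} auth_passed={r['auth_passed']} "
              f"score={r['score']} -> {r['verdict']}")
        for reason in r["reasons"]:
            print("   -", reason)
```

Run as-is, both messages report auth_passed=True; the first scores 0 and is delivered, the second scores 7 and is held. The thresholds and weights are illustrative; the point that survives tuning is that the authentication verdict is logged for context but never lowers the score, so a lure from a hijacked mailbox is judged on the same relationship and content signals as one from a throwaway domain.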
This entry was posted on January 19, 2024 at 8:40 am and is filed under Commentary with tags Microsoft.