Archive for Fortra

Fortra Identifies Novel Phishing Attack Blending Tactics to Target Microsoft O365 

Posted in Commentary with tags on May 20, 2025 by itnerd

Here is an intriguing case study from Fortra’s Suspicious Email Analysis (SEA) team that documents a sophisticated phishing attempt identified in early April 2025. The attack combines tactics that Fortra researchers had never before seen used together, and highlights how attackers are increasingly chaining a variety of technologies to gain unauthorized access to systems.

Key highlights include:

  • Significance: This is the first Fortra documented instance of these tactics being used together for a Microsoft O365 phishing attempt.
  • Complexity: This attack uniquely combines tactics such as an encrypted .htm file, AES encryption, and a malicious npm package.
  • Target: The primary goal was to harvest Microsoft O365 credentials.

Having visibility into emerging trends, and understanding the Tactics, Techniques, and Procedures (TTPs) associated with novel incidents is crucial for cybersecurity professionals to enhance their defenses against such targeted attacks.

The report can be found here: https://www.fortra.com/blog/threat-analysis-malicious-npm-package-leveraged-o365-phishing-attack

Fortra Acquires Lookout Cloud Security

Posted in Commentary with tags on May 12, 2025 by itnerd

Fortra today announced the acquisition of Lookout’s Cloud Security business, featuring its Security Service Edge (SSE) solution. Based in Boston, Massachusetts, Lookout’s Cloud Security solution includes Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA) and Secure Web Gateway (SWG) capabilities, among other critical security solutions. In addition, with this acquisition Fortra now offers a complete Data Security Posture Management (DSPM) solution.

In March 2024, Fortra and Lookout announced a strategic integration partnership to provide customers with comprehensive security coverage through Fortra’s Digital Guardian DLP. Now Fortra customers will have comprehensive DSPM capabilities leveraging the power of Fortra’s existing solutions for data discovery, classification and data loss prevention (DLP) enhanced by Lookout’s strength in cloud security. 

As organizations face increased threats from cyber-attacks, and look to comply with regulatory and privacy requirements, Lookout’s SSE capabilities help organizations safeguard their people, devices, applications and data wherever it lives across hybrid environments.   

Fortra’s 2025 Email Security Report Is Out

Posted in Commentary with tags on March 27, 2025 by itnerd

Fortra has published the results of its 2025 Email Threat Landscape report which describes how the email threat landscape evolved in 2024 and forecasts what defenders should expect in 2025. Fortra analyzed more than 1 million email threats, many of which bypassed traditional email security measures.

Some of the main findings include:

  • 99% of email threats reaching corporate user inboxes in 2024 were response-based social engineering attacks or contained phishing links, without delivering malware.
  • Scammers are exploiting leaked personal data, such as home addresses, to craft highly personalized attacks and extortion schemes.
  • Legitimate services are being heavily abused to get malicious emails into user inboxes. Misuse of developer tools grew sharply, increasing more than 200% in 2024.
  • Multichannel attacks are luring victims out of secure email environments. Methods include malicious QR codes and hybrid vishing, which surged in Q4 2024 to account for 40% of response-based email threats.

You can read the report here.

Major Drop in Cobalt Strike Misuse Says Fortra

Posted in Commentary with tags on March 7, 2025 by itnerd

Two years ago, Microsoft, Fortra, and Health ISAC launched an aggressive takedown campaign to stop cybercriminals from weaponizing unauthorized versions of Cobalt Strike. Many questioned if the effort would work – and it has!

Today this is what they are seeing:

  • 80% reduction in unauthorized Cobalt Strike copies circulating in the wild
  • 200+ malicious domains seized to cut off cybercriminal access
  • Dwell time reduced to under a week in the U.S. (down from months)
  • Operation MORPHEUS: A global law enforcement collaboration shutting down 593 criminal infrastructure points across 27 countries

This initiative is now entering a new phase, with automated takedowns and tighter security controls, making it even harder for cybercriminals to exploit red team tools.

You can find out more details here.

Over 1,200% Surge in Crypto-Enabled BEC Scams Says Fortra

Posted in Commentary with tags on February 13, 2025 by itnerd

There’s been a staggering 1,216% increase in cryptocurrency scams over the past year according to the latest threat intelligence from global cybersecurity company Fortra.

Fortra sent me a report that detailed what they were seeing in terms of BEC related activity. And I have to admit that even though I live in this space, what they reported blew my mind. Specifically:

  • Attackers are shifting to crypto for its ease of laundering and growing financial appeal, with Bitcoin’s recent rise to $100K making it an even bigger target.
  • 158 cryptocurrency-related scams identified in January 2025 alone.
  • 122 unique wallets recorded, with transactions ranging from $0.17 to $53,438. The most active wallet received 0.09 BTC (~$9,047) in just two transactions.
  • AI is enabling scalable, highly persuasive scam emails, while dark web “Sextortion Kits” are fueling large-scale extortion campaigns.

Unfortunately I don’t have a link to the report these figures came from, but I can point you towards this blog post where Fortra details other BEC-related trends that they have documented.

Guest Post: Threat Actor Profile/Phish Kit Analysis By Fortra

Posted in Commentary with tags on December 13, 2024 by itnerd

SpartanWarriorz

Threat Background & History

Fortra is tracking activity from a scam kit authoring group known as SpartanWarriorz. These authors have been selling kits targeting over 300 global brands as far back as September 2022. They have targeted industries including financial institutions in North America and Europe, retail, delivery services, and social media platforms. Using the messaging service Telegram, they have been observed giving away a plethora of free phishing kits to increase their reputation within the phishing community. 

Operations experienced some service disruption recently when the SpartanWarriorz Telegram channel was shut down on November 21st. The group created a new channel on the same day and has attempted to inform their past subscribers.

Profile picture for SpartanWarriorz on Telegram.

Service Breakdown

SpartanWarriorz has primarily used Telegram to advertise their phishing kits. Their Telegram channel currently has over 5,300 subscribers and is managed by two moderators. Across their platform they have offered services including:

  • Phishing Kits and Pages
  • Access to Compromised Websites
  • Published Phishing Lures
  • Email Spamming Services

Example phishing kit advertised by SpartanWarriorz on Telegram.

Customary advertising file within a SpartanWarriorz phish kit.

SpartanWarriorz has advertised over 300 kits on Telegram that are available for sale or have been given away. In addition to the kits, SpartanWarriorz advertises mailer tools that allow threat actors to send out phishing campaigns using pre-authored lure emails available from the seller. The group also offers access to web shells through their Telegram channel. These shells have been installed on compromised servers and can be used to host and carry out phishing attacks.

A Telegram post advertising a plethora of SpartanWarriorz phish kits.

SpartanWarriorz kits allow users to input a Telegram bot API token and chat ID, to which stolen credentials, including OTP codes, are exfiltrated. Additionally, the kits include extensive antibot lists that block specific IP addresses and ranges, user agents, and known web crawlers from accessing the phishing pages within the kit; this code redirects all blocked visitors to Google.com or a fake 404 error page, so that security scanners and crawlers never see the phishing content. Other configuration settings frequently seen include options to require victims to sign in twice or complete a CAPTCHA.
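One way an analyst would triage a captured kit of this kind, as an added example that is not Fortra’s code or anything from the kit itself: pull the Telegram exfiltration settings and the antibot list out of the kit’s configuration, then replay the antibot decision to see which visitors the kit would have hidden its pages from. The PHP fragment, the variable names, the placeholder token and chat ID, and the RFC 5737 documentation address ranges are all constructed for the example; real kits name these settings differently, so the regexes are a starting point rather than a signature.

```python
"""Triage a captured phishing kit's configuration for an analyst report.

Added example, not the kit's code or Fortra's. The config fragment below is
constructed to mirror the features described in the profile: a Telegram bot
token and chat ID used for credential exfiltration, an antibot list of
blocked IP ranges and user-agent keywords, a redirect target for blocked
visitors, and the double sign-in option. Token and chat ID are placeholders.
"""
import ipaddress
import re

# Constructed stand-in for a kit's config.php (placeholder values throughout).
SAMPLE_KIT_CONFIG = r'''<?php
$telegram_token   = "0000000000:PLACEHOLDER_BOT_TOKEN_xxxxxxxxxxxxxxx";
$telegram_chat_id = "-1000000000000";
$double_login     = true;
$antibot_ips = array("192.0.2.0/24", "198.51.100.77", "203.0.113.0/25");
$antibot_ua  = array("googlebot", "bingbot", "curl", "python-requests");
$blocked_redirect = "https://www.google.com";
?>'''

# Host a kit configured this way posts stolen credentials to (public Telegram
# Bot API). Outbound connections to it from a web server are the thing to watch.
TELEGRAM_API_HOST = "api.telegram.org"


def _php_string(name, text):
    """Return the value of a PHP  $name = "..."  assignment, or None."""
    m = re.search(r'\$' + re.escape(name) + r'\s*=\s*"([^"]*)"', text)
    return m.group(1) if m else None


def _php_array(name, text):
    """Return the quoted elements of a PHP  $name = array("a", "b")  assignment."""
    m = re.search(r'\$' + re.escape(name) + r'\s*=\s*array\(([^)]*)\)', text)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []


def parse_kit_config(text):
    """Extract the analyst-relevant settings from a kit's PHP config text."""
    return {
        "telegram_token": _php_string("telegram_token", text),
        "telegram_chat_id": _php_string("telegram_chat_id", text),
        "double_login": bool(re.search(r'\$double_login\s*=\s*true', text)),
        # A bare address (no prefix) becomes a /32 network.
        "blocked_networks": [ipaddress.ip_network(n, strict=False)
                             for n in _php_array("antibot_ips", text)],
        "blocked_ua_keywords": [k.lower() for k in _php_array("antibot_ua", text)],
        "blocked_redirect": _php_string("blocked_redirect", text),
    }


def is_blocked_visitor(ip, user_agent, cfg):
    """Replay the kit's antibot decision: True means this visitor is redirected
    away and never sees the phishing page (which is why scanners miss it)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in cfg["blocked_networks"]):
        return True
    ua = user_agent.lower()
    return any(keyword in ua for keyword in cfg["blocked_ua_keywords"])


def report_indicators(cfg):
    """Summarize exfil and evasion settings as report lines (token truncated)."""
    lines = []
    if cfg["telegram_token"]:
        lines.append(f"exfil: Telegram bot token {cfg['telegram_token'][:10]}... "
                     f"-> chat {cfg['telegram_chat_id']} via {TELEGRAM_API_HOST}")
    lines.append(f"evasion: {len(cfg['blocked_networks'])} blocked networks, "
                 f"{len(cfg['blocked_ua_keywords'])} UA keywords, "
                 f"redirect to {cfg['blocked_redirect']}")
    if cfg["double_login"]:
        lines.append("lure: victim asked to sign in twice")
    return lines


if __name__ == "__main__":
    cfg = parse_kit_config(SAMPLE_KIT_CONFIG)
    print("\n".join(report_indicators(cfg)))
    for ip, ua in [("192.0.2.5", "Mozilla/5.0"), ("8.8.8.8", "Googlebot/2.1")]:
        print(ip, ua, "->", "blocked" if is_blocked_visitor(ip, ua, cfg) else "served")
```

The replayed antibot check is the practical lesson for a detection team: a URL scanner that always arrives from a well-known range or with a recognisable user agent will be shown Google.com and conclude the page is clean, so kit submissions should be fetched from non-listed vantage points and with browser-like headers before a page is marked benign.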

The Fortra Team Share Their 2025 Predictions

Posted in Commentary with tags on November 25, 2024 by itnerd

This is going to be a lengthy list of predictions as I have several members of the Fortra team sharing their thoughts on what they think is going to happen in 2025.

John Wilson – Senior Fellow, Threat Research

  1. Scams will become increasingly personalized. For example, there was a recent email extortion scam circulating that included a customized PDF attachment. The PDF included a Google Street View image of the victim’s home. I predict we will see a lot more of this type of personalization in 2025. By correlating data across multiple data breaches, a cybercriminal might threaten to expose a sensitive medical condition if the victim doesn’t pay up, for example. Thanks to breach data, scammers pretending to be the SSA or IRS will reference the victim’s actual SSN in their calls and emails.
  2. We’ll see increased use of cross-channel social engineering attacks. For example, we started seeing hybrid vishing in 2023, where the attack starts out with an email instructing the victim to call a phone number. Quishing, or phishing using QR codes, is a way to cross from an email to a URL opened on a mobile device. I predict we’ll see more of these cross-channel attacks in 2025. For example, a user might receive a deep-fake voice message from their CEO instructing them to be on the lookout for an email, or a call from their “IT Security Team” instructing them to download a software “update” right away from a website mentioned on the call.
  3. Our geopolitical rivals will continue to leverage social media to deepen divides within NATO and within the USA. Russia in particular would love to see the dissolution of NATO and even of the United States itself.
  4. In 2025 we will see a terrorist group use a cyberattack to target self-driving cars. The attack may directly cause injuries and fatalities by using the cars as a weapon, or the cars may be used to cause gridlock in order to slow the emergency response to a more traditional attack.
  5. Swatting and Doxing are so last year. In the near future we’ll see hackers plant CSAM on their victim’s phone or laptop before tipping off the police.
  6. Criminal street gangs will infiltrate Flock Safety in order to prevent their license plate readers from detecting the gang’s activities.

Chris Reffkin – Chief Security and Risk Officer

Security risk will be further integrated into broader risk management of business operations. The consolidation and market adjustment that is occurring in the security industry is really a result of the CISOs out there; after all, the CISOs are the ones that lead acquisitions of new security technologies. This does not mean CISOs are being demoted or deprioritized, but they will need to be in line with other business leaders when it comes to priority and spend.

The grey area between cyberwarfare and kinetic warfare will be redefined if not closed. We’ll see more civilian systems and infrastructure reporting attacks, if not full-blown disruption – with intent and purpose, not accidental disruption.

Security organizations will need to invest more in “processes” than ever before looking for better efficiency and optimization of scarce personnel time and resources. This will become an area of continuous improvement and a primary operational initiative in security organizations.

Nick Franklin – Global AWS Technology Alliance Director

CIOs will drive deeper reviews surrounding the impact security & observability tools can have on their organization in 2025

In July 2024, the world’s second largest cybersecurity ISV caused much of the globe to come to a halt as a result of a flaw in an update pushed to their agent. This has made plain to everyone all around the world, from my mother who can barely use her smartphone, to CEOs, to world leaders, that resiliency is as critical as ever and CIOs can no longer allow their teams to be satisfied with the features and benefits a security product may offer. CIOs will require greater assurances that they are protected from disaster inadvertently caused by the tools they use to protect and monitor their environments. We will see this materialize in legal and contract discussions around terms and SLAs, enhanced scrutiny placed on the interaction between third-party tools and first-party systems and applications, and in deeper technical reviews that security and observability vendors will need to be prepared to address. Does your endpoint agent have kernel access? Does your SaaS application’s cross-account IAM role grant overly permissive access to your employees who have no business accessing end customer information captured by your tool? These are very basic but real scenarios I’m seeing come up with increased frequency that are just the tip of the spear of scrutiny coming to security ISVs as organizations strive to mitigate third-party risk to their businesses.

Hyperscalers turn increasingly toward native cybersecurity solutions to drive revenue growth

Hyperscalers will continue to aggressively pursue new customers, but I predict we’ll see an expansion of native cybersecurity capabilities these cloud providers develop and release to capture more and more customer revenue. We’re beyond the stage of cloud being the new and exciting thing everyone is running to for the first time. Cloud vendors now offer hundreds of native services and solutions to customers including security, but in 2025 and beyond to meet the revenue demands of their stakeholders, it seems highly likely the cloud behemoths will develop and launch a myriad of native security tools and features that promise customers the ability to secure and securely manage their data and applications from within the cloud control plane. Secondarily, we’re likely to see several strategic acquisitions of cutting-edge security companies by the hyperscalers themselves.

Wade Barisoff – Director of Product – Data Protection

Our confidence was shaken in the summer of 2024 when a single vendor published an update that triggered global outages from which some companies took several weeks to recover. What followed was a series of short-term process changes, and questioning of the testing, updating, and rollback processes of vendors of all sizes and scope. 2025 will see companies execute longer-term strategies, from creating automated testing sandboxes to diversification and segmentation of their environments, to ensure a simple update cannot take their entire company down for multiple weeks.

New regulations globally are being implemented in 2025, like the new privacy laws in Malaysia, updates to GDPR, and new standards for doing business with various governments and military organizations (like CMMC in the United States). These standards are forcing a relook at company technology stacks to see if they can meet the requirements of these new standards, as many of them include heavy fines or, worse, the inability to continue to be a supplier. The core focus of a lot of these new regulations is company hygiene: do you have the correct tools and processes in place so as not to lose data or compromise the organization you are doing business with? As attackers dig for new vectors to compromise critical infrastructure, government entities, or simply cause data loss, this is forcing these organizations to expand their standards to first-party suppliers. Over time you can expect these standards to expand beyond first-party suppliers as cracks emerge, and new standards are put in place to counter them.

Roberto Enea – Data Scientist II

We are going to see an increased use of LLM Agents to exploit targets with a process similar to:

  • Automatic scanning of targets to detect applications installed
  • Ingesting vulnerability descriptions related to the applications detected
  • Generation of scripts to exploit the vulnerability
  • Vulnerability exploitation

Kurt Thomas – Senior System Engineer

The 2025 cybersecurity landscape will continue to be shaped by highly dynamic, and sometimes opposed, geopolitical, legal, and technological trends.

Attack-Side Trends

Distributed denial-of-service (DDoS), data leaks, and ransomware will remain the top threats in 2025.

Ongoing and expanding military conflicts will continue to drive quantity and sophistication globally. In all of the larger conflicts, cyber is one of the arenas in which they are played out. The most conspicuous example of that is the Russian war on Ukraine and the related intelligence, sabotage and information manipulation activities. These activities will continue and expand in 2025. Other geopolitical conflicts will similarly include cyber attacks.

Attacks that affect physical systems are likely to increase. The sectors most likely to be affected will be defense and all critical-infrastructure sectors.

Chinese, Russian, Iranian and North Korean services, as well as various criminal gangs, will continue to expand their arsenal of zero-day and few-day software vulnerabilities.

Nation-state actors will increasingly leverage cybercriminal gangs for their goals, to provide a level of plausible deniability, intended to shield them from direct sanctions.

Attackers will progress the use of artificial intelligence for attacks. They will focus on easy gains for their operations through Large Language Models. Those AIs will help them word convincing phishing emails and assist them with their software development. Use of LLM-based voice deepfakes will proliferate, for “applications” such as business email-and-voice compromise.

While research in more sophisticated use of AI — for instance, to dynamically develop strategies and tactics for attacks — is ongoing, this kind of advanced use has not been spotted in real-life attacks so far and is hopefully still a few years off.

Defense-Side Trends

On the defense side, the need to invest in cybersecurity is slowly being recognized by more and more organizations. Cybersecurity investment is no longer the exclusive domain of a few sectors and is expanding into middle-sized and smaller organizations.

One reason for this trend is compliance frameworks for cyber or cyber-adjacent topics like data protection and cyber risk reduction. Those frameworks can be laws, regulations, or industry-required standards. Both the EU and the US will see the enactment of further frameworks to implement cyber risk reduction, and technical guidelines aimed at operationalizing that legislation. An example of this is the DORA regulation, which will become effective in January 2025, and the corresponding Regulatory Technical Standards.

Insurance companies create another kind of compliance pressure. Insurance companies are both in a position to, and incentivized to, demand that their insurance takers implement proper cyber security.

Cybersecurity training will gain more ground and help to reduce the human factor risk. There is still a lot of ground to cover here, but as security awareness improves, people will be less likely to fall prey to the most obvious cyber deceits and traps.

On the ransomware side, defense will improve through two trends: more organizations backing up their data and testing those backups as well; and the use of XDR and MDR solutions that aggregate and analyze security data across multiple organizations, ingesting billions of data points and processing them to find threats sooner than any human analyst could.

Adoption of the new NIST-approved encryption algorithms for post-quantum cryptography for data in transit has started and will slowly climb in 2025, starting first in the especially risk-aware sectors like defense and finance. This will reduce the risk of harvest-now-decrypt-later attacks on confidential data.

As a final prediction, I predict more streaming shows and movies with hacking-related story lines.

Antonio Sanchez – Principal Cybersecurity Evangelist

  • Synthetic media such as deepfakes and other artificially generated content will continue to increase forcing legislation to address privacy concerns.
  • The number of unfilled cyber security roles has been hovering between 3.5 and 4 million in the past few years. This has put significant stress on existing staff, which is surfacing a new trend of burnout and people leaving the cybersecurity field due to untenable situations. I expect an increase in people leaving the industry, which will also result in security leaders putting less emphasis on technical skills and more emphasis on soft skills to address the staffing shortages.
  • Expect an increase in the adoption of automation, where repetitive tasks can be executed at machine speed, which will reduce the need for human intervention. Increasing the adoption of automation will also help ease some of the burden of the staffing shortages.
  • For 2025 we can expect organizations to implement more stringent requirements from their business partners. Organizations are unlikely to begin doing business or continue doing business with an entity that puts them at serious risk of operational disruption.

Theo Zafirakos – Cyber Risk and Information Security Expert

Service providers increasing their maturity and security controls

Increased customer expectations and the evolving digital landscape will force service providers to implement systems and processes of higher standards. Regulations like the General Data Protection Regulation (GDPR) in Europe, the Digital Operational Resilience Act (DORA), or the California Consumer Privacy Act (CCPA) mandate higher standards for data protection, privacy, and operational resilience. Non-compliance can result in heavy fines and penalties. Natural disasters and public health crises are increasing in frequency, and cloud-based and resilient communications channels will become more important.

Chris Spargen – Associate Director, Solutions Engineering

Major Cybersecurity Event(s) drives major and rapid change.

  • Impacts include Supply Chain Disruption, potential internet and/or electrical grid outages, and public fear & unrest.
  • New legislation or policies are enacted in response to the event(s).
  • Platforms will increase in importance for start-to-finish security solutions that cover all bases.
  • First mainstream waves of blockchain currencies begin – likely central bank digital currencies.

AI & Blockchain Developments

  • The continued global adoption of AI will drive market needs for human authenticity.
  • The Blockchain will be a solution that serves as public ledger that validates human authenticity.

Automation & AI Developments

  • We’ll see automation & AI growth in the cybersecurity space to augment the shortage of professionals and increase the speed of responses.
  • This will be a double-edged sword, as cybercriminals will also look to these tools to develop complex threats.

Automated Driving takes off in 2025

  • There will be new regulations to button down the cybersecurity risks associated with scaling automated driving.
  • Tesla will be a controversial pioneer in this space.

Fortra Discovers A Nearly 200% Spike in Abuse of Cloudflare’s Trusted Platforms

Posted in Commentary with tags on November 6, 2024 by itnerd

Fortra has uncovered a significant surge in cybercriminal abuse of Cloudflare Pages (198% increase) and Workers (104%) over the past year. The data also reveals that monthly incidents on Cloudflare Pages alone could surpass 1,600 by year’s end—a 257% year-over-year increase.

What’s surprising?

While it’s primarily used legitimately, Cloudflare Pages can be exploited for malicious purposes because of its reputation, free hosting, ease of use, and global Content Delivery Network (CDN). Threat actors can create convincing malicious sites, using custom domains and HTTPS connections to deceive victims. Similarly, while designed to help developers deploy and run JavaScript code directly at the edge of Cloudflare’s CDN, Cloudflare Workers can be exploited to bypass security controls or automate various attacks like brute-force login attempts. In short, attackers are using Cloudflare’s strengths to lure victims into a false sense of security.

Cybersecurity teams may need to change their approach

While Cloudflare does implement threat detection and phishing prevention mechanisms, Fortra’s report suggests a growing trend of abuse on reputable platforms, highlighting the need for more vigilant monitoring, even in environments perceived as secure. Security teams should be aware of these increased attacks and proactively monitor for suspicious activity, as the platform can often be misused for some time before the abuse is detected and taken down.

Tips for cybersecurity teams:

Cloudflare has several security measures in place to combat abuse, including threat detection systems, phishing detection, and user reporting mechanisms to take down malicious content. Despite these efforts, cybercriminals can still exploit the platform before malicious content is detected. The risk is in how cybercriminals are misusing the service, and not in the technology itself.

Users can protect themselves from phishing by following several best practices. First, they should be cautious when interacting with unfamiliar websites, especially those requesting personal or sensitive information. Verifying the legitimacy of URLs and ensuring that the domain matches the expected source can help identify phishing attempts. Additionally, enabling two-factor authentication (2FA) for accounts adds an extra layer of security.

Developers using Cloudflare Pages should implement strong security measures such as regularly updating their site’s dependencies, using HTTPS for secure connections, and monitoring for suspicious activity. It’s also important to report any phishing attempts or malicious activity to Cloudflare for further investigation and takedown, helping to prevent wider abuse.

Fortra’s Brand Threats And Fraud Report Now Live

Posted in Commentary with tags on October 15, 2024 by itnerd

Fortra’s 2024 Brand Threats and Fraud Report is now live. The report dives into attacks from Q2 2024 across domains, social media platforms, and the dark web, revealing unexpected trends that could reshape how businesses think about digital security.

Some surprising insights:

  • New gTLDs are now the most dangerous domains for phishing: Phishers are shifting from familiar domains like .com to newer ones like .dev and .vip.
  • Impersonation and cyberattacks are down: Contrary to popular belief, executive and brand impersonation attacks declined by 8%, while cyber hacking incidents fell by 5%—suggesting attackers are pivoting to harder-to-detect strategies.
  • Fraud tools on the dark web are exploding: With fraud tools doubling in Q2 2024, they have become the fastest-growing threat on the dark web, surpassing stolen credit card data.
  • Social media attacks increased by 60% in one quarter: In May alone, brands faced 160 attacks per month, making social platforms a growing playground for cybercriminals.

View the full report here: https://www.phishlabs.com/resources/guides/brand-threats-and-fraud.

Fortra’s Brand Threats and Fraud Report Is Out

Posted in Commentary with tags on October 15, 2024 by itnerd

Fortra has analyzed hundreds of thousands of domains, social media, counterfeit, and dark web attacks targeting enterprises, their employees, and brands. This report uses the data from those attacks to present key trends shaping the threat landscape.

Some of the key findings include:

  • 60% surge in social media attacks on brands in Q2 alone.
  • 55% increase in counterfeit websites mimicking well-known brands.
  • The rise of New Generic Top-Level Domains (gTLDs) like .dev and .vip being used in phishing attacks, outpacing legacy domains such as .com.
  • Fraud tools targeting enterprises more than doubled on the dark web, now representing one of the highest-growing threats.
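Two findings on this page point at the same mail-gateway check: the Cloudflare post (sites hosted on Cloudflare Pages and Workers borrow the platform’s reputation) and the two brand-threat reports (new gTLDs such as .dev and .vip now outpace .com for phishing). The example below is added here and is not Fortra’s or PhishLabs’ code: it extracts the URLs from a message body and flags any whose host sits on a watched gTLD or on the default hostnames those two Cloudflare services hand out (`*.pages.dev`, `*.workers.dev`). The email text and every hostname in it are constructed for the example, and the gTLD watchlist holds only the two TLDs the reports name; a real deployment would extend it from its own telemetry.

```python
"""Triage URLs in an email body for new-gTLD and hosted-platform indicators.

Added example, not Fortra's code. Implements the two checks the reports on
this page motivate: host on a watched new gTLD (.dev, .vip) and host on a
free hosting platform's default domain (Cloudflare Pages / Workers).
"""
import re
from urllib.parse import urlparse

# gTLDs the reports single out as outpacing .com for phishing. Constructed
# watchlist containing only the TLDs named on the page; extend from telemetry.
NEW_GTLD_WATCHLIST = {"dev", "vip"}

# Default hostnames issued by the two Cloudflare services named in the post.
HOSTED_PLATFORM_SUFFIXES = {
    ".pages.dev": "cloudflare-pages",
    ".workers.dev": "cloudflare-workers",
}

URL_RE = re.compile(r'https?://[^\s<>"\']+')

# Constructed email body; all hostnames are invented for the example.
SAMPLE_EMAIL = """Hi,
Your invoice is ready: https://example-billing.vip/login
The team portal has moved to https://acme-sso.pages.dev/auth?rid=7
Help centre: https://www.example.com/help.
"""


def extract_urls(text):
    """Return the http(s) URLs in a message body, trimming trailing punctuation
    that regexes commonly swallow from surrounding prose."""
    return [u.rstrip(".,;:)]>") for u in URL_RE.findall(text)]


def triage_url(url):
    """Flag a URL whose host is on a watched gTLD or a hosting platform's
    default domain. Returns the host and the list of reasons (empty = clean)."""
    host = (urlparse(url).hostname or "").lower()
    reasons = []
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in NEW_GTLD_WATCHLIST:
        reasons.append(f"new-gtld:{tld}")
    for suffix, platform in HOSTED_PLATFORM_SUFFIXES.items():
        if host.endswith(suffix):
            reasons.append(platform)
    return {"url": url, "host": host, "reasons": reasons}


def triage_message(text):
    """Return only those URLs in a message that tripped at least one rule."""
    results = [triage_url(u) for u in extract_urls(text)]
    return [r for r in results if r["reasons"]]


if __name__ == "__main__":
    for hit in triage_message(SAMPLE_EMAIL):
        print(f"{hit['host']:<28} {', '.join(hit['reasons'])}")
```

Note that a Pages hostname trips both rules, since `pages.dev` itself lives on the .dev gTLD; the platform rule is the one that makes the hit actionable, because the parent domain’s good reputation is exactly what is being borrowed and a plain TLD score would rate it favourably. Neither reason is proof of phishing on its own; they are enrichment for a gateway or SOC queue, to be weighed alongside sender authentication and brand-lookalike checks.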

You can read the report here.