Law enforcement authorities in the U.K. have arrested two teen members of the Scattered Spider hacking group in connection with their alleged participation in an August 2024 cyber attack targeting Transport for London (TfL), the city's public transportation agency.
Thalha Jubair (aka EarthtoStar, Brad, Austin, and @autistic), 19, from East London and Owen Flowers, 18, from Walsall, West Midlands

Law enforcement authorities in the U.K. have arrested two teen members of the Scattered Spider hacking group in connection with their alleged participation in an August 2024 cyber attack targeting Transport for London (TfL), the city's public transportation agency.

Thalha Jubair (aka EarthtoStar, Brad, Austin, and @autistic), 19, from East London and Owen Flowers, 18, from Walsall, West Midlands were arrested at their home addresses on Tuesday, the National Crime Agency (NCA) said. They are 19 and 18, respectively.

It's worth noting that Flowers was initially arrested for his alleged involvement in the TfL attack in September 2024, but was subsequently released on bail. The agency said it found evidence of Flowers targeting U.S. healthcare companies, and that he has also been charged with conspiring with others to infiltrate and damage the networks of SSM Health Care Corporation and Sutter Health.

Jubair has also been charged under the Regulation of Investigatory Powers Act (RIPA) 2000 for failing to surrender PINs and passwords for devices seized by law enforcement from him on March 19, 2025.

"This attack caused significant disruption and millions in losses to TfL, part of the UK's critical national infrastructure," Deputy Director Paul Foster, head of the NCA's National Cyber Crime Unit, said. "Earlier this year, the NCA warned of an increase in the threat from cyber criminals based in the U.K. and other English-speaking countries, of which Scattered Spider is a clear example."

In tandem, the U.S. Department of Justice (DoJ) unsealed a complaint charging Jubair with conspiracies to commit computer fraud, wire fraud, and money laundering in relation to at least 120 computer network intrusions and extorting 47 U.S. entities from May 2022 to September 2025.

These attacks involved the use of social engineering techniques to gain unauthorized access to the target networks, and then leveraging that access to steal and encrypt information, and demand ransom from victims in return for regaining control and preventing the leak of the exfiltrated data.

According to the complaint, victims paid at least $115,000,000 in ransom payments. The incidents, the DoJ added, caused widespread disruption to U.S. businesses and organizations, including critical infrastructure and the federal court system, in October 2024 and January 2025.

In July 2024, the DoJ said law enforcement seized cryptocurrency wallets on a server allegedly controlled by Jubair and confiscated digital assets worth about $36 million at the time. Jubair is also said to have transferred a portion of the proceeds that originated from one of the victims, worth about $8.4 million at the time, to another wallet.

Jubair has been charged with computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy. If convicted, he faces a maximum penalty of 95 years in prison.

"Jubair went to great and sophisticated lengths to keep himself anonymous while he and his criminal associates continued to attack these victims and extort tens of millions of dollars in ransom payments," said Alina Habba, Acting U.S. Attorney and Special Attorney for the District of New Jersey.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

U.K. Arrests Two Teen Scattered Spider Hackers Linked to August 2024 TfL Cyber Attack

In the @digitalocean/do-markdownit package through 1.16.1 (in npm), the callout and fence_environment plugins perform .includes substring matching if allowedClasses or allowedEnvironments is a string (instead of an array).

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-2h8j-8r9p-849f: @digitalocean/do-markdownit has Type Confusion vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of two sets of malware that were discovered in an unnamed organization's network following the exploitation of security flaws in Ivanti Endpoint Manager Mobile (EPMM).
"Each set contains loaders for malicious listeners that enable cyber threat actors to run arbitrary code on the compromised server,"

Data Breach / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of two sets of malware that were discovered in an unnamed organization's network following the exploitation of security flaws in Ivanti Endpoint Manager Mobile (EPMM).

"Each set contains loaders for malicious listeners that enable cyber threat actors to run arbitrary code on the compromised server," CISA said in an alert.

The vulnerabilities that were exploited in the attack include CVE-2025-4427 and CVE-2025-4428, both of which have been abused as zero-days prior to them being addressed by Ivanti in May 2025.

While CVE-2025-4427 concerns an authentication bypass that allows attackers to access protected resources, CVE-2025-4428 enables remote code execution. As a result, the two flaws could be chained to execute arbitrary code on a vulnerable device without authentication.

According to CISA, the threat actors gained access to server running EPMM by combing the two vulnerabilities around May 15, 2025, following the publication of a proof-of-concept (PoC) exploit.

This permitted the attackers to run commands that made it possible to collect system information, download malicious files, list the root directory, map the network, execute scripts to create a heapdump, and dump Lightweight Directory Access Protocol (LDAP) credentials, the agency added.

Further analysis determined that the cyber threat actors dropped two sets of malicious files to the "/tmp" directory, each of which enabled persistence by injecting and running arbitrary code on the compromised server:

*   **Set 1** - web-install.jar (aka Loader 1), ReflectUtil.class, and SecurityHandlerWanListener.class
*   **Set 2** - web-install.jar (aka Loader 2) and WebAndroidAppInstaller.class

Specifically, both sets contain a loader which launches a malicious compiled Java class listener that intercepts specific HTTP requests and processes them to decode and decrypt payloads for subsequent execution.

"ReflectUtil.class manipulates Java objects to inject and manage the malicious listener SecurityHandlerWanListener in Apache Tomcat," CISA said. "\[SecurityHandlerWanListener.class\] malicious listener that intercepts specific HTTP requests and processes them to decode and decrypt payloads, which dynamically create and execute a new class."

WebAndroidAppInstaller.class, on the other hand, works differently by retrieving and decrypting a password parameter from the request using a hard-coded key, the contents of which are used to define and implement a new class. The result of the execution of the new class is then encrypted using the same hard-coded key and generates a response with the encrypted output.

The end result is that it allows the attackers to inject and execute arbitrary code on the server, enabling follow-on activity and persistence, as well as exfiltrate data by intercepting and processing HTTP requests.

To stay protected against these attacks, organizations are advised to update their instances to the latest version, monitor for signs of suspicious activity, and implement necessary restrictions to prevent unauthorized access to mobile device management (MDM) systems.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

CISA Warns of Two Malware Strains Exploiting Ivanti EPMM CVE-2025-4427 and CVE-2025-4428

Snipe-IT before 8.1.18 allows unsafe deserialization.

GHSA-phwj-fgch-xvrj: Snipe-IT allows unsafe deserialization

GHSA-c9wp-pr7f-hfqm: Snipe-IT allows XSS

More than a dozen elected officials were arrested in or around 26 Federal Plaza in New York City, where ICE detains people in what courts have ruled are unsanitary conditions.

Police arrested more than a dozen New York state and city elected officials Thursday at 26 Federal Plaza, the Manhattan immigration court and an Immigration and Customs Enforcement (ICE) field office, many as they pressed to gain access to the building’s 10th-floor lockup, where recent court rulings—including a temporary restraining order—directed ICE not to cram immigrants into overcrowded, unsanitary conditions.

The lawmakers and other officials, arrested around 3:45 pm local time, say they were “attempting to conduct oversight” following claims that people appearing for court hearings were being confined for hours or days without proper food, medical care, or contact with attorneys.

A spokesperson for New York City comptroller Brad Lander’s office told WIRED by phone that Lander and 10 other elected officials were denied access and then arrested while “engaged in an action on the 10th floor of 26 Federal Plaza, where ICE inhumanely detains thousands of immigrant New Yorkers.” Lander was previously arrested at the same facility in June while accompanying a migrant man whom ICE targeted with arrest.

A joint press release issued by New York officials in the aftermath lists the electeds among those arrested:

*   NYC comptroller Brad Lander
*   State senator Julia Salazar
*   State senator Jabari Brisport
*   State senator Gustavo Rivera
*   Assembly member Robert Carroll
*   Assembly member Emily Gallagher
*   Assembly member Jessica Gonzalez-Rojas
*   Assembly member Marcela Mitaynes
*   Assembly member Claire Valdez
*   Assembly member Tony Simone
*   Assembly member Steven Raga
*   Public advocate Jumaane Williams
*   Assembly member Phara Souffrant-Forrest
*   Council member Sandy Nurse
*   Council member Tiffany Caban

At least some officials, according to Lander’s office, had been released at the time of writing. The final four on the list were arrested outside the facility, reportedly by the New York City Police Department. Dozens of New Yorkers who had gathered, holding signs and chanting “ICE out of NY,” were also arrested, officials said. A follow-up demonstration was planned for 6 pm ET at Foley Square, a longtime rallying point for immigrant rights protests in the heart of Manhattan’s Civic Center neighborhood.

Comptroller Brad Lander joins local elected officials inside lower Manhattan’s federal building, demanding access to an Immigration and Customs Enforcement holding area on the building’s 10th floor.

Photograph: Spencer Platt; Getty Images

Neither the Department of Homeland Security nor ICE immediately responded to a request for comment. Reached by phone, a New York Police Department spokesperson declined to comment because “the incident is ongoing.”

Under federal law, members of Congress have explicit authority to inspect immigration detention facilities, including conducting unannounced visits. State and city lawmakers don’t have that authority and must rely on DHS or ICE to approve such requests. The Trump administration has instituted new policies, such as mandating advance notice and designating certain field offices and short-term sites off-limits, that have blocked or delayed congressional oversight visits in recent months.

Federal judges and civil rights groups have zeroed in on the conditions inside 26 Federal Plaza. This summer, a federal court issued a preliminary injunction against the government after allegations surfaced that the facility’s detainees were being crammed into severely overcrowded rooms and made to sleep on bare floors and were denied food, hygiene, and confidential access to their lawyers.

The problems echo a broader pattern across the US, where watchdogs and courts have flagged overcrowding, poor sanitation, and blocked access to counsel in ICE facilities from Arizona to Louisiana.

Advocates say some of the most jarring overcrowding is happening on 26 Federal Plaza’s 10th floor, where detainees have estimated that between 70 and 90 people have been crammed into rooms measuring roughly 215 square feet. That would leave each person with roughly the space of a doormat—less room than a folded bath towel—in an area no bigger than a studio apartment kitchen.

The arrests came as part of a coordinated action by progressive Democrats, timed to amplify demands for Albany to reconvene and pass the New York for All Act. The bill would bar state and local agencies, including police and sheriffs, from sharing information or resources with ICE, aiming to stop what lawmakers describe as abductions of immigrants at court hearings and check-ins. Along with New York City Council’s proposed Trust Act—which would let people sue if city agencies unlawfully cooperate with ICE—the legislation is essential, Democrats say, to defend due process and prevent local governments from becoming de facto extensions of ICE.

Dozens of anti-Immigration and Customs Enforcement protesters are arrested after refusing to leave the Jacob K. Javits Federal Building on September 18, 2025, in New York City.

Photograph: Spencer Platt; Getty Images

"The criminalization, demonization, and state-sponsored violence against immigrants in this country has reached a fever pitch under this administration. All of us, and especially elected leaders, must do more to protect New Yorkers, regardless of when they arrived,” Assembly member Emily Gallagher, a Democrat who represents parts of Brooklyn, said in a statement.

Many elected officials have been arrested while protesting the Trump administration’s immigration enforcement tactics. Among others, in June, Senator Alex Padilla of California was handcuffed after challenging Homeland Security secretary Kristi Noem at a Los Angeles press conference, and in May, Newark mayor Ras Baraka was arrested outside a federal detention center during an attempted oversight visit.

In a statement, Yasmine Farhang, executive director of the Immigrant Defense Project, applauded the lawmakers’ actions Thursday, accusing the US government of “egregious abuses of power,” and imploring New York governor Kathy Hochul to use her clemency powers to shield migrants dealing with overlapping punishments from the courts and immigration authorities.

“New York leaders cannot let this cruelty go unchecked,” she said. “The moment to act is NOW.”

_Additional reporting by Andrew Couts._

These Are the 15 New York Officials ICE and NYPD Arrested in Manhattan

Now, especially in a very competitive environment, it is essential to make your name shine. Enterprise SEO solutions…

Now, especially in a very competitive environment, it is essential to make your name shine. Enterprise SEO solutions are crucial for boosting brand authority. Search engine optimisation (SEO) helps to attract more traffic to your content and build your business’s credibility to establish a strong foothold. In this post, we will discuss how these solutions help build brand authority and why you need them.

****The Fundamentals of Enterprise SEO****

Enterprise SEO is the process of optimising websites for complex organisations (depending on size or structure). It aims to rank multiple pages higher on search engines. However, enterprise SEO solutions consider the individual needs of larger organisations, whereas traditional SEO often focuses on smaller businesses. It comprises working in multiple domains or millions of pages and being in sync with your corporation’s objectives.

****Enhancing Online Visibility****

One of the biggest advantages of enterprise SEO is that it improves your business’s visibility online. Proper content optimisation with relevant keywords will ensure that a business website is ranked mostly at the top of the search results. This creates exposure and trust with potential customers. A brand appearing frequently in user searches creates a positive association and strengthens brand recognition.

****Building Trust and Credibility****

A brand’s content authority depends on trust and credibility. Enterprise SEO solutions assist in establishing this with relevant, valuable, and authoritative content. Posting high-quality content that answers users’ queries positions your brand as a reputable source. Search engines prioritise content like this, pushing it even higher in the rankings and visibility.

****Optimising User Experience****

Providing a high-quality user experience is vital for brand authority. Enterprise SEO improves website speed, mobile friendliness, and user navigation. A seamless experience encourages users to stay focused on the site and lessens bounce rates. Happy visitors are more likely to become repeat customers, enhancing brand credibility.

****Content Strategy and Creation****

Content lies at the centre of any SEO strategy. Enterprise search engine optimisation focuses on creating a content strategy aligned with business goals. This strategy involves researching topics that interest the audience and enjoyably providing quality content. Regularly putting out new updates/content ensures the audience keeps coming back for more.

****Leveraging Analytics for Improvement****

Analytics are a key component of enterprise SEO. With proper data analysis, businesses can find the room for improvement and change their strategies accordingly. By knowing what users like and dislike, how they behave, and what trending topics are in their world, content created can be much more focused. Continuously iterating and improving, thus keeping the brand on top of the game via a data-backed approach.

****Local SEO for Global Brands****

Many organisations are considered big and operate in more than one region. Enterprise SEO also includes local SEO, and you want potential customers to see you in specific areas. Optimised content for local audiences can help businesses connect with different customer bases. It enhances brand authority by showing that the company understands regional needs and preferences.

****Adapting to Algorithm Changes****

Search engines regularly update their algorithms, influencing rankings. Enterprise SEO solutions require keeping up with this and adjusting strategies. By being proactive, Businesses can retain their positions while continuing to build authority. This flexibility is vital for long-term success and staying relevant in the competition.

****Collaboration Across Departments****

This means enterprise SEO is not just a one- or two-person job; you must coordinate across departments. It also requires the collective efforts of marketing, IT, and content teams for overall strategic orientation. Such collaboration encourages innovation and efficiency and brings better results. Having an all-in-one strategy not only improves the brand’s authority but also ensures that every element of the business is in accordance with the goals of SEO.

Enterprise SEO Solutions are needed to enhance brand authority. Businesses leveraging visibility, credibility, and convenience through local SEO will strengthen their market share. This can be amplified even further with strategic content, analytics, and local SEO. Partnership and flexibility are the key factors for organisations to maintain their success and authenticity. Accepting enterprise SEO is more than a method; it is a pledge to excellence and market leadership.

(Image by Werner Moser from Pixabay)

How Enterprise SEO Solutions Improve Brand Authority

A pair of flaws in Microsoft's Entra ID identity and access management system could have allowed an attacker to gain access to virtually all Azure customer accounts.

As businesses around the world have shifted their digital infrastructure over the last decade from self-hosted servers to the cloud, they’ve benefitted from the standardized, built-in security features of major cloud providers like Microsoft. But with so much riding on these systems, there can be potentially disastrous consequences at a massive scale if something goes wrong. Case in point: Security researcher Dirk-jan Mollema recently stumbled upon a pair of vulnerabilities in Microsoft Azure’s identity and access management platform that could have been exploited for a potentially cataclysmic takeover of all Azure customer accounts.

Known as Entra ID, the system stores each Azure cloud customer’s user identities, sign-in access controls, applications, and subscription management tools. Mollema has studied Entra ID security in depth and published multiple studies about weaknesses in the system, which was formerly known as Azure Active Directory. But while preparing to present at the Black Hat security conference in Las Vegas in July, Mollema discovered two vulnerabilities that he realized could be used to gain global administrator privileges—essentially god mode—and compromise every Entra ID directory, or what is known as a “tenant.” Mollema says that this would have exposed nearly every Entra ID tenant in the world other than, perhaps, government cloud infrastructure.

“I was just staring at my screen. I was like, ‘No, this shouldn’'t really happen,’” says Mollema, who runs the Dutch cybersecurity company Outsider Security and specializes in cloud security. “It was quite bad. As bad as it gets, I would say.”

“From my own tenants—my test tenant or even a trial tenant—you could request these tokens and you could impersonate basically anybody else in anybody else’s tenant,” Mollema adds. “That means you could modify other people's configuration, create new and admin users in that tenant, and do anything you would like.”

Given the seriousness of the vulnerability, Mollema disclosed his findings to the Microsoft Security Response Center on July 14, the same day that he discovered the flaws. Microsoft started investigating the findings that day and issued a fix globally on July 17. The company confirmed to Mollema that the issue was fixed by July 23 and implemented extra measures in August. Microsoft issued a CVE for the vulnerability on September 4.

“We mitigated the newly identified issue quickly, and accelerated the remediation work underway to decommission this legacy protocol usage, as part of our Secure Future Initiative,” Tom Gallagher, Microsoft’s Security Response Center vice president of engineering, told WIRED in a statement. “We implemented a code change within the vulnerable validation logic, tested the fix, and applied it across our cloud ecosystem.”

Gallagher says that Microsoft found “no evidence of abuse” of the vulnerability during its investigation.

Both vulnerabilities relate to legacy systems still functioning within Entra ID. The first involves a type of Azure authentication token Mollema discovered known as Actor Tokens that are issued by an obscure Azure mechanism called the “Access Control Service.” Actor Tokens have some special system properties that Mollema realized could be useful to an attacker when combined with another vulnerability. The other bug was a major flaw in a historic Azure Active Directory application programming interface known as “Graph” that was used to facilitate access to data stored in Microsoft 365. Microsoft is in the process of retiring Azure Active Directory Graph and transitioning users to its successor, Microsoft Graph, which is designed for Entra ID. The flaw was related to a failure by Azure AD Graph to properly validate which Azure tenant was making an access request, which could be manipulated so the API would accept an Actor Token from a different tenant that should have been rejected.

“Microsoft built security controls around identity like conditional access and logs, but this internal impression token mechanism bypasses them all,” says Michael Bargury, the CTO at security firm Zenity. “This is the most impactful vulnerability you can find in an identity provider, effectively allowing full compromise of any tenant of any customer.”

If the vulnerability had been discovered by, or fallen into the hands of, malicious hackers, the fallout could have been devastating.

“We don't need to guess what the impact may have been; we saw two years ago what happened when Storm-0558 compromised a signing key that allowed them to log in as any user on any tenant,” Bargury says.

While the specific technical details are different, Microsoft revealed in July 2023 that the Chinese cyber espionage group known as Storm-0558 had stolen a cryptographic key that allowed them to generate authentication tokens and access cloud-based Outlook email systems, including those belonging to US government departments.

Conducted over the course of several months, a Microsoft postmortem on the Storm-0558 attack revealed several errors that led to the Chinese group slipping past cloud defenses. The security incident was one of a string of Microsoft issues around that time. These motivated the company to launch its “Secure Future Initiative,” which expanded protections for cloud security systems and set more aggressive goals for responding to vulnerability disclosures and issuing patches.

Mollema says that Microsoft was extremely responsive about his findings and seemed to grasp their urgency. But he emphasizes that his findings could have allowed malicious hackers to go even farther than they did in the 2023 incident.

“With the vulnerability, you could just add yourself as the highest privileged admin in the tenant, so then you have full access,” Mollema says. Any Microsoft service “that you use EntraID to sign into, whether that be Azure, whether that be SharePoint, whether that be Exchange—that could have been compromised with this.”

This Microsoft Entra ID Vulnerability Could Have Been Catastrophic

SonicWall is urging customers to reset credentials after their firewall configuration backup files were exposed in a security breach impacting MySonicWall accounts.
The company said it recently detected suspicious activity targeting the cloud backup service for firewalls, and that unknown threat actors accessed backup firewall preference files stored in the cloud for less than 5% of its

Data Breach / Network Security

SonicWall is urging customers to reset credentials after their firewall configuration backup files were exposed in a security breach impacting MySonicWall accounts.

The company said it recently detected suspicious activity targeting the cloud backup service for firewalls, and that unknown threat actors accessed backup firewall preference files stored in the cloud for less than 5% of its customers.

"While credentials within the files were encrypted, the files also included information that could make it easier for attackers to potentially exploit the related firewall," the company said.

The network security company said it's not aware of any of these files being leaked online by the threat actors, adding it was not a ransomware event targeting its network.

"Rather this was a series of brute-force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors," it noted. It's currently not known who is responsible for the attack.

As a result of the incident, the company is urging customers to follow the steps below -

*   Login to MySonicWall.com and verify if cloud backups are enabled
*   Verify if affected serial numbers have been flagged in the accounts
*   Initiate containment and remediation procedures by limiting access to services from WAN, turning off access to HTTP/HTTPS/SSH Management, disabling access to SSL VPN and IPSec VPN, reset passwords and TOTPs saved on the firewall, and review logs and recent configuration changes for unusual activity

In addition, affected customers have also been recommended to import fresh preferences files provided by SonicWall into the firewalls. The new preferences file includes the following changes -

*   Randomized password for all local users
*   Reset TOTP binding, if enabled
*   Randomized IPSec VPN keys

"The modified preferences file provided by SonicWall was created from the latest preferences file found in cloud storage," it said. "If the latest preferences file does not represent your desired settings, please do not use the file."

The disclosure comes as threat actors affiliated with the Akira ransomware group have continued to target unpatched SonicWall devices for obtaining initial access to target networks by exploiting a year-old security flaw (CVE-2024-40766, CVSS score: 9.3).

Earlier this week, cybersecurity company Huntress detailed an Akira ransomware incident involving the exploitation of SonicWall VPNs in which the threat actors leveraged a plaintext file containing recovery codes of its security software to bypass multi-factor authentication (MFA), suppress incident visibility, and attempt to remove endpoint protections.

"In this incident, the attacker used exposed Huntress recovery codes to log into the Huntress portal, close active alerts, and initiate the uninstallation of Huntress EDR agents, effectively attempting to blind the organization's defenses and leave it vulnerable to follow-on attacks," researchers Michael Elford and Chad Hudson said.

"This level of access can be weaponized to disable defenses, manipulate detection tools, and execute further malicious actions. Organizations should treat recovery codes with the same sensitivity as privileged account passwords."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

SonicWall Urges Password Resets After Cloud Backup Breach Affecting Under 5% of Customers

Microsoft and Cloudflare have delivered a major blow to the fastest growing Phishing-as-a-Service operation called RaccoonO365.

Microsoft and Cloudflare have disrupted a Phishing-as-a-Service operation, known as RaccoonO365.

The primary goal of RaccoonO365 (or Storm-2246 as Microsoft calls it) was to rent out a phishing toolkit that specialized in stealing Microsoft 365 credentials. They were successful in at least 5,000 cases, spanning 94 countries since July 2024.

The operation provided the cybercriminals’ customers with stolen credentials, cookies, and data which they in turn could use to plunder OneDrive, SharePoint, and Outlook accounts for information to use in financial fraud, extortion, or to serve as initial access for larger attacks.

Roughly an attack would look like this:

*   Emails were sent to victims with an attachment containing a link or QR code.
*   The malicious link led to a page with a simple CAPTCHA. This and other anti-bot techniques were implemented to evade analysis without raising suspicion from the victim.
*   After solving the CAPTCHA, the victim was redirected to a fake Microsoft O365 login page designed to harvest the entered credentials.

RaccoonO365 built its operation on top of legitimate infrastructure in an attempt to avoid detection. Leveraging free accounts, they strategically deployed Cloudflare workers to act as an intermediary layer, shielding their backend phishing servers from direct public exposure.

Reacting to this abuse of its services, Cloudflare teamed up with Microsoft’s Digital Crimes Unit (DCU). Using a court order granted by the Southern District of New York, the DCU seized 338 websites associated with RaccoonO365.

The danger of phishing kits like these is clear. Even non-technical criminals can lease a 30-day plan for $355 (to be paid in cryptocurrency) and get their hands on valid Microsoft O365 credentials. With the latest new feature of the phishing kit, users of the kit can even receive codes for certain multi-factor authentication (MFA) methods.

From there they can move forward to data theft, financial fraud, or even use the credentials to infiltrate an organization to deploy ransomware. And to give you an idea, RaccoonO365 customers were able to send emails to 9,000 targets per day. The suspected leaders of the operation had over 850 members on Telegram and have received at least US$100,000 in cryptocurrency payments.

The takedown of the websites and the attribution to a Nigerian suspect cut off the cybercriminals’ revenue streams, and significantly increased RaccoonO365’s operational costs. Besides that, the main suspect is believed to be the main coder behind the project and his apprehension by international law enforcement is likely to be a major blow to the operation.

Now, RaccoonO365 phishing kit customers can start worrying about how much of their information could be revealed in the aftermath of this disruption.

We’ll keep you posted.

**Don’t fall for phishing attempts**

In the operations run by RaccoonO365 two simple rules could have saved you from lots of trouble.

*   Don’t click on links in unsolicited attachments
*   Check if the website address in the browser matches the domain you expect to be on (eg. Microsoft.com).

Other important tips to stay safe from phishing in general:

*   Verify the sender: Always check if the sender’s email address matches what you would expect it to be. It’s not always conclusive but it can help you spot some attempts.
*   Check through an independent channel if the sender actually sent you an attachment or a link.
*   Use up-to-date security software, preferably with a web protection component.
*   Keep your device and all its software updated.
*   Use multi-factor authentication for every account you can.
*   Use a password manager. Password managers will not auto-fill a password to a fake site, even if it looks like the real deal to you.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Tag

#auth