Email is still the backbone of how businesses communicate, with more than 300 billion messages sent every day.…

Email is still the backbone of how businesses communicate, with more than 300 billion messages sent every day. But this huge volume also makes it one of the easiest ways for cybercriminals to get in. As companies depend more and more on digital communication, strong email security becomes essential.

****Understanding Email Security Threats****

Modern email threats go way beyond basic spam. Today’s attackers use advanced tactics like spear phishing, business email compromise and even zero-day malware. These threats can slip past older security tools and lead to data breaches, financial losses and serious damage to a company’s reputation.

Recent studies indicate that 94% of malware is delivered via email, making it the most common attack vector for cybercriminals. Furthermore, email-based attacks have increased by 67% over the past year, with phishing attempts becoming increasingly sophisticated and difficult to detect through conventional means.

****The Essential Defense: Secure Email Gateways****

A secure email gateway serves as a comprehensive defence mechanism positioned between your organization’s email infrastructure and external email traffic. This critical security layer performs multiple functions simultaneously, including malware detection, spam filtering, data loss prevention, and email encryption.

Unlike simple filters that just block suspicious senders based on reputation, today’s secure email gateways use advanced AI and machine learning to catch new threats as they happen. They check email content, watch for unusual sender behaviour, and inspect attachments to deliver layered protection against both known and unknown attacks.

New ways to block file-based attacks have become a key part of strong email security. Companies like Sasa Software named a ‘Cool Vendor’ by Gartner for its work in cyber-physical security, use advanced Content Disarm and Reconstruction (CDR) technology.

This process cleans risky files by stripping out harmful code but keeps the document usable. It adds an extra layer of protection against zero-day exploits and persistent threats that old signature-based tools often fail to catch.

****Key Features That Define Effective Email Security****

Advanced threat protection is essential for strong email security. This includes real-time link scanning, sandboxing suspicious attachments, and watching for unusual communication patterns that could signal a compromised account or a social engineering attempt.

Content filtering and data loss prevention features ensure that sensitive information remains protected during transmission. These capabilities automatically identify and classify confidential data, applying appropriate encryption or blocking unauthorized transmissions based on predefined policies.

Email encryption functionality also provides end-to-end protection for sensitive communications, ensuring that even if messages are intercepted during transmission, the content remains unreadable to unauthorized parties. This feature is particularly important for organizations handling regulated data such as healthcare records, financial information, or legal documents.

****Implementation Considerations for Organizations****

When evaluating email security solutions, organizations must consider scalability, integration capabilities, and user experience impact. The ideal solution should seamlessly integrate with existing email infrastructure while providing comprehensive protection without significantly disrupting normal business operations.

Cloud-based deployment options offer numerous advantages, including reduced infrastructure costs, automatic updates, and global threat intelligence sharing. These solutions can scale dynamically with organizational growth while providing consistent protection across distributed workforces.

Administrative oversight and reporting capabilities enable security teams to monitor threat landscapes, track security incidents, and generate compliance reports required by various regulatory frameworks such as GDPR, HIPAA, or PCI DSS.

****Best Practices for Email Security Implementation****

Successful email security implementation requires a comprehensive approach combining technological solutions with user education and policy development. Regular security awareness training helps employees recognize and report suspicious emails, creating a human firewall that complements technical security measures.

Establishing clear email usage policies and incident response procedures ensures that organizations can respond quickly and effectively when security incidents occur. These policies should address acceptable use guidelines, data handling procedures, and escalation protocols for suspected security breaches.

Regular security assessments and penetration testing help identify potential vulnerabilities in email security configurations, ensuring that protection mechanisms remain effective against evolving threat landscapes.

As cyber threats continue to evolve in sophistication and frequency, implementing a secure email gateway becomes increasingly critical for organizations of all sizes. The cost of a security breach far exceeds the investment required for comprehensive email protection, making robust email security not just a technical necessity but a sound business decision.

Organizations seeking to protect their digital communications should prioritize solutions that offer comprehensive threat protection, seamless integration capabilities, and scalable deployment options. By implementing proper email security measures, businesses can maintain secure communications while enabling productive collaboration in today’s interconnected business environment.

Protecting Your Business Communications: The Critical Role of Secure Email Gateways

This Fourth of July, Bruce, the 25-foot mechanical shark from Jaws, shares how his saltwater struggles mirror the need for real-world cybersecurity stress testing.

Thursday, July 3, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Hi, I’m Bruce, the 25-foot mechanical star of “Jaws.”  

This summer marks 50 years since my 4 minutes of screentime kept people out of the water for decades. Maybe this Fourth of July weekend you’re planning to sea-shanty your way to a special screening? If you do, here’s a little behind-the-scenes story on how my endless malfunctions almost made Spielberg hang up his director hat before you could say “phone home.” 

I was built for a studio tank — a predictable and safe environment. But Spielberg, in pursuit of realism, had other plans. He threw me into the Atlantic, where the salt water, rolling waves and unruly weather conditions caused more chaos than anybody had bargained for. 

Each day, my hydraulics jammed, my pneumatics corroded and my paint peeled like a sunburned tourist on Amity Beach.

There were days when the crew could only capture one or two shots before either I broke, the weather broke, or one of the actors’ egos broke. Every night they’d patch me up and whisper an assortment of four-letter words into my rusty gills.

My saving grace became Verna Fields, aka “Mother Cutter.” Spielberg’s editor was the one to suggest they only use fleeting moments of footage starring yours truly. While I bobbed around like a skydancer on a windless day, Verna worked her magic: stitching reactions, cutting away at just the right moment and building tension with empty water. She turned me from a potential failure to a legend. 

And thus, I became a lesson in what happens when you build for a predictable environment but deploy in the wild. Sound familiar? 

I’ve been told that readers of Talos’ Threat Source Newsletter are security folks, and I’ve been asked to write something just for you. Here it goes… 

*   _“You’re gonna need a bigger boat.”_ Overprepare. Expect things to go wrong.  
*   _“It’s only an island if you look at it from the water.”_ Perspective matters. Make sure your alerts are honed to spot the things that really matter. 
*   _“Smile, you son of a…”_ Sometimes, your last line of defense is your defining moment. Should everything else fail, make sure you have something left in the tank. 

In cybersecurity, your green ticked audit checklists mean nothing if you haven’t pressure-tested your environment against real red teamers. Incident response plans need ocean trials, not just bullet points. 

If I have a legacy beyond people sticking their noggin in my teeth for “the gram,” it’s this: Build your defenses for salt water, not studio tanks. And remember, the mayor always wants to keep the network open... 

_Editor’s note: I’d like to thank Bruce for his time and perspective, and I hope he found our studio a relaxing place to write. I’m also sorry that I only had two barrels and not the requested three for him to play with._ 

_Bruce’s story is why_ _Cisco Talos Incident Response_ _exists: to help you prepare for the effects of salt water before they wreak havoc on your system. With Talos IR, you can stress test your defenses using real world scenarios and incident responders who’ve experienced just about everything there is to see._ 

_Enjoy the Fourth of July weekend, and remember to listen out for the_ duh dun.

**The one big thing **

Cisco Talos has enhanced its email threat detection engine to address brand impersonation tactics using PDF payloads in phishing attacks. These attacks often exploit popular brands to steal sensitive information, employing methods like QR code phishing and telephone-oriented attack delivery (TOAD), where victims are tricked into calling adversary-controlled phone numbers. Adobe’s e-signature service and PDF annotations have also been abused to bypass detection systems. 

**Why do I care? **

Phishing attacks are getting sneakier, using PDFs and trusted brands to trick people into giving up personal info or downloading malicious software. If you're not careful, you could fall for one of these scams, especially since attackers are using clever tactics like fake phone numbers or QR codes to seem legitimate. 

**So now what? **

Be extra cautious with emails containing PDFs, even if they look legit. Avoid scanning QR codes or calling phone numbers from unsolicited emails. Cisco’s detection tools are updated often, but staying vigilant and double-checking anything suspicious is your best defense.

**Top security headlines of the week **

**Europol Dismantles $540 Million Cryptocurrency Fraud Network, Arrests Five Suspects**   
The international effort, codenamed Operation Borrelli was carried out by the Spanish Guardia Civil, along with support from law enforcement authorities from Estonia, France, and the United States. (The Hacker News) 

**International Criminal Court hit by new 'sophisticated' cyberattack**   
In a statement yesterday, the ICC revealed that it had contained a "sophisticated and targeted" cybersecurity incident, which was discovered by systems in place to detect cyberattacks targeting its systems. (Bleeping Computer) 

**Windows’ Infamous ‘Blue Screen of Death’ Will Soon Turn Black**   
After more than 40 years of being set against a very recognizable blue, the updated error message will soon be displayed across a black background. (SecurityWeek) 

**Ahold Delhaize Data Breach Impacts 2.2 Million People**   
The incident impacted Giant Food pharmacies, Food Lion and Stop & Shop, among others. Stolen information may include names, contact info, date of birth, SSN, passport number, financial account information and more. (SecurityWeek) 

**Germany asks Google, Apple remove DeepSeek AI from app stores**   
The Berlin Commissioner for Data Protection has formally requested Google and Apple to remove the DeepSeek AI application from the application stores due to GDPR violations. (Bleeping Computer)

**Can’t get enough Talos? **

**Decrement by one to rule them all: AsIO3.sys driver exploitation**   
Learn how our researcher, Marcin Noga, found two critical vulnerabilities in ASUS’ Armory Crate and AI Suite drivers.

**Talos Takes: Teaching LLMs to spot malicious PowerShell scripts**   
Hazel chats with Ryan Fetterman from the SURGe team to explore his new research on how LLMs can assist security operations centers in identifying malicious PowerShell scripts.

**Beers with Talos: Terms and conceptions may apply**  
In this episode, the crew reassembles after a totally intentional and not-at-all accidental hiatus. They cover AI-assisted IVF, a possible underground war against dairy, and the real heroes: conference dogs.

**Upcoming events where you can find Talos **

*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: cd697cc93851d0b1939a7557b9ee9b3c0f56aab4336dd00ff6531f94f7e0e836**   
MD5: c94c094513f02d63be5ae3415bba8031   
VirusTotal: https://www.virustotal.com/gui/file/cd697cc93851d0b1939a7557b9ee9b3c0f56aab4336dd00ff6531f94f7e0e836/details  
Typical Filename: setup   
Claimed Product: N/A   
Detection Name: W32.Variant:Gen.28iv.1201 

**SHA 256: 57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536**   
MD5: 79b075dc4fce7321f3be049719f3ce27   
VirusTotal: https://www.virustotal.com/gui/file/57a6d1bdbdac7614f588ec9c7e4e99c4544df8638af77781147a3d6daa5af536/details   
Typical Filename: RemCom.exe   
Claimed Product: N/A   
Detection Name: W32.57A6D1BDBD-100.SBX.VIOC 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe    
Claimed Product: N/A   
Detection Name: Simple\_Custom\_Detection   

**SHA 256: 061e13a4fc9f1d4da0671082d5e4666f316bb251f13eded93f9cdb4a584d0bc0**   
MD5: 8d74e04c022cadad5b05888d1cafedd0  
VirusTotal: https://www.virustotal.com/gui/file/061e13a4fc9f1d4da0671082d5e4666f316bb251f13eded93f9cdb4a584d0bc0/details  
Typical Filename: smhost.exe   
Claimed Product: N/A   
Detection Name: Artemis:Lazy.27fx.in14.Talos

**SHA 256: 2eb95ef4c4c24f1e38a5c8b556d78b71c8a8fb2589ed8c5b95e9d18659bde293**  
MD5: N/A  
VirusTotal: N/A, use https://talosintelligence.com/sha\_searches  
Typical Filename: N/A  
Claimed Product: N/A  
Detection Name: W32.2EB95EF4C4-100.SBX.TG

A message from Bruce the mechanical shark

Customs and Border Protection is asking companies to pitch tools for performing deep analysis on the contents of devices seized at the US border.

United States Customs and Border Protection (CBP) is asking tech companies to pitch digital forensics tools that are designed to process and analyze text messages, pictures, videos, and contacts from seized phones, laptops, and other devices at the United States border, according to documents reviewed by WIRED.

The agency said in a federal registry listing that the tools it’s seeking must have very specific capabilities, such as the ability to find a “hidden language” in a person’s text messages; identify specific objects, “like a red tricycle,” across different videos; access chats in encrypted messaging apps; and “find patterns” in large datasets for “intel generation.” The listing was first posted on June 20 and updated on July 1.

CBP has been using Cellebrite to extract and analyze data from devices since 2008. But the agency said that it wants to “expand” and modernize its digital forensics program. Last year, CBP claims, it did searches on more than 47,000 electronic devices—which is slightly higher than the approximately 41,500 devices it searched in 2023 but a dramatic rise from 2015, when it searched just more than 8,500 devices.

The so-called request for information (RFI) comes amid a string of reports of CBP detaining people entering the US, sometimes questioning them about their travel plans or political beliefs, and at times collecting and searching their phones. In one high-profile incident in March, a Lebanese professor at Brown University’s medical school was sent back to Lebanon after authorities searched her phone and alleged she was “sympathetic” to the former Hezbollah leader Hassan Nasrallah, who was assassinated in September 2024.

In the RFI, CBP said that the digital forensics vendor it chooses will sign a contract in the third fiscal quarter of 2026, which runs from April through June. CBP has eight active contracts for Cellebrite software, licenses, equipment, and training—worth more than $1.3 million in total—that will end between July 2025 and April 2026. CBP appears to use tools other than Cellebrite. The agency said in the recent listing that it uses “a wide variety of digital data extraction tools,” but it doesn’t name these tools.

CBP did not respond to requests for comment. Cellebrite spokesperson Victor Cooper tells WIRED that the company is “unable to comment on active requests for information proposals.”

Three federal contract listings mention that CBP pays for Cellebrite’s Universal Forensic Extraction Device 4PC, software designed to analyze data on a user’s existing PC or laptop. The listing for the “license renewal” doesn’t mention a specific product but may be referring to the Investigative Digital Intelligence Platform, which is Cellebrite’s “end-to-end” suite of tools of analyzing data from devices.

Across Cellebrite’s intelligence platform, users have a wide range of capabilities. It can sort images based on whether they contain certain elements, like jewelry, handwriting, or documents. It can also go through text messages, as well as direct messages on apps like TikTok, and filter out messages that mention certain topics, like evidence obstruction, family, or the police. Users can also unveil photos “hidden” by a device owner, make social maps of friends and contacts, and plot the locations where a person sent text messages.

A blog on Cellebrite’s website about the January 6 insurrection cites a Washington Post report claiming that Cellebrite produced “more than 12,000 pages of data,” “2,600 pages of Facebook records,” and 800 photos and videos from a single person. (On his first day in office, President Trump gave clemency to every person who was charged in connection to actions on January 6, which amounted to nearly 1,600 people.)

Cellebrite also has a controversial history. The company launched a tool in February that lets customers use AI to summarize chat logs and audio from phones. In December, Amnesty International claimed in a report that Serbian police had confiscated a journalist’s phone, used Cellebrite to extract data from it, and then used it to infect the phone with malware. Cellebrite said in February it would limit the use of some of its technology in Serbia.

For its part, Cellebrite says in a “fact” page on its website that it “has strict licensing policies and restrictions” for customers, and that before it sells to anyone, it considers “a potential customer’s human rights record and anti-corruption policies.” The company also says that it “vigorously supports the democratic ideals of freedom of speech and freedom of the press.”

“We do not condone the use of Cellebrite’s solutions to access the personal information of journalists, activists or others who are working against the interests of repressive regimes and doing so outside the bounds of a legally sanctioned investigation expressly violates the terms of our licensing agreements,” Cellebrite says on the fact page.

Legally, CBP has the authority to search anyone’s phone at the US border without a warrant. If a person refuses to hand over their password, US citizens can remain in custody temporarily, but can’t be denied entry. However, non-citizens may be denied entry if they refuse.

If border patrol officers have the password to someone’s phone, they can conduct a “basic search” and manually scroll through the phone on the spot. However, officers may then choose to download the entirety of a phone's data, or keep it to conduct an “advanced search,” at which point digital forensic tools like Cellebrite may be used. Of the approximately 47,000 device searches Customs and Border Patrol conducted in 2024, about 4,200 of them were advanced searches.

CBP has the right to keep a phone for several days to conduct an advanced search, but if the agency cites “extenuating circumstances,” it could have the phone for weeks or months. CBP says that when it takes data from a device, it may be shared with “other agencies” or with “other federal, state, local, and foreign law enforcement agencies.” CBP also has the right to store the data in its Automated Targeting System, which it uses to determine if someone presents a risk of terrorism or criminal activity, for up to 15 years.

CBP Wants New Tech to Search for Hidden Data on Seized Phones

A mobile ad fraud operation dubbed IconAds that consisted of 352 Android apps has been disrupted, according to a new report from HUMAN.
The identified apps were designed to load out-of-context ads on a user's screen and hide their icons from the device home screen launcher, making it harder for victims to remove them, per the company's Satori Threat Intelligence and Research Team. The apps have

Massive Android Fraud Operations Uncovered: IconAds, Kaleidoscope, SMS Malware, NFC Scams

The “El Chapo” Mexican drug cartel snooped on FBI personnel through hacked cameras, and listened in on their phone calls to...

The “El Chapo” Mexican drug cartel snooped on FBI personnel through hacked cameras, and listened in on their phone calls to identify and kill potential witnesses, the US Department of Justice has said. And seven years on, the Bureau’s defenses against this kind of surveillance are still inadequate.

The findings came to light in a June 2025 report from the DoJ’s Inspector General. It identifies a threat that it calls ubiquitous technical surveillance (UTS), in which an attacker combines different kinds of data to build up a detailed profile of a subject. This links the subject to event, locations, and things.

The report highlights several ways in which bad actors can snoop on the FBI:

*   Visual and physical imagery (for example, photographing people)
*   Interception of electronic signals like phone calls
*   Analysis of financial transaction data
*   Checking travel bookings
*   Monitoring their online presence

“Some within the FBI and partner agencies, such as the Central Intelligence agency (CIA), have described this threat as ‘existential’,” warned the report.

The document details just how damaging this type of surveillance can be. It explains that the Sinaloa drug cartel, operated by infamous drug lord Joaquín “El Chapo” Guzmán, had hired a black hat operator to target the FBI. The criminal offered “a menu of services related to exploiting mobile phones and other electronic devices”, said an informant who told the Bureau about it in 2018.

The black hat spied on people entering and leaving the US Embassy in Mexico City and identified people that the cartel would be interested in. These included the FBI Assistant Legal Attache (ALAT), the report explained. The document continues:

> “Using the ALAT’s phone number the hacker was able to see calls made and received, as well as obtain the ALAT’s geolocation data. According to the FBI, in addition to compromising the ALAT’s phone, the hacker also accessed Mexico City’s camera system, used the cameras to follow the ALAT through the city, and identified people the ALAT met with. According to the case agent, the cartel used that information to intimidate and/or kill potential sources or cooperating witnesses.”

**Much work still to do**

Drug cartels are powerful organizations and it’s a scary thought that they’d be able to infiltrate an institution as hardened as the FBI. But the Bureau must surely have this in hand, right?

Not so fast. The Inspector General had already found some worrying shortcomings in the Bureau’s defenses against UTS, warning the FBI that it was “disjointed and inconsistent” in 2022. The Bureau responded by classifying UTS as a Tier 1 Enterprise Risk that year. It recruited a ‘red team’ of analysts to identify UTS vulnerabilities and suggest mitigating measures, but the gap analysis the team submitted was a single-page nothingburger, per the Inspector General’s report, and not adequate to protect the Bureau. It only covered three of six expected vulnerability categories.

The red team had been given a prior far more detailed analysis called ‘Anatomy of a Case’ by the Bureau’s Counterintelligence Division but didn’t include these findings. The FBI later said that this was just an outline and is now going back over the two documents.

The Bureau has also proposed a strategic plan to handle UTS, but an early outline of that strategy doesn’t identify who has the authority to run it. “We are also concerned that the forthcoming strategy will not adequately create clear lines of authority when the FBI must respond to UTS-related security incidents,” the report said, adding that the plan’s measures “do not provide a sufficiently clear, actionable long-term approach to address the UTS threat.”

The US had captured and imprisoned Guzmán several times but he kept escaping. Authorities recaptured him in 2016 and extradited him to the US the following year. He was sentenced to life imprisonment in 2019.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Drug cartel hacked cameras and phones to spy on FBI and identify witnesses 

ANSSI report details the Chinese UNC5174 linked Houken cyberattack using Ivanti zero-days (CVE-2024-8190, 8963, 9380) against the French government, defence and finance sector.

In a report published by ANSSI on July 1, 2025, the French cybersecurity agency revealed a highly skilled cybercrime group, dubbed Houken, has carried out a sophisticated attack campaign exploiting multiple zero-day vulnerabilities (CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380) in Ivanti Cloud Service Appliance (CSA) devices.

This group, believed to be linked to the Chinese threat actor UNC5174, infiltrated high-value targets across France. Affected sectors included government bodies, defence organizations, telecommunications providers, financial institutions, media outlets, and transport networks.

The attacks were first observed in September 2024, targeting French entities seeking initial access to their networks. These zero-day vulnerabilities, meaning they were unknown to Ivanti and the public until exploited, allowed the attackers to remotely execute code on vulnerable devices.

ANSSI’s investigation revealed that this group uses complex tools like a specialized rootkit, specifically a kernel module named sysinitd.ko and a user-space executable sysinitd, but also rely on many open-source tools often created by Chinese-speaking developers.

After gaining initial access through Ivanti CSA devices, Houken hackers also performed reconnaissance and moved laterally within victim networks, even compromising other devices such as F5 BIG-IP.

ANSSI suspects that Houken hackers act as an initial access broker. This means they gain a foothold in sensitive systems, possibly to sell access to other groups interested in deeper spying activities.

While their main goal seems to be selling access for intelligence, ANSSI also saw one instance of data theft and attempts to install cryptocurrency miners, suggesting they sometimes look for direct financial gain.

The Houken group has a broad range of targets beyond France, including organizations in Southeast Asia and Western countries. Their activities, including observations of their operational hours, align with China Standard Time (UTC+8). To conceal their operations, the group utilized a diverse attack infrastructure, including commercial VPN services, dedicated servers, and even residential or mobile IP addresses.

Source: ANSSI

The links between Houken and UNC5174, a group previously described by Mandiant, are strong as both groups exhibit similar behaviours, such as creating specific user accounts and, notably, patching vulnerabilities after exploitation.

What makes this campaign particularly noteworthy is the cunning move by the attackers: they patched the very vulnerabilities they used to get in. Garrett Calpouzos, Principal Security Researcher at Sonatype, noted in his comment shared with Hackread.com that this is “a tactic we’re seeing more frequently among advanced threat actors.” By fixing the flaw after their entry, Houken phackers revented other hacking groups from using the same weak spots, helping them stay hidden longer. This suggests a desire for continued, undetected access to their targets._“_

Calpouzos emphasized the importance of securing internet-facing systems, especially with “remote code execution (RCE) vulnerabilities.” He also highlighted that these incidents underscore “unique risks facing high-value targets such as government agencies, which often struggle to act quickly due to bureaucratic hurdles.”

The Houken group remains active, and experts expect them to continue targeting internet-exposed devices worldwide.

China Linked Houken Hackers Breach French Systems with Ivanti Zero Days

The Scattered Spider hacking group has caused chaos among retailers, insurers, and airlines in recent months. Researchers warn that its flexible structure poses challenges for defense.

Empty grocery store shelves and grounded planes tend to signal a crisis, whether it’s an extreme weather event, public health crisis, or geopolitical emergency. But these scenes of chaos in recent weeks in the United Kingdom, United States, and Canada were caused instead by financially motivated cyberattacks—seemingly perpetrated by a collective of joyriding teens.

A notorious cybercriminal group often called Scattered Spider is known for using social engineering techniques to infiltrate target companies by tricking IT help desk workers into granting them system access. Researchers say that the group seems to gain expertise about the backend systems commonly used by businesses in a particular industry and then uses this knowledge to hit a cluster of targets before moving on to another sector. The group often deploys ransomware or conducts data extortion attacks once it has compromised its victims.

Amid increasing pressure from law enforcement last year, which culminated in charges and arrests of five suspects allegedly linked to Scattered Spider, researchers say that the group was less active in 2024 and seemed to be attempting to lay low. The group’s escalating attacks in recent weeks, though, have shown that, far from being defeated, Scattered Spider is emboldened once again.

“There are some uniquely skilled actors in Scattered Spider when it comes to social engineering, and they have identified a major gap in our security systems that they’re successfully taking advantage of,” says John Hultquist, chief analyst in Google’s threat intelligence group. “This group is carrying out serious attacks on our critical infrastructure, and I hope that we’re not missing the opportunity to address the most imminent threat.”

Though a number of incidents have not been publicly attributed, an overwhelming spree of recent attacks on UK grocery store chains, North American insurers, and international airlines has broadly been tied to Scattered Spider. In May, the UK’s National Crime Agency confirmed it was looking at Scattered Spider in connection to the attacks on British retailers. And the FBI warned in an alert on Friday that it has observed “the cybercriminal group Scattered Spider expanding its targeting to include the airline sector.” The warning came as North American airlines Westjet and Hawaii Airlines said they had been victims of cybercriminal hacks. On Wednesday, the Australian airline Qantas also said it had been hit with a cyberattack, though it was not immediately clear if this attack was part of the group’s campaign.

“They slowed down, and we saw them dissipate for a while throughout 2024,” says Adam Meyers, a senior vice president for counter-adversary operations at the security company CrowdStrike. “Then they’ve roared back in the last couple of months, first hitting retail and then hitting insurance companies and most recently targeting airlines.”

Scattered Spider first emerged as a high-profile group toward the end of 2023 as its members moved from SIM swapping attacks to launching crippling ransomware attacks on Caesar’s Entertainment and MGM Resorts. The latter cost MGM around $100 million to recover from. Researchers emphasize that the collective is financially motivated, made up of mostly English-speaking teenagers and young men who are often based in the US or UK. The Scattered Spider hackers are considered an offshoot of the Com, an amorphous network of potentially thousands of trolls and criminals, many of whom engage in harassment, extortion, and child exploitation.

Scattered Spider members have increasingly coalesced around a tactic of using targeted social engineering to get a foothold inside company networks. Attackers may impersonate a staff member who is locked out of their company email account and contact the firm’s IT help desk to get access, before resetting multifactor authentication credentials. Researchers say that the group has also used a tactic of creating convincing phishing websites where the URLs often include the name of the target organization along with words like “okta,” “vpn” or “helpdesk.” Once inside networks, the hackers deploy various types of ransomware or steal data that is used to extort companies.

Meyers says Crowdstrike believes that Scattered Spider has roughly four core members, which drive the targeting of potential victims and “leverage” resources from the wider Com ecosystem as needed. The exact structure and size of Scattered Spider is unclear, but researchers agree that the group relies on an array of third-party services to carry out its attacks.

“Deterrence is extremely difficult because we’re essentially fighting a marketplace where a lot of the actors are replaceable,” Google’s Hultquist says. “For instance, Scattered Spider has worked with multiple ransomware services, so if one goes down there’s always someone to replace them.”

Aiden Sinnott, a senior threat researcher at cybersecurity company Sophos’ Counter Threat Unit, says that Scattered Spider and the Com more broadly are connected through relationships and communities on Discord servers or Telegram groups. “It’s this kind of evolving group where maybe new younger threat actors are coming in,” Sinnott says. “You can see this natural escalation progression as they learn skills of each other, and they're very big on sharing their wins as well.”

Some Scattered Spider members may target big-name companies, while others are involved in less high-profile activity. “There are groups, or individuals, who are really focused on hacking Coinbase accounts and stealing crypto and things like that,” Sinnott says. “So they’re not even focused on these big corporate organizations.”

As Hultquist puts it, "the activity is extremely resilient, because instead of fighting a single actor, we’re really fighting a marketplace.”

A Group of Young Cybercriminals Poses the ‘Most Imminent Threat’ of Cyberattacks Right Now

Australian airline Qantas has confirmed a data breach at a third party provider that affects six million customers.

Australia’s largest airline Qantas has confirmed that cybercriminals have gained access to a third party customer servicing platform that contained 6 million customer service records.

Qantas says the breach occurred after a cybercriminal targeted a call centre and managed to gain access to the third party platform, presumably via social engineering.

The airline reassured customers by saying all Qantas systems remain secure, and that there would be “no impact to Qantas’ operations or the safety of the airline. However, Qantas anticipates that a large amount of data has been taken:

> “We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant.”

An initial review has confirmed the data includes:

*   Customers’ names
*   Email addresses
*   Phone numbers
*   Birth dates
*   Frequent flyer numbers

Fortunately, credit card details, personal financial information and passport details were not held in the breached system.

The airline responded quickly by isolating the affected system, notifying customers, and working with the Australian Cyber Security Centre, the Australian Federal Police, and independent cybersecurity experts.

The breach at a third party provider is extra painful since Qantas concluded an uplift of third and fourth-party cyber-risk governance processes in 2024. In a report released at the time, the airline explained:

> “Third- and fourth-party cyber risk involves managing cyber risks from our direct suppliers (third parties) and their suppliers (fourth parties), who can affect our supply chain directly or indirectly through cyber incidents.”

No group has claimed responsibility for the cyberattack yet, which is normal if it is a ransomware attack. But it’s noteable that this weekend the FBI put out a warning on social media about ransomware attacks targeting airlines.

> “The FBI has recently observed the cybercriminal group Scattered Spider expanding its targeting to include the airline sector. These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access. These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts. They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.
> 
> Once inside, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware. The FBI is actively working with aviation and industry partners to address this activity and assist victims. Early reporting allows the FBI to engage promptly, share intelligence across the industry, and prevent further compromise. If you suspect your organization has been targeted, please contact your local FBI office.”

Qantas has set up a dedicated customer support line as well as a web page to provide the latest information to customers. Qantas says it will also continue to update customers via its social channels.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Qantas: Breach affects 6 million people, &#8220;significant&#8221; amount of data likely taken 

A popular social engineering technique returns: callback phishing, or TOAD attacks, which leverage PDFs, VoIP anonymity and even QR code tricks.

Wednesday, July 2, 2025 06:00

*   Cisco recently developed and released an update to its brand impersonation detection engine for emails. This new update enhances detection coverage and includes a wider range of brands that are delivered using PDF payloads (or attachments). 
*   A significant portion of email threats with PDF payloads persuade victims to call adversary-controlled phone numbers, displaying another popular social engineering technique known as Telephone-Oriented Attack Delivery (TOAD), also known as callback phishing.  
*   Talos observed that these threat actors often use Voice over Internet Protocol (VoIP) to remain anonymous. These phone numbers are sometimes reused on consecutive days. Additionally, Talos has identified instances of Adobe platform abuse to deliver PDF attachments to victims in TOAD emails. 
*   Talos plans to collect and gather intelligence around phone numbers as an additional indicator of compromise (IOC). 
*   Talos provides new insights into the use of QR codes and PDF annotations in email threats that impersonate legitimate brands through PDF payloads.

**Brand impersonation via PDF payload **

The portable document format (PDF) is a standard method for sharing information electronically. Files created in other applications (e.g., Microsoft Word) are often converted into this format, which can then be viewed using PDF rendering applications like Adobe Reader, commonly available on most OSs. Thanks to its excellent portability, this file format is widely used for the mass distribution of documents to large audiences. However, in recent months, it has also been exploited for illegitimate purposes, such as brand impersonation. 

Brand impersonation is a social engineering technique that exploits the popularity of well-known brands to persuade email recipients to disclose sensitive information. As discussed in our previous blog, adversaries can deliver brand logos and names to victims using multiple types of payloads. One of the most common methods of delivering brand logos and names is through PDF payloads (or attachments).

In some cases, the entire email, including a brand’s logo, is embedded within a PDF attachment. Figure 1 displays an example of a QR code phishing email that impersonates the Microsoft Corporation brand. The threat actor used an enticing subject line, “Paycheck Increment,” timed strategically during periods when promotions or merit changes are likely to occur in various organizations.

Figure 1. A QR code phishing email impersonating the Microsoft brand.

In other cases, the company’s logo is included in a separate image or PDF attachment and is displayed to the victim as soon as they open the email. Below is an example of a QR code phishing email that impersonates both the Microsoft and Adobe Inc. brands. Figure 2 shows the Adobe logo attached to an email as an image file.

Figure 2. A QR code phishing email impersonating the Microsoft and Adobe brands.

A brand’s logo may not always be present in every brand impersonation attempt. For example, the following phishing email, which impersonates the Adobe brand, does not include any logos.

Figure 3. A phishing email impersonating the Adobe brand.

When the victim clicks on the “View the Attached online here” hyperlink, they are redirected to a phishing page impersonating a Dropbox, Inc. webpage.

Figure 4. Phishing page impersonating Dropbox download page.

Figure 5. The final phishing page of the above email, impersonating the Dropbox brand.

**Telephone-oriented attack delivery (TOAD) **

A significant portion of email threats with PDF payloads persuade victims to call adversary-controlled phone numbers, displaying another popular social engineering technique: telephone-oriented attack delivery (TOAD), also known as callback phishing.  

Victims are instructed to call a specific number in the PDF to resolve an issue or confirm a transaction. Once the victim calls, the attacker poses as a legitimate representative and attempts to manipulate them into disclosing confidential information or installing malicious software on their computer.

Figure 6. Overview of a typical TOAD attack sequence.

Phishing typically involves sending emails or messages with malicious links or attachments that direct the victim to a counterfeit website. Callback phishing, however, does not rely on fake websites or phishing links. Instead, attackers use direct voice communication to exploit the victim's trust in phone calls and the perception that phone communication is a secure way to interact with an organization. Additionally, the live interaction during a phone call enables attackers to manipulate the victim's emotions and responses by employing social engineering tactics. Callback phishing is, therefore, a social engineering technique rather than a traditional email threat.  

Most phone numbers found in email threats leveraging this social engineering technique are Voice over Internet Protocol (VoIP) numbers, as it is significantly harder to trace a VoIP number back to a specific individual or physical location compared to a traditional phone number. Below is an example of a TOAD attack that impersonates the McAfee LLC brand.

Figure 6. A TOAD example impersonating the McAfee brand.

Talos has observed that phone numbers are sometimes reused on consecutive days. This could happen for multiple reasons. First, intelligence about phone numbers is collected and distributed at a slower pace compared to other artifacts like URLs and files. In most cases, phone numbers observed in emails by cybersecurity companies are not shared with third-party reputation services, or vice versa. As a result, these phone numbers often remain under the radar for several days. Second, the reuse of phone numbers provides logistical advantages for scam call centers. It enables consistent contact for multi-stage social engineering attacks, scheduling callbacks, and maintaining a credible "brand" presence with victims. Lastly, phone numbers may be reused to minimize costs, particularly if the VoIP service is not free. The plot below illustrates a case where the number +1-818-675-1874 was used in TOAD emails impersonating Best Buy’s Geek Squad brand for four consecutive days.

Figure 7. An example of phone number reuse (+1-818-675-1874) in TOAD emails on consecutive days.

Talos has also observed several cases of e-signature service abuse on the Adobe platform between April and May 2025. Figure 8 shows an example email that impersonates the PayPal brand. In this case, the entire PDF file (i.e., the body of the email) was uploaded to Adobe and sent directly to the victim through the e-signature service.

Figure 8. A TOAD example impersonating the PayPal brand.

Figure 9. The Adobe’s e-signature service abuse in TOAD.

**QR codes in PDF payloads **

Adversaries extensively use QR codes alongside brand impersonation phishing emails, a tactic known as QR code phishing. As seen in Figures 10 – 12, attackers exploit the legitimacy of popular brands to convince users to scan the QR code, ultimately redirecting them to a phishing page, which is often protected by some form of CAPTCHA.

Figure 10. A QR code phishing email impersonating the Docusign, Inc. brand.

Figure 11. CAPTCHA protecting the final phishing page.

Figure 12. Final phishing page.

In most QR code phishing emails with PDF payloads, the entire email body is embedded in the attachment and is rendered for the victim as soon as they open the email. This technique easily evades email filters and detection engines that rely on textual features and keywords, unless preceded by optical character recognition (OCR) analysis. However, OCR is an error-prone process and increases computational costs.

**Annotations in PDF payloads **

Although the PDF format is an open standard, its structure is not straightforward to understand (this book provides an excellent explanation). PDFs can contain both visible and hidden information within their three main components: the text layer, the image layer and the internal structure (e.g., comments and annotations). This flexibility allows certain elements within a PDF to make it appear legitimate, helping it evade spam filters and detection systems. 

To make QR code phishing emails more evasive, attackers often exploit otherwise legitimate PDF annotations. For example, a phishing URL might be embedded in a text annotation, sticky note, comment, or form field within a PDF attachment. Alternatively, attackers may add irrelevant text (or "noise") to bypass detection systems. 

Figures 13 and 14 demonstrate how multiple URLs can be embedded in a PDF attachment using annotations. In this case, the QR code may link to a legitimate web page to build the recipient’s trust, while the embedded annotation points to the actual phishing page. To further obscure the attack, attackers may use shortened URLs, making it harder for users to verify the link's legitimacy before clicking.

Figure 13. A QR code phishing email impersonating the Microsoft brand.

Figure 14. An example PDF attachment with a QR code; two URLs are included in this file in the form of annotations.

**Trends of brand impersonation via PDF payloads **

Brand impersonation remains a prevalent social engineering tactic in phishing attacks, with Talos frequently observing PDF payloads delivering brand names or logos in recent months. 

Using Cisco Secure Email Threat Defense’s brand impersonation detection engine, we uncovered how widespread these attacks are. The plot in Figure 15, reflecting the period between May 5 and June 5, 2025, highlights the most impersonated brands detected in emails with PDF attachments. Microsoft and Docusign were among the most frequently impersonated brands in phishing emails with PDF attachments. Similarly, NortonLifeLock, PayPal, and Geek Squad were among the most impersonated brands in TOAD emails with PDF attachments.

Figure 15. The topmost brands impersonated in emails with PDF attachments.

The map in Figure 16 indicates where brand impersonation attempts using PDF attachments originated for the above brands, both locally and internationally, during this time period.

Figure 16. The originating IP addresses of brand impersonation attempts using PDF attachments.

**Protection against brand impersonation**

Brand impersonation is one of the most popular social engineering techniques, and it is continuously being used by attackers in different types of email threats. Therefore, a brand impersonation detection engine plays a pivotal role in defending against cyber attacks. 

Cisco Talos relies on a wide range of systems to detect this type of threat and protect our customers, from rule-based engines to advanced machine learning-based systems. Learn more about Cisco Secure Email Threat Defense's brand impersonation detection engine here.

PDFs: Portable documents, or perfect deliveries for phish?

Unknown threat actors have been observed weaponizing v0, a generative artificial intelligence (AI) tool from Vercel, to design fake sign-in pages that impersonate their legitimate counterparts.
"This observation signals a new evolution in the weaponization of Generative AI by threat actors who have demonstrated an ability to generate a functional phishing site from simple text prompts," Okta

Tag

#intel