New Blog Post | New sophisticated email-based attack from NOBELIUM

Microsoft


New sophisticated email-based attack from NOBELIUM - Microsoft Security: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals. Microsoft is issuing this alert and new security research regarding this sophisticated email-based campaign that NOBELIUM has been operating to help the industry understand and protect from this latest activity. Below, we have outlined attacker motives, malicious behavior, and best practices to protect against this attack. You can also find more information on the Microsoft On The Issues blog.
