Stories from the LevelBlue SOC
Stories from the SOC - Sowing the Seeds of Cybercrime: The Credential Harvester
August 8, 2024 | Sean Shirley
Executive Summary Cyber attackers are constantly innovating new ways to compromise users and steal credentials. Among these techniques, credential harvesting through phishing attempts is one of the most prevalent methods. This deceptive strategy often involves attackers creating a fake site that mirrors a legitimate login page. They distribute links to this phony site through sophisticated phishing emails, embedding redirect links…
Business Email Compromise (BEC): Tracking a Threat Actor’s Funny Business
June 24, 2024 | Michael Venturella
Executive Summary In a recent LevelBlue incident response engagement, an analyst in our managed detection and response (MDR) security operations center (SOC) responded to an alarm that was triggered by a suspicious email/inbox rule. The rule aimed to conceal responses to an internal phishing attempt from the account user, so the attacker could solicit funds from the company's…
Stories from the SOC – Combating “Security Alert” Scams
May 1, 2024 | Jesse Rodriguez
Executive Summary The “Security Alert” scam is a prevalent tech-support fraud that threatens both Windows and Apple users. It exploits the trust of users by masquerading as an official support site, using fake pop-up warnings to lure users into dialing scam phone numbers by conveying a sense of urgency. The ultimate goal is gaining remote access to the…
DarkGate malware delivered via Microsoft Teams - detection and response
January 30, 2024 | Peter Boyle
Executive summary While most end users are well-acquainted with the dangers of traditional phishing attacks, such as those delivered via email or other media, a large proportion are likely unaware that Microsoft Teams chats could be a phishing vector. Most Teams activity is intra-organizational, but Microsoft enables External Access by default, which allows members of one organization to add users…
Stories from the SOC: BlackCat on the prowl
January 11, 2024 | James Rodriguez
This blog was co-authored with Josue Gomez and Ofer Caspi. Executive summary BlackCat is and has been one of the more prolific malware strains in recent years. Believed to be the successor of REvil, which has links to operators in Russia, it was first observed in the wild back in 2021, according to researchers. BlackCat is written in the Rust language,…