Full Report
Over the last month, Barracuda threat analysts identified several notable email-based threats targeting organizations around the world and designed to evade detection and boost the chances of success.
Analysis Summary
# Incident Report: Global Email-Based Threat Campaign Involving Calendar and File-Sharing Abuse
## Executive Summary
Barracuda threat analysts identified a global campaign utilizing advanced email-based threats featuring two primary methods: malicious calendar invites (.ics files) distributing phishing links, and the abuse of the legitimate ShareFile platform by renowned Phishing-as-a-Service (PhaaS) kits like Tycoon 2FA and Mamba 2FA. The primary impact is credential theft, particularly targeting Microsoft 365 users, leveraging the trust associated with calendar functions and known file-sharing services to bypass standard security controls. Response involved proactive identification, analysis of emerging threat techniques, and user education regarding the signs of these highly evasive attacks.
## Incident Details
- **Discovery Date:** Not explicitly stated; the threats were identified "over the last month" through Barracuda's ongoing monitoring.
- **Incident Date:** Ongoing throughout the month preceding the report.
- **Affected Organization:** Multiple organizations globally (implied).
- **Sector:** Undisclosed (Cross-sectoral targets based on email targeting).
- **Geography:** Around the world.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing/Recent Activity.
- **Vector:** Email delivery utilizing malicious calendar invites (.ics attachments) or phishing emails impersonating SharePoint/DocuSign notifications.
- **Details:**
* **Calendar Attack (Sneaky 2FA):** The email carries nothing but an ICS attachment, and the link is embedded inside the invite. The link lands on a legitimate page on the Monday platform, which presents a CAPTCHA and then redirects to a phishing page built to harvest Microsoft credentials.
* **ShareFile Abuse (Tycoon 2FA/Mamba 2FA):** Emails carry genuine ShareFile URLs that host fake login forms, trading on the recipient's trust in the service.
### Lateral Movement
- Lateral movement details are not specified, as the primary immediate impact appears to be credential harvesting via phishing linked to the initial email.
### Data Exfiltration/Impact
- **Data Theft:** Theft of user credentials, specifically targeting Microsoft 365 accounts.
- **Techniques:** Mamba 2FA is noted to intercept one-time passcodes and authentication cookies to bypass MFA.
### Detection & Response
- **Detection:** Identified by Barracuda threat analysts while monitoring emerging threats. ICS attachments are a blind spot: many security tools do not inspect the links embedded in calendar invites and treat the files as benign.
- **Response Actions:** Public disclosure via threat snapshot reports; analysis of the evolving PhaaS kits (Tycoon 2FA, Mamba 2FA).
## Attack Methodology
- **Initial Access:** Malicious ICS attachments embedded with phishing URLs (Sneaky 2FA kit) or legitimate ShareFile links hosting fake login pages (Tycoon 2FA/Mamba 2FA kits).
- **Persistence:** Not explicitly detailed beyond the use of advanced phishing kits designed for sustained operation.
- **Privilege Escalation:** Not relevant to the initial phishing step, but successful credential theft provides the means for privilege escalation within target systems (e.g., M365).
- **Defense Evasion:**
* Using ICS files, which are often considered harmless.
* Hosting phishing content on trusted, legitimate platforms (ShareFile, Monday platform redirects).
* Mamba 2FA uses proxy servers and short-lived, rotating phishing links to avoid blocklisting.
* HTML attachments padded with junk content, plus sandbox detection that redirects automated scanners to a Google 404 page.
- **Credential Access:** Harvesting via fake login pages reached through multi-step redirects (calendar-based attacks), or credential entry on fake forms hosted on legitimate ShareFile accounts.
- **Discovery:** Not specifically detailed, but PhaaS kits operate broadly.
- **Lateral Movement:** Not detailed in this summary layer.
- **Collection:** Intercepting MFA codes and authentication cookies (Mamba 2FA).
- **Exfiltration:** Credential data harvested from phishing sites.
- **Impact:** Successful initial credential compromise against M365 users.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** User credentials for Microsoft 365 environments, potentially leading to downstream data breaches.
- **Operational:** Potential disruption from compromised accounts; low immediate visibility as attack relies on user interaction.
- **Reputational:** Not quantified; compromised user accounts carry reputational exposure for the affected organizations.
## Indicators of Compromise
*Note: the source reports no live URLs, domains or hashes. The indicators below are technique-level and are reproduced as reported.*
- **Network indicators:** Legitimate platforms (Monday, ShareFile) used as redirect or hosting intermediaries; the abuse pattern, not the platform's domain, is the indicator. Short-lived, rotating phishing links (Mamba 2FA).
- **File indicators:** Malicious `.ics` (iCalendar) attachments.
- **Behavioral indicators:** Receiving unexpected calendar invites with no context/message; receiving ShareFile alerts when the organization doesn't use the platform; presence of CAPTCHA verification before a document link.
## Response Actions
Response actions described are largely post-incident analysis by Barracuda, focusing on threat intelligence dissemination:
- **Containment:** Not explicitly detailed for affected victims, but internal analysis was the primary action.
- **Eradication:** Not detailed.
- **Recovery:** Not detailed.
## Lessons Learned
- **ICS Files as a Blind Spot:** ICS attachments are generally trusted and can effectively bypass certain security controls.
- **Trust Exploitation:** Attackers are successfully abusing trusted infrastructure (ShareFile, the Monday platform) and the trust mail clients extend to calendar invites to host or relay malicious content and lower user suspicion.
- **PhaaS Evolution:** Phishing-as-a-Service platforms (Tycoon 2FA, Mamba 2FA) are continually adapting via advanced evasion techniques (rotating links, sandbox detection).
## Recommendations
- Organizations must caution users strongly against interacting with unexpected calendar invitations, especially invites that arrive with no message text or make contextually unusual requests.
- Implement checks to verify if the organization actually uses external services mentioned in notifications (e.g., ShareFile).
- Review security configurations to ensure the email security stack parses `.ics` attachments and inspects the links they embed, rather than treating calendar files as harmless.
- Be vigilant against credential harvesting pages even when they appear linked from trusted domains.
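The indicator list above and these recommendations reduce to two checks a mail gateway or SOC triage script can run offline: pull every link out of an `.ics` attachment (including URLs split across physical lines by RFC 5545 line folding) and flag invites that arrive with no message text, and flag notifications whose sender or links belong to a file-sharing service the organization does not use. The Python below is an added example, not Barracuda's tooling or code from the report. The sample messages, the `KNOWN_SERVICES` mapping and the `SERVICES_IN_USE` allowlist are constructed for the demo and must be tuned per tenant.

```python
"""Triage for the two lures in the report: phishing links inside .ics calendar
invites, and file-sharing notifications for services the organisation does not
use.  Added example (not Barracuda's tooling); all samples are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: file-sharing / e-signature services this tenant actually uses.
SERVICES_IN_USE = {"sharepoint", "docusign"}

# Assumption: service name -> domains that identify its links and senders.
KNOWN_SERVICES = {
    "sharefile": ("sharefile.com",),
    "docusign": ("docusign.net", "docusign.com"),
    "sharepoint": ("sharepoint.com",),
}

# Backslash is excluded so an iCalendar escaped newline ("\n") ends the URL.
URL_RE = re.compile(r"https?://[^\s<>\"'\\]+", re.I)
# RFC 5545 properties (plus Outlook's X-ALT-DESC) where a link can be planted.
LINK_PROPS = {"DESCRIPTION", "URL", "LOCATION", "ATTACH", "COMMENT", "X-ALT-DESC"}


def unfold_ics(text: str) -> list[str]:
    """RFC 5545 unfolding: a physical line starting with SPACE or HTAB continues
    the previous logical line.  A URL folded this way is invisible to a
    line-by-line grep until the lines are rejoined."""
    lines: list[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def ics_links(text: str) -> list[str]:
    """URLs found in link-bearing properties of an .ics body."""
    found: list[str] = []
    for line in unfold_ics(text):
        # Property name precedes the first ':'; drop parameters such as ;ALTREP=...
        name = line.split(":", 1)[0].split(";", 1)[0].upper()
        if name in LINK_PROPS:
            found.extend(URL_RE.findall(line))
    return found


def service_for(host: str):
    """Known service a host belongs to (exact or subdomain match), else None."""
    host = host.lower()
    for name, domains in KNOWN_SERVICES.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return name
    return None


def triage(raw: bytes, services_in_use=SERVICES_IN_USE) -> list[str]:
    """Return human-readable findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_text, ics_urls, findings = "", [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        if ctype == "text/calendar" or fname.endswith(".ics"):
            payload = part.get_content()
            if isinstance(payload, bytes):  # e.g. sent as application/octet-stream
                payload = payload.decode("utf-8", "replace")
            ics_urls.extend(ics_links(payload))
        elif ctype in ("text/plain", "text/html"):
            body_text += part.get_content()
    # Rule 1: an invite whose only content is a link-bearing .ics matches the
    # calendar lure described in the report.
    if ics_urls:
        note = "with no message text " if not body_text.strip() else ""
        findings.append(f"calendar invite {note}embeds link(s): {', '.join(ics_urls)}")
    # Rule 2: sender or link belongs to a service the organisation does not use.
    sender_host = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    hosts = [sender_host] + [urlparse(u).hostname or ""
                             for u in URL_RE.findall(body_text) + ics_urls]
    flagged = set()
    for host in hosts:
        svc = service_for(host)
        if svc and svc not in services_in_use and svc not in flagged:
            flagged.add(svc)
            findings.append(f"references {svc} via {host}, a service the organisation does not use")
    return findings


def build_message(sender: str, subject: str, body=None, ics=None) -> bytes:
    """Constructed sample; body=None yields an email that carries only the .ics."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@corp.example"
    msg["Subject"] = subject
    if body is not None:
        msg.set_content(body)
    if ics is not None:
        msg.add_attachment(ics, subtype="calendar", filename="invite.ics")
    return msg.as_bytes()


# Constructed samples, not real campaign artefacts.  In the invite the URL is
# folded across two physical lines (the continuation line starts with a space).
CALENDAR_LURE = build_message(
    "invites@example.invalid", "Invitation: Review shared document",
    ics="BEGIN:VCALENDAR\nVERSION:2.0\nMETHOD:REQUEST\nBEGIN:VEVENT\n"
        "UID:constructed-1@example.invalid\nSUMMARY:Review shared document\n"
        "DESCRIPTION:Open the document here: https://monday-lookalike.example/\n"
        " view/abc123\\nThanks\nEND:VEVENT\nEND:VCALENDAR\n")
SHAREFILE_LURE = build_message(
    "notify@sharefile-notify.example", "A file was shared with you",
    body="A document is waiting: https://tenant.sharefile.com/share/constructed-demo")
LEGIT_NOTICE = build_message(
    "no-reply@sharepointonline.example", "Bob shared a file",
    body="Open it here: https://tenant-my.sharepoint.com/:w:/p/constructed")

if __name__ == "__main__":
    for label, raw in (("calendar lure", CALENDAR_LURE), ("sharefile lure", SHAREFILE_LURE),
                       ("legitimate notice", LEGIT_NOTICE)):
        print(f"{label}: {triage(raw) or ['no findings']}")
```

Running the block prints one finding for the folded-URL invite, one for the ShareFile notification (because `sharefile` is absent from `SERVICES_IN_USE`), and none for the SharePoint notice. The CAPTCHA gate and the Monday redirect described in the report only show up at fetch time, so a script like this is a first-pass filter that surfaces the links for sandboxing or analyst review rather than a verdict on its own.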