DISCARDED: Tales From the Threat Research Trenches

Signatures and Surprises: Inside the Emerging Threats Team Jun 18, 2025

Hello to all our Cyber Masked Vigilantes! In this episode of Discarded, host Selena Larson and co-host Tim Kromhardt are joined by James Emery-Callcott, a Security Researcher on Proofpoint’s Emerging Threats team, for an insider’s look at the technical, tactical, and collaborative forces shaping modern network detection.

James takes us behind the curtain of rule writing, CVE coverage, and malware detection, breaking down how signatures are developed, validated, and deployed to protect against a constantly shifting threat landscape. From the fading heyday of exploit kits to the rise of infostealers and ClickFix, we explore how detections evolve—and why the most persistent threats often hinge on the fundamentals of networking.

You’ll also hear how the team maps detection rules to frameworks like MITRE ATT&CK and CISA KEV, using metadata tags to reduce alert fatigue and prioritize real-world risks. James shares why this kind of tagging isn’t just technical polish—it’s operational gold.

But detection doesn’t happen in a vacuum. James explains how the community—through Discord chats, support tickets, and collaborative research—plays a vital role in surfacing false positives, sharing POCs, and suggesting metadata improvements.

Bonus highlights include:

Why writing reliable detection rules is still too nuanced for AI
The anatomy of a CVE rollout (and the surprising role of an Xbox controller)
Signature performance testing and hardware challenges
Why older vulnerabilities still matter
A sneak peek at a free Suricata training series in the works

Whether it’s a shoutout to Tony for pushing tagging innovation or a nod to students eager to get started, the message is clear: everyone can contribute to better detection.

Resources Mentioned:

CrazyHunter: https://www.trendmicro.com/en_us/research/25/d/crazyhunter-campaign.html

https://www.proofpoint.com/us/blog/threat-insight/emerging-threats-updates-improve-metadata-including-mitre-attck-tags

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

DBIR Deep Dive: Identity, Access, and the Expanding Attack Surface Jun 04, 2025

Hello to all our Cyber Stars! Join host Selena Larson, and guest host, Sarah Sabotka, as they sit down with Alex Pinto, Associate Director of Threat Intelligence at Verizon Business and the lead author behind the industry-defining Verizon Data Breach Investigations Report (DBIR). Together, they unpack the most pressing findings from the brand new VZDBIR, offering a behind-the-scenes look at how the reports are built—and what they reveal about today’s rapidly evolving threat landscape.

Alex shares how the editorial strategy behind the DBIR helps translate raw data from 100+ contributors into actionable insights and compelling narratives.

The conversation dives into:

The surge in zero-day vulnerabilities and growing threats tied to network edge devices
Why third-party risk is skyrocketing, and what that means for vendor relationships
How ransomware groups are maturing and reinvesting like modern businesses
The alarming rise of credential abuse via MFA-bypassing phishing kits and information stealers
Why identity is now the primary target—and how defenders can introduce friction without killing usability
The limitations of current threat categorization and whether full attack chain visualizations should be next

Whether you're here for the acronyms, the insights, or just want to win at cyber threat bingo, this episode is a must-listen for anyone navigating the modern security landscape.

🎧 Tune in to hear why “DBIR Day” matters—and how this year’s findings may be more personal than ever.

Resources Mentioned:

https://www.verizon.com/business/resources/reports/dbir/

For more information about Proofpoint, check out our website.

The ClickFix Convergence: How Threat Actors Blur the Lines May 14, 2025

Hello to all our Cyber Spring Chickens! Join host Selena Larson, and guest host, Sarah Sabotka, as they chat with Saher Naumaan, Senior Threat Researcher at Proofpoint, for a deep dive into how modern espionage and cybercrime are increasingly blurring lines.

At the center of the conversation is ClickFix—a fast-evolving social engineering technique originally used by cybercriminals but now adopted by espionage actors across at least three countries in just 90 days.

We explore:

how threat actors are borrowing each other’s tactics, techniques, and procedures (TTPs), creating “muddled attribution” as espionage groups mimic high-volume e-crime methods
how these techniques are being tailored to target high-value, often non-technical individuals
what defenders can do in the face of increasingly sophisticated psychological attacks

Resources Mentioned:

https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix

https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape

https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

The Art of the Innocent Ask: How Threat Actors Use Benign Conversations Apr 29, 2025

Hello to all our Cyber Spring Chickens! Join host Selena Larson and guest hosts, Tim Kromphardt and Sarah Sabotka, both Senior Threat Researchers at Proofpoint.

These top sleuths crack open Proofpoint’s new Human Factor series and explore one of the most deceptively dangerous tactics in a threat actor’s playbook: the benign conversation.

What exactly is a benign conversation—and why is it anything but harmless? Whether it’s a simple “Do you have a minute?” or a seemingly legit job offer, these messages are often the opening moves in complex social engineering attacks used for fraud, malware delivery, and even nation-state espionage.

The team dives into:

The top five fraud-related benign conversation themes, including the rise of advanced fee fraud
Real-world examples of job scams, gift card requests, and a Taylor Swift-themed lure
The difference between financially motivated lures and espionage-style social engineering
How Iranian and North Korean threat actors are perfecting the art of trust-building through impersonation and tailored messages
TOAD scams (Telephone-Oriented Attack Delivery) and the power of fear and urgency
The critical role of spoofing in making these attacks believable
The human toll and psychological manipulation behind scams like pig butchering—and why acknowledging the abuse behind them matters

From hijacked contact forms and fake antivirus invoices to AI-generated phone calls and scam compounds, this episode blends serious security insight with Friday vibes and candid discussion.

Whether you're a seasoned threat analyst or just here for the “lure-palooza,” you’ll walk away with a sharper eye for red flags—and a deeper understanding of the evolving cyber threat landscape.

Resources Mentioned:

🔍 [Read the full report] https://www.proofpoint.com/us/resources/threat-reports/human-factor-social-engineering

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

Diving Into Cyber Journalism: FOIA, Fraud, and the Fight Against Online Threats Apr 09, 2025

Hello to all our Cyber Cherry Blossoms! Join host Selena Larson and guest host, Tim Kromphardt, a Senior Threat Researcher, as they chat with Andrew Couts, Senior Editor, Security and Investigations at WIRED.

Andrew shares insights into his work overseeing cybersecurity coverage and investigative reporting, collaborating with newsrooms, and uncovering the hidden threats lurking in the digital world.

We dive into how cybersecurity and privacy reporting has evolved, the growing risks posed by data collection and surveillance, and the challenges of informing the public around security experimentation.

We also discuss:

Recent investigations on ad tech, police drone surveillance, and the unintended consequences of data tracking
The rise of "pig butchering" scams and the difficulties in shutting them down
How the Freedom of Information Act (FOIA) serves as a powerful tool for uncovering hidden government actions
The real-world dangers journalists face when reporting on cybercriminals—such as swatting and online retaliation
The double-edged sword of privacy—how encryption and digital anonymity can both protect individuals and make it harder to track cybercriminals

Join us for a fascinating deep dive into the world of digital security, investigative journalism, and the real-life implications of living in an era where our data is constantly at risk.

Resources Mentioned:

Leveling Up Your Cybersecurity–WIRED Guide

https://www.wired.com/story/phone-data-us-soldiers-spies-nuclear-germany/

https://www.wired.com/story/the-age-of-the-drone-police-is-here/

https://www.wired.com/story/starlink-scam-compounds/

https://www.wired.com/story/alan-filion-torswats-swatting-arrest/

https://www.wired.com/story/no-lives-matter-764-violence/ (Content warning: self-harm, violence)

https://www.wired.com/story/the-wired-guide-to-protecting-yourself-from-government-surveillance/

https://www.wired.com/story/how-to-take-photos-at-protests/

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

RMM Tools: The New Cybercrime Trick? Mar 25, 2025

Hello to all our Remote Cyber Pals! Join host Selena Larson and guest host, Tim Kromphardt, a Senior Threat Researcher, as they chat with Staff Threat Researcher, Ole Villadsen, from Proofpoint. They explore the broader shift from traditional malware to commercially available tools that fly under the radar and how cybercriminals are increasingly abusing Remote Monitoring and Management (RMM) tools (sometimes called Remote Access Software) to gain initial access in email-based attacks.

Topics Covered:

The growing use of such tools like ScreenConnect, Atera, and NetSupport in cyberattacks
How threat actors are shifting from traditional malware loaders to commercially available tools
TA583’s adoption of RMM tools as a primary attack method
The role of social engineering in phishing lures, including Social Security scams
The impact of cybersecurity influencers and scam-baiting YouTubers on threat awareness
The ongoing arms race between cybercriminals and defenders

From stealthy intrusions to shifting cybercrime trends, this conversation uncovers the critical threats organizations face in 2025.

Resources Mentioned:

https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

Your Best Defense against Social Engineering: The Gray-Matter Firewall Mar 11, 2025

Hello to all our Cyber Pals! Join host Selena Larson and guest hosts, Sarah Sabotka and Tim Kromphardt, both Senior Threat Researchers from Proofpoint, as they dive into the realities of current social engineering schemes —especially during high-risk times like tax season. Cybercriminals exploit fear, urgency, and excitement to manipulate victims, from IRS impersonation scams and fraudulent tax payment requests to deepfake cons and TikTok frauds.

Our hosts dive into real-world examples, including:

tax-themed phishing attacks
tech support scams targeting the elderly
job scams leveraging Taylor Swift’s tour

They explore how AI is reshaping fraud tactics, why scammers still rely on outdated schemes like overseas financial windfalls, and how platforms like WhatsApp and Telegram play a role in modern cybercrime.

Tune in to learn how these scams work, why they succeed, and—most importantly—how you can protect yourself. Check out our show notes for additional resources, and don’t forget to share this episode with friends and colleagues!

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

Hiding in Plain Sight: How Defenders Get Creative with Image Detection Feb 25, 2025

Hello to all our Cyber Pals! Join host Selena Larson and guest host, Sarah Sabotka, as they speak with Kyle Eaton, Senior Security Research Engineer at Proofpoint.

They explore the evolving world of image-based threat detection and the deceptive tactics cybercriminals use to evade defenses. From image lures embedded in emails, PDFs, and Office documents to the surprising ways attackers reuse visuals across campaigns, this conversation break down how detection engineering is adapting to counter new threats.

There is also examination of how AI is shaping both cyber deception and detection, raising the question of how generative AI is influencing image-based security.

Listeners will gain insights into real-world detection successes, persistent threats like TA505 and Emotet, and the role of instincts in cybersecurity—because, as Selena notes, sometimes good detection is all about the vibes.

Key Topics Covered:

Characteristics of Image-Based Threats
Groups like TA505 and Emotet historically using recognizable image lures
OneNote-Based Malware Detection (2023) & the Challenges with OneNote
Shift to PDF-Based Threats
PDF Object Hashing for Attribution & Detection
Image-Based Threat Detection Insights
Generative AI’s Impact on Image-Based Threats

Join us as we uncover real-world detection wins, explore persistent threats like TA505 and Emotet, and dive into the importance of instincts in cybersecurity—because, as our guest puts it, sometimes good detection is all about the vibes.

Resources mentioned:

https://github.com/target/halogen

https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Cyber Groundhog Day and romance scams, featuring Only Malware in the Building Feb 05, 2025

Hey Cyber Pals! This week we are doing a very special spotlight on a recent episode from Only Malware in the Building. Our very own, Selena Larson, also co-hosts on this fabulous podcast.

Be sure to check it out and enjoy!

Find more OMIB: https://thecyberwire.com/podcasts/only-malware-in-the-building/9/notes

—------------------------------------------------

Welcome in! You’ve entered, Only Malware in the Building. Join us each month to sip tea and solve mysteries about today’s most interesting threats. Your host is Selena Larson, Proofpoint intelligence analyst and host of their podcast DISCARDED. Inspired by the residents of a building in New York’s exclusive upper west side, Selena is joined by N2K Networks Dave Bittner and Rick Howard to uncover the stories behind notable cyberattacks.

Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. On this episode and since it is February (the month of love as Selena calls it), we talk about romance scams known throughout the security world as pig butchering. And, Rick's experiencing a bit of a Cyber Groundhog Day in his newly-realized retirement.

The Power of Partnerships: An Interview with the NSA’s Kristina Walter Jan 22, 2025

Hello to all our Cyber Magicians! Join host Selena Larson and guest host, Joshua Miller, as they speak with Kristina Walter, the Chief of NSA’s Cybersecurity Collaboration Center. They explore the cutting-edge collaborations between the NSA and industry partners to combat cyber threats, with a deep dive into the NSA’s Cybersecurity Collaboration Center (Triple C).
Kristina sheds light on the growing awareness around cyber hygiene, the importance of collective defense, and the role of partnerships between government and private sectors in tackling malicious activity. She also offers practical advice for those looking to break into government cybersecurity roles, dispelling myths about the need for a STEM background and highlighting the relevance of "core skills" like public speaking, decision-making, and risk management.
Key Topics Covered:

Public-private partnership success stories
NSA’s approach to global collaboration
The shift from information consumption to actionable intelligence sharing
The average American's cybersecurity concerns
Insights into the collaborative efforts needed to counter cyber threats
Naming malware campaigns

The episode wraps up with tips on staying current in the fast-paced world of cybersecurity, from leveraging NSA advisories to building communities for information sharing. Whether you're an aspiring cybersecurity professional or an industry veteran, this episode is packed with actionable advice and thought-provoking perspectives.
Resources mentioned:
https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3805947/nsa-announces-kristina-walter-as-the-new-chief-of-cybersecurity-collaboration-c/
https://www.nsa.gov/Press-Room/News-Highlights/
https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3669141/nsa-and-partners-spotlight-peoples-republic-of-china-targeting-of-us-critical-i/
https://www.nsa.gov/about/cybersecurity-collaboration-center/
For more information about Proofpoint, check out our website.
Subscribe & Follow:Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

The Battle for a Safer Internet: Inside Domain Takedowns and Threat Actor Tactics Jan 07, 2025

Hello to all our Cyber Magicians! Join host Selena Larson and guest host,Tim Kromphardt, as they speak with Hannah Rapetti, the Takedown Services Manager at Proofpoint. Hannah shares her fascinating journey from librarian to cybersecurity expert, detailing her path into the industry through certifications, CTFs (Capture the Flag), and the Women in Cybersecurity (WiCyS) community.The conversation dives into real-world examples, techniques, and strategies used to identify, track, and eliminate malicious domains.
Key Topics Covered:

Collaborative Efforts: How teams work together to identify scam websites, gather evidence, and escalate for takedown.
Tools and Techniques: Using tools like domain search, backend kits identification, and IP-based connections to uncover related sites.
Challenges in Takedowns: Managing lists of hundreds of domains across multiple providers, verifying live activity, and the need for ongoing monitoring.
Threat Actor Behavior: How threat actors use multiple registrars or re-register domains to evade detection.
Best Practices for Organizations:
- Preemptively purchasing lookalike domains.
- Monitoring new domain registrations for suspicious activity.
- Educating users to identify and avoid malicious domains.
Ethical Considerations: Balancing infrastructure disruption with the need for ongoing research, particularly for cyber espionage threats.
Favorite Wins: Memorable investigations, such as takedowns during the Super Bowl, fake Olympics ticket scams, and real-time disruption of pig-butchering schemes.

The episode highlights the importance of domain takedowns not just for individual companies but for contributing to a safer internet ecosystem. It’s a mix of practical advice, real-life stories, and insights into the ongoing battle against cybercrime.
Resources mentioned:
Genina Po Discarded Episode
https://www.proofpoint.com/us/blog/threat-insight/pig-butchers-join-gig-economy-cryptocurrency-scammers-target-job-seekers
https://www.wicys.org/
https://www.proofpoint.com/us/blog/threat-insight/pig-butchers-join-gig-economy-cryptocurrency-scammers-target-job-seekers
https://podcasts.apple.com/us/podcast/discarded-tales-from-the-threat-research-trenches/id1612506550?i=1000677061400
https://www.proofpoint.com/us/blog/threat-insight/security-brief-scammers-create-fraudulent-olympics-ticketing-websites
For more information about Proofpoint, check out our website.
Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Hackers, Heists, and Heroes: The Evolving Ransomware Game Dec 17, 2024

Hello to all our Cyber Pals! Join host Selena Larson and guest, ransomware expert, Allan Liska, CSIRT at Recorded Future, drops by to share his creative take on cyber-themed graphic novels, proving there’s nothing ransomware can’t inspire—even superheroes.
In this episode, we uncover the shadowy ecosystem driving ransomware attacks, from the industrialization of cybercrime to the rise of "small-batch" threat actors redefining chaos. Explore how Operation Endgame dealt a devastating blow to malware powerhouses like Pikabot and SmokeLoader, shaking trust within underground networks and leaving cybercriminals scrambling to regroup.
We’ll also decode the evolving tactics of ransomware gangs, from slick AI-powered voice disguises to the surprising shift toward consumer scams. Plus, we’ll discuss whether law enforcement’s crackdown will make ransomware too expensive for crooks, forcing them to rethink their game plans—or at least settle for less glamorous schemes like crypto theft.
Don’t miss the Champagne pick that pairs perfectly with ransomware disruptions! 🥂
Resources mentioned:
https://www.chainalysis.com/blog/2024-crypto-crime-mid-year-update-part-1/
https://www.marketplace.org/shows/marketplace-tech/how-scammers-hijack-their-victims-brains/
https://www.cisa.gov/resources-tools/resources/review-attacks-associated-lapsus-and-related-threat-groups-report
https://www.proofpoint.com/us/blog/threat-insight/major-botnets-disrupted-global-law-enforcement-takedown
https://www.justice.gov/opa/pr/us-charges-russian-national-developing-and-operating-lockbit-ransomware
https://therecord.media/russian-national-in-custody-extradited
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/
https://therecord.media/chamelgang-china-apt-ransomware-distraction
https://urldefense.com/v3/__https://www.recordedfuture.com/research/outmaneuvering-rhysida-advanced-threat-intelligence-shields-critical-infrastructure-ransomware__;!!ORgEfCBsr282Fw!pYnNQZUQJLJTFlj5w7PcWRjyr6rh-logFnqo03_Mz19RUrK4rftQU1qbTj_iql3KNjn4Ub7a5LsDLpCJgdJQSA$
For more information about Proofpoint, check out our website.
Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Stealth, Scale, and Strategy: Exploring China’s Covert Network Tactics Dec 03, 2024

Hello to all our Cyber Frogs! Join host Selena Larson and guest host, Sarah Sabotka, explore the evolving tactics of China-based nation-state threat actors with guest Mark Kelly, Staff Threat Researcher at Proofpoint. They focus on TA415 (APT41 or Brass Typhoon), examining its combination of cybercrime and state-sponsored espionage. From the Voldemort malware campaign to targeting critical infrastructure, Mark sheds light on how these actors leverage tools like Google Sheets for command and control, exploit vulnerabilities, and adapt to evade detection.
The discussion also highlights:

the strategic importance of edge devices, pre-positioning for geopolitical escalations, and the intersection of espionage, gaming, and cybercrime
Operational Relay Boxes (ORBs), covert networks used by Chinese Advanced Persistent Threat (APT) groups to mask cyber activities
exploitation of non-traditional systems and vulnerabilities
the impact of compromised consumer devices on global cybersecurity

Resources mentioned:
https://www.nytimes.com/2024/10/26/us/politics/salt-typhoon-hack-what-we-know.html
https://cyberscoop.com/salt-typhoon-us-telecom-hack-earth-estries-trend-micro-report/
https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort
https://www.bleepingcomputer.com/news/security/state-hackers-turn-to-massive-orb-proxy-networks-to-evade-detection/
For more information about Proofpoint, check out our website.
Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Scams, Smishing, and Safety Nets: How Emerging Threats Catches Phish Nov 15, 2024

Hello to all our Cyber Pals! Join host Selena Larson and guest, Genina Po, Threat Researcher at Emerging Threats at Proofpoint. She shares how she tackles emerging cyber threats, breaking down the process of turning data into detection signatures. Using tools like Suricata to create detections for malicious activity, she maps out her approach to writing rules that identify and block these threats.
The goal? Equip companies to stay secure, and encourage listeners with the skills to spot and prevent scams on their own. Genina shares her journey tracking pig butchering scams through thousands of domains and URLs. She reveals patterns—certain headers and markers—that help identify these sites amid a flood of data, and she describes the challenges in detection, as scammers increasingly vary their setups to evade filters.
Also discussed:

proactive measures against phishing and fraud sites, with Proofpoint using "takedown" services to remove malicious domains, disrupting scams before they impact users
the importance of questioning biases, particularly in cyber threat intelligence where assumptions can shape classifications and responses
collaboration with Chainalysis to connect various scams through cryptocurrency wallets, showing cross-over between different fraud types

Resources mentioned:
Book: Why Fish Don’t Exist by Lulu Miller
For more information about Proofpoint, check out our website.
Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Pig Butcher Scammers Put Job Seekers On The Menu Oct 29, 2024

A note to our listeners, this episode contains some content our listeners might find upsetting including mentions of human trafficking.
Hello to all our Pumpkin Spice Cyber Friends! Join host Selena Larson and guest host, Sarah Sabotka as they chat with senior threat researcher and fraud expert Tim Kromphardt. They talk about the world of pig butchering and crypto romance scams, where Tim discusses how these scams manipulate victims' feelings, making it incredibly hard to escape, even when presented with evidence of the scam. And how these threat actors have expanded their enterprises to include job scamming. He explains the challenges of tracking funds through cryptocurrency systems, and why these scams are so profitable.
The episode highlights the need for victims to speak out and share their stories without shame, breaking the cycle and raising awareness.
Also discussed:

how psychological manipulation can be just as damaging as technical vulnerabilities
resources for victims, and how people can identify hallmarks of these types of scams
the role of automation and AI in scaling scams

Resources mentioned:
globalantiscam.org
For more information about Proofpoint, check out our website.
Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Under Siege: How Hackers Exploit Cloud Vulnerabilities Oct 15, 2024

Hello to all our Cyber Ghosts! Join host Selena Larson as she chats with Eilon Bendet– Cloud Threat Researcher from Proofpoint. From account takeovers to state-sponsored hacks, they uncover how cybercriminals are outsmarting traditional defenses – and why even multi-factor authentication might not be enough to keep them out.
Together, they discuss the complexities of cloud threat detection, including the role of User and Entity Behavior Analytics (UEBA) in identifying suspicious activities and preventing account takeovers (ATO). Eilon breaks down two primary ATO threat vectors—credential-based brute force attacks and precision-targeted phishing campaigns.
Also discussed:

how these groups exploit cloud environments
concerning trends such as the rise of reverse proxy-based toolkits and MFA bypass techniques
the importance of identity-focused defense strategies and how threat actors customize tools to infiltrate cloud systems, steal data, and monetize compromised accounts

Resources mentioned:
MACT or malicious applications blog: https://www.proofpoint.com/us/blog/cloud-security/revisiting-mact-malicious-applications-credible-cloud-tenants
For more information about Proofpoint, check out our website.
Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Champagne Attack Chains on a Kool-Aid Budget Sep 30, 2024

Hello to all our Pumpkin Spice cyber friends! Join host Selena Larson and today’s co-host, Tim Kromphardt, as they chat with Joe Wise, Senior Threat Researcher and Kyle Cucci, Staff Threat Researcher both from Proofpoint.
Together, they unpack recent campaigns involving the abuse of legitimate services, particularly focusing on the clever tactics used by cybercriminals to evade detection.Joe and Kyle discuss a fascinating trend where attackers are leveraging Cloudflare’s temporary tunnels, bundling Python packages, and deploying a range of malware like Xworm and Venom Rat. They explore the increasing abuse of legitimate services like Google Drive, Adobe Acrobat, and Dropbox, which allow attackers to blend in with regular business traffic. The conversation also touches on a range of threat clusters, including Exormactor and Voldemort malware, and TA2541, who have consistently leveraged Google Drive URLs to spread malicious content.
Also discussed:

the challenge of detecting and mitigating these types of threats and the importance of staying ahead of the evolving attack strategies
the motivations behind these campaigns
why traditional defense mechanisms may fall short

Resources mentioned:
https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort
https://www.proofpoint.com/us/blog/threat-insight/scammer-abuses-microsoft-365-tenants-relaying-through-proofpoint-servers-deliver
For more information about Proofpoint, check out our website.
Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Guarding the Vote: Unmasking Cyber Threats in Election Season Sep 17, 2024

Hello to all our cyber citizens! Join host Selena Larson and today’s co-host, Tim Kromphardt, as they chat with Joshua Miller, Senior Threat Researcher and Rob Kinner, Senior Threat Analyst both from Proofpoint.
With election season on the horizon, cyber attackers are sharpening their tactics—impersonating government agencies, emailing journalists, and crafting sophisticated phishing schemes. But how real is the threat? And what can be done to protect our democracy from the digital shadows? Today, we pull back the curtain on the unseen battles being fought in cyberspace and what it means for voters, journalists, and defenders alike.
The discussion covers a range of election threats, from malicious domains, impersonation, and typo-squatting to sophisticated credential phishing campaigns that exploit government and election-related themes.
Also discussed:

how state-sponsored actors from DPRK, Russia, and China are interested in espionage around election related topics
the impersonation of various government entities for phishing purposes, revealing the creativity and resourcefulness of threat actors
while cyber threats are pervasive, the integrity of the voting process remains strong, backed by robust defenses and ongoing efforts by dedicated professionals

Resources mentioned:
https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering
https://www.justice.gov/opa/pr/justice-department-disrupts-covert-russian-government-sponsored-foreign-malign-influence
https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists
https://www.proofpoint.com/us/blog/threat-insight/media-coverage-doesnt-deter-actor-threatening-democratic-voters
For more information about Proofpoint, check out our website.
Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Very Mindful, Very APT: Inside the Activity of Current Espionage Actors Sep 04, 2024

Hello to all our mindful and demure cyber sleuths! Join host Selena Larson and today’s co-host, Sarah Sabotka as they chat with Joshua Miller and Greg Lesnewich, Threat Researchers at Proofpoint about the ever-evolving world of advanced persistent threats (APTs).
The team unravels the latest espionage tactics of threat actors from Iran, North Korea, and Russia, exploring everything from Iran’s sophisticated social engineering campaigns to North Korea’s customized Mac malware.
They also highlight the increasing interest in MacOS malware in the cybercrime landscape and examine examine the threat posed by a group targeting AI researchers with unique malware like "SugarGh0st RAT."
Also discussed:

the quirky and often amusing names given to malware campaigns in the cybersecurity world.
unexpected connections between cybersecurity and pop culture, featuring a discussion on how celebrities like Taylor Swift handle digital security.
what recent activity suggests about the actors’ changing tactics.

Resources mentioned:
SleuthCon Talk: Presenter, Selena Larson
Rivers of Phish from CitizenLab
https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering
https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign
https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn
https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds
https://www.theguardian.com/music/shortcuts/2019/jan/29/digital-security-taylor-swift-facetime-privacy-bug-breaches
https://www.youtube.com/watch?v=LYHmTjFW-nY
https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week
https://www.proofpoint.com/us/blog/threat-insight/security-brief-artificial-sweetener-sugargh0st-rat-used-target-american
For more information about Proofpoint, check out our website.
Subscribe & Follow:
Don't miss

Rebel Security Training: Cyber Lessons from A Galaxy Far, Far Away Aug 20, 2024

Hello, cyber rebels! Ever wondered what lightsabers, the Force, and intergalactic battles have in common with the world of cybersecurity? Welcome to a special episode of the Discarded Podcast. Join host Selena and co-host Greg Lesnewich, Senior Threat Researcher at Proofpoint, along with our guest, Eric Geller, cybersecurity reporter and host of the Hoth Takes Star Wars podcast, as they dive into the fascinating intersection of Star Wars and cybersecurity. He reveals how the tactics and strategies from a galaxy far, far away can be applied to modern-day digital defense.
Greg and Eric share their love for Star Wars while drawing parallels between iconic moments from the saga and modern cybersecurity practices. Ever wondered how the Rebels' infiltration of the Death Star reflects real-world hacking techniques? Or how the Empire's security flaws could be lessons for today's digital defenses? We've got you covered. They highlight how living off the land techniques, identity protection failures, and internal security oversights in the Star Wars universe can teach us valuable lessons for defending against cyber threats.
From red teaming with Han and Chewbacca to intelligence analysis with Princess Leia, and even hardware hacking with Babu Frik, we cover a broad spectrum of cyber roles through the lens of Star Wars. We also delve into who would make the best CISO in the Star Wars universe, with some surprising nominations and entertaining analogies.
Whether you're a Star Wars enthusiast or a cybersecurity professional, this episode provides a unique and entertaining perspective on the skills and strategies essential for both realms. Tune in for a fun and insightful conversation that bridges the gap between fiction and reality in the most engaging way possible.
Resources mentioned:
Hoth Takes (podcast)
NIST Framework
https://www.wired.com/author/eric-geller/
For more information about Proofpoint, check out our website.
Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

The Art of Frustrating Hackers: Diving Into the DEaTH Cycle with Randy Pargman Aug 06, 2024

Hello, Cyber Stars! In today's episode of the Discarded Podcast, hosts Selena Larson and Sarah Sabotka are joined by Randy Pargman, Director of Threat Detection at Proofpoint. Randy shares his extensive experience in cybersecurity, from working at the FBI and understanding law enforcement’s role in cyber defense, to endpoint detection and response, to his current role at Proofpoint.
We explore the relentless cat-and-mouse game between cyber defenders and threat actors. Randy discusses the importance of Detection Engineering and Threat Hunting (DEATH) and how these disciplines work together to outsmart cybercriminals. He also highlights the significance of log data retention and how investing in longer retention periods can drastically improve the efficacy of detection measures.
Randy touches on the upcoming DEATHCon, a must-attend event for cybersecurity professionals. He shares fascinating stories and analogies, making complex cybersecurity concepts accessible and engaging.
We also talk about:

the concept of the "pyramid of pain" and how spending too much time on IOCs can be a losing battle against agile threat actors
the value of empathy and collaboration among security teams
practical steps for building shared lab environments

Resources mentioned:
DeathCON
Operation Endgame
Clipboard to Compromise Blog: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
DFIR Report Labs: https://thedfirreport.com/services/dfir-labs/
For more information about Proofpoint, check out our website.
Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

The Hunt for Cyber Criminals: A Deep Dive with Wired's Andy Greenberg Jul 24, 2024

Hello, Cyber Stars! In today's episode of the Discarded Podcast, hosts Selena Larson and Pim Trouerbach are joined by Andy Greenberg, Senior Writer at WIRED. Known for his deep dives into the world of hacking, cybersecurity, and surveillance, Andy shares his journey of uncovering and telling compelling stories about the digital underworld.
The conversation kicks off with Andy detailing his extensive experience in cybersecurity journalism and his knack for long-form storytelling. He shares insights into his acclaimed Wired article on the Mirai botnet hackers and discusses his latest book, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.
We also talk about:

the intricate world of cryptocurrency and its unintended consequence of fueling ransomware attacks
the rise of pig butchering scams, now dwarfing ransomware in financial impact
the ethical dilemmas and real-world consequences of cybercrime

Resources mentioned:
Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg
Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency by Andy Greenberg
https://www.wired.com/story/mirai-untold-story-three-young-hackers-web-killing-monster/
https://www.wired.com/story/crypto-home-invasion-crime-ring/
https://www.wired.com/story/tigran-gambaryan-us-congress-resolution-hostage-nigeria/
For more information about Proofpoint, check out our website.
Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Have you heard: Only Malware in the Building? Jul 15, 2024

Check out new episodes of Only Malware in the Building wherever you listen to podcasts:
https://thecyberwire.com/podcasts/only-malware-in-the-building

Malware Evasion Uncovered: The Battle Against Evolving Malware Techniques Jul 09, 2024

Hello, Cyber Pirates! In today's episode of the Discarded Podcast, hosts Selena Larson and Tim Kromphardt are joined by Kyle Cucci, Staff Threat Researcher at Proofpoint. Dive with us into the world of cyber attacks as Kyle breaks down the intricacies of evasion techniques used by threat actors. From defense evasion to anti-sandboxing and anti-reversing methods, Kyle sheds light on how modern malware ensures its survival. Discover the evolution and increasing sophistication of these techniques, and learn about specific malware families like WikiLoader, Remcos, and the notorious Loki Bot.
We then move into how teams of threat hunters, intelligence analysts, and malware reversers work closely to identify new malware techniques and develop robust defenses within sandbox environments. Kyle shares insights into the constant feedback loop between intelligence and detection teams, highlighting how they stay ahead of evolving threats.
We also talk about:

evasion strategies, including temperature checks, geofencing, and human detection mechanisms
the use of publicly available tools by malware authors
the future of AI and large language models (LLMs) in both aiding and combating cyber threats

Resources mentioned:

Evasive Malware by Kyle Cucci
SentinelOne Research: https://www.sentinelone.com/blog/blackmamba-chatgpt-polymorphic-malware-a-case-of-scareware-or-a-wake-up-call-for-cyber-security/

For more information about Proofpoint, check out our website.
Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Checkmate: Breaking Down Operation Endgame Jun 25, 2024

Hello, cyber sleuths! In today's exciting episode of the Discarded Podcast, hosts Selena Larson and Sarah Sabotka are joined by the brilliant Pim Trouerbach, Senior Reverse Engineer at Proofpoint. Pim gives us the lowdown on this massive law enforcement operation targeting multiple high-profile botnets across the globe, called Operation Endgame, and how this coordinated takedown affects the cybercrime landscape and the significance of arresting the individuals behind these operations.
He also breaks down the different malware impacted including SystemBC, IcedID, Pikabot, Bumblebee, and more.
We also talk about:

the rise and fall of Bumblebee, comparing it to its predecessor, Baza Loader, and contemplating why it didn't quite live up to its anticipated potential despite its advanced features
the collaborative efforts between law enforcement and private sector partners, emphasizing the effectiveness of these joint operations in curbing cyber threats
the high-quality, cinematic videos released as part of Operation Endgame

Resources mentioned:
https://www.proofpoint.com/us/blog/threat-insight/major-botnets-disrupted-global-law-enforcement-takedown
https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits
https://operation-endgame.com/
https://www.justice.gov/opa/pr/911-s5-botnet-dismantled-and-its-administrator-arrested-coordinated-international-operation
https://x.com/Shadowserver/status/1797945864004210843
For more information about Proofpoint, check out our website.
Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Hacking the Human Mind: How Cyber Attackers Exploit Our Brains Jun 11, 2024

Hello to all our cyber squirrels! Joining our series host, Selena Larson, is our co-host today, Tim Kromphardt. Together they welcome our special guest–Dr. Bob Hausmann, Proofpoint's Manager of Learning Architecture and Assessments and a seasoned psychologist.
Our conversation explores how cyber threat actors exploit the different systems of thought in our brains and how attackers leverage our rapid, emotionally-driven responses (system one thinking) to bypass our more deliberate, rational processes (system two thinking).
Dr. Bob introduces us to the concept of cognitive biases, particularly normalcy bias, and how these mental shortcuts can shape our cyber defense strategies. He explains how organizations often fall into the trap of thinking "it won't happen to us," leading to underinvestment in critical security measures. Drawing parallels to historical events like the sinking of the Titanic and the COVID-19 pandemic, he underscores the importance of overcoming these biases to enhance preparedness.
We also talk about:

Real-world implications and examples of social engineering attacks.
The impact of urgency and stress on decision-making in cybersecurity.
The alarming rise and mechanics of pig butchering scams.
The role of AI in scams and cybersecurity
Empathetic approaches to helping scam victims

Resources mentioned:

Book: "Thinking, Fast and Slow" by Daniel Kahneman

Book: "The Art of Deception" by Kevin Mitnick

Previous Discarded Episode on Pig Butchering

Have I Been Pwned

PhishMe

Cybersecurity and Infrastructure Security Agency (CISA)

SANS Institute

https://www.proofpoint.com/us/blog/threat-insight/broken-dreams-and-piggy-banks-pig-butchering-crypto-fraud-growing-online

https://therecord.media/southeast-asian-scam-syndicates-stealing-billions-annually

https://www.cfr.org/in-brief/how-myanmar-became-global-center-cyber-scams

https://www.proofpoint.com/us/blog/threat-insight/dont-answer-russia-aligned-ta499-beleaguers-targets-video-call-requests

For more information about Proofpoint, check out our websit

Decrypting Cyber Threats: Tactics, Takedowns, and Resilience May 29, 2024

Hello to all our cyber pals! Joining our series host, Selena Larson, is our co-host today, Tim Kromphardt. Together they welcome our special guest–Daniel Blackford, the Director of Threat Research at Proofpoint. The conversation dives into the intricate world of cyber threats and the impact of law enforcement disruptions on malware, botnets, and ransomware actors.
We'll explore how threat actors react when their preferred infrastructures or ransomware-as-a-service systems get taken down, offering insights into their various responses—from rebuilding and rebranding to the emergence of new power players in the cybercriminal ecosystem.
We also talk about:

Analysis of the Hive ransomware takedown and the massive Qbot operation, including the technical and human aspects of these disruptions
How other groups rise to prominence despite disruptions
Differences between malware disruptions and business email compromise (BEC) or fraud-focused disruptions
The evolution of threat actor techniques, such as, legitimate remote management tools and living off the land techniques

For more information about Proofpoint, check out our website.
Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

It Works on My Machine: Why and How Engineering Skills Matter in Threat Research May 08, 2024

The Discarded Podcast team is gearing up and working hard for a new season! Until then we have a special Re-Run treat--one of our favorite episodes! Enjoy!
Engineering skills can play a massively beneficial role in cyber security, as Pim Trouerbach, a Senior Reverse Engineer at Proofpoint and Jacob Latonis, Senior Threat Research Engineer at Proofpoint, are able to share.
They emphasize the importance of understanding the requirements and context of security researchers to build effective tools. The conversation touches on the potential impact of AI and LLMs (large language models) in threat research. While AI tools can be valuable for entry-level tasks, the context, experience, and expertise of human engineers are essential for handling complex code and understanding threat actors' behaviors.
Join us as we also discuss:
[02:59] The uniqueness of engineering skills in understanding researchers' requirements for data cleaning, tool development, and working in a security environment.
[11:06] How the versioning in malware samples can provide insights into the threat actors' behavior and trajectory.
[13:24] How malware is simply software with malicious intent, and how practices of developers and threat actors can overlap.
[17:10] The tools and techniques used by threat actors, including obfuscation and encryption methods.[21:42] The importance of context and experience in writing tools and understanding researchers' workflows.
For more information, check out our website.

Decoding TA4903: Exploring the Dual Objectives of a Unique Cyber Threat Actor Apr 02, 2024

Today’s focus is on the elusive threat actor known as TA4903. But that's not all - we've got a special treat for you as well. Our longtime producer, Mindy, is joining us as a co-host, bringing her expertise and insights to the table, as we turn the mic around and interview, Selena!
We explore recent research conducted by Selena and her team on TA4903’s distinct objectives. Unlike many cybercrime actors, TA4903 demonstrates a unique combination of tactics, targeting both high-volume credential phishing campaigns and lower-volume direct business email compromises.
We also dive into:

TA4903 spoofs government entities like the Department of Transportation and the Department of Labor to lure victims
Use of advanced techniques including evil proxy for multi-factor authentication token theft and QR codes for phishing campaigns
Rising trends in cryptocurrency-related scams and other financial frauds

Resources mentioned:
MFA Bypass (Blog) by Timothy Kromphardt
IC3 2023 FBI Report
New TA4903 research: https://www.proofpoint.com/us/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids
For more information, check out our website.

A Trip Down Malware Lane: How Today's Hottest Malware Stacks Up Against Predecessors Mar 19, 2024

It has been a busy first quarter for the Proofpoint Threat Research team! Today we have returning guest, Pim Trouerbach, to share his personal stories about his favorite malware and discuss the current landscape, including insights on Pikabot, Latrodectus, and WikiLoader.
The conversation explores the evolution from old school banking trojans to the current favored payloads from major cybercrime actors, and the changes in malware development through the years. Pim shares the different meticulous analysis and research efforts, and we learn about mechanisms to combat the malware.
We also dive into:

a valuable lesson about the consequences of malware running rampant in a sandbox environment
the shifts in attack chains and tactics employed by threat actors
the need for adaptive detection methods to combat evolving cyber threats

Resources mentioned:
Countdown to Zero Day by Kim Zetter
Shareable Links:
https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion
https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft
https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates
https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black
https://www.proofpoint.com/us/blog/threat-insight/security-brief-tis-season-tax-hax
Pim’s Favorite Malware:
* Emotet: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-280a
* IcedID: https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid
* Dridex: https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-339a
* Hancitor: https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor
* Qbot: https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
* Hikit (APT): https://attack.mitre.org/software/S0009/
* Stuxnet (APT): https://www.penguinrandomhouse.com/books/219931/countdown-to-zero-day-by-kim-zetter/
* Cutwail: https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail
For more information, check out our website.

Hiding In Plain Sight: Unique Methods Of C2 From Infostealers Mar 05, 2024

Network-based detections, such as those developed by threat detection engineers using tools like suricata and snort signatures, play a crucial role in identifying and mitigating cyber threats by scrutinizing and analyzing network traffic for malicious patterns and activities.
Today’s guest is Isaac Shaughnessy, a Threat Detection Engineer at Proofpoint. Isaac shares his insights into the challenges of detecting and mitigating malware, especially those using social platforms for command and control. He emphasizes the team's engagement with the InfoSec community, highlighting the value of platforms like Twitter and Mastodon for sharing and receiving information.
We also dive into:

the unique challenges of crafting effective signatures
the specifics of malware, focusing on Vidar stealer and highlighting the dynamic nature of Vidar's command and control infrastructure
the distribution methods of these malware strains, from email campaigns to unconventional tactics like using video game platforms and social media for luring victims

Resources mentioned:
Intro to Traffic Analysis w/ Issac Shaughnessy
Emerging Threats Mastodon: https://infosec.exchange/@emergingthreats
Threat Insight Mastodon: https://infosec.exchange/@threatinsight
Vidar Stealer Picks Up Steam!
For more information, check out our website.

From Attribution to Advancement: Red Canary’s Katie Nickels Tackles CTI’s Biggest Questions Feb 20, 2024

The esteemed Katie Nickels joins us on the show today! Katie is the Director of Intelligence Operations at Red Canary, and our conversation with her explores a wide array of topics, ranging from career growth in threat intelligence to the intricacies of attribution and threat actor naming.
Katie delves into her diverse career journey and transitions to advice for those entering the field, emphasizing persistence, creativity, and considering entry-level roles like SOC analyst positions. There is also talk of avoiding burnout while pursuing one’s passion, especially in cybersecurity.
We also dive into:

Communication and attribution challenges including the confusion of different naming conventions
Marketing and the personification of threat actors
Strategic approaches in handling incidents and avoiding panic

For more information, check out our website.

Beyond the Headlines: Reporting on Sensitive Cybersecurity Topics to Resonate with Everyone Feb 06, 2024

*This episode contains content warnings of suicide and self-harm*
“It’s not about preventing something from happening, it’s being prepared for when it does.” This episode is filled with stories from the different scenarios that have been plaguing people with cyber security attacks.
Today’s guest is Kevin Collier, a cybersecurity reporter at NBC. He joins us to discuss his experiences covering cybersecurity stories for a mainstream audience. As the first and only dedicated cybersecurity reporter at NBC, Collier reflects on the evolving nature of media coverage in the cybersecurity space, emphasizing the increasing need for dedicated coverage in major news publications. He highlights the rise of scams facilitated through text messages, emails, and zero-day exploits, emphasizing the geopolitical circumstances that enable these threats, and also helping audiences understand the reality behind the cyber threats they face.
They also dive into:

The poignant reporting process on a story of pig butchering scams
The normalization of cyber threats, such as ransomware, and the role of the media in shaping public perception
The process of convincing stakeholders to prioritize certain topics
The emotional toll of reporting on sensitive cybersecurity topics and the importance of self-care in navigating this challenging intersection.

Resources mentioned: trigger warning for content of suicide and self-harm
“Online romance scams are netting millions of dollars — and pushing some to self-harm” by Kevin Collier
Discarded Episode with Tim Utzig
Colonial Pipeline Blog by CISA.gov
For more information, check out our website.

Strategies for Defense and Disruption: Part Two of Predicting Cyber Threats in 2024 Jan 23, 2024

Is 2024 the year of adaptability and collaboration within the security community? Let’s hope so!
Today’s episode is Part Two of what to expect in cybersecurity in 2024, and our guests are Randy Pargman and Rich Gonzalez. Randy sheds light on the crucial role of the Detections Team and emphasizes the constant innovation of malware authors, and the team’s mission to outsmart them. Rich discusses the Emerging Threats team and dives into open source and paid resources as force multipliers for security teams.
While some reflections were shared about 2023, namely multiple high-profile vulnerability events and the challenges posed by QR codes, the conversation focused on the upcoming year. They anticipate increased creativity from threat actors, and emphasize the constant battle between red and blue teams. The conversation underscores the need for constant adaptation, response to emerging threats, and collaboration within the security community.
Other topics discussed include:

Incidents like WinRAR, Citrix NetScaler ADC, and ScreenConnect vulnerabilities
The positive impact of public-private partnerships and international cooperation in enhancing cybersecurity defenses
Hopeful vision for the industry, advocating for understanding, education, & increased diversity

For more information, check out our website.

Phishing, Elections, and Costly Attacks: Part One of Predicting Cyber Threats in 2024 Jan 09, 2024

To move forward, it’s good to take a minute and reflect on what’s happened.
Today’s episode focuses on insights from Daniel Blackford and Alexis Dorais-Joncas, both Senior Managers of Threat Research at Proofpoint. This is the first in our two-part series looking at what’s on the horizon for 2024.
Reflecting on 2023, they discuss the use of QR codes, major technique shifts from the biggest ecrime and APT actors, and the ongoing problem of ransomware.
Looking ahead to 2024, the emphasis goes to the gradual shift of attacks outside corporate-managed infrastructure, leveraging personal email accounts to bypass extensive security measures. On the cybercrime side, there’s a prediction of the continued development of as-a-service models, particularly focusing on traffic distribution services, leading to more modular and challenging-to-attribute attack chains.
They also dive into:

Threat actor activity during the elections and Olympics
Specific threat actor groups that caught their attention in 2023, TA473 and TA577
Living off the Land concepts

For more information, check out our website.

Jingle Bells, Phishing Tales: Reflecting on Cybersecurity in the Holiday Spirit Dec 26, 2023

In this special Holiday edition of Discarded, the tables are turned with hosts, Selena and Crista, becoming the answer-ers, our returning Moderator, Mindy Semling, as the question asker, and our wonderful audience is transformed into Cyber Elves.
This conversation is lively and filled with questions from a variety of engaged audience members. (Thank you to everyone who contributed). Questions range from career advice for aspiring Cyber Threat Analysts, to certain threats exploding in popularity, to a reflection of 2023.
The Discarded Podcast team would like to take a moment and thank the following people for their contributions to the Cyber Security Landscape this year:

Pim Trouerbach
Kelsey Merriman
Tommy Madjar
Bryan Campbell
Greg Lesnewich
Kyle Eaton
Joe Wise
Emerging Threats team
The overall Proofpoint Team, including, but not limited to our PR and marketing teams

Resources mentioned:
Youtube: Katie Nickels Sans Threat Analysis Rundown
https://www.sans.org/cyber-security-courses/cyber-threat-intelligence/
https://www.networkdefense.co/courses/investigationtheory/
https://www.nbcnews.com/tech/tech-news/how-online-romance-scams-netting-millions-self-harm-rcna85252
https://medium.com/mitre-attack/attack-v14-fa473603f86b
https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-1-968b5a8daf9a
https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-2-d04b7a529d36
https://www.atlanticcouncil.org/in-depth-research-reports/report/sleight-of-hand-how-china-weaponizes-software-vulnerability/
https://www.wired.com/story/gadget-lab-podcast-621/
https://www.wired.com/story/mirai-untold-story-three-young-hackers-web-killing-monster/
For more information, check out our website.

I Know This Might Sound Crazy but Russia’s TA422 Blasted Lots of Exploits Dec 12, 2023

Tis the season for understanding TA422’s latest activity AND for singing podcast guests!
Today’s returning guest is Greg Lesnewich, Senior Threat Researcher at Proofpoint. He sheds light on the tactics, techniques, and procedures (TTPs) employed by TA422. The conversation touches on the significance of the high volumes observed starting in late summer, the exploitation of vulnerabilities for NTLM credential harvesting, and the brief usage of the WinRAR vulnerability.
They touch upon the potential reasons behind the group's choices, considering factors such as resourcing, tactical decisions, and a shift towards speed and efficiency. There is also consideration about connecting TA422's activities to broader trends in threat actor behavior, such as a shift towards living off the land techniques and a focus on social engineering for initial access.
The conversation continues on the following topics:
[11:17] TA422 Recent Activity
[13:30] Campaign’s using CVE 2023 23397
[18:35] Winrar activity
[22:50] October & November activity
[26:50] Guest Singing Spotlight
[29:30] Noticeable differences in campaigns
Resources mentioned:
TA422 Proofpoint Blog: https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week
Google TAG Report on WinRAR Exploits: https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/amp/
Selena’s Cyber Tunes Playlist: https://open.spotify.com/playlist/7GqH7SefgiI1UtYNjQ5svg?si=vO2Ao-lTTSuCCVfgfgcUfw&pt=97da5ebbd320a4f79014b1f205fc8438&pi=u--xbfwSuHSE-T
Wired story on Sandworm: https://www.wired.com/story/sandworm-ukraine-third-blackout-cyberattack/
For more information, check out our website.

MITRE ATT&CK Evolves with Cyber Threat Sophistication Nov 29, 2023

Take a deep dive with us into the incomparable MITRE ATT&CK Framework, a comprehensive knowledge base that catalogs real-world threat actor behaviors derived from threat intelligence.
Today’s guests are our great friends at MITRE ATT&CK, Adam Pennington (Attack Lead), and Patrick Howell O’Neill, (Lead Cyber Operations Analyst). They explore how the Framework serves as a common language for communicating adversary threat behaviors and discuss its evolution from an internal project to a community-driven resource.
The latest version of the MITRE ATT&CK Framework version 14 was released on Halloween, emphasizing new features like the addition of new defensive information and techniques they previously said no to including. They discuss the decision-making process behind incorporating new techniques, such as Financial Theft, Impersonation, Phishing: Spearphishing Voice, and Phishing for Information: Spearphishing Voice.
The conversation continues on the following topics:
[5:00] MITRE ATT&CK Framework
[9:25] Improving cybersecurity detection
[13:00] New ATT&CK techniques
[16:00] Decisions about which techniques to add
[23:00] Mobile ATT&CK
[30:00] Decisions about which trends to include
[37:00] Feedback about the Framework
Resources mentioned:
What is the MITRE ATT&CK Framework?
https://attack.mitre.org/
https://medium.com/mitre-attack/attack-v14-fa473603f86b
For more information, check out our website.

Looking Behind the Curtain at the Palestinian-Aligned TA402 Nov 14, 2023

While the current Israeli/Palestinian conflict is on everyone’s minds, how many are thinking about the repercussions of cyber security?
Today’s guest is returning guest, Joshua Miller, Senior Threat Researcher on the APT team at Proofpoint. While he focuses on different Middle East, North African state-aligned threats, he is talking today about a Palestinian-aligned threat group coined TA402.
While there is no direct link to Hamas, their activities support the Palestinian Territories. Joshua paints a vivid picture of TA402's usual targets, strategies, and tactics, highlighting their geofencing techniques and their crafty use of compromised government agency accounts. The recent evolution of their attack chain, involving Dropbox and DLL side loading, is dissected in intricate detail, offering a glimpse into the evolving landscape of cyber threats.
This discussion not only provides insights into TA402's modus operandi but also emphasizes its distinctiveness from its previous malware campaigns.
TIMESTAMPS
[1:35] Length of time tracking TA402
[3:00] Differences between known government threat actors vs TA402
[7:00] Other groups involved in the Israeli/Palestinian War
[10:40] Normal victimology from this type of threat actor
[12:30] Comparison of tactics that TA402 is deploying
[19:20] Difficulties in tracking TA402
Resources mentioned:
Ugg Boots 4 Sale: A Tale of Palestinian-Aligned Espionage
New TA402 Molerats Malware Targets Governments in the Middle East
https://malpedia.caad.fkie.fraunhofer.de/actor/aridviper
https://www.proofpoint.com/us/blog/threat-insight/exploiting-covid-19-how-threat-actors-hijacked-pandemic
For more information, check out our website.

Unmasking the Tricksters: The World of Fake Browser Updates Oct 31, 2023

How can you tell when a website (yes, a website) is compromised? These threats are pretty crafty because they aren't out to target specific individuals; they just wait for folks like you and me to innocently click on compromised websites during our regular browsing.
But these threats don't stop at casual browsing. They sneak into emails, social media, search engines, and even web alerts. They're like chameleons, adapting to different situations.
Our guest today is Dusty Miller, a Threat Detection Analyst at Proofpoint. He identifies four key groups: SocGholish, RogueRaticate/FakeSG, ZPHP/SmartApeSG, and ClearFake. Each has its own style and tricks, but they all love using that tempting fake browser update ruse.
These threats work because they exploit our trust in websites we've visited before. Users tend to trust websites they've visited before, making them more susceptible to clicking on fake browser update prompts.
Responding to these threats isn't a walk in the park for defenders. To tackle them effectively, you need to pinpoint which specific threat you're dealing with and respond accordingly. It's like playing a game with multiple rulebooks; you've got to know which one you're up against.
TIMESTAMPS
[1:45] Fake Browser Opportunities
[5:00] Threat Actors Using Malware
[9:00] Browser Malware Clusters & Tactics
[18:00] Combating Fake Updates
[19:00] Naming New Malware
[28:00] Why These Threats
Resources mentioned:
Dr. Bob Hausmann Episode
“Are You Sure Your Browser is Up to Date?...” by Dusty Miller
For more information, check out our website.

Decoding the Malware Maze: Insights From a Threat Researcher Oct 17, 2023

Oh the days when spam was the only concern for email security!
Our guest today is Chris Wakelin, a Senior Threat Researcher at Proofpoint. He recounts the era when email attachments were plain text, and the concept of malicious URLs had yet to become prevalent. Chris was a pioneer in implementing email security measures and recalled introducing Spam Assassin, an early open-source program for spam detection, at his university.
Chris emphasized his belief in not shipping emails into a black hole (where emails are never seen by humans and they do not return error but instead directing them to spam folders or rejecting them at the gateway.) He stressed the importance of precision in cybersecurity, a lesson learned from his mathematical background.
TIMESTAMPS
[5:00] First Spam Filtering Implementation
[6:00] Spam Assassin
[12:15] Differences between static/dynamic detections and various signatures
[14:00] Running the Sandbox
[19:00] Naming New Malware
[23:50] Best Practices
Resources mentioned:
LCG Kit Blog
TA 558 Blog
ET Open Rule Set
For more information, check out our website.

Obfuscated: Online Threats and the Visually Impaired Oct 04, 2023

Billions of dollars in losses is bad enough. But when a friend loses $1,000 on a platform he trusted, online fraud gets personal.
In this podcast episode, we dive deep into the world of online fraud with the personal account of Tim Utzig, a Senior Associate Analyst at Anser and friend of his Selena Larson. Utzig, who is blind, lost $1,000 in an online scam. His story highlights the difficulties and risksof being a person with a disability in an online world that enables cyber crime and often neglects accessibility.
Timothy Kromphardt, an email fraud researcher at Proofpoint, used his expertise tracking scams and engaging directly with threat actors to help Utzif recover. He explains the complexities of cyber crime investigations and the roadblocks to bringing scammers to justice.
TIMESTAMPS
[1:00] Twitter scam story
[6:00] Viewing images with a screen reader
[8:45] Scam Busting
[12:30] Cautions to scam busting
[17:40] Unraveling the Twitter scam follow up
[20:20] Involvement of the police force & government
[26:35] Protection techniques for people with disabilities
[27:20] Key characteristics of fraud
Resources mentioned:
https://www.wired.com/story/twitter-laptop-scam-hunters/
For more information, check out our website.

DISCARDED: Live with John Hultquist! Sep 22, 2023

Live from New York City, it’s your Discarded podcast team at Protect 2023! Joining Selena Larson, is our special guest, John Hultquist, Chief Analyst at Mandiant, now part of Google Cloud.
They discuss various cybersecurity threats and activities of nation-states like Russia, China, and North Korea. China stands out as it hasn't executed significant destructive cyberattacks like its peers. Most of China's cyber activity involves intellectual property theft, targeting dissidents, and espionage. However, there's growing concern about their interest in critical infrastructure, particularly in times of geopolitical tension. Russia, on the other hand, has a history of destructive and disruptive attacks, such as those seen in the Middle East and South Korea.
They also discuss the role of threat intelligence and information sharing in combating cyber threats, emphasizing the importance of responsible government involvement in providing leads to the cybersecurity community.
Of course, the influence of AI in cyber threat creation is also covered, particularly in generating fake media and content.
[4:00] China sets themselves apart
[8:00] Concerns about cyber enabled kinetic impacts
[14:00] Thoughts about Russia and Ukraine
[20:00] Techniques that analysts would find helpful
[24:00] Target anticipations for 2024
Resources mentioned:
https://www.mandiant.com/resources/blog/threat-actors-generative-ai-limited
https://www.cyberwarcon.com/https://www.goodreads.com/en/book/show/41436213
https://www.reuters.com/article/us-france-election-macron-cyber-idUSKBN17Q200
https://www.helpnetsecurity.com/2015/07/08/sophisticated-successful-morpho-apt-group-is-after-corporate-data/
https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
https://www.mandiant.com/resources/blog/attackers-deploy-new-ics-attack-framework-triton
https://podcast.silverado.org/episodes/how-russian-intelligence-operatives-have-attacked-ukraine-in-cyberspace-interview-with-ukrainian-security-service
For more information, check out our website.

From Rio to Madrid: Unmasking the Brazilian Banking Malware Wave Sep 05, 2023

Regardless of location, it’s important to understand what is happening in the global threat landscape because we are a global economy. What affects one region may affect one closer to home.
Part of the reason Brazil has become a recent hotbed is the amount of online population is expanding rapidly. Today’s guest, Jared Peck (Senior Threat Researcher at Proofpoint), dives deeper into his knowledge of this region and breaks down the unusual characteristics.
[3:30] The threat landscape in Brazil
[5:20] Brazilian banking malware being financially motivated
[9:10] Credential theft in Brazil
[13:30] Identifying threat actor clusters
[17:00] Types of Brazilian campaigns
[21:00] Diversity of malware leaders
For more information, check out our website.

Everything Comes Back in Style: How Old TTPs are Remerging in China's E-Crime Ecosystem Aug 22, 2023

Just like a forensic scientist, the job of a threat analyst is to search for the digital fingerprints. The key is to have a starting reference point, and then being able to see what is off from there.
Our guest today is Bryan Campbell, a Staff Threat Analyst at Proofpoint. He breaks down what is happening on the China cybercrime threat landscape, as well as, the importance of staying aware of past trends.
Join us as we also discuss:
[7:09] The Renaissance of Chinese malware in email data
[12:05] Chinese themed malware and malware families
[13:55] The campaigns delivering this type of malware
[20:00] How the China cybercrime landscape has changed
[25:04] Expectations for the future
[28:32] LLMs being used for these circumstances
For more information, check out our website.

It Works on My Machine: Why and How Engineering Skills Matter in Threat Research Aug 08, 2023

Engineering skills can play a massively beneficial role in cyber security, as Pim Trouerbach, a Senior Reverse Engineer at Proofpoint and Jacob Latonis, Senior Threat Research Engineer at Proofpoint, are able to share.
They emphasize the importance of understanding the requirements and context of security researchers to build effective tools. The conversation touches on the potential impact of AI and LLMs (large language models) in threat research. While AI tools can be valuable for entry-level tasks, the context, experience, and expertise of human engineers are essential for handling complex code and understanding threat actors' behaviors.
Join us as we also discuss:
[02:59] The uniqueness of engineering skills in understanding researchers' requirements for data cleaning, tool development, and working in a security environment.
[11:06] How the versioning in malware samples can provide insights into the threat actors' behavior and trajectory.
[13:24] How malware is simply software with malicious intent, and how practices of developers and threat actors can overlap.
[17:10] The tools and techniques used by threat actors, including obfuscation and encryption methods.
[21:42] The importance of context and experience in writing tools and understanding researchers' workflows.
For more information, check out our website.

An Apple a Day Won't Keep Iranian APT Away: How TA453 Targets Macs Jul 25, 2023

What is new with Iranian actor TA453, and what is happening with their attack chains?
To answer these questions, today’s guest is Joshua Miller, a Senior Threat Researcher on the APT team at Proofpoint. Since his last visit, Joshua has published new research on TA453, highlighting new malware and social engineering techniques, which can be found here.
Join us as we discuss the following:
[1:25] What’s new with threat actor T453
[2:35] Multi Persona Impersonation
[6:25] Use case of LNKs in the attack chain
[8:10] Use of free cloud services
[11:15] Attacking different operating systems
[16:15] Convoluted attack chains
[27:40] Collaborating with researchers, like Dropbox
For more information, check out our website.

Threats and Risks in the Global South Jul 11, 2023

When researching cyber threats, there is a bias towards to the West and most of Europe. But what about the global majority?
Today’s guest is Martijn Grooten, a Digital Security Threat Analyst with Internews. With 16 years of experience in cybersecurity, he has recently focused on the impact of security for at risk groups and people.
Join us as we discuss the following:

Outdated ideas of security for the general public
Common trends geographically
The distinction of threats between devices

For more information, check out our website.
Resources:
Martijn’s BotConf talk: https://youtu.be/CcqOy6WdUjw
Martijn on social media: Twitter, Mastodon, LinkedIn

Weird & Wacky Researcher Summer: The Artifacts & Detections Edition Jun 27, 2023

It's shaping up to be a weird and wacky summer for threat researchers.
While it’s been quieter on the front end, there are still many stories to share with some weird and wacky incidents. This episode also includes a fun, dramatized read of an email tactic.
Join us as we discuss the following:

Where the team identifies on the Cyber Alignment Chart
Use of celebrity names within email lures
Recent PDF antics
Updates about activity from current threat actors

For more information, check out our website!

It's Summertime: What’s the E-crime Vibe? Jun 14, 2023

Who’s quiet and who’s making noise? What’s the backchannel chatter over at Proofpoint?
Proofpoint threat researchers Joe Wise and Pim Trouerbach join this week’s episode to discuss the e-crime vibe for the first half of 2023.
Join us as we discuss the following:

Emotet’s activity, or lack thereof
Chaotic vibes from IcedID
TA570 and TA577 setting trends

When the Threat Profile is High: Protecting At-Risk Individuals Online May 30, 2023

How does cybercrime threaten individual reporters? What about an entire newsroom?
What if you’re an average person who suddenly becomes the center of a dark conspiracy theory?
Welcome to the world of cybersecurity for at-risk individuals. In this episode, renowned cybersecurity expert, Runa Sandvik joins to talk about her work protecting journalists and newsrooms from powerful attackers.
Join us as we discuss the following:

Protecting personal and corporate devices and accounts for high risk individuals
Common security gaps found in highly targeted organizations
Effectively using cybersecurity tools
Communicating cybersecurity guidance in the workplace

Resources:

The Spies and Stalkers of Surveillance Capitalism May 16, 2023

A brief note on content for today's episode, we are going to be discussing or mentioning stalking, domestic abuse, and sex trafficking in today's show.
If you’re a threat actor with a million dollar budget targeting high ranked targets like dissidents, activists, journalists and politicians, how do you do it? What if you’d like to stalk your neighbor, or your ex?
In this episode, Proofpoint security research engineer, Chris Talib discusses high-ticket mobile spyware, the proliferation of low-cost stalkerware, surveillance capitalism and why he believes technology can’t solve social problems.
Join us as we discuss the following:

Mobile spyware tools
The impact of low cost stalkerware
Moral and ethical implications of developing spyware
The role of governments,organizations and activists in protecting citizen’s right to privacy

Resources:

Beyond Banking: IcedID Gets Forked May 02, 2023

At least three threat actors are ushering in a new era for IcedID, originally classified as banking malware in 2017. In this episode, Proofpoint researchers, Joe Wise and Pim Trouerbach, are here to share their research on the Lite and Forked IcedID variants
Join us as we discuss the following:

Lite IcedID Variant
Forked IcedID Variant
The key differences between the variants
Which operators the Proofpoint team hypothesizes are behind the attacks

Resources:
https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid

“Did I miss you in Orlando?”: The Rise of SMS Phishing Apr 18, 2023

In this podcast episode, Proofpoint senior threat researcher, Adam McNeil, joins us to talk about conversational SMS phishing. These campaigns target mobile devices and often start with a simple, innocuous question.
“Are you coming to dinner tomorrow?” can lead to anything from fraud to impersonation to financial schemes and is considered a $3 billion threat.
In this episode, we discuss the following:

Why a threat actor would choose a conversational SMS campaign
Different scams associated with conversational SMS phishing
Lack of awareness surrounding mobile threats

Staying Ahead of Cloud-Based Threats: Insights on today's threat landscape Apr 07, 2023

Cloud threats are a growing concern due to users' and organizations' increasing adoption of cloud computing. It's crucial to develop the skills needed to identify and analyze cloud-based threats and know the latest security tools and techniques to detect, prevent, and respond to cloud-based attacks.
Ultimately, security researchers and analysts play a critical role in helping organizations mitigate cloud-related risks and ensure the security of their cloud environments. In this episode, Eilon Bendet, from the Proofpoint cloud threat research team, joins us to discuss the cloud threats he is seeing.
In this episode, we discuss the following:

Cloud threat Detection and landscape
Main objectives for threat actors when they leverage the cloud
How users and organization can best protect themselves

Additional Resources:
Cloud Threats & Cloud Threat Landscape

https://www.proofpoint.com/us/threat-reference/casb

https://www.proofpoint.com/us/corporate-blog/post/dont-let-cloud-threats-rain-your-parade

https://www.proofpoint.com/us/corporate-blog/post/microsoft-office-365-attacks-circumvent-multi-factor-authentication-lead-account

https://www.proofpoint.com/us/blog/cloud-security/proofpoint-discovers-potentially-dangerous-microsoft-office-365-functionality

https://www.proofpoint.com/us/blog/cloud-security/proofpoint-analyzes-potentially-dangerous-functionality-microsoft-sway-enables

https://www.proofpoint.com/us/resources/webinars/deep-dive-latest-cloud-threats-microsoft-environments

Cat-phishing Dogfighters Mar 21, 2023

In the cyber threat intelligence and cybersecurity world, there is a growing recognition of the value of professionals with diverse backgrounds and skillsets. While many individuals in the field come from traditional computer science or engineering backgrounds, there is also a trend of people entering the field from unexpected paths. Sarah Sabotka, Senior Threat Researcher at Proofpoint, joins us on this episode to discuss her background in animal cruelty investigations.
In this episode, we discuss the following:

What a typical day in the life of an animal cruelty investigator looks like
How Sarah used social engineering and open-source intelligence (OSINT) to build cases
How non-traditional skills and experiences have translated to success in infosec

Resources:

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Prank or Propaganda? TA499 Pesters Politics Mar 07, 2023

In this episode, Zydeca Cass, Senior Threat Researcher at Proofpoint, joins the show to discuss Russia-aligned threat actor TA499. Zydeca dives into what makes tracking this threat actor so unique.
Join us as we discuss:

Who TA499 are and what they do
What makes their activity a cyber threat others should pay attention to
What their activity tells us about Russia-aligned groups
How to prevent being exploited

Check out these resources we mentioned:

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

A Venture Mindset: North Korean Actors Go Beyond Espionage Feb 21, 2023

We’ve discussed a handful of APT actors on the Discarded podcast, like Russia, Iran, China and Turkey. In this episode, we dive into the isolated world of North Korean aligned actors with Sr. Threat Researcher, Greg Lesnewich.
In this episode, we discuss the following:

The role DPRK’s culture of isolation has played in its approach to cyber espionage
Overview of TA444 and what makes them different in the landscape
TA444s relationship with cryptocurrency

Resources:

Why Do We Click? Understanding the Psychology of Social Engineering Feb 08, 2023

Social engineering is a technique used by attackers to manipulate individuals into performing actions that may put their personal or sensitive information at risk. Attackers know the biggest weakness in cybersecurity is humans—and with this, leverage socially engineered phishing emails to manipulate the human psychology. In this episode, we have Dr. Bob Hausmann, Learning and Assessment Architect, joining us to discuss the psychology behind user engagement with phishing.
In this episode, we discuss the following:

The Zone of Proximal Development
What the Adaptive Learning Framework is
Where ethical lines should be drawn with phishing simulations
Psychology of social engineering in threat actor approaches

Additional resources:

https://www.proofpoint.com/us/blog/security-awareness-training/adaptive-learning-framework-security-awareness-training
https://www.forrester.com/report/the-future-of-security-awareness-and-training/RES178339
https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working
https://twitter.com/threatinsight/status/1612888307645485086
Daniel Pink Autonomy, Mastery & Purpose: https://www.youtube.com/watch?v=rbR2V1UeB_A&feature=youtu.be
https://www.proofpoint.com/us/blog/threat-insight/exploiting-covid-19-how-threat-actors-hijacked-pandemic
Stay Puft Marshmallow Man: https://www.youtube.com/watch?v=2zhDfUAQSbs&ab_channel=Ghostbusters
2023 State of the Phish Report: Publishing on February 28, 2023 on proofpoint.com

New Year, New Threats: Prepping for the 2023 Threat Landscape Jan 24, 2023

A new year has arrived! The 2022 threat landscape had some extremely notable activity, from Russian APT actors to Microsoft's blocking of macros. We saw a lot and can guarantee threat actors won't be slowing down in 2023 and will continue to be a major threat to organizations. In this episode, Threat Research Managers, Alexis Dorais-Joncas, Rich Gonzalaz and Daniel Blackford, join us to share their perspectives on the 2023 threat landscape. Join us as we discuss the following:

What our experts are anticipating in 2023
How vulnerabilities help in detection creation
Emerging techniques that could be used by malicious actors

Additional resources:

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Confidence, confusion, cashout: How pig butchering is blindsiding victims Jan 10, 2023

Threat actors are disarming their victims with a new approach: The long game. Instead of asking for money or gift cards upfront, they build a connection and confidence until they cash in on the big payout. In this episode of Discarded, Selena Larson and Crista Giering are joined by Proofpoint team members: Tim Kromphardt, Email Fraud Researcher, and Genina Po, Threat Analyst, to discuss socially engineered attacks and how victims are tricked.
Join us as we discuss:

Understanding what pig butchering is
How the scam blindsides victims
The evolution of the fraud from China to other countries in Asia

Resources mentioned:

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Holiday Happy Hour: 12 Faves of Threat Research Dec 28, 2022

As the end of year is rapidly approaching, it’s important to reflect back on some of the top learnings for the year. In this special holiday edition of The Discarded podcast, Selena and Crista are joined by Mindy Semling, Podcast Producer at Proofpoint, to answer questions on their favorite things from threat research over the past year — from blogs to malware to holiday songs, we cover it all. Join us as we discuss:

Celebrating the year
The 12 favorites
A thank you to our guests

Resources mentioned:

https://www.proofpoint.com/us/blog/threat-insight/exploiting-covid-19-how-threat-actors-hijacked-pandemic
https://www.proofpoint.com/us/blog/threat-insight/broken-dreams-and-piggy-banks-pig-butchering-crypto-fraud-growing-online
https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming
https://medium.com/mitre-attack/intelligence-failures-of-lincolns-top-spies-what-cti-analysts-can-learn-from-the-civil-war-35be8d12884
For more research, check out the Proofpoint Threat Insight blog: https://www.proofpoint.com/us/blog/threat-insight

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

AMA Answers From the Threat Research Trenches Dec 13, 2022

In this highly entertaining episode of DISCARDED, Selena Larson and Crista Giering host a wild round of “Ask Me Anything,” with Sherrod DeGrippo, VP of Threat Research and Detection, and Daniel Blackford, Threat Researcher at Proofpoint.
Featuring insightful questions from listeners and former guests, these industry experts cover a wide range of topics, from silly to serious.
Join us as we discuss:
The most boring malware and common threat actor mistakes
New developments in Ukraine and the Global South
A proliferation of mobile malware and sports-related attacks
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

The Many-Faced Threat: Multi-Persona Impersonation (MPI) In Your Inbox Nov 29, 2022

Social proof is a potent tool, even in the absence of direct support. When someone is pressured to do something in the presence of trusted peers, they are more likely to follow through unless someone objects. Unfortunately, threat actors have taken notice and are investing significant time and resources into looking like a trusted party to gain access to your personal information.
Josh Miller and Sam Scholten join this episode to share their experiences with the evolving intellect of attackers and their multifaceted breach strategies. Using multi-persona impersonation (MPI), attackers establish multiple accounts and increase trust by manipulating social validation — a psychological tool.
Join us as we discuss:
The evolution of MPIs
Email fraud taxonomy
The role of MPI in business email compromise
Resources:
https://www.proofpoint.com/us/blog/threat-insight/ta453-uses-multi-persona-impersonation-capitalize-fomo
https://www.proofpoint.com/us/blog/threat-insight/bec-taxonomy-proofpoint-framework
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Machine Learning Is a Party With Camp Disco! Nov 08, 2022

In this episode, Dr. Zachary Abzug, Manager and Tech Lead of Data Science at Proofpoint joins the show to discuss a machine learning enabled tool called Camp Discovery, AKA Camp Disco and the importance of the human interaction required for making use of machine learning in malware detection.
Join us as we discuss:
What exactly Camp Disco is and the need/idea behind its creation
How Camp Disco played a role in the discovery of Chocolatey threat activity
Why Camp Disco uses its own neural network language model instead of an existing language model
Natural Language Processing and how to teach a computer to speak “malware”
Check out these resources we mentioned:
https://www.proofpoint.com/us/blog/engineering-insights/using-neural-network-language-model-instead-of-bert-gpt
https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques
https://www.proofpoint.com/us/company/careers
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Reservation Confirmed: Threat Actors Visiting the Hospitality World Oct 25, 2022

In this episode, Joe Wise, Threat Researcher at Proofpoint, joins the show to discuss his and Selena’s research into a small e-crime actor, TA558 and its targeting against the hospitality and travel e-crime sector since at least 2018.
Join us as we discuss:
Classifying threat actors and how it relates to s’mores
Understanding e-crime vs. APT actors
Why hospitality and travel e-crimes are still successful
TA558’s TTPs and how their consistencies have aided in Proofpoint’s attribution of their activity over the years
Joe shares his theories on why TA558 uses so many different malware types
Check out these resources we mentioned:
https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel
https://embed.sounder.fm/play/299042
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

The Hallow-queen of Cybersecurity: Spooky and Sweet Takes with Sherrod DeGrippo Oct 11, 2022

Cybersecurity doesn't have to be spooky this Halloween.
In this episode, Sherrod DeGrippo, VP of Threat Research and Detection at Proofpoint, joins the show to discuss all things cybersecurity awareness so you can be prepared, not scared, this October. So grab a sweet treat and pull up a seat, the Hallow-queen is about to give her hot takes!
Join us as we discuss:
The growing risk of TOADs (Telephone Oriented Attack Delivery)
Benign phishing reconnaissance emails by threat actors
What you need to know to adapt to this ever changing threat landscape
Bring awareness to cybersecurity this October, even on ghost tours
Check out these resources we mentioned:
https://www.proofpoint.com/us/cybersecurity-awareness-hub
https://www.proofpoint.com/us/products/advanced-threat-protection/et-intelligence
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Investigating Wine Fraud with the Ransomware Sommelier Sep 27, 2022

All for wine, and wine for all. But only if it isn’t fraudulent.
In July 2022, Allan Liska, an analyst at Recorded Future and wine expert, released some new research on counterfeit wine, spirits and cheese. Allan joins the show as our first ever external guest to give us an overview of what that research entailed and the different types of wine fraud he’s observed. By the end of this episode, we’ll all be partners in cybercrime and wine.
Join us as we discuss:
What is wine fraud and the different types of fraud that fall under the counterfeit umbrella
How the pandemic impacted wine fraud due to happy hours
Some of the techniques that wine fraudsters are using to try to legitimize the fake wines
Allan’s favorite fall wines and recommendations for food pairings
Check out these resources we mentioned:
https://www.recordedfuture.com/lockdown-rise-wine-domain-scammer
https://www.recordedfuture.com/counterfeit-wine-spirits-cheese
https://www.proofpoint.com/us/blog/threat-insight/bec-taxonomy-invoice-fraud
https://www.decanter.com/wine-news/worlds-most-expensive-bottle-claimed-fake-as-renowned-collector-sued-93457/#:~:text=A%20billionaire%20Florida%20wine%20collector,to%20Thomas%20Jefferson%20are%20fakes
https://www.cbsnews.com/news/billionaire-spends-35m-to-investigate-400k-wine-fraud/
https://kermitlynch.com/
https://twitter.com/uuallan/status/1561124207727153153
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Hot off the Press: APT Actors Posing as Journalists Sep 13, 2022

In this episode, Joshua Miller and Michael Raggi, Senior Threat Researchers at Proofpoint, join the show to discuss APT groups targeting and impersonating journalists. Joshua, Michael, and Crista discovered during their research how APT actors use journalist and their leads as a form of espionage to collect sensitive information.
Join us as we discuss:
Proofpoint’s unique report on APTs targeting journalists and insight into the motivations behind these attacks
Understanding the “why” behind threat actors targeting or posing as journalists and media organizations
The most common methods APT actors use in these campaigns to target or pose as journalists
Stories about threat actors from China, Iran, Turkey, and more
Check out these resources we mentioned:
https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists
Previous episode with Joshua: https://podcasts.apple.com/us/podcast/apt-attribution-trials-and-tribulations-from-the-field/id1612506550?i=1000571269986
Previous episode with Michael: https://podcasts.apple.com/us/podcast/web-bugs-the-tubthumping-tactics-of-chinese-threat/id1612506550?i=1000558705940
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Misfits Managed: Breaking Down Misfit Malware Aug 23, 2022

In this episode, Sara Sabotka Senior Threat Researcher on the field-facing team at Proofpoint, joins the show to chat about Misfit Malware. Although it is sometimes referred to as commodity malware, this kind of malicious software is anything but boring. You’ll want to stick around to find out who belongs on the Island of Misfit Malware and the importance of paying attention to the little gang of misfits.
Join us as we discuss:
How do foreign threat actors go about acquiring commodity malware and how much does it cost?
Why Misfit Malware is sometimes easily overlooked by security researchers and defenders
Key characteristics of lures that are commonly used by threat actors who use Misfit Malware
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

The Art of Threat Detection Engineering Aug 09, 2022

In this episode, Konstantin Klinger, Senior Security Research Engineer at Proofpoint, joins the show to chat about his role on the threat research team, focusing on DDX (Detonation, Detection, and Extraction). You won’t want to miss his breakdown of the Pyramid of Pain and how to utilize it for threat detection engineering.
Join us as we discuss:
Real-life examples of complex attack chain with multiple steps and how to they can be detected
Utilizing the Pyramid of Pain for threat detection engineering
How to write detections for geofencing
The perks of incorporating automated MITRE ATT&CK detections into your sandbox
Resources:
https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook
https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east
https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

APT Attribution: Trials and Tribulations From the Field Jul 26, 2022

In this episode, Joshua Miller and Zydeca Cass, Senior Threat Researchers at Proofpoint, join the show to discuss attribution, specifically APT actor attribution. Joshua and Zydeca dive into their experiences of attribution successes and failures, sharing tales of threat actors impersonating Russian opposition leaders and an Iranian kidnapping plot in New York. As Crista says, the good, the bad and the ugly.
Join us as we discuss:
Understanding the difference between the two types of attribution
How attribution can be used in e-crime versus state-aligned investigation
Stories from Josh and Zydeca of threat actors they are tracking based in Russia and Iran
Check out these resources we mentioned:
https://twitter.com/ChicagoCyber/status/1521492543707430912
https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html
https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-kidnapping-conspiracy-charges-against-iranian
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

The Dark-Side of Cryptocurrency Jul 12, 2022

In this episode, Jared Peck, Senior Threat Researcher at Proofpoint, explains cryptocurrency and how bad actors are causing trouble with these new decentralized, anonymous currencies.
Join us as we discuss:
Credential harvesting and phishing
Malicious campaigns and extortion
Digital money laundering
Resources:
https://www.proofpoint.com/us/blog/threat-insight/how-cyber-criminals-target-cryptocurrency
https://twitter.com/ChicagoCyber/status/1521492543707430912
https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html
https://www.proofpoint.com/us/podcasts/threat-digest#113131
https://www.proofpoint.com/us/blog/threat-insight/advance-fee-fraud-emergence-elaborate-crypto-schemes
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

A Day in the Life of a Threat Researcher: Emerging Threats Edition Jun 21, 2022

Tony Robinson, Threat Researcher, joins the podcast to share his expertise as a member of the Emerging Threats team at Proofpoint. Tony gives us an inside look into a day in his life as he and his teammates discover new strains of malware, respond to major vulnerabilities, and ensure that customers are protected. He also shares his advice for those interested in a career in Threat Research.
Join us as we discuss:
How the Emerging Threats team at Proofpoint impacts customers daily lives
Using cybersecurity rule-sets to find new strains of malware
Utilizing the open source security community to write new rules and stay up to date on the developing threat landscape
The difference between rules detecting threat behaviors vs. indicators of compromise
Check out these resources we mentioned:
https://www.proofpoint.com/us/products/advanced-threat-protection/et-intelligence
https://twitter.com/da_667/status/1512255056573255693
https://twitter.com/da_667/status/1503876806478385168
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

The Buzz on Bumblebee Malware Jun 07, 2022

Float like a butterfly. Sting like Bumblebee malware.
In this episode, Kelsey Merriman, Threat Research Analyst, and Pim Trouerbach, Senior Reverse Engineer, both with Proofpoint, share their insights from their research of the new malware downloader called Bumblebee. You won’t want to miss their breakdown of Bumblebee’s unique characteristics and their predictions of how its features will develop over time.
Join us as we discuss:
The difference in tracking Crimeware versus AAPT
How threat actors are using Bumblebee
The exit of BazaLoader malware and its connection to Bumblebee
Check out these resources we mentioned:
https://www.proofpoint.com/us/blog/threat-insight/isnt-optimus-primes-bumblebee-its-still-transforming
https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Social Engineering: How Threat Actors Manipulate Their Targets May 24, 2022

Threat actors always take the path of least resistance to their payday. But it's a mistake to think they aren't willing to put in the work to get a human to hand feed them.
Their attempts to manipulate their targets into taking action are called social engineering. What role do people play in cybersecurity?
In this episode, Daniel Blackford, Threat Researcher at Proofpoint, explains how bad actors capitalize on our humanity to attack us.
Join us as we discuss:
What lies beneath 95% of cyber attacks
The two factors that reduce people's sensitivity to threats
When social engineering content might be waiting for you
Check out these resources we mentioned:
https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453
https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media
https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steal
https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453
https://www.bankinfosecurity.com/kansas-man-faces-federal-charges-over-water-treatment-hack-a-16328
https://twitter.com/selenalarson/status/1224674562882834432
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Paying Attention to BEC: The Most Costly Threat by Individual Losses May 10, 2022

When you think about the most costly threat by personal losses, most people will assume ransomware.
The real threat, however, is business email compromise (BEC). But why aren’t more companies talking about it, then?
In this episode, Tim Kromphardt and Jake G. explain BEC and why organizations need to start paying more attention.
Join us as we discuss:
The definition of BEC & why companies are paying so little attention
Using Supernova to defend against email attacks
Reporting on employment fraud
Check out these resources we mentioned:
BEC Taxonomy: https://www.proofpoint.com/us/blog/threat-insight/bec-taxonomy-proofpoint-framework
Supernova: https://www.proofpoint.com/us/newsroom/press-releases/proofpoint-launches-industrys-first-cloud-native-information-protection-and
IC3 Report: https://www.ic3.gov/
TOAD blog post: https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery
Railroad theft: https://www.cnn.com/2022/01/14/economy/la-freight-railroad-theft/index.html
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Web Bugs & the Tubthumping Tactics of Chinese Threat Actor TA416 Apr 26, 2022

Chinese Threat Actor TA416, otherwise known as Mustang Panda, has been active for a long time, and every time they get knocked down, they get up again.
In this episode, Michael Raggi, Senior Threat Researcher, and Pim Trouerbach, Senior Reverse Engineer, both with Proofpoint, give us an overview of TA416 — the “Tubthumping” villains of the threat landscape.
Join us as we discuss:
The evolving tactics of TA416
PlugX malware and control flow flattening
Tips for dealing with emerging threats
Check out these resources we mentioned:
Michael’s Twitter: https://twitter.com/aRtAGGI/status/1501030779480125441
https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european
https://www.theregister.com/2022/03/09/china_apt41_mandiant_usaherds/
Tubthumping by Chumbawamba
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Defending Against Cyber Criminals: Emotet’s Resurrection & Conti’s Implosion Apr 12, 2022

Cybercriminals. They’re just like us.
With the Russia Ukraine conflict, Conti found itself at odds with internal team members over the issue — Eventually leading to self destruction.
Which begs the question: Are these organizations as impenetrable as we thought?
In this episode, we hear from Andrew Northern, Senior Threat Researcher at Proofpoint, about the resurrection of the Emotet malware, the Conti implosion, and advice to cyber defenders.
Join us as we discuss:
The journey leading to Emotet’s return
The importance of the Conti group leaks
What defenders should be thinking about against cyber threats
Check out this resource we mentioned:
Andrew's Twitter: https://mobile.twitter.com/ex_raritas
https://acn-marketing-blog.accenture.com/wp-content/uploads/2022/03/UPDATED-ACTI-Global-Incident-Report-Ideological-Divide-Blog-14MARCH22.pdf
https://www.wired.com/story/conti-ransomware-russia/
https://www.cnn.com/2022/03/30/politics/ukraine-hack-russian-ransomware-gang/index.html
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Threat Actor 2541: The Latest Tricks & Patterns Mar 29, 2022

How are threat actors like Olympic snowboard halfpipe athletes?
When their good tricks get stolen by competitors, they add new ones to their repertoire.
In this episode, we hear from Joe Wise, Threat Researcher at Proofpoint, about the latest tricks from TA2541 (and why it’s so fun to research that group).
Join us as we discuss:
Changes that TA2541 has made over time
Their current strategies and patterns
Snowboarding, Home Alone, and what makes TA2541 unique
Check out this resource we mentioned:
Charting TA2541's Flight | Proofpoint US
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

The Troubling Rise of MFA Kits Mar 15, 2022

Until recently, threat actors haven’t really invested much time in MFA phish kits because not a lot of people used MFA. (Everyone needs MFA, full stop.)
Consequently, threat actors are using more advanced multi-factor authentication-enabled phish kits.
Find out why in our first episode of DISCARDED, where we hear from Tim Kromphardt, Email Threat Researcher at Proofpoint, about why MFA kits are sort of like Justin Bieber ticket thieves.
Join us as we discuss:
How MFA kits differ from ordinary phish kits
What threat actors and researchers have in common
A technical dive into transparent reverse proxies
Why you need multifactor authentication despite the rise of MFA kits
Check out these resources we mentioned during the podcast:
MFA PSA, Oh My!
Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Discussing RTF Template Injection: A Malicious Phishing Attempt Mar 02, 2022

If you asked for M&M’s and received Skittles, you might pop a few in your mouth, but it won’t take long to realize something’s off.
This is exactly what’s happening with RTF files: Instead of the intended attachment, unaware companies are delivering these files and realizing later that they were actually malicious.
On this episode of Protecting People, hosts Selena Larson and Crista Giering chat with Michael Raggi, Senior Threat Research Engineer at Proofpoint, about RTF files, template injection, and campaigns using the technique in an effort to make sure customers aren’t being surprised with “Skittles.”
Join us as we discuss:
The importance of template injection
Campaigns using the technique
Widespread adoption of the RTF injection
Mitigating and monitoring the technique
Resource mentioned:
https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread
For more episodes like this one, subscribe to us on Apple Podcasts, Spotify, and the Proofpoint website, or just search for Protecting People in your favorite podcast player.

Our TOPPODCAST Picks

Follow Us

Stay Connected

DISCARDED: Tales From the Threat Research Trenches

Related Podcasts

Links

Stay Connected