Proofpoint Threat Research has additional observations to share related to Kaspersky’s CloudSorcerer research (https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/). ⤵️
In late May 2024, we observed a campaign against a US-based organization in which a freemail account spoofing a well-known US think tank sent a fake event invitation as a lure.
The activity observed overlaps with the details in the Kaspersky report. We attribute this activity to a cluster currently tracked as UNK_ArbitraryAcrobat.
The malicious emails included a link to a ZIP file hosted on acrobat-inst[.]com.
If the ZIP file is downloaded and opened, the user is presented with a folder and three LNK files; any one of them starts the malicious chain.
Each LNK opens the PDF or Word document contained in the folder, renames several components in the folder, and then launches the embedded executable, cache.tmp.
Once running, the loaded process reaches out to a GitHub or TechNet profile and fetches a hex-style blob from the profile text, delimited by the same CDOY markers referenced in Kaspersky’s research.
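For analysts who want to check a suspect profile page for this pattern, the following is an added triage helper, not code from Proofpoint or Kaspersky. It assumes only what the thread states: the blob sits between two CDOY markers and is hex-style text. The profile text below is constructed for the example (the decoded host:port is illustrative; what the real decoded bytes contain is not described here), and the whitespace tolerance and the skipping of non-hex segments are assumptions about how a wrapped or noisy profile might look.

```python
import re

MARKER = "CDOY"
# Non-greedy match between a pair of markers; DOTALL so a blob may span lines.
_BLOB_RE = re.compile(re.escape(MARKER) + r"(.*?)" + re.escape(MARKER), re.DOTALL)

# Constructed sample profile text (not a real profile). The first blob is the
# hex of "127.0.0.1:4443"; the second is noise to show the skip path.
SAMPLE_PROFILE_TEXT = (
    "Full-stack dev, dotnet & python. Views are my own.\n"
    "CDOY 3132372e302e302e31 3a34343433 CDOY\n"
    "CDOYnot-hex-at-allCDOY\n"
    "Thanks for visiting!"
)


def extract_cdoy_blobs(text):
    """Return the raw segments enclosed between pairs of CDOY markers.

    Matches are non-overlapping, left to right; each blob needs its own
    opening and closing marker, and a trailing unpaired marker is ignored.
    """
    return [m.group(1) for m in _BLOB_RE.finditer(text)]


def decode_hex_blob(segment):
    """Decode one marker-delimited segment as hex.

    Whitespace is stripped first (assumption: profile text may be wrapped).
    Returns None for empty, odd-length or non-hex input so that noise between
    markers is skipped rather than aborting the triage of the whole page.
    """
    cleaned = "".join(segment.split())
    if not cleaned or len(cleaned) % 2:
        return None
    try:
        return bytes.fromhex(cleaned)
    except ValueError:
        return None


def triage_profile(text):
    """Return (hex_text, decoded_bytes) for every decodable CDOY blob in text."""
    results = []
    for segment in extract_cdoy_blobs(text):
        data = decode_hex_blob(segment)
        if data is not None:
            results.append(("".join(segment.split()), data))
    return results


if __name__ == "__main__":
    for hex_text, data in triage_profile(SAMPLE_PROFILE_TEXT):
        print(f"{hex_text} -> {data!r}")
```

Run it against the saved HTML or plain text of a profile; any marker pair that decodes cleanly is worth pulling into the investigation, and a profile with markers but no decodable blob still merits a look since the encoding may differ from this assumption.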
The ZIP file contained duplicate components and references to macOS, but no logic to execute on such devices. We have not yet found other LNK files with similar metadata or logic.