Mass email attacks on user platforms


Summary

Mass email attacks on user platforms involve sending huge volumes of malicious or deceptive emails to overwhelm inboxes, disrupt normal operations, and often trick users into downloading malware or sharing sensitive information. These attacks can target individuals or entire organizations, using tactics like fake signups, phishing links, and social engineering to bypass security and gain unauthorized access.

  • Update filters regularly: Make sure your email and platform filters include keywords and domains commonly used in mass email attacks to keep your inbox clear of suspicious messages.
  • Strengthen user authentication: Add extra verification steps such as CAPTCHA or multi-factor authentication to your sign-up and communication routes to block bots and reduce fake accounts.
  • Educate your team: Teach employees how to spot unusual emails or messages, and encourage prompt reporting of anything suspicious to help prevent attackers from gaining access.
Summarized by AI based on LinkedIn member posts
  • Serhii Demediuk

    Chairman of the Board at Institute of Cyber Warfare Research. National Security and Defence of Ukraine. Cyber Technologies and AI.

    3,326 followers

    Since the beginning of 2026, CERT-UA has recorded the mass distribution of phishing emails impersonating central executive authorities and regional administrations, allegedly regarding updates to applications used in civilian and military systems. These emails contain either an executable (EXE) file or a link to a website vulnerable to XSS (Cross-Site Scripting). Visiting such a website results in the execution of malicious JavaScript code and the subsequent download of an executable file onto the victim’s computer. The referenced EXE files and scripts are hosted on repositories within the legitimate GitHub service. The following malware tools have already been confirmed in these campaigns:
    • SHADOWSNIFF (GitHub-hosted stealer)
    • SALATSTEALER (MaaS stealer)
    • DEAFTICK (primitive backdoor written in Go)
    Additionally, during the analysis of GitHub repositories, researchers identified software exhibiting characteristics of ransomware (internally labeled “AVANGARD ULTIMATE v6.0”), as well as an archive containing an exploit for the WinRAR vulnerability (CVE-2025-8088). This activity has been associated with the Telegram channel “PalachPro.” The campaign is currently tracked under the identifier UAC-0252. Indicators of Compromise (IoCs) are available at: https://lnkd.in/dHZUf_wd

  • Tom Foale

    CTO at Klaatu IT Security Ltd

    2,568 followers

    There is a current mail-bomb cyberattack underway on multiple businesses, large and small. Users are being targeted with large numbers of emails from legitimate sites they may never have visited, asking them to confirm subscriptions to sites and services, reset their passwords or download files. The intent is to install malware on user devices via a zip file downloaded from a script. These emails may be followed by a Teams message or phone call from 'support'. They get the user to install AnyDesk and use this to install malware. This attack has been confirmed by Mimecast and CrowdStrike. It can be blocked by blocking installations of AnyDesk, tightening email rules on Defender or your email gateway, or creating filter rules that detect words such as "welcome", "subscribe", "subscription" or "password". Alongside these measures and alerting your users, we would recommend using Deep Instinct, which detects and stops any attempt to install malware, including from scripts and zip files, in less than 20ms.

  • Vlad Kampov

    Engineering Manager at Netflix | Co-founder mentor.sh | Driving scalable products, tech leadership & mentorship for global engineering community

    9,993 followers

    🚨 We got hit with over 25,000 fake user signups. In just over an hour. Last week, mentor.sh experienced a massive wave of bot-driven fake registrations. Turkish-language spam, phishing URLs in usernames, disposable emails - the works. It wasn’t fun. But it was a wake-up call.
    What happened:
    - 25k+ fake accounts created in a short burst
    - Most used throwaway emails like "mail7 . io"
    - Many had phishing links in names, likely for SEO or abuse
    - Our signup route was public, and bots found it
    What saved us (surprisingly): We had just hit our Mailtrap email quota — so no spam emails were actually delivered. A surprising fail-safe.
    What we did:
    - Purged 24k+ accounts
    - Added Cloudflare Turnstile CAPTCHA
    - Blocked disposable domains
    - Rate-limited suspicious traffic
    - Upgraded email infra & alerting
    What we’re doing now:
    - Hardening all auth routes
    - Monitoring spikes in real time
    - Adding anomaly detection
    - Introducing friction for suspicious signups
    Lesson: bots don’t care how big your platform is — just that you have a form exposed. If you’re building something — protect it from day one. Read the full postmortem here → https://lnkd.in/dTS78ZSE
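The three signup-side controls named in the post above (blocking disposable domains, rejecting URLs in usernames, rate-limiting bursts from one source) as a small, stand-alone guard. This is an added example, not mentor.sh's code; the denylist, thresholds and sample inputs are constructed.

```python
import re
import time
from collections import defaultdict, deque

# Constructed denylist of disposable-mail domains (hypothetical; real lists are far larger).
DISPOSABLE_DOMAINS = {"mail7.io", "tempmail.example", "throwaway.example"}
# Crude detector for links smuggled into display names / usernames.
URL_RE = re.compile(r"https?://|www\.|\.[a-z]{2,}/", re.IGNORECASE)


class SignupGuard:
    """Rejects registrations matching the bot wave described above: disposable
    sender domains, phishing URLs in usernames, and bursts from one source IP."""

    def __init__(self, max_per_window=5, window_seconds=60):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self._seen = defaultdict(deque)  # ip -> timestamps of recent attempts

    def _over_rate(self, ip, now):
        # Every attempt counts, so a bot hammering with bad emails still gets throttled.
        q = self._seen[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        return len(q) > self.max_per_window

    def check(self, email, username, ip, now=None):
        """Return None if the signup may proceed, else a short rejection reason."""
        now = time.time() if now is None else now
        if self._over_rate(ip, now):
            return "rate-limited"
        domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
        if not domain or domain in DISPOSABLE_DOMAINS:
            return "disposable-or-invalid-domain"
        if URL_RE.search(username):
            return "url-in-username"
        return None
```

In production the rate limiter state would live in a shared store (e.g. Redis) rather than in-process memory, and the CAPTCHA check would run before any of this.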

  • Matthew Chambers

    Recovering Hacker | Actual Intelligence

    4,457 followers

    Attackers used inbox noise and Teams calls to create the perfect distraction in an incident yesterday. Here's how it played out: The attackers targeted a few users by signing them up for hundreds of random websites, flooding their inboxes with confirmation emails. It was intentional noise, meant to overwhelm and distract. Several users flagged the emails to support, recognizing something was wrong; one of them called 4 times in a matter of minutes. That was the goal. While the helpdesk was dealing with the flood, the attackers started calling and messaging through Microsoft Teams, trying to social engineer their way in. The chats originated from onmicrosoft.com domains, so disabling 'unmanaged external access' had no effect. The Teams external messaging settings were set to allow external access for convenience, and the calls were coming from VoIP to Teams Chat, not received on a Teams phone number, so we couldn’t use the usual features to block them. O365’s phishing submission portal was frustrating. No option to bulk delete or move the reported messages, only 'Taking Action' one-by-one. Avanan, The Cloud Security Platform, wasn’t much better in terms of speed because I couldn't import a blocklist. I ended up increasing graymail filtering in Mimecast to hold most of the noise in quarantine. I funneled nearly 1,000 domains into the global blocklist, flushing out the registration notifications regularly before users could release them. With Teams, it got more complicated. Once a user clicked “accept chat,” the full sender address was no longer visible. One user was sharp enough to capture the full details and send them over. From there, I used the Teams Admin Center to block those specific emails, which cut off chats and Teams calls tied to that identity. The attackers were attempting to persuade users via phone calls and voicemails to install a “New Shield,” which was actually remote access tools such as AnyDesk and Quick Assist. That didn’t work either.
    We’re using ThreatLocker so nothing unapproved gets through, even if it’s legitimate software. No one was compromised. One user briefly spoke with the attacker on the phone, but no information was shared, and no software was installed. What worked here wasn’t just awareness, but users knowing how to respond when a threat was spotted. Users reported what they saw, including screenshots and listed phone numbers, which gave us something to act on. This wasn’t a spray-and-pray phishing attempt. It was layered and targeted, combining urgency, noise, and distraction to create an opening. It didn’t get through, but it was well orchestrated. Makes you think about how response plans and platform settings need to evolve, not just awareness. Is anyone else seeing this at their companies or clients? #phishing #socialengineering #emailflood #itsupport #managedservices #fakesupport
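Detection logic for the email-bombing pattern described in the two posts above (a burst of subscription/confirmation mail to one recipient from many unrelated domains), producing the sender domains a responder would feed into a gateway blocklist. This is an added example, not from any of the posters; the log format and sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Keywords the posts above single out as the noise signature.
NOISE_RE = re.compile(r"\b(welcome|subscri\w*|confirm\w*|verify|password)\b", re.I)

# Constructed inbound-mail log: "ISO-time<TAB>recipient<TAB>sender<TAB>subject".
SAMPLE_LOG = """\
2025-06-03T09:00:01\tbob@corp.example\tnoreply@shop-a.example\tWelcome! Confirm your subscription
2025-06-03T09:00:09\tbob@corp.example\thello@news-b.example\tPlease confirm your email
2025-06-03T09:00:15\tbob@corp.example\tjane@corp.example\tLunch today?
2025-06-03T09:00:40\tbob@corp.example\tadmin@forum-c.example\tVerify your account
2025-06-03T09:01:02\tbob@corp.example\tnoreply@store-d.example\tYour password reset link
2025-06-03T09:01:30\tbob@corp.example\tteam@app-e.example\tWelcome to app-e
2025-06-03T09:02:10\tbob@corp.example\tnoreply@shop-a.example\tSubscription confirmed
2025-06-03T09:05:00\talice@corp.example\thello@news-b.example\tConfirm your subscription
2025-06-03T09:06:00\talice@corp.example\tcfo@corp.example\tQ3 budget
"""


def parse(log):
    for line in log.splitlines():
        ts, rcpt, sender, subject = line.split("\t", 3)
        yield datetime.fromisoformat(ts), rcpt.lower(), sender.split("@")[-1].lower(), subject


def find_mail_bombs(log, window=timedelta(minutes=10), min_msgs=5, min_domains=4):
    """Return {recipient: sorted sender domains} for recipients that got at least
    min_msgs noise-pattern mails from min_domains distinct domains within one window."""
    by_rcpt = defaultdict(list)
    for ts, rcpt, domain, subject in parse(log):
        if NOISE_RE.search(subject):
            by_rcpt[rcpt].append((ts, domain))
    hits = {}
    for rcpt, events in by_rcpt.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over this recipient's noise mail
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            domains = {d for _, d in span}
            if len(span) >= min_msgs and len(domains) >= min_domains:
                hits.setdefault(rcpt, set()).update(domains)
    return {r: sorted(d) for r, d in hits.items()}
```

The distinct-domain threshold is what separates a bombing run from a single chatty newsletter, and the returned domains are candidates for quarantine rules rather than automatic hard blocks, since the senders themselves are legitimate sites.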

  • Michel Coene

    Partner, DFIR, Threat Hunting & Threat Intelligence at NVISO

    3,417 followers

    In recent weeks, the cyber threat group Black Basta/Storm-1811 has been making headlines. They first initiate their attacks with an email bombing campaign (sending a large volume of emails to their target’s email address) and then reach out to them via Microsoft Teams, posing as IT staff or help desk personnel. Their goal is to gain trust and convince users to install Remote Monitoring and Management (RMM) tools like AnyDesk or AnyConnect. With this post we wanted to share some key actions you can implement to prevent and/or detect these types of threats:
    ➡️ Ensure strong visibility across endpoints, email, and cloud services.
    ➡️ Keep a list of approved applications and block (using WDAC/AppLocker) the RMM tools you do not support within your environment (can for example be based on the certificate).
    ➡️ Block outbound connections on the proxy to known RMM domains (for example, for AnyDesk see: https://lnkd.in/eawPsgja).
    ➡️ Limit external access on Microsoft Teams.
    ➡️ Educate employees about email bombing, social engineering and impersonation tactics.
    💡 For more details on restricting external Teams contact, visit: https://lnkd.in/eMtSDT46
    💡 Looking for ways to find out if any RMMs have been installed in your environment? Check out our blog on detecting RMMs: https://lnkd.in/e8J9QNNA
