Hornetsecurity Blog

Get regular updates from the world of cloud security

In our blog, the Hornetsecurity team – especially the experts from the Security Lab – regularly report on IT security topics as well as on current innovations and events at Hornetsecurity.

Phishing Technique Trends

The basic idea behind phishing has not changed since the 1990s, but the delivery tactics and techniques are constantly evolving. In this article we outline current trends in phishing techniques: abuse of legitimate file hosting services, geo-fencing, automatically loading the logo of the victim's company and/or email provider on the phishing website, and asking the victim for the password multiple times.

Emotet Inviting Friends to your Halloween Extravaganza

Threat actors often try to bandwagon on current events to trick their victims into falling for their lures. To this end, Emotet is again sending fake Halloween party invitations to potential victims this year. While the basic concept behind the fake invitations is the same as last year, the variety of email texts has increased.

Hornetsecurity included in Gartner’s 2020 Market Guide for Email Security

The new Market Guide for Email Security from the leading research and advisory company Gartner lists Hornetsecurity as a Representative Vendor. With the Gartner Market Guide for Email Security, analysts Mark Harris, Peter Firstbrook and Ravisha Chugh provide comprehensive guidance on how to set up email security to meet changing circumstances. Especially because of the dramatic increase in phishing attacks, the rise of business email compromise (BEC) and the ongoing migration to cloud security, security managers need to ensure that the solutions they choose are appropriate…

Leakware-Ransomware-Hybrid Attacks

Since December 2019, ransomware operators have increasingly been using leakware/ransomware hybrid attacks. These combine the classic ransomware attack with a leakware attack. In a classic ransomware attack, the victim's data is encrypted and only decrypted after the victim pays a ransom to the ransomware operators. In a leakware attack, the data is stolen and the victim is blackmailed with the threat of publishing it unless a fee is paid. In a leakware/ransomware hybrid attack, the data is first stolen, then encrypted. The victim is first asked to pay the ransom for decryption; if they decline, the attackers threaten to publish the stolen data. In some cases, business partners and/or customers of the victim are also contacted and informed of the impending data release to put even more pressure on the victim.

VBA Purging Malspam Campaigns

VBA purging is a recent Office macro detection evasion technique. It removes the `PerformanceCache` from the VBA module streams of malicious documents. The VBA macro source code is only stored in compressed form in Office documents, but the `PerformanceCache` in front of it holds the compiled p-code of the macro, in which the identifiers and string literals of the source (function names, URLs, command lines) appear in uncompressed plain text. Because many security scanning solutions rely on that plain text being present in order to detect malicious VBA macro code, their detection can be evaded by VBA purging; a scanner that decompresses the source code itself is not affected.

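The following Python is an added example for this post, not code from Hornetsecurity. It implements the MS-OVBA container decompression, reads the MODULEOFFSET records from the project's `dir` stream, and treats a project whose modules all have a TextOffset of 0 (no PerformanceCache in front of the compressed source) as purged; it then recovers the macro source from the module stream regardless of whether the cache is present. The purging heuristic, the subset of `dir` records parsed, the `compress_literal_only` and `build_dir` helpers, and every sample stream are assumptions and constructions made for this example. Getting the raw `dir` and module streams out of a document is assumed to be done beforehand (for example with olefile).

```python
"""VBA purging check (added example, not Hornetsecurity code): decompress the
dir stream, read each module's TextOffset and recover the macro source.
Streams are assumed already extracted (e.g. olefile); samples are constructed."""
import struct

# dir-stream record ids (MS-OVBA 2.3.4.2), only the ones this check needs
PROJECTVERSION, PROJECTEND = 0x0009, 0x0010
MODULENAME, MODULEOFFSET, MODULETERMINATOR = 0x0019, 0x0031, 0x002B


def decompress(data: bytes) -> bytes:
    """MS-OVBA 2.4.1 decompression of a compressed container."""
    if not data or data[0] != 0x01:
        raise ValueError("missing compressed container signature 0x01")
    out, pos = bytearray(), 1
    while pos < len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        if (header & 0x7000) != 0x3000:
            raise ValueError("bad chunk signature")
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(data))  # size incl. header
        pos += 2
        chunk_start = len(out)                  # decompressed start of this chunk
        if not (header & 0x8000):               # uncompressed chunk: raw copy
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags, pos = data[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:      # literal token: one byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                # copy token: offset/length bit split depends on how much of the
                # chunk is already decoded, bit_count = max(ceil(log2(diff)), 4)
                diff = len(out) - chunk_start
                bit_count = max((diff - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):         # byte-wise: copies may overlap
                    out.append(out[src + i])
    return bytes(out)


def parse_dir(dir_stream: bytes) -> list:
    """Return [(module_name, text_offset)] from the compressed dir stream."""
    data, pos, name, modules = decompress(dir_stream), 0, None, []
    while pos + 6 <= len(data):
        rec_id, size = struct.unpack_from("<HI", data, pos)
        pos += 6
        if rec_id == PROJECTVERSION:            # fixed layout: Reserved(4) read as
            pos += 6                            # 'size', then Major(4) + Minor(2)
            continue
        body, pos = data[pos:pos + size], pos + size
        if rec_id == MODULENAME:
            name = body.decode("latin-1")       # MBCS in practice; ASCII here
        elif rec_id == MODULEOFFSET:
            modules.append((name, struct.unpack("<I", body)[0]))
        elif rec_id == PROJECTEND:
            break
    return modules


def is_purged(modules: list) -> bool:
    """Heuristic (assumption): purging strips the PerformanceCache and zeroes
    every TextOffset, so the compressed source starts at offset 0."""
    return bool(modules) and all(off == 0 for _, off in modules)


def module_source(module_stream: bytes, text_offset: int) -> str:
    """Bytes before TextOffset are the PerformanceCache; the source follows."""
    return decompress(module_stream[text_offset:]).decode("latin-1")


def compress_literal_only(src: bytes) -> bytes:
    """Valid container using only literal tokens; builds test input, no real LZ."""
    assert len(src) <= 3500, "single chunk only"
    body = bytearray()
    for i in range(0, len(src), 8):
        body += b"\x00" + src[i:i + 8]          # flag byte 0: eight literals follow
    return b"\x01" + struct.pack("<H", 0xB000 | (len(body) - 1)) + bytes(body)


def build_dir(modules: list) -> bytes:
    """Constructed dir stream holding just the records parse_dir reads."""
    recs = struct.pack("<HIIH", PROJECTVERSION, 4, 1, 0)
    for name, off in modules:
        recs += struct.pack("<HI", MODULENAME, len(name)) + name.encode("latin-1")
        recs += struct.pack("<HII", MODULEOFFSET, 4, off)
        recs += struct.pack("<HI", MODULETERMINATOR, 0)
    return compress_literal_only(recs + struct.pack("<HI", PROJECTEND, 0))


# Constructed samples: one module, before and after purging
SOURCE = b'Sub AutoOpen()\r\n    Shell "cmd /c whoami"\r\nEnd Sub\r\n'
FAKE_CACHE = b"\x00" * 32 + b"AutoOpen\x00Shell\x00cmd /c whoami\x00"  # stand-in p-code
NORMAL_MODULE = FAKE_CACHE + compress_literal_only(SOURCE)
NORMAL_DIR = build_dir([("Module1", len(FAKE_CACHE))])
PURGED_MODULE = compress_literal_only(SOURCE)   # cache gone, source at offset 0
PURGED_DIR = build_dir([("Module1", 0)])
# Hand-built chunk exercising a copy token: "ABCD" literals, then copy 4 @ offset 4
COPY_TOKEN_SAMPLE = b"\x01\x06\xB0\x10ABCD\x01\x30"
```

On a real document, open the file or its vbaProject.bin with `olefile.OleFileIO` and feed `openstream()` results for the `dir` stream and each module stream into `parse_dir()` and `module_source()`; the storage path of the VBA project differs between document types, so list the streams first. `is_purged()` is a triage signal only: the source is still recoverable at TextOffset 0, which is exactly why a scanner should match on the decompressed source rather than on the cache.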
QakBot distributed by XLSB files

The Hornetsecurity Security Lab has detected the use of XLM macros within XLSB documents to distribute the QakBot malware. Because both XLM macros and the XLSB document format are uncommon, these new malicious documents have a very low static detection rate with current anti-virus solutions.

BazarLoader Campaign with Fake Termination Emails

BazarLoader is a new malware loader attributed to a threat actor closely related to the TrickBot malware. The loader is also aptly named KEGTAP, after the device used to open a beer keg, because it is used to "open" the victim's network for follow-up malware that moves laterally and eventually deploys ransomware.
