
Latest news with #SlashNext

Delete Any Emails On Your Phone Or PC That Include These Images

Forbes, 16-07-2025


These images are dangerous. Here we go again. There's a fast-growing threat in your inbox that's hard to detect — even for security software on your PC. This has 'seemingly come out of nowhere,' but you need to be aware. And it means deleting a raft of incoming emails.

The new warning comes courtesy of Ontinue, which says 'threat actors are increasingly leveraging Scalable Vector Graphics (SVG) files as a delivery vector for JavaScript-based redirect attacks.' Plenty of these images, 'commonly treated as harmless,' contain 'embedded script elements' that lead to browser redirects. And that's a huge risk.

While these images might be .SVG attachments, as we have seen before, they could also be links to external images pulled into the email. And the campaign also relies on spoofed domains and email lures to trick users into opening and engaging. VIPRE warns that 'up until this point, SVGs have been recognized by email security tools as generally benign image files, which is why attackers are now having so much success hiding their nefarious exploits in them.'

Looking at this latest warning, SlashNext's J Stephen Kowski told me 'when you open or preview these 'images,' they can secretly redirect your browser to dangerous websites without you knowing.' That means you need to be 'extra careful' with images.

Because the latest attacks leverage spoofed domains and senders to trick you, it isn't as easy as just avoiding emails from unknown senders. Instead, you should delete any email with an .SVG attachment unless you're expecting it. And you should allow your browser to block external images until you're certain of their origin.

Kowski says these emails will also likely be 'pushy about viewing the image right away,' and while 'your email provider's built-in security features, such as spam filtering and safe attachments, can help, they're not perfect against these newer tricks.'

Jason Soroko from Sectigo goes even further, warning security teams to 'treat every inbound SVG as a potential executable,' as the surge in such attacks continues.

The real threat, though, lies in user complacency. SVG attacks, VIPRE says, are now tussling with PDFs to become 'attackers' favorite attachments of choice.' These are only images, most users assume, and so no click-throughs, no harm.

Ontinue says 'the observed targets of this campaign fall into B2B Service Providers, including the ones handling valuable Corporate Data regularly, including Financial and Employee data, Utilities, Software-as-a-Service providers that are great social engineering targets as they expect to receive a high volume of emails.'

And the team warns 'this technique demonstrates how adversaries are shifting away from executable payloads and towards smuggling (HTML and now SVG) techniques. By embedding script logic into image formats and using trusted browser functions, the attack chain avoids triggering traditional behavioral or signature-based alerts.'

The emails containing the attachments or links will be simple, 'using a minimal format to avoid detection and provoke curiosity or interaction.' Hijacking poorly protected domains or spoofing others with special characters enhances the lure.

The advice is just as simple. If you're not expecting an email which includes image links or .SVG attachments, delete it from your inbox.

'This campaign highlights a creative pivot in attacker methodology,' the team says, 'using benign file formats to hide malicious logic and evade established detection controls.' Which is another way of saying that you're your own best defense.
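For mail administrators, the advice above to 'treat every inbound SVG as a potential executable' can be turned into a triage check on attachments. The sketch below is an added example, not code from Forbes or from any vendor quoted; the rule set, the function names and the sample message are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed rule set: elements that can run or host script inside an SVG.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}

def local(name: str) -> str:
    """Strip the XML namespace from a tag or attribute name and lowercase it."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(data: bytes) -> list[str]:
    """Return the reasons an SVG should be handled as active content."""
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        return ["doctype-or-entity"]  # do not expand entities from untrusted input
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable"]  # fail closed: quarantine what cannot be inspected
    findings = set()
    for el in root.iter():
        if local(el.tag) in ACTIVE_TAGS:
            findings.add("element:" + local(el.tag))
        for attr, value in el.attrib.items():
            if local(attr).startswith("on"):  # onload, onclick, ...
                findings.add("handler:" + local(attr))
            if local(attr) == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.add("scripted-href")
    return sorted(findings)

def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Scan every SVG part of a raw RFC 5322 message, keyed by filename."""
    results = {}
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = part.get_filename() or "(unnamed)"
        if part.get_content_type() == "image/svg+xml" or name.lower().endswith(".svg"):
            results[name] = scan_svg(part.get_payload(decode=True) or b"")
    return results

def build_sample() -> bytes:
    """Constructed message: one SVG with active content, one plain SVG."""
    ns = b'xmlns="http://www.w3.org/2000/svg"'
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b'<svg %s onload="f()"><script>/* placeholder */</script></svg>' % ns,
                       maintype="image", subtype="svg+xml", filename="invoice.svg")
    msg.add_attachment(b'<svg %s><circle r="4"/></svg>' % ns,
                       maintype="image", subtype="svg+xml", filename="logo.svg")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(name, "->", reasons or "no active content found")
```

Any non-empty result is a reason to quarantine or strip the attachment rather than render it; SVGs exported by design tools often carry a DOCTYPE, so that finding needs review rather than automatic blocking.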

Do Not Use This Login On Your PC—You Lose Everything

Forbes, 26-04-2025


Do not make this mistake on your PC. Your password is dangerous. It's easy to steal, and if it unlocks your account on its own then you're in serious trouble. That's why two-factor authentication (2FA) is critical and it's why Microsoft now says it wants to delete passwords for a billion users.

But if your account is unlocked with a password and a simple 2FA SMS code, you're also in serious trouble. Those texted codes are easy to bypass, intercept or steal, either technically or by tricking users into sharing them. That's why Microsoft, Google and others are pushing passkeys, linking your account access to your physical hardware.

Now you have something new to worry about: a new type of attack that's spreading rapidly and could see you losing everything on your PC through one simple mistake.

I warned last week about ClickFix, fraudulent popups that trick users into copying, pasting and running scripts on Windows PCs to fix non-existent technical problems or allow access to a restricted document or website. Proofpoint warns ClickFix attacks have become increasingly popular 'in cybercrime over the last year as well as in espionage campaigns in recent months.'

ClickFix attacks usually load malware onto your PC, to either hunt down and steal credentials or data, or in more extreme cases, they can remotely hijack your PC.

We have now seen a variation of that theme, with new attacks tricking users into sharing the URL strings on their PCs that include multi-factor authentication tokens. 'If the victim shares the OAuth code,' Volexity says, 'the attacker is then able to generate an access token that ultimately allows access the victim's M365 account.'

Now the email security team at SlashNext warns that a new attack dubbed 'SessionShark O365 2FA/MFA' has been designed 'to bypass Microsoft Office 365 multi-factor authentication (MFA) protections' in a different way. This is 'an adversary-in-the-middle (AiTM) phishing kit that can steal valid user session tokens to defeat two-factor authentication on Office 365 accounts.'

The kit is being sold under the ridiculous guise of an educational tool. It will quickly get into attackers' hands and be used to power phishing campaigns targeting Microsoft account holders.

As such, it's now critical that you set up passkeys for your Microsoft, Google and other key accounts. And you must not sign into your accounts through login windows that are accessed via links in emails, messages, forum posts or attachments. If you need to sign into your account, only ever do so through usual methods.

AI now makes it easy for attackers to exactly replicate brands, logos, sign-in windows and even CAPTCHAs. They deploy techniques to hide from the automatic tools used to hunt down and stop such phishing websites. And the attacks are working.

'A successful credential theft still depends on tricking the victim,' SlashNext says. 'SessionShark claims to 'mimic the Office 365 login interface with high fidelity' and even 'dynamically adapts to various conditions for increased believability.' In other words, the phishing pages look just like real Microsoft login screens, and may even handle different login workflows or error messages seamlessly. By making the user experience convincing and contextually appropriate, the kit helps attackers harvest credentials even from wary users.'

You have been warned.
