Researchers at @Proofpoint have observed attackers targeting physics and engineering departments at U.S. and Canadian universities, and warn that the campaign is likely ongoing.
🗞️ Read about the espionage-motivated attacks in @CyberScoop. https://t.co/eCW7IvkaAr
Proofpoint recommends defenders monitor for successful Outlook Mobile logins followed by a pivot to the M365 Admin portal within <4 seconds using the same VPN node. That speed suggests automated post-compromise tooling, warranting immediate investigation if detected.
The @Proofpoint threat research team is tracking a password-spraying campaign against the U.S. #education sector, using a spoofed user agent so outdated it may predate some of the accounts it targeted.
Read more below. 👇🏼🧵
A subset of compromised accounts pivoted to the Microsoft 365 Admin portal (app id: 618dd325-23f6-4b6f-8380-4df78026e39b) within 2 to 4 seconds after compromise.
The result: 100% success rate on admin access—the tooling knew which accounts had admin privileges.
See our blog for a full overview of the exploitation chain, targeting, post-exploitation activity, and IOCs.
Treat internet-facing mail servers with the same priority as VPNs and other edge infra by rapidly patching vulnerabilities and monitoring for post-exploitation activity.
🚨 New research: @Proofpoint has identified a suspected China-aligned espionage cluster, UNK_MassTraction, exploiting multiple Roundcube n-day vulnerabilities to compromise mail servers at U.S. and Canadian universities.
Analysis, infection chain & IOCs: https://t.co/KI2CEiZAXO.
Once compromised, the mail servers can serve as a pivot point into broader enterprise networks, as well as allow the threat actor access to the organization’s sensitive email traffic.
Proofpoint recommends deploying an #ATO solution to protect your organization against AiTM originated account takeovers.
Our Cloud Threat Research team will continue monitoring any activity related to the Sneaky2FA and NovaCookies phishing kits and will share any notable trends.
Researchers from @Proofpoint have reported an increase in AitM activity originating from #NovaCookies, a suspected variant of the #Sneaky2FA phishing kit.
Researchers observed cloud account takeovers targeting specifically the #healthcare sector. Notably, @Proofpoint detected more than 100 ATOs on the same day in a single tenant in this vertical.
FIFA FANS ‼️ Cybercriminals are using #FIFAWorldCup excitement to steal your personal info and credit card details.
One recent #emailscam we observed used the subject line:
“Congratulations! You're Eligible for the FIFA World Cup 2026 Giveaway”
🧵1/5
🚩 Red cards to watch for:
* Unexpected giveaways or prizes
* Urgent language like “Offer expires today”
* Suspicious sender or reply-to addresses
* Requests for payment to claim a “free” reward