Olivia
Online
Tobias Knecht
@knutix
Founder & CEO @abusix, Co-Chair RIPE Anti-Abuse Working Group
Karlsruhe, Germany
Joined July 2010
210 Following
424 Followers
2K Posts
QR phishing up 146%. Content scanners can't read images. But the sending IPs and landing page domains still leave tracks. Network-layer reputation catches what content filters miss. #Quishing #ThreatIntel #Abusix
Median patch time: 43 days (up from 32). Vuln exploitation: now the #1 breach vector.
For ISPs: every slow-patching customer is a future abuse origin. You need to see it before the complaints arrive. #DBIR2026 #CyberSecurity #Abusix
5,500+ GitHub repos poisoned in one automated wave via hijacked Actions tokens.
Scale attacks leave infrastructure tracks. Real-time abuse data sees the wave before the reports land.
#SupplyChain #ThreatIntel
The FBI warned about Kali365 PhaaS: bypasses MFA via OAuth token theft. Content filters didn't catch it.
The sending infrastructure still left tracks. It always does.
#PhishingAsAService #ThreatIntel
Who to follow
CAUCE
@cauce
Coalition Against Unsolicited Commercial Email - the Internet’s oldest end-user advocacy group.
Kate Nowrouzi
@KateNowrouzi
VP, Deliverability & Product Strategy @mail_gun (YC W11), @wearesinch. spiritual gangster, triathlete, loyal friend, consistently honest, wrong at times.
Nicholas Schafer
@nickdschafer
Ex college baseball player turned #emailgeek. I tweet about random things including baseball cards, email, and birds.
cPanel CVSS 9.8 — 70M+ domains, actively exploited, CISA KEV listed.
Under NIS2, hosting providers are essential entities. "We were patching" doesn't stop compromised servers from becoming spam infrastructure.
Abuse intelligence closes that window. #NIS2 #CyberSecurity
232% more malicious domains in 6 months. AI spins up phishing infra faster than any team can track it. Your blocklist is either alive — or it's already obsolete. #ThreatIntelligence #EmailSecurity #Abusix
Glassworm botnet: infected devs via VSCode extensions, npm packages, GitHub repos. C2 infrastructure ran for months.
Attack chains change. The IPs and domains running them don't.
Real-time reputation data is still the fastest signal. #CyberSecurity #ThreatIntel
Amazon SES abused for phishing. SPF pass. DKIM pass. DMARC pass.
When attackers build their infrastructure to pass your filters by design, authentication is no longer the defense.
Behavioral signals are the layer that still works.
#EmailSecurity #Phishing #Infosec
Google. Yahoo. Microsoft. All mandated DMARC.
Result: 9% of domains at p=reject. 91% still spoofable.
Authentication without enforcement doesn't protect anything. It just creates an audit trail.
#DMARC #EmailSecurity #Infosec
Multiple critical CVEs in dnsmasq — cache poisoning, RCE, privilege escalation. Fixed in 2.92rel2.
The catch: dnsmasq is in millions of ISP-provisioned routers and embedded devices. You can't patch what you don't know you're running.
Know your stack.
#DNS #Infosec #NetworkSecu
46% of global spam now comes from compromised accounts on Gmail, Outlook, and SaaS platforms.
SPF/DKIM/DMARC all pass. IP reputation: clean. Standard defenses: blind.
What catches it: real-time abuse signals from actual receiving infrastructure.
#EmailSecurity #ThreatIntel #IS
369K devices. 163 countries. Years of operation as anonymous attack proxies. SocksEscort ran on ISP and hosting networks without detection. Real-time IP reputation finds infected devices before law enforcement does. #ISP #BotnetTakedown #Cybersecurity
Microsoft: 35K phishing victims, 13K orgs, 26 countries — in 3 days.
Sent through legitimate services. SPF/DKIM/DMARC passed clean.
QR code phishing is the fastest-growing 2026 attack vector. Static reputation can't scan behind a QR image.
#Phishing #ThreatIntel #Infosec
NIS2 is fully in force across the EU. Luxembourg was the last major holdout — enacted May 10.
For ISPs: the documentation phase is over. Regulators now want proof of operational abuse detection, not policies.
#NIS2 #ISP #Compliance
ICANN just opened a new gTLD round — first since 2012. Historical data: 77% of new TLD domains are intentionally registered for abuse. New TLDs = new blocklist work. Real-time data covers them. Static feeds don't. #DNS #ThreatIntel #ISP
67% of credential-stuffing attacks hide behind residential proxies. The IP looks clean. The behavior isn't. IP reputation is the starting point — behavioral signals are what actually catches it. #ISP #ThreatIntel #NetworkSecurity
86% of phishing attacks are AI-generated now (KnowBe4 Q1 2026).
What AI changes: velocity. Infrastructure that didn't exist Monday is abusing your network by Wednesday.
The abuse complaint arrives after the damage. Real-time telemetry doesn't.
#CyberSecurity #ThreatIntel #ISP
8.3 billion phishing threats in Q1 2026 alone. QR code attacks up 146%. CAPTCHA-gated up 125%.
At this automation scale, blocklists need to move faster than attackers pivot infrastructure — not faster than the next report.
#CyberSecurity #ThreatIntel #EmailSecurity
Trends for you
Most Popular Users
Elon Musk 
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.8M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.2M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.5M followers
KATY PERRY
@katyperry
86.7M followers
Taylor Swift
@taylorswift13
80.5M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.3M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.4M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61M followers
X
@x
60.9M followers
CNN Breaking News
@cnnbrk
59.9M followers