Post by VMRay


A #phishkit rarely looks malicious if you take its behaviors one by one. https://lnkd.in/ejv26m2G

A connection to #Microsoft's real authentication infrastructure: legitimate. A reference to the genuine Microsoft password-reset page: legitimate. A block of login-related text: legitimate. Each behavior, on its own, appears in countless trustworthy applications. It's when they appear together, in the same sample, that the pattern emerges.

That's the logic behind one of this month's additions from VMRay Labs: a new meta-VTI that correlates several individually benign behaviors into a single classification, improving detection of #EvilProxy-style phishkit activity, the kind built around adversary-in-the-middle credential and token theft.

May's Detection Highlights, written by Izabela Komorowska, also includes new VTIs for:
🔹 Microsoft #Defender emulator evasion via NtIsProcessInJob, observed in SquidLoader activity
🔹 #PowerShell executed from environment variables, a staging technique that hides code from the command line
🔹 #Phishing pages that download legitimate RMM tools, delivered through fake brand pages
🔹 Suspicious Office controls, surfacing vulnerable ActiveX and OLE objects embedded deep in document structures

Plus new config extractors for ArechClient2/SectopRAT and Gh0stRAT, and 30+ new YARA rules. The full breakdown is in the link.

🔗 https://lnkd.in/ejv26m2G

#ThreatDetection #Phishing #ThreatIntelligence #MalwareAnalysis
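As an added illustration of the correlation logic the post describes (example code written here, not VMRay's meta-VTI or any VMRay schema), the toy rule below scores nothing for any single behavior and only returns the phishkit verdict when all three co-occur in one sample; the Microsoft hostnames, the record fields and the sample data are assumptions constructed for the demo.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed observation records; the field names are hypothetical, not VMRay's schema.
@dataclass
class Behavior:
    kind: str   # "network" (outbound host), "url_ref" (link in page), "text" (rendered text)
    value: str

@dataclass
class Sample:
    name: str
    behaviors: list[Behavior] = field(default_factory=list)

# Assumed hostnames for Microsoft's sign-in and password-reset endpoints.
MS_AUTH_HOSTS = {"login.microsoftonline.com", "login.live.com"}
MS_RESET_HOSTS = {"passwordreset.microsoftonline.com"}
LOGIN_PHRASES = ("sign in", "enter password", "stay signed in")

def _has(sample: Sample, kind: str, pred) -> bool:
    return any(b.kind == kind and pred(b.value) for b in sample.behaviors)

def evaluate_meta_vti(sample: Sample) -> tuple[str, list[str]]:
    """Correlate three individually benign behaviors into one verdict.
    No sub-check alone raises the verdict; only their co-occurrence does."""
    hits = {
        "ms_auth_connection": _has(sample, "network", lambda v: v in MS_AUTH_HOSTS),
        "ms_reset_reference": _has(sample, "url_ref", lambda v: v in MS_RESET_HOSTS),
        "login_text_block": _has(sample, "text",
                                 lambda v: sum(p in v.lower() for p in LOGIN_PHRASES) >= 2),
    }
    matched = sorted(k for k, v in hits.items() if v)
    verdict = "phishkit_aitm" if all(hits.values()) else "benign"
    return verdict, matched

# Constructed samples: a legitimate client that only authenticates against Microsoft,
# and a page that shows all three behaviors together.
LEGIT_APP = Sample("legit-sync-client", [
    Behavior("network", "login.microsoftonline.com"),
])
PHISH_PAGE = Sample("suspicious-page", [
    Behavior("network", "login.microsoftonline.com"),
    Behavior("url_ref", "passwordreset.microsoftonline.com"),
    Behavior("text", "Sign in to your account. Enter password. Stay signed in?"),
])

if __name__ == "__main__":
    for s in (LEGIT_APP, PHISH_PAGE):
        print(s.name, evaluate_meta_vti(s))
```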
