Mailboxes in German-speaking countries are being targeted by an ongoing phishing spam campaign that began July 13, around midnight UTC. 🎣 🇩🇪 🇦🇹 🇨🇭
Approx 3,500 botnet IPs have been linked to this campaign, which uses malicious, invoice-themed Scalable Vector Graphics (.svg) attachments - currently a favorite among threat actors for disseminating malware and phishing content. As expected from a relatively mature spam campaign, the SVGs are "hashbusted" to evade hash-based detection, raise operational sandboxing costs, and hamper investigations. 🧐
An earlier iteration of this spam campaign delivered malware, by luring prospective victims to a URL that ultimately infected their Windows systems with Strela Stealer. 💥 A traffic distribution system (TDS) was used to filter out security researchers and other visitors not targeted by the miscreants.
Since the start of the current campaign, spamming IPs have been added to our CSS and XBL blocklists, ensuring robust coverage by Spamhaus ZEN, which is available for free to help protect your mailboxes:
👉
ZEN Blocklist | Combined IP DNSBLs for effective email filtering
SVG-based abuse is likely to remain relevant for the foreseeable future. Where possible, configure your mail infrastructure to reject emails with SVG attachments, allowing them only on a strict need-to-work basis (e.g., for graphics or design teams).
Besides using ZEN and DBL at your e-mail perimeter, ensure any outgoing network traffic is checked against DBL and DROP to protect your users from accessing phishing sites and similar threats.
👉
Feeds for network protection - via firewalls & BGP routers
