• ‘HoldingHands’ Acts Like a Pickpocket With Taiwan Orgs darkreadingJai Vijayan, Contributing Writer
    • Google Chrome Zero-Day CVE-2025-2783 Exploited by TaxOff to Deploy Trinper Backdoor The Hacker [email protected] (The Hacker News)
    • LangSmith Bug Could Expose OpenAI Keys and User Data via Malicious Agents The Hacker [email protected] (The Hacker News)
    • Private 5G: New Possibilities — and Potential Pitfalls darkreadingRichard Thurston
    • Operation Endgame: Do Takedowns and Arrests Matter? darkreadingJames Shank
    • The Beginner’s Guide to Using AI: 5 Easy Ways to Get Started (Without Accidentally Summoning Skynet)
      by Tech Jacks
      March 29, 2025
    • Tips and Tricks to Enhance Your Incident Response Procedures
      by Tech Jacks
      March 17, 2025
    • Building a Security Roadmap for Your Company: Strategic Precision for Modern Enterprises 
      by Tech Jacks
      March 10, 2025
    • The Power of Policy: How Creating Strong Standard Operating Procedures Expedites Security Initiatives
      by Tech Jacks
      March 6, 2025
    • Building a Future-Proof SOC: Strategies for CISOs and Infosec Leaders 
      by Tech Jacks
      March 3, 2025
    • Security Gate Keeping – Annoying – Unhelpful
      by Tech Jacks
      November 13, 2024

  • Home
  • Blog & Observations
  • Articles
    • Guest Author
      • Peter Ramadan
        • SOC IT to ME
        • The Power of Policy
        • CISO Elite
  • In The News
  • Podcast & Vlogs
    • Podcast Videos
    • Security Unfiltered Podcast Information
  • Training & Videos
    • AI
      • AI Governance
    • Cloud
      • AWS
      • Azure
      • Google Cloud
    • Networking
    • Scripting
    • Security
      • Application Security
      • Cloud Security
      • Incident Response
      • Pentesting Information
      • Risk Management
      • Security Policy
    • Servers
    • Microsoft SCCM
    • ISC2
  • Services

How Long Until the Phishing Starts? About Two Weeks, (Tue, Jun 17th) SANS Internet Storm Center, InfoCON: green

June 17, 2025

[This is a guest diary by Christopher Crowley, https://montance.com] 

[This is a guest diary by Christopher Crowley, https://montance.com]

Here’s a good reason to include security awareness training for new hires!

I recently added an account to my Google Workspace domain (montance[dot]com). Friday, May 16th, 10:10 am, to be exact. Something interesting to note about the domain configuration is there’s a catchall account in place, so all email addresses are valid.

Starting May 28th the new account started receiving targeted phishing email messages. The subject was either blank or a variation of my name (Chris or Christopher), and the sender’s “From” address had a call to action and urgency:

From: "EMERGENCY: PROVIDE YOUR CELL NUMBER IMMEDIATELY"
From: "EMERGENCY:PROVIDE YOUR CELL PHONE NUMBER IMMEDIATELY ASAP"
From: "EMERGENCY; PROVIDE YOUR CELL PHONE NUMBER IMMEDIATELY"
From: GET BACK TO ME IMMEDIATELY
From: JUNE THURSDAY 5TH
From: Quick Response
From: RESPONSE REQUIRED
From: Timely Reminder

The messages all indicated that there were some urgent tasks to perform and that I supposedly needed the person’s phone number. There were 8 unique email addresses used, all of which invoke the concept of urgency:

hoursworking605--at--gmail_com
immediatelyofficemail79--at--gmail_com
officeoperatedeskboxx360--at--gmail_com
promotionaltask747--at--gmail_com
promotiontask910--at--gmail_com
quickreply946--at--gmail_com
quicktask5511--at--gmail_com
urgentmails696--at--gmail_com

All of these went into the Spam folder until June 10th, when a couple got through.  Noteworthy, almost all of the email salutations used the recipient’s LinkedIn name. This is obvious because his name on LI includes certifications. Then on June 10th, they sent him a text message:

This is likely reasonably automated phishing with low targeting specificity, but the identification of the new account and fast phishing was interesting. In my case, it was easy to observe since there are so few accounts in the domain and he’s a vigilant and cyber-aware person. MFA is enabled.

One question I have for readers: does anyone have a script or know of a project that’s an equivalent of Invoke-MSOLSpray targeting Google Workspace domains? Someone must be using something like that to discover new accounts. The email address wasn’t posted online anywhere. His LinkedIn profile has a different email address. So, there was some amount of correlation the sender of the spam did.

Nothing especially surprising, but a reminder that they’re watching for opportunities. Someone new at the company and eager to appear responsive seems like a good phishing target!

—
Christopher Crowley
Author, Consultant, Instructor
https://montance.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. 

​Read More

Share this:

  • Click to share on X (Opens in new window) X
  • Click to share on Reddit (Opens in new window) Reddit
  • Click to share on LinkedIn (Opens in new window) LinkedIn
  • Click to share on Facebook (Opens in new window) Facebook
  • Click to email a link to a friend (Opens in new window) Email

Like this:

Like Loading...
Share

In The News

Tech Jacks
Derrick Jackson is a IT Security Professional with over 10 years of experience in Cybersecurity, Risk, & Compliance and over 15 Years of Experience in Enterprise Information Technology

Leave A Reply


Leave a Reply Cancel reply

You must be logged in to post a comment.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • Blog

    • Security Gate Keeping - Annoying - Unhelpful
      November 13, 2024
    • 15 Years on LinkedIn: An Authentic Reflection(or a Beauty...
      October 24, 2024
    • Podcast & Cloud Security Governance
      February 24, 2021
    • The Journey Continues - Moving through 2021
      January 5, 2021
    • CISSP Journey
      February 22, 2019




  • About TechJacks
  • Privacy Policy
  • Gaming Kaiju
© Copyright Tech Jacks Solutions 2025

%d