Decoding the Spear-Phishing Tactics of SEABORGIUM and TA453 in the UK

Tags: SEABORGIUM, TA453, Russia, Iran, APT 42, Calisto

SEABORGIUM (Russia-based) and TA453 (Iran-based) are two distinct state-aligned threat actors that run spear-phishing campaigns against organizations and individuals in the U.K. and other areas of interest to their governments. Their targets span academia, defence, government bodies and NGOs. Both actors send personalized phishing emails that lead to lookalike login pages (the domains below imitate document-sharing, mail and cloud services) in order to harvest the victims' credentials, which they then use to reach mailbox contents and other sensitive information.

Indicators of Compromise

nco2.live
gettogether.quest
continuetogo.me
css-ethz.ch
tinyurl.ink
mailer-daemon-message.co
check.id
mailer-daemon.me
bnt2.live
mailer-daemon.live
profilepic.site
local0.info
mailer-daemon.online
mailer-daemon.org
litby.us
mailer-daemon.net
mailerdaemon.me
de-ma.online
office-updates.info
cija-drive.com
docs-shared.online
protection-office.live
hypertextttech.com
cache-dns-forwarding.com
document-forwarding.com
drive-control.com
nonviolent-conflict-service.com
onlinecloud365.live
y-ml.co
drive-globalordnance.com
lk-nalog-gov.ru
pdf-docs.online
hd-docs-share.com
attach-update.com
guard-checker.com
protection-web-app.com
documents-cloud.com
live-identifier.com
yandx-online.cloud
botguard-web.com
cache-pdf.online
response-filter.com
word-yand.live
dns-cache.online
threatcenterofreaserch.com
drive-information.com
redir-document.com
cache-dns-preview.com
pdf-cache.com
selector-drafts.online
as-mvd.ru
goo-link.online
checker-bot.com
document-preview.com
online-document.live
proton-view.online
apicomcloud.com
hd-centre-drive.com
botguard-checker.com
response-redir.com
docs-collector.com
documents-preview.com
proton-viewer.com
docs-cache.online
proxycrioisolation.com
drive-previewer.com
umo-drive.com
blueskynetwork-shared.com
cache-docs.com
relogin-dashboard.online
office365-online.live
doc-viewer.com
protectionmail.online
webresources.live
goo-ink.online
antibots-service.com
goweb-protect.com
drive-defender.com
dns-challenge.com
protectedshields-storage.com
umopl-drive.com
drive-us.online
office-protection.online
docs-info.com
documents-online.live
dns-cookie.com
cija-docs.com
mvd-redir.ru
proton-reader.com
encompass-shared.com
share-drive-ua.com
pdf-shared.online
cloud-mail.online
preview-docs.online
challenge-identifier.com
docs-viewer.online
safe-connection.online
docs-cache.com
mail-docs.online
document-sender.com
docs-drive.online
soaringeagle-drive.com
accounts.hypertexttech.com
documents-forwarding.com
dtgruelle-drive.com
docs-storage-ltd.com
land-of-service.com
hypertexttech.com
nonviolent-conflict-storage.com
documents-cloud.online
transfer-record.com
secureoffice.live
disk-previewer.com
dtgruelle-us.com
protection-checklinks.xyz
drive-global-ordnance.com
blueskynetwork-drive.com
cache-dns.com
proton-pdf.online
threatcenterofresearch.com
document-view.live
cloud-drive.live
docs-shared.com
webview-service.com
pdf-cloud.online
mvd-cloud.ru
safelinks-protect.live
docs-view.online
cache-services.live
sangrail-share.com
attach-docs.com
response-mvd.ru
docs-info.online
protection-link.online
goweb-service.com
documents-view.live
sangrail-ltd.com
online365-office.com
network-storage-ltd.com
cloud-storage.live
docs-web.online
documents-pdf.online
encompass-drive.com
online-storage.live
umopl.com
proton-docs.com
cloud-safety.online
cloud-us.online
filter-bot.com
storage-service.online
file-milgov.systems
online-word.com
officeonline365.live
default-dns.online
protect-link.online
cache-pdf.com
hypertextteches.com
dns-mvd.ru
pdf-cache.online
preview-docs.com
pdf-forwarding.online
global-ordnance-drive.com
cloud-docs.com
document-guard.com
document-online.live
docs-forwarding.online
allow-access.com
drive-share.live
access-confirmation.com
drive-docs.com
document-share.live
safe-proof.com
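
The indicator list above is only useful once it is matched against telemetry. The script below is an added example, not part of the original advisory: it normalises the listed domains and checks DNS and proxy log lines against them, treating any subdomain of an indicator as a hit (accounts.hypertexttech.com is listed separately, but a name such as mail.docs-shared.online would otherwise be missed) while refusing to fire on unrelated hostnames or URL paths that merely contain an indicator string. Only a subset of the published domains is embedded; the log lines are constructed, and their query=/host=/url= field layout is an assumption about the log format, not something the advisory specifies.

```python
"""Match the indicator domains listed above against DNS and proxy logs.

Added example, not part of the original advisory. A subset of the domains
from the list above is embedded; the log lines are constructed, and their
key=value field names (query=, host=, url=) are an assumption about the
log format, not something the advisory specifies.
"""
import re
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Subset of the published indicators; paste the full list here, one per line.
IOC_DOMAINS = """
hypertexttech.com
accounts.hypertexttech.com
docs-shared.online
proton-viewer.com
mailer-daemon.live
lk-nalog-gov.ru
"""

# Assumed log layout: space-separated key=value fields.
FIELD_RE = re.compile(r"\b(query|host|url)=(\S+)")


def load_iocs(text: str) -> Set[str]:
    """Normalise indicators: lowercase, trim whitespace and a trailing dot."""
    iocs = set()
    for line in text.splitlines():
        domain = line.strip().lower().rstrip(".")
        if domain and not domain.startswith("#"):
            iocs.add(domain)
    return iocs


def matching_ioc(hostname: str, iocs: Set[str]) -> Optional[str]:
    """Return the indicator that covers hostname, or None.

    A hostname matches if it equals an indicator or sits beneath one
    (mail.docs-shared.online is covered by docs-shared.online). Walking
    label by label instead of substring matching means an unrelated name
    that merely contains 'proton-viewer.com' does not fire.
    """
    labels = hostname.strip().lower().rstrip(".").split(".")
    for i in range(len(labels)):          # a.b.c -> a.b.c, b.c, c
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def hostnames_in(line: str) -> List[str]:
    """Pull normalised hostnames out of the query=, host= and url= fields."""
    hosts = []
    for key, value in FIELD_RE.findall(line):
        if key == "url":
            parsed = urlparse(value).hostname   # drops scheme, path and port
            if parsed:
                hosts.append(parsed)
        else:
            hosts.append(value.lower().rstrip("."))
    return hosts


def scan_logs(lines: Iterable[str], iocs: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (log line, hostname, indicator) for every line touching an IOC."""
    hits = []
    for line in lines:
        for host in hostnames_in(line):
            ioc = matching_ioc(host, iocs)
            if ioc:
                hits.append((line, host, ioc))
    return hits


# Constructed sample: three DNS resolver lines and two web proxy lines.
SAMPLE_LOGS = [
    "2023-01-26T09:14:02Z client=10.20.4.17 query=accounts.hypertexttech.com type=A",
    "2023-01-26T09:14:05Z client=10.20.4.17 query=login.microsoftonline.com type=A",
    "2023-01-26T09:15:31Z client=10.20.7.3 query=MAIL.docs-shared.online. type=A",
    "2023-01-26T09:16:10Z src=10.20.7.3 url=https://mail.docs-shared.online/share/doc.pdf status=200",
    "2023-01-26T09:17:44Z src=10.20.9.8 url=https://www.example.com/proton-viewer.com status=200",
]

if __name__ == "__main__":
    for line, host, ioc in scan_logs(SAMPLE_LOGS, load_iocs(IOC_DOMAINS)):
        print(f"{host} -> {ioc} :: {line}")
```

Run as a script it prints one line per hit. The uppercase and trailing-dot handling is deliberate: resolver logs usually record the fully-qualified name exactly as the client queried it, and a naive exact-string comparison against the list above would miss those entries.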

APT Groups (2)

Callisto (Russian Federation)
Aliases: SEABORGIUM, TA446, Star Blizzard, GOSSAMER BEAR, COLDRIVER, BlueCharlie

APT42 (Iran, Islamic Republic of)

APT42, also known as Crooked Charms and TA453, is a cyber espionage group linked to Iran. The group is assessed to be affiliated with the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO) and to operate on its behalf. It focuses mainly on spear phishing, a form of phishing aimed at specific high-profile individuals, organizations or roles. What separates it from other Iranian APT groups is its use of impersonation: it poses as a trusted contact and builds rapport with the target before delivering a credential-harvesting link.

Aliases: CALANQUE, UNC788, APT 42

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Recommended customer actions

The techniques used by these actors can be mitigated by adopting the security considerations provided below:

  • Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware.
  • Configure Office 365 to disable email auto-forwarding.
  • Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
  • Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.
  • Require multifactor authentication (MFA) for all users from all locations, including perceived trusted environments, and for all internet-facing infrastructure, including access that originates from on-premises systems.
  • Prefer phishing-resistant implementations such as FIDO security keys, or Microsoft Authenticator with number matching. Avoid telephony-based MFA methods (SMS and voice calls) because of the risk of SIM swapping.
For Microsoft Defender for Office 365 Customers:
  • Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants.
  • Enable Zero-hour auto purge (ZAP) in Office 365 to quarantine already-delivered mail in response to newly acquired threat intelligence, retroactively neutralizing malicious phishing, spam, or malware messages that reached mailboxes before they were classified.
  • Configure Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
  • Use the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password attack campaigns within your organization. Run spear-phishing (credential harvest) simulations to train end-users against clicking URLs in unsolicited messages and disclosing their credentials.
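
The authentication review recommended above ("review all authentication activity ... with a particular focus on accounts configured with single factor authentication") is easiest to do over an exported sign-in log. The script below is an added example, not part of the original advisory or of any Microsoft tooling: it isolates successful single-factor sign-ins and applies two cheap checks that tend to surface stolen credentials being used from attacker infrastructure. The records are constructed, and the field names (userPrincipalName, ipAddress, location.countryOrRegion, authenticationRequirement, status.errorCode) are assumed to follow a Microsoft Entra sign-in log export; adjust them to whatever your export contains.

```python
"""Review sign-in records for accounts that still authenticate with a
single factor.

Added example, not part of the original advisory. The records are
constructed and the field names are assumed to follow a Microsoft Entra
sign-in log export (errorCode 0 = successful sign-in).
"""
import json
from collections import defaultdict
from typing import Dict, List

# Constructed sample: one JSON object per line, as a log export would give you.
SAMPLE_SIGNINS = r"""
{"createdDateTime":"2023-01-25T07:58:10Z","userPrincipalName":"a.smith@example.org","ipAddress":"203.0.113.7","location":{"countryOrRegion":"GB"},"authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2023-01-25T22:41:03Z","userPrincipalName":"j.doe@example.org","ipAddress":"198.51.100.23","location":{"countryOrRegion":"GB"},"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2023-01-26T03:12:55Z","userPrincipalName":"j.doe@example.org","ipAddress":"192.0.2.88","location":{"countryOrRegion":"NL"},"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2023-01-26T03:13:20Z","userPrincipalName":"k.lee@example.org","ipAddress":"192.0.2.88","location":{"countryOrRegion":"NL"},"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
"""

SINGLE_FACTOR = "singleFactorAuthentication"


def parse_signins(text: str) -> List[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _succeeded(record: dict) -> bool:
    return record.get("status", {}).get("errorCode") == 0


def single_factor_successes(records: List[dict]) -> List[dict]:
    """Successful sign-ins that were not protected by MFA: the population
    the guidance says to review first."""
    return [r for r in records
            if r.get("authenticationRequirement") == SINGLE_FACTOR and _succeeded(r)]


def find_anomalies(records: List[dict]) -> Dict[str, list]:
    """Two checks over single-factor activity:

    * multi_country_users: an account that signed in successfully from more
      than one country within the window under review;
    * multi_user_ips: a source IP that attempted sign-ins (successful or
      not) to more than one account, which is what shared attacker
      infrastructure or a password spray looks like.
    """
    countries_by_user = defaultdict(set)
    users_by_ip = defaultdict(set)
    for r in records:
        if r.get("authenticationRequirement") != SINGLE_FACTOR:
            continue
        users_by_ip[r["ipAddress"]].add(r["userPrincipalName"])
        if _succeeded(r):
            country = r.get("location", {}).get("countryOrRegion", "unknown")
            countries_by_user[r["userPrincipalName"]].add(country)
    return {
        "multi_country_users": sorted(
            u for u, c in countries_by_user.items() if len(c) > 1),
        "multi_user_ips": sorted(
            ip for ip, u in users_by_ip.items() if len(u) > 1),
    }


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    for r in single_factor_successes(recs):
        print(f"single-factor success: {r['userPrincipalName']} from "
              f"{r['ipAddress']} ({r['location']['countryOrRegion']}) "
              f"at {r['createdDateTime']}")
    print(find_anomalies(recs))
```

Neither check is proof of compromise on its own (a user travelling, or a shared NAT address, will trigger them), which is why the output is a review list rather than an alert; the point is to shrink the single-factor population to the handful of accounts and addresses worth confirming with the user.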

Detections

Intelligence gathered by the Microsoft Threat Intelligence Center (MSTIC) is used within Microsoft security products to provide protection against associated actor activity.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 offers enhanced solutions for blocking and identifying malicious emails. Signals from Defender for Office 365 feed Microsoft 365 Defender, which correlates cross-domain threat intelligence to deliver a coordinated defense when this threat is detected. These alerts can also be triggered by unrelated threat activity. Example alerts:

A potentially malicious URL click was detected
Email messages containing malicious URL removed after delivery
Email messages removed after delivery
Email reported by user as malware or phish

Microsoft 365 Defender

Aside from the Microsoft Defender for Office 365 alerts above, customers can also monitor for the following Microsoft 365 Defender alerts for this attack. Note that these alerts can also be triggered by unrelated threat activity. Example alerts:

Suspicious URL clicked
Suspicious URL opened in web browser
User accessed link in ZAP-quarantined email

Microsoft 365 Defender customers should also investigate any "Stolen session cookie was used" alerts, which are triggered by adversary-in-the-middle (AiTM) attacks in which the phishing page proxies the real login and captures the session token as well as the password.

Microsoft Defender SmartScreen
Microsoft Defender SmartScreen has implemented detections against the phishing domains represented in the IOC section above.

Observed Countries (34)

AL (505)
AT (795)
BA (416)
BE (374)
BG (750)
CH (535)
DE (152)
DK (551)
ES (302)
FI (124)
FR (500)
GB (453)
GR (154)
HR (194)
HU (371)
IS (77)
IT (461)
LT (57)
LU (752)
LV (476)
MC (929)
MD (883)
ME (865)
MK (210)
NO (985)
PT (685)
RO (953)
RS (800)
SE (951)
SI (666)
SK (38)
TR (319)
UA (114)
US (677)