In recent weeks, eSentire has observed multiple Email Bombing attacks, in which threat actors use phishing techniques to gain remote access to a host and install malware. In an Email Bombing attack, the user receives a large volume of spam emails in a short period of time, overwhelming the inbox and degrading service. This is followed by a Microsoft Teams message from a threat actor claiming to be part of the organization's IT support team and requesting a remote session to help resolve the issue. These attacks have been linked to threat groups involved in ransomware campaigns. eSentire Threat Intelligence assesses with high confidence that Email Bombing will continue to be an effective initial access technique.
Due to ongoing abuse, organizations are advised to restrict Microsoft Teams access from external tenants unless it is required for legitimate business purposes. Additionally, following the principle of least privilege can help limit the potential impact of a security breach.
The Email Bombing attack chain begins with the user receiving a high volume of spam emails within a short period of time, in an attempt to overwhelm them. This is followed by Microsoft Teams messages originating from threat actor-controlled Microsoft Office 365 tenants, posing as tech support from the user's organization. This is possible because Microsoft Teams configuration settings can allow users on external domains to initiate chats or meetings with internal users.
The threat actors will initiate a request for a call with the victim to help remediate the ongoing email spam issue. While on the call, the threat actor will utilize Microsoft remote control tools such as Quick Assist or Teams screen sharing to take control of the target’s machine. During this session, the threat actor will download further malicious payloads onto the host to gain persistence, perform reconnaissance, gather credentials, exfiltrate data, and drop malware or ransomware. Sophos has attributed related activity to the ransomware-related threat clusters STAC5143 and STAC5777, which have also been documented in public reports as key threat actors in recent cyber threats.
In one instance, eSentire observed a threat actor, after gaining access to the host via a Quick Assist session, downloading two files (kb052117-01.bpx and kb052123-02.bpx) via the Microsoft Edge web browser. The files were downloaded from the domain ‘hxxps[://]filters6[.]s3[.]us-east-2[.]amazonaws[.]com/gtjs.html?t=drivers’ and were combined to create the file ‘pack.zip’.
Scripted commands were then run that performed various actions with the Zip file, while maintaining the guise of installing email filters for the user in order to cover the threat actor's tracks.
The archive was extracted using tar[.]exe, which created the ‘%TEMP%\arch1271.cab’ file; this file was then copied to the ‘%LOCALAPPDATA%\Microsoft\ODBC’ directory. The ‘arch1271.cab’ file contained the malicious ‘wscapi.dll’, which was executed via the ‘odbcconf.exe’ process.
Similar actions were performed within the ‘%LOCALAPPDATA%\Microsoft\OneDrive’ directory, which resulted in a legitimate ‘OneDriveStandaloneUpdater.exe’ process being created in that directory as well. After various steps, the script printed ‘Filters installed successfully!’ to disguise the threat actor's activity.
A Registry key was also added under ‘HKCU\SOFTWARE\TitanPlus’, containing the C2 IPs (45[.]8[.]157[.]199:443;5[.]181[.]3[.]164:443;38[.]180[.]25[.]3:443). The final actions of the script were to delete the kb052117-01.bpx, kb052117-02.bpx, and pack.zip files. This activity was detected via MDR for Endpoint, and the SOC alerted on and isolated the affected host.
In other instances of this attack, eSentire has observed PowerShell being used to download additional payloads and establish persistence once a threat actor has gained remote access to a host. Specifically, the threat actor downloaded TeamViewer for persistence, deployed the XenArmor password recovery tool to steal the victim's credentials, and leveraged a .NET DLL payload to establish Command-and-Control (C2) connections, load SharpShares in memory to discover network shares, and use Nltest for Domain Controller enumeration.
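Detection logic for the host-side behaviours described in the two passages above (tar.exe extracting into %TEMP%, odbcconf.exe loading a DLL from a user-writable path, the HKCU\SOFTWARE\TitanPlus key holding a list of C2 endpoints, and Nltest domain controller enumeration), as an added example that is not part of this advisory or of eSentire's detection content. The endpoint telemetry is constructed: the command lines, user name and registry value are assumptions, and the IPs are documentation-range placeholders rather than the advisory's C2 addresses.

```python
import re

# Constructed endpoint telemetry modelled on the chain described in this advisory.
# Command lines, the user name and the registry value are assumptions; the IPs are
# documentation-range placeholders, not the C2 addresses from the advisory.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\tar.exe",
     "cmdline": r"tar.exe -xf pack.zip -C C:\Users\alice\AppData\Local\Temp"},
    {"type": "process", "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": r"odbcconf.exe /A {REGSVR C:\Users\alice\AppData\Local\Microsoft\ODBC\wscapi.dll}"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\TitanPlus",
     "value": "203.0.113.10:443;198.51.100.7:443"},
    {"type": "process", "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /dclist:corp.example"},
    # Benign look-alikes that the rules should not flag.
    {"type": "process", "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": r"odbcconf.exe /S /F C:\Windows\System32\odbcconf.rsp"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Office", "value": "1"},
]
# Directories a standard user can write to; a signed LOLBin should not load code from them.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)
# One or more "ip:port" entries separated by ';', the layout seen under TitanPlus.
IP_PORT_LIST = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}:\d{1,5};?)+$")

def _image_is(ev, name):
    return ev["type"] == "process" and ev["image"].lower().endswith("\\" + name)

def rule_tar_extract_to_temp(ev):  # tar.exe writing under %TEMP%, as with arch1271.cab
    return _image_is(ev, "tar.exe") and r"\appdata\local\temp" in ev["cmdline"].lower()

def rule_odbcconf_loads_user_dll(ev):  # odbcconf.exe given a DLL in a user-writable path
    if not _image_is(ev, "odbcconf.exe"):
        return False
    dll = re.search(r"[^\s\"{}]+\.dll", ev["cmdline"], re.I)
    return bool(dll and USER_WRITABLE.search(dll.group(0)))

def rule_titanplus_c2_key(ev):  # HKCU\SOFTWARE\TitanPlus holding a list of C2 endpoints
    return (ev["type"] == "registry" and ev["key"].lower().endswith("\\titanplus")
            and bool(IP_PORT_LIST.match(ev["value"])))

def rule_nltest_dc_enum(ev):  # nltest used for domain controller enumeration
    return _image_is(ev, "nltest.exe") and "/dclist" in ev["cmdline"].lower()

RULES = [rule_tar_extract_to_temp, rule_odbcconf_loads_user_dll,
         rule_titanplus_c2_key, rule_nltest_dc_enum]

def scan(events):
    """Return (rule name, event) pairs for every event that a rule matches."""
    return [(rule.__name__, ev) for ev in events for rule in RULES if rule(ev)]
```

Each rule keys on the behaviour (a LOLBin touching a user-writable path, a registry value shaped like an endpoint list) rather than on the specific hashes or IPs, so it survives the actor rotating infrastructure.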
Indicators of Compromise (IOCs)