Resources

Hughes Hubbard and Reed CIO: “eSentire MDR is so much more than MDR.”

6 Reasons Why Phishing and Security Awareness Training Programs Fail

Misconfigurations are the biggest threat to cloud security, period.

Visit the eSentire Blog →

Case Studies

Customer testimonials and case studies.

White Papers

Analyst reports and thought leadership.

Reports

Incident Reports and threat dissections.

Webinars

Demonstrations and thought leadership.

Data Sheets

Information and solution briefs for our services.

Visit Resource Library →

Oct 18, 2021

Grief Ransomware Gang Claims 41 New Victims, Targeting Manufacturers; Municipalities; & Service Companies in U.K. & Europe

Grief Operators Earned an Estimated 8.5 Million British Pounds in Four Months Key Findings: The Grief Ransomware Gang (a rebrand of the DoppelPaymer Ransomware Group) claims to have infected 41 new victims between May 27, 2021—Oct. 1, 2021 with their ransomware.Over half the companies listed on Grief’s underground leak site are based in the U.K. and Europe. The Grief Ransomware Gang appears to…
Read More

View all Advisories →

Company

About Us

eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.

Read about how we got here

Leadership Work at eSentire

Oct

451 Nexus 2021

eSentire is a sponsor for 451 Nexus.

Oct

Ransomware Recovery: Lessons from the CRA/InfraGard Survey

Join Tiff Cook, eSentire's Sr. Director of Incident Response and Bill…

Oct

ILTA LegalSEC Summit 2021

eSentire will be participating in ILTA LegalSEC Summit.

View Event Calendar →

Oct 12, 2021

eSentire Launches MDR with Microsoft Azure Sentinel Extending Response Capabilities Across Entire Microsoft Security Ecosystem

Waterloo, ON – Oct. 12, 2021 -- eSentire, recognized globally as the Authority in Managed Detection and Response (MDR), today announced the expansion of its award-winning MDR services with Microsoft Azure Sentinel, as part of its integration with the complete Microsoft 365 Defender and Azure Defender product suites supporting Microsoft SIEM, endpoint, identity, email and cloud security services.…
Read More

View Newsroom →

Partners

Our award-winning partner program offers financial rewards, sales and marketing tools and personalized training. Accelerate your business and grow your revenue by offering our world-class Managed Detection and Response (MDR) services.

Learn about our Partner Program

Malicious Activity Assessment

A 45 day of continuous network visibility assessment and cybersecurity scorecard.

Multi-Tenant Sensor (MTS)

MTS protects your customers’ networks 24/7 from today’s evolving threat landscape.

Apply today to partner with the Authority in Managed Detection and Response.

Become a Partner →

Partner Login →

The Threat

The eSentire Security Operations Center has observed a spear phishing campaign targeting customers in the financial industry. The email claims to originate from the Securities and Exchange Commission and arrives bundled with a malicious Microsoft Word Document. The document uses the Dynamic Data Exchange (DDE) protocol to execute malicious PowerShell code which downloads and executes DNSMessenger malware. If successful, this attack allows the threat actor to interact with the victim’s system.

What you should do about it

DDE relies on user interaction. As such, staff education is an important step in preventing this attack. We recommend sharing indicators (see below) with users to increase awareness of this threat.
Implement spoofed email blocking with Sender Policy Framework or Sender ID.

Additional Information

Observed Spear Phishing email uses a spoofed [email protected] email address to lure victims into downloading and executing a Microsoft Word attachment (see below). This document contains a malicious Dynamic Data Exchange (DDE) command which attempts to spawn a PowerShell process.
Unlike similar spear phishing campaigns, DDE does not use VBA Macros to execute commands.
DDE presents the end-user with a message prompt and requires interaction to execute correctly.
Once installed, DNSMessenger malware uses DNS TXT queries to create a bidirectional command and control (C2) channel between the victim and the attacker.

Email Indicators

Subject: EDGAR Filings

From: [email protected] (spoofed)

Filings and Forms rules

Dear TARGETNAME,

The SEC's Office is issuing this EDGAR Alert to inform EDGAR members about changes in EDGAR Filings.

Attachment:
Filings_and_Forms.docx

When opened, it presents the user with the following message:

[image src="/assets/32bc1ece0c/Spear-Phishing-SEC-Campaign.png" id="1227" width="495" height="132" class="center ss-htmleditorfield-file image" title="Spear Phishing SEC Campaign" alt="Spear Phishing SEC Campaign"]

Clicking Yes on the pop up will initiate the download of DNSMessenger malware.

Clicking Yes on the pop up will initiate the download of DNSMessenger malware.

For additional information, please visit:

http://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html

ESENTIRE SERVICES

Managed Risk Programs →

Managed Detection & Response →

Digital Forensics & Incident Response →

ESENTIRE PLATFORM

Atlas Extended Detection & Response (XDR) →

ESENTIRE PEOPLE

Team eSentire

Security Operations Center (SOC)

Threat Response Unit

ESENTIRE INCIDENT RESPONSE

Are you experiencing a security incident or have you been breached?

CALL US NOW

Network

Endpoint

Log

Cloud

Insider Threat

Case Studies

White Papers

Reports

Webinars

Data Sheets

Resources

Security advisories — Feb 26, 2019

Spear Phishing – SEC Campaign

Sales and Customer Support

What we do

How we do it

Resources

Company

The Authority in Managed Detection and Response.