Barracuda Networks Email Threat Radar April 2025
Posted: Wednesday, Apr 30

Email Threat Radar – April 2025: Over the last month, Barracuda threat analysts identified several notable email-based threats that target organizations around the world and are designed to evade detection and boost the chances of success, including:

  • Email attacks targeting victims with toxic calendar invites
  • Phishing kits abusing a trusted file-sharing platform
  • Voicemail phishing returning after several months of decline

Toxic Calendar Invites Are Yet Another Email Trap for Victims

Threat snapshot

Barracuda’s threat analysts have spotted the Sneaky 2FA phishing kit distributing poisoned calendar invites in an attack designed to steal user credentials.

ICS (iCalendar) attachments work across different platforms like Google Calendar, Microsoft Outlook and Apple Calendar. This compatibility makes ICS (.ics) files popular for scheduling events, meetings and appointments between organizations. They are particularly useful for virtual meetings, as they can contain URLs for video calls or related documents.

In the attack seen by Barracuda threat analysts, the email body is empty, and there is just a link to an ICS file that appears to be a legitimate calendar invite. The file contains some event details as well as a phishing link that claims to take the recipient to an unpaid invoice.

When the recipient opens the invitation, there is a link pointing to the legitimate Monday platform where the phishing content is hosted.

The victim is presented with a CAPTCHA verification and needs to click “view document,” which redirects them to a phishing page designed to steal their Microsoft credentials.
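
The traits described above (empty email body, an invoice lure, a link inside the ICS file that points to a hosted platform) can be checked mechanically once the invite's folded lines are rejoined. The following is an added example, not Barracuda's detection logic; the sample invite is constructed, and the lure terms and the `hosted-platform.example` suffix are assumptions to be replaced with your own watch list.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r'https?://[^\s<>"]+', re.I)
LURE_RE = re.compile(r"\b(invoice|payment|overdue|unpaid)\b", re.I)  # assumed lure terms

# Constructed sample invite (not from the report); hosts are placeholders. The
# DESCRIPTION line is folded per RFC 5545, splitting the URL across two lines.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-1@sender.example\r\n"
    "SUMMARY:Unpaid invoice review\r\n"
    "DESCRIPTION:View document: https://forms.hosted-platform.exam\r\n"
    " ple/doc/123\\nPlease respond today.\r\n"
    "LOCATION:https://meet.corp.example/room\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

def unfold(ics_text):
    """RFC 5545 unfolding: a line break followed by one space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()

def unescape(text):
    """Undo iCalendar TEXT backslash escapes so extracted URLs end where they should."""
    return re.sub(r"\\([nN,;\\])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), text)

def invite_urls(ics_text):
    """Return (property, url) pairs from every content line, parameters included."""
    found = []
    for line in unfold(ics_text):
        prop = re.split(r"[;:]", line, maxsplit=1)[0].upper()
        for url in URL_RE.findall(unescape(line)):
            found.append((prop, url.rstrip(".,)")))
    return found

def triage_invite(ics_text, email_body, watched_suffixes):
    """List which traits of the invite described above are present."""
    findings = [] if email_body.strip() else ["empty email body"]
    if LURE_RE.search("\n".join(unfold(ics_text))):
        findings.append("invoice/payment lure in invite text")
    for prop, url in invite_urls(ics_text):
        host = (urlparse(url).hostname or "").lower()
        if any(host == s or host.endswith("." + s) for s in watched_suffixes):
            findings.append(f"{prop} links to watched hosting platform: {url}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage_invite(SAMPLE_ICS, "", ("hosted-platform.example",))))
```

A scan of the raw file without unfolding sees only the truncated `https://forms.hosted-platform.exam`, which is why the unfolding step comes first.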

Signs to look for

  • A meeting invite should sound the alarm if any of the following apply: you are not expecting it, it comes from someone you don’t know or don’t hear from often, it is about something you are not aware of, or it arrives with no context or covering message. Report the message to your security team and, if appropriate, check with the sender directly to verify that the message is legitimate.
  • The use of calendar invites in phishing attacks is on the rise, with several reports of Google calendar invites being spoofed in phishing campaigns. 
  • Since ICS files are often considered harmless and not all security tools can spot malicious invites, this represents a new opportunity — for a while at least — for attackers to bypass security controls and snare victims.

Phishing Kits Abuse ShareFile to Launch Hundreds of Attacks

Threat snapshot

Barracuda’s threat analysts have spotted several hundred attacks by notorious phishing kits taking advantage of the legitimate ShareFile document-sharing platform.

The kits are hosting fake login forms on ShareFile and sending ShareFile URLs to potential victims.

This isn’t the first time that Barracuda’s threat analysts have found phishing content hosted on ShareFile, but its use by prominent Phishing-as-a-Service (PhaaS) platforms is a new development. This tactic appears to be the latest in a long line of adaptations by PhaaS groups to evade detection, increase stealth and ensure the survival of phishing campaigns.

The kits hosting content on ShareFile are the advanced and rapidly evolving Tycoon 2FA and Mamba 2FA. Barracuda recently reported on the behavior of Tycoon 2FA and other rising PhaaS platforms. Mamba 2FA follows a similar approach.

Mamba 2FA — another PhaaS ‘Most Wanted’

Mamba 2FA targets Microsoft 365 users and can intercept one-time passcodes and authentication cookies to bypass multifactor authentication. 

Evasion techniques include using proxy servers and short-lived, rotating phishing links that help to avoid blocklisting, HTML attachments with some junk content to avoid detection by security tools, and sandbox detection that sends unwanted traffic — such as security scanning tools — to an unrelated site such as Google 404 web pages.

The ShareFile Attack Method

The phishing emails usually impersonate SharePoint or DocuSign and feature a file-sharing notification with a link that takes the recipient to a fake document hosted on ShareFile.

Because the email includes a legitimate ShareFile URL, the message doesn’t flag any security concerns. And since recipients know and trust the platform, they are also more likely to click on the link and enter the requested login data.
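
Because the link itself is on a reputable platform, one signal left to a defender is the mismatch between the brand the message claims to come from and the host its link actually points to. The following is an added example, not Barracuda's detection logic; the sample message is constructed, its hosts are placeholders, and the brand-to-domain mapping is an assumption to extend for your environment. Treat a hit as one input to a score rather than a verdict.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumed mapping of an impersonated brand to the domains its genuine
# notifications link to; extend it for the services your organization uses.
BRAND_DOMAINS = {
    "sharepoint": ("sharepoint.com",),
    "docusign": ("docusign.com", "docusign.net"),
}
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.I)

# Constructed sample message (not from the report); hosts are placeholders.
SAMPLE_EMAIL = (
    'From: "SharePoint Online" <notify@sender.example>\n'
    "To: user@corp.example\n"
    "Subject: A file has been shared with you\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Open the shared document:\n"
    "https://files.share-platform.example/d-constructed\n"
)

def message_text(msg):
    """Concatenate every text/* part so links in HTML bodies are seen too."""
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")

def brand_link_mismatches(raw_email):
    """Return (brand, host) pairs where a link leaves the claimed brand's domains."""
    msg = message_from_string(raw_email, policy=policy.default)
    text = message_text(msg)
    # Brand claims come from sender, subject and body wording, not from the URLs.
    wording = URL_RE.sub(" ", text)
    claims = f"{msg.get('From', '')} {msg.get('Subject', '')} {wording}".lower()
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)}
    hits = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in claims:
            continue
        for host in sorted(hosts):
            if host and not any(host == d or host.endswith("." + d) for d in domains):
                hits.append((brand, host))
    return hits

if __name__ == "__main__":
    print(brand_link_mismatches(SAMPLE_EMAIL))
```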

Signs to look for

  • As above, an email that you are not expecting, from someone you don’t often hear from, on a topic that is not usual for you, should sound alarm bells.
  • So should an email from ShareFile when your organization doesn’t generally use ShareFile.
  • Report the message to your security team and check with the sender directly if appropriate to verify if the message is legitimate.
  • If the email includes a link directing you to a Microsoft or Google login page, check that it is a legitimate login page. Avoid entering your credentials if you suspect the page might be fake or malicious.

Voicemail-based Form Phishing On The Rise Again

Threat Snapshot

Since February, Barracuda threat analysts have observed a rise in the detection of voicemail-based email phishing, or vishing, attacks after a period of decline. The attacks claim to be voicemail alerts, and when the recipient clicks on the link to play the message, they are taken to an online form hosted on legitimate platforms, such as Monday and Zoho, where they need to enter their credentials.

Other recently detected vishing attacks involved Mamba 2FA and Tycoon 2FA, one of which used the professional social media platform LinkedIn as part of the URL redirect.

Signs to look for

  • As above, the warning light should come on if the sender, nature and claimed content of the message are unexpected or unsolicited. Always verify the source if it really does seem genuine.
  • Another red flag is any pressure to act or respond quickly or any kind of veiled threat.

How Barracuda Email Protection Can Help Your Organization

Barracuda Email Protection offers a comprehensive suite of features designed to defend against advanced email threats.

It includes capabilities such as Email Gateway Defense, which protects against phishing and malware, and Impersonation Protection, which safeguards against social engineering attacks.

Additionally, it provides Incident Response and Domain Fraud Protection to mitigate risks associated with compromised accounts and fraudulent domains. The service also includes Cloud-to-Cloud Backup and Security Awareness Training to enhance overall email security posture.

Barracuda combines artificial intelligence and deep integration with Microsoft 365 to provide a comprehensive cloud-based solution that guards against potentially devastating, hyper-targeted phishing and impersonation attacks.

Further information is available here.
