Unusual Attack Chain Leads to NTLM Data Theft
released on 2024-03-04 @ 02:41:51 PM
Proofpoint identified threat actor TA577 using a new attack chain to steal NTLM authentication information for sensitive data gathering and follow-on activity. Campaigns sent tens of thousands of emails with zipped HTML attachments that triggered connections to TA577's SMB servers, potentially compromising NTLM hashes. TA577 has rapidly adopted new tactics recently, suggesting they have resources to iterate delivery methods. Organizations should block outbound SMB to prevent this type of exploitation.