Why Me? - Target Of Phishing Attacks


What’s on this page
Introduction
Businesses around the world might differ in operating industry, sector, and geographic location. However, almost all businesses are united in the suffering of phishing attacks targeting their users. Such attacks could be easy to spot by tech-savvy users. Nevertheless, a sophisticated phishing attack could even trick trained users, posing a critical threat and forming a great chance for threat actors to achieve their goals. Moreover, one of the most interesting elements is the variation of the targets, as some users were observed to receive a large volume of phishing emails, while others are receiving a relatively less amount. This advisory aims to uncover the most used techniques by threat actors to obtain the email addresses of the organization’s users to initiate the phishing campaign.
Sources of Email Addresses
Publicly Exposed Accounts
In this case, the threat actors attempt to obtain the email addresses of the users belonging to the targeted entities by searching for any mailboxes associated with the entity's domain in search engines, public resources, and deep web resources such as paste sites. Users in many cases are unintentionally exposing their business emails in LinkedIn or Github accounts as a communication means. However, threat actors will always take advantage of such exposed details to target the users. Additionally, organizations should abstain from publishing content that contains users’ email addresses. The email addresses that can be published are the generic accounts that represent organization departments such as info, HR, marketing, and legal mailboxes.
B2B Directory
A B2B business directory is basically an online directory that is listing businesses around the world, categorizing businesses, and collecting their contact details; aiming to guide users and help them in their search for companies for marketing/business purposes. However, services such RocketReach, Zoominfo, Apollo, Hunter, and SignalHire are truly a goldmine for malicious actors to obtain a user's contact details. These online databases of businesses have their own methodologies for obtaining, verifying, and then selling the employees’ contact details of an entity. B2B directories provide such information for business purposes; hence, most of them also provide a “removal request” feature in their platform so the targeted entity will be allowed to contact them in order to remove their own data from the B2B Directory platform. In the Appendix, we have listed the most common B2B Directory platforms along with their contact details to request the removal of the organization’s details.
Email Syntax Guessing
In this case, the attacker is capable of guessing multiple user mailboxes, either by searching for the email format used by a specific entity or by guessing the generic department's mail lists, such as Public Relations, IT Department, or HR. In this case, the threat actor is not looking for a specific email account; instead, the goal here is to identify the email format being adopted by an organization. Then, the threat actor will work on identifying the employee’s names from public sources such as LinkedIn and map the employee’s name to the organization’s email format. For example, the threat actor was able to identify that the email format followed by XYZ organization is “{First Initial}.{Last Name}@xyz.com”. Then, by exploring the LinkedIn page of XYZ organization, the actor was able to find an employee with the name “John Smith”. Therefore, the threat actor will attempt to target this specific user by sending the phishing email to the mailbox “jsmith@xyz.com” which will likely be a valid email address for the user.
Third-Party Data Breaches
Data breaches are the leakage of an organization's sensitive information, including the Personally Identifiable Information (PII) related to the organization’s users or customers. The breached information is not limited in most cases to email addresses or passwords. Breaches can include the exposure of dates of birth, geographic locations, names, employer name, gender, and phone numbers. Once a third-party entity - such as social media or any service provider - is breached, the malicious actor will tend to sell the data to the public. Such data exposure represents a great source of information for threat actors as for sure some information of the organization's employees will be part of such breaches due to the registration in the breached party. By acquiring the dumps of data breaches and looking for the details associated with the users belonging to the targeted entity, this method can be utilized by the attackers to perform more sophisticated attacks. Users that are using their corporate email accounts for the registration of third-party services are for sure highly vulnerable to this type of information exposure.
Phenomenon: Targeting Personal Inboxes With CxO Name
CTM360 witnessed an increase in a sophisticated attack willing to lure the victims by delivering the phishing email to the victim’s personal inbox. Hence, the victim would be in a tough situation where he might be in a direct encounter with the threat actor; far away from the corporate defenses. The attack scheme is mostly utilizing compromised mailboxes from well-reputed email providers, using a C-level executive name as a sender, and requesting urgent action to be performed from the victim. Such details are actually aligned with the scope of advisory, where the attacker is taking advantage of the exposed details in data breaches, which includes useful information such as email addresses, job titles, employers, names, phone numbers, and social media profiles. Then, the attacker is mapping and correlating these exposed details to the victim profile of the targeted entity and initiates the Phishing attack targeting the victim’s personal mailbox.
Recommendations
In order to protect your organization from email exposure, the following steps are recommended to be taken:
- Ask your employees to remove their business account details if it was published online.
- Reach out to the B2B directories listing your users requesting the removal of the accounts.
- Use generic mailboxes in your online publications such as HR, Marketing, or Legal.
- Ensure to have a strict policy regarding the registration in online third-party services.
- Ensure not to use the same email address pattern across the organization. Use different email patterns such as:
- {LastName}@xyz.com
- {First_Initail}{LastName}@xyz.com
- {FirstName}{LastName}@xyz.com
- {LastName}{First_Initial}{Middle_Initial}@xyz.com
Appendix

Recent Blogs

Microsoft Joins the Push: DMARC Mandatory for High-Volume Senders Starting May 2025
Overview
The fight against email-based threats is intensifying. Following the lead of Google and Yahoo, Microsoft has officially announced the mandatory implementation of email authentication protocols, SPF, DKIM, and DMARC, for high-volume email senders, effective May 5, 2025. Domains sending over 5,000 daily emails to Microsoft's platforms, including Outlook.com, Hotmail.com, and Live.com, will be required to authenticate their messages. Initially, non-compliant messages will be redirected to recipients' Junk folders, with eventual total rejection expected if compliance isn't achieved. This enforcement represents a critical step in securing global email communications from spoofing and phishing threats (Microsoft Tech Community).
Understanding Email Authentication
Email authentication has become essential in combating increasingly sophisticated phishing and spoofing attacks. Three core standards have been adopted widely:
- Sender Policy Framework (SPF: RFC 7208): Verifies the legitimacy of the sending mail server, ensuring messages originate from authorized infrastructure. SPF helps prevent sender address forgery by defining authorized sending sources in DNS records.

- DomainKeys Identified Mail (DKIM: RFC 6376): Cryptographically signs email messages, allowing recipients to confirm message content hasn't been altered in transit. DKIM leverages public-private key pairs to ensure message integrity and authenticity.

- Domain-based Message Authentication, Reporting, and Conformance (DMARC: RFC 7489): Combines SPF and DKIM to enforce domain alignment, verify authenticity, and provide reporting mechanisms for senders to track email usage and potential abuse. DMARC is recommended to be implemented in three incremental stages: initial monitoring (p=none), intermediate quarantining of suspicious messages to test the policy impact (p=quarantine), and full rejection of unauthorized emails to achieve DMARC compliance (p=reject).

Email Content and Delivery Best Practice Guidance
To help the email ecosystem thrive and ensure that legitimate communications reach users' inboxes, major providers like Google, Yahoo, and Microsoft have released a unified set of technical and content-based requirements. This section consolidates these guidelines into a single resource for senders seeking to avoid spam filtering and maintain high deliverability rates.
1. Message Headers & Structural Integrity
2. Content Hygiene and Formatting
3. Infrastructure and Technical Configuration
4. Recipient List Management
5. Engagement and Complaint Monitoring
6. Summary Recommendations
- Align headers and domains with clear, professional identities.
- Respect opt-in and unsubscribe behaviors with transparent mechanisms.
- Structure content to be clean, concise, and free of deceptive or spammy characteristics.
- Maintain technical hygiene through DNS, TLS, SPF limits, and ARC usage.
- Monitor sender reputation and user engagement continuously.
Immediate Impact and Risks of Non - compliance
As of May 2025, domains that fail SPF or DKIM checks or lack a correctly configured DMARC policy with alignment will risk having their emails marked as spam or not delivered at all. Misalignment occurs when the domain used in the message's "From" address doesn't match the domains authenticated by SPF or DKIM.
Organizations failing to comply face significant risks, including diminished deliverability rates, compromised customer trust, and increased susceptibility to impersonation attacks. These impacts directly affect an organization's reputation, customer engagement, and potentially, its revenue.
Actionable Recommendations for Immediate Implementation
To effectively prepare for these mandatory standards, organizations should:
- Audit current DNS records: Utilize tools such as "dig" or Google DNS to verify SPF, DKIM, and DMARC records.
- Begin with Monitoring (p=none): Initially deploy DMARC in monitoring mode to understand email flows and detect anomalies without risking legitimate email delivery.
- Gradually enforce stricter policies: Move from quarantine to full rejection while monitoring.
- Ensure domain alignment: "From" domain must match what’s authenticated via SPF or DKIM.
- Maintain email hygiene: Clean lists, include a clear opt-out option, and avoid using misleading subject lines or headers.
Start Your DMARC Journey with CTM360 Free Community Edition
To support organizations navigating these changes, CTM360 offers a complimentary zero-cost Community Edition platform. It allows comprehensive monitoring, management, and enhancement of your DMARC records and email authentication setup. This proactive approach helps organizations reduce risks associated with impersonation attacks and maintain reliable email communication.
Join CTM360 Community Edition today, no hidden costs, simply real security.
Reference:
Disclaimer:
The information contained in this document is meant to provide general guidance and brief information to the intended recipient pertaining to the incident and recommended action. Therefore, this information is provided "as is" without warranties of any kind, express or implied, including accuracy, timeliness, and completeness.
Consequently, under NO condition shall CTM360®, its related partners, directors, principals, agents, or employees be liable for any direct, indirect, accidental, special, exemplary, punitive, consequential, or other damages or claims whatsoever including, but not limited to loss of data, loss in profits/business, network disruption...etc., arisina out of or in connection with this advisory.
For more information: Email: monitor@ctm360.com Tel: (973) 77 360 360

Securing Browsing Extensions
Summary:
In December 2024, hackers compromised at least 35 Google Chrome extensions, affecting approximately 2.6 million users. The attack exploited phishing emails sent to developers, masquerading as Google policy violation notices. These emails tricked developers into granting permissions to a malicious OAuth application named
“Privacy Policy Extension.
” Once authorized, the attackers gained control over the extensions, injecting malicious code to steal user data, particularly targeting Facebook credentials and business accounts. Browser extensions can significantly enhance productivity by adding new features to web browsers like Microsoft Edge and Google Chrome. However, they also pose significant security risks, as malicious or compromised extensions can lead to data breaches, malware infections, and unauthorized access to corporate networks. It is crucial for organizations to control, block, or manage browser extensions to minimize security risks, particularly in an enterprise environment. This advisory outlines the steps to block and protect browser extensions for Microsoft Edge and Google Chrome, and it also includes specific guidance on managing extensions using Microsoft Intune.
Risks Associated With Browser Extensions
● Data Exposure: Some extensions can access sensitive data (e.g., browsing history, credentials, and files), potentially exposing confidential information.
● Malicious Extensions: Cybercriminals can create or compromise extensions, making them a vector for malware distribution or data exfiltration.
● Phishing Risks: Extensions may manipulate web content, tricking users into providing sensitive information.
● Performance Degradation: Some poorly coded extensions can slow down browsers or degrade system performance.
Managing Browser Extensions Using Group Policy
A. Microsoft Edge
Using Group Policy (Windows)
1. Open the Group Policy Management Console (GPMC).
2. Navigate to: Computer Configuration > Administrative Templates > Microsoft Edge > Extensions
3. Set the following policies:
a. Control which extensions are installed silently: Specify allowed extensions by adding their extension IDs.
b. Configure extension management settings: T o block all extensions, set this policy to "*" (deny all).
c. Configure the list of force-installed extensions: If any extension is necessary for business, add the corresponding extension ID here.
B. Google Chrome
Using Group Policy (Windows)
1. Open the Group Policy Editor.
2. Navigate to: Computer Configuration > Administrative Templates > Google > Google Chrome > Extensions
3. Set the following policies:
a. Block external extensions: Set the policy to block all extensions unless specifically allowed by adding the extension IDs.
b. Configure extension install allow list: If certain extensions are necessary, add their extension IDs here.
c. Configure extension install blocklist: Add a wildcard"*" to block all extensions.
Managing Browser Extensions Using Microsoft Intune
Organizations using Microsoft Intune for endpoint management can apply policies to control browser extension installations across all managed devices. This approach is particularly useful for managing large numbers of endpoints efficiently.
Blocking Extensions in Microsoft Edge Using Intune
1. Sign in to Microsoft Endpoint Manager Admin Center.
2. Navigate to: Devices > Configuration profiles > Create profile
3. Choose:
a. Platform: Windows 10 and later.
b. Profile type: Settings catalog.
4. In the Configuration settings, search for Extensions under Microsoft Edge:
a. Allow specific extensions to be installed (User): Specify allowed extension IDs
b. Control which extensions cannot be installed (User): Add a wildcard"*" to block all extensions.
5. Assign this profile to your target groups (specific users or devices).
Blocking Extensions in Google Chrome Using Intune
1. Sign in to Microsoft Endpoint Manager Admin Center.
2. Navigate to: Devices > Configuration profiles > Create profile
3. Choose:
a. Platform: Windows 10 and later.
b. Profile type: Settings catalog.
4. In the Configuration settings, search for Extensions under Google Chrome\Extensions:
a. Configure extension installation allow list (User): Specify allowed extension IDs
b. Configure extension installation blocklist: Add a wildcard"*" to block all extensions.
5. Assign this profile to your target groups (specific users or devices).
Note: These steps are mentioned for user-based controls. Similar configuration steps can be applied for device-based controls.
Best Practices for Managing Browser Extensions
● Audit Extensions Regularly: Regularly audit the extensions installed on users’ browsers to detect unauthorized or risky extensions.
● User Training: Educate users about the risks associated with browser extensions and how to identify malicious ones.
● Implement a Zero-Trust Model: Always assume that extensions can potentially be compromised. Apply the principle of least privilege when granting extension permissions.
● Use Security Solutions: Consider deploying security solutions that can monitor and block malicious browser activities, including suspicious extension behavior.
Conclusion
Controlling browser extensions in Microsoft Edge and Google Chrome is a critical aspect of securing enterprise endpoints. By implementing the steps outlined above, organizations can significantly reduce the risks associated with browser extensions. Whether you manage your endpoints using Group Policy or Microsoft Intune, these controls can help protect your network from potential extension-related threats. By following this advisory, organizations can take proactive steps to mitigate browser extension risks, enhancing their overall cybersecurity posture.
Reference:
https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/
https://learn.microsoft.com/en-us/defender-endpoint/manage-profiles-approve-sys-extensions-intune
https://gbhackers.com/malicious-editthiscookie-extension/#google_vignette
Disclaimer
The information contained in this document is meant to provide general guidance and brief information to the intended recipient pertaining to the incident and recommended action. Therefore, this information is provided "as is" without warranties of any kind, express or implied, including accuracy, timeliness, and completeness. Consequently, under NO condition shall CTM360®, its related partners, directors, principals, agents, or employees be liable for any direct, indirect, accidental, special, exemplary, punitive, consequential, or other damages or claims whatsoever including, but not limited to: loss of data, loss in profits/business, network disruption…etc., arising out of or in connection with this advisory.
For more information:
Email: monitor@ctm360.com Tel: (+973) 77 360 360

CXO Fraud - Scam Emails Originating From Virgin Media, Optimum And Cox.Net
There is an ongoing scam email campaign targeting executives from prominent organizations around the world. These reported email addresses on the domains are genuine email accounts of 'Virgin Media', 'Optimum' & 'Cox communications' users' which are compromised and sold on underground forums. Scammers buy and use such accounts as they have a higher reputation compared to newly created free accounts to bypass email gateways and spam filters and also lower their risk of being detected or tracked back in a bigger BEC attack.
These accounts are compromised by threat actors via phishing emails and malware, and the issue with such accounts will persist as long as end users are not careful enough while dealing with phishing and malicious emails. Based on our previous experience in response with the hosts Virgin Media, Optimum and Cox.net which are TV and cable providers in the UK and USA. They do not investigate email accounts reported to their abuse team without the original email and header information as this is a mandatory requirement as per their abuse policies. However, once this information is provided they do take action by resetting/recovering the reported account of the original user.
Additionally, enabling strict quarantine measures on your email gateway from these domains will make you a harder target and eventually the attackers moving on to another one.
RECOMMENDATIONS
- As a precautionary measure, all email from private and/or external email addresses which contain the name of your executive staff in the "From" field may flagged.
- As part of containment, please ensure to quarantine emails from the domain @virginmedia[.]com, @optimum[.]net, @optonline[.]net, @cox[.]net, @cox[.]com
- As this type of email is tricky, it is highly recommended to conduct phishing awareness training for all employees to avoid potential risks.