#Tag · bonfire.cafe

Snagged what looks like attempted phish/CSRF

Portrayed itself as a secure banking message. Initial hyperlink directed to

petroleuminvestigations[.]com

Looks like a VPS with openresty doing some lua-based filtering. Then user's kicked to an AWS address impersonating finance documents, and cookies are pulled in from bin.dreatrithoo[.]online common across finance scam sites today per LookyLoo.

#threatintel

34 more domains associated by MX IP address. CSV for all 36:

https://drive.proton.me/urls/0WH2XJ9DV4#YCHkLWZ3aVlm

Proton Drive

Securely store, share, and access your important files and photos. Anytime, anywhere.

Threat Intelligence

@threatlandscapemonitoring@mastodon.social · last week

ThreatLandscape.ai is live Natural language AI copilot for threat intelligence that answers security questions with continuously updated intel, so teams get insights fast without hunting data manually.

#AI #ThreatIntel #CyberSecurity

Mre. Dartigen [maker mode] and 8 others boosted

Ian Campbell

@neurovagrant@masto.deoan.org · 2 weeks ago

Oh well that's fucking clever. A threat actor is sending out phishing emails pretending to be SendGrid, and explaining that all their emails will include "Support ICE" banners in order to trigger ragebait clicks through to the phishing kit.

#threatintel

https://www.linkedin.com/posts/simokohonen_ragebait-as-a-phishing-tactic-a-threat-activity-7415349853754638336-gcCu?utm_source=social_share_send&utm_medium=member_desktop_web&rcm=ACoAABIZhqYBjXCQuV7JX7N_3xlpxZY6alHZ77o

Screencap showing the phishing email and button.

Ragebait as a phishing tactic.. a threat actor pretending to be SendGrid is sending out phishing emails with the note: '..We will be adding a "Support ICE" donation button to the footer of every email sent through our platform'. Feels like the de facto way for phishing people was always trying to lure people with something pleasant, like a list of Christmas bonuses for the year - but psychology has known this effect for a long time, i.e. losing $100 hurts more than finding $100 feels good, or in this case, appearing to support ICE hurts more than knowing the bonuses of the IT department feels good. Still, I feel like this is a bit too over the top.. what do you think? 😆

Seth of the Fediverse boosted

ZeroDay Bae

@cyberseckyle@infosec.exchange · 2 weeks ago

Back in the saddle with my Cybersecurity Weekly Roundup for 2026.

This week’s signal: CISA moves (KEV + retired Emergency Directives), critical patching for Veeam/Trend Micro/n8n/Cisco ISE, legacy edge gear still getting farmed, “internal-looking” phishing tricks, and malicious browser extensions stealing AI chats.

15 stories, quick briefs, and my practitioner take:
https://www.kylereddoch.me/blog/cybersecurity-weekly-roundup-january-2-9-2026/

#Cybersecurity #InfoSec #VulnManagement #ThreatIntel #Ransomware #BlueTeam #CybersecurityWeeklyRoundup #CybersecKyle

CybersecKyle

Cybersecurity Weekly Roundup: January 2-9, 2026

Fifteen stories worth your time this week: KEV updates, high-impact patches, browser ecosystem abuse, and a few reminders that old gear never dies, it just becomes a botnet.

⁂

More from

ZeroDay Bae

Taggart boosted

cR0w h0 h0

@cR0w@infosec.exchange · 2 weeks ago

More Subjects to search on for that Sendgrid thing mentioned by Ian here.

https://masto.deoan.org/@neurovagrant/115865145438282370

API Authentication Issue
API Endpoint Communication Failed
API Endpoint Disabled
API Endpoint Failure
API Endpoint Issue
API Endpoint Issue
API Error Detected
API Request Failures Detected

API Request Status Update

Action required by January 13
Holiday Email Volume
ICE Support Initiative
Issue with Your API Request
JSON Payload Error
Language Preference Updated
Malformed JSON Payload
Migration to Sinch Authentication
New Pride Template
Pride Month Theme Update
We Couldn't Process Your Request

Your API endpoint has been rate limited
Your request couldn't be completed

#threatIntel

cR0w h0 h0

@cR0w@infosec.exchange · 2 weeks ago

More Subjects to search on for that Sendgrid thing mentioned by Ian here.

https://masto.deoan.org/@neurovagrant/115865145438282370

API Authentication Issue
API Endpoint Communication Failed
API Endpoint Disabled
API Endpoint Failure
API Endpoint Issue
API Endpoint Issue
API Error Detected
API Request Failures Detected

API Request Status Update

Action required by January 13
Holiday Email Volume
ICE Support Initiative
Issue with Your API Request
JSON Payload Error
Language Preference Updated
Malformed JSON Payload
Migration to Sinch Authentication
New Pride Template
Pride Month Theme Update
We Couldn't Process Your Request

Your API endpoint has been rate limited
Your request couldn't be completed

#threatIntel

Seth of the Fediverse and 1 other boosted

Ian Campbell

@neurovagrant@masto.deoan.org · 2 weeks ago

So here's the historical pDNS and domain data for sender domains in the headers of these emails from the samples I have.

SendGrid UPNs have been a bust so far, but guessing the attack isn't something to really write home about, but I'd like to see this group in particular inconvenienced for the ragebait aspect.

#threatintel

https://drive.proton.me/urls/V2AGD9P57W#MqEEZYyRVjmI

Proton Drive

Securely store, share, and access your important files and photos. Anytime, anywhere.

Ian Campbell

@neurovagrant@masto.deoan.org · 2 weeks ago

I hate scumbags like this, but I have to have some respect for decent craft.

Ian Campbell

@neurovagrant@masto.deoan.org replied · 2 weeks ago

So here's the historical pDNS and domain data for sender domains in the headers of these emails from the samples I have.

SendGrid UPNs have been a bust so far, but guessing the attack isn't something to really write home about, but I'd like to see this group in particular inconvenienced for the ragebait aspect.

#threatintel

https://drive.proton.me/urls/V2AGD9P57W#MqEEZYyRVjmI