Barracuda full logo

Email Threat Radar - March 2025

Argomenti:
12 mar 2025
|
Threat Analyst Team

Over the last month, Barracuda threat analysts identified several notable email-based threats targeting organizations around the world, including:

  • Extortion attempts impersonating Clop ransomware
  • New attacks by the evasive and highly adaptive LogoKit phishing platform
  • A phishing campaign leveraging SVG image file attachments

Attackers impersonate Clop ransomware to extort payment

Threat snapshot

Why go to the trouble and expense of launching a real ransomware attack when you can just pretend to do so instead?

Barracuda’s threat analysts recently uncovered an email attack where the scammers tried to convince targets that they were Clop ransomware and had successfully breached the company network and stolen sensitive data. The attackers threatened to expose the information unless the victim paid an unspecified sum.

Example of an attack posing as Clop ransomware

In their extortion email, the attackers claimed to have exploited a vulnerability in Cleo, the developer behind a range of managed file transfer platforms, including Cleo Harmony, VLTrader, and LexiCom. This attack method is widely associated with Clop ransomware.

The attackers claimed they had secured unauthorized access to the victim’s company network and had downloaded and exfiltrated data from servers. To lend authenticity to their claims, they pointed the target to a media blogpost reporting on how Clop had stolen data from 66 Cleo customers using this approach.

The attackers provided a series of contact email addresses and urged the victim to get in touch.

Signs to look for

  • Emails from the fake Clop are likely to reference media coverage about actual Clop ransomware attacks.
  • If the email features elements such as a 48-hour payment deadline, links to a secure chat channel for ransom payment negotiations, and partial names of companies whose data was breached, then you are likely dealing with actual Clop ransomware, and you need to take immediate steps to mitigate the incident.
  • If these elements are absent, you’re probably just being scammed.

LogoKit phishing kit evades detection with unique links and real-time victim interaction

Threat snapshot

Barracuda analysts encountered the well-established LogoKit phishing-as-a-service platform distributing malicious emails claiming to be about urgent password resets.

LogoKit has been active since 2022, and its features and functionality help it evade traditional security defenses and make detection and mitigation significantly more difficult.

Among other things, LogoKit has the alarming capability of real-time interaction with victims. This means that attackers can adapt their phishing pages dynamically as the victim types in their credentials. LogoKit retrieves the company logo from a third-party service, for example, Clearbit or Google's favicon database.

LogoKit is very versatile. It integrates with popular messaging services, social media, and email platforms to distribute its phishing. It can generate unique phishing pages for each target. This level of versatility also makes detection harder for traditional security defenses.

In the most recent campaign seen by Barracuda threat analysts, the attackers distributed authentic-looking emails with the headers of "Password Reset Requested" or "Immediate Account Action Required." 

LogoKit phishing attack example

These headers create a sense of concern and urgency, designed to encourage the recipient to quickly click on the link to resolve the supposed issue. Instead, they are redirected to a dynamically created phishing page hosted by LogoKit.

This page is designed to look identical to the login portal and password reset page of the service the victim believes they are connecting to. The victim is prompted to enter their login credentials, which are then captured by the attacker.

Signs to look for

  • The URL pattern to look for:
  • https://ExampleURL.#.[ key + Victim's Email ]
  • https://ExampleURL/[ key + Victim's Email ]
  • https://ExampleURL.#.[ base64 encoded url + Victim's Email ]

Pattern of the hyperlink to Clearbit and Favicon to fetch the logo:

  • <img src="https://logo.clearbit.com/Victim domain" >
  • <img src= "https://www.google.com/s2/favicons?domain=Victim domain" >

Phishing attacks exploiting SVG graphic attachments

The use of malicious attachments in phishing attacks, with minimal or no text in the email body, is rising. Threat analysts have seen attacks using PDFs, HTML, HTM, Word documents, Excel files, and ZIP archives.

As detection tools improve, attackers continue to adapt their attack methods, and Barracuda threat analysts have recently noted a shift toward using SVG (Scalable Vector Graphics) attachments in phishing attacks. Some of these attacks are delivered using popular phishing-as-a-service (PhaaS) platforms, such as Tycoon 2FA.

SVG is a type of image format that is ideal for websites because the images can be made larger or smaller without losing resolution quality. SVG files are generally written in web-friendly XML.

According to Barracuda’s analysts, SVG files are becoming a popular method for delivering malicious payloads due to their ability to contain embedded scripts, which don’t look suspicious to security tools.

In the samples analyzed by Barracuda, the attacks are of the traditional “urgent fund transfer” variety or designed to steal Microsoft credentials. In more complex attacks, opening the email attachment triggers the download of a malicious ZIP file.

Example of a phishing attack exploiting SVG files

If a sandbox environment is detected, the attackers redirect the “victim” to a popular legitimate shopping website instead.

Signs to look for

  • If an email has an .SVG attachment with clickable links, avoid interacting with the attachment.
  • Other red flags include SVG files prompting the download of additional files and the appearance of browser warnings or security alerts when opening the file.

How Barracuda Email Protection can help your organization

Barracuda Email Protection offers a comprehensive suite of features designed to defend against advanced email threats.

It includes capabilities such as Email Gateway Defense, which protects against phishing and malware, and Impersonation Protection, which safeguards against social engineering attacks.

Additionally, it provides Incident Response and Domain Fraud Protection to mitigate risks associated with compromised accounts and fraudulent domains. The service also includes Cloud-to-Cloud Backup and Security Awareness Training to enhance overall email security posture

Barracuda combines artificial intelligence and deep integration with Microsoft 365 to provide a comprehensive cloud-based solution that guards against potentially devastating, hyper-targeted phishing and impersonation attacks.

Further information is available here.

Get complete email security
Threat Analyst Team

The Threat Analyst Team at Barracuda focuses on detecting, analyzing, and mitigating emerging threats. Dedicated to protecting customers from cyberattacks, the team leverages advanced technologies and threat intelligence to provide actionable insights and proactive defense strategies.

Post correlati:
New, simpler onboarding wizard for Barracuda Email Protection
New, simpler onboarding wizard for Barracuda Email Protection
 Cl0p ransomware: The skeezy invader that bites while you sleep
Cl0p ransomware: The skeezy invader that bites while you sleep
 I file del caso SOC: la gang di ransomware armata di Python riemerge per affrontare un muro di difese XDR
I file del caso SOC: la gang di ransomware armata di Python riemerge per affrontare un muro di difese XDR
 Radar delle minacce SOC — Maggio 2025
Radar delle minacce SOC — Maggio 2025
Search the blog

Subscribe to the Barracuda Blog.

Sign up to receive threat spotlights, industry commentary, and more.

Sign up to receive threat spotlights, industry commentary, and more.

Get all the latest news, research, and analysis delivered right to your inbox.