DISCARDED: Tales From the Threat Research Trenches

Proofpoint

DISCARDED: Tales from the Threat Research Trenches is a podcast for security practitioners, intelligence analysts, and threat hunters looking to learn more about the threat behaviors and attack patterns. Each episode you’ll hear real world insights from our researchers about the latest trends in malware, threat actors, TTPs, and more. Welcome to DISCARDED

  1. 26 August

    Direct Send Exploitation & URL Rewrite Attacks: What Security Teams Must Know

    Hello to all our Cyber Squirrels! In this extra-packed episode of Discarded, host Selena Larson welcomes Proofpoint Principal Research Engineer Jason Ford for his first appearance on the show. Together, they dive into two resurging email attack techniques, Microsoft 365 Direct Send abuse and URL rewrite abuse, and why defending against them requires more than traditional email security. Jason explains what Direct Send is, why attackers exploit this legacy feature, and how it enables phishing campaigns that appear to originate from inside an organization. From QR code phishing kits to “to-do list” themed lures, Selena and Jason break down attack chains, share real-world examples, and highlight the red flags that indicate exploitation. They also explore how adversaries weaponize URL rewrites in redirect chains to deliver malware and credential phishing.

    We also unpack:
    - How Direct Send works under the hood and why legacy features are a prime target
    - Common signs in email headers that reveal Direct Send abuse
    - The role of URL rewrites in modern phishing campaigns
    - Why credential phishing has overtaken malware as the go-to tactic
    - Practical steps organizations can take, including when it makes sense to disable Direct Send
    - The importance of layered defenses, user education, and risk awareness across SaaS apps
    - Predictions on which “old school” techniques might resurface next

    This episode offers a clear, actionable look at how threat actors adapt and why everything old in cybercrime eventually becomes new again.

    Resources Mentioned:
    - https://www.proofpoint.com/us/blog/email-and-cloud-threats/attackers-abuse-m365-for-internal-phishing
    - http://www.jasonsford.com
    - https://github.com/jasonsford/directsendanalyzer

    For more information about Proofpoint, check out our website. Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!

    43 minutes
  2. 12 August

    Phish, Chips & Voldemort: Inside China’s Cyber Targeting of Taiwan

    Hello to all our Cyber Panda Bears! In this extra-packed episode of Discarded, host Selena Larson and guest host Sarah Sabotka reunite with Staff Threat Researcher Mark Kelly to dive deep into China-aligned espionage activity, this time with a focus on Taiwan’s semiconductor ecosystem and the strange, stealthy tools threat actors are using to get in. Mark walks us through Proofpoint’s latest research on custom malware (yes, “Voldemort” is back), threat clusters with pun-filled names like UNK_SparkyCarp and UNK_DropPitch, and why Taiwan’s chip industry has become such a hot target. From design and manufacturing to financial analysts and supply chains, Chinese state-aligned actors are getting more creative, and more persistent.

    We also unpack:
    - The “Phish & Chips” campaign and how it fits into China’s broader geopolitical strategy
    - Why pop culture references like Voldemort and Mr. Robot keep showing up in espionage infrastructure
    - Attribution headaches, including Proofpoint’s tracking of multiple unattributed threat clusters with UNK designators
    - How AI, LLMs, and adversary-in-the-middle phishing are influencing espionage tactics
    - The use of RMM tools and spoofed macOS folders for stealth
    - Why basic backdoors are making a strategic comeback
    - A threat intel team’s deep love for vegetables, puns, and report titles

    Whether you're tracking state-sponsored cyber activity, curious about weird malware names, or just here for the expert banter, this episode has you covered.

    Resources Mentioned: Phish & Chips: Chinese Espionage Activity Targeting Taiwan's Semiconductor Ecosystem

    For more information about Proofpoint, check out our website. Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!

    43 minutes
  3. 29 July

    Threat Actor Theater: TA2541, TA558, and the Cyber Heist Crew TA582

    Hello to all our cyber pals! In this episode of Discarded, host Selena Larson and co-host Tim Kromphardt are joined by Joe Wise, Senior Threat Researcher at Proofpoint, for a deep dive into the chaotic brilliance of mid-tier eCrime actors, including the elusive TA582. We explore recent activity from TA2541 and TA558, two groups known for their uncanny consistency and precision targeting, before shifting focus to TA582: a standout in today’s threat landscape. TA582’s multilayered, region-specific lures (think vintage car sales and fake speeding tickets) and complex delivery models are impressive compared to your typical cybercriminal.

    🔍 What you’ll hear:
    - How TA2541 and TA558 maintain eerily consistent lures and targeting year after year
    - The regional flavor behind lures in Latin America and Europe, especially during tax season
    - Why TA582 feels like a digital jigsaw puzzle, with simultaneous email, web inject, and compromised site vectors
    - A breakdown of TA582’s evolving payloads, from GhostWeaver to Interlock RAT
    - The surprising links between threat actor collaboration, initial access brokers, and shifting loader trends
    - How weird or silly variable names can enable threat actor tracking
    - And yes, 13 URLs that need the Tron soundtrack playing in the background to explore

    For more information about Proofpoint, check out our website. Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!

    38 minutes
  4. 15 July

    10 Things I Hate About Attribution: A Clustering Conundrum

    Hello to all our cyber detectives and pedantic CTI friends! In this episode of Discarded, host Selena Larson is joined by Greg Lesnewich, Staff Threat Researcher at Proofpoint, for a behind-the-scenes look at one of the most frustratingly fascinating attribution cases yet. What begins as a lighthearted rant, “10 Things I Hate About Attribution,” quickly turns into a deep dive into the murky overlap between TA829 (aka RomCom), TA289, and the elusive GreenSec cluster. From TransferLoader and malware panels to REM proxy infrastructure and attack chain similarities, Greg and Selena dissect the breadcrumb trail that led to a 25-page blog, a mountain of malware chains (Dusty Hammock? Single Camper?), and an attribution headache.

    Topics Include:
    - TA829 (aka RomCom) and the elusive GreenSec cluster: What’s the difference?
    - Vertical targeting overlap (and divergence)
    - Malware breakdown: TransferLoader vs. RomCom and related malware
    - Use of REM proxy and rebrand.ly infrastructure
    - Attribution logic and the perils of shared tooling
    - Bonus: Existential mysteries and karaoke mic commentary

    The attribution game isn’t always about getting it right; it’s about asking better questions. Join us in the mess, and keep connecting the dots.

    For more information about Proofpoint, check out our website. Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!

    56 minutes
  5. 1 July

    Comic Sans and Cybercrime: Inside North Korea’s Global Cyber Playbook

    Hello to all our Cyber Pals! In this episode of Discarded, host Selena Larson and co-host Sarah Sabotka are joined by Saher Naumaan and Greg Lesnewich, teammates on the espionage threat research team at Proofpoint, to unravel the multifaceted, and often bizarre, world of North Korean cyber operations.

    The team explores:
    - What sets DPRK’s threat actors apart from other nation-state groups
    - A closer look at North Korea’s cyber and physical support for Russia in Ukraine
    - How cyber activity plays a central role in North Korea’s national strategy, not just a supporting one
    - The phishing-heavy tactics of groups like TA427 (“Old Reliable”) and the emergence of oddball clusters like “Contagious Interview” and “UNK RageQuit”
    - How North Korean actors blur the lines between espionage and financially motivated cybercrime
    - The murky world of North Korean IT workers infiltrating global tech companies under false identities, raising critical questions about workplace exposure, ethics, and potential defections
    - The surprising ways some of these operatives sabotage themselves, including infections with common malware that expose their digital behavior
    - And yes, a Microsoft spoofing campaign actually using Comic Sans

    North Korean cyber activity is evolving fast, and they explain why it deserves far more attention than it gets.

    Resources Mentioned:
    - https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front
    - https://spycloud.com/blog/spycloud-march-cybercrime-update/
    - https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf

    For more information about Proofpoint, check out our website. Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!

    53 minutes
  6. 18 June

    Signatures and Surprises: Inside the Emerging Threats Team

    Hello to all our Cyber Masked Vigilantes! In this episode of Discarded, host Selena Larson and co-host Tim Kromphardt are joined by James Emery-Callcott, a Security Researcher on Proofpoint’s Emerging Threats team, for an insider’s look at the technical, tactical, and collaborative forces shaping modern network detection. James takes us behind the curtain of rule writing, CVE coverage, and malware detection, breaking down how signatures are developed, validated, and deployed to protect against a constantly shifting threat landscape. From the fading heyday of exploit kits to the rise of infostealers and ClickFix, we explore how detections evolve, and why the most persistent threats often hinge on the fundamentals of networking. You’ll also hear how the team maps detection rules to frameworks like MITRE ATT&CK and CISA KEV, using metadata tags to reduce alert fatigue and prioritize real-world risks. James shares why this kind of tagging isn’t just technical polish; it’s operational gold. But detection doesn’t happen in a vacuum. James explains how the community, through Discord chats, support tickets, and collaborative research, plays a vital role in surfacing false positives, sharing POCs, and suggesting metadata improvements.

    Bonus highlights include:
    - Why writing reliable detection rules is still too nuanced for AI
    - The anatomy of a CVE rollout (and the surprising role of an Xbox controller)
    - Signature performance testing and hardware challenges
    - Why older vulnerabilities still matter
    - A sneak peek at a free Suricata training series in the works

    Whether it’s a shoutout to Tony for pushing tagging innovation or a nod to students eager to get started, the message is clear: everyone can contribute to better detection.

    Resources Mentioned:
    - CrazyHunter: https://www.trendmicro.com/en_us/research/25/d/crazyhunter-campaign.html
    - https://www.proofpoint.com/us/blog/threat-insight/emerging-threats-updates-improve-metadata-including-mitre-attck-tags

    For more information about Proofpoint, check out our website. Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!

    44 minutes
  7. 4 June

    DBIR Deep Dive: Identity, Access, and the Expanding Attack Surface

    Hello to all our Cyber Stars! Join host Selena Larson and guest host Sarah Sabotka as they sit down with Alex Pinto, Associate Director of Threat Intelligence at Verizon Business and the lead author behind the industry-defining Verizon Data Breach Investigations Report (DBIR). Together, they unpack the most pressing findings from the brand new VZDBIR, offering a behind-the-scenes look at how the reports are built, and what they reveal about today’s rapidly evolving threat landscape. Alex shares how the editorial strategy behind the DBIR helps translate raw data from 100+ contributors into actionable insights and compelling narratives.

    The conversation dives into:
    - The surge in zero-day vulnerabilities and growing threats tied to network edge devices
    - Why third-party risk is skyrocketing, and what that means for vendor relationships
    - How ransomware groups are maturing and reinvesting like modern businesses
    - The alarming rise of credential abuse via MFA-bypassing phishing kits and information stealers
    - Why identity is now the primary target, and how defenders can introduce friction without killing usability
    - The limitations of current threat categorization and whether full attack chain visualizations should be next

    Whether you're here for the acronyms, the insights, or just want to win at cyber threat bingo, this episode is a must-listen for anyone navigating the modern security landscape. 🎧 Tune in to hear why “DBIR Day” matters, and how this year’s findings may be more personal than ever.

    Resources Mentioned: https://www.verizon.com/business/resources/reports/dbir/

    For more information about Proofpoint, check out our website.

    52 minutes

Rating: 4.9 out of 5 (55 ratings)
