Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT In recent weeks, eSentire’s Threat Response Unit (TRU) has traced numerous email account compromise cases to infrastructure hosted on several related hosting…
Dec 10, 2024THE THREATUpdate: Security patches to address this vulnerability were released by Cleo on December 12th. Organizations need to update to Cleo Harmony, VLTrader, and LexiCom versions…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
In early February, our Incident Handling team responded to a phishing campaign targeting users in the retail industry. In one instance, a compromised account was leveraged to distribute voicemail themed phishing emails. For example, “XXXXXX left you a Voicemail at 07:30 am,” where the Xs represent a redacted phone number with the area code. The email contains the link to the custom collaboration form created on allo[.]io. (Figure 1).
The form contains the link to a fake Microsoft login page, but the user is first routed through a CloudFlare Turnstile prompt (Figure 2) before accessing the phishing page. Security tools often look for abnormal behaviors or patterns to detect bots and malicious activities. Using Turnstile not only instills a sense of legitimacy in the phishing site for potential victims but also conceals the genuine phishing page from the detection efforts of automated security scanners.
The source code of the phishing page contains an obfuscated code using simple XOR algorithm. Upon decoding, we can see that the page points to the JavaScript file that gets loaded at 13j7q.umhhs0.com/u352/myscr451443[.]js (Figure 4).
Upon deobfuscating myscr451443[.]js, we see that it’s responsible for holding the user's access to the main content (fake Microsoft sign-in page) while performing necessary security validations via CloudFlare Turnstile.
Further investigating the source code, we can see that the phishing landing page source code is stored under /web6/assets/js/pages.min.js?cb=36 path. The code attempts to fetch the user’s IP address by making the request to httpbin[.]org/ip and sends it over to the server via the POST request to <phishing_domain>/web6/info along with the browser name (derived from user-agent) and the pagelink value, in our example it’s “6x96”.
The code filters out certain domains to prevent sign-ins from personal emails, which hints that the phishing campaign targets corporate users. If one of the domains in the list is entered, the user will get a message “We couldn't find an account with that username. Try another, or get a new Microsoft account”.
During the analysis of the network traffic, we observed a communication request directed to the domain ailinux[.]ru. This was subsequently identified and confirmed as an interface to the TycoonGroup control panel (Figures 9-10). TycoonGroup is marketed as a phishing-as-a-service platform and is actively being sold on the Telegram platform.
TycoonGroup boasts a user base of over 2,000. The phishing kits they offer are equipped with a range of features, such as a QR code phishing service, a private antibot system, the ability to bypass two-factor authentication, and the capability to retrieve cookies that remain valid for up to one year, among others (Figure 11).
Performing the search via URLscan on the “web6/assets” we found over 1000 scan results related to the phishing kit (Figure 12).
Our team of 24/7 Cyber SOC Analysts and Incident Handling Team investigated the suspicious activities, notified the clients, and recommended resetting the passwords and revoking the sessions.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.