In this weekly Threat Intelligence Brief we look back at top stories and security-related callouts to provide relevant and actionable insights for the information security consumer.
We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.
In this edition:
Emerging threat: Linux 'Auto-color' malware
Password spraying M365 non-interactive sign-ins
Bypassing Outlook spam filtering
CISA KEV updates
Palo Alto Networks threat researchers recently reported on new Linux malware named "Auto-color". Initially discovered in Q4 of 2024, the malware uses advanced evasion techniques, including deceptive filenames, encrypted communication, and stealthy C2 connections similar to those of the Symbiote malware family, and grants attackers full remote access. The name Auto-color comes from what the initial payload renames itself to after installation. The method of initial delivery of the malware executable is still unknown; Palo Alto's report illustrates the post-delivery infection chain.
The report includes a list of IoCs you can use to search for related activity, along with recommendations to help detect and mitigate this threat.
Source: Palo Alto | Unit42
A report from Strike by SecurityScorecard highlights a botnet of over 130,000 compromised devices launching large-scale password spraying attacks against Microsoft 365 (M365) accounts by exploiting non-interactive sign-ins with Basic Authentication. Non-interactive sign-ins are performed by a client or service on the user's behalf, are commonly used for legacy protocols and automated processes, and often bypass modern security controls, including MFA enforcement; that lets attackers systematically test credentials harvested from infostealer logs against accounts. Organizations should immediately review their non-interactive sign-in logs for signs of compromise and rotate credentials wherever suspicious activity is found.
Organizations that monitor only interactive sign-ins will miss this activity entirely. While Microsoft is phasing out Basic Authentication, with full retirement of SMTP AUTH in Exchange Online set for September 2025, attackers continue to exploit it, so the risk is immediate. Strike's report summarizes the high-level details in a graphic.
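The review Strike recommends can be automated. The following is an added example, not code from Strike or SecurityScorecard: it runs a password-spray hunt over a handful of constructed records shaped like Microsoft Graph / Entra ID sign-in log entries (createdDateTime, userPrincipalName, ipAddress, clientAppUsed, isInteractive, status.errorCode). The list of legacy client apps, the error code used for a bad password, and the thresholds are assumptions to tune for your tenant.

```python
"""Hunt for password spraying over legacy-auth, non-interactive sign-ins.

Added example (not from the Strike/SecurityScorecard advisory). It runs
over constructed records shaped like Microsoft Graph / Entra ID sign-in
log entries. The legacy client app list, the error code and the
thresholds are assumptions to tune for your tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Client app names Entra reports for protocols that only support Basic
# Authentication. "Browser" and "Mobile Apps and Desktop clients" are
# modern-auth clients and are deliberately excluded. (Assumed list.)
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync",
    "Outlook Anywhere (RPC over HTTP)", "Exchange Web Services",
    "MAPI Over HTTP", "Offline Address Book", "Other clients",
}
BAD_PASSWORD = 50126   # AADSTS50126: invalid username or password
SUCCESS = 0
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def _ev(ts, upn, ip, app, interactive, code):
    """Build one record in the Graph signIn shape (helper for sample data)."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": app, "isInteractive": interactive,
            "status": {"errorCode": code}}


# Constructed sample data: one source IP (TEST-NET-3 range) sprays five
# accounts over SMTP/IMAP, then lands a valid password on a sixth.
SAMPLE_SIGNINS = [
    _ev("2025-02-24T02:00:01Z", "alice@example.com", "203.0.113.10", "Authenticated SMTP", False, BAD_PASSWORD),
    _ev("2025-02-24T02:00:09Z", "bob@example.com",   "203.0.113.10", "Authenticated SMTP", False, BAD_PASSWORD),
    _ev("2025-02-24T02:00:17Z", "carol@example.com", "203.0.113.10", "IMAP4", False, BAD_PASSWORD),
    _ev("2025-02-24T02:00:25Z", "dave@example.com",  "203.0.113.10", "IMAP4", False, BAD_PASSWORD),
    _ev("2025-02-24T02:00:33Z", "erin@example.com",  "203.0.113.10", "Authenticated SMTP", False, BAD_PASSWORD),
    _ev("2025-02-24T02:00:41Z", "frank@example.com", "203.0.113.10", "Authenticated SMTP", False, SUCCESS),
    # Benign: modern client doing a non-interactive token refresh.
    _ev("2025-02-24T02:05:00Z", "alice@example.com", "198.51.100.7", "Mobile Apps and Desktop clients", False, SUCCESS),
    # Interactive browser failure from the spray IP: not a legacy-auth event.
    _ev("2025-02-24T02:06:00Z", "grace@example.com", "203.0.113.10", "Browser", True, BAD_PASSWORD),
]


def is_legacy_noninteractive(ev):
    """True for the sign-ins this hunt cares about: non-interactive over Basic Auth."""
    return (not ev["isInteractive"]) and ev["clientAppUsed"] in LEGACY_CLIENT_APPS


def find_spray_sources(events, min_distinct_users=5, window=timedelta(hours=1)):
    """Return {ip: {...}} for each source IP whose legacy, non-interactive
    bad-password failures hit at least `min_distinct_users` distinct accounts
    inside any `window`, plus every account that authenticated successfully
    from that IP (those credentials are the ones to rotate first)."""
    by_ip = defaultdict(list)
    for ev in events:
        if is_legacy_noninteractive(ev):
            by_ip[ev["ipAddress"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        failures = sorted((e for e in evs if e["status"]["errorCode"] == BAD_PASSWORD),
                          key=lambda e: e["createdDateTime"])
        # Sliding window: for each failure, count the distinct accounts
        # targeted within `window` of it, and keep the largest set seen.
        sprayed = set()
        for i, first in enumerate(failures):
            start = datetime.strptime(first["createdDateTime"], TS_FORMAT)
            users = set()
            for later in failures[i:]:
                if datetime.strptime(later["createdDateTime"], TS_FORMAT) - start > window:
                    break
                users.add(later["userPrincipalName"])
            if len(users) > len(sprayed):
                sprayed = users
        if len(sprayed) >= min_distinct_users:
            findings[ip] = {
                "sprayed_accounts": sorted(sprayed),
                "successful_logins": sorted({e["userPrincipalName"] for e in evs
                                             if e["status"]["errorCode"] == SUCCESS}),
            }
    return findings


if __name__ == "__main__":
    print(json.dumps(find_spray_sources(SAMPLE_SIGNINS), indent=2))
```

Feed it the non-interactive sign-in records exported from the Entra admin center or from the Graph `auditLogs/signIns` endpoint instead of `SAMPLE_SIGNINS`. Any IP that shows up with `successful_logins` is a credential-rotation task, not just an alert; and the interactive browser failure in the sample is ignored on purpose, because monitoring only interactive events is exactly the blind spot the advisory describes.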
To review the full advisory, please follow the linked source material.
Source: Strike | SecurityScorecard
Outlook’s spam filter is designed to block emails containing direct links to malicious file types such as **.iso** or **.exe**. However, attackers can bypass this protection by hiding the harmful URL behind a hyperlink whose displayed text looks safe, so the real destination is never inspected. This gap lets threat actors evade the control and deceive users into downloading malware.
According to a report from Afine, closing this weakness requires Outlook’s spam filters to examine both the displayed text of a hyperlink and the URL it actually points to. Since attackers often chain redirects to evade detection, the filter must also follow links to their final destinations before deciding. Stronger URL analysis will improve detection of hidden malicious links and reduce phishing risk. As always, phishing awareness training remains crucial to stopping the attacks that do bypass spam filtering.
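What "examine both the displayed text and the actual URL, and trace redirects" looks like in practice, as an added example that is neither Outlook's filter nor Afine's code: it parses a constructed HTML email body with the Python standard library, resolves each href through a constructed redirect table (a real filter would follow HTTP 3xx responses), and flags a link when the final URL ends in a blocked extension, when the displayed text is a URL on a different host than the href, or when a redirect was involved. The extension list is the two types named in the report.

```python
"""Flag hyperlinks whose visible text hides a different, risky destination.

Added example illustrating the gap described above; not Outlook's filter
or Afine's code. The email body and the redirect table are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKED_EXTENSIONS = (".iso", ".exe")   # the file types named in the report

# Constructed redirect table; a real filter would follow HTTP 3xx responses.
REDIRECTS = {
    "https://files.example.net/r/4f2a": "https://cdn.example.org/pkg/installer.exe",
}

# Constructed phishing-style body. Link 1 shows a trustworthy-looking URL as
# its text but points through a redirect to an .exe; link 2 is benign; link 3
# is the direct-link case the filter already catches.
SAMPLE_EMAIL = """<p>Your invoice is ready.</p>
<a href="https://files.example.net/r/4f2a">https://portal.example.com/invoice</a>
<a href="https://www.example.com/docs/guide.pdf">Read the guide</a>
<a href="https://cdn.example.org/pkg/tool.iso">https://cdn.example.org/pkg/tool.iso</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def resolve(url, redirects=REDIRECTS, max_hops=5):
    """Follow the redirect table to the final URL; returns (final, chain)."""
    chain = [url]
    for _ in range(max_hops):              # bounded, so a redirect loop cannot hang us
        nxt = redirects.get(url)
        if nxt is None:
            break
        url = nxt
        chain.append(url)
    return url, chain


def _host_of(text):
    """Hostname of a URL-looking display string, or None if it is not a URL."""
    t = text.strip().lower()
    if t.startswith("www."):
        t = "https://" + t
    if not t.startswith(("http://", "https://")):
        return None
    return urlparse(t).hostname


def analyze_links(html):
    """Return one finding per hyperlink with the reasons it looks suspicious."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        final, chain = resolve(href)
        reasons = []
        # Check the *final* destination, not the href as written.
        if urlparse(final).path.lower().endswith(BLOCKED_EXTENSIONS):
            reasons.append("blocked_extension")
        # Displayed text that is itself a URL must agree with the real href.
        shown = _host_of(text)
        if shown is not None and shown != urlparse(href).hostname:
            reasons.append("display_host_mismatch")
        if len(chain) > 1:
            reasons.append("redirect")
        findings.append({"href": href, "text": text, "final_url": final, "reasons": reasons})
    return findings


def suspicious_links(html):
    """Only the links that tripped at least one rule."""
    return [f for f in analyze_links(html) if f["reasons"]]


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f["href"], "->", f["final_url"], f["reasons"])
```

The first link is the case the report is about: checking only the href as written would see an innocuous path with no file extension, and checking only the displayed text would see a legitimate-looking host. Both checks plus redirect tracing are needed to reach the `.exe`.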
Source: Afine
CISA added four new CVEs to its Known Exploited Vulnerabilities (KEV) catalog this week.
Don't know where to begin with vulnerability management?
Using CISA's KEV catalog as a risk-based approach can be a great way to help prioritize vulnerability remediation in your organization: every entry has confirmed evidence of exploitation in the wild and carries a remediation due date. CISA publishes guidance on how to incorporate the KEV catalog into your vulnerability management program.
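One concrete way to put the KEV catalog to work, as an added example that is not CISA's tooling: take the findings a vulnerability scanner produced and rank them so that anything in KEV outranks anything that is not, regardless of CVSS, with past-due KEV entries first and known ransomware use breaking ties. The code uses the field names of the public KEV JSON feed (`vulnerabilities[].cveID`, `dueDate`, `knownRansomwareCampaignUse`) but runs on a constructed catalog with placeholder CVE IDs so it works offline; the P1/P2/P3 tiers and the scanner record shape are assumptions.

```python
"""Rank scanner findings against the CISA KEV catalog.

Added example, not CISA's tooling. Field names match the public KEV JSON
feed; the catalog, scanner findings and "today" below are constructed
(placeholder CVE IDs, not real vulnerabilities). Tier rules are assumed.
"""
import json
from datetime import date

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
AS_OF = date(2025, 2, 28)   # constructed "today" so results are reproducible

# Constructed stand-in for the feed; IDs are placeholders, not real CVEs.
CONSTRUCTED_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "Gateway",
         "dateAdded": "2025-02-17", "dueDate": "2025-03-10",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "Portal",
         "dateAdded": "2025-02-27", "dueDate": "2025-03-20",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0004", "vendorProject": "OtherCo", "product": "Agent",
         "dateAdded": "2025-01-11", "dueDate": "2025-02-01",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed scanner output: CVE, affected host, CVSS base score.
SCAN_FINDINGS = [
    {"cve": "CVE-0000-0003", "host": "db01", "cvss": 10.0},   # critical, but not in KEV
    {"cve": "CVE-0000-0002", "host": "web02", "cvss": 9.8},
    {"cve": "CVE-0000-0001", "host": "vpn01", "cvss": 7.5},
    {"cve": "CVE-0000-0004", "host": "ws17", "cvss": 5.0},
]


def load_kev(path):
    """Load a downloaded copy of the KEV feed (same shape as CONSTRUCTED_KEV)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def index_kev(catalog):
    """Map cveID -> KEV entry for O(1) lookup."""
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def prioritize(findings, kev_index, today=None):
    """Order findings: KEV entries before non-KEV regardless of CVSS; within
    KEV, past-due first, then nearest due date, then known ransomware use;
    CVSS only orders what is left."""
    today = today or date.today()
    ranked = []
    for f in findings:
        entry = kev_index.get(f["cve"])
        if entry is None:
            tier, days_left, ransomware = "P3", None, False
        else:
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            ransomware = entry["knownRansomwareCampaignUse"] == "Known"
            tier = "P1" if (days_left < 0 or ransomware) else "P2"
        ranked.append({**f, "tier": tier, "in_kev": entry is not None,
                       "days_to_due": days_left, "ransomware": ransomware})
    ranked.sort(key=lambda r: (
        0 if r["in_kev"] else 1,
        r["days_to_due"] if r["in_kev"] else 0,
        0 if r["ransomware"] else 1,
        -r["cvss"],
    ))
    return ranked


if __name__ == "__main__":
    for r in prioritize(SCAN_FINDINGS, index_kev(CONSTRUCTED_KEV), AS_OF):
        print(f'{r["tier"]}  {r["cve"]}  {r["host"]}  cvss={r["cvss"]}  '
              f'kev={r["in_kev"]}  days_to_due={r["days_to_due"]}')
```

Note that the CVSS 10.0 finding lands last: severity alone would have put it first, while the KEV-driven order surfaces the three vulnerabilities that are actually being exploited, starting with the one already past its due date. For real use, replace `CONSTRUCTED_KEV` with `load_kev("known_exploited_vulnerabilities.json")` after downloading `KEV_FEED_URL`.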
Source: Known Exploited Vulnerabilities Catalog | CISA
Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact