MatrixPDF toolkit – advisory
Telenor Cyberdefence hereby informs its partners that a new phishing and malware distribution toolkit called “MatrixPDF” has been observed in active use in the Nordics. MatrixPDF is readily available and easy for attackers to use, and because the kit is highly adaptable, detection has so far been challenging.
The following characteristics have been observed:
The sender may be a legitimate account that has itself been compromised through MatrixPDF.
The email contains a .pdf attachment that is password protected (because scanners cannot open an encrypted PDF, content scanning of the attachment is bypassed).
The email contains the password for the attachment in plaintext.
The user is asked to enter the password from the email.
When the PDF attachment is opened, its content is blurred and the user must click to see a “preview”.
The user is then sent to a URL that requests Microsoft login credentials, which are subsequently stolen.
Two things to look out for especially:
A .pdf protected with a password, where the password is sent in plain text in the same email.
A blurred .pdf that prompts the user to click in order to preview it.
The kit lets the attacker choose which PDFs are used as blurred backgrounds (these may originally be legitimate documents) and change the URL to which the victim is sent.
Detections will be reactive (they follow campaigns that have already been observed), so users must be made aware of the two main indicators mentioned above.
It is important that users use the “Report Phishing” feature whenever they encounter something similar, so that detections can be improved.
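The two indicators above can also be checked mechanically at the mail gateway or in a SOC triage script. The following is an added example, not code from Telenor Cyberdefence or from the MatrixPDF kit: it parses a raw RFC 5322 message, looks for a PDF attachment whose trailer declares /Encrypt (the marker an encrypted PDF always carries), and then checks whether the message body hands over a password in clear text. The sample message, its addresses and the minimal PDF-like attachment are constructed for the demonstration; the regular expression is a heuristic and is an assumption, not a vendor signature.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# An encrypted PDF declares an /Encrypt entry in its trailer dictionary, so a
# byte search distinguishes "password-protected" from "plain" without parsing
# the file. This is also why content scanners cannot look inside such files.
ENCRYPT_MARKER = b"/Encrypt"

# Heuristic (assumption): a line that hands the recipient a password in clear
# text, in English or Norwegian ("The password is 1234", "Passord: 1234").
PASSWORD_DISCLOSURE = re.compile(
    r"\b(?:password|passord)\b\s*(?:is|er|:)\s*\S+", re.IGNORECASE
)


def pdf_is_encrypted(data: bytes) -> bool:
    """True when the bytes look like a PDF whose trailer carries /Encrypt."""
    return data.lstrip().startswith(b"%PDF") and ENCRYPT_MARKER in data


def body_discloses_password(body: str) -> bool:
    return PASSWORD_DISCLOSURE.search(body) is not None


def flag_message(raw: bytes) -> list[str]:
    """Return the MatrixPDF-style indicators found in a raw message, in order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        is_pdf = name.endswith(".pdf") or part.get_content_type() == "application/pdf"
        if is_pdf and pdf_is_encrypted(part.get_payload(decode=True) or b""):
            findings.append(f"password-protected PDF attachment: {name or '(unnamed)'}")
    # The second indicator only matters together with the first.
    if findings and body_discloses_password(body):
        findings.append("attachment password disclosed in plain text in the message body")
    return findings


def is_matrixpdf_like(raw: bytes) -> bool:
    """Both indicators from the advisory present: encrypted PDF plus its password in the body."""
    return any(f.startswith("attachment password") for f in flag_message(raw))


def build_sample(encrypted: bool, disclose_password: bool) -> bytes:
    """Construct a test message (not a real capture) with a minimal PDF-like attachment."""
    # Constructed stand-in for a PDF: only the header and trailer matter to the check.
    trailer = b"<< /Root 1 0 R /Encrypt 2 0 R >>" if encrypted else b"<< /Root 1 0 R >>"
    pdf = b"%PDF-1.7\ntrailer\n" + trailer + b"\nstartxref\n0\n%%EOF\n"
    body = "Please find the document attached."
    if disclose_password:
        body += " The password is 48213."
    msg = EmailMessage()
    msg["From"] = "colleague@partner.example"   # constructed sender
    msg["To"] = "user@example.com"              # constructed recipient
    msg["Subject"] = "Document for review"
    msg.set_content(body)
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="Document.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for enc, disc in ((True, True), (True, False), (False, True)):
        sample = build_sample(enc, disc)
        print(f"encrypted={enc} password_in_body={disc}: "
              f"{flag_message(sample)} -> suspicious={is_matrixpdf_like(sample)}")
```

The /Encrypt check is deliberately cheap so it can run on every inbound message; a full PDF parser is not needed to raise the first indicator, and an encrypted attachment whose password is not in the body is reported on its own so an analyst can still take a look.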
Recommended actions:
Disable the “Keep me signed in” function for users.
Enforce MFA on ALL logins. Use ONLY an authenticator app, NOT SMS. Passkeys are recommended.
Implement conditional access policies (e.g., block foreign IP addresses).
Limit the number of emails that can be sent per hour/day.
Consider acquiring Entra ID P2 licenses for improved detection and blocking of risky sign-ins.
Consider acquiring Defender for Identity. Available as part of Enterprise Mobility + Security E5 suite (EMS E5), or standalone. Contact your SDM/KAM for help.
Review mailboxes for all users and look for suspicious inbox rules.
Review sign-in and authentication logs for all users and check for suspicious activity.
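The last two recommended actions (reviewing inbox rules and sign-in logs for all users) are the ones most often done by hand. The following is an added example, not Telenor's tooling, showing how the exported data can be triaged in bulk. The rule and sign-in records are constructed samples; their field names are assumptions loosely modelled on Exchange Online inbox-rule properties and Entra sign-in log fields, not an official schema, and the trusted domains and expected countries are placeholders to replace with the organisation's own values.

```python
from datetime import datetime, timedelta

# Assumptions (not from the advisory): the organisation's own mail domains and
# the countries from which staff are expected to sign in.
TRUSTED_DOMAINS = {"example.com"}
EXPECTED_COUNTRIES = {"NO", "SE", "DK", "FI"}
# Folders that users rarely open, where hidden mail tends to go unnoticed.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}
# Keywords that indicate a rule is designed to intercept security or payment mail.
SENSITIVE_WORDS = {"password", "passord", "invoice", "faktura", "phishing",
                   "security", "mfa", "hacked"}


def review_inbox_rule(rule: dict) -> list[str]:
    """Return reasons a rule looks like attacker persistence; empty means unremarkable."""
    reasons = []
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    for addr in targets:
        if addr.rsplit("@", 1)[-1].lower() not in TRUSTED_DOMAINS:
            reasons.append(f"forwards mail outside the organisation ({addr})")
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to a rarely watched folder ({rule['MoveToFolder']})")
    words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords", [])}
    if words & SENSITIVE_WORDS:
        reasons.append("filters on security- or payment-related keywords")
    if len(rule.get("Name", "").strip()) <= 1:
        reasons.append("empty or single-character rule name")
    return reasons


def review_sign_ins(events: list[dict], window: timedelta = timedelta(hours=1)) -> dict:
    """Map each user to reasons their successful sign-ins deserve a closer look."""
    findings: dict[str, list[str]] = {}
    last_seen: dict[str, tuple[datetime, str]] = {}
    for ev in sorted(events, key=lambda e: e["CreatedDateTime"]):
        if ev["Status"] != "success":
            continue
        user = ev["UserPrincipalName"]
        ts = datetime.fromisoformat(ev["CreatedDateTime"])
        reasons = findings.setdefault(user, [])
        if ev["Country"] not in EXPECTED_COUNTRIES:
            reasons.append(f"sign-in from unexpected country {ev['Country']} ({ev['IpAddress']})")
        if ev["AuthenticationRequirement"] != "multiFactorAuthentication":
            reasons.append(f"single-factor sign-in at {ev['CreatedDateTime']}")
        prev = last_seen.get(user)
        if prev and prev[1] != ev["Country"] and ts - prev[0] <= window:
            reasons.append(f"sign-ins from {prev[1]} and {ev['Country']} within {window}")
        last_seen[user] = (ts, ev["Country"])
    return {u: r for u, r in findings.items() if r}


# Constructed sample export (not real data).
SAMPLE_RULES = [
    {"Name": "Invoices to accounting", "ForwardTo": ["accounting@example.com"]},
    {"Name": ".", "SubjectOrBodyContainsWords": ["password", "invoice"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Name": "Backup", "ForwardTo": ["mailbox@external-mail.test"], "DeleteMessage": True},
]
SAMPLE_SIGN_INS = [
    {"UserPrincipalName": "alice@example.com", "CreatedDateTime": "2024-05-02T08:00:00+00:00",
     "IpAddress": "192.0.2.10", "Country": "NO", "Status": "success",
     "AuthenticationRequirement": "multiFactorAuthentication"},
    {"UserPrincipalName": "alice@example.com", "CreatedDateTime": "2024-05-02T08:30:00+00:00",
     "IpAddress": "198.51.100.7", "Country": "NG", "Status": "success",
     "AuthenticationRequirement": "singleFactorAuthentication"},
    {"UserPrincipalName": "bob@example.com", "CreatedDateTime": "2024-05-02T09:00:00+00:00",
     "IpAddress": "198.51.100.8", "Country": "NG", "Status": "failure",
     "AuthenticationRequirement": "singleFactorAuthentication"},
    {"UserPrincipalName": "bob@example.com", "CreatedDateTime": "2024-05-02T09:05:00+00:00",
     "IpAddress": "192.0.2.11", "Country": "NO", "Status": "success",
     "AuthenticationRequirement": "multiFactorAuthentication"},
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule["Name"] or "(unnamed)", "->", review_inbox_rule(rule) or "ok")
    for user, reasons in review_sign_ins(SAMPLE_SIGN_INS).items():
        print(user, "->", reasons)
```

Failed sign-ins are skipped on purpose: a failed attempt from an unexpected country is background noise, while a successful single-factor sign-in from there shortly after a domestic one is exactly the pattern that follows a harvested password and is worth a password reset and session revocation.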