July phishing campaign
Analysis Summary
This incident summary is based on a report detailing an active phishing campaign observed in July 2025.
# Incident Report: July Financial Lure Phishing Campaign
## Executive Summary
An active phishing campaign targeting EU and US companies was identified in July 2025, leveraging financial lures delivered via PDF attachments containing QR codes. The attack aimed at credential harvesting using two specific domains, one newly registered and one potentially compromised. Response focused on identifying the threat indicators and understanding the attack chain similarity.
## Incident Details
- Discovery Date: July 30, 2025 (Based on report publication date)
- Incident Date: Occurred prior to, and ongoing as of, July 2025
- Affected Organization: Multiple EU and US companies (Not specifically named)
- Sector: Undisclosed; the financial lure theme suggests finance-related staff and functions as the intended targets
- Geography: EU and US
## Timeline of Events
### Initial Access
- Date/Time: Prior to/During July 2025
- Vector: Email Phishing
- Details: Emails with a financial lure theme were sent to targets. These emails contained a PDF document. Inside the PDF, a QR code directed users to credential harvesting websites.
### Lateral Movement
- **Not explicitly detailed.** The focus of the report is on the initial delivery and credential harvesting mechanism.
### Data Exfiltration/Impact
- **Credential Harvesting:** The primary goal was harvesting user credentials via phishing pages hosted on `dallasonrasolutions[.]cloud` and `withbible[.]com`.
### Detection & Response
- **Detection:** Identified through analysis of email characteristics, originating IPs, and the use of identical HELO messages across different phishing instances.
- **Response:** The intelligence analyst documented and shared the Indicators of Compromise (IoCs) associated with the campaign.
## Attack Methodology
- **Initial Access:** Email Phishing (Financial Lure).
- **Persistence:** Not applicable for this specific delivery method, as it relies on user interaction.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Use of QR codes within PDFs to obfuscate the final landing URLs from basic email scanners. One landing domain (`dallasonrasolutions[.]cloud`) was newly registered.
- **Credential Access:** Tricking users into entering credentials on lookalike harvesting sites.
- **Discovery:** N/A (Intelligence report focus, not attacker actions within the network).
- **Lateral Movement:** Not detailed.
- **Collection:** Harvesting credentials.
- **Exfiltration:** Data (credentials) likely exfiltrated via the phishing sites to attacker-controlled infrastructure.
- **Impact:** Compromise of user accounts via stolen credentials.
## Impact Assessment
- **Financial:** Not quantified, but potential losses associated with credential compromise/account takeover.
- **Data Breach:** User credentials (type unspecified). Volume unknown.
- **Operational:** Potential disruption if key business accounts are compromised.
- **Reputational:** Low visibility unless targeted organizations disclose the breach.
## Indicators of Compromise
- **Network indicators (defanged):**
  - IP 1: 51[.]89[.]86[.]103
  - IP 2: 23[.]26[.]201[.]168
  - Domain 1: dallasonrasolutions[.]cloud (registered 1 day prior to analysis)
  - Domain 2: withbible[.]com (a seemingly older domain, potentially compromised for use)
- **File indicators:** EML samples of the phishing emails (with hashes of the malicious content); PDF attachments containing QR codes.
- **Behavioral indicators:** Identical HELO strings in the email headers of otherwise separate phishing instances; consistent financial lure theme.
## Response Actions
*(Note: Response actions listed are based on the analyst's documentation of the threat, not necessarily remediation steps taken by the targeted organizations.)*
- **Containment measures:** Sharing IoCs (IPs and domains) for immediate blocking/blacklisting by security infrastructure.
- **Eradication steps:** N/A (No internal network compromise documented).
- **Recovery actions:** N/A (No internal breach documented).
## Lessons Learned
- **Key takeaways:** Attackers are utilizing multi-stage delivery (Email -> PDF -> QR Code -> Phishing Site) to bypass standard defenses. The use of both new and potentially compromised legacy domains suggests adaptability in hosting infrastructure.
- **What could have been done better:** Immediate detection relies heavily on advanced threat intelligence monitoring and sandboxing capabilities to analyze embedded QR codes.
## Recommendations
- Implement enhanced email gateway filtering to flag emails carrying recognizable financial lures, especially those whose attachments (such as PDFs) exist only to be scanned with a phone camera.
- Increase monitoring and alerting around DNS lookups to newly registered domains, particularly those associated with inbound email traffic.
- Educate users specifically on QR-code-based phishing attacks embedded within documents.
- Investigate the history of older domains being used in conjunction with new infrastructure (`withbible[.]com` being 14 years old).
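The detection described in the report (identical HELO strings across separate phishing instances, known source IPs, a PDF attachment behind a financial-themed subject) can be turned into a triage rule over EML files. The following is an added example, not code from the report or its author: it builds three constructed sample messages with the standard library, extracts the HELO name and source IP from the `Received:` header, scores each message, and reports HELO names reused across messages. The lure keyword list and the mail-server names are assumptions; only the two IP addresses come from the report.

```python
import re
from collections import Counter
from email import message_from_string, policy
from email.message import EmailMessage

# IoC IPs listed in this report; the lure keyword list is an assumed sample set.
IOC_IPS = {"51.89.86.103", "23.26.201.168"}
LURE_WORDS = ("invoice", "payment", "remittance", "wire", "overdue")
# Matches "from <helo> (... [<ip>])" as written by the receiving MTA.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)

def make_sample(helo, ip, subject, pdf=True):
    """Build a constructed EML string for the demo (not a real capture)."""
    msg = EmailMessage()
    msg["Received"] = (f"from {helo} (unknown [{ip}]) by mx.corp.test "
                       "with ESMTP; Tue, 29 Jul 2025 09:10:11 +0000")
    msg["From"], msg["To"], msg["Subject"] = "ap@example.test", "ap@corp.test", subject
    msg.set_content("Scan the QR code in the attached document.")
    if pdf:  # placeholder bytes stand in for the QR-bearing PDF
        msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                           subtype="pdf", filename="invoice.pdf")
    return msg.as_string()

SAMPLES = [  # constructed: two campaign-style messages sharing a HELO, one benign
    make_sample("mail-relay.example.test", "51.89.86.103", "Overdue invoice - action required"),
    make_sample("mail-relay.example.test", "23.26.201.168", "Payment remittance advice"),
    make_sample("smtp.partner.test", "203.0.113.10", "Meeting notes", pdf=False),
]

def parse_hop(msg):
    """Return (helo, ip) from the first Received: header that matches, else (None, None)."""
    for hdr in msg.get_all("Received", []):
        if (m := RECEIVED_RE.search(hdr)):
            return m.group(1).lower(), m.group(2)
    return None, None

def score_message(raw):
    """Flag one EML: IoC source IP, PDF attachment, financial-lure subject."""
    msg = message_from_string(raw, policy=policy.default)
    helo, ip = parse_hop(msg)
    subject = str(msg.get("Subject", "")).lower()
    checks = {"ioc_ip": ip in IOC_IPS,
              "pdf_attachment": any(p.get_content_type() == "application/pdf" for p in msg.walk()),
              "financial_lure": any(w in subject for w in LURE_WORDS)}
    return {"helo": helo, "ip": ip, "flags": [k for k, hit in checks.items() if hit]}

def find_shared_helo(results):
    """HELO names reused by two or more messages: the campaign's telltale."""
    counts = Counter(r["helo"] for r in results if r["helo"])
    return {h for h, n in counts.items() if n > 1}
```

Running `score_message` over a day's quarantined EML files and then `find_shared_helo` on the results surfaces clusters to block even when the sending IPs are not yet on the IoC list.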