Freighty Cats: RFQ Phishing Comes to A Warehouse Near You
Hello to all our Cyber Stars! In this episode host Selena Larson welcomes back guest and part-time co-host Tim Kromphardt, fresh from DEFCON, to explore the world of request-for-quote (RFQ) fraud: a growing scam targeting small- to medium-sized businesses with fake purchase requests and net financing schemes.

Tim explains how cybercriminals exploit legitimate business practices to steal physical goods like networking tools, surveillance equipment, and medical devices. Using stolen business credentials, fake domains, and freight forwarding services, these scams combine social engineering with real-world theft. He shares firsthand stories of engaging with scammers directly, taking down fraudulent domains in real time, and even halting shipments in transit.

Selena and Tim break down how these schemes operate, the sophistication of the scammers, and why smaller, specialized companies are often targeted. They also provide practical tips for spotting and avoiding these scams, from verifying domains and emails to independently confirming contacts and addresses.

Resources Mentioned:
https://www.proofpoint.com/us/blog/threat-insight/net-rfq-request-quote-scammers-casting-wide-net-steal-real-goods

For more information about Proofpoint, check out our website.

Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!
--------
35:44
Direct Send Exploitation & URL Rewrite Attacks: What Security Teams Must Know
Hello to all our Cyber Squirrels! In this extra-packed episode of Discarded, host Selena Larson welcomes Proofpoint Principal Research Engineer Jason Ford for his first appearance on the show. Together, they dive into two resurging email attack techniques, Microsoft 365 Direct Send abuse and URL rewrite abuse, and why defending against them requires more than just traditional email security.

Jason explains what Direct Send is, why attackers exploit this legacy feature, and how it enables phishing campaigns that appear to originate from inside an organization. From QR code phishing kits to "to-do list" themed lures, Selena and Jason break down attack chains, share real-world examples, and highlight the red flags that indicate exploitation. They also explore how adversaries weaponize URL rewrites in redirect chains to deliver malware and credential phishing.

We also unpack:
- How Direct Send works under the hood and why legacy features are a prime target
- Common signs in email headers that reveal Direct Send abuse
- The role of URL rewrites in modern phishing campaigns
- Why credential phishing has overtaken malware as the go-to tactic
- Practical steps organizations can take, including when it makes sense to disable Direct Send
- The importance of layered defenses, user education, and risk awareness across SaaS apps
- Predictions on which "old school" techniques might resurface next

This episode offers a clear, actionable look at how threat actors adapt and why everything old in cybercrime eventually becomes new again.

Resources Mentioned:
https://www.proofpoint.com/us/blog/email-and-cloud-threats/attackers-abuse-m365-for-internal-phishing
http://www.jasonsford.com
https://github.com/jasonsford/directsendanalyzer

For more information about Proofpoint, check out our website.

Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!
--------
43:05
Phish, Chips & Voldemort: Inside China’s Cyber Targeting of Taiwan
Hello to all our Cyber Panda Bears! In this extra-packed episode of Discarded, host Selena Larson and guest host Sarah Sabotka reunite with Staff Threat Researcher Mark Kelly to dive deep into China-aligned espionage activity, this time with a focus on Taiwan's semiconductor ecosystem and the strange, stealthy tools threat actors are using to get in.

Mark walks us through Proofpoint's latest research on custom malware (yes, "Voldemort" is back), threat clusters with pun-filled names like UNK_SparkyCarp and UNK_DropPitch, and why Taiwan's chip industry has become such a hot target. From design and manufacturing to financial analysts and supply chains, Chinese state-aligned actors are getting more creative, and more persistent.

We also unpack:
- The "Phish & Chips" campaign and how it fits into China's broader geopolitical strategy
- Why pop culture references like Voldemort and Mr. Robot keep showing up in espionage infrastructure
- Attribution headaches, including Proofpoint's tracking of multiple unattributed threat clusters with UNK designators
- How AI, LLMs, and adversary-in-the-middle phishing are influencing espionage tactics
- The use of RMM tools and spoofed macOS folders for stealth
- Why basic backdoors are making a strategic comeback
- A threat intel team's deep love for vegetables, puns, and report titles

Whether you're tracking state-sponsored cyber activity, curious about weird malware names, or just here for the expert banter, this episode has you covered.

Resources Mentioned:
Phish & Chips: Chinese Espionage Activity Targeting Taiwan's Semiconductor Ecosystem

For more information about Proofpoint, check out our website.

Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!
--------
42:53
Threat Actor Theater: TA2541, TA558, and the Cyber Heist Crew TA582
Hello to all our cyber pals! In this episode of Discarded, host Selena Larson and co-host Tim Kromphardt are joined by Joe Wise, Senior Threat Researcher at Proofpoint, for a deep dive into the chaotic brilliance of mid-tier eCrime actors, including the elusive TA582.

We explore recent activity from TA2541 and TA558, two groups known for their uncanny consistency and precision targeting, before shifting focus to TA582: a standout in today's threat landscape. TA582's multilayered, region-specific lures (think vintage car sales and fake speeding tickets) and complex delivery models are impressive compared to your typical cybercriminal.

What you'll hear:
- How TA2541 and TA558 maintain eerily consistent lures and targeting year after year
- The regional flavor behind lures in Latin America and Europe, especially during tax season
- Why TA582 feels like a digital jigsaw puzzle, with simultaneous email, web inject, and compromised site vectors
- A breakdown of TA582's evolving payloads, from GhostWeaver to Interlock RAT
- The surprising links between threat actor collaboration, initial access brokers, and shifting loader trends
- How weird or silly variable names can enable threat actor tracking
- And yes, 13 URLs that need the Tron soundtrack playing in the background to explore

For more information about Proofpoint, check out our website.

Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!
--------
37:54
10 Things I Hate About Attribution: A Clustering Conundrum
Hello to all our cyber detectives and pedantic CTI friends! In this episode of Discarded, host Selena Larson is joined by Greg Lesnewich, Staff Threat Researcher at Proofpoint, for a behind-the-scenes look at one of the most frustratingly fascinating attribution cases yet.

What begins as a lighthearted rant ("10 Things I Hate About Attribution") quickly turns into a deep dive into the murky overlap between TA829 (aka RomCom), TA289, and the elusive GreenSec cluster. From TransferLoader and malware panels to REM proxy infrastructure and attack chain similarities, Greg and Selena dissect the breadcrumb trail that led to a 25-page blog, a mountain of malware chains (Dusty Hammock? Single Camper?), and an attribution headache.

Topics Include:
- TA829 (aka RomCom) and the elusive GreenSec cluster: what's the difference?
- Vertical targeting overlap (and divergence)
- Malware breakdown: TransferLoader vs. RomCom and related malware
- Use of REM proxy and rebrand.ly infrastructure
- Attribution logic and the perils of shared tooling
- Bonus: existential mysteries and karaoke mic commentary

The attribution game isn't always about getting it right; it's about asking better questions. Join us in the mess, and keep connecting the dots.

For more information about Proofpoint, check out our website.

Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!
About DISCARDED: Tales From the Threat Research Trenches
DISCARDED: Tales from the Threat Research Trenches is a podcast for security practitioners, intelligence analysts, and threat hunters looking to learn more about threat behaviors and attack patterns. In each episode you'll hear real-world insights from our researchers about the latest trends in malware, threat actors, TTPs, and more.