Abusing Discord to deliver Agent Tesla malware
Blog post from Sublime Security
Sublime's Attack Spotlight series highlights real-world email threats; this installment covers a malware campaign that can lead to ransomware, observed targeting Google Workspace users. The lure is a fake purchase-order email whose embedded logo image is hyperlinked to a file on Discord's CDN. Clicking the logo downloads a VBE file (encoded VBScript) which, when run, executes the Agent Tesla Remote Access Trojan (RAT). Agent Tesla is frequently sold through Malware-as-a-Service (MaaS) operations and is used to gain initial access to compromised systems so that more advanced malware, including ransomware, can be deployed afterwards.

Sublime detects and blocks this attack on several signals: a link to a reputable file-hosting service (here Discord) used to evade scrutiny, a link that auto-downloads a suspicious file type, a Reply-To address that does not match the sender address, and mail from a sender the recipient's organization has no prior history with. The post closes by noting the platform's ability to stop such email-based threats and inviting readers to deploy a free instance of Sublime.
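As an added example (not Sublime's own detection code or its query language), the following Python checks a constructed purchase-order lure against the four signals described above. The file-hosting host list, the suspicious-extension list and the known-sender allow-list are assumptions for illustration.

```python
import os
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed reference lists for the demonstration (not from the post).
FILE_HOSTING_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
SUSPICIOUS_EXTS = {".vbe", ".vbs", ".js", ".hta", ".exe", ".scr"}
KNOWN_SENDERS = {"orders@trusted-supplier.example"}  # constructed allow-list
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)

def extract_links(msg):
    # Collect every href found in the text parts of the message.
    links = []
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            links.extend(HREF_RE.findall(body))
    return links

def analyze(raw_email):
    # Return the list of detection signals triggered by one raw email.
    msg = message_from_string(raw_email)
    signals = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != sender:
        signals.append("reply_to_mismatch")
    if sender not in KNOWN_SENDERS:
        signals.append("unknown_sender")
    for link in extract_links(msg):
        url = urlparse(link)
        host = (url.hostname or "").lower()
        ext = os.path.splitext(url.path)[1].lower()
        if host in FILE_HOSTING_HOSTS:
            signals.append("file_hosting_link:" + host)
        if ext in SUSPICIOUS_EXTS:  # a direct link to a script is a download
            signals.append("suspicious_file_link:" + ext)
    return signals

# Constructed lure modelled on the post: a logo image wrapped in a link to a
# .vbe on the Discord CDN, with a Reply-To that differs from the From address.
SAMPLE = """\
From: "Accounts Payable" <ap@supplier-invoices.example>
Reply-To: billing.desk@mailbox.example
Subject: Purchase Order #4471
Content-Type: text/html; charset=utf-8

<html><body><a href="https://cdn.discordapp.com/attachments/111/222/PO-4471.vbe">
<img src="https://cdn.discordapp.com/attachments/111/222/logo.png"></a></body></html>
"""
```

Running `analyze(SAMPLE)` yields all four signals; a plain message from an allow-listed sender with no links yields none.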