Following on from this post from last week. We are seeing another what looks like Hawkeye or Agent Tesla keylogger campaign using identical methods. All the same sites and hosting companies are involved with the same possibility of the DNS on Godaddy being compromised to allow this scummy domain to work. In exactly the same way I saw last week, the email body content on the mail server is different to the body content in the email, when it is delivered to the prospective victim. Once again the XLS file attachment uses CVE-2017-11882 to download the Hawkeye or Agent Tesla … Continue reading →