Proofpoint researchers identified TA571 delivering the Forked variant of IcedID in two campaigns on 11 and 18 October 2023. Both campaigns included over 6,000 messages, each affecting over 1,200 customers in a variety of industries globally. Emails in the campaigns purported to be replies to existing threads, a technique known as thread hijacking.
The emails contained 404 TDS URLs linking to the download of a password-protected zip archive, with the password listed in the email. The attack chain included a series of checks to validate the recipient before delivering the zip archive.
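The traits described above (a message posing as a reply, a link to an archive, and the archive password stated in the body) can be screened for at the mail gateway or in a SOC triage script. The following is an added example written for this page, not Proofpoint's tooling or detection content; the two messages, the header values and the `example.invalid` addresses are constructed, and the header check (a "RE:" subject with no In-Reply-To or References header) is a heuristic signal rather than a definitive indicator, since some mail clients and forwarding paths drop threading headers on genuine replies.

```python
"""Heuristic screen for thread-hijacking lures that link to a password-protected
archive. Added example for this page; sample messages are constructed."""
import email
import re
from email import policy

# Subjects that claim to continue a thread (English and common German prefixes).
REPLY_PREFIX_RE = re.compile(r"^\s*(?:re|fw|fwd|aw|wg)\s*:", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# "password is 1234", "Password: abc", "pass 4321" and similar.
PASSWORD_RE = re.compile(r"\b(?:password|passcode|pass|pwd)\b\s*(?:is|:)?\s*\S+", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"\b(?:zip|archive|7z|rar)\b", re.IGNORECASE)


def score_message(raw: str) -> dict:
    """Return the heuristic flags raised by one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""

    flags = []
    claims_reply = bool(REPLY_PREFIX_RE.match(subject))
    has_thread_headers = bool(msg.get("In-Reply-To") or msg.get("References"))
    if claims_reply and not has_thread_headers:
        # A real reply normally carries the parent's Message-ID in these headers.
        flags.append("reply_subject_without_threading_headers")

    urls = URL_RE.findall(text)
    if urls:
        flags.append("body_has_url")
    if PASSWORD_RE.search(text) and ARCHIVE_RE.search(text):
        # Password for an archive delivered in the same message defeats
        # gateway scanning of the archive, so treat it as its own signal.
        flags.append("archive_password_in_body")
    if urls and "archive_password_in_body" in flags:
        flags.append("url_plus_archive_password")

    return {
        "subject": subject,
        "urls": urls,
        "flags": flags,
        # All three independent signals together mark the message for triage.
        "suspicious": {"reply_subject_without_threading_headers",
                       "body_has_url",
                       "archive_password_in_body"} <= set(flags),
    }


# Constructed lure: poses as a reply, no threading headers, archive link + password.
LURE = """From: Alice <alice@example.invalid>
To: bob@example.invalid
Subject: RE: invoice for October
Message-ID: <constructed-lure-1@example.invalid>
Content-Type: text/plain; charset="utf-8"

Hi Bob, as discussed the updated file is here:
https://example.invalid/dl/invoice.zip
The archive password is 2023
Thanks
"""

# Constructed genuine reply: same subject style but proper threading headers,
# no link and no password.
GENUINE = """From: Carol <carol@example.invalid>
To: bob@example.invalid
Subject: RE: invoice for October
Message-ID: <constructed-reply-2@example.invalid>
In-Reply-To: <constructed-orig-0@example.invalid>
References: <constructed-orig-0@example.invalid>
Content-Type: text/plain; charset="utf-8"

Thanks, received. I will process it on Friday.
"""


def screen(messages):
    """Return the results for every message that scored as suspicious."""
    return [r for r in (score_message(m) for m in messages) if r["suspicious"]]


if __name__ == "__main__":
    for result in (score_message(LURE), score_message(GENUINE)):
        print(result["subject"], "->", result["suspicious"], result["flags"])
```

In production the same three signals would be enriched rather than used alone: the URL would be checked against the organisation's URL-reputation feed, and the "reply without threading headers" signal would be weighed against the sender's history, since the goal is to surface candidates for analyst review, not to block on a regex.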