New Phishing Campaign Exploits Political Themes

A sophisticated phishing campaign is using polarizing political themes to steal credentials from professionals. The latest "Support ICE" themed emails trick recipients into entering their logins on fake portals, demonstrating how adversaries are tailoring social engineering to exploit hot-button issues.

The "Support ICE" campaign is a credential-harvesting operation targeting customers of email marketing platforms such as Emma and SendGrid. The emails claim that a politically charged "Support ICE" button is about to be added to the customer's email footers, creating urgency to log in through a malicious link in order to "opt out." Organizations targeted with this lure include Yale University, Texas A&M University, and Dogfish Head Brewery.

The campaign fits a broader trend in which threat actors, including nation-state groups from Russia, China, and Iran, weaponize polarizing political themes to get past email security. Urgent calls to action, such as fake donation requests or critical policy updates, are meant to trigger an emotional response and drive users toward credential theft. Since the launch of ChatGPT, AI-powered tools have contributed to a 1,265% surge in phishing emails, enabling more sophisticated and personalized attacks at scale.

For detection engineering, Splunk can identify such threats by correlating email gateway logs with web proxy and authentication data. A core detection rule would maintain watchlists of newly registered domains and domains impersonating popular services, and alert when a user clicks a link from an external email and is immediately prompted for credentials on a non-standard login page. A sample Splunk query could be: `index=email OR index=proxy | spath | search (subject="*urgent*" OR subject="*verify*") AND (url="*.xyz" OR url="*.info") | stats count by user, src_ip, url`.

This maps directly to the DoD's Zero Trust "User" pillar, which mandates continuous identity verification and assumes the environment is already compromised. By logging and analyzing every access request, a SIEM can flag anomalous behavior, such as a user visiting a new or suspicious domain and entering credentials, which violates the principle of "never trust, always verify." This provides an auditable data point for demonstrating compliance with controls around identity governance and privileged access management.

The primary goal of these campaigns is credential theft, which remains the top initial attack vector, present in 22% of all breaches. Stolen credentials for SaaS platforms like Microsoft 365 and Google Workspace are frequently sold on dark web marketplaces. This underpins the Zero Trust focus on identity as the new perimeter: robust multi-factor authentication and continuous monitoring for compromised accounts are required because even a single stolen credential can grant an adversary initial access.
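As an added example, not part of the original briefing, the correlation rule described above (external email link, then a credential POST to a non-standard login page within a short window) implemented in Python over constructed email-gateway and web-proxy events; the domain names, users, watchlist and sanctioned login hosts are all placeholders.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample events (placeholder names, not real indicators). LURE is a
# hypothetical lookalike of the email-marketing platform's login page.
LURE = "emma-login.lookalike-example.xyz"
EMAIL_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "external": True,
     "subject": "URGENT: opt out of the Support ICE footer", "url": f"https://{LURE}/optout"},
    {"ts": "2024-05-01T09:05:00", "user": "bob", "external": True,
     "subject": "Weekly newsletter", "url": "https://news.example.com/weekly"},
]
PROXY_EVENTS = [
    {"ts": "2024-05-01T09:01:10", "user": "alice", "method": "GET", "host": LURE, "path": "/optout"},
    {"ts": "2024-05-01T09:01:40", "user": "alice", "method": "POST", "host": LURE, "path": "/optout/login"},
    {"ts": "2024-05-01T09:06:00", "user": "bob", "method": "GET", "host": "news.example.com", "path": "/weekly"},
]
# Hypothetical watchlist of newly registered / brand-impersonating domains, and the
# organisation's sanctioned login portals (placeholder names).
WATCHLIST = {LURE}
KNOWN_LOGIN_HOSTS = {"sso.corp.example", "login.corp.example"}
URGENCY_WORDS = ("urgent", "verify", "opt-out", "opt out")
LOGIN_PATH_WORDS = ("login", "signin", "auth")

def detect_credential_lures(email_events, proxy_events, watchlist, known_login_hosts,
                            window_minutes=10):
    """Flag an external email whose link is followed, within the window, by a credential
    POST from the same user to a login page that is not one of the sanctioned portals."""
    alerts = []
    for mail in email_events:
        if not mail["external"]:
            continue
        host = urlparse(mail["url"]).hostname
        t0 = datetime.fromisoformat(mail["ts"])
        deadline = t0 + timedelta(minutes=window_minutes)
        for req in proxy_events:
            t = datetime.fromisoformat(req["ts"])
            same_flow = (req["user"] == mail["user"] and req["host"] == host
                         and t0 <= t <= deadline and req["method"] == "POST")
            is_login = any(w in req["path"].lower() for w in LOGIN_PATH_WORDS)
            if not (same_flow and is_login) or host in known_login_hosts:
                continue  # benign browsing, or a login on a sanctioned portal
            reasons = ["credential POST to a non-sanctioned login page"]
            if host in watchlist:
                reasons.append("destination on watchlist")
            if any(w in mail["subject"].lower() for w in URGENCY_WORDS):
                reasons.append("urgency lure in subject")
            alerts.append({"user": mail["user"], "host": host, "ts": req["ts"], "reasons": reasons})
    return alerts
```

Each alert carries the reasons that fired, so a SOC can weight a watchlist hit or an urgency lure higher than a bare login POST to an unknown host.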
