Edition: June 23-29, 2025
(Real threats from this week, real skills for every week.)
TL;DR — What You’ll Learn This Week
DocuSign → Google login via Webflow phishing
OneNote malware & ScreenConnect delivery
Deepfake Zoom calls dropping macOS malware
GitHub token leaks exposing sensitive code
Shift Drill: Respond to phishing, build SIEM rules
Welcome to Real Threats → SOC Skills Weekly — your dropzone for real-world threat insights, hands-on drills, and analyst mindset training.
Whether you’re breaking into the field or sharpening your shift game, each edition helps you detect smarter, respond faster, and build instincts that land jobs — not just likes.
We don’t just break down threats — we turn them into applied learning you can practice, discuss, and use to interview stronger, build your portfolio, and show you think like a defender.
New to the SOC world? Start with the “Watch For” tips and the Shift Drill. Don’t worry about getting it all right — just show up weekly and build momentum. Got questions? Ask in the thread — the crew’s got your back.
This Week’s Incidents: Real Threats, Real Lessons
Each of these threats is a real-world training opportunity. You’re not just reading — you’re practicing how to triage, hunt, and respond like a SOC analyst. Whether you’re new or already battling alerts, ask yourself:
“How would I respond if this hit my SOC queue?”
1. Fake DocuSign → Google Login Theft
Fake DocuSign email hides tricky phishing attempt | Malwarebytes
MITRE Techniques: T1566.002 – Spearphishing Link
(MITRE ATT&CK is a guide that lists common hacker tricks—this one is about fake links in emails.)
Analyst Debrief
In June 2025, scammers pretended to be from DocuSign, a company that handles electronic signatures. They sent emails that looked real, asking people to click a link to “review a document.” This link took users to a fake website hosted on webflow.io, which then sent them to a fake Google login page to steal their passwords. The email came from a tricky fake address, [email protected], which is very close to the real DocuSign address. Once someone entered their Google details, hackers could access their account and possibly steal more information.
Key Red Flags:
- Sender address looks off with a typo: d0cus1gn.com instead of the real one
- Link goes to webflow.io, not a DocuSign site
- Weird request: a DocuSign email asking for Google login details
“Why would a DocuSign email ask me to log into Google to see a document?”
Watch For
- Emails from fake addresses like d0cus1gn.com
- Links that don’t match the company they claim to be from (e.g., DocuSign to webflow.io)
- Reports of fake login pages on sites like webflow.io
Tip for Beginners: If an email asks you to log into a different service (like Google) than you expect, don’t click the link. Instead, go directly to the company’s official website by typing the address yourself.
2. North Korean Deepfake Zoom Malware
https://www.securityweek.com/north-korean-hackers-take-over-victims-systems-using-zoom-meeting/
MITRE Techniques: T1566.003 – Spearphishing via Service, T1204.001 – User Execution: Malicious Link
Analyst Debrief
In June 2025, hackers from North Korea, possibly the BlueNoroff group, tricked people with fake Zoom meeting invites. They used Telegram to send a link (via Calendly) to a fake Zoom site, not the real zoom.us. During the call, they showed fake videos of company bosses (made with deepfake technology) to seem trustworthy. If the call had audio problems, they’d ask users to download a fake fix (an AppleScript) that secretly installed harmful software, like NimDoor, to spy on computers and steal data.
Key Red Flags:
- Meeting invites from unknown Telegram accounts or fake sites (not zoom.us)
- Requests to download fixes or run commands during a call
- Strange video or audio, like a boss sounding off or sudden tech issues
“Why would a Zoom call ask me to download something to fix the sound?”
Watch For
- Check email or chat for Zoom invites from odd sites (not zoom.us)
- Look out for downloads like AppleScript on Mac computers
- Notice if your device connects to Telegram or webflow.io
Tip for Beginners: Always verify a meeting invite with the person who sent it before joining, especially if it asks you to download anything.
3. Ahold Delhaize Ransomware Breach
Retail giant Ahold Delhaize says data breach affects 2.2 million people
MITRE Techniques: T1486 – Data Encrypted for Impact, T1566.001 – Spearphishing Attachment
Analyst Debrief
In November 2024, a ransomware attack hit Ahold Delhaize, a big grocery company with stores like Stop & Shop in the U.S. It affected 2.2 million customers and workers, exposing personal info like names and health details. Hackers likely started with fake emails containing harmful attachments that locked files with ransomware. After stealing data, they might use it to send more fake emails or steal identities.
Key Red Flags:
- Weird email attachments (like .docx or .pdf) from strangers
- Files on your computer suddenly locking or changing names
- Strange data leaving your device to unknown places
“Why are my files locking up, and why is my computer sending data somewhere odd?”
Watch For
- Signs of locked files (e.g., names ending in .lock) on your device
- Emails with attachments you didn’t expect
- Unusual internet activity on your network
Tip for Beginners: If your files lock or you get an odd email attachment, tell someone right away and avoid opening it. Back up important files regularly to stay safe.
Rapid Threats – High Signal Reads
1. GitHub Token Leak
- Summary: In June 2025, secret codes (API tokens) were accidentally shared on public GitHub pages, risking access to important systems.
- Why it matters: Hackers could use these codes to add bad software or steal data. Beginners should know to watch for odd changes in shared projects.
The Hacker News
2. Zoom Phishing (ScreenConnect)
- Summary: A June 2025 scam used fake Zoom links to trick people into installing ScreenConnect, letting hackers control their computers.
- Why it matters: This lets hackers sneak in quietly. Beginners should avoid downloading anything from unexpected meeting links.
Abnormal Security
3. Deepfake Zoom Malware
- Summary: North Korean hackers used fake Zoom calls with deepfake bosses in June 2025 to trick people into downloading harmful Mac software like NimDoor.
- Why it matters: It mixes fake videos with sneaky software. Beginners should be wary of video calls asking for downloads.
The Hacker News
4. Scattered Spider Targets Airlines
- Summary: In June 2025, the FBI warned that Scattered Spider hackers are pretending to be airline workers to steal data with fake calls and emails.
- Why it matters: These tricks can fool anyone. Beginners should check with the company if a call or email seems off.
The Hacker News
FBI X
5. Citrix Bleed 2 Flaw Exploited (CVE-2025-5777)
- Summary: A security weakness (CVE-2025-5777) in Citrix systems was used in June 2025 to let hackers sneak in without passwords.
- Why it matters: This affects remote work tools. Beginners should ensure software is updated to avoid this.
BleepingComputer
6. SparkKitty Malware on App Stores
- Summary: In June 2025, SparkKitty malware hid in apps on Google Play and Apple App Store, stealing photos and crypto wallet info.
- Why it matters: Even trusted stores can have risks. Beginners should check app permissions carefully.
BleepingComputer
7. CoinMarketCap Web3 Popup Hack
- Summary: A June 2025 attack on CoinMarketCap used fake popups to steal crypto from visitors’ wallets.
- Why it matters: Trusted sites can be hacked. Beginners should avoid clicking popups on crypto sites.
BleepingComputer
Shift Drill – Apply What You’ve Learned: The DocuSign Redirect Incident
Scenario: You’ve just logged in for your shift as a SOC analyst. An urgent high-priority alert hits the queue: a user has flagged an email claiming to be from DocuSign — but the system is asking them to authenticate using their Google account.
Your initial triage of the reported email immediately reveals these critical red flags:
- Sender: [email protected] (a typosquatting attempt—when hackers use a fake email address that looks almost like the real one)
- Redirect URL: The supposed login page is hosted on webflow.io (a legitimate platform often misused for phishing scams, not DocuSign’s official site)
Read the full Malwarebytes breakdown of this phishing campaign for context →
New to phishing? It’s when hackers send fake emails to trick you into sharing personal info, like passwords.
Complete the questions below and share your answers in the comments
Don’t feel pressured to have perfect or complete answers! Whether you’ve got a full triage plan, a few initial thoughts, or even questions about the scenario—drop them in the comments below! If you’re stuck, ask for help—the community’s here to support you.
Why this matters: Spotting suspicious emails and explaining risks clearly are key skills SOC analysts use every day to protect organizations.
Part 1: Build Your Analyst Instincts
“First, start with the basics. Think through these one at a time:”
1. What specific details would make you suspicious?
Is it the sender? The link? The mismatch between services?
2. Why does this attack feel wrong — even without the tech jargon?
How would you explain to someone that a DocuSign email asking for Google login is weird?
3. How would you warn a non-technical colleague about this email?
No jargon — just clear, confident guidance.
Tip for Beginners: Try sketching the attack steps (e.g., email → fake site → stolen password) on paper to visualize how the scam works. This can help you spot patterns in future alerts.
Part 2 (Optional): Level Up – Triage, Hunt, and Respond
“Now let’s go deeper — this is where you level up your analyst game.”
1. Can you find the exact malicious URL used in this attack?
(Hint: It’s in the Malwarebytes article)
2. What’s one IOC or email trait you’d search for in logs to spot others hit by this?
Sender address? URL path? Subject line?
3. What log sources or tools would you check to trace if anyone actually clicked that link?
Email logs? Web proxy? DNS? SIEM?
4. How would you write a detection rule for this in plain English?
For example: “Alert if an email contains a link to webflow.io but claims to be from DocuSign.”
BONUS QUESTION: What if a user did click the malicious link?
And let’s say someone did click it. What’s your next move?
What would you check to see if anything was downloaded?
How would you check if follow-up behavior occurred?
Would you look at process launches? file creation? DNS traffic?
“Think about how you’d escalate or contain it — or write a timeline of what happened.”
Comment what you’d do below! You don’t need to fully answer - just give it your best shot
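A working version of the plain-English rule from Part 2 (questions 2 and 4), as an added example that is not part of the original post or the Malwarebytes write-up: it normalizes digit-for-letter lookalikes in the sender domain, compares the sender against an assumed DocuSign allow-list, and flags any link whose domain the claimed brand does not own. The allow-list, the homoglyph table and the sample messages are constructed assumptions, not real campaign data.

```python
from urllib.parse import urlparse

# Assumed allow-list for the example: domains allowed to send DocuSign mail or host its links.
BRAND_DOMAINS = {"docusign": {"docusign.com", "docusign.net"}}
# Digit-for-letter swaps seen in lookalike domains: 0->o, 1->i, 3->e, 4->a, 5->s, 7->t.
HOMOGLYPHS = str.maketrans("013457", "oieast")

# Constructed sample messages (not real campaign data), in the shape a mail-log export gives.
SAMPLE_EMAILS = [
    {"id": "m1", "sender": "noreply@d0cus1gn.com", "subject": "Please review your document",
     "links": ["https://review-docs-1234.webflow.io/sign"]},
    {"id": "m2", "sender": "dse@docusign.net", "subject": "Completed: Lease agreement",
     "links": ["https://app.docusign.com/documents/abc"]},
    {"id": "m3", "sender": "alice@example.com", "subject": "Lunch on Friday?",
     "links": ["https://example.com/menu"]},
]

def registrable(host):
    # Crude registrable domain: last two labels (a.b.webflow.io -> webflow.io).
    return ".".join(host.lower().strip(".").split(".")[-2:])

def edit_distance(a, b):
    # Levenshtein distance; lets the rule catch one-character typosquats too.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(email):
    # Returns detection tags for one message; an empty list means no finding.
    sender_domain = registrable(email["sender"].split("@")[-1])
    label = sender_domain.split(".")[0].translate(HOMOGLYPHS)
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        lookalike = sender_domain not in allowed and edit_distance(label, brand) <= 1
        claims_brand = lookalike or sender_domain in allowed or brand in email["subject"].lower()
        if not claims_brand:
            continue
        if lookalike:
            findings.append(f"lookalike_sender:{sender_domain}")
        # The plain-English rule: claims the brand but links somewhere the brand does not own.
        for url in email["links"]:
            link_domain = registrable(urlparse(url).hostname or "")
            if link_domain not in allowed:
                findings.append(f"link_outside_brand:{brand}->{link_domain}")
    return findings

if __name__ == "__main__":
    for mail in SAMPLE_EMAILS:
        print(mail["id"], triage(mail) or "clean")
```

Feed it the sender, subject and extracted URLs from your mail gateway export and each tag maps directly onto a hunt (lookalike sender domains, links off-brand) from the recap table.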
Shift Recap – From Threat to Action
| Signal | Recommended Action |
|---|---|
| Fake DocuSign → Google login | Flag webflow.io usage in emails |
| Typosquatting domain | Hunt across recent inbound sender domains |
| Hosted phishing flow | Add brand mismatch rules or pre-click link scanning |
| Deepfake Zoom calls | Monitor for non-zoom.us domains in meeting invites |
| Ransomware indicators | Hunt for file encryption patterns and unusual outbound traffic |
What Next?
Reading intel is step one. Applying it is how you win. Don’t just browse — drill your instincts with hands-on challenges that build SOC muscle memory.
This Week’s Starter Pack (Perfect if you’re new or want focused practice)
SOC Threat Deep Dive: #1 - Phishing Detection
Walk through phishing patterns, tactics, and how to detect them.
Challenge 1: Phishing Analysis – DocuSign Impersonation
Test yourself on the exact threat covered in this week’s drill.
Want the Full Arsenal?
SOC Threat Deep Dive: Learning Series Tracker
Browse all past deep dives with linked challenges.
All Skill Challenges (Tracker Hub)
Practice drills sorted by skill type, threat category, and difficulty.
Catch Up on Past Issues
Even if it’s last month’s attack, the skills still matter — real attackers don’t use expiration dates.
Topics tagged threats-to-soc-skill
Lock In — Don’t miss out on our updates!
Want the next threat drops, challenges, and tools in your inbox?
Join the Crushing Security Newsletter
Make It Better!
Got an idea to improve this series? Suggest, tweak, or challenge an idea — all feedback helps us all improve. Drop thoughts below or hit up Steve.