Edition: June 23-29, 2025
(Real threats from this week, real skills for every week.)

TL;DR — What You’ll Learn This Week

• DocuSign → Google login via Webflow phishing
• OneNote malware & ScreenConnect delivery
• Deepfake Zoom calls dropping macOS malware
• GitHub token leaks exposing sensitive code
• Shift Drill: Respond to phishing, build SIEM rules

---

Welcome to SOC Skills Weekly — your dropzone for real-world threat insights, hands-on drills, and analyst mindset training.

Whether you’re breaking into the field or sharpening your shift game, each edition helps you detect smarter, respond faster, and build instincts that land jobs — not just likes.

We don’t just break down threats — we turn them into applied learning you can practice, discuss, and use to interview stronger, build your portfolio, and show you think like a defender.

New to the SOC world? Start with the “Watch For” tips and the Shift Drill. Don’t worry about getting it all right — just show up weekly and build momentum. Got questions? Ask in the thread — the crew’s got your back.

---

This Week’s Incidents: Real Threats, Real Lessons

Each of these threats is a real-world training opportunity. You’re not just reading — you’re practicing how to triage, hunt, and respond like a SOC analyst. Whether you’re new or already on battling alerts, ask yourself:

“How would I respond if this hit my SOC queue?”

---

1. Fake DocuSign → Google Login Theft

Fake DocuSign email hides tricky phishing attempt | Malwarebytes

MITRE Techniques: T1566.002 – Spearphishing Link
(MITRE ATT&CK is a guide that lists common hacker tricks—this one is about fake links in emails.)

Analyst Debrief
In June 2025, scammers pretended to be from DocuSign, a company that handles electronic signatures. They sent emails that looked real, asking people to click a link to “review a document.” This link took users to a fake website hosted on webflow.io, which then sent them to a fake Google login page to steal their passwords. The email came from a tricky fake address, [email protected], which is very close to the real DocuSign address. Once someone entered their Google details, hackers could access their account and possibly steal more information.

Key Red Flags:

• Sender address looks off with a typo: d0cus1gn.com instead of the real one
• Link goes to webflow.io, not a DocuSign site
• Weird request: a DocuSign email asking for Google login details

“Why would a DocuSign email ask me to log into Google to see a document?”

Watch For

• Emails from fake addresses like d0cus1gn.com
• Links that don’t match the company they claim to be from (e.g., DocuSign to webflow.io)
• Reports of fake login pages on sites like webflow.io

Tip for Beginners: If an email asks you to log into a different service (like Google) than you expect, don’t click the link. Instead, go directly to the company’s official website by typing the address yourself.

---

2. North Korean Deepfake Zoom Malware

https://www.securityweek.com/north-korean-hackers-take-over-victims-systems-using-zoom-meeting/

MITRE Techniques: T1566.003 – Spearphishing via Service, T1204.001 – User Execution: Malicious Link

Analyst Debrief
In June 2025, hackers from North Korea, possibly the BlueNoroff group, tricked people with fake Zoom meeting invites. They used Telegram to send a link (via Calendly) to a fake Zoom site, not the real zoom.us. During the call, they showed fake videos of company bosses (made with deepfake technology) to seem trustworthy. If the call had audio problems, they’d ask users to download a fake fix (an AppleScript) that secretly installed harmful software, like NimDoor, to spy on computers and steal data.

Key Red Flags:

• Meeting invites from unknown Telegram accounts or fake sites (not zoom.us)
• Requests to download fixes or run commands during a call
• Strange video or audio, like a boss sounding off or sudden tech issues

“Why would a Zoom call ask me to download something to fix the sound?”

Watch For

• Check email or chat for Zoom invites from odd sites (not zoom.us)
• Look out for downloads like AppleScript on Mac computers
• Notice if your device connects to Telegram or webflow.io

Tip for Beginners: Always verify a meeting invite with the person who sent it before joining, especially if it asks you to download anything.

---

3. Ahold Delhaize Ransomware Breach

Retail giant Ahold Delhaize says data breach affects 2.2 million people

MITRE Techniques: T1486 – Data Encrypted for Impact, T1566.001 – Spearphishing Attachment

Analyst Debrief
In November 2024, a ransomware attack hit Ahold Delhaize, a big grocery company with stores like Stop & Shop in the U.S. It affected 2.2 million customers and workers, exposing personal info like names and health details. Hackers likely started with fake emails containing harmful attachments that locked files with ransomware. After stealing data, they might use it to send more fake emails or steal identities.

Key Red Flags:

• Weird email attachments (like .docx or .pdf) from strangers
• Files on your computer suddenly locking or changing names
• Strange data leaving your device to unknown places

“Why are my files locking up, and why is my computer sending data somewhere odd?”

Watch For

• Signs of locked files (e.g., names ending in .lock) on your device
• Emails with attachments you didn’t expect
• Unusual internet activity on your network

Tip for Beginners: If your files lock or you get an odd email attachment, tell someone right away and avoid opening it. Back up important files regularly to stay safe.

Rapid Threats – High Signal Reads

1. GitHub Token Leak

• Summary: In June 2025, secret codes (API tokens) were accidentally shared on public GitHub pages, risking access to important systems.
• Why it matters: Hackers could use these codes to add bad software or steal data. Beginners should know to watch for odd changes in shared projects.
• The Hacker News

2. Zoom Phishing (ScreenConnect)

• Summary: A June 2025 scam used fake Zoom links to trick people into installing ScreenConnect, letting hackers control their computers.
• Why it matters: This lets hackers sneak in quietly. Beginners should avoid downloading anything from unexpected meeting links.
• Abnormal Security

3. Deepfake Zoom Malware

• Summary: North Korean hackers used fake Zoom calls with deepfake bosses in June 2025 to trick people into downloading harmful Mac software like NimDoor.
• Why it matters: It mixes fake videos with sneaky software. Beginners should be wary of video calls asking for downloads.
• The Hacker News

4. Scattered Spider Targets Airlines

• Summary: In June 2025, the FBI warned that Scattered Spider hackers are pretending to be airline workers to steal data with fake calls and emails.
• Why it matters: These tricks can fool anyone. Beginners should check with the company if a call or email seems off.
• The Hacker News
• FBI X

5. Citrix Bleed 2 Flaw Exploited (CVE-2025-5777)

• Summary: A security weakness (CVE-2025-5777) in Citrix systems was used in June 2025 to let hackers sneak in without passwords.
• Why it matters: This affects remote work tools. Beginners should ensure software is updated to avoid this.
• BleepingComputer

6. SparkKitty Malware on App Stores

• Summary: In June 2025, SparkKitty malware hid in apps on Google Play and Apple App Store, stealing photos and crypto wallet info.
• Why it matters: Even trusted stores can have risks. Beginners should check app permissions carefully.
• BleepingComputer

7. CoinMarketCap Web3 Popup Hack

• Summary: A June 2025 attack on CoinMarketCap used fake popups to steal crypto from visitors’ wallets.
• Why it matters: Trusted sites can be hacked. Beginners should avoid clicking popups on crypto sites.
• BleepingComputer

Shift Drill – Apply What You’ve Learned: The DocuSign Redirect Incident

Scenario: You’ve just logged in for your shift as a SOC analyst. An urgent high-priority alert hits the queue: a user has flagged an email claiming to be from DocuSign — but the system is asking them to authenticate using their Google account.

Your initial triage of the reported email immediately reveals these critical red flags:

• Sender: [email protected] (a typosquatting attempt—when hackers use a fake email address that looks almost like the real one)
• Redirect URL: The supposed login page is hosted on webflow.io (a legitimate platform often misused for phishing scams, not DocuSign’s official site)

Read the full Malwarebytes breakdown of this phishing campaign for context →

New to phishing? It’s when hackers send fake emails to trick you into sharing personal info, like passwords.

Complete the questions below and share your answers in the comments

Don’t feel pressured to have perfect or complete answers! Whether you’ve got a full triage plan, a few initial thoughts, or even questions about the scenario—drop them in the comments below! If you’re stuck, ask for help—the community’s here to support you.

Why this matters: Spotting suspicious emails and explaining risks clearly are key skills SOC analysts use every day to protect organizations.

Start Here – Build Your Analyst Instincts

If you’re new to the SOC world, let’s start with the basics: noticing what’s suspicious and explaining it clearly. Try these questions to practice thinking like an analyst.

1. Identify the exact small details in this email (sender, content, links) that would make you suspicious.
2. Explain why a DocuSign email asking for Google login details feels wrong or unusual, beyond just technical details.
3. Describe how you’d warn a non-technical colleague about this email—why it’s suspicious and what they should do—without using techy terms.

Tip for Beginners: Try sketching the attack steps (e.g., email → fake site → stolen password) on paper to visualize how the scam works. This can help you spot patterns in future alerts.

---

(Optional): Level Up – Triage, Hunt, and Respond

Ready to think like a pro SOC analyst? You have 10 minutes to gather info and prepare a quick update for your shift lead. (Newbies, feel free to skip this or try it later!)

1. Find the specific malicious domain or full URL used for the phishing page hosted on webflow.io, according to the linked article.
2. Choose one Indicator of Compromise (IOC) or common email trait you’d check first in your email logs to find other users who got this or similar phishing emails.
3. Outline your step-by-step process: which specific log sources (e.g., email logs, firewall logs, SIEM) and security tools you’d check to see if anyone in your organization visited or tried to visit the suspicious webflow.io URL.
4. Create the logic for a new detection rule or alert (in plain language or pseudocode) to catch this attack pattern in your SIEM. What conditions would you include?

---

Shift Recap – From Threat to Action

What Next?

Reading intel is step one. Applying it is how you win. Don’t just browse — drill your instincts with hands-on challenges that build SOC muscle memory.

---

This Week’s Starter Pack (Perfect if you’re new or want focused practice)

• Real Threats → Real SOC Skills, Vol. 1: Phishing Detection
  Walk through phishing patterns, tactics, and how to detect them.
• Challenge 1: Phishing Analysis – DocuSign Impersonation
  Test yourself on the exact threat covered in this week’s drill.

---

Want the Full Arsenal?

• All Real Threats → Real SOC Skills Volumes
  Browse all past deep dives with linked challenges.
• All Skill Challenges (Tracker Hub)
  Practice drills sorted by skill type, threat category, and difficulty.

---

Catch Up on Past Issues
Even if it’s last month’s attack, the skills still matter — real attackers don’t use expiration dates.
Browse Past SOC Skills Weeklies

Lock In — Don’t miss out on our updates!

Want the next threat drops, challenges, and tools in your inbox?
Join the Crushing Security Newsletter

Make It Better!

Got an idea to improve this series? Suggest, tweak, or challenge an idea — all feedback helps us all improve. Drop thoughts below or hit up Steve.