huntresslabs / rogueapps

When good OAuth apps go rogue. Documents observed OAuth application tradecraft
https://huntresslabs.github.io/rogueapps/
Mozilla Public License 2.0

[New RogueApp]: Newsletter Software Supermailer #6

Closed HuskyHacks closed 2 weeks ago

HuskyHacks commented 4 weeks ago

⚠️ Please include as much detail as possible. Please do not submit any private, sensitive, and/or proprietary information.

Reference

The RogueApp specification is defined in types.ts. Please submit as much information as you can for each field (it does not have to be 100% complete but please submit everything you can!)

syne0 commented 3 weeks ago

I don't have all the information but I can provide some!

Contributor Name: Syne0 + anyone else who contributes if applicable
RogueApp Name: Newsletter Software Supermailer
RogueApp Description: Software used for email mass mailing, often abused to send phishing emails. Requires administrator consent to use with Microsoft365, which then allows the application to send from any mailbox within the tenant.
App Owner Organization ID: Unknown
App Publisher Name: Unknown.
App Publisher ID: Unknown.
Permissions:
  Microsoft Graph: Contacts.Read (Delegated)
  Microsoft Graph: Mail.Read (Delegated)
  Microsoft Graph: Mail.Send (Delegated)
  Microsoft Graph: offline_access (Delegated)
  Microsoft Graph: Mail.Read (Application)
  Microsoft Graph: Mail.Send (Application)
  Microsoft Graph: Contacts.Read (Application)
Tags: BEC, spam, phishing
MITRE ATT&CK IDs: T1583.006, T1566, T1588.002, T1657
References:
  https://www.darkreading.com/endpoint-security/supermailer-abuse-email-security-super-sized-credential-theft
  https://trustifi.com/blog/what-is-a-supermailer-email-phishing-attack/
  https://darktrace.com/blog/business-email-compromise-to-mass-phishing-campaign-attack-analysis
  https://www.linkedin.com/posts/damien-miller-mcandrews_businessemailcompromise-activity-7231350791607881732-UAWJ?utm_source=share&utm_medium=member_desktop
Date Added: [the date when the RogueApp was added to the repository]

I don't see a field for the actual Appid (asked about it in #15) but the Appid is a245e8c0-b53c-4b67-9b45-751d1dff8e6b
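As an added example (not part of the RogueApps project and not code from syne0's submission), the following Python shows how a defender could triage OAuth consent events against the appId and permission set reported above: a known rogue appId, application-level Mail.Send / Mail.Read / Contacts.Read permissions, and tenant-wide admin consent each produce a finding. The ConsentEvent record, the actor names and the two non-Supermailer apps are constructed for the example; the record is a simplified shape, not the Entra ID audit-log schema.

```python
"""Added example, not part of the RogueApps project: triage OAuth consent
events against a known rogue appId and the high-risk application
permissions listed for Supermailer. The event shape below is a constructed,
simplified record, not the Entra ID audit-log schema."""
from dataclasses import dataclass
from typing import List, Tuple

# appId reported in the issue for Newsletter Software Supermailer
SUPERMAILER_APP_ID = "a245e8c0-b53c-4b67-9b45-751d1dff8e6b"
KNOWN_ROGUE_APP_IDS = {SUPERMAILER_APP_ID: "Newsletter Software Supermailer"}

# Application (app-only) permissions from the issue's list. With admin
# consent these act on every mailbox in the tenant, no user sign-in needed.
HIGH_RISK_APP_PERMISSIONS = {"Mail.Send", "Mail.Read", "Contacts.Read"}


@dataclass(frozen=True)
class ConsentEvent:
    app_id: str
    app_name: str
    consent_type: str                          # "AllPrincipals" = tenant-wide admin consent
    permissions: Tuple[Tuple[str, str], ...]   # (scope, "Delegated" | "Application")
    actor: str                                 # who granted consent (constructed)


def assess(event: ConsentEvent) -> List[str]:
    """Return human-readable reasons an event deserves analyst attention."""
    reasons = []
    known = KNOWN_ROGUE_APP_IDS.get(event.app_id)
    if known:
        reasons.append(f"appId {event.app_id} is catalogued as RogueApp '{known}'")
    app_only = {scope for scope, kind in event.permissions if kind == "Application"}
    risky = sorted(app_only & HIGH_RISK_APP_PERMISSIONS)
    if risky:
        reasons.append("high-risk application permissions: " + ", ".join(risky))
        if event.consent_type == "AllPrincipals":
            reasons.append(f"tenant-wide admin consent granted by {event.actor}")
    return reasons


def triage(events: List[ConsentEvent]) -> List[Tuple[str, List[str]]]:
    """Pair each flagged event's app name with its reasons, skipping clean ones."""
    out = []
    for e in events:
        reasons = assess(e)
        if reasons:
            out.append((e.app_name, reasons))
    return out


# Constructed sample events: the Supermailer entry mirrors the issue's
# permission list; the other two apps and all actors are made up.
SAMPLE_EVENTS = [
    ConsentEvent(
        app_id=SUPERMAILER_APP_ID,
        app_name="Newsletter Software Supermailer",
        consent_type="AllPrincipals",
        permissions=(
            ("Contacts.Read", "Delegated"), ("Mail.Read", "Delegated"),
            ("Mail.Send", "Delegated"), ("offline_access", "Delegated"),
            ("Mail.Read", "Application"), ("Mail.Send", "Application"),
            ("Contacts.Read", "Application"),
        ),
        actor="admin@example.test",
    ),
    ConsentEvent(
        app_id="00000000-0000-0000-0000-000000000001",
        app_name="Example Expense Tool",
        consent_type="Principal",
        permissions=(("User.Read", "Delegated"),),
        actor="user@example.test",
    ),
    ConsentEvent(
        app_id="00000000-0000-0000-0000-000000000002",
        app_name="Unlisted Mailer",
        consent_type="AllPrincipals",
        permissions=(("Mail.Send", "Application"),),
        actor="admin@example.test",
    ),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS):
        print(name)
        for r in reasons:
            print("  -", r)
```

The catalogue lookup catches the appId reported here, while the permission check still flags an unlisted app that obtains app-only Mail.Send under admin consent, which is the property that makes Supermailer useful for sending from any mailbox in the tenant.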

HuskyHacks commented 3 weeks ago

Thank you @syne0! Just wanted to let you know that I've seen this and your corresponding comment in the other issue and will get to this soon.

HuskyHacks commented 2 weeks ago

Added in https://github.com/huntresslabs/rogueapps/pull/16. I left some of the details as unknown but will install the app in my lab later and fill in any missing info. That PR also added the appID to the template field.

Thank you for the first outside contribution to RogueApps!
