Staff Threat Research Engineer at Proofpoint
Michael August Raggi is a Staff Threat Research Engineer at Proofpoint. He has pioneered attribution methodologies in the fields of cyber threat intelligence and fine art theft recovery. Previously, he worked as a Cyber Intelligence Analyst at BAE Systems, as a Cyber Threat Analyst in the financial services sector, and on the recovery of stolen fine artworks created by the foremost living American artists. Michael's past publications have focused on advanced persistent threat targeting of the US critical infrastructure sector, energy networks in the South China Sea, recent operations conducted during the Russia-Ukraine conflict, and the repeated targeting of Tibetan dissidents by threat actors aligned with the Chinese state. His primary focus is tracking APT adversaries in the APAC region and developing analyst tools that automate the detection of top-tier threat actors.
Beginning in April 2022, Microsoft announced that it would block macro enablement by default in files within the Microsoft Office suite. Following this announcement, the APT threat actor landscape in Europe and Asia underwent dramatic changes, as macros became an unreliable weaponization technique for phishing attacks. This presentation will measure the impact of Microsoft Office macro disruption on the APT landscape one year after the announcement by examining the tactics of 4 APT actors who actively targeted European and Asian entities with phishing campaigns in 2022 and 2023. Michael will conduct an in-depth exploration of the Chinese state-aligned APT actors Sharp Panda, TA423/APT40, TA416/Mustang Panda, and the Turian malware operators ("Backdoor Diplomacy"). By comparing APT tactics before and after macros were disabled, a clear trend will emerge: threat actors can no longer rely on macros as a stage 1 delivery mechanism in phishing. Further, the talk will demonstrate how widespread disruption of threat actor techniques has stimulated innovation, and highlight how new tactics such as archive-based attachments and cloud-based delivery infrastructure have replaced macros as APT weapons of choice.
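The before/after shift the abstract describes (macro-bearing Office documents giving way to archive attachments carrying the stage 1 payload) is something a mail-gateway triage rule has to cover on both sides. The following is an added example, not code from the talk or from Proofpoint: it flags OOXML documents that still embed a VBA project and zip attachments whose members are the file types that replaced macros; the extension lists are assumptions, and the sample attachments are constructed in memory.

```python
"""Attachment triage covering both stage-1 delivery styles named in the talk:
Office files with embedded VBA, and archives carrying risky members."""
import io
import zipfile

# Member types commonly seen as stage-1 payloads inside archive lures (assumed list).
RISKY_MEMBER_EXTS = {".lnk", ".exe", ".dll", ".js", ".vbs", ".hta", ".iso", ".img", ".scr", ".msi"}
OFFICE_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
ARCHIVE_EXTS = {".zip"}


def _ext(name: str) -> str:
    """Lower-cased final extension of a filename, or '' if it has none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment and list findings worth a block or a sandbox detonation."""
    ext = _ext(filename)
    findings = []
    if ext in OFFICE_EXTS:
        # OOXML documents are zip containers; a VBA project is stored as vbaProject.bin.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                    findings.append("office-macro")
        except zipfile.BadZipFile:
            findings.append("malformed-office")
        return {"kind": "office", "findings": findings}
    if ext in ARCHIVE_EXTS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member_ext = _ext(info.filename)
                    if member_ext in RISKY_MEMBER_EXTS:
                        findings.append(f"archive-member:{member_ext}")
                    if member_ext in ARCHIVE_EXTS:
                        findings.append("nested-archive")  # archive-in-archive lures
        except zipfile.BadZipFile:
            findings.append("malformed-archive")
        return {"kind": "archive", "findings": findings}
    return {"kind": "other", "findings": findings}


def build_zip(members: dict) -> bytes:
    """Construct a zip in memory from {name: bytes}; used only to build sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Password-protected archives and non-zip container formats (ISO, RAR, 7z) raise no findings here and need their own handling, which is exactly why a rule keyed only on macros misses the post-2022 traffic.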