Cisco Talos Sees New Brand Impersonation Methodologies from Malicious Actors

New report details various novel TTPs used by threat actors to embed brand logos in emails.

Executive Summary

Cisco Talos has released a report detailing new findings around recent techniques, tactics, and procedures (TTPs) uncovered while investigating brand impersonation email campaigns. In the report, Cisco Talos detailed various novel TTPs used by threat actors to embed brand logos in emails, such as inserting brand-related words into HTML, using base64 encoding, fetching logos from remote servers, and attaching logos as images or PDFs.

Community Threat Assessment

Brand impersonation emails remain a significant threat to the retail and hospitality sector, due to the reliance on customer trust and frequent digital interactions. The retail and hospitality sectors handle large volumes of sensitive customer information, including payment details and personal data, making them attractive targets for cyber-criminals. Phishing emails that mimic well-known brands can deceive customers into divulging sensitive information or making fraudulent transactions, leading to financial loss and reputational damage for businesses. The RH-ISAC community has focused heavily on brand impersonation over the past months:

  • In the first half of 2024, Core Members have discussed a marked increase in brand impersonation campaigns targeting consumers.
  • In the first quarter of 2024, brand impersonation was the third most prevalent threat reported by RH-ISAC Core Members.
  • Imposter domains were the fourth most common TTP reported by Core Members.

RH-ISAC recommends Core Members review the information included in this report and factor in the mitigations below.


According to Cisco, Microsoft was the most frequently impersonated brand over the month they observed, followed by DocuSign. Most emails that contained Microsoft and DocuSign brand images were fake SharePoint and DocuSign phishing messages. Other top frequently impersonated brands such as Norton LifeLock, PayPal, and Chase, among others, were mostly seen in callback phishing messages. In this technique, attackers would include a phone number in their email and try to persuade recipients to call that number, thereby changing the communication channel away from email. From there, attackers may send another link to their victims to deliver different types of malware.


Per the Talos report, domain names should be registered with various extensions to thwart threat actors attempting to use similar domains with these extensions for malicious purposes, as well as concealing sensitive information in WHOIS records via privacy protection measures.

Domain names need to be updated regularly since expired domains can be easily abused by threat actors for illicit activities that can harm an impacted business’s reputation. Brand names should also be registered properly so that organizations can take legal action when brand impersonation occurs.

More Recent Blog Posts