Tobias Knecht

2K posts

@knutix

Founder & CEO @abusix, Co-Chair RIPE Anti-Abuse Working Group

Karlsruhe, Germany. Joined July 2010
212 Following, 417 Followers
Tobias Knecht@knutix·
83% of phishing is now AI-generated. Click rates: 54% vs 12% for standard phishing. You can't train users to spot perfect English. But you can check if the sending IP is dirty. Network-layer signals don't get better prompts. #EmailSecurity #Cybersecurity #Phishing
Tobias Knecht@knutix·
Operation Synergia III: 94 arrests, 45,000 malicious IPs sinkholed. Big numbers. Here's the data reality: every one of those IPs had an abuse trail — complaints, reputation signals, behavioral telemetry — that existed long before any arrests. Enforcement acts after. Good data a
Tobias Knecht@knutix·
DKIM replay attacks: attackers take a real Apple/PayPal email (already signed, already verified), and send it to you as a scam. DMARC passes. Everything looks clean. Authentication verifies the message. Not the intent. #EmailSecurity #Cybersecurity #ThreatIntelligence
Tobias Knecht@knutix·
Attackers are fuzzing email content — mutating messages in real-time so no two look alike. Signature databases can't keep up. But you can't fuzz the sending infrastructure. IP behavior, reputation signals, abuse history — that layer doesn't lie. Content-based detection has limi
Tobias Knecht@knutix·
Google took down BADBOX 2.0: 9M Android devices, pre-infected at the factory, used as residential proxies for spam and fraud. These IPs look legitimate. That's the point. IP reputation alone wasn't built for this. Behavioral signals are non-negotiable now. #ThreatIntel #Botnet
Tobias Knecht@knutix·
4 IoT botnets. 3M+ compromised routers & webcams. US DoJ + Canada + Germany just shut them down. Those infected devices were *someone's* network. Probably multiple ISPs that had no idea. Closed-loop abuse management means finding out before the feds do. #Cybersecurity #ISP
Tobias Knecht@knutix·
NIS2: Board members face personal liability for cybersecurity failures. DORA: Forensic evidence within hours. 24h early warning + 72h full incident notification. This isn't a compliance checklist. It's a requirement to *prove* you can see threats on your network in real time. #
Tobias Knecht@knutix·
Infoblox: Attackers are now hosting phishing pages inside .arpa — reverse DNS infrastructure that most security platforms categorically trust. It bypasses "a significant number of security platforms." The attack: find where security has institutional blind spots. Exploit until
Tobias Knecht@knutix·
The exploitation window after CVE publication is now measured in hours, not days. Flashpoint 2026: weaponized exploits hit criminal forums almost simultaneously with disclosure. Your patch cycle can't move that fast. Your abuse detection layer has to. #ThreatIntelligence #Abus
Tobias Knecht@knutix·
Attackers flood SOCs with commodity phishing not to win — but to drown the signal. 66% of SOC teams can't keep up with alert volume. Buried in the noise is the spear-phishing that matters. Pre-filtering at the IP/network layer reduces the queue. That's the actual value proposit
Tobias Knecht@knutix·
Trump's new EO: DOJ to prioritize BEC, phishing, ransomware prosecution. FBI reported $12.5B in cybercrime losses in 2024. When the US gov names something a national security threat, enterprise liability calculus shifts. Companies with documented abuse response capabilities are
Tobias Knecht@knutix·
SocksEscort (369K infected routers) got taken down by Europol + DOJ this week. Same week: KadNap launched — 14,000 routers, P2P architecture specifically designed to survive the next takedown. No central server. No sinkhole point. Botnet operators are engineering around law enf
Tobias Knecht@knutix·
AI phishing now passes every content-based filter. Perfect grammar, personalized lures, no template tells. Content analysis was always fragile. Now it's obsolete as a primary layer. Behavioral, network-layer signals are what actually catch this. Infrastructure doesn't lie. #Em
Tobias Knecht@knutix·
66 threats per user, per day. Up from 29 in 2024. DNSFilter 2026: 65% of threat domains are newly registered — no prior reputation to match against. The blocklist-first approach is running out of road. Behavioral signals are where the detection moved. #ThreatIntelligence #DNSS
Tobias Knecht@knutix·
Flashpoint 2026: 3.3 billion credentials compromised last year. Identity is now the primary exploit vector — not malware, not zero-days. That much stolen data doesn't sit idle. It gets stuffed against your users' accounts right now. Real-time behavioral signals catch it. Static
Tobias Knecht@knutix·
FBI + Europol seized LeakBase. 14 countries. 37 targets. 142K member database now in law enforcement hands. The credentials they traded? Still in circulation. Enforcement matters — but the networks that got hit still need to clean up independently. #CyberEnforcement #ThreatInte
Tobias Knecht@knutix·
NIS2 + DORA grace periods ended in February. Full enforcement is live. 24-hour early warning. 72-hour incident reporting. C-suite personal liability. You can't meet those windows if you don't have continuous network visibility. The compliance pressure just became very personal.