Constant Contact Malicious Link Warning

Carefully examine the links in any email sent through Constant Contact, the popular email campaign service, before you click them.

Update [03/31/2022]: This is an active incident. Microsoft will post more details as they become available. Microsoft detailed NOBELIUM’s latest early-stage toolset, composed of four tools utilized in a unique infection chain: EnvyScout, BoomBox, NativeZone, and VaporRage.


The NOBELIUM indicators of compromise (IOCs) associated with this activity are available in CSV on the MSTIC GitHub.

Updated NOBELIUM IOCs to include MD5 hashes.

Any humanitarian organization that works directly with US Aid, as well as those connected indirectly through another program, needs to be cautious with email links and should also scan its networks for existing compromise.


Microsoft announced a sophisticated and widespread attack that sent 3,000 malicious links to 150 organizations. And the threat is still active.

Tom Burt, a vice president at Microsoft, stated on Thursday, May 27, that the hackers appeared to target "many humanitarian and human rights organizations".

Microsoft states that NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components, is behind this spear-phishing campaign, which aims to compromise the networks of organizations that work with US AID.

Screenshot: malicious US Aid Constant Contact email example, courtesy of Microsoft.Com

Before acting on any email sent through Constant Contact or another campaign service, always check the sender address and hover over each link to see where it really points before clicking. Keep your operating system up to date, and keep your antivirus security software up to date.
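As an added example (not from the original post), the PowerShell function below does by script what hovering over each link does by hand, for every link in an email's HTML body at once: it compares the visible link text with the real destination host, flags tracking redirectors that hide the destination in a query string, and flags links that end in a file container such as the ISO used in this campaign. The sample HTML and every domain in it are constructed for the example (.test TLD).

```powershell
# Added example, not the original post's code; sample HTML and domains are constructed.
function Get-SuspiciousLinks {
    param([Parameter(Mandatory)][string]$HtmlBody)

    # Capture href and visible text of every <a ...>...</a>; adequate for campaign HTML.
    $pattern = '<a\b[^>]*?href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    $anchors = [regex]::Matches($HtmlBody, $pattern, 'IgnoreCase, Singleline')

    foreach ($a in $anchors) {
        $href     = $a.Groups[1].Value
        $text     = ($a.Groups[2].Value -replace '<[^>]+>', '').Trim()  # strip inner tags
        $reasons  = @()
        $uri      = $null
        $hrefHost = if ([uri]::TryCreate($href, [UriKind]::Absolute, [ref]$uri)) { $uri.Host } else { '' }

        # 1. Visible text looks like a domain/URL but the href goes somewhere else.
        if ($text -match '^(https?://)?([a-z0-9.-]+\.[a-z]{2,})') {
            $textHost = $Matches[2]
            if ($hrefHost -ne $textHost -and -not $hrefHost.EndsWith(".$textHost")) {
                $reasons += "shows '$textHost' but points to '$hrefHost'"
            }
        }
        # 2. Campaign services wrap links in a tracking redirector; the true destination
        #    then sits in the query string, where the hover preview does not show it.
        if ($href -match '[?&](url|u|redirect|target)=https?') {
            $reasons += 'tracking redirector hides the real destination'
        }
        # 3. Link ends in a file container such as the ISO used in this campaign.
        if ($href -match '\.(iso|img|lnk)(\?|&|$)') {
            $reasons += 'points at a file container'
        }

        [pscustomobject]@{
            Text       = $text
            Href       = $href
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Constructed sample body: one redirector to an ISO, one look-alike, one honest link.
$sampleBody = @'
<p>Special alert: new documents released.</p>
<a href="https://click.tracker.test/ls/click?url=https://files.badcdn.test/ICA-declass.iso">View documents</a>
<a href="https://www.aid-agency-lookalike.test/"><b>www.aid-agency.test</b></a>
<a href="https://www.aid-agency.test/">www.aid-agency.test</a>
'@
Get-SuspiciousLinks -HtmlBody $sampleBody | Format-Table -AutoSize -Wrap
```

The first two sample links come back flagged (redirector plus file container, and text/host mismatch); the third, whose text and host agree, does not.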

What you can do if you suspect you may have been part of this compromise

For Microsoft Windows users, apply these mitigations to reduce the impact of this threat. Check Microsoft's recommendations for the deployment status of monitored mitigations.


  1. Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
  2. Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. (EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.)
  3. Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  4. Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  5. Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
  6. Enable multifactor authentication (MFA) to mitigate compromised credentials. Microsoft strongly encourages all customers to download and use passwordless solutions like Microsoft Authenticator to secure their accounts.
  7. For Office 365 users, see multifactor authentication support.
  8. For Consumer and Personal email accounts, see how to use two-step verification.
  9. Turn on the following attack surface reduction rule to block or audit activity associated with this threat: Block all Office applications from creating child processes. NOTE: Assess rule impact before deployment.
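As an added example, not part of the original post or of Microsoft's guidance, this PowerShell applies the items above that are exposed through the Defender Antivirus cmdlets (items 1, 3 and 9) on a single Windows endpoint and reads the resulting state back; the rule GUID is Microsoft's published identifier for "Block all Office applications from creating child processes". Items 2, 4 and 5 and the MFA items are tenant-side settings in the Microsoft 365 Defender and Azure AD portals with no local cmdlet, so they are not covered here.

```powershell
# Added example (not from the original post or Microsoft): apply mitigation items 1, 3 and 9
# through the Defender Antivirus cmdlets, then read the effective state back.
# Needs an elevated session on a Windows endpoint running Microsoft Defender Antivirus.

# Item 1: cloud-delivered protection (MAPS), with sample submission so
# "block at first sight" can act on new and unknown files.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -DisableBlockAtFirstSeen $false

# Item 3: network protection blocks connections to known-malicious domains and URLs.
Set-MpPreference -EnableNetworkProtection Enabled

# Item 9: ASR rule "Block all Office applications from creating child processes".
# Per the NOTE above, start in AuditMode, review the audit events, then switch to Enabled.
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Read back what is now in effect (numeric values are what Get-MpPreference returns).
$p = Get-MpPreference
$asrState = 'not set'
for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($p.AttackSurfaceReductionRules_Ids[$i] -eq $OfficeChildProcRule) {
        $asrState = $p.AttackSurfaceReductionRules_Actions[$i]   # 2 = AuditMode, 1 = Block
    }
}
[pscustomobject]@{
    CloudProtection    = $p.MAPSReporting            # 2 = Advanced
    BlockAtFirstSight  = -not $p.DisableBlockAtFirstSeen
    NetworkProtection  = $p.EnableNetworkProtection  # 1 = Enabled
    OfficeChildProcASR = $asrState
}

# Audited ASR hits are logged as event ID 1122 (1121 once the rule is in block mode);
# review them before enforcing the rule.
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' `
             -FilterXPath '*[System[EventID=1122]]' -MaxEvents 20 -ErrorAction SilentlyContinue
```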


Indications you have been compromised

Microsoft's indicator list for this campaign covers the following types. The indicator values themselves (file hashes and domain names) are in the CSV on the MSTIC GitHub mentioned above; only the two IP addresses are reproduced here.

Email  -  Spoofed email account
Malicious ISO file (container)
Malicious shortcut (LNK)
Cobalt Strike Beacon malware
Domain, Subdomain  -  used to distribute the ISO file
Domain, Subdomain  -  Cobalt Strike C2
IP address  -  192[.]99[.]221[.]77, resolved to by worldhomeoutlet[.]com
IP address  -  83[.]171[.]237[.]173, resolved to by *theyardservice[.]com
Domain  -  Actor-controlled domain

Antivirus Detection

Microsoft Defender Antivirus detects threat components as the following malware:


What to do next

TNW Creations is a Web Development & Media Publishing Agency in Austin, Texas, offering web development, cyber security, web design, clean energy web hosting, advanced SEO, digital marketing and more since 1995.

I've been programming, designing, writing and publishing professionally online since 1995. I've worn many hats throughout my life, but the common core of my career has always been media. Besides the portfolio you see on TNW Creations, my internet presence has been substantial for over 2 decades. In 1995, while still in college, I founded TNW Creations and became part of the grassroots development for teaching the Lakhota language online. By 2004, my bilingual work was listed on many sites, including National Geographic, Encarta and Touchstone Pictures' Hidalgo. When I'm not developing and writing, you'll find me managing MagicStoryLand.Com, creating kid-friendly game & video content, investigating and initiating hostile website takedowns, posting salty articles about cyber threats, moderating UnifyLife.Org and enjoying my community, church & family.