Particle.news

Extortion Emails Target Executives With Claims of Oracle E‑Business Suite Data Theft

Forensic reviews are underway as researchers question the credibility of the claims.

Overview

  • Google’s Threat Intelligence Group and Mandiant report a high‑volume email campaign that began on or before September 29, with messages sent from hundreds of compromised third‑party accounts.
  • The emails list contact addresses that also appear on Clop’s leak site, suggesting a possible link, though attribution to Clop has not been confirmed and no public claim has been posted on its site.
  • Mandiant says at least one account used to send the messages was previously associated with FIN11, a financially motivated threat group tied to ransomware and extortion activity.
  • Investigators say they have not found evidence that Oracle E‑Business Suite environments were breached or that data was exfiltrated, and Oracle has not responded to requests for comment.
  • Researchers advise organizations to review Oracle E‑Business Suite logs for unusual access. They also note that the emails pressure recipients to initiate contact rather than stating a specific ransom demand.