Email Security Blog

Cosmic Lynx Returns in 2021 with Updated Tricks

Crane Hassold February 11, 2021 BEC, Business Email Compromise, DMARC, Research

In July 2020, we published a report on a Russian-based BEC group we called Cosmic Lynx. In that report, we described the tactics used by the group, which included its targeting of senior executives at large companies with a global footprint and how it uses mergers and acquisitions (M&A) themes in its BEC email lures.

Shortly after we published the report, we saw a significant decrease in Cosmic Lynx activity for more than three months. While we can’t conclusively say that our report caused Cosmic Lynx to go on a hiatus, the timing was very notable. In mid-October 2020, though, we started to detect a resurgence in Cosmic Lynx activity, using the same tactics that we had previously observed prior to their disappearance.

In late-December 2020, however, we observed a shift in Cosmic Lynx’s tactics. First, the group started including references to a COVID-19 vaccine in their initial emails. Cosmic Lynx had previously used COVID themes in their communications earlier in 2020 as a way to build rapport with their targets, but the inclusion of vaccine references indicates the group is continuing to update their lures to reflect items of global interest. Examples of COVID vaccine references in recent Cosmic Lynx BEC campaigns have included lines like “The recent developments in vaccines offer glimmers of hope for the global economy,” or “The world economy is approaching a turning point amid hopes for a rapid recovery fueled by an early vaccine.”

Cosmic Lynx email referencing COVID-19 vaccines.

In addition to referencing COVID vaccines, Cosmic Lynx has also continued using other pandemic themes as a way to frame the rationale for the supposed acquisition. In some of their recent campaigns, the group writes that the pandemic “has created dislocations in several markets and we intend to seize the opportunity now” and “We must now position ourselves for the coming economic upturn even as we maintain vigilance in this uncertain period.”

Cosmic Lynx email containing COVID-19 themes.

Second, Cosmic Lynx changed the construction of the email addresses they use to send BEC emails. Since mid-2019, the email addresses used by Cosmic Lynx were constructed to mimic secure email and network infrastructure and referenced celestial bodies, like planets and stars. In December 2020, the group started using email addresses that seem to be created to look like more generic email infrastructure, sometimes resembling Amazon Simple Email Service (SES) naming conventions, such as eu-west-smtp-outbound[at]veritas-secure-gateway[.]cc or us-east-tls-smtp-gateway[at]trustnet-server[.]cc.

Finally, instead of continuing communication over email, Cosmic Lynx immediately attempts to redirect a target to phone communication. At the end of their recent BEC emails, Cosmic Lynx now includes a request like, “Can you please let me know when you are available and the best number to reach you at?” While we do not yet have concrete details about how these calls would proceed, it is likely that Cosmic Lynx will use technology to mask the voice of the actor.

Cosmic Lynx email requesting target’s phone number.

Since the end of December 2020, Cosmic Lynx’s BEC activity has returned to the consistently high volume we saw in early-2020. Since the beginning of 2021, we have observed 43 distinct Cosmic Lynx BEC campaigns targeting executive employees in 19 countries. Since July 2019, we have identified Cosmix Lynx attacks against targets in a total of 53 different countries around the world.

As we noted in our initial Cosmic Lynx report, the entrance of a sophisticated Russian cybercriminal group into the BEC scene shows that actors are realizing that the return on investment for BEC attacks is better than other types of technically sophisticated cyber attacks. Cosmic Lynx has demonstrated the capability to develop much more complex and creative attacks that sets them apart from other BEC groups. To protect against threats like Cosmic Lynx, organizations need to make sure they have defenses in place that are equipped to defend against identity deception attacks that traditional inbound email filters are not equipped to handle.

Recent Domains Associated with Cosmic Lynx BEC Attacks


Recent IP Addresses Linked to Cosmic Lynx Mail Servers


Laptop with multiple paddle locks with key holes

May 27, 2022 John Wilson

SMTPS: Securing SMTP and the Differences Between SSL, TLS, and the Ports They Use

What is the difference between SMTPS and SMTP? SMTPS uses additional SSL or TLS cryptographic protocols…

Agari Blog Image

April 27, 2022 Monica Delyani

5 Big Myths about DMARC, Debunked

With email attacks contributing to billions of lost dollars each year, a growing number of…

Computer Showing Secure Email Server

March 9, 2022 John Wilson

Securing Your Email with DMARC

Understanding the What, How, and Why of DMARC You probably already know this, but it…

Agari Blog Image

December 16, 2021 John Wilson

Common Phishing Email Attacks | Examples & Descriptions

What does a phishing email look like? We've compiled phishing email examples to help show…

Agari Blog Image

December 8, 2021 John Wilson

What Is Email Phishing? [How to Protect Your Enterprise]

Phishing emails can steal sensitive data and cost companies' reputation. However, protecting a company from…

mobile image