Abusix, Inc.

Russia's GRU hijacked 18,000 home and office routers last year — not with malware, but with DNS. No exploit dropped. No payload installed. APT28 (Forest Blizzard) simply reconfigured the DNS settings on unpatched MikroTik and TP-Link devices to point at attacker-controlled resolvers. Every DNS query that crossed those routers — including Microsoft Office OAuth authentication requests — was silently intercepted. Tokens extracted. Sessions hijacked. Lumen Black Lotus Labs and UK NCSC published the analysis this week. The attack surface wasn't the users. It wasn't the endpoints. It wasn't the applications. It was the infrastructure that the whole network blindly trusted to direct traffic. For network operators and ISPs: the routers on your customers' networks are part of your attack surface whether you manage them or not. When DNS is compromised, every security control upstream of it is irrelevant. The signals exist. DNS configuration drift, anomalous query resolution patterns, infrastructure-level behavioral changes in your IP space. If you're watching the right layer, this attack leaves footprints before the credential harvest starts. #CyberSecurity #DNS #NetworkSecurity #ThreatIntelligence #ISP

Happy 4 years, Daniel! 🙌 From Guardian Ops' earliest planning phases to deploying to our first customers — Daniel has been there for all of it, and it shows in everything he builds. Beyond the technical depth, he's the person who stops what he's doing to help and makes everyone around him better. We asked him to reflect on four years — his advice and proudest achievement are in the slides below. Thank you for being such a core part of this story. Here's to what's next! #TeamAbusix #WorkAnniversary #GuardianOps

The FBI released its 2025 Internet Crime Report this week. Record losses: $21 billion. Up 26% from the year before. The number that stands out: phishing was still the #1 complaint type — 191,000 reports. Not because phishing is getting more sophisticated. Because it's getting more scalable. Volume is the strategy. For network operators and hosting providers, this is the signal buried in the noise: the attack infrastructure is distributed across legitimate-looking infrastructure — compromised cloud instances, residential proxies, aged domains. The losses accumulate because detection is still mostly reactive. You see the fraud after the email lands, not before the sender staged the campaign. $21 billion is a cost that sits somewhere. It sits with customers. It sits with carriers. It sits with the providers who routed the traffic. The economics of internet abuse aren't someone else's problem. #CyberSecurity #ThreatIntelligence #EmailFraud #AbuseOperations #NetworkSecurity

🎉 Happy 3rd work anniversary, Celine! Over the past three years, Celine has become a key part of our team — from Mail support to applying her investigation skills with Guardian Intel. As a Data Services Analyst, her attention to detail and reliability consistently stand out. We asked Celine to reflect on her time at Abusix — check out her insights in the slides below 👇 Thank you, Celine, for all your hard work and impact. We’re excited for what’s ahead! #Abusix #WorkAnniversary #Team #Cybersecurity

Europe is leaving US email platforms behind. But the hard truth no one's saying out loud: the risk doesn't leave with them. Without infrastructure-level protections, you're not fixing the problem — you're relocating it. We wrote about what's actually missing, and why the window to get this right is shorter than most organizations think. Worth a read if you're in email security, infrastructure, or trust & safety. 👉 https://lnkd.in/etkV9PUN #EmailSecurity #Cybersecurity #Abusix

From inbox to dark web in under 48 hours. New research from Whiteintel (March 2026) tracked the full lifecycle of infostealer malware: a single malicious email attachment results in corporate credentials listed for sale on dark web marketplaces within 48 hours of infection — well before most security teams detect the breach. Infostealer delivery via email rose 84% in 2025. The gap isn't just a detection problem. It starts earlier: the email should never have arrived. An IP that's been observed distributing malicious payloads doesn't get a fresh start with every new campaign. The sending infrastructure has history. That history is visible — if you're looking at the right signals. By the time a detection rule fires, the credential is already being sold. The only layer that closes the gap before it opens is blocking malicious sending infrastructure before delivery, not after infection. We see that infrastructure in real time. That's the 48-hour problem worth solving. #ThreatIntelligence #InfoStealer #EmailSecurity #CyberSecurity #AbusePrevention

Final day at RSAC Conference 2026 🚀 It’s been a great week connecting with partners, customers, and the broader security community in San Francisco. If you’re still at RSA and want to talk email abuse prevention, infrastructure security, or threat intelligence, there’s still time to connect with Larry Ellis. Book a meeting: https://lnkd.in/eCmbM62i #RSAC #RSAC2026 #Cybersecurity #Abusix

AI-generated phishing now achieves a 54% click rate. Standard phishing: 12%. Kaseya's 2026 security report calls it official: AI-generated content is now the *default* in phishing campaigns. 83% of phishing emails last year used it. 40% of BEC attacks. The grammar errors, the awkward phrasing, the obvious tells — gone. Your users can no longer be trained to spot what doesn't exist anymore. Here's what that means for your abuse team: the first line of defense just got a lot less reliable. Content-based filters were already a losing game at scale. Now they're losing faster. When AI can produce perfect, contextually relevant, grammatically flawless phishing at industrial volume, the detection signals you're left with are the ones the attacker *can't* fake: — How long has this domain been registered? — What's the sending IP's reputation history? — Has this infrastructure been linked to abuse before? Network-layer signals don't hallucinate. They don't get better prompts. They don't learn to sound more legitimate. An IP that sent 10,000 spam messages last week is still the same IP — regardless of what the email says. The teams winning the phishing fight in 2026 aren't the ones with better content filters. They're the ones who never needed to read the email in the first place. #EmailSecurity #Phishing #CyberSecurity #AbuseManagement #ThreatIntelligence

Heading to RSAC Conference 2026 in San Francisco? Larry Ellis will be there meeting with partners and security leaders. If you’d like to talk about email abuse prevention, infrastructure security, or threat intelligence, grab a time on his calendar. 📅 Book a meeting: https://lnkd.in/eq4_Erb6 #RSAC #RSAC2026 #Cybersecurity #Abusix