Attack spotlight

Abusing Discord to deliver Agent Tesla malware

July 2, 2024

Abusing Discord to deliver Agent Tesla malware

Sublime Security Attack Spotlight: Attempts to deliver malware by sending a fake purchase order.

On this page
Ready to see Sublime 
in action
Get a demo
Authors
Threat Detection Team
Threat Detection Team
Sublime

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected.

EMAIL PROVIDER: Google Workspace

ATTACK TYPE: Malware/Ransomware

The Attack

Attempts to deliver malware by sending a fake purchase order message. Attack characteristics:

  • Embeds a fake PDF logo to bolster legitimacy
  • The fake logo and “Download PO.PDF” are hyperlinked to  cdn[.]discordapp[.]com
  • When the link is clicked, a VBE file is downloaded from Discord's CDN, which downloads and executes AgentTesla
Agent Tesla is a .Net-based Remote Access Trojan (RAT) and data stealer for gaining initial access that is often used for Malware-as-a-Service (MaaS). In this criminal business model, threat actors known as initial access brokers (IAB) outsource their specialized skills for exploiting corporate networks to affiliate criminal groups. As first-stage malware, Agent Tesla provides remote access to a compromised system that is then used to download more sophisticated second-stage tools, including ransomware.

Source

Detection signals

Sublime detected and prevented this attack using the following top signals:

  • Free file hosting service: The malware is hosted on Discord’s file sharing server. By using high reputation infrastructure, the link is less likely to be deeply inspected.
  • Link to auto-download of a suspicious file type: The link auto-downloads a VBE file, which is often used to deliver malware.
  • Mismatched sender and reply-to: The message’s from address doesn’t match the reply-to. We typically observe this when the adversary has compromised an account to send the initial message, but may lose access, so they redirect replies to an account they own.
  • Unknown sender: The sender has rarely, if ever, communicated with anyone at the targeted organization.

Sublime detects and prevents malware/ransomware delivery and other email based threats. Deploy a free instance today.

Heading

About the authors

Threat Detection Team
Threat Detection Team
Sublime

The Threat Detection team at Sublime is responsible for monitoring environments to discover emerging email attacks and developing new Detection Rules for the Core Feed.

Get the latest

Sublime releases, detections, blogs, events, and more directly to your inbox.

check
Thank you!

Thank you for reaching out.  A team member will get back to you shortly.

Oops! Something went wrong while submitting the form.

Related Articles

December 29, 2025
5 email security trends from 2025
Sublime news

5 email security trends from 2025

Brian BaskinPerson
Brian Baskin
Threat Research
Person
December 18, 2025
How to build fast similarity search for email from the ground up
Sublime news

How to build fast similarity search for email from the ground up

Ross WolfPerson
Ross Wolf
Engineering
Person
December 16, 2025
Evolving our brand as Sublime grows
Sublime news

Evolving our brand as Sublime grows

Omar JalalzadaPerson
Omar Jalalzada
Head of Design
Kirk JohnsonPerson
Kirk Johnson
Creative Director
See all blog posts

Frequently asked questions

What is email security?
Email security refers to protective measures that prevent unauthorized access to email accounts and protect against threats like phishing, malware, and data breaches. Modern email security like Sublime use AI-powered technology to detect and block sophisticated attacks while providing visibility and control over your email environment.

Now is the time.

See how Sublime delivers autonomous protection by default, with control on demand.

Get started
Get a demo
BG Pattern
Sublime Logo Horizontal
Resources
BlogEvents
Community Slack
Resource center
EML Analyzer
Sublime Core Feed
API Reference
Documentation
Security at SublimeICS Phishing Playbook
©2025 Sublime Security, Inc.
TermsPrivacySecurityDisclosurePrivacy choices