Attack spotlight

Abusing Discord to deliver Agent Tesla malware

July 2, 2024

Abusing Discord to deliver Agent Tesla malware

Sublime Security Attack Spotlight: Attempts to deliver malware by sending a fake purchase order.

On this page
Ready to see Sublime 
in action
Get a demo
Authors
Threat Detection Team
Threat Detection Team
Sublime

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected.

EMAIL PROVIDER: Google Workspace

ATTACK TYPE: Malware/Ransomware

The Attack

Attempts to deliver malware by sending a fake purchase order message. Attack characteristics:

  • Embeds a fake PDF logo to bolster legitimacy
  • The fake logo and “Download PO.PDF” are hyperlinked to  cdn[.]discordapp[.]com
  • When the link is clicked, a VBE file is downloaded from Discord's CDN, which downloads and executes AgentTesla
Agent Tesla is a .Net-based Remote Access Trojan (RAT) and data stealer for gaining initial access that is often used for Malware-as-a-Service (MaaS). In this criminal business model, threat actors known as initial access brokers (IAB) outsource their specialized skills for exploiting corporate networks to affiliate criminal groups. As first-stage malware, Agent Tesla provides remote access to a compromised system that is then used to download more sophisticated second-stage tools, including ransomware.

Source

Detection signals

Sublime detected and prevented this attack using the following top signals:

  • Free file hosting service: The malware is hosted on Discord’s file sharing server. By using high reputation infrastructure, the link is less likely to be deeply inspected.
  • Link to auto-download of a suspicious file type: The link auto-downloads a VBE file, which is often used to deliver malware.
  • Mismatched sender and reply-to: The message’s from address doesn’t match the reply-to. We typically observe this when the adversary has compromised an account to send the initial message, but may lose access, so they redirect replies to an account they own.
  • Unknown sender: The sender has rarely, if ever, communicated with anyone at the targeted organization.

Sublime detects and prevents malware/ransomware delivery and other email based threats. Deploy a free instance today.

Heading

About the authors

Threat Detection Team
Threat Detection Team
Sublime

The Threat Detection team at Sublime is responsible for monitoring environments to discover emerging email attacks and developing new Detection Rules for the Core Feed.

Get the latest

Sublime releases, detections, blogs, events, and more directly to your inbox.

check
Thank you!

Thank you for reaching out.  A team member will get back to you shortly.

Oops! Something went wrong while submitting the form.

Related Articles

December 4, 2025
Sublime’s AI agents are just the tip of the platform
Machine learning

Sublime’s AI agents are just the tip of the platform

Aryan LuthraPerson
Aryan Luthra
ML Researcher
Person
November 21, 2025
You’ve been invited to join a Meta for Business scam!
Attack spotlight

You’ve been invited to join a Meta for Business scam!

Luke WescottPerson
Luke Wescott
Detection
Person
November 13, 2025
Salesforce infrastructure abuse: Stopping email scams and spam sent via SFDC
Attack spotlight

Salesforce infrastructure abuse: Stopping email scams and spam sent via SFDC

Brandon MurphyPerson
Brandon Murphy
Detection
Person
See all blog posts

Now is the time.

See how Sublime delivers autonomous protection by default, with control on demand.

Get started
Get a demo
BG Pattern
Sublime Logo
Resources
BlogEvents
Community slack
Resource center
EML Analyzer
Sublime Core Feed
API reference
Documentation
Security at SublimeICS Phishing Playbook
©2025 Sublime Security, Inc.
TermsPrivacySecurityDisclosurePrivacy choices