A campaign is discovered that uses shipping-themed emails to deliver the Agent Tesla malware. The email contains shipping information usually found on a bill of lading and contains specific information such as the captain’s name, type of vessel, and other particulars. Victims are encouraged to download the attachment, in this case a .CAB file, and give the file a certain naming scheme. The actor uses an imposter email address to add credibility to the email; additionally, the actor also uses actual ship names in the email. The area reported as the destination matches the actual area of shipment for that particular ship. The attachments are usually between 500k and 1.5m in size and could either have zero detections in VirusTotal or more than 50 depending on the attachment. There have been several hundred different samples obtained. Stolen data is exfiltrated via HTTPS or SMTPS (using port 587). It is also revealed that the email addresses used for exfiltration are often legitimate email addresses within the shipping companies mentioned, indicating success in obtaining credentials for compromised email accounts. Agent Tesla exfiltrates stolen data via HTTPS, and more commonly, over email (SMTPS, tcp/587). While the former (HTTPS) destinations tend to be rather random, the latter (email) destinations are often hosted on email domains that also belong to shipping companies. This indicates that the campaign is likely successful to some extent, and over the months in fact has managed to steal valid email credentials (and probably more than that) from firms in the shipping and logistics sector.