Meta vs. NSO: The Pivot from Zero-Click to Spear-Phishing
Saw the news dropped earlier regarding Meta filing a contempt order against NSO Group. It seems the permanent injunction from 2019 didn't exactly deter them; it just forced a pivot in TTPs.
According to the report, NSO is moving away from their notorious zero-click exploits and back to good old-fashioned spear-phishing. They are attempting to trick users into clicking malicious links that route to external domains. While zero-clicks are terrifying, this vector actually gives defenders a fighting chance. We can block the domain, analyze the landing page, or catch the redirect.
I've been updating our IOC lists to account for this shift. Since the attack relies on user interaction, we're seeing a lot of suspicious URL shorteners and lookalike domains in our proxy logs.
For those hunting for this, I threw together a quick Python snippet to scan exported proxy logs for high-entropy domains often used in these campaigns:
import re
import math

def get_shannon_entropy(string):
    # Probability of each distinct character; dict.fromkeys() de-duplicates
    # while preserving order.
    probability = [float(string.count(c)) / len(string) for c in dict.fromkeys(string)]
    # Shannon entropy in bits per character (log base 2).
    entropy = -sum([p * math.log(p) / math.log(2.0) for p in probability])
    return entropy

log_entry = "User clicked: http://x8f9a2d1-verify-login[.]net"
# Extract URL (simplified regex); the capture group is everything after the scheme
url_match = re.search(r'http[s]?://([^\s]+)', log_entry)
if url_match:
    domain = url_match.group(1)
    if get_shannon_entropy(domain) > 3.5:
        print(f"[ALERT] High entropy domain detected: {domain}")
It's basic, but high entropy is a solid baseline for detecting the randomly generated domains often used by these vendors. Anyone else seeing similar patterns in their telemetry, or are people still relying mostly on mobile EDR alerts?
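As an added example (my own code, not the OP's script and not part of the original thread), here is the same entropy idea extended to a batch of exported proxy lines: it undoes the `[.]` defanging, normalises the URL to its hostname, measures entropy on the attacker-chosen second-level label only, and adds the two other signals the post mentions, URL shorteners and brand lookalikes. The brand list, shortener list, allowlist, edit-distance threshold and the sample log lines are all constructed for illustration and should be tuned to your own environment.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real telemetry). "[.]" is the usual
# defanging convention and is normalised before parsing.
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z user=alice action=GET url=http://x8f9a2d1-verify-login[.]net/wa",
    "2024-05-01T10:03:45Z user=bob action=GET url=https://web.whatsapp.com/",
    "2024-05-01T10:05:09Z user=carol action=GET url=https://whatsapp-web-verify.com/login",
    "2024-05-01T10:06:30Z user=dave action=GET url=https://bit.ly/3xAmpl3",
    "2024-05-01T10:07:02Z user=erin action=GET url=https://docs.python.org/3/library/re.html",
]

# Assumed/constructed lists; replace with your own brand, shortener and allowlist data.
BRANDS = ["whatsapp", "facebook", "instagram", "meta"]
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}
ALLOWLIST = {"whatsapp.com", "facebook.com", "instagram.com", "meta.com"}
ENTROPY_THRESHOLD = 3.5   # same baseline as the OP's snippet

URL_RE = re.compile(r"https?://[^\s\"']+")


def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_domain(host):
    # Naive "last two labels" rule; use a public-suffix list in production
    # so that co.uk-style suffixes are handled correctly.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats of a brand name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(host):
    """Return the brand a host appears to impersonate, or None.

    Flags hosts that embed a brand name but are not on the allowlist, and
    hostname labels within edit distance 2 of a brand (typosquats)."""
    if registrable_domain(host) in ALLOWLIST:
        return None
    lowered = host.lower()
    labels = lowered.replace("-", ".").split(".")
    for brand in BRANDS:
        if brand in lowered:
            return brand
        for label in labels:
            if len(label) >= 5 and edit_distance(label, brand) <= 2:
                return brand
    return None


def analyse_line(line):
    """Return (host, reasons) for a log line, or None if it carries no URL."""
    m = URL_RE.search(line)
    if not m:
        return None
    url = m.group(0).replace("[.]", ".")      # undo defanging
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    reasons = []
    if reg in ALLOWLIST:
        return host, reasons
    if reg in SHORTENERS:
        reasons.append("url-shortener")
    # Entropy over the second-level label only: the TLD and the dots are not
    # chosen by the attacker and would distort the score.
    ent = shannon_entropy(reg.split(".")[0])
    if ent > ENTROPY_THRESHOLD:
        reasons.append(f"high-entropy({ent:.2f})")
    brand = lookalike_brand(host)
    if brand:
        reasons.append(f"lookalike({brand})")
    return host, reasons


def scan(lines):
    """Map each flagged host to its list of reasons; clean hosts are omitted."""
    hits = {}
    for line in lines:
        result = analyse_line(line)
        if result and result[1]:
            hits[result[0]] = result[1]
    return hits


if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOGS).items():
        print(f"[ALERT] {host}: {', '.join(reasons)}")
```

Two things worth noting from running it on the sample lines: the entropy score grows with label length, so a 3.5 threshold also fires on a long, readable name such as `whatsapp-web-verify` (which here is caught by the lookalike check as well), and the allowlist is applied on the registrable domain, so `web.whatsapp.com` is never scored at all. Treat entropy as one weak signal to combine with the others, not as a verdict on its own.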
Nice script. We've been relying mostly on Mobile Threat Defense (MTD) solutions to catch the browser launch from the WhatsApp app sandbox. The pivot to phishing is interesting—it implies that patching the zero-days is finally working, or the cost of development is getting too high compared to social engineering.
From a pentesting perspective, this is actually 'easier' for them to scale. No need to buy a new zero-day for every iOS update; just register a domain that looks like a WhatsApp login portal. We've seen a spike in credential harvesting pages mimicking the WhatsApp Web QR code landing page.
The legal aspect is fascinating but ultimately useless for day-to-day defense. Whether they are in contempt or not, the spam filters still need to catch the emails or SMS messages. We've added specific YARA rules for the HTML templates of these fake login portals, which has been fairly effective.