Subject: Engage Report: Real phishing is only two step phishing
Tactics: TA0001 Initial Access
Technique: T1566.001 Phishing: Spearphishing Attachment
Procedure:
Threat actors initiate the attack by sending phishing emails from compromised accounts. These emails typically do not carry the malicious URL themselves; they link to a Microsoft Visio (.vsdx) file hosted on SharePoint, and the Visio drawing contains the malicious URL, which the recipient is instructed to open by holding Ctrl and clicking (the way Visio follows an embedded hyperlink). Splitting the lure across a trusted host and a document format that mail filters rarely inspect is what keeps the URL out of the message body.
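A .vsdx is an Office Open XML zip of XML parts, and the link the victim is told to Ctrl+click is stored in the shape's ShapeSheet Hyperlink section (the Address cell), so the file can be triaged without opening it in Visio. The following Python scanner is an added example and not code from the report or the campaign it describes: it pulls every URL out of a package (Hyperlink sections, external relationship targets, and a raw scan for anything URL-shaped in shape text or data fields) and flags hosts outside an allowlist. The sample package, the trusted host list and the suspicious hostname are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used inside a .vsdx package.
VISIO_NS = "http://schemas.microsoft.com/office/visio/2012/main"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Hosts that appear only as XML namespace / relationship-type URIs, never as link targets.
SCHEMA_HOSTS = {"schemas.microsoft.com", "schemas.openxmlformats.org", "www.w3.org", "purl.org"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_vsdx_urls(data: bytes) -> set[str]:
    """Return every URL embedded in a .vsdx package without rendering it in Visio."""
    urls: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith((".xml", ".rels")):
                continue
            part = zf.read(name)
            try:
                root = ET.fromstring(part)
            except ET.ParseError:
                root = None  # malformed part: still run the raw scan below
            if root is not None:
                # 1. ShapeSheet Hyperlink sections: this is what Ctrl+click follows.
                for section in root.iter(f"{{{VISIO_NS}}}Section"):
                    if section.get("N") != "Hyperlink":
                        continue
                    for cell in section.iter(f"{{{VISIO_NS}}}Cell"):
                        if cell.get("N") == "Address" and cell.get("V"):
                            urls.add(cell.get("V"))
                # 2. External relationship targets in any .rels part.
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External" and rel.get("Target"):
                        urls.add(rel.get("Target"))
            # 3. Raw scan for URL-shaped strings (shape text, comments, data fields),
            #    skipping the schema URIs that every OOXML part carries.
            for found in URL_RE.findall(part.decode("utf-8", "replace")):
                if urlparse(found).hostname not in SCHEMA_HOSTS:
                    urls.add(found)
    return urls


def triage_vsdx(data: bytes, trusted_hosts: set[str]) -> dict:
    """Split embedded URLs into all/suspicious using a hostname allowlist (assumed policy)."""
    urls = extract_vsdx_urls(data)
    suspicious = sorted(u for u in urls if urlparse(u).hostname not in trusted_hosts)
    return {"all": sorted(urls), "suspicious": suspicious}


def build_sample_vsdx() -> bytes:
    """Constructed minimal package with one Ctrl+click hyperlink and one external relationship.
    It mirrors the parts a scanner cares about; it is not a full Visio-openable drawing."""
    page_xml = f"""<?xml version="1.0" encoding="utf-8"?>
<PageContents xmlns="{VISIO_NS}">
 <Shapes>
  <Shape ID="1" Type="Shape">
   <Text>View Document</Text>
   <Section N="Hyperlink">
    <Row N="Row_1">
     <Cell N="Address" V="https://login-verify.example.net/auth"/>
     <Cell N="Description" V="Hold Ctrl and click to view"/>
    </Row>
   </Section>
  </Shape>
 </Shapes>
</PageContents>"""
    rels_xml = f"""<?xml version="1.0" encoding="utf-8"?>
<Relationships xmlns="{REL_NS}">
 <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://contoso.sharepoint.com/sites/hr/policy.pdf" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("visio/pages/page1.xml", page_xml)
        zf.writestr("visio/pages/_rels/page1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Assumed allowlist: the organisation's own SharePoint tenant (constructed name).
    report = triage_vsdx(build_sample_vsdx(), {"contoso.sharepoint.com"})
    for url in report["all"]:
        print(("SUSPICIOUS " if url in report["suspicious"] else "trusted    ") + url)
```

Run it against files pulled from the SharePoint site or from mail attachments; the raw scan (step 3) is deliberately kept even when the XML parses, because a URL pasted into shape text with a "copy this into your browser" instruction never appears in a Hyperlink section.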
Vulnerability:
EAV0001 When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
EAV0004 When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated from, or where a link is clicked.
Engagement Opportunity:
Deploy a controlled environment with a SharePoint page hosting a decoy Visio file whose embedded hyperlink points at defender-controlled infrastructure. Monitor interactions with the page and the file, and log every attempt to follow the embedded URL (the phishing email instructs the recipient to hold down Ctrl while clicking, which is how Visio follows a hyperlink, so a hit on the decoy URL means someone opened the file and obeyed the instruction). Because the adversary has no control over where that link is clicked from (EAV0004), each hit yields the source address, user agent and timing of whoever followed it, which helps identify compromised accounts as well as the attacker's infrastructure and techniques.
Threat Actor: Unknown
Threat Objective:
To steal user credentials and potentially gain further access to sensitive information and systems within the targeted organizations.
Deception Opportunity:
Create a deceptive SharePoint page with a fake Visio file containing a decoy URL that leads to a controlled environment. This can lure attackers into interacting with the decoy, allowing defenders to observe their behavior, collect valuable threat intelligence, and potentially identify the attackers.
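The Engagement Opportunity and the Deception Opportunity above both depend on the same bookkeeping: knowing which recipient's copy of the decoy was followed, from where, and by what. The following Python is an added example and not part of the report. It assumes each recipient's decoy Visio file carries a unique token under a hypothetical `/d/<token>` path on the controlled server, parses Combined Log Format lines from that server, maps tokens back to mailboxes, and flags links followed from more than one source or by non-browser tooling. The token map, log lines and addresses are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed mapping: token embedded in each recipient's decoy hyperlink -> mailbox it was sent to.
DECOY_TOKENS = {
    "a1f3e9": "alice@contoso.example",
    "7b2c0d": "bob@contoso.example",
}

# Combined Log Format as written by Apache/nginx on the controlled server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Hypothetical decoy path scheme: /d/<6 hex chars>, optionally followed by a query or sub-path.
TOKEN_RE = re.compile(r"^/d/(?P<token>[0-9a-f]{6})(?:[/?].*)?$")
# Assumed fingerprint of scripted fetches (attacker tooling or a sandbox) rather than a person's browser.
AUTOMATION_RE = re.compile(r"curl|wget|python-requests|go-http-client|libwww", re.I)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Nov/2024:09:14:02 +0000] "GET /d/a1f3e9 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '198.51.100.7 - - [12/Nov/2024:09:14:05 +0000] "GET /d/a1f3e9 HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '203.0.113.10 - - [12/Nov/2024:09:20:41 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [12/Nov/2024:10:02:17 +0000] "GET /d/ffffff HTTP/1.1" 404 0 "-" "curl/8.4"',
]


def parse_decoy_hits(lines):
    """Return one record per request that targeted a decoy token path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        t = TOKEN_RE.match(m["path"])
        if not t:
            continue  # ordinary request, not a decoy link
        token = t["token"]
        hits.append({
            "token": token,
            "recipient": DECOY_TOKENS.get(token, "unknown-token"),
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "ua": m["ua"],
            "automated": bool(AUTOMATION_RE.search(m["ua"])),
        })
    return hits


def summarize(hits):
    """Per recipient: hit count, distinct sources, scripted sources, and a multi-source flag.
    A decoy sent to one mailbox but followed from several addresses means more than the
    intended user has the link: the attacker (or their sandbox) is reading that mailbox."""
    by_recipient = defaultdict(list)
    for h in hits:
        by_recipient[h["recipient"]].append(h)
    summary = {}
    for recipient, hs in by_recipient.items():
        ips = sorted({h["ip"] for h in hs})
        summary[recipient] = {
            "hits": len(hs),
            "source_ips": ips,
            "automated_sources": sorted({h["ip"] for h in hs if h["automated"]}),
            "multi_source": len(ips) > 1,
            "first_seen": min(h["time"] for h in hs).isoformat(),
        }
    return summary


if __name__ == "__main__":
    for recipient, info in summarize(parse_decoy_hits(SAMPLE_LOG)).items():
        print(recipient, info)
```

Unknown tokens are kept rather than dropped: a request for a token that was never issued is someone probing the decoy host, which is itself intelligence. Tokens should be unguessable (the six-hex-character form here is only to keep the sample readable), otherwise enumeration would pollute the recipient mapping.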
Sensor Data Placement: Application
Observable Level: Core to Some Implementations of (Sub-)Technique
Scoring Rationale:
The use of Visio files in phishing attacks is a relatively new tactic, but it is becoming more prevalent. This technique is not universally employed by all adversaries but represents a core implementation of the broader phishing and spearphishing techniques.
Link to Report:
Link to Report II.:
Additional Comments:
The increasing use of trusted platforms and file formats like SharePoint and Visio in phishing attacks highlights the need for organizations to enhance their email security measures (in particular, to inspect links inside documents reached from a message, not only links in the message body, since the SharePoint host itself will pass reputation checks) and their user awareness training (an instruction to hold Ctrl while clicking inside a document is itself a warning sign).
Possible elements: Deceptive Email with Hidden Links, Deceptive Phishing Email with Delayed Delivery, Honeypot MS Exchange
MSG (Pseudocode):
# Malicious Sub-Graph Standard
# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])
# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])
# Example: Visio Phishing Attack Graph
[1]: Resource Development [TA0042] - Stage Capabilities [T1608]: Link Target [T1608.005] - Host Visio file with embedded malicious URL on SharePoint (Core to Some Implementations of (Sub-)Technique)
[2]: Initial Access [TA0001] - Phishing [T1566]: Spearphishing Attachment [T1566.001] - Send phishing email from a compromised account with SharePoint link to the Visio file and a Ctrl+click instruction (Core to Some Implementations of (Sub-)Technique)
[3]: Execution [TA0002] - User Execution [T1204]: Malicious Link [T1204.001] - Victim Ctrl+clicks the link inside the Visio file and is redirected to the phishing page (Core to Some Implementations of (Sub-)Technique)
[4]: Credential Access [TA0006] - Input Capture [T1056]: Web Portal Capture [T1056.003] - Capture user credentials on fake Microsoft 365 login page (Core to Some Implementations of (Sub-)Technique)
1 --> 2 (Trusted platform: SharePoint-hosted file passes URL reputation checks)
2 --> 3 (Lack of User Awareness; EAV0004: adversary has no control over where the link is clicked)
3 --> 4 (Lack of User Awareness; EAV0001: adversary collects credentials that the defender can manipulate)
# Pseudocode Standard
# Function Format:
# function [Tactic]_[Technique]([Input]):
# [Procedure]
# return [Output]
# Example: Visio Phishing Pseudocode
function Resource_Development_Stage_Capabilities(phishing_url):
    # Host Visio file on SharePoint; its embedded hyperlink points at phishing_url
    return sharepoint_link
function Initial_Access_Phishing(target_email, sharepoint_link):
    # Send phishing email from a compromised account carrying sharepoint_link and the Ctrl+click instruction
    return visio_file
function Execution_User_Execution(visio_file):
    # Victim opens the Visio file and Ctrl+clicks the embedded link; it resolves (via redirect) to phishing_page
    return phishing_page
function Credential_Access_Input_Capture(phishing_page):
    # Fake Microsoft 365 login page captures the submitted credentials (web portal capture)
    return stolen_credentials