Hunting 4 Two Way Phish

Name:
Hunting 4 Two Way Phish

TTP:
T1566 Phishing

Hypothesis:

Attackers are using phishing emails to deliver malicious Microsoft Visio attachments that redirect to credential harvesting pages.

Suspected TTPs:

  • Spearphishing Attachment [T1566.001]
  • Exploit Public-Facing Application [T1190]
  • Drive-by Compromise [T1189]
  • Command and Control [T1071]
  • Exfiltration [TA0010]
  • Impact [TA0040]

Campaign Type:
Data Driven

Data Sources:

  • Email Gateway Logs
  • Web Proxy Logs
  • Endpoint Security Logs (e.g., Sysmon, EDR)
  • Network Traffic Logs

Tools:

  • PowerShell
  • Splunk
  • Sysmon
  • Wireshark

Scenario:

  • Initial Access: Attacker sends phishing emails with malicious Visio attachments.
  • Execution: Victim opens the attachment and clicks on the embedded malicious link.
  • Defense Evasion: Attacker may use obfuscation techniques to evade detection.
  • Discovery: Malware may gather system information, such as OS version, installed software, and network configuration.
  • Command and Control: Malware may establish communication with a C2 server.
  • Exfiltration: Sensitive data, such as login credentials, may be exfiltrated to the C2 server.
  • Impact: Attacker gains access to sensitive information, potentially leading to further attacks or data breaches.

Hunting Strategy:

  1. Analyze Email Gateway Logs for emails with Visio attachments and suspicious URLs.
  2. Correlate the events and identify any patterns or anomalies.
  3. Investigate any outliers or suspicious events.
  4. Analyze web proxy logs for any communication with known malicious IP addresses or domains.
  5. Analyze endpoint security logs for any suspicious process execution or network connections.
  6. Analyze network traffic logs for any communication patterns indicative of command and control or data exfiltration.
  7. Validate potential threats by checking for known malicious file hashes or signatures.
  8. Remediate by removing the attacker’s access and patching any vulnerabilities that were exploited.
  9. Report findings and recommendations to the organization.

Recommendations:

  • Implement strong password policies and multi-factor authentication.
  • Monitor for any unauthorized access to sensitive data.
  • Keep systems and applications up-to-date with the latest security patches.
  • Educate users about phishing attacks and how to identify suspicious emails.
  • Block or quarantine emails with suspicious attachments, especially those with embedded URLs.

Threat Hunting Emulation: Two-Step Phishing Attack Using Microsoft Visio Files

Objective:

  • Emulate a two-step phishing attack using a malicious Microsoft Visio file.
  • Generate representative security events for analysis and detection.

Target Techniques:

  • Spearphishing Attachment [T1566.001]
  • Exploit Public-Facing Application [T1190]
  • Drive-by Compromise [T1189]

Environment:

  • Controlled test environment mirroring your production environment.
  • Security monitoring tools (SIEM, EDR) configured for event collection.
  • Necessary auditing policies enabled.

Emulation Steps:

  1. Malicious Visio File Creation:
    • Create a Visio file (.vsdx) and embed a malicious URL linking to a credential harvesting page.
    • Obfuscate the URL using various techniques (e.g., encoding, shortening services).
  2. Phishing Email Delivery:
    • Craft a convincing phishing email with the malicious Visio file as an attachment.
    • Deliver the email to a designated test account within your environment.
  3. Victim Interaction:
    • Access the test account and open the Visio file.
    • Click on the embedded malicious link.
  4. Credential Harvesting Page:
    • Set up a controlled credential harvesting page mimicking a legitimate service.
    • Capture any submitted credentials for analysis.
  5. Post-Exploitation Activities (Optional):
    • Simulate additional attack stages, such as command and control communication or data exfiltration.

Evaluation:

  • Monitor security alerts and events generated during the emulation.
  • Analyze the effectiveness of your email security, web filtering, and endpoint protection solutions.
  • Identify any gaps in your defenses and refine your detection rules.

Note:

  • Conduct all activities in a controlled environment; do not impact production systems.
  • Use benign tools and scripts to avoid damage or data loss.
  • Document all steps and findings for future reference.

False Positive Consideration:

  • Legitimate Visio files may contain links to external resources.
  • Network traffic to legitimate websites may be flagged as suspicious.

D3 Diagram: