This element involves setting up a fake email server that appears legitimate but captures all incoming email, including phishing attempts and spam.
Rogue FTP/SFTP Server
This element involves setting up a fake file transfer server (FTP or SFTP) that mimics a legitimate one but captures the credentials and files an attacker submits and logs their activity.
Fake Social Media Posts
This element involves creating fake social media posts or activity that appear to originate from the user but are actually designed to mislead attackers.
Fake Search Queries
This element involves manipulating the user’s search engine query history to include fake or misleading search terms.
Hunting 4 Two Way Phish
Attackers are using phishing emails to deliver malicious Microsoft Visio attachments that redirect to credential harvesting pages.
Suspected TTPs:
- Spearphishing Attachment [T1566.001]
- Exploit Public-Facing Application [T1190]
- Drive-by Compromise [T1189]
- Command and Control [T1071]
- Exfiltration [TA0010]
- Impact [TA0040]
Engage Report: Real phishing is only two-step phishing
Threat actors initiate the attack by sending phishing emails from compromised accounts. These emails often contain a Microsoft Visio (.vsdx) file hosted on SharePoint, which is used to deliver the malicious URLs.
Fake Print Jobs
This element involves creating fake print jobs that appear to contain sensitive or confidential information but are actually filled with fabricated data or trigger alerts upon printing.
Fake Clipboard Content
This element involves manipulating the user’s clipboard to contain fake or misleading information.
Fabricated Application Logs
This element involves creating fake entries in the user’s application logs, indicating actions or events that did not actually occur.
Honeyfile Documents
This element involves creating fake office documents (e.g., spreadsheets, presentations, text documents) that appear to contain sensitive or confidential information but are actually filled with fabricated data or trigger alerts upon access.