Threat Hunting Scenario: Phishing with Tycoon 2FA

Attackers are using the Tycoon 2FA phishing kit to steal user credentials and bypass multifactor authentication.

Hunting 4 Two Way Phish

Attackers are using phishing emails to deliver malicious Microsoft Visio attachments that redirect to credential harvesting pages.

Suspected TTPs:

  • Spearphishing Attachment [T1566.001]
  • Exploit Public-Facing Application [T1190]
  • Drive-by Compromise [T1189]
  • Command and Control [T1071]
  • Exfiltration [TA0010]
  • Impact [TA0040]

Engage Report: Real phishing is only two-step phishing

Threat actors initiate the attack by sending phishing emails from compromised accounts. These emails often contain a Microsoft Visio (.vsdx) file hosted on SharePoint, which is used to deliver malicious URLs.

EU Phishing Campaign

The threat actors utilized phishing emails with attached PDF documents or embedded HTML links. These emails targeted European companies and organizations, aiming to harvest account credentials and take over the victim’s Microsoft Azure cloud infrastructure.

Deceptive Phishing Campaigns

Goal: Identify susceptible individuals and gather information about ongoing phishing campaigns.

Approach: Launching controlled phishing campaigns with deceptive lures.

Conduct internal phishing campaigns with fake but believable phishing emails. Track who clicks on links, downloads attachments, or submits sensitive information. This reveals which individuals are susceptible and gathers intelligence about the lures and tactics attackers are currently using.

DarkComet RAT – Phishing

The attacker sent a spearphishing email containing a malicious Microsoft Word document (.doc) as an attachment. This document exploits a vulnerability (CVE-2012-0158) to execute embedded malicious code, ultimately leading to the download and execution of the DarkComet RAT payload.