Overview:
In a campaign targeting hundreds of organizations worldwide, cyber criminals are exploiting Microsoft Visio files (.vsdx) and SharePoint to execute two-step phishing attacks.
With malicious URLs embedded in the .vsdx format files, as to bypass traditional security measures, this cyber criminal campaign is reaching end-users.
Ultimately, victimization can lead to Microsoft 365 account credential theft, account takeovers, Man-in-the-Middle attacks, and more.
How it Works:
A cyber attacker starts with a compromised email account, using it to send a seemingly legitimate message to a contact. The message contains an urgent request, saying that the recipient needs to review important documents.
Inevitably, there is a malicious (.eml) file attached. The attachment contains a URL directing the recipient to a SharePoint page that hosts a Visio (.vsdx) file.
Prior to this point, cyber security researchers rarely observed cyber criminal use of .vsdx files – a file extension commonly used to save business images; flowcharts, network maps, and process charts.
Inside of the Visio file, a recipient will find another URL behind a clickable call-to-action. In most cases, this is labeled as a “View Document” button.
To open the URL’s landing page, the recipient is instructed to press the “Ctrl” key while clicking – a subtle, yet extremely effective attack set-up that evades email security scanners and automated detection tools.
The Final Stage of Deception:
If a user proceeds to interact with the Visio file by holding the Ctrl key while clicking, the individual is redirected to a fake Microsoft login page, which looks identical to the authentic Microsoft 365 portal.
Once a user inputs his or her standard login credentials, the credentials are within the cyber criminal’s control.
The cyber thief can then login to the individual’s account, and leverage the contact list to target additional individuals with phishing threats – increasing the probability of success due to the seemingly legitimate nature of the communication.
The threat actor can also potentially move forward with a Man-in-the-Middle attack, BEC attacks, CEO fraud, ransomware deployment or any of a number of other sophisticated cyber attack types.
The Future of Two-step Phishing Campaigns:
Cyber security professionals anticipate that two-step phishing threats will become increasingly common. The layering of evasion tactics effectively enables these emails to circumnavigate standard email security mechanisms.
In terms of two-step phishing threat trends, cyber security experts are newly observing the use of Scalable Vector Graphics (SVG) attachments as vehicles for threat delivery. SVG files can contain HTML and execute JavaScript, allowing for the deployment of eerily authentic looking credential-stealing forms or the delivery of malicious URLs.
Two-step Phishing Campaign Prevention Strategies:
As a cyber security leader for your organization, consider pursuing the following:
1. Enforce strict email authentication protocols. These include SPF, DKIM and DMARC; measures that can assist with the verification of incoming emails and that can limit the risks posed by compromised accounts.
2. Elevate employee awareness. Inform users about the potential for sophisticated phishing attempts that request Ctrl-key interactions. Consider presenting simulated phishing scenarios, involving Ctrl-key interactions, as to improve employee vigilance.
3. Leverage advanced threat detection. These types of systems can analyze the behavior of files and links in real-time. They can detect and block malicious content, even when it’s hidden within seemingly legitimate file formats (.vsdx or SVG).
Cyber security leaders should also prioritize solutions that offer sandboxing capabilities as to safely detonate suspicious files and URLs before they reach end-users.
If you would like to learn more about preventing two-step phishing threats or other email security threats, please reach out to one of our experts.