Just as security professionals will tell you that layered defensive strategies are the best way to stave off successful attacks, attackers often take precisely the same layered approach when executing their cyber attacks. Two-step phishing attacks have, in the words of security researchers from Perception Point, “become a cornerstone of modern cybercrime,” leveraging trusted platforms “to deliver malicious content in layers to evade detection.” Everything changes, but everything stays the same. Those same researchers have warned of a new attack methodology that employs these 2SP tactics but uses Microsoft Visio files as a fresh evasion technique. Here’s what you need to look out for and what steps you can take to mitigate the risk of falling victim to these new 2SP cyber attacks.

Two-Step Cyber Attacks Are The Pinnacle Of Phishing By Design

A new analysis published by Peleg Cabra, the product marketing manager at Perception Point, has revealed how security researchers working for the vendor have found threat actors increasingly turning to Microsoft Visio .vsdx files to evade detection during credential-stealing cyber attacks.

Because Visio is a commonly used workplace tool for visualizing complex data or workflows, .vsdx files fit nicely into the threat actor strategy of “harmless familiarity” that lies at the heart of many a phishing attack. Now, the Perception Point researchers said, those same files are being weaponized to deliver malicious URLs as part of a two-step phishing scenario: drop the lure, set the trap.

Describing what they referred to as a “dramatic increase in two-step phishing attacks leveraging .vsdx files,” the security researchers explained that the cyber attacks represented “a sophistication of two-step phishing tactics, targeting hundreds of organizations worldwide with a new layer of deception designed to evade detection and exploit user trust.”

Evolution Of The Two-Step Phishing Cyber Attacks

If such a warning were necessary, here it comes: email account security is vital if cyber attacks such as these latest two-step phishing ones are to be stopped. Why so? Because, the researchers said, the attacks start with threat actors using breached email accounts to send messages that pass basic authentication checks, since they genuinely originate from the legitimate domains.

These emails contain a common phishing component designed to lure the recipient into the trap: a business proposal or a purchase order, accompanied by an urgent request to view and respond to it. Of course, when the victim does just that and clicks the URL, they are led to the trap itself: often a compromised Microsoft SharePoint page, but in any case one that hosts a .vsdx Visio file. The layers of the cyber attack start unraveling at this point, with another URL embedded in that file behind what the researchers described as a clickable call-to-action, most commonly a “view document” button.

Please Hold Down The Ctrl Key Is An Instruction In These Newly Uncovered 2SP Cyber Attacks

This is where these 2SP cyber attacks get really clever, although I hate applying that word to cybercriminals. “To access the embedded URL, victims are instructed to hold down the Ctrl key and click,” the Perception Point researchers said, “a subtle yet highly effective action designed to evade email security scanners and automated detection tools.” By requiring this human interaction, the attackers hope to bypass automated systems that don’t expect such behavior in an attack.
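The two preceding passages describe what a defender can actually look for in the lure file itself: a .vsdx is an Office Open XML zip package, so the “view document” link and the Ctrl-click instruction both live in XML parts that a mail gateway can inspect without rendering the diagram. The following scanner is an added example written for this article, not code from Perception Point or Microsoft. It builds a constructed sample package in memory (the part layout, a `Hyperlink` section with an `Address` cell and a `.rels` entry with `TargetMode="External"`, is an assumption about Visio's format used for illustration, and the URLs are placeholders, not indicators from the report), then inventories every outbound URL and any shape text that coaches the reader to Ctrl-click.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a minimal zip container shaped like a .vsdx (OPC) package.
# The part layout (visio/pages/page1.xml carrying a Hyperlink section, plus a
# .rels part with an external hyperlink target) is an assumption about Visio's
# format used only for illustration; the URLs are placeholders, not real IoCs.
SAMPLE_PAGE_XML = """<?xml version="1.0" encoding="utf-8"?>
<PageContents xmlns="http://schemas.microsoft.com/office/visio/2012/main">
  <Shapes>
    <Shape ID="1" Type="Shape">
      <Text>View Document</Text>
      <Section N="Hyperlink">
        <Row N="Row_1">
          <Cell N="Address" V="https://login-example.invalid/m365/signin"/>
          <Cell N="Description" V="View Document"/>
        </Row>
      </Section>
    </Shape>
    <Shape ID="2" Type="Shape">
      <Text>Hold down the Ctrl key and click to open</Text>
    </Shape>
  </Shapes>
</PageContents>
"""

SAMPLE_PAGE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
    Target="https://cdn-example.invalid/doc/view" TargetMode="External"/>
</Relationships>
"""

# Hosts that appear in every OOXML part as namespace/schema URIs, not as lure links.
SCHEMA_HOSTS = {"schemas.microsoft.com", "schemas.openxmlformats.org", "www.w3.org"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Wording the report associates with the lure: the Ctrl-click instruction and the button label.
LURE_TEXT_RE = re.compile(r"\bctrl\b|view document", re.IGNORECASE)


def build_sample_vsdx() -> bytes:
    """Assemble the constructed sample package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("visio/pages/page1.xml", SAMPLE_PAGE_XML)
        zf.writestr("visio/pages/_rels/page1.xml.rels", SAMPLE_PAGE_RELS)
    return buf.getvalue()


def _is_schema_uri(url: str) -> bool:
    return urlsplit(url).hostname in SCHEMA_HOSTS


def _local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def scan_vsdx(vsdx_bytes: bytes) -> dict:
    """Inventory URLs and lure text in a .vsdx package.

    Returns sorted lists: 'hyperlinks' (Address cells in Hyperlink sections),
    'external_rels' (TargetMode="External" relationships), 'any_url' (regex
    sweep over every XML part, schema URIs removed) and 'lure_text' (shape
    text matching the Ctrl-click / "view document" wording).
    """
    hits = {"hyperlinks": set(), "external_rels": set(), "any_url": set(), "lure_text": set()}
    with zipfile.ZipFile(io.BytesIO(vsdx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".xml", ".rels")):
                continue
            data = zf.read(name)
            # Catch-all sweep: URLs placed in unexpected parts still surface.
            for url in URL_RE.findall(data.decode("utf-8", "replace")):
                if not _is_schema_uri(url):
                    hits["any_url"].add(url)
            try:
                root = ET.fromstring(data)
            except ET.ParseError:
                continue  # malformed part: the regex sweep above already covered it
            for el in root.iter():
                tag = _local_name(el.tag)
                if tag == "Relationship" and el.get("TargetMode") == "External":
                    hits["external_rels"].add(el.get("Target", ""))
                elif tag == "Section" and el.get("N") == "Hyperlink":
                    for cell in el.iter():
                        if _local_name(cell.tag) == "Cell" and cell.get("N") == "Address" and cell.get("V"):
                            hits["hyperlinks"].add(cell.get("V"))
                elif tag == "Text" and el.text and LURE_TEXT_RE.search(el.text):
                    hits["lure_text"].add(el.text.strip())
    return {k: sorted(v) for k, v in hits.items()}


def is_suspicious(report: dict) -> bool:
    """Flag a diagram that both carries outbound links and coaches the reader to click them."""
    has_links = bool(report["hyperlinks"] or report["external_rels"])
    return has_links and bool(report["lure_text"])


if __name__ == "__main__":
    report = scan_vsdx(build_sample_vsdx())
    for key, values in report.items():
        print(f"{key}: {values}")
    print("suspicious:", is_suspicious(report))
```

The point of the three separate URL lists is resilience: a gateway that only follows the structured `Hyperlink` section misses a link the attacker moved into a relationship target or an unusual part, while the regex sweep catches anything the parser does not understand. Every URL the scanner surfaces can then be handed to the same reputation and sandbox checks already applied to links in the email body, which is exactly the stage the Ctrl-click instruction is meant to keep them away from.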

The victim is now redirected to another fake page, this time one that looks, to all intents and purposes, like a Microsoft 365 portal login page, designed, of course, to steal user credentials. There is no mention in the Perception Point report of this step including a session cookie compromise tactic, which means that one way to stop it from succeeding would be to have robust two-factor authentication in place for the account being targeted in such cyber attacks.
