Researchers at ReliaQuest have published a report on a phishing breach in the manufacturing sector that went from initial access to lateral movement in just 48 minutes.
The attackers began by swamping users with spam emails, then posed as tech support and offered assistance in stopping the flood of spam.
“To gain entry into the organization’s network, the threat actor used social engineering and end-user manipulation,” the researchers write. “More than 15 users were targeted with a flood of spam emails. Next, the threat actor sent a Teams message using an external ‘onmicrosoft.com’ email address. These domains are simple to set up and exploit the Microsoft branding to appear legitimate. The threat actor posed as an IT help-desk employee, likely pretending to assist users with the flood of emails that was preventing them from working—a common tactic used by ransomware groups like Black Basta.”
After this, the attackers contacted the targeted employees via Microsoft Teams and convinced them to open the built-in Windows tool Quick Assist and grant the attackers remote control of their computers.
“The threat actor then used Teams to call at least two users and convinced them to open the remote-access tool Quick Assist, join a remote session, and grant control of their machines,” the researchers write. “Quick Assist, native to Windows hosts, is often used in these attacks because attackers can easily convince users to open it and join a remote session using a code. In this incident, one user granted the threat actor control of their machine for over 10 minutes, giving the threat actor ample time to progress their attack.”
ReliaQuest notes that this social engineering technique can bypass security filters since it tricks the user into performing a malicious action without clicking a link or downloading an attachment. The attack also uses legitimate tools to gain access, rather than malware.
“This tactic of using email spam instead of malicious links or attachments is particularly effective because the emails themselves aren’t inherently malicious, leaving security tools with nothing to detect,” the researchers write.
“Moreover, the end user doesn’t need to interact with the email directly. Instead, the flood of spam makes the target’s inbox unusable, giving the threat actor a plausible reason to pose as IT staff offering to resolve the issue. This low-tech but highly effective method allows threat actors to gain initial access and convince users to grant them control of their machines. Given its success, it’s likely that other threat groups will adopt this technique in the near future.”
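The report's point is that none of the three pieces of the chain looks malicious on its own: the spam is just spam, the Teams message comes from a legitimate-looking Microsoft tenant, and Quick Assist is a signed Windows binary. What a defender can detect is the sequence. The following is an added example (not code from ReliaQuest's report or from KnowBe4) that correlates three constructed telemetry streams per user: a mail-volume spike, an external Teams message from a foreign `onmicrosoft.com` tenant, and a Quick Assist process start shortly afterwards. The pipe-delimited log format, the thresholds, the time windows and the tenant name `contoso.onmicrosoft.com` are all assumptions for the sake of the example; real deployments would pull these fields from the mail gateway, Teams audit logs and EDR process telemetry.

```python
"""Correlate spam flood -> external Teams contact -> Quick Assist launch per user.

Added example; the log format, thresholds and tenant name below are assumptions,
not values from the incident report.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

SPAM_THRESHOLD = 50                      # messages to one mailbox inside SPAM_WINDOW
SPAM_WINDOW = timedelta(minutes=10)
FOLLOW_UP_WINDOW = timedelta(minutes=60)  # max gap between consecutive stages
ORG_TENANT = "contoso.onmicrosoft.com"   # hypothetical: the organisation's own tenant
REMOTE_TOOLS = {"quickassist.exe"}       # image names treated as remote-control tools


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str     # "mail" | "teams" | "process"
    detail: str   # sender address for mail/teams, image name for process


def parse_events(lines):
    """Parse 'ISO-timestamp|user|kind|detail' lines into time-sorted Events."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, kind, detail = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), user.lower(), kind, detail))
    return sorted(events, key=lambda e: e.ts)


def spam_flood_starts(events):
    """Sliding window: {user: time at which inbound mail first crossed the threshold}."""
    window = defaultdict(deque)
    first_crossing = {}
    for e in events:
        if e.kind != "mail":
            continue
        q = window[e.user]
        q.append(e.ts)
        while q and e.ts - q[0] > SPAM_WINDOW:
            q.popleft()
        if len(q) >= SPAM_THRESHOLD and e.user not in first_crossing:
            first_crossing[e.user] = e.ts
    return first_crossing


def is_external_tenant_sender(addr):
    """True for a Microsoft-hosted tenant domain that is not our own tenant."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain.endswith(".onmicrosoft.com") and domain != ORG_TENANT


def _within(start, ts):
    return start <= ts <= start + FOLLOW_UP_WINDOW


def correlate(lines):
    """Return alerts; 'high' when all three stages chain, 'medium' without the flood."""
    events = parse_events(lines)
    floods = spam_flood_starts(events)
    teams_after_flood, teams_any, alerts = {}, {}, []
    for e in events:
        if e.kind == "teams" and is_external_tenant_sender(e.detail):
            teams_any.setdefault(e.user, e.ts)
            flood_at = floods.get(e.user)
            if flood_at is not None and _within(flood_at, e.ts):
                teams_after_flood.setdefault(e.user, e.ts)
        elif e.kind == "process" and e.detail.lower() in REMOTE_TOOLS:
            if e.user in teams_after_flood and _within(teams_after_flood[e.user], e.ts):
                severity = "high"
            elif e.user in teams_any and _within(teams_any[e.user], e.ts):
                severity = "medium"
            else:
                continue  # Quick Assist with no suspicious Teams contact: no alert
            alerts.append({"user": e.user, "severity": severity,
                           "flood_at": floods.get(e.user),
                           "teams_at": teams_any[e.user], "remote_tool_at": e.ts})
    return alerts


def build_sample_log():
    """Constructed sample telemetry (not data from the incident)."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    stamp = lambda delta: (t0 + delta).isoformat()
    lines = [f"{stamp(timedelta(seconds=6 * i))}|alice|mail|promo{i}@bulk-sender.example"
             for i in range(60)]                        # 60 mails in 6 minutes
    lines += [
        f"{stamp(timedelta(minutes=12))}|alice|teams|helpdesk@support-desk.onmicrosoft.com",
        f"{stamp(timedelta(minutes=20))}|alice|process|QuickAssist.exe",
        f"{stamp(timedelta(minutes=30))}|bob|teams|it@{ORG_TENANT}",      # own tenant
        f"{stamp(timedelta(minutes=35))}|bob|process|QuickAssist.exe",    # benign support
        f"{stamp(timedelta(minutes=40))}|carol|teams|support@random-tenant.onmicrosoft.com",
        f"{stamp(timedelta(minutes=45))}|carol|process|quickassist.exe",  # no flood first
    ]
    return lines


if __name__ == "__main__":
    for alert in correlate(build_sample_log()):
        print(alert)
```

Running it yields a high-severity alert for `alice` (all three stages inside the windows) and a medium one for `carol` (external tenant contact followed by Quick Assist, but no flood); `bob`, whose help-desk message came from the organisation's own tenant, produces nothing. The severity split matters operationally: the flood is what gives the impersonation its pretext, so its presence is what separates this pattern from an ordinary support session.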
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Ars Technica has the story.