Phishing by Design: Two-Step Attacks Using Microsoft Visio Files

Summary:
Perception Point researchers published a blog post on November 11, 2024, describing a dramatic increase in two-step phishing attacks that target hundreds of organizations by leveraging Microsoft Visio .vsdx files. Because .vsdx files are rarely used in phishing, weaponizing them exploits user trust in Microsoft’s reputation while adding a new layer of deception designed to evade detection. The weaponized files deliver malicious URLs that lead to a fake Microsoft login page used to harvest the target’s credentials. The attacks begin with the adversary using breached real email accounts to send phishing emails to their targets. These emails pass authentication checks such as SPF, reinforcing their legitimacy in the eyes of the victim and the organization’s security systems. Clicking the disguised malicious URL takes the victim to a SharePoint page hosting a Visio file; often the SharePoint account is compromised as well. Inside the Visio file, the adversary embeds a second URL, hidden behind a clickable call-to-action that requires the victim to interact. Clicking the embedded link redirects the victim to a carefully mimicked Microsoft 365 login page where the attackers harvest the credentials entered. When crafting the phishing emails, the adversary alternates between placing the URL directly in the message body and attaching an .eml file that contains it; in both cases the surrounding text describes the document as a business proposal or purchase order from one of the organization’s trusted vendors. The Visio files often incorporate the victim organization’s logos and branding to enhance their credibility. To reach the embedded URL, the target must click a “View Document” button inside the Visio file, a required interaction that helps attackers avoid automated detection tools.
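The second stage described above depends on a hyperlink embedded inside the .vsdx file. A .vsdx is an Open Packaging Conventions zip of XML parts, so a gateway or analyst can list every outbound link without opening the file in Visio. The scanner below is an added example, not code from Perception Point or Microsoft; it walks every XML part for http(s) attribute values and reads the package relationship files for relationships marked TargetMode="External", then reports links whose host is outside a trusted set. The sample package it builds is a constructed test fixture modelled on the Visio page-XML Hyperlink section, and all hosts in it are placeholders.

```python
"""Triage helper: list and flag hyperlinks embedded in a Visio .vsdx package.

Added example (not the advisory's or Microsoft's code). Assumptions, labelled:
- hyperlinks live in XML attribute values or in OPC *.rels External targets;
- the Hyperlink section layout in build_sample_vsdx() mirrors Visio page XML;
- TRUSTED_HOSTS is a constructed allowlist an organization would maintain.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

URL_RE = re.compile(r"^https?://", re.IGNORECASE)
# Schema namespaces appear as URLs in OPC parts; they are not navigable links.
KNOWN_SCHEMA_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com"}
TRUSTED_HOSTS = {"victim-org.example"}  # constructed allowlist for this example


def extract_links(vsdx_bytes: bytes) -> dict:
    """Return {url: [package parts that contain it]} for every http(s) link."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(vsdx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.endswith(".xml") or name.endswith(".rels")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a real triage tool would flag an unparseable part
            for elem in root.iter():
                tag = elem.tag.rsplit("}", 1)[-1]  # strip namespace
                attrs = elem.attrib
                if tag == "Relationship":
                    # Only External relationships point outside the package;
                    # the Type attribute is always a schema URL, so skip it.
                    if attrs.get("TargetMode") == "External":
                        target = attrs.get("Target", "")
                        if URL_RE.match(target):
                            found.setdefault(target, []).append(name)
                    continue
                for value in attrs.values():
                    if URL_RE.match(value):
                        found.setdefault(value, []).append(name)
    return found


def suspicious_links(links: dict, trusted_hosts: set) -> list:
    """Links whose host is neither a schema host nor in the trusted set."""
    out = []
    for url in links:
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_SCHEMA_HOSTS:
            continue
        if host in trusted_hosts or any(host.endswith("." + t) for t in trusted_hosts):
            continue
        out.append(url)
    return sorted(out)


def build_sample_vsdx() -> bytes:
    """Constructed fixture: one page whose shape carries a 'View Document'
    hyperlink plus one External relationship. Hosts are placeholders."""
    page_xml = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<PageContents xmlns="http://schemas.microsoft.com/office/visio/2012/main">'
        '<Shapes><Shape ID="1" Type="Shape">'
        '<Section N="Hyperlink"><Row N="Row_1">'
        '<Cell N="Description" V="View Document"/>'
        '<Cell N="Address" V="https://login-page.example.invalid/m365"/>'
        '</Row></Section></Shape></Shapes></PageContents>'
    )
    rels = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="https://victim-org.example/logo.png" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("visio/pages/page1.xml", page_xml)
        zf.writestr("visio/pages/_rels/page1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    links = extract_links(build_sample_vsdx())
    for url, parts in links.items():
        print(url, "<-", ", ".join(parts))
    print("suspicious:", suspicious_links(links, TRUSTED_HOSTS))
```

Run against a real attachment by replacing build_sample_vsdx() with the file's bytes. The point of the allowlist is that the link in the "View Document" button is the one that matters: a branded file hosted on a legitimate SharePoint tenant still fails the check if its call-to-action resolves to a host the organization has never seen.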

Security Officer Comments:
A critical component of this campaign is the compromised real accounts used to send the phishing emails and host the Visio files. Using these accounts to bypass automated security measures is integral to the success rate of these attacks. In a recent article, Microsoft discusses the increasing abuse of its legitimate hosting services and of others such as Dropbox. While exploiting trust in familiar tools, these adversaries use sophisticated tactics in the attack chain to avoid automated detection. Although Perception Point does not explain how the threat actors in this campaign gain initial access to the breached email accounts, in similar campaigns recently observed by Microsoft the initial stage of a typical attack chain involves compromising a user account belonging to a trusted vendor via password spraying or AiTM (adversary-in-the-middle) attacks and then using that account to move laterally.

Suggested Corrections:
Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask for sensitive data from their customers. If in doubt, users should verify with the company itself to avoid any potential issues.

Users should always take a close look at the sender’s display name when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.

As a general rule, users should not click links or download files even if they come from seemingly “trustworthy” sources.

Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering over it may reveal a different web address. In fact, users should avoid clicking links in emails unless they are certain that the link is legitimate.
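The two checks above (sender display name versus sending domain, and visible link text versus the actual href) can be automated at the mail gateway so that a user never has to hover. The script below is an added example, not code from the advisory or from Perception Point: it parses a message, reports a Reply-To domain that differs from the From domain, reports brand words in the display name that do not appear in the sending domain, and lists anchors whose visible text shows one host while the href points to another. The message, the BRAND_WORDS list and every host in it are constructed placeholders.

```python
"""Added example: header and link-text checks on an inbound message.

Assumptions, labelled: SAMPLE_EML is a constructed message with placeholder
hosts; BRAND_WORDS is a small constructed list an organization would extend.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands commonly impersonated in display names (constructed, extend as needed).
BRAND_WORDS = {"microsoft", "sharepoint", "office", "onedrive"}

# Constructed sample: display name claims Microsoft, sender is a vendor account,
# Reply-To goes elsewhere, and the visible link text differs from the href.
SAMPLE_EML = b"""\
From: "Microsoft SharePoint" <accounts@trusted-vendor.example>
Reply-To: replies@mailbox.example.invalid
To: user@victim-org.example
Subject: Purchase order 4471 shared with you
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A document has been shared with you.</p>
<a href="https://files.example.invalid/view">https://victim-org.example/po-4471</a>
<a href="https://trusted-vendor.example/unsubscribe">Unsubscribe</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Hostname of a URL or bare domain, lower-cased; '' if none."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def mismatched_links(html: str) -> list:
    """Anchors whose visible text names a host different from the href host."""
    parser = _LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        looks_like_address = "." in text and " " not in text
        shown = _host(text) if looks_like_address else ""
        if shown and shown != _host(href):
            out.append((text, href))
    return out


def _domain(header_value: str) -> str:
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_findings(msg) -> list:
    """Display-name brand words and Reply-To domain checked against From."""
    findings = []
    display, _ = parseaddr(msg.get("From", "") or "")
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for word in display.lower().split():
        if word in BRAND_WORDS and word not in from_dom:
            findings.append(f"display name mentions {word!r} but sender domain is {from_dom}")
    return findings


def analyze(raw: bytes) -> dict:
    """Run both checks; returns {'sender': [...], 'links': [(text, href), ...]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return {"sender": sender_findings(msg), "links": mismatched_links(html)}


if __name__ == "__main__":
    for section, items in analyze(SAMPLE_EML).items():
        print(section)
        for item in items:
            print("  ", item)
```

Neither check proves a message is malicious on its own; a compromised vendor account, as in this campaign, passes SPF and sends from its real domain, which is exactly why the display-name and link-text comparisons are worth running in addition to authentication results.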

Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.

Users should not be frightened or intimidated by messages that have an alarmist tone. They should double-check with the company if they are uncertain about the status of their accounts.

Phishing emails are designed to be sent to a large number of people, so they are written to be as impersonal as possible. Users should check whether the message has a generic subject and greeting, as this can be a sign of a phishing attempt.

Although not every end user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages. One example is setting the email client to block all images unless approved.

Legitimate companies will never send confirmation emails unless there are specific reasons for doing so. In fact, most companies will avoid sending unsolicited messages unless it’s for company updates, newsletters, or advertising purposes.

Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.

It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt.

If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.

Link(s):

https://www.infosecurity-magazine.com/news/microsoft-visio-files-phishing/

https://perception-point.io/blog/phishing-by-design-two-step-attacks-using-microsoft-visio-files/