
Leveling up their credential phishing tactics.
[ Music ]
Max Gannon: Not using any sort of really advanced techniques. They're using pretty simple stuff, but they're using it in a different way. And by using it this way, they show that they have an understanding of how SOCs work, which is something that a lot of directors don't. [ Music ]
Dave Bittner: That's Max Gannon, Intelligence Manager with Cofense Intelligence. The research we're discussing today is titled "The Rise of Precision-Validated Credential Theft: A New Challenge for Defenders." [ Music ]
Max Gannon: My team has what we call qualitative groups. And when we find some kind of interesting behavior, we tag it with the group. And a lot of times, we'll only see it once or twice, so it's not really worth writing about it just yet. But when we've seen enough of this qualitative group, especially if it suddenly starts to become more common, then we'll really do an in-depth dive on it and start writing about it. So this was originally something we saw in very small numbers. It was enough to be mildly frustrating but not a real problem. And then, especially within the last month, we've seen it drastically increase to the point where, if it's annoying for us, it's got to be a big problem for SOCs.
Dave Bittner: Right. Well, can you explain what precision-validated phishing is and how it differs from traditional phishing attacks?
Max Gannon: So, the first step is, you know, someone gets an email, a credential phishing email. And typically, it's Microsoft spoofing, but we've seen other brands as well. And then usually this email gets reported and the SOC gets the URL. And the SOC tries to visit the URL. And the credential phishing page sends out a prompt, and it says, hey, I need you to confirm your identity and put in the email address that this link was sent to. And so that's context that the SOC needs to have. If they somehow get that information and are allowed to use it, then they enter it and they move on to the next step. Sometimes this is the actual Microsoft-branded credential phish, which has all the little bells and whistles that you would expect. And sometimes there is an additional step where once you've verified the email address, then they send an email to the email account and then you have to use a code or a link from that email to progress on to the next step of the credential phish. And this final step is hosted typically on a different site. And that final step usually stays up for significantly longer than the intermediary, the first step.
Dave Bittner: How do you rate the sophistication of these threat actors?
Max Gannon: That's a bit difficult because, as I said earlier, they're not using any sort of really advanced techniques. They're using pretty simple stuff, but they're using it in a different way. And by using it this way, they show that they have an understanding of how SOCs work, which is something that a lot of threat actors don't. But by making this validation only work this certain way, they're taking advantage of a flaw in cybersecurity procedures, really. So for that, I'd rate them, you know, pretty highly for having additional information about how we work because that's unusual. For sophistication, actual sophistication, I'd rate it like probably middle because once you get your hands on the code, it's really easy to figure out. They don't do much in the way of obfuscation.
Dave Bittner: Well, can you share an example of how this has been used in an actual phishing campaign?
Max Gannon: Yeah, certainly. So we got in a pretty standard-looking Microsoft Office credential phishing campaign, and we went ahead and visited it and immediately came up with the notification that we needed an email address. So this -- I split things a little bit because while we do have access to email addresses, a lot of customers don't like it when you use an email address. There's a lot of issues with that, especially for outsourced SOCs. So we were able to get the information we needed and then find the list of targeted email addresses and use an email address from that targeted list and progress through the phish and get what we needed.
Dave Bittner: Can we go through some of the mechanics here? I mean, how does the real-time email validation process work within these phishing attacks?
Max Gannon: Yeah, so the first step is really basic. It just compares the email address you enter to a list of email addresses that the threat actor has of people who've been targeted by the phishing campaign. So that step, if you can find the list, which is usually obfuscated, but if you can find it, then you can bypass it. The next step is actually sending the email address, sending an email to the email account. Sometimes this involves clicking a link. Sometimes this involves just copying and pasting a code.
Dave Bittner: And what kinds of technologies or methods are they using to validate the email addresses in real time?
Max Gannon: So most of this takes place using pretty basic JavaScript that's just built into the credential phishing page. None of the actual techniques used are particularly advanced. They're just combining known capabilities into a new method of doing things that makes life very difficult. [ Music ]
Dave Bittner: We'll be right back. [ Music ] So what makes precision-validated phishing particularly challenging for security teams to detect and analyze?
Max Gannon: So it's especially difficult for external SOCs. But even for a company who has an internal SOC, it's difficult because first you need the email address. And as I said, you know, typically SOCs are not provided with this email address. So even if you somehow manage to get the email address, then you have to also get the company's permission to use the email address. And getting permission is sometimes just not possible. So SOCs are pretty much blocked off by company policy at this point. And even if they somehow get approval to use an email address, then if one of the next steps involves sending a confirmation email, they have to get access to somebody's inbox. And that is -- I've personally only heard of two situations in which that has happened. It's extremely rare. People are just not comfortable doing that with good reason. So SOCs are able to get maybe half of the IOCs they could gather otherwise. And because of this gating, oftentimes once the first couple steps go through, they're redirected to a final credential phishing page. And this final one has the IOCs that the SOCs need because the intermediary pages can be reported and taken down. But if the final one stays the same, the threat actors just send out a new campaign with new intermediaries. So the SOCs are just stuck going for the first URL because that's all they have.
Dave Bittner: Oh, that's interesting. So given all that, what are your recommendations then? I mean, how should organizations best defend themselves?
Max Gannon: So luckily, there are very few situations in which an email is sent to the email account. So for most SOCs, the first obstacles they need to overcome are finding the email address of the recipient and being allowed to use that email address on the credential phishing page. So for this to happen, what they need is open communication. They need to have a contact at the company who they can talk to. They can explain the situation. They can say, okay, so we've got this, you know, potentially very advanced phish that is very much targeting specific people. Can you give us approval so we can do this investigation so we can get this additional information and help protect you better? And if there's that open line of communication, then they're going to have a lot more success than somebody who is really just -- they don't really have a good contact point.
Dave Bittner: Are there particular industries that you're seeing targeted here?
Max Gannon: I think the one we have seen it with most is the oil and natural gas sector. They're the ones we've seen the most of this with, unfortunately. But it's becoming all around more common.
Dave Bittner: And what is the ultimate goal here? I mean, is -- are these financially motivated attacks? Are they going after -- is it a corporate espionage situation? What are you all seeing?
Max Gannon: So I think at a very base level, what threat actors are trying to do is improve their return on investment. So credential phishing happens all the time. And typically, once they send out -- threat actors will send out these mass email campaigns trying to get as many credentials as they can. But the credentials are typically unverified. So when they sell them in bulk on the dark web, they don't actually get very much money for them. They just really don't get much money because they're not validated. They don't have any sort of confirmation that these are active accounts, that these credentials can be used and that sort of thing. But with precision validation, you can -- the threat actors can not only sell it for more because it's validated, but they can also sell it in groups. They can say this specific list of people with this title at this company, here are their credentials. And they can sell it for a lot more than just a big collection of 1,000 email address passwords. So even if they're not doing an additional, more targeted approach, simply from return on investment, by using this technique, they're making a lot more money.
Dave Bittner: Is there a user awareness component here? I mean, is -- can we educate our users to do a better job defending against -- I guess -- are there any specific tells that you all have observed?
Max Gannon: Yeah. So one of the biggest things is the prompt for email addresses. Even sometimes when you put in the correct email address, it'll prompt you again for an email address just to make sure. So what this really -- to me, it's kind of a surprise, or it should be a surprise because when you visit these webpages, if you're using a password manager, all your credentials are already saved. So if you're visiting a website and you think it's Microsoft and you go to the Microsoft website and your password manager isn't giving you credentials, then there's probably something wrong. So looking for -- I mean, obviously look at the URL, but looking for obvious signs like, you know, it's not giving me the autofill information here when it always does on the Microsoft accounts, you know, stuff like that can really help you spot these things.
Dave Bittner: What are some of the key takeaways you hope that readers get if they check out this research?
Max Gannon: So the biggest thing I think that I'd like people to get from this is that every company that has a SOC, whether they're internal or external, needs to have clear communications with them because this is a very obvious situation in which communication is important. And communicating can potentially help save people from getting compromised if they say, okay, we know who else is on the list. We can inform them. But if you don't have that communication, then not only are they more susceptible to attacks like this, but there are so many things that can go wrong if a SOC doesn't have someone who they can say, hey, we've noticed this trend. And you do something about it with your users because -- so, for example, with PhishMe, we have specific SIMs and we say, the intelligence teams, is we've seen this. And the SIMs are built based on that, and people can select their SIMs. So if there's communications between the SOC and other departments, the SOC can say, hey, we're seeing this, and other departments who are responsible for training can say, okay, we're going to use SIMs along with that, those things that you've identified [inaudible 00:13:45]. [ Music ]
Dave Bittner: Our thanks to Max Gannon from Cofense Intelligence for joining us. The research is titled "The Rise of Precision-Validated Credential Theft: A New Challenge for Defenders." We'll have a link in the show notes. And that's "Research Saturday," brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tre Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]
