
Unveiling Modern Phishing: Precision Tactics, Deletion Scams, and Advanced Threats
Precision Phishing, Deletion Lures, and What Else We’re Seeing
By: Cyberanansi
#CybersecurityInsights
Okay, so you want to hear more about what keeps us busy in the SOC? Yeah, things are definitely not getting simpler out here. We talked a bit about some of the newer phishing tricks, and those are still very much on our radar. It’s a constant game of catch-up, honestly.
Overview
Let’s revisit that precision-validating phishing technique. We’re seeing this more and more, and it’s definitely a step up for the bad guys compared to the old massive spam campaigns. Instead of just spraying emails everywhere and hoping someone clicks and gives up their password, they’ve gotten smart. They’re doing their homework first, only focusing on a specific list of valid email accounts they’ve already got.
Precision Phishing
The way it works, from what we can tell and what researchers like Cofense are calling out, is pretty clever. A user gets an email, clicks a link to a fake login page, and types in their email address. But before the page even asks for the password, it runs a real-time check against the attacker’s list: JavaScript embedded in the page calls an attacker-side API to validate the address. If the email isn’t on their pre-harvested list, the page might just error out or even harmlessly redirect the user somewhere else, like Wikipedia. This helps them avoid being easily spotted by security tools or sandbox environments that can’t get past that first check. The real goal is to make sure that if they do get a password, it belongs to a real, active account, improving the quality of their stolen data. It makes their campaigns more efficient and helps them fly under the radar longer.
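One way to hunt for that validate-then-bounce behaviour from the SOC side, as an added example that is not part of the original post: a client that POSTs to a domain not on our allow-list and lands on a well-known decoy site seconds later gets queued for analyst review. The log layout, the decoy list and the 10-second window are assumptions for the constructed sample, not any particular proxy’s format.

```python
# Added example (not from the original post): hunting heuristic for the
# "check the email, then redirect the unwanted visitor" pattern, run over
# constructed proxy log lines. Field layout and thresholds are assumptions.
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <client_ip> <method> <host> <status>"
SAMPLE_LOG = """\
2024-05-02T09:14:02 10.1.4.22 GET  login-verify-docs.example 200
2024-05-02T09:14:09 10.1.4.22 POST login-verify-docs.example 302
2024-05-02T09:14:10 10.1.4.22 GET  en.wikipedia.org 200
2024-05-02T09:20:11 10.1.4.35 GET  intranet.corp.example 200
2024-05-02T09:20:15 10.1.4.35 POST intranet.corp.example 200
2024-05-02T09:30:40 10.1.4.41 GET  en.wikipedia.org 200
"""

KNOWN_GOOD_HOSTS = {"intranet.corp.example"}        # assumed allow-list
DECOY_HOSTS = {"en.wikipedia.org", "www.wikipedia.org"}
WINDOW = timedelta(seconds=10)

def parse(log):
    """Turn the sample text into (time, ip, method, host, status) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, method, host, status = line.split()
        events.append((datetime.fromisoformat(ts), ip, method, host, int(status)))
    return events

def find_validate_then_redirect(log, known_good=KNOWN_GOOD_HOSTS):
    """Return (client_ip, suspect_host) pairs: a POST to an unknown host
    followed within WINDOW by a fetch of a decoy site from the same client."""
    hits = []
    by_client = {}
    for ev in parse(log):
        by_client.setdefault(ev[1], []).append(ev)
    for ip, events in by_client.items():
        events.sort()
        for i, (ts, _, method, host, _status) in enumerate(events):
            if method != "POST" or host in known_good or host in DECOY_HOSTS:
                continue
            # Look ahead for a decoy-site request shortly after the POST.
            for ts2, _, _, host2, _ in events[i + 1:]:
                if ts2 - ts > WINDOW:
                    break
                if host2 in DECOY_HOSTS:
                    hits.append((ip, host))
                    break
    return hits

if __name__ == "__main__":
    for ip, host in find_validate_then_redirect(SAMPLE_LOG):
        print(f"review: {ip} posted to {host} then landed on a decoy site")
```

A hit is a lead, not a verdict: the page itself still has to be pulled and inspected, and a genuine login page that redirects to a help article would trip the same rule.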
Deletion Lures
Another one that keeps popping up uses a sense of urgency, like those file deletion reminders. You get an email saying a file, often pretending to be a PDF, is about to be deleted from a service like files.fm. Naturally, people freak out about losing a document, so they click the link.
Now, here’s the nasty part, and Cofense researchers described this well as basically forcing the user to choose their “poison”. The link does take you to a files.fm page that looks legitimate, where the supposed PDF is. But when you go to open it, you’re presented with two bad options: preview or download.
- If you choose preview, you’re immediately sent to a completely fake Microsoft login page designed just to steal your credentials.
- If you choose download, you get an executable file instead of a PDF. It pretends to be something like Microsoft OneDrive but it’s actually ScreenConnect remote desktop software. So, either way, they’re getting what they want: credentials or remote access, just through different routes. Same goals, different paths to mess you up.
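The download branch of that lure is something a download-inspection step can catch on its own, because the file’s bytes disagree with its name. The following is an added example, not code from the original post; the sample bytes are constructed, and the extension lists are assumptions.

```python
# Added example (not from the original post): compare a download's claimed
# identity (file name, Content-Type) with its magic bytes. PE executables
# start with "MZ", PDFs with "%PDF-". Sample inputs below are constructed.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "pe",            # Windows executable or DLL
    b"PK\x03\x04": "zip",   # also MSIX / OOXML containers
}
PDF_TYPES = {"application/pdf"}
EXEC_EXT = {"exe", "msi", "scr"}          # assumed list
DOC_EXT = {"pdf", "doc", "docx", "xlsx"}  # assumed list

def sniff(data: bytes) -> str:
    """Classify content by magic bytes, ignoring what the file is called."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def assess_download(filename: str, content_type: str, data: bytes) -> str:
    """Return 'ok', 'masquerade' or 'double-extension' for a fetched file."""
    kind = sniff(data)
    name = filename.lower()
    parts = name.split(".")
    # report.pdf.exe: looks like a document until the last extension is read
    if len(parts) > 2 and parts[-1] in EXEC_EXT and parts[-2] in DOC_EXT:
        return "double-extension"
    claims_pdf = name.endswith(".pdf") or content_type in PDF_TYPES
    if claims_pdf and kind != "pdf":
        return "masquerade"          # told it was a PDF, bytes say otherwise
    return "ok"

# Constructed samples: a real PDF header and the start of a PE header
REAL_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj"
FAKE_PDF = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"

if __name__ == "__main__":
    print(assess_download("invoice.pdf", "application/pdf", REAL_PDF))
    print(assess_download("invoice.pdf", "application/pdf", FAKE_PDF))
    print(assess_download("report.pdf.exe", "application/octet-stream", FAKE_PDF))
```

A correctly named executable passes this check; whether it is the OneDrive installer it claims to be or a ScreenConnect client has to come from its code-signing publisher, which this example does not inspect.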
Beyond Phishing: Multi-Stage Attacks
Beyond just phishing emails, we’re seeing much more complex, multi-stage attacks. These aren’t just simple clicks; they chain together several techniques. One example the sources mentioned starts with vishing (that’s voice phishing, where they call you) and then moves on to abusing legitimate system tools and remote access software.
In that specific attack, they delivered a malicious payload via a Microsoft Teams message. Then, they used Microsoft Quick Assist for remote access to the environment. They even deployed signed binaries like TeamViewer, used malicious DLLs, and set up a JavaScript-based command-and-control backdoor. It’s living-off-the-land combined with social engineering and using tools that might not immediately look suspicious.
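The part of that chain an endpoint rule can catch is the “signed binary plus malicious DLL” step, especially when Quick Assist ran on the same host shortly before. The following correlation is an added example, not something from the original post or any vendor: the event layout, process names and window are assumptions for the constructed sample, so map them onto your own EDR telemetry.

```python
# Added example (not from the original post): correlate a Quick Assist
# session with a remote-access binary loading a DLL from a user-writable
# directory on the same host. Event fields and names are assumptions.
from datetime import datetime, timedelta

REMOTE_TOOLS = {"teamviewer.exe"}                 # assumed signed-tool names
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
WINDOW = timedelta(minutes=30)

# Constructed sample events: (timestamp, host, type, process, path)
EVENTS = [
    ("2024-05-02T10:02:00", "WS-0412", "process_start", "quickassist.exe", ""),
    ("2024-05-02T10:09:30", "WS-0412", "process_start", "teamviewer.exe",
     "C:\\Users\\jdoe\\AppData\\Local\\Temp\\TeamViewer.exe"),
    ("2024-05-02T10:09:31", "WS-0412", "image_load", "teamviewer.exe",
     "C:\\Users\\jdoe\\AppData\\Local\\Temp\\tv.dll"),
    ("2024-05-02T11:15:00", "WS-0777", "process_start", "teamviewer.exe",
     "C:\\Program Files\\TeamViewer\\TeamViewer.exe"),
    ("2024-05-02T11:15:01", "WS-0777", "image_load", "teamviewer.exe",
     "C:\\Program Files\\TeamViewer\\tv.dll"),
    ("2024-05-02T12:40:05", "WS-0901", "image_load", "teamviewer.exe",
     "C:\\Users\\asmith\\Downloads\\tv.dll"),
]

def _is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(seg in p for seg in USER_WRITABLE)

def correlate(events):
    """Return (host, severity, dll_path) for remote tools loading a DLL from a
    user-writable path; 'high' when Quick Assist ran on that host within WINDOW."""
    flagged = []
    last_qa = {}                      # host -> time of last Quick Assist start
    for ts, host, etype, proc, path in sorted(events):
        t = datetime.fromisoformat(ts)
        if etype == "process_start" and proc == "quickassist.exe":
            last_qa[host] = t
        elif (etype == "image_load" and proc in REMOTE_TOOLS
              and path.lower().endswith(".dll") and _is_user_writable(path)):
            recent_qa = host in last_qa and t - last_qa[host] <= WINDOW
            flagged.append((host, "high" if recent_qa else "medium", path))
    return flagged

if __name__ == "__main__":
    for host, severity, dll in correlate(EVENTS):
        print(f"{severity}: {host} remote tool loaded {dll}")
```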
Remediation and Recommendations for Cybersecurity Teams
Identifying and Containing Risks
- Implement multi-layered security to detect and block threats at various stages.
- Conduct regular audits and penetration tests to identify vulnerabilities early.
- Utilize machine learning tools for behavior anomaly detection.
Preventive Tools and Policies
- Deploy advanced email filtering to prevent spear-phishing attempts.
- Set up DMARC and SPF protocols to avoid email spoofing.
- Use endpoint detection and response (EDR) solutions for threat hunting.
Employee Training and Incident Response
- Regularly train employees on identifying phishing emails and suspicious activities.
- Strengthen incident response plans focusing on rapid detection and containment strategies.
- Encourage a culture of skepticism towards unsolicited communications and requests.
All of this just reinforces how crucial it is for everyone to be incredibly skeptical. Any email asking for credentials, any unexpected file, any urgent request – you just have to pause and think. These attackers are getting really good at making things look legitimate and finding new ways to bypass defenses and target users directly. It definitely keeps us on our toes here in the SOC!