
Oh My Phish!

BSides London · 45:18 · 806 views · Published 2024-02

Transcript [en]

Welcome, everyone. Thank you for being here; it means a lot to us. I know everyone's thinking about sandwiches, the BSides sandwich, so I'll try to make this really quick. We'll make sure we finish on time and then you guys can enjoy the sandwich.

We wanted to start the talk with some disclaimers. First and foremost, I want to make sure everything we present here is not just our work but our team's work, so I just want to give a big shout-out to Jack, who's here in the front, and Wes and Arn, who are not here today. Thank you for your help with everything we discuss today. We are no experts; we are just here to share our experiences with you guys, so if we say anything wrong, if there's any feedback or correction, and if you want to have a discussion with us, please do feel free to talk to us after the presentation. And last, and the most important one: whenever I say "we" in this talk I mean my old team. I'm not with these guys anymore, but I'm still quite habituated to saying "we", so when I say "we" I mean these guys.

All right, let's start with an introduction. Cool. Hello everyone, my name is actually Tham Singh. I am a red team consultant at Rilan; we are basically a global cyber security company. I'm currently mainly just

and lately my focus really has been on less common environments such as Mac uh which is a fun thing so why this stock to start with right um and the reason being of this stock is we have done a decent amount of fishing last year and one of the things that we have realized is the landscape has changed quite a lot as compared to when we used to do fishing a couple years ago you know it's getting constantly a bit harder uh to make sure that emails are getting delivered in the inboxes uh you know making sure they look realistic making sure there is engagement with the crowd and while doing all of these we also want to make

sure we bypass the security controls deployed by the clients um because no one really likes to use you know shortcuts and legs up right we all want to be that person or the team that gets the fishing gets initial axis without any help right um and then in this talk what we wanted to dive into is some of the challenges that we have faced while trying to achieve this and how did we go about fixing them so the talk has been divided into five stages um this is not a talk about how to do fishing so we won't have a chance to go through each one of them in deep but we will skim through the first

three phases but really fun part is the last two where we technically Deep dive into some of the challenges and how did we get around them so let's get started phase one reconnaissance I'm sure pretty much everyone here has heard reconnaissance is the most important part of any engagement um so we start with creating a profile of the client that we want to Target right now we uh we categorize this information into three categories of course there can be more there can be less but we usually sort of group them into three section the first one is organiz organizational information so collect as much information as you can about your client by that I don't only mean the structural

information, but you also have to go a bit further and get information about what the internal communication looks like, what the documents look like, what colour they seem to use in their emails, what the font is. All of that really helps when you're trying to build a realistic campaign. Also try to collect information that may help you design your campaign: are there any upcoming events at the organization, have there been any big changes in the company, have they acquired a sub-company that you can use in your storyline, have there been any major policy changes that may be helpful for designing the campaign?

Once you have done that, we try to collect personal information, so this is essentially the people we want to send the phishing to; get the list of targets. Now, this is quite important, especially getting the job title, name and email. Email for obvious reasons; job title because you want to make sure you don't end up sending the phishing campaign to someone who is in the security team, right? So you need to make sure you profile your targets.

And lastly, the technical information. This is where the fun really begins. This is when you start enumerating their environment: the root domain, subdomains, IPs they own, their mail infrastructure, lists of email addresses, what sort of internal tools or technology they use. Do they use Teams, do they use Slack? You may be able to use them to your advantage when you're trying to design the campaign as well. This is also the phase where you can start being a bit more technical: you can start looking at some misconfigurations that you can use to your advantage. So if they use Teams, do they allow external messaging? If they use self-hosted email, does it allow email relaying? Are there broken SPF records that can allow you impersonation? So start collecting all of this information. Really, the target or the outcome of this

phase is to have a full picture of who you're going to go after, the people that you're going to target and the technology that you have to bypass as you do that.

Once that is finished, we get into the planning phase. This is when the shift happens from collecting information to actually actively taking part in the engagement. The first thing when you start planning is you need to decide what you want to get out of this engagement, right? And we usually, again, categorize into three; there could be more, there could be less. The first one is: do you want it to be a reconnaissance campaign? That's usually a generic campaign that you're using to collect more information. Second is credential capture; as the name suggests, this is where the aim is to get some credentials from the client or the victims. And the third one is malware deployment, so the aim is to get initial access within the client.

A thing to note here is that lately we found vishing to be a little bit more successful with our malware, rather than sending just an email asking them to do an action. So we try to get them on a call; a calendar invite seems to be a little bit more trustworthy than an email to do certain things. So try to get them on a call and then ask them to do the actions that you need them to; it just looks a bit less suspicious.

Another thing that has been really helpful for us is linking all of these campaigns together. What we have done in the past is, if we manage to capture some credentials as part of credential capture, we try to use that for our malware deployment, so we make them part of our next phishing story. You can use something along the lines of "we saw your password has been leaked on an online platform", add the redacted password in the email, and it allows you to build that trust with the victim: how can someone know my password? This has to be

legitimate, it's my company password, coming from an IT team. So you can link those campaigns together as well.

And lastly, when you try to decide the pretext, there are hundreds of different pretexts that you can go with. We usually categorize them, again, into three; I know there's a lot of threes today. The subdomain pretext: we look at all the subdomains they own and we see if we can use that to our leverage. The reason being, it's quite easy to buy a domain that looks like a subdomain, so if the client has it.clientname, you can usually go for it-clientname and there's a quite decent chance that they're available. Similarly, the same with third-party domains; again, quite easy to buy domains that look realistic. And then internal-policy-based ones are always nice to have.

Now, every pretext we come up with, we try to have five elements in it, and we quite regularly sit and make sure that it hits all these five points. The first one, and the foremost important, is it needs to build trust with the victim or the target you're going after. So there has to be an element of making it look familiar: make sure the internal department name that you're using is the same as what the company uses, because if they call the team IT Security and you say SOC, it might not make sense to them, right? So you have to create that trust.

There has to be relevance. Of course, if you send something that makes no sense to them, why is someone going to read through and perform your action? But relevance can also be in technology as well, so if they use, let's say, Microsoft Forms, try using that same thing in the storyline instead of using something like SurveyMonkey; it may just look a bit unusual to them and make them feel that it's not a realistic thing.

There has to be a sense of urgency, so you need to make sure there's a time limit to it. What we do tend to avoid is to make a sense of

urgency of "do this now", because that kind of gives away that this is a phishing campaign. So give them a timeline, don't leave it open-ended, but don't make it "do it now".

Trigger an emotion. Of course, as much as I don't like to say it, there has to be either fear, curiosity or excitement, because that will force them to act upon what you're asking them to do. If there are no emotions, they might just ignore it completely.

And then lastly, keep it simple. I'm sure everyone here and everyone out there gets 30 or 40 emails a day; if your email is too long they're probably going to ignore it, so make it short, make it sweet, to the point, and just keep it professional.

Let's look at an example scenario that has been quite successful for us in the last year. The pretext here is an employee well-being survey. It is sent by helpdesk at hr-clientname.com, so this is where we're trying to impersonate one of the subdomains that we found they use for their internal communication, which was essentially hr.clientname.com. The email pretext includes that 20 users will get a 20 pound Amazon voucher as well, and we're going to use Microsoft Forms to complete this survey, but of course they need to log into a fake O365 account before they can get to the Microsoft Form. The aim here is to capture some credentials as well. And then lastly, the tech stack that we use for our attack is Y email accounts and EvilGoPhish, which I'll come to in a second.

Now, if I compare this to the five elements that we try to hit: there is a sense of urgency, because you want to get that money if you're really excited; there's a sense of emotion, because it's exciting, you're going to get free money; there's a timeline, you want to do it ASAP if you want to be one of the 20 who

gets the money; it's simple, if you can see the email, it's a four-line email, there's not too much random stuff in it, it's just to the point; and lastly it's trustworthy, because it's coming from a domain that looks similar to theirs and it's using the technology that they're quite used to, which is Microsoft Forms, so we're not using something random, and also we're not asking the victim or the target to perform any suspicious action, we're just asking them to fill out a form, which looks a lot more realistic.

So at this point you have a plan and you've collected your information, so this is where the team gets to work. Unfortunately we don't have the time to go through each one in detail, so I'm really going to skim through this, but happy to talk about it if you want to after the presentation. But before I say anything, I just want to make sure you guys appreciate the meme that Tum spent a considerable amount of time making, rather than the presentation.

So the first step when we try to build the campaign is to buy the domain. There are a few things we keep in mind when we try to buy the domain, to make sure they are secure and have a good reputation. Starting with: all our domains are aged six months or more; we make sure we buy them as soon as possible. We make sure they have domain privacy enabled, so all the WHOIS information is redacted; we stay away from TLDs like .co.uk where you cannot have domain privacy and we steer towards ones where the option is available. We make sure there's all the relevant SSL included with the domain. And lastly, we make sure all our domains are categorized as finance and health as well. So overall we just make sure any domain that we use is at least ticking these four

boxes, if not more, to make sure they have good reputation when we do it.

Then we move into designing the website. Pretty much all the infrastructure that we use throughout the engagement is on cloud infrastructure, for obvious reasons: it's easy to tear things up and down. We also make sure the website that we use and the logo we use look professional, maybe even use the same colour scheme that the client is using to make it look a little bit more relevant as well. And I'm not saying we do that, but ChatGPT, DALL-E, all of these are really good tools to use to make a fake website really quickly.

Once that's done, we go on and set up the mailing infrastructure. Lately what we've been doing is using reputed services instead of self-hosting; it just makes life a little bit easier. So using services like G Suite, O365 or SendGrid. More often than not we just replicate what the client is using, so if the client is on O365 we'll probably just end up going with that. We also ensure that all the DNS records are done properly, so DKIM, SPF, DMARC; all of this allows you to make your email system look a little bit more mature and have a little bit better reputation.

And lastly, we've been onboarding our inboxes to domain warm-up services. This is something that came to us from a discussion with the marketing team. Essentially we were wondering why our marketing emails land but not our phishing emails. Sorry, so that's the image there: the marketing team always gets their email landed but the phishing team doesn't. The idea being, all these services do is you onboard the inbox that you're going to use and they send out X amount of emails every day. These emails are non-malicious and sent to dummy inboxes, but the idea is you're trying to create some age and reputation in the

emailing ecosystem, so that your inbox is not just being used to send an email which may be potentially malicious, but just sends very generic "hi, how are we doing, XYZ" kind of emails to create some reputation in the ecosystem.

Once that's done, we get to the more fun part, which is setting up the attacking infrastructure. The first one that we quite commonly use is GoPhish, which I'm sure quite a few of you have used; it is a mailing infrastructure. And second, Evilginx3, which again I'm sure a lot of people here would have used; it's a reverse proxy that allows you to do man-in-the-middle attacks and capture the user credentials and forward to MFA if needed to retrieve the token as well. But what we have been using lately, instead of GoPhish and Evilginx3, is EvilGoPhish. I won't even say the handle; you can see the handle that I made. All it is is a combination of GoPhish and Evilginx together, so it integrates really well. One thing to note is EvilGoPhish has been archived a while back now; it still works but it is out of date. What we have ended up doing is to update it and make it work internally with Evilginx3 also, so it has all the new features that we want.

And once all of this is done, then you get to the point where you write your email, you make sure the email looks good, and then lastly you do a spam check. There are several websites where you can send your email to a dummy email account and they'll just check the spam score, so they check for some common things: are there words that may be tricky or that may give away that it's a spam email? And you ensure that the email has a decent spam score.

So let's do a quick recap. We did our enumeration, we designed several scenarios based on the enumeration; usually we have three scenarios ready,

more often than not it's three, one in each category, so one for recon, one for creds and one for malware. Of course, it depends on the time and money that you have from the client, but we usually try to hit three. And then finally the team has spent time to make sure the campaign has been built with all the OPSEC that's possible, and then we are ready to launch.

Here now we get into the pre-execution phase. This is what we tend to do before we launch; this is essentially running trial runs internally with your team to make sure your email has everything it needs, or everything is done properly. So what we end up doing is we send the email internally to several team members, usually the team members that have not been part of the building phase, because they haven't looked at it, so they can be a fresh pair of eyes, and we ask them to analyze the email: see if it looks realistic, convincing, are there any grammar or spelling checks, does the end-to-end kill chain work? You're almost trying to replicate how a client would look at the email and make sure everything works.

The second thing we tend to do, specifically for vishing, is doing an internal vishing run. We set up the calendar invite as if we're going to target one of our teammates; we ask him to impersonate as if he is joining from the client side, introduce yourself as if you're the client, and all you're trying to do is create some sort of familiarity for the operator, because it can be quite nerve-racking when you're in a call with your video on trying to lie to someone, even though we are doing it for the good reason, but it doesn't come naturally to most of us at least. So it just makes that a little bit easier; if you've done it once or a couple of times you're a little bit more used to it.

And then when the first and second really go well, then we get into the

final run, which is ensuring emails are landing in the client inbox. So how do we do that? This is where the reconnaissance comes in really handy. There's a unique thing about out-of-office replies, which is you only get an out-of-office reply if your email lands in the inbox. So if I send an email that is landing in spam, you may not get a reply at all, right? This got us thinking that we can potentially use this to confirm if our emails are landing in the inbox or not, by sending the email to someone who we know is on holiday: if it lands in the inbox we'll probably get a reply, if it doesn't then we won't.

Of course, there are several ways to collect these out-of-office inboxes. There's reconnaissance, or you can find this information on LinkedIn when people are on long leave, sabbatical and things like that. You can also use automated mailboxes for the same action, so mailboxes such as HR, support, enquiries; they may quite often have auto-replies that are sent out when you send an email. Or you can also use your reconnaissance campaign for it, so you can design a very generic, non-malicious campaign that you send to a couple of hundred users and you collect all the email addresses that have an out-of-office reply set on them, which can be useful for this phase.

Now, one thing to really note here, which we found by trial and error, is your out-of-office reply is only, and this kind of depends on the configuration, but more often than not it's only sent once every 24 hours to each sender, because imagine you have someone who's part of a CC in an email chain and other people are replying; you may end up getting spammed with a lot of out-of-office replies. So I think it's kind of best practice to make sure it's only sent once at least every few hours. So if you have multiple emails or multiple versions of the email that you want to test,

you need to make sure either you send it to different people or you send it from a different sending account, to make sure you get the new out-of-office reply.

So at this point we've done everything: we've built the campaign, we've done our recon, we've done the planning, we've tested it internally and we're ready to launch. And we launched the campaign and, much to our surprise, nothing really works. So at this point I had to start thinking what we do as a team, and I asked the team to take a step back, and I tried to take a step back myself and think what we can do next. And there's a very simple solution when you're in this position, which is you can walk over to someone like Tum and just say "this is not my problem, can you go fix it?" So this is what I'm going to do here: I'm going to pass it to T to go through the debug steps that he went through.

Cool, thank you, D. So I'll be talking over the debug steps that we've taken to basically ensure that our phishing campaigns actually do land. Let's do a quick recap. We know that our emails are not landing because we're not getting out-of-office mailbox replies, but we did test the mass email campaign, which is a completely non-malicious campaign; all we're doing is just seeing if there are actually people that have out-of-offices, right? So we know that there are people there, but when we do our malicious campaign they don't land. We've done the domain warm-up, we've done the domain categorizing, so we basically have to take a step back and think, okay, what could be the actual issue?

We've done a lot of trials; some of the trials are actually in client environments and some of them are in our lab environments, and we've discovered a very consistent pattern. There are some aggressive Office 365 instances where, if an email that is sent

from an external sender that has a URL or attachment, it just lands in spam. So technically, looking back, there doesn't seem to be a way to actually even get them to send a malicious payload or get them to click a link. Now, we found a very unique approach; not sure if anybody has ever heard of this. We've dubbed it, so if you're ever going to cite us: it's called the Double the Trouble approach. How this works is that you'll actually send a first email which doesn't have any URLs, doesn't have any malicious attachments, and we'll just follow up: we'll send a reply to that first email that we sent, and guess what, that second email that we sent, that has a malicious URL, that has a malicious attachment, gets into the inbox. So this is a hypothesis, it's a theory; we've never really confirmed why this happens, but our assumption is that, because it's all an email chain, the moment the first email has landed there is a trusted chain, so whatever you follow up with seems to be also trusted as well.

So this is an example of the first campaign that Dro created, scenario one, the same upcoming well-being one, where we've actually divided it into two sections. The first section basically just says "look, we want to give you this and stuff, we want to check if you're good", and then the second one is like "this is the URL", and surprisingly it does land very well.

Can I just add, one of the things we also realized is if you have the same email content with a link and the exact same email without a link, the one without the link still landed, and I think this is when we ended up concluding that the link has a lot of impact on your reputation in the email.

Cool. So we are able to retest the campaign with the auto-reply; we do get an auto-reply, it works. Then

we do the Double the Trouble approach, we do get a response, it does look promising. Now, this is the screenshot that we got from a victim, right? So a victim actually did click the URL and they were like "hey, look guys, I think there's something wrong with the link". I'm sure everybody has seen this before; this is basically just SmartScreen doing its job. Microsoft has this thing called Safe Links; it checks if a URL is considered malicious or not, and in the screenshot you can clearly see that Microsoft is saying that this page contains phishing threats. So they are really on it.

Now, this is something that again we've not seen many people talk about, and I think we are also one of the first few people to do it. When you're using EvilGoPhish, and just in general Evilginx, if people have used it, you actually set subdomains. These subdomains are basically going to correlate to, for example, login.microsoftonline.com; you can change the root domain to whatever you want, so if I want to make my root domain the client name, it'll be login.clientname.com. That's just how it works. Now, the cool thing is that with Microsoft Safe Links, what we found is that our domains are technically pre-registered domains that are not owned by Microsoft, they're owned by us, and we thought Microsoft is actually pretty good at spotting non-Microsoft domains hosting Microsoft login pages. Go figure. So we said, why not use a CDN?

Now I'm going to go into this; bear with me, it's going to be a bit complicated. If you have any questions please feel free to reach out to me. We create three different subdomains, three different CDNs, sorry, so they're going to contain companyname-login, companyname-www, companyname-account, which was the one that I mentioned previously. Those will be the ones that are in your Evilginx configuration. The important bit here is that we're setting the origin to your

public VM IP address, the one that you're running EvilGoPhish on, for example, and you're setting the host header of the CDN to basically be itself. I'll explain why. All this means is that if you created a CDN called abc.azureedge.net, your host is going to be abc.azureedge.net. Now, another important thing is your default CDNs in Azure have compression and have caching, and I don't need to explain why; that's how a CDN works, that's what you're using a CDN for. But we are not really using a CDN in the traditional sense; we're kind of using a CDN as a redirector. We don't want our traffic to ever be cached, we don't want our traffic to ever be compressed, because you might lose sensitive information and stuff.

Next. So again, if you remember, we spoke about the three different subdomains that we created. If you actually see, I'm going to try to zoom in here, bear with me, those are the subdomains that we've created here, the three ones. This is basically a phish, an Evilginx phish; not going to go over too much. And this is how we're actually configuring our Evilginx server: we're actually configuring the domain to azureedge.net. We don't own this root domain; this root domain is owned by Microsoft. But a fun fact is that, you know how when you create a public VM in your environment you can actually set a DNS label? Guess what, you can actually request a certificate for that. So you can actually request a certificate for a domain that belongs to Microsoft. Imagine how insane that sounds, right? You don't need to go and get a random certificate for a random domain.

So this is what we've done. This is very similar; I'm sure people who have used Evilginx know what this looks like: you're getting a URL. This is how it's going to look, and this is basically the login

page. Now again, sorry, again, if you see, the URL is actually the CDN itself, right? The subdomain that we have. So imagine a client, a victim, looking at this page; you're going to be like "oh, it's a Microsoft page, nothing wrong". Again, the insane part: look at the certificate, see who owns it. It's Microsoft. It's pretty much very, very hard to actually figure it out.

Now the next one; I'm not going to go into this, this is just how the process looks: the victim will log in, get the MFA prompt, you'll capture the tokens, you'll capture the username, you'll capture the password. Pretty straightforward.

Now, Safe Links does a very good job at detecting when you're hosting Microsoft pages on non-Microsoft products. There are other URL filtering products, such as Mimecast. This is something that we've actually recently found on an engagement, where Mimecast basically does a very similar thing: they have a feature called URL Protection. Now, it scans the URLs, it detects if they're malicious, and it actually is able to detect if you're running with the CDN, so you're technically stuck again. What if a client uses Mimecast? Fun. This is very fun. We have the web logs, because we're technically running an Evilginx server, right? And at the bottom, if you actually see that screenshot, I'm not sure if it's clear enough, try to zoom in here... my bad, sorry. But the gist of it is it actually makes requests to the page that you're actually redirecting to. So all we've done is we thought, okay, if they're trying to detect an Office page, why don't we make a landing page with Evilginx, because Evilginx3 actually allows you to create landing pages. Funnily enough, we created a landing page that looks like Mimecast's approved page, and guess what, it worked. So yeah, if you ever come across Mimecast, feel free to use this; it pretty much guarantees you access. It's fine, not a problem.

So we are ready again,

we're ready again to relaunch. We know that the previous challenge was that our URLs were the issue; we fixed it with the CDN and stuff and a custom landing page. And we send it out and we wait, and we wait, and we wait, and nothing. Even the client that replied to us previously doesn't want to reply anymore. We're screwed. So we take a step back again, and we think: could it just be that our email doesn't look legitimate? We've gone through a lot of steps to make it look legitimate, but could it just be that we can take it a step further? And we said, let's try.

So we look back at the email chain. Obviously the words are fine; the only thing that is going to be an indicator of compromise is the domain name itself, which in this case is going to be companyname-login, and the random UID; it's not really a UID, it's just going to be alphabet characters that are generated by Evilginx. Now, this is basically how you set up the redirect to whatever Microsoft Form after they have successfully logged in. The second part of the screenshot, the one at the bottom where you actually edit the path: you can actually edit the path to whatever you want, so because we're using Microsoft Forms we just edited the path to "employee-wellbeing". This looks a little bit more legit, doesn't look too generic.

Now this is where we take it a step further. So previously we used a CDN which was companyname-login; why not just create another CDN in front? So we created another CDN called company-health.azureedge.net, and we basically created a redirect rule that is basically a 301 that redirects: if someone requests company-health.azureedge.net/employee-wellbeing they get redirected to our malicious company-login, and basically it just looks like someone is actually trying to access a non-malicious page, they get asked to log in, and then after they log in they get access to the Forms page.

Now this is going to be a quick

demo of how that looks. I'm not sure if the video is going to play well, but I'll try. So yeah, so they basically go to company-health... it's not displaying. Not displaying. Bear with us. It's not... sure. That's why you don't do live demos anyway. I mean, it's not even projecting. Let me just try. Yeah, sure, see, like it's detecting... yeah. Yeah, I mean this is quite unfortunate. Now I'm not sure why it's not presenting. Now if you want, I will upload this slide deck and you can actually see what we do next, but I'll just talk over it and I hope you guys can, you know... ah, thank God. Yeah, let me just try, let's see, let's see if it presents. Yeah, that's fine. I'm not going to play the video; ask me for the video, I'll give you the video. Um, yeah, so... okay, so we've done that, right? We know it works, everything is fine. Now, cool, one way is, with Microsoft Forms, you can actually

send an email directly to a person, right? So there is a functionality, you can see here the second option, there is basically someone's email address that I've blurred out. Once you've created a Microsoft Form you basically want to send them an email, right? And guess how the email looks. It looks like this, right. Now, something to note: it will come from your O365 mail address, so, you know, they will still get it as an external sender. But tell me that doesn't look legit enough, right? What if I told you that you can actually edit the URL in the HTML? So if you actually create a Microsoft Form and you actually capture the request, it's actually making a

request to sendMail, which is the MS Graph endpoint, and all we did was, you know what, we said... the one on the left is basically the original URL, which is the Microsoft Forms one; we changed it to our modified one, which is the company-health one, and we were like, you know what, let's see what happens. Now this is another video, I'm going to try to play it. I'm going to try, let's see what happens. It's playing, cool. Okay, so, you know, the user gets an email, they're going to hover over the... they start. Now look at the URL: we have a malicious URL, that's not a Microsoft Forms URL. You're going to click on it because it looks legit,

yeah. It's going to open up company-health and it's going to redirect to the login page. If you ever use Outlook you know that's how it works; if you open up Teams it asks you to log in again. You're going to log in, this is fine, MFA... I didn't want to show you my password. And give it a sec... redirected to Microsoft Forms. So, next slide. You know, just a quick recap: we've used CDNs, we know how they work, we've created custom landing pages, our email has basically been made to look as if it's a Microsoft native, you know, email. Now we're ready to launch again. Can I just also add, I think

one of the things to also note is sending the email from Microsoft Forms itself and changing the URL also increases the chance of your email landing, because now your email content looks exactly the same as an official Microsoft email and it is coming from an official Microsoft API as well. So the only thing different is the URL, which would be different for every form anyway. So it's almost the most realistic-looking email possible from Microsoft. And this is just how it's going to look on Evilginx: you're going to capture username, password, tokens. Very quick recap, you know, these are the challenges that we faced and these are the solutions: the email is not landing in

the inbox, use dou trouble; URL getting blocked, use a Microsoft domain or create a fake landing page; lack of user engagement, take it to the next level, use a Microsoft product to phish. Now there's one sentence at the bottom, if you actually see, I've said that there are other Microsoft products that can be abused, such as Microsoft Teams. Now this is going to be... we don't have time unfortunately to present this. Come and speak to me and I promise you this is an insane way of doing it. All I can say is that it's a very similar method to how we were using the Forms and we're editing the URL. Microsoft Teams meeting URLs can be edited as well. Imagine how

insane that would be. That's what we've done. Come and see me, I'll show you a demo of it. But yeah, that's basically it. We'll probably skip that in the interest of time, but at the end of the day, gather these stats, send it to your client, make sure they're happy, or unhappy I guess, with your effort, and then see how it goes. I don't know how much time we have left. Do we have time for questions? Yeah, we do have time for questions. Again, apologies on the slides breaking down in the middle, I

apologize. Hi, so people are increasingly using conditional access policies to stop Evilginx. Have you had much luck getting past those, device codes or anything else? So that was something that we didn't touch on. Again, there are ways to obviously block it, right? Even if you use a CDN, if you have a proper conditional access policy in place you're screwed, or if someone uses FIDO2 keys. Let me know if a company uses FIDO2 keys, we'd like to test it out, we've never had a chance to. But yeah, if they use conditional access policies we usually go a step further and just do, you know, malware campaigns instead of actually catching credentials. It's just

that that's one of the reasons we create multiple different campaigns, and we decide, you know, on the day what happens; we'll go with the flow. I think once you've got your initial access as well, then you can proxy from the infected machine and bypass the conditional access for all the other credentials that you

capture. A similar question: what do you think the future of phishing is going to be with a lot of the passwordless stuff you're seeing coming from Apple and Android? It comes from Okta as well, 1Password, they've all got passwordless initiatives. So that's a very good question. We've not had environments where there's some sort of a zero trust policy that clients will eventually move on to. I don't see that happening in the next one year, two years, and when that happens I'll have time to sit down, I'll figure out something like this, and I'll come here again and I'll present it to you.

Hi, thank you so much for the presentation, I appreciate it. Just more on the non-technical side of the question. You know, some of the stuff that we have been doing, one of the scenarios that we ran into was, normally the C-level executives are always the targets, right, for the bad actors. The challenge that we had was, like, you know, the CIO was not informed about this phishing campaign, and sometimes, you know, these HR leaders and, you know, financial leaders all complain back to IT security saying, hey, who authorized, who approved this? Like, how do you guys, you know, handle those kind of... because we want to

keep it secret, we don't want to publish, you know, announce it to everyone. Like, if you could help us with your experience. Yeah, sure. So I see that quite often in my new role now, because I'm an internal sort of head of the team, so we do campaigns. I think the best thing is to have the approval from the person in charge. If anyone comes to me and we weren't informed, I just say it was approved by X, Y and Z. So if you have anything, it may be the CISO, it may be the COO, but you need to have some level of exec approval, and that's how I get around it. Just a side note, if

you actually notice the campaign that we used, I'm sure some of you in the audience might feel that it's a bit unfair; it's a mental health well-being form that we're sending out. We've had clients actually say to us that this does not seem ethical. Now our counter-argument is attackers don't care about your feelings, they just want you to... if you really want to test your boundaries you've got to push limits, and that's basically what we try our best to do. And before we do launch we do make sure the client point of contact is happy with it, so we won't launch any email without the client seeing it, so we make sure they are at least happy from that

point. So what's the recommendation that you give to a client if you manage to land an email in with just a ton of Microsoft products? Is it like, you know, tough, just wait for Microsoft to patch it and detect stuff afterwards, or is it something they can actually do themselves? Yeah, I'm glad you asked this, because I did practise the answer to that question. I think the recommendation really is a defence in depth posture. So while it may look quite easy, there's a lot of things that went wrong and we had to debug and relaunch, there's a lot of setup that we have done, and all you're trying to do is force an attacker

to make one mistake. So, you know, the best recommendation I can say is defence in depth. Your user awareness has to be decent as well, and then lastly, conditional access policy has proven relatively hard to bypass at the moment. You can if you manage to get initial access, but that just makes life a little bit harder as well. So a combination of those three. Yeah, I think a lot of it relates to how much time we have, right? If you give me a month I will pwn you, right? But traditionally email campaigns, phishing campaigns, last us 12 days, that's usually about it. Give me more time, I will find a way in. I'm not

saying that just for the record, it's his confidence. Security... Hi, thanks, great presentation. Just picking up on the Microsoft delivery mechanism, is that similar to the one you mentioned around the Teams one that was presented here last year? I haven't seen it, so what are you talking about, the Teams meeting URL modification? Sorry, so the question is if the Teams one that we were talking about is the same as the one that was presented here last year. Apologies, I haven't seen it, so I don't really know that. Yeah, yeah, that's going to say okay. No problem, but did they use that with phishing or was that used in like some other form? Because I know there was one

that Microsoft claimed that they had patched, which is where you could actually... yeah, where they actually... but the difference was that was being used as a... because you could actually get NTLM hashes, you could get NTLM authentication with that. So we've not used something... we've used something very similar to that, but we used it more in a phishing context. Yeah, okay, no, it's good, thanks.

Cool, thank you guys, awesome stuff. You did so much manual debugging, I'd say, of your own; were there resources you utilized that had some good documentation steps, and do you yourselves go on to publish the findings you have? So the funny thing is, when I started creating the slides I actually made it very, very technical. I've got a slight step-by-step guide of how to even do the creation of your mail service and everything. Now unfortunately the talk was 45 minutes; we did a dry run of that and it was about one and a half hours to two hours. Now I'm not too sure what the way forward would be. We do not have an

official website, we do not have an official blog, nothing. That's something we might consider, and if we do, I'm sure, you know, reach out to us on LinkedIn, check my LinkedIn, you'll probably find it. But yeah, there is a step-by-step guide that I've created as well. If there's another talk in the future and, you know, touch wood, I get to speak again, I'll try my best and go over all the really nitty-gritty stuff. And I guess resources from my side is really just hiring people like Jack and Tham to fix it for you, makes life a lot easier, you know. Not that... try to... don't try to poach them, make it clear.

Yeah, thank you for that. You've spoken a lot about EvilGoPhish, Evilginx, etc. Do you have any information on detecting that activity? No, I think again it really goes back to the defence in depth posture that we spoke about earlier today. I think there's a lot of setup that goes into making sure it successfully lands, and there's a lot of space for an attacker to make mistakes as well. So I think you want to make sure, you know, I think if you do everything correctly you're basically pushing an attacker to do something wrong, because they are going to get desperate, they don't have the, you know, the patience to keep going

at it, so you're just forcing them to make one mistake. And realistically, with the user awareness, if the lady who sent us the screenshot, if she had sent it to the internal IT, we would have been burned there and then. As well now, there was actually a campaign that we worked on very recently where they used the MFA provider Duo, so they were not using Microsoft's native product. I'm not sure if anybody has messed around with using Duo and creating phishes for it. I can promise you that we've not had luck. It is insane, they know if you are actually trying to spoof a domain. So, you know, I'm not saying, I'm not recommending

anyone, I'm just saying, you know, if you have time take a look at it. If anybody has tried it they will know who I'm talking about: Landy, he's the guy that will automatically actually email you back, so whoever your IT guy is, he'll email you in the next like two hours after your campaign has started and let you know that there's something going on. So that was one of the most insane ones that we've seen. If you find a bypass, do let us know please. Cool, I think that's it. Thank you again guys. Yeah, feel free to come and