
hey everybody howdy thanks thanks for coming to our talk and for hanging out here at the bsides with us thanks for sticking around I know we're the last Talk of the day so you know really do really do appreciate it and uh yeah welcome so we'll get started here uh my name is pizza bone this guy next to me is Nate the Great may we are pentesters at a company called ultraviolet cyber and you know just a little bit of backstory about this talk uh we're looking for a way to kind of give back to the security community and we thought we would we thought it' be fun to get up here and give a talk and we're not
exactly the best public speakers in the world so we thought hey let's give a talk at besides Philly so that's kind of the that's kind of how we decided to to put up put together this talk this talk is all about Advanced fishing tradecraft in 2024 and this talk is essentially just a breakdown of how we run our social engineering engagements for for clients at work so we're going to we're going to move fast we're going to cover a lot and hopefully there'll be some time for Q&A at the end and as far as his picture is concerned this is what Dolly thinks we look like it when we work on a daily basis so let's get this thing started so
just a quick little who am I like I said I'm Pizza alone pentester at ultraviolet cyber uh I've been working in tech for about seven about sevenish years now I started out working as a software developer over here at the Port of Philly where I was uh writing programs for container algorithms and their placement on the docs and I was doing a little bit of help desk stuff with that as well but I was looking to kind of like do more do more cyber stuff so after moving into the help desk I calleded my way into a sock analyst position and then I was doing that for a couple of years and then with a little
bit of luck and the right the right circumstances I was able to become a pentester at at UV which has been fantastic uh somebody has referred to this journey as a um Rags the richest cyber success story um which I think is pretty funny hey everyone I am Nathan may also penetration tester at ultraviolet cyber I have some background in the military did six years in the Army National Guard as an IT specialist and I've been doing security offensive security for about five years now so thank you all for coming super excited to give this talk and hope you guys has learned something all right so talking with a lot of our clients and customers at work
you know we seem we seem to the same common themes um that we consider to be issues with most fishing assessments and the first first thing is you know fishing is easy but good fishing is hard yes anybody can set up Go Fish and start sending some emails you know but in order to really really get a good impact for the customer it takes a lot more work work than that a lot of times as like a pentester one we're on strict time constraints so we really only have like a week or two weeks for a fishing engagement and also usually you know our customers they pay a ton of money and all they get at the end is like a report
so that report has to be really really good and full of impact and since fishing is really really difficult most fishing assessments are performed with allow listing and security exceptions you know I'm I'm always kind of conflicted by this because at the end of the day yes you want the emails to be essentially you want the emails to land in the inbox right because you want to test the users however this is very un this is very unrealistic I think you're missing a lot of things by setting you know white lists and allow listing um for for pent testers to actually try that because it doesn't show what it would actually take for an attacker to
get an email into the inbox the impact just isn't there um another common thing is people say oh we know we're good we're good with fishing because you know we use no and you know I think no is really really good for user training but I think it's I don't think it's very good for security testing Noble four focuses on the content but it really doesn't focus on misconfigurations exploiting SMTP relays doing SSO bypasses and things like that um essentially the best part of about no before is the content and the third thing is Click counting this is kind of like a weird metric for people um you know I think click counting is pretty
good because yes it provides insight into user susceptibility however a lot of people don't like click counting because they say hey we use security product so who cares if the you know who cares if the user clicked on the link and I think that matters a lot more than uh what most people think so in order to talk about you know some of the fishing techniques and stuff that we do we kind of have to cover some Core Concepts and the first one is how email works and how the SMTP protocol works so if you're a sender send sending the email from you know one computer to the other there's a little bit more that
goes on under the hood so once you that email leaves your computer it goes to your organization's SMTP server or Google's SMTP server and then from there it gets sent to the recipient's SMTP server and then from there it kind of hangs out there until the receiver takes that email requests it either through like a refresh or maybe a period of time and they get the email through POP 3 or IMAP and a couple things when it comes to email security is the main the main three are the SPF the dkim and what's known as Demar SPF this is all done through uh DNS records so the SPF uh verifies that the sending server is
authorized to send email on behalf of the domain so when the receiving SMTP server receives an email it does a quick lookup of the sending domain to ensure that the email that it received is actually Ved and not being spoofed uh by another SMTP server dkim domain Keys identified mail this uses this is a technique that uses uh public and private Keys as an Integrity mechanism to ensure that emails don't get corrupted or changed uh somewhere in transit so the emails we use the public and private keys to create like a message header special digest and then from there um that helps determine whether or not the email was modified or not and then both of these things kind
of form Demar uh Demar is what to do with the email if it passes or fails want it the SPF checks or the dkim check um you know you don't need SPF and dkim you can have one or the other in fact I think most people just use the SPF um but you can but you can have both uh once Demar determines you know did it pass or fail the checks uh it make it makes a determination and the the three main parts determinations it makes are none quarantine or reject um and just because it none yes it the email gets delivered but it also has like a monitoring reporting feature as well uh so there even though it doesn't
do any take any action on the email it might still uh send an alert so those are the three things when to comes to email security and then finally there's the email security platforms which focus a lot on domain reput reputation email content and Link inspection so with domain reputation it says hey is this email on a blacklist is this email on you know part of spam campaigns in the past um you know what's what's in the email content are there any buzzword trigger words um and that's a just a lot of string matching to help determine whether or not an email would be considered malicious or not and then there's link inspection if there's a
link embedded inside the email where does that link go you know there might be a spot that kind of checks the link real quick to ensure if it's malicious or not um is the domain associated with the link good bad so th things like that so it's it's it's difficult there's a lot of there's a lot of moving Parts associated with this so when it comes to fishing uh what would be considered a traditional credential fish is you know step one the attacker would send the email containing the fishing link to the unsuspecting user and then that user usually clicks the link and gets brought to some type of HTML fake login page um then we know with any luck they will
take the take the credentials and then they will submit them into this fake lockin page and then the credentials get passed to the attacker who then takes the capture credentials and logs into the real website now this is how fishing was done for a very long time probably like five or 10 years ago this was this was very common but this this does not work anymore and it's not really it's not a realistic method um and I will let Nate may tell us why sure so looking at this I'm sure all of you are thinking that's not going to work we have MFA right your usern and password basically useless to an attacker if all of your logins are
protected with multiactor authentication um you know you log in with the username password it then prompts you with a text code or maybe Google Authenticator you know one of these services that provides that secondary form of au uh authentication there's also MFA client security right so o to verify is a common example of this where it does there's a desktop application and it does an introspection check on the domain that you're authenticating to and if it does this check and it says hey they're trying to do MFA to um this malicious domain and that's not the legitimate uh server for this oat tenant then we're not going to continue with MFA and we're also going to report you
to to this client right we're going to tell them that you're trying to fish their login page so that makes things tricky there's also email software uh security software which Pete kind of talked about right there's Bots looking at everything you did you send an email the very first person that's going to look at it we not person the very first thing that we look at it is a bot right they're going to look at it say hey this email says download this software that's kind of suspicious let's look at it further let's visit this link oh it downloads malware okay we're not going to send this email to this user right there's so many checks that happen and it becomes
very challenging as attackers to get our malicious emails to the end user and have the entire Tech worked where we can get access to their account with you know MFA MFA client security and all these email security software products right proof Point there's there's so many out there so let's do better right let's break down how we're going to re-engineer this whole process and actually have success right let's show impact to our clients um not just say hey we had some clicks it was cool the end right what let's do more so one of the first things to really help this process be better is reverse proxy what we do is we set up a proxy server and
the link that we send to the user that we're trying to fish um all of the requests to that server just get forwarded to the legitimate end application right so if we're trying to fish Microsoft they're going to see the legitimate Microsoft page because every request they send to us we send to Microsoft they reply back to us and we forward that back to the end user the really cool thing about this is all we care about is your cookies right I could care less about your password your username what your MFA code was as long as we have those cookies we import them into our browser and now we're fully authenticated to octo whatever it is
that you're using as that user um also this makes our job actually a little bit easier right we don't have to build these custom HTML pages and play with CSS and stuff we just point to the real server and it looks identical right all these fancy you know loading animations all the things that you see on your real login page you have there so it gives the fish user a sense of familiarity it looks identical is identical it's the real site it's just being served by you instead of them um this is also super helpful because it gives us the chance to intercept those messages from the server and modify them before sending it back to the client I'll talk a little
bit later about how we weaponize this to kind of break some Security checks but this is a very key part in this whole uh reverse proxying um technique there's also bot detection right like I said first thing that's going to look at your email is p series of bots trying to figure out hey is this bad or is this safe um links are being reviewed so what we do is we do bot detection right if we think that a bot is looking at our website we're going to send them somewhere else something totally innocent you know could be a news site could be whatever we want just not the fishing page not you know maybe
a malicious file um and if it's a human we'll send them to the legitimate Service uh we also like to look for misconfigurations and vulnerabilities this is obviously something that you're never going to get if you're just using Nova before or you know allow listing your pent testers to email to do fishing assessments if you're let right in the front door there's no need to search for a back door right so we like to emulate real attackers and search for vulnerabilities that let us entirely bypass your security products and we'll break down a little bit of the things that we like to look for and how they work so here's kind of a high level
overview of this new process that you know we we like to use um and this is assuming we have not found any vulnerabilities that allow us to just land right in an inbox without any checks um so we like Go Fish it's helpful I'm sure a lot of you have heard of it uh it kind of helps automate and organize a lot of these um campaigns right you can create groups of targets you can create templates for your emails and just helps automate things so we use goish to send our email um obviously bot looks at it goes to our bot detection page we say oh it's a bot let send them to this nice innocent page with nothing
crazy to see theot reviews it says Ah this this looks pretty good this looks safe we're gonna send this email to the user the user clicks the exact same link goes to our bot detection we say oh you're not a bot let's get you proxy get you logging into this website yep a little bit more on Go Fish open store is super easy to use if you haven't heard of it or haven't played with it and you're interested it's it's a fun time um has some cool dashboards for metrics and tracking really just makes everything easier helps automate message delivery organize a to buy campaigns uh and like I said you can store templates if you're fishing emails
or whatever else you want I would say I would caution you against using go fish for the landing page feature this tool does not provide any of the services that I've been talking about or at least you know free open source tool um it doesn't do any B detection doesn't do any reverse proxying it's essentially hey build an HTML page hope that users submit credentials and then you'll have credentials and that's that's not great so use go fish for automation not for actually hosting your landing page little intro into reverse proxying um just in case you're new to the the term and the concept uh so so the way this flow works is when the user clicks
on a link We detect that they're a human they make a request to our reverse proxy right like hey load the login page we send that to the server the server response to the proxy we forward that response and maybe modify things and send it back to the user and this Loop iterates until authentication completes right so the first Loop might be submitting username second might be password third Loop might be the MFA and that keeps going until we hey this user has now authenticated to the service let's cut them off send them somewhere else and now we have their cookies we've we're in as that user when you're creating or spinning up a reverse proxy for the first time um
there are a few things that you want to look at so the first um is the Target right you want to tell the reverse proxy where am I sending all this data that these clients are requesting right so you point that to whatever it is that you're trying to fish whether it's you know GitHub OCTA Gmail Microsoft 365 or Office 365 whatever service it is you want to tell the reverse proxy hey go to this domain send all of the traffic that you get over here you also want to tell it the termination redirection URL this is how we identify when the fished victim has completed authentication um the way that we do this is typic with burp Suite
right we'll go to you know Office 365 and log in and we'll see what requests are made to the server immediately after a successful uh authentication that were never made before authentication that way we can tell the reverse proxy Hey whenever you see a request to this resource this person must have finished the whole process let's get them let's break the loop send them away and then we'll take their uh cookuse um there are also transform rules so these are the those modifications to the data that we get from the server that we modify before we send it to the client um this is where it gets fun trying to break security products right there's
lots of browser security features JavaScript and just the way that browsers load the internet um so Integrity checks hey what if we rewrite the content of this website to change the word integrity to extra gritty and now all of those Integrity checks don't happen we can put whatever we want there and it's not going to do any Security checks same thing with nons changes to n or whatever you'd like we're just having fun here um and then you can you know look at other security configurations that might be giving you issues right cores and all sorts of things um like I mentioned before with octav verify if you have the octav verify application on like say windows uh host and you use
something like o fastp pass and does that like local introspection check on the server um the way it knows how to contact the application on your host is the server sends it hey Point go to1 127.0.0.1 um uh and this support that's where op verifies listening and you know you can send it the website that you're authenticating to will make sure it's legit What happens if we rewrite that um with default configurations it kind of fails open and it continues with the Fastpass authentication um there is a configuration with an OCT that you can change to make that not happen um but if you're allowing other forms of MFA as well it will just fail open and let you
continue and you know when we're doing raing a whole lot of burb Suite we have BB Suite open the entire time we're color coordinating you know this is pre-authentication post authentication what happens here like why is this resource not being loaded um that way you can kind of customize these transform rules this termination redirection URL and everything else that you need for the reverse proxy here's just a very brief part of the config file you know we can only fit so much in here um but you'll see you know the target we have login. microsoftonline.com this reverse proxy then knows any request you guys to forward there uh terminated or terminate redirect URL um and then the terminate
trigger you can see isomon reprocess um with that parameter at the end we know whenever we see that resource being requested by a client they've authenticated they're on the application let's you know end this Loop and send them to the redirect URL um and like I said this looks amazing to the client because it's identical to the a login page because it is right you can see at the top the domain isn't quite right um but it looks pretty cool it looks good to the user and every time you click a button it it operates the exact same way that you're used to things working looking at some bot detection now right this is really one of the
biggest fights of fishing we want to keep security products away from our fishing Pages we want to keep them away from if we're doing payload testing right like hosting malware C2 um you know agents we want to keep us away from all of that and what this really comes down to is pattern recognition um so figuring out ways to pull metrics from whatever browser or agent is requesting your resource um so we have some fun ways to do this right you can run JavaScript checks to get as much information as you can about who's visiting your website to look at user agents you know if they go through time sleeps um you know what the
screen height width depth is maybe you'll notice some weird patterns right if you're trying to fish someone who has um like a Gmail account send 10 emails with this link uh to their Gmail account and see that bot hit it every time and say hey every time you know this spot where you use this site they're coming from the same IP address or their window width is exactly the same every time and it's a little bit different than most users right find something that sets that bot apart and then build rules based off of that um so yeah part of that is assigning the appropriate cookies to indicate like hey we've now detected you as a bot or as a human
we're going to give you this cookie that way in future correspondence with you we know where to send you we like to use traffic to help coordinate this routing once we have a cookie assigned to an end user um you can use a proxy I'm sure there's so many other resources out there that do similar things um but we like traffic uh because a lot of our services are also hosted in Docker containers so here's an example of kind of those metrics Gathering um that I was talking about this is a little tool that we we use um it pulls information about whatever is visiting the website loads it up in the HTML but it also then logs
all of that data so basic 64 encodes everything you see on the screen and then sends it back to the server um so that's kind of what you see in that bottom right hand corner picture is all that data being sent back to us to say hey um this spot came from this IP address let's block that IP from seeing the fishing content and this is available I have a GI help link at the very end of this presentation has uh this HTML file for you know in case you want to use it this is an example of some traffic routing uh just because that's super helpful to figure out hey if you have this cookie signed let's send you to
this Docker container where we have the reverse proxy or let's send you to this other Docker container where we just have a boring website with no real malicious content on it um so you can see there's three services there and they all have this uh traffic HTP router um entry which says hey if the cookie has bot equals true then we'll send them to this container if it has bot equals false and this container and if there's no cookie at all let's send them to the bot detection uh dock container it's not quite as simple as this uh I kind of simplified and abbreviate a lot of things to make it as easy to put on a
screen as possible um but this is the general concept behind a lot of what we do and of course looking for security biop passes right a lot this is a lot of work if we can just get around your security products anyway we'd rather do that it's going to be better for us um and sometimes it even allows us to impersonate people inside of your business right if you're emailing someone from their legitimate like it support email they're going to do whatever you tell them to do it's it's a great time um so one thing you know when you're doing an external review of a client uh search for SMTP servers right p25 587 465 and then there are tools that you
can use to do manual SMTP testing SX is a good tool we use it all the time and it's pretty scary how frequently this actually works um we you know you can see in the SX command you have to specify the IP should I not even that that's terrible imagine that screenshot has a beautiful T Tac server and then an IP address after it so apologies for omitting that um but you can specify what the server is and then you say hey here's who we're sending from here's who we're sending to here's the subject here's the body any x-mailer headers you want um and it works way more than you think it should uh we you
know we'll drop in and say hey like we just emailed you from your own email address did you get it and oh yeah we did like that's kind of scary um and the cool thing about this is because it's coming from their legitimate SMTP server it's passing SPF right so it's it looks legit it's and if you're doing this in environment like Azure or something where there's connected attributes to that user your email is going to land in there with their profile picture attached to it it's gonna like say their name it's going to look perfect it's it's it's great um we also like to see if there's maybe misconfigurations with your email security products uh proof point is a
very common tool that people use to you know inspect email coming to their systems um and the way proof Point typically works you know I know there's you know Cloud hosted and selfhosted most people are doing Cloud hosted so if you do a DNS record look up for the MX record of the email address that you're trying to send to it's going to send you to a proof Point IP address right that way when you send an email to John example.com it's going to go to the proofpoint server proofpoint server is going to inspect it review it make sure everything's all nice and safe and then send it to the end user after it's determined that it's safe um so if we
can identify ways to not address the proof point server at all sometimes people forget to restrict the incoming connectors to their final SMTP server so they set a proof point they change their DNS records they're all like all the mails going to FR point they're all happy but they forget to restrict this end SMTP server and there's some easy ways to figure out where that SMTP server is and maybe address it directly one of those ways is Microsoft online email routing addresses um which comes with your Azure email accounts um so you can use tools like Azure ad internals to fol these domains um so that's bottom part is a little snippet to do this domain Recon on
test.com obviously change that with whatever your email domain is um and if they have a Microsoft online email routing address it's going to look something like example. onmicrosoft.com right um and so if you like I said if you send to John example.com you're gonna do a DNS resolution lookup it's gonna say oh yeah go to proofpoint docomo um and then PP hosted will review it and send it onto your final SMTP server but if we address John that example that on microsoft.com it goes directly to that SMTP server um hosted by Microsoft and we've seen this happen a lot too where people because they're using proof point they say hey we don't want to interfere at all with what's
happening at proof point right we trust them we if they send us an email we believe that it's saved so we're going to disable all of our security checks within Microsoft because if it's coming from point it must be good so then if you can address their own microsoft.com domain directly you have no security and it's it's great it's free fishing single sign on is Awesome from a defensive perspective right lots of um centralized monitoring visibility control but it's also pretty awesome for us as well I mean all we have to do is fish One login right we fish your OCT on and now we have whatever connect you have right so we might have slack
Salesforce email like all sorts of services that might be connected to OCTA um and we've also found that this can be beneficial uh if we get caught right say The Blue Team says oh this user got fished they have an OCTA session let's terminate their OCTA session we found that a lot of times those additional sessions that we create with new session tokens for those services like slack don't also get terminated and they don't have the visibility about what we have done on those so you know they might have caught us and terminated our OCTA session but we're still living in slack for another week and I will pass some on to feet to talk about crafting your fish like Bob
Ross all right folks it's Bob Ross time here um so all all the technical stuff aside you know we still have to put together an email that still has to go be viewed in front of a user and this is this is cult uh because humans are super super finicky um in all my experience I am I am always surprised at what a human being will and will not click on there doesn't there just doesn't seem to be any Rhyme or Reason to that and so since this is since there's no guarantee of success we really have to make a good fishing email in order to boost our chances as much as we possibly can so let's talk about crafting your
fish and the one of the most important things it it has to be Rel relevant to your target um you know a lot of common email fishing techniques are things like you know can you buy me some gift cards or this is the CEO talking to the lowest level help desk employee right like these these things aren't realistic and they're just simply not relatable for a lot of people and so they set off a lot of red flags so in order to come up with a really good fishing pretext you got to do some research and in this example you know in general LinkedIn company pages are your friend you know people are more likely to click on an email about Turkey
Trot photos when one it's around Thanksgiving and two your organization just had a turkey tribe so um it's got to be it's got to be super relatable so you want to look for things like events webinars parties changes to your or structure RTO mandates uh things things like that we want to play off the human emotion in this in this situation uh whether that's greed familiarity something else second you got to make it look pretty it's got to be so beautiful so nice it has to make the user feel like they've seen this email like a thousand times before and in order to do that there's a couple of things one you have to make sure the spelling is
correct spelling absolutely matters especially when it's a work email and you're in a professional setting now this could be tricky for some people who are like English Second Language and like I get that so if you are English Second Language one of the things I recommend is you know put it through chat GPT ask chat GPT hey is this is this grammar correct or you can copy paste it into like a Microsoft Word document and look for the Angry Red Lines or the blue lines and like just make the corrections there uh we like to use HTML instead of text you can do so much more with HTML emails than you can with text emails the uh the picture on
the right is a HTML file um that's looks absolutely beautiful it's absolutely beautiful and that's something that just couldn't be made with text uh we like to focus also on like the customer colors uh these can usually be found in like the CSS files we like to use customer logos whenever we can um and these can be found in like the HTML uh links uh now it's difficult to make uh a document as beautiful as this this takes a certain amount of time and the developer in me says why would we want to create something when we could just steal it from somebody else and modify it right it's always so much easier to be able to
modify something instead of making something so we try to use pre-built templates whenever we can uh a good resource we have for this is codepen.io really good emails these are just a huge collection of marketing emails we'll look around we'll find one that we like and then we'll just modify to our purposes because it's way easier to change a couple icons and some text than to create like an entirely compl new new document so once we have our you know beautiful HTML fishing email put together uh we're going to have to talk about the content filtering content filtering is one of the ways that uh email security platforms will trigger uh on fishing messages and help determine
whether or not they're bad, and really, underneath the hood, it's just string matching. So the question becomes: how do we break up strings of these trigger words without ruining the entire email? How do we break up the email and keep the email together at the same time? And the answer is HTML, which is another reason why we use HTML. We like to use these span tags; you can throw a style in there, you can use a zero-width joiner, which is kind of like a spaceless space, for lack of a better description. We use these things because we can insert this HTML into any word we think might flag the email, but these span tags don't actually render when the HTML document is rendered, so using this approach we can break up all the string matching but the document still remains intact.

Another thing we like to do is base64 images to mimic email signatures. If, for whatever reason, you're having trouble putting together an email signature, then one of the things we do is take a screenshot of it, convert that image into a base64 string, and then we'll just put that base64 string into the image source tag, and it usually renders pretty nicely, or at least good enough that if someone glances at it, it'll pass the check. And email signatures are really important in this situation, because email signatures are one of the ways that people get to feel very, very familiar with emails.

We also like to use generic envelope senders to simulate automated messages. Email likes to flag a lot on things like HR, IT, marketing, specific departments, so in order to get away from that we like to use no-reply, support, do-not-reply, something super generic, to make it look like it's simply an automated message, and people receive so many of those nowadays that it almost doesn't even register
as being different. So this is an example of bypassing content filtering. This is a phishing email we used on an engagement a couple of weeks ago. What we were trying to do was get the user to click on the link to visit a landing page, download the latest SentinelOne EDR agent, which is really just a payload that we had, and then install it, which would trigger a callback to our C2 server. Unfortunately, in an email like this there are a lot of buzzwords in here: things like Windows, EDR, agent, update, macOS, Quest, names like Check Point, SentinelOne. Right, there are a lot of things that could have triggered on this, so in order to avoid all that stuff, underneath the hood, if you look at the HTML, we'll see we did a lot of span HTML tags throughout all the words that we thought might be flagged. So it kind of looks like a nightmare under the hood, but it is a really good way of bypassing content filtering checks.

So let's try to put this all together, right? Step one, in order to have a successful phishing campaign, you've got to have a good idea, a really good pretext, and I like to tell people: do something that you would click on, because if you would click on it then there's a really good chance somebody else would click on it. Then you have to get some names and emails. If we don't get some emails from clients, then sometimes LinkedIn scraping may or may not be the way to go; I do know a lot of people do it. And then once you have your list of emails, you've got to set up your reverse proxying, and then you have to configure the GoPhish, and then you've got to make the GoPhish work with Traefik, because Traefik implements our bot detection. And once you've got all the technical stuff set up, you have to actually put the email together through HTML crafting, and then you have to break up that email in order to bypass the content filtering checks, and then you've got to hope and pray that the domains you're using for your phishing attack have not been burned for some other odd reason, and then if that all works you have to hope and pray that the user even clicks on it. So there are a lot of moving parts when it comes to doing phishing well, and that's why it's so incredibly difficult. And assuming that the user even clicks on it, fantastic, you're successful, but you're only going to be successful for a limited amount of time, because in six months this probably won't work. One of these things on the list, whether that's the reverse proxying or something with the GoPhish or the bot detection, won't work, and then we'll have to fix it. It's really like a cat-and-mouse game: Office 365 makes a change to their login page, we have to make a change, and then the cycle just kind of continues from there.

So how do we stop this? Well, Nate May's got the answers.

Sure, so a few resources to stop advanced phishing attacks. This first one's obvious, right, we all know it, unfortunately we don't all do it: always check the URL. Right, we can
make the link as pretty as it can be, we can do B text, we can do all these fancy things, but if you check the link and go "oh, that's not my Okta portal", you'd beat us. Ensure proper configuration for all email security products, right? We see way too much of this: we have way too many open SMTP relays, we're spoofing internal senders. So just use that swaks command in the previous slide, make sure you add the server to it, and test your SMTP servers; it's super easy to do. And then phishing-resistant MFA does exist, and it's very annoying for us when that does happen; we have to resort to other methods like payload testing, but there are companies out there that do have phishing-resistant MFA where it does domain binding; it will refuse to authenticate unless it sees the right domain.

MFA training is probably an easier one to implement. If people are using Okta, right, you sign in, you put in username, password, multi-factor authentication, you get to the nice Okta dashboard. We steal your cookies, we get to the nice Okta dashboard, we're stoked, we're super excited, we click on your email, and it prompts us for another set of MFA and we get super sad. So MFA training, or second-factor reauthentication, right: we get super excited, we have your session, we're about to get all of your stuff, and then it asks us for another set of MFA and we have no answers for it. So that's an easier one that doesn't require hardware-based MFA or doesn't require every system to have an application installed; it's just a configuration change within your environment, and you're kind of done. But secure your SMTP servers, right? Do these tests that we provided, make sure Proofpoint is not able to be bypassed, make sure you can't do relays. It's not super difficult to test, but most people just don't know about these things and they don't know to test them.

Some cool tools to perform advanced phishing. We've talked about a lot of
these, right? GoPhish helps us automate all the things: all the sending of emails, our target lists, our templates for those emails. It gives us good metrics for how many things we sent; it kind of helps organize things that we can package up and deliver to a client, say "hey, we sent an email out to 562 people, and 500 were valid emails, we got 61 bounce-backs" or whatever. Traefik is sort of that tool I was talking about which can do routing based off of session tokens or domain or resource and route you to the appropriate Docker container. Evilginx is similar to Modlishka; we don't use it, but it's another good shout-out, right? It does this reverse proxy where it impersonates the... it doesn't impersonate, it forwards your traffic to the end server. Modlishka is the one that we like to use; we just like the control we are able to have over the transforms and the way that we can configure those JSON files. BotD is a bot detection service; they also have an open-source GitHub repo which kind of has a beginner bot detection toolkit, and it's a good introduction to learning about this, right: what kind of checks is BotD doing to determine if you are a bot or a human, and how can we maybe steal some of this code to make it better and make it work with our solution?

Burp Suite: you'll be all over Burp Suite when you're doing your reverse proxy, making sure CORS isn't breaking, why is this string being put together from all these JavaScript variables, and things like that. That's something that we've noticed recently with Okta: it's not just string matching, they've buried URLs inside of layers and layers of JavaScript, and so you have to rewrite the JavaScript directly so that when those different JavaScript variables get concatenated it becomes the right string. So it definitely gets tricky, but Burp is your best friend. swaks is that tool to test SMTP servers. I have a little tool called swacky which just ingests an nmap XML file, and you can say who you want to send from and who you want to send to, for both internal and external, and it kind of flies through your nmap XML file and tests all the SMTP servers. Browser metrics is just that site I showed you guys earlier where it has, you know, what's the screen width of this agent, what's the color support of this agent, did it go through the sleep check, all these things that maybe will help you get data for pattern recognition when you're building your bot detection, right?
This is often going to be best if you don't want a case-by-case basis; you know, the bots for Microsoft might not look like the bots for Proofpoint. Cookie-Editor is a nice browser extension that makes our job really easy: we get your cookies, we open up Cookie-Editor, we paste them in, we reload the site, and all of a sudden we're in your email. It just makes it so that we don't have to manually create 50 different cookies based off the content that we got. Pete gave this a shout-out, but codepen.io and Really Good Emails: awesome content if you're trying to build convincing, official-looking emails but you don't have the HTML or CSS knowledge to do that, or you're just lazy and want to steal other people's... like, that's what devs do, it's great. And then this is kind of a shout-out to our previous boss; he has a really good write-up on phishing. He did a training at St, which is a security conference in Utah, and just walked through this whole process of setting up the servers and doing all these things. It's like 90% complete, so I apologize when you get to the last two or three pages and there's code missing there; I'll warn you ahead of time, it's really, really good content, but it's not done.

And feel free to hit us both up, we're on LinkedIn, we'd love to talk to you guys about it. That's why we're doing this talk: we think this is fun stuff and something that we think the security industry could probably be doing better when we do pen testing and social engineering engagements. So yeah, feel free to hit us up. Thank you guys so much.
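Editor's added example, not from the talk and not the speakers' tooling. It shows the content-filter bypass the speakers describe (splitting flagged words with non-rendering span tags and zero-width joiners, plus a base64 inline signature image) and, beside it, the check a mail-filter author would want: match on the rendered text after stripping tags and zero-width code points, and count those code points as a signal. The trigger-word list, the sample email and the signature bytes are all constructed for the example; no real product's filter list is used.

```python
import base64
import re
from html.parser import HTMLParser

ZWJ = "\u200d"                                   # zero-width joiner, invisible when rendered
ZERO_WIDTH = "\u200b\u200c\u200d\u2060\ufeff"    # zero-width code points a filter should strip

# Hypothetical trigger words; a real product's list is not public.
TRIGGER_WORDS = ["edr agent", "update", "sentinelone", "password"]

# Constructed placeholder bytes standing in for a screenshot of a signature (not a valid image).
SIG_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8


def obfuscate_word(word):
    """Wrap every character after the first in a styled <span> preceded by a ZWJ.
    The rendered text is unchanged, but the raw HTML no longer contains `word`."""
    parts = [word[0]]
    for ch in word[1:]:
        parts.append('<span style="font-family:inherit">' + ZWJ + ch + "</span>")
    return "".join(parts)


def obfuscate(text, words=TRIGGER_WORDS):
    """Apply obfuscate_word to every case-insensitive occurrence of each trigger word."""
    for w in words:
        text = re.sub(re.escape(w), lambda m: obfuscate_word(m.group(0)), text,
                      flags=re.IGNORECASE)
    return text


def inline_signature(png_bytes):
    """Embed an image as a data: URI, the base64 signature trick from the talk."""
    b64 = base64.b64encode(png_bytes).decode("ascii")
    return '<img alt="signature" src="data:image/png;base64,' + b64 + '">'


def build_email(signature_png=SIG_PNG):
    """Constructed sample email body with the trigger words obfuscated."""
    body = ("<p>Hi team,</p>"
            "<p>Please install the latest EDR agent update from the IT portal.</p>"
            "<p>Thanks,<br>IT Support</p>")
    return ("<html><body>" + obfuscate(body) + inline_signature(signature_png)
            + "</body></html>")


def naive_filter(raw_html, words=TRIGGER_WORDS):
    """A plain string-matching filter: substring search over the raw HTML."""
    low = raw_html.lower()
    return [w for w in words if w in low]


class _TextExtractor(HTMLParser):
    """Collect the text a mail client would render, counting inline tags and zero-width chars."""

    def __init__(self):
        super().__init__()
        self.chunks, self.inline_tags, self.zero_width = [], 0, 0

    def handle_starttag(self, tag, attrs):
        if tag in ("span", "font", "b", "i", "u", "em", "strong"):
            self.inline_tags += 1

    def handle_data(self, data):
        self.zero_width += sum(data.count(c) for c in ZERO_WIDTH)
        self.chunks.append(data)


def normalized_filter(raw_html, words=TRIGGER_WORDS):
    """Match on the rendered text instead of the markup: strip tags, drop zero-width
    code points, collapse whitespace, lowercase. Also report the obfuscation signals."""
    p = _TextExtractor()
    p.feed(raw_html)
    p.close()
    text = "".join(p.chunks).translate({ord(c): None for c in ZERO_WIDTH})
    text = re.sub(r"\s+", " ", text).lower()
    hits = [w for w in words if w in text]
    return {
        "hits": hits,
        "zero_width_chars": p.zero_width,   # any non-zero count is itself suspicious
        "inline_tags": p.inline_tags,       # many spans inside single words is another tell
        "suspicious": bool(hits) or p.zero_width > 0,
    }


if __name__ == "__main__":
    email = build_email()
    print("naive filter hits:", naive_filter(email))
    print("normalized filter:", normalized_filter(email))
```

Run as a script: the naive filter returns no hits on the obfuscated email, while the normalized filter recovers both "edr agent" and "update" and reports 13 zero-width joiners and 13 inline spans. The design point for defenders is that the match has to run on what the recipient sees, not on the bytes; a zero-width-character count on its own is a cheap, high-signal indicator, since legitimate marketing templates almost never contain them in body text.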