CyberWire Daily - Leveling up their credential phishing tactics. [Research Saturday]
Episode Date: May 17, 2025
This week, Dave speaks with Max Gannon of Cofense Intelligence to dive into his team's research on "The Rise of Precision-Validated Credential Theft: A New Challenge for Defenders." Threat actors continuously develop new tactics, techniques, and procedures (TTPs) to bypass existing defenses. When defenders identify these methods and implement countermeasures, attackers adapt or create more sophisticated approaches. This research explores how cybercriminals are leveling up their credential phishing tactics using Precision-Validated Phishing, a technique that leverages real-time email validation to ensure only high-value targets receive the phishing attempt. The research can be found here: The Rise of Precision-Validated Credential Theft: A New Challenge for Defenders
Transcript
You're listening to the CyberWire Network, powered by N2K.
What's the common denominator in security incidents?
Escalations and lateral movement.
When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, Identity Attack Paths are easy targets
for threat actors to exploit but hard for defenders to detect.
This poses risk in active directory, Entra ID and hybrid configurations.
Identity leaders are reducing such risks with Attack Path Management.
You can learn how Attack Path Management is connecting identity and security teams
while reducing risk with BloodHound Enterprise, powered by SpecterOps.
Head to specterops.io today to learn more.
SpecterOps. See your attack paths the way adversaries do.
They're not using any sort of really advanced techniques.
They're using pretty simple stuff, but they're using it in a different way.
And by using it this way, they show that they have an understanding of how SOCs work, which
is something that a lot of directors don't.
That's Max Gannon, intelligence manager with Cofense Intelligence. The research we're discussing today is titled,
The Rise of Precision Validated Credential Theft,
A New Challenge for Defenders.
My team has what we call qualitative groups.
And when we find some kind of interesting behavior, we tag it with a group.
And a lot of times we'll only see it once or twice, so it's not really worth writing about just yet.
But when we've seen enough of this qualitative group, especially if it suddenly starts to become more common,
then we'll really do an in-depth dive on it and start writing about it.
So this was originally something we saw in very small numbers.
It was enough to be mildly frustrating, but not a real problem.
And then, especially within the last month, we've seen it drastically increase
to the point where if it's annoying for us, it's got to be a big problem for SOCs.
Right. Well, can you explain what precision validated phishing is
and how it differs from traditional phishing attacks?
So the first step is, you know, someone gets an email, a credential phishing email, and typically it's Microsoft spoofing, but we've seen other brands as well.
And then usually this email gets reported and the SOC gets the URL, and the SOC tries to visit the URL, and
the transition page sends a prompt, and it says, hey, I need you to confirm your identity and put in the email address that this link was sent to.
And so that's context that the SOC needs to have. If they somehow get that information
and are allowed to use it, then they enter it
and they move on to the next step.
Sometimes this is the actual Microsoft-branded credential
phish, which has all the little bells and whistles
that you would expect.
And sometimes there is an additional step,
where once you've verified the email address,
then they send an email
to the email account and then you have to use a code or a link from that email to progress
onto the next step of the credential phish.
And this final step is hosted typically on a different site.
And that final step usually stays up for significantly longer than the intermediary, the first step.
How do you rate the sophistication of these threat actors?
That's a bit difficult because, as I said earlier, they're not using any sort of really
advanced techniques.
They're using pretty simple stuff, but they're using it in a different way.
And by using it this way, they show that they have an understanding of how SOCs work, which
is something that a lot of directors don't.
But by making this validation only work a certain way, they're taking advantage of a
flaw in cybersecurity procedures, really. So for that, I'd rate them pretty highly
for having additional information about how it
would work, because that's unusual.
For sophistication, actual sophistication,
I'd rate it probably middle, because once you
get your hands on the code it's really easy
to figure out they don't do much in the way of obfuscation.
Well, can you share an example of how this has been used in an actual phishing
campaign? Yeah certainly. So we got in a pretty standard looking Microsoft Office credential phishing campaign.
And we went ahead and visited it and immediately came up
with the notification that we needed an email address.
So this escalated things a little bit,
because while we do have access to email addresses,
a lot of customers don't like it when you
use an email address.
There's a lot of issues with that, especially for outsourced SOCs.
So we were able to get the information we needed and then find the list of targeted
email addresses and use an email address from that targeted list
and progress through the phishing get what we needed. Can we go through some of
the mechanics here? I mean how does the real-time email validation process work
within these phishing attacks? Yeah so the first step is really basic. It just
compares the email address you enter to a list of email addresses that the threat actor
has of people who've been targeted by the phishing campaign.
So that step, if you can find the list, which is usually obfuscated, but if you can find
it then you can bypass it.
The next step is actually sending the email address, sending an email to the email account.
Sometimes this involves clicking a link, sometimes this involves just copying and pasting a code.
And what kinds of technologies or methods are they using to validate the email addresses in real time?
So most of this takes place using pretty basic JavaScript that's just built into the
traditional phishing page.
None of the actual techniques used are particularly advanced.
They're just combining known capabilities into a new method of doing things that makes
life very difficult.
We'll be right back.
And now a word from our sponsor ThreatLocker. Keeping your system secure shouldn't mean
constantly reacting to threats.
ThreatLocker helps you take a different approach by giving you full control over what software
can run in your environment. If it's not approved, it doesn't run. Simple as that.
It's a way to stop ransomware and other attacks before they start without adding extra complexity
to your day. See how ThreatLocker can help you lock down your environment at
www.threatlocker.com
Worried about cyber attacks? Cyber care from Storm Guidance is a comprehensive cyber incident response and resilience service
that helps you stay prepared and protected.
A unique onboarding process integrates your team with industry-leading experts.
So if an incident occurs, your response is optimal.
Get priority access to deeply experienced responders, digital investigators, legal and
crisis PR experts, ransom negotiators,
trauma counselors, and much more.
The best part?
100% of unused response time can be repurposed for a range of proactive resilience activities.
Find out more at cyber.care.com care slash cyber wire.
So what makes precision validated phishing particularly challenging for security teams to detect and analyze?
So it's especially difficult for external SOCs.
But even for a company who has an internal sock, it's difficult because first you need
the email address.
And as I said, typically SOCs are not provided with this email address.
So even if you somehow manage to get the email address, then you have to also get the company's
permission to use the email address.
And getting permission is sometimes just not possible.
So SOCs are pretty much blocked off by company policy
at this point.
And even if they somehow get approval
to use an email address, then if one of the next steps
involves sending a confirmation email,
they have to get access
to somebody's inbox. And that is, I've personally only heard of two situations in which that has happened. It's extremely rare. People are just not comfortable doing that, with good reason.
So, SOCs are able to get maybe half of the IOCs
they could gather otherwise.
And because of this gating, oftentimes,
once the first couple steps go through,
they're redirected to a final credential phishing page.
And this final one has the IOCs that the SOCs need,
because the intermediary pages can be reported
and taken down, but if the final one stays the same, the threat actors just send
out a new campaign with new intermediaries so the SOCs are just stuck
going for the first URL because that's all they have. Oh that's interesting. So
given all that, what are your recommendations then? I mean, how should organizations best defend themselves?
So luckily, there are very few situations
in which an email is sent to the email account.
So for most SOCs, the first obstacles they need to overcome
are finding the email address of the recipient
and being allowed to use that email address on the credential page.
So for this to happen, what they need is open communication.
They need to have a contact at the company who they can talk to, they can explain the
situation, they can say, okay, so we've got this, you know, potentially very advanced phish that is very much targeting specific people. Can you give us approval so we can
do this investigation so we can get this additional information and help protect you better? And
if there's that open line of communication, then they're going to have a lot more success
than somebody who is really just, they don't really have a good contact going.
Are there particular industries that you're seeing targeted here?
I think the one we have seen it with most is the oil and natural gas
sector. They're the ones we've seen the most of this with, unfortunately, but it's becoming
all around more common.
And what is the ultimate goal here?
I mean, are these financially motivated attacks?
Are they going after, is it a corporate espionage situation?
What are you all seeing?
So I think at a very base level,
what threat actors are trying to do
is improve their return on investment.
So credential phishing happens all the time.
And typically, once they send out,
threat actors will send out these mass email campaigns
trying to get as many credentials as they can.
But the credentials are typically unverified. So when they sell them in bulk on the dark web, they don't actually get very
much money for them. They just really don't get much money because they're not validated.
They don't have any sort of confirmation that these are active accounts, that these credentials
can be used and that sort of thing. But with precision validation, you can, the threat actors can not only sell it for more because it's validated,
but they can also sell it in groups.
They can say this specific list of people with this title at this
company, here are their credentials,
and they can sell it for a lot more than just a big collection of a thousand
email addresses and passwords.
So even if they're not doing an additional more targeted approach, simply from return
on investment by using this technique, they're making a lot more money.
Is there a user awareness component here?
Can we educate our users to do a better job defending against, I guess, are there any specific tells
that you all have observed?
Yeah, so one of the biggest things
is the prompt for email addresses.
Even sometimes when you put in the correct email address,
it'll prompt you again for an email address,
just to make sure.
So what this really, to me, it's kind of a surprise,
or it should be a surprise because when you visit these web pages,
if you're using a password manager, all your credentials are already saved.
So if you're visiting a website and you think it's Microsoft,
and you go to the Microsoft website and your password manager isn't giving you
credentials,
then there's probably something wrong.
So looking for, I mean, obviously look at the URL,
but looking for obvious signs like, you know,
it's not giving me the autofill information here
when it always does on the Microsoft accounts,
you know, stuff like that
can really help you spot these things.
What are some of the key takeaways you hope that readers get if they check out this research?
So, the biggest thing I think that I'd like people to get from this is that every company that has a SOC,
whether they're internal or external, needs to have clear communications with them.
Because this is a very obvious situation in which communication is important.
And communicating can potentially help save people from getting compromised if they say,
okay, we know who else is on the list, we can inform them.
But if you don't have that communication,
then not only are they more susceptible to attacks
like this, but there are so many things that can go wrong
if a SOC doesn't have someone who they can say, hey,
we've noticed this trend.
And you do think about it with your users.
So for example, with PhishMe, we have specific sims, and we say, the intelligence
team says, we've seen this, and the sims are built based on that, and people can select
their sims.
So if there's communications between the SOC and other departments, the SOC can say, hey,
we're seeing this, and other departments who are responsible for training can say, okay, we're going to use sentence along with that, those themes that you've identified.
Our thanks to Max Gannon from Cofense Intelligence for joining us.
The research is titled, The Rise of Precision Validated Credential Theft,
A New Challenge for Defenders.
We'll have a link in the show notes.
And that's Research Saturday brought to you
by N2K CyberWire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our
executive producer is Jennifer Iben. Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening, we'll see you back here next time.