This devious two-step phishing campaign uses Microsoft tools to bypass email security
- Two-step phishing bypasses security with user-activated actions
- Fake Microsoft portals quickly collect sensitive credentials
- Advanced threat detection is key to combating phishing
A two-step phishing attack uses Microsoft Visio files (.vsdx) and SharePoint, marking a new chapter in cyber deception, experts warn.
The security researchers at Perception Point reported a dramatic increase in the number of attacks using .vsdx files.
These files, which have rarely been used in phishing campaigns until now, are used as a delivery mechanism, redirecting victims to phishing pages that mimic Microsoft 365 login portals and are designed to steal user credentials.
Phishing abuses trusted platforms
Two-step phishing attacks combine malicious actions to evade detection. Rather than directly delivering malicious content, these campaigns rely on trusted platforms like Microsoft SharePoint to host seemingly legitimate files.
The attackers embed URLs into Microsoft Visio files that direct victims to malicious websites when clicked. This layered approach makes detection by traditional email security systems more challenging.
Microsoft Visio, a widely used tool for creating professional diagrams, has become a new vector for phishing. Attackers use compromised accounts to send emails containing Visio files that appear to come from trusted sources, often impersonating urgent business communications such as proposals or purchase orders to take immediate action.
Because the attackers use stolen accounts, these emails often pass authentication checks and are more likely to bypass the recipient’s security systems. In some cases, the attackers attach .eml files to the emails, further embedding malicious URLs that lead to SharePoint-hosted files.
The attackers embed a clickable button in the Visio file, usually called “View Document.” To access the malicious URL, victims must hold the Ctrl key and click the button. This interaction, which requires manual user action, bypasses automated security systems that cannot replicate such behavior.
To mitigate the risks of such advanced phishing campaigns, Perception Point recommends organizations use advanced threat detection solutions, including dynamic URL analysis to identify malicious links, object detection models to flag suspicious files, and authentication mechanisms to reduce the impact of compromised accounts. minimize.