![Leveling up their credential phishing tactics. [Research Saturday] — CyberWire Daily cover](https://megaphone.imgix.net/podcasts/58ab7ae0-def8-11ea-b34c-b35b208b0539/image/daily-podcast-cover-art-cw.png?ixlib=rails-4.3.1&max-w=3000&max-h=3000&fit=crop&auto=format,compress)
Dave Bittner
You're listening to the CyberWire Network, powered by N2K. What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets with bad directory hygiene and years of technical debt. Identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps. See your attack paths the way adversaries do.
Max Gannon
They're not using any sort of really advanced techniques. They're using pretty simple stuff, but they're using it in a different way. And by using it this way, they show that they have an understanding of how SOCs work, which is something that a lot of threat actors don't.
Dave Bittner
That's Max Gannon, intelligence manager with Cofense Intelligence. The research we're discussing today is titled "The Rise of Precision Validated Credential Theft: A New Challenge for Defenders."
Max Gannon
My team has what we call qualitative groups, and when we find some kind of interesting behavior, we tag it with a group. And a lot of times we'll only see it once or twice, so it's not really worth writing about just yet. But when we've seen enough of this qualitative group, especially if it suddenly starts to become more common, then we'll really do an in-depth dive on it and start writing about it. So this was originally something we saw in very small numbers. It was enough to be mildly frustrating, but not a real problem. And then, especially within the last month, we've seen it drastically increase to the point where, if it's annoying for us, it's gotta be a big problem for SOCs.
Dave Bittner
Right. Well, can you explain what precision validated phishing is and how it differs from traditional phishing attacks?
Max Gannon
So the first step is someone gets an email, a credential phishing email, and typically it's Microsoft spoofing, but we've seen other brands as well. And then usually this email gets reported and the SOC gets the URL, and the SOC tries to visit the URL, and the credential phishing page sends out a prompt and it says, hey, I need you to confirm your identity and put in the email address that this link was sent to. And so that's context that the SOC needs to have. If they somehow get that information and are allowed to use it, then they enter it and they move on to the next step. Sometimes this is the actual Microsoft-branded credential phish, which has all the little bells and whistles that you would expect. And sometimes there is an additional step where, once you've verified the email address, then they send an email to the email account, and then you have to use a code or a link from that email to progress onto the next step of the credential phish. And this final step is hosted typically on a different site, and that final step usually stays up for significantly longer than the intermediary.
Dave Bittner
The first step. How do you rate the sophistication of these threat actors?
Max Gannon
That's a bit difficult because, as I said earlier, they're not using any sort of really advanced techniques. They're using pretty simple stuff, but they're using it in a different way. And by using it this way, they show that they have an understanding of how SOCs work, which is something that a lot of threat actors don't. But by making this validation only work this certain way, they're taking advantage of a flaw in cybersecurity procedures, really. So for that, I'd rate them at, you know, pretty highly for having additional information about how we work, because that's unusual. For sophistication, actual sophistication, I'd rate it probably middle, because once you get your hands on the code, it's really easy to figure out. They don't do much in the way of obfuscation.
Unknown
Well, can you share an example of how this has been used in an actual phishing campaign?
Max Gannon
Yeah, certainly. So we got in a pretty standard-looking Microsoft Office credential phishing campaign, and we went ahead and visited it and immediately came up with the notification that we needed an email address. So this isolated things a little bit, because while we do have access to email addresses, a lot of customers don't like it when you use an email address. There's a lot of issues with that, especially for outsourced SOCs. So we were able to get the information we needed and then find the list of targeted email addresses, and use an email address from that targeted list and progress through the phishing, get what we needed.
Unknown
Can we go through some of the mechanics here? I mean, how does the real time email validation process work within these phishing attacks?
Max Gannon
Yeah, so the first step is really basic. It just compares the email address you enter to a list of email addresses that the threat actor has of people who've been targeted by the phishing campaign. So that step, if you can find the list, which is usually obfuscated, but if you can find it, then you can bypass it. The next step is actually sending the email address... sending an email to the email account. Sometimes this involves clicking a link, sometimes this involves just copying and pasting a code.
Dave Bittner
And what kinds of technologies or methods are they using to validate the email addresses in real time?
Max Gannon
So most of this takes place using pretty basic JavaScript that's just built into the credential phishing page. None of the actual techniques used are particularly advanced. They're just combining known capabilities into a new method of doing things that makes life very difficult.
Dave Bittner
We'll be right back. And now a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start, without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com. Worried about cyber attacks? Cyber Care from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected. A unique onboarding process integrates your team with industry-leading experts, so if an incident occurs, your response is optimal. Get priority access to deeply experienced responders, digital investigators, legal and crisis PR experts, ransom negotiators, trauma counselors, and much more. The best part? 100% of unused response time can be repurposed for a range of proactive resilience activities. Find out more at Cyber Care Cyberwire.
Unknown
So what makes precision validated phishing particularly challenging for security teams to detect and analyze?
Max Gannon
So it's especially difficult for external SOCs. But even for a company who has an internal SOC, it's difficult, because first you need the email address. And as I said, you know, typically SOCs are not provided with this email address. So even if you somehow manage to get the email address, then you also have to get the company's permission to use the email address. And getting permission is sometimes just not possible. So SOCs are pretty much blocked off by company policy at this point. And even if they somehow get approval to use an email address, then if one of the next steps involves sending a confirmation email, they have to get access to somebody's inbox. And that is... I've personally only heard of two situations in which that has happened. It's extremely rare; people are just not comfortable doing that, with good reason. So SOCs are able to get maybe half of the IOCs they could gather otherwise. And because of this gating, oftentimes once the first couple steps go through, they're redirected to a final credential phishing page. And this final one has the IOCs that the SOCs need, because the intermediary pages can be reported and taken down. But if the final one stays the same, the threat actors just send out a new campaign with new intermediaries. So the SOCs are just stuck going for the first URL, because that's all they have.
Unknown
Oh, that's interesting. So given all that, what are your recommendations then? I mean, how should organizations best defend themselves?
Max Gannon
So luckily there are very few situations in which an email is sent to the email account. So for most SOCs, the first obstacles they need to overcome are finding the email address of the recipient and being allowed to use that email address on the credential phishing page. So for this to happen, what they need is open communication. They need to have a contact at the company who they can talk to. They can explain the situation. They can say, okay, so we've got this potentially very advanced phish that is very much targeting specific people. Can you give us approval so we can do this investigation, so we can get this additional information and help protect you better? And if there's that open line of communication, then they're going to have a lot more success than somebody who is really just... they don't, they don't really have a good contact point.
Unknown
Are there particular industries that you're seeing targeted here?
Max Gannon
I think the one we have seen it with most is the oil and natural gas sector. They're the ones we've seen the most of this with, unfortunately. But it's becoming all around more common.
Dave Bittner
And what is the ultimate goal here? I mean, are these financially motivated attacks? Are they going after... is it a corporate espionage situation? What are you all seeing?
Max Gannon
So I think at a very base level, what threat actors are trying to do is improve their return on investment. So credential phishing happens all the time. And typically, threat actors will send out these mass email campaigns trying to get as many credentials as they can, but the credentials are typically unverified. So when they sell them in bulk on the dark web, they don't actually get very much money for them. They just really don't get much money because they're not validated. They don't have any sort of confirmation that these are active accounts, that these credentials can be used, and that sort of thing. But with precision validation, the threat actors can not only sell it for more because it's validated, but they can also sell it in groups. They can say, this specific list of people with this title at this company, here are their credentials. And they can sell it for a lot more than just a big collection of a thousand email addresses and passwords. So even if they're not doing an additional, more targeted approach, simply from return on investment, by using this technique they're making a lot more money.
Dave Bittner
Is there a user awareness component here? I mean, can we educate our users to do a better job defending against this? I guess, are there any specific tells that you all have observed?
Max Gannon
Yeah. So one of the biggest things is the prompt for email addresses. Even sometimes when you put in the correct email address, it'll prompt you again for an email address, just to make sure. So what this really... to me, it's kind of a surprise, or it should be a surprise, because when you visit these web pages, if you're using a password manager, all your credentials are already saved. So if you're visiting a website and you think it's Microsoft, and you go to the Microsoft website and your password manager isn't giving you credentials, then there's probably something wrong. So, I mean, obviously look at the URL, but looking for obvious signs like, you know, it's not giving me the autofill information here when it always does on the Microsoft accounts. You know, stuff like that can really help you spot these things.
Dave Bittner
What are some of the key takeaways you hope that readers get if they check out this research?
Max Gannon
So the biggest thing I think that I'd like people to get from this is that every company that has a SOC, whether they're internal or external, needs to have clear communications with them. Because this is a very obvious situation in which communication is important. And communicating can potentially help save people from getting compromised. If they say, okay, we know who else is on the list, we can inform them. But if you don't have that communication, then not only are they more susceptible to attacks like this, but there are so many things that can go wrong if a SOC doesn't have someone who they can say, hey, we've noticed this trend, can you do something about it with your users? Because, so, for example, with PhishMe, we have specific sims, and the intelligence team says, we've seen this, and the sims are built based on that, and people can select their sims. So if there's communication between the SOC and other departments, the SOC can say, hey, we're seeing this, and other departments who are responsible for training can say, okay, we're going to use sims along with that, those themes that you've identified for us.
Dave Bittner
From Cofense Intelligence for joining us. The research is titled "The Rise of Precision Validated Credential Theft: A New Challenge for Defenders." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
CyberWire Daily: Leveling Up Their Credential Phishing Tactics [Research Saturday] – May 17, 2025
Overview
In the May 17, 2025 episode of CyberWire Daily, hosted by Dave Bittner and powered by N2K Networks, Max Gannon, Intelligence Manager at Cofense Intelligence, discusses a shift in credential phishing. The episode, titled "Leveling up their credential phishing tactics. [Research Saturday]," covers the emergence of precision validated credential theft and its implications for defenders. The conversation covers the methods threat actors are using, the obstacles they create for security operations centers (SOCs), and recommendations for organizations looking to improve their defenses.
The Rise of Precision Validated Credential Theft
Max Gannon introduces precision validated credential phishing as an escalation from traditional phishing. Unlike bulk campaigns that cast a wide net and accept whatever credentials come back, precision validated campaigns are aimed at a specific list of individuals within organizations and check that the visitor is one of those targets before presenting the credential-harvesting page. Because the visitor's identity has been confirmed, the stolen credentials are more valuable to the attacker.
“They're using pretty simple stuff, but they're using it in a different way. And by using it this way, they show that they have an understanding of how SOCs work, which is something that a lot of threat actors don't.” [01:14]
Gannon emphasizes that while the technical methods employed may not be inherently advanced, the strategic application of these techniques demonstrates a deeper understanding of SOC operations, making these attacks more effective and harder to detect.
Mechanics of Precision Validated Phishing
The discussion delves into the step-by-step process of how precision validated phishing operates:
Initial Phishing Email: Attackers send out credential phishing emails, often spoofing reputable brands like Microsoft. These emails aim to deceive recipients into clicking malicious links.
Reporting and URL Handling: Once a phishing email is reported, SOC analysts receive the URL. The attackers exploit the SOC's procedures by designing the phishing workflow so that the URL alone is not enough; additional validation steps are required to reach the real credential page.
Email Address Validation: Upon accessing the phishing site, the visitor is prompted to confirm their identity by entering the email address the link was sent to. Basic JavaScript on the page compares the entry against the attacker's (usually obfuscated) list of targeted addresses; only a match lets the visitor proceed. This gate confirms that the visitor is an intended target, which is what makes any credentials captured afterwards more valuable.
Secondary Verification: In some cases, after the email address is verified, the phishing site sends a confirmation email with a code or link that the visitor must use to proceed. This confirms that the visitor controls an active inbox. The final credential page is typically hosted on a different site and stays up much longer than the intermediary pages.
“They are taking advantage of a flaw in cybersecurity procedures, really. So for that, I'd rate them at, you know, pretty highly for having additional information about how we work...” [04:10]
Gannon explains that the use of such validation steps increases the profitability of these attacks by ensuring that the stolen credentials are active and can be monetized more effectively on the dark web.
Challenges for Security Operations Centers (SOCs)
Precision validated phishing presents unique challenges for SOCs:
Access to Email Addresses: SOC analysts often do not receive the recipient's email address with the reported URL, so they cannot pass the validation prompt and investigate the rest of the workflow.
Permission Constraints: Even when the address is known, organizational policy frequently bars the SOC (especially an outsourced SOC) from using it on a phishing page, and access to a victim's inbox for the confirmation-email step is rarer still.
Detection Difficulties: The layered approach means the IOCs a SOC can collect from the first URL are only a fraction of the total; the intermediary pages are reported and taken down, while the long-lived final credential page, whose IOCs matter most, stays hidden behind the gate and is reused with fresh intermediaries in later campaigns.
“SOCs are able to get maybe half of the IOCs they could gather otherwise. And because of this gating, oftentimes once the first couple steps go through, they're redirected to a final credential phishing page.” [09:19]
Real-World Examples
Gannon shares an example of a Microsoft Office credential phishing campaign:
“We got in a pretty standard looking Microsoft Office credential phishing campaign, and we went ahead and visited it and immediately came up with the notification that we needed an email address...” [05:16]
In this scenario, Gannon's team was able to locate the list of targeted addresses embedded in the kit and use one of them to progress through the phishing flow. He notes, however, that many customers object to analysts using real addresses this way, particularly where the SOC is outsourced, which illustrates the practical obstacles precision validated phishing creates for most teams.
Defensive Strategies and Recommendations
To combat this sophisticated phishing method, Gannon recommends the following strategies:
Open Communication Channels: Establish clear lines of communication between SOCs and other departments within the organization. This facilitates swift action and information sharing when advanced phishing attempts are detected.
“Every company that has a SOC, whether they're internal or external, needs to have clear communications with them.” [15:13]
Enhanced User Awareness: Educate users to recognize signs of phishing, such as unexpected prompts for email addresses or the absence of password manager autofill features on legitimate sites.
“Looking for obvious signs like... it's not giving me the autofill information here when it always does on the Microsoft accounts.” [14:09]
Attack Path Management (sponsor segment): Separately from Gannon's research, the episode's sponsor read from SpecterOps promotes BloodHound Enterprise for visualizing and managing identity attack paths in Active Directory, Entra ID and hybrid environments.
Targeted Simulations and Training: Implement simulated phishing campaigns tailored to identified threats, enabling organizations to train their employees effectively against specific phishing tactics.
Industry Impact and Trends
Gannon notes that the oil and natural gas sector has been particularly targeted by precision validated phishing campaigns. However, this trend is spreading across various industries, emphasizing the need for widespread awareness and adaptive security measures.
“The one we have seen it with most is the oil and natural gas sector. They're the ones we've seen the most of this with, unfortunately. But it's becoming all around more common.” [12:12]
Conclusion and Key Takeaways
Precision validated credential phishing represents a meaningful evolution in credential theft, combining straightforward techniques with an understanding of how SOCs operate. Organizations should prioritize open communication between the SOC and the rest of the business, user education on the tells Gannon describes, and phishing simulations built on the themes the SOC is actually observing. By staying informed and adopting proactive defenses, security teams can better protect their accounts against these emerging tactics.
Final Remarks
Max Gannon's insights underscore the importance of adaptability and collaboration in the face of increasingly sophisticated cyber threats. As precision validated phishing continues to evolve, so too must the strategies employed by defenders to safeguard critical information and maintain robust security postures.
For more insights and detailed analysis, listen to the full episode of CyberWire Daily or visit the show notes for additional resources.