B (4:08)

Well, I mean, I think social engineering has become a thing of its own these days. And it seems to me like there's no technical solution to social engineering. Or I guess maybe a better way to phrase that is social engineering is the easy way to get the best way to get around technical solutions. Right. If I can trick you into doing something. And we're all human, so we're all. It's something we see over on the Hacking Humans podcast. We talk about, you know, you're not dumb, you're human, and so you fall for these things. And it's interesting to me what you're talking about, of chaining together some of these things to make the attacks even more powerful.

C (4:53)

It's just like using the game show analogy that we were just talking about. You are the weakest leak, Dave.

A (4:59)

Goodbye.

B (5:00)

I can vouch that, yes, in most cases and certainly. And when it comes to the hosts of this show, I am the weakest link.

A (5:08)

You know what, Dave? I was actually thinking about you earlier today. I had hummus for lunch.

B (5:14)

Oh, all right. That's dip adjacent.

A (5:17)

Yes. And I thought, you know who would appreciate this lunch, Dave?

B (5:23)

No, I do. I enjoy a good hummus. Was it a straight hummus or was it some sort of spicy flavored hummus?

A (5:30)

Just regular with avocado on a sandwich.

B (5:32)

Yeah, classic. Classic. Good for you.

A (5:35)

Keeping it easy. Keeping it easy.

B (5:37)

That's right.

C (5:38)

Well, we. Well, we also can't have an episode without talking about dips. So this is one of our first cold opens that we didn't talk about dips. So we have to throw it in there somewhere.

B (5:48)

That's right. Yeah.

A (5:49)

It has to be a snack, something that you can eat in front of the TV. And actually, talking of TVs, it's a really great analogy for the device code fishing because I think most people are familiar with when you get a new tv, you set it up like a little device. A device code will pop on screen. So scan this QR code to add your account to this television, for example.

B (6:10)

Right.

A (6:10)

And it's sort of that authentication flow that threat actors are taking advantage of. And in these cases that we're seeing, it is the Microsoft OAuth device authentication flow. So, you know, Microsoft 365. It'll say, hey, you know, add, scan this code, scan this QR code to add a new device to your account. So there'll be these really interesting lures and oftentimes they're business relevant themes, something that you might be expecting anyways from your HR or your company comms. And sometimes it's a link to a QR code, sometimes it's a QR code, but you scan it and then it kickstarts the device code authentication process. And we see this both from e crime actors as well as APT and espionage threats.

B (6:56)

Well, help me understand here, Selena. I mean, how does it begin? Am I just going through my email and I see something that perhaps pretending to come from HR or something like that?

A (7:14)

Yeah, yeah. So we've seen a variety of themes. One that I thought was pretty compelling was salary bonus, employer benefit, things of that nature that come at the beginning of the year. Do you. Yeah, here's the pay rise, employee employee pay rise. And so it'll look like something that was like a document that was shared or something that was shared from Microsoft. And so you know, it's, it's a URL you'll click on. In combination, it'll lead to like a QR code. You scan that and essentially it takes you through that overall process. So, so social engineering really plays a role here, right? Like you have to craft like a good and believable lure that makes someone think, okay, I should engage with this. And so you log into an application with the legitimate credentials because that's the process. So you point them to FAT app and then it will generate a token. So this is what the threat actor is actually looking for. So it'll say, okay, how do you give me this token or turn it over in some way? Or they'll email it to you. So you might click on the link, log into legitimate service, it'll show you this token and then that's what you kind of hand over to the threat actor. So once this user is actually presented with the device code, that's how it's, that's the key, right. That will unlock the account, so to speak.

C (8:40)

I think this is really neat too because at least from reading your articles, if I'm getting this correctly, so you're getting this device code and it's coming from a legitimate link, like a legitimate Microsoft URL, I guess. So there's no suspicious link. So we've been training for phishing all these times. Don't click on suspicious links. But now this is, is a legitimate link. So if you check the URL, it's fine. We've been saying all this time, make sure you use mfa, but now this by, this is mfa because you're getting your device code. So it's kind of brilliant in the fact that it kind of just really goes against everything that we've been teaching for anti phishing all these years of don't click, check the URL, don't click on a suspicious link when now everything is legitimate, all in this process.

A (9:33)

Am I correct in that the authentication flow is legitimate, but the apps and things that they are saying, oh, you know, grant this application, that's something that the threat actor has sort of created. And with those, you know that that whole flow does look quite legitimate, right? Because it's using the actual device code creation technique is something that you do anyway, like when you're trying to add legitimate accounts to your M365, like, it's, it's something that you're like, okay, like I recognize this, I've done this before. Or maybe you've added an account to your tv, you've scanned this QR code, you've logged into, you know, these legitimate applications that you can put them on your tv. So it's this behavior that we're very used to doing in our, both in our personalized and professional lives too. It's like this process that we're like, okay, like this is, this is how we do things now. And it's actually, it's actually pretty clever. But so the landing pages themselves, like those URLs. Well, like when you're actually like, given the device code, those URLs will look suspicious, right? So it'll be like something seems off here. But a lot of times the pages are very well designed, they're very believable. It is the like sort of the, again, the screen of the flow that you, you might be used to. So it is something that is pretty interesting. And threat actors, we did used to see this occasionally with a little bit more targeted campaigns from the E crime sphere. There's actually been red team tooling that's existed for a while for this. So it's, it's, it's something that has like been known but not widely used until recently.

C (11:03)

Well, that's when I started doing some research on when you, when you shared the article for me. So, you know, you mentioned Squarefish and that like you said, that was a legitimate red team tooling. And you know, I went and I watched a video today of kind of how, you know, how that you know, really worked. But then, you know, I guess what the criminal threat actors kind of took that Squarefish first iteration from I think it was like 2022 to Squarefish 2 now, which was released in 2024. And so whereas that first Red Team tooling, it was really targeted. It was more manual. It took a high skill to be able to do that in limited volume that you could send with the fish. But now Squarefish two is really that on steroids. It's scalable phishing, it's high automation, low skill, so low entry level, high volume capabilities and just more widespread adoption on the criminal forum. So I thought that was really fascinating that really, that the red teamers may have been the ones that kind of let the criminals know that, hey, this is a new way how you could fish.

A (12:25)

Yeah, I think it's really interesting because it was, I mean, it was around and it was something that, you know, was not widely seen, but we had seen it from like, you know, Red Team and target attacks and from the E crime thing. And I remember last year, year before, there was a lot of talk about apt threat actors being like, oh my gosh, like, look at this really unique attack chain, this thing that these espionage threat actors are using now. Oh my gosh, it's so impactful. I remember one of my researchers being like, yeah, we've seen this. I was unimpressed.

B (12:57)

Ain't it the way. Yeah.

C (12:59)

I do have a quick question on this. When did proofpoint or when did you start seeing kind of a spike in these type of attacks? And the reason why I'm asking is that when I started doing research, one of the other phishing kits that does this is called graphfish, that was developed by a guy and on the Russian forum exploit in just this summer he released it publicly. So he was trying to sell it and it just wasn't getting a lot of traction. And all of a sudden this July, he's like, oh, I've developed this. I'm just going to put it out for public release. Here's the download link, here's the password. So I'm really curious if you really started seeing this spike from July onward.

A (13:44)

Yeah, it took a little bit more, but yes, it was definitely in alignment with when that tool was released for free, just out there for everyone. I think it was like a little bit more of a slower adoption, but come the fall we started seeing it pretty regularly. And now there's other ones too. We're seeing new fish kits emerge that use the device code authentication flow. Stick around after the break.

B (14:20)

And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. ThreatLocker Protect is the core threat locker product focused on endpoint security, designed to prevent unauthorized software from running, control how applications interact and manage access to storage devices. Its building blocks are a allow listing, ring fencing, and network control. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the system resources they truly need to function. Network control locks down access by port, source, IP or dynamically with ACLs that automatically update as IP addresses change. Shut out cybercriminals with world class endpoint protection from Threat Locker. And we thank ThreatLocker for sponsoring only malware in the building. So let me ask you this, is this a situation where having something like a password manager could help? Because, you know, like my password manager will, if I try to log in to a site that isn't the site it's claiming to be, my password manager will throw a fit. It'll either not automatically fill in my credentials or it'll say, hey, what are you doing? This is not, you know, this, this, you're filling in your Microsoft credentials, but this is not Microsoft. Is that a possible avenue of defense?

A (16:05)

Well, it is a legitimate Microsoft authentication flow.

B (16:08)

So it is like, because they're only after the token.

C (16:11)

Yeah, it's password.

A (16:12)

Yeah, they're not. I see, yeah. So they're not after your username password, they're after that token. But from the enterprise perspective, there are things that organizations can do like for all users. So honestly, blocking device code, phishing if possible, is really the best option because you just lock this down and it just won't work. So even if they fall for the phish and get the device code and it just doesn't, it will block it. Right. So they won't be able to actually go through that whole authentication flow. But also using conditional access policies, so much more of an allow list approach. So these are the apps that we approve, that we know to be safe. There's also things like only using it for approved users or operating systems or IP ranges. So like using like named locations where it's like, okay, we know that you can log in from here, but if we're seeing attempts from Russia, this is, this is not good. So yeah, so there's also, you know, like again, using conditional access and, and the, those policies can really help prevent as well. And also like user training. Right. Like, this is something that's increasing with increasing frequency and making sure that people know that this is a new technique that they're using. I find that, you know, kind of talking to people and explaining when it comes from a social engineering perspective, like understanding why you might fall for something or why it's effective and not just being like here's a screenshot, but like here's why it's really effective. And kind of incorporating that into user training I think is very helpful.

B (17:42)

What's the training against this? How do you vaccinate people against this one?

A (17:48)

So usually it's like looking for suspicious URLs, right. But that doesn't really work because you're prompted to actually enter a device code. So that is really what it is. So it's the action and it's like looking at the technique overall and seeing the actual device code and seeing that this is how it can be abused. So not entering those from untrusted sources. So if you just get a random email from someone@gmail.com or you know, an email that says it's from HR, that's not working. The lore itself might look in align with our suspicious triggers. Right. Like the social engineering is important. There's.

C (18:27)

And it's sending a QR code though too. Isn't that the.

A (18:31)

In some cases. Yeah. Yeah. So, yeah. So having that, having that general awareness of being like this is what it's asking for. If someone asks you for your device code, say no. If someone's asking you for username and password, say no. Like another thing that we're like, keep it secret, keep it safe.

B (18:48)

Could you have a company policy in place, for example, that, that requests from folks like HR need to be verified in some other human to human way or is that just going to get old for HR really fast?

A (19:02)

Yeah, I mean that because it's just so much impersonation. I mean you should, that should already, you know, be part of your organization's user training. Like if you get an unsolicited email from someone that's pretending to be this person and it doesn't match what her email looks like, like ping her on teams, you know, like that it's always this sort of like double check and verify no matter what. You get that a lot with like business email compromises too. So like a lot of lookalike domains, for example, can be very, very good. And you know, if you're getting an unsolicited email from a supplier that looks basically identical to the domain, just call your supplier. Like, did you really mean to send me this. But what also happens too is right when you have account takeovers, sometimes there are your legitimate supplier that's emailing you, but the it's pwned by a threat actor. Right? So that is just like double checking when you get these unsolicited emails and things that you weren't expecting as part of your workflow, contacting them via phone or on a chat app or some, you know, some other way to make sure that it is. That it is actually them. And they did mean to say that you are getting a raise.

B (20:16)

I mean, basically, don't trust anybody anywhere, anytime, ever again.

A (20:22)

Is the theme of this podcast. Just go into the woods, right, people?

B (20:26)

Yes. Go build a cabin in the woods where you're out of range of cellular service. Build yourself a Faraday cage where you can't get satellite service and become a hermit. And yeah, just live a. Live a lonely life.

C (20:43)

I'm going to do that for eight days on my cruise because there I'm not being touched with the.

B (20:51)

Huh.

C (20:52)

No Internet.

B (20:53)

So, yeah, we'll see how long it takes before you or either you or your lovely bride spring for the expensive Internet package because you just can't stand it.

C (21:02)

No, I'm going. I'm going to be good. I'm going to be good.

A (21:07)

So I like to call escaping into the woods or without Internet thoroughing in the towel. Thorough.

B (21:15)

Oh, as in thorough. Oh, nice. Wow.

A (21:19)

That. That didn't. That failed.

B (21:20)

That's. That's. Well, that's a smart joke for this crowd.

A (21:24)

I forgot this wasn't Jeopardy.

B (21:26)

Yeah, with Family Feud, not Jeopardy. Family Feud, not Jeopardy. A thorough punishment probably isn't going to get very far for you on Family Feud the way it would on Jeopardy. But we'll allow it. What else you got for us today, Selena?

A (21:42)

Oh, yeah, well, the other thing I wanted to talk about was Direct Send, and I don't know if you guys have experienced this at all. Keith, did you have any yet?

C (21:48)

No, no, I was, I was, I was just getting ready to pivot to direct sends because this is fascinating too.

A (21:53)

Take us away.

C (21:54)

No, no, I was. Let. Let you set it and then I'll. I'll add the color. So.

A (22:01)

Microsoft's Direct Send feature essentially makes phishing emails that look like they're originating from within the organization.

B (22:10)

Thank you, Microsoft.

A (22:13)

Yeah, it's basically what it is. It's a feature in Microsoft 365 that allows devices and apps to relay messages to Microsoft tenants without authentication if the recipients are inside an organization. It's super useful for things like printers, legacy apps, it's widely, widely used. And again, this is abusing legitimate services. So just like the device code phishing, that's like very useful and very helpful and very important for workflows can be abused. I feel like just everything these days can be abused. And so now we have this direct send feature and threat actors have realized, oh, wait, hold on a second, I can do this. And so we do see that it can be misused to deliver unauthenticated messages that appear as real internal emails. So basically what the email will look like is that this is from you to you, or, you know, someone within your organization to you. And it will have something that is like, oh, again, sometimes a QR code. QR code, we do see that a lot where it's things like, oh, this is, you know, you have a new task or new priorities, or like, they love telling people they're getting raises at the beginning of the year, at the end of the year. So you have these sort of organizations, they would seem like they would be real within an organization stuff that you might be expecting. Hr, new voicemail, things like that. And it'll look like it's coming from them, but in reality it's a URL or it's a QR code. And mostly we see it with credential phishing, credential harvesting and account takeover, but it could, the same technique could be used to deliver malware.

C (23:48)

And this is the one kind of like the bad guys is on the inside. We've been so, again, accustomed to see on our emails external, you know, that's just tagged right in the subject line so that you know it's coming from outside. But now this is coming through and you think that, hey, well, this is, you know, Dave sent it to me or Selena sent it to me. It's coming from internal. So naturally, again, you're thinking that this is safe. You're not seeing those red flags of it being an outside person or from the outside. So you're more than likely to be a little bit more trusting and maybe click on it. Especially if the lore is HR bonus or salary increase or something like that, where you're going to be a little bit more curious and entrusting to the click on it. So I thought this was a very unique stop clicking on this stuff. And now we're seeing the actors now really start the pivot because I think our training is being more effective. People have a little bit more awareness. So now they have to kind of shake things up. How do we appear that we're coming from internal or the Q QR codes or you know, the, the device codes. Like, like we just talked about, how, how do we really kind of change up those ttps now to become more effective?

B (25:12)

Does this rely on someone else in your organization previously being compromised?

A (25:18)

No. So essentially what the flow looks like, he just as an example, a threat actor will connect to a virtual host and like RDP and then SMTP connections are initiated from these hosts to unsecured third party email security appliances. And then those messages are relayed through appliances to Microsoft 365 tenants belonging to those organizations. It's honestly a little confusing.

B (25:44)

I'm confused. I don't know about you, Keith, but she lost. Yeah. When you say appliance, what do you mean?

A (25:54)

So some sort of whatever you're using for your email security or whatever the apps and services that are incorporated within your tech stack, but essentially what it is, is what it really comes down to is threat actors are abusing the legitimate protocols that we use in printers to have printers talk to each other, for example. So you can print from the third floor when you're on the first floor to do something very similar. But the good news is you can disable it so you can reject Direct Send. You can basically use mail flow rules. So basically, like you can block email from unauthenticated relay IPs. You can like look at the headers to see if that, you know, if it's legitimate. But honestly, like if you're, if you're not actively using Direct Send for business critical information, you can just reject direct.

B (26:46)

Send, turn it off, pull the plug.

C (26:50)

Yeah, I think a lot of the messages too, from reading your article and research on it, a lot of these do go to the junk mail folder. But the problem is everybody still looks at their junk mail folder and they see, well, hey, this is an internal email. Let me click on it and then let me see what's going on here. So the messages are failing. It doesn't have a great success rate, but you know, a lot of times it's still delivered to the junk mail, which people check. So.

B (27:18)

Not me, I don't check my junk mail. No.

A (27:21)

Do you check any email? Dave, are you, are you email free?

B (27:25)

I do. I mean, I, in general, I loathe email. It's just one of my least favorite parts of the day. When I think about it. I think it's time to check. I check it a couple times a day, but when I do, my body language goes, I have to check my email.

A (27:43)

I'm a Real sicko. Because I, I look at my email too much right now. I also just look at everything. Just constant bombardment of information.

B (27:54)

See, now Keith's about to go on his trip and, and my wife and I are opposites when it comes to this. When we go on vacation, she will keep up with her email so as to not have an avalanche when she gets back. I'm the opposite. I will ignore it the whole time I'm gone. Then when I get back, I do what I call declaring email bankruptcy just to mark everything is red. Counting on the fact that if it's really important, they'll email me a second time. Wow.

C (28:23)

Do you put in your out of office message? You know, if you want me to respond back to you, email me. I'll be back on like say, you know, the third tense or whatever. Email me then. Because otherwise you're, I'm just not going to see it.

B (28:36)

Yes, I do. Yes, I put, I put the work on them. I don't have time to go through a thousand emails when I get back from vacation. I'm exhausted from vacation.

A (28:45)

Yeah. When my husband listens to this episode, he's going to be like, Selena, you need to do what Dave does. Do that.

B (28:51)

He's right. He's phone now.

A (28:53)

Yeah, yeah. You remember what Dave said on the.

B (28:56)

Podcast, Selena, you don't have to reply right now. You don't have to reply.

A (29:00)

Nope. Nope.

B (29:10)

All right, well, big picture solutions here. I mean the top level recommendations, what should organizations be doing to protect themselves against these things? Selena?

A (29:19)

Yeah, so when it comes to, you know, direct send, obviously you can reject direct send, definitely enforce email authentication. So spf, dkim, dmarc, these things that are really critical not just for direct sent abuse, but within email abuse and email phishing campaigns. Of course, in general, using some sort of email fraud defense or email protection can be very, very helpful. But really, like, I feel like when it comes down to the abuse of legitimate services, sometimes it's just like, don't, don't let those services be abused. You know, like when we're talking about Click Fix, disabling PowerShell for organization for like users that don't need it, you know, like most people don't need to just Command our run PowerShell on their host. So things like that are components. It does take a little bit of effort. And you do need to say, is this something we can do? You have to do an asset inventory. You have to understand your own business processes and what people are using for what purpose. Because sometimes when you just block everything it can really disrupt business critical functions. Like anything else in security, you do need to have a knowledge and understanding of how the business operates before you just, you know, block all IPs from China.

B (30:35)

Right, right.

C (30:36)

The other thing is just like, you know, how we saw the correlation from the Phish kit being released on the underground to it being actively used. Again, you need to have visibility in what the threat actors are doing. You need to have that threat intelligence to see what's being talked about out there in the underground and seeing the new types of tools that are going to be out there. And then, because this is a, this is a great case in point where if you're following, you know, exploit in, and you know, you see this new fishing kit that gets released that's doing something very unique, chances are you're going to start seeing that being adopted in the months following that, and then you can kind of get out ahead of that so that when you see that first, you know, a device code fish, then you're already ahead of the game. So making sure that that intelligence drives operations.

A (31:26)

Yeah, yes. That's actually a great point. And you know, maybe we could just even have a podcast talking about operationalizing your intelligence, because it's not. Intelligence without actionable takeaways is just information. Yes, right. But yeah, looking at, looking at those patterns, I mean, Keith, I'm sure you see a ton with your job of like threat actors saying, oh, look at this new thing I have. And then it just explodes.

C (31:49)

Absolutely, absolutely. That could be a good topic for sure.

B (31:53)

I feel as though I'm curious what the two of you think of this. I feel as though as the threat actors grow more and more sophisticated and more specialized in their approaches, that in some ways the solutions are becoming less and less satisfying. Does that make sense? Well, right. Like if the, it's kind of like, hey, document, my, my elbow hurts when I do this. And the doctor says, well, don't do that. Like, that's not, you know, that's not satisfying. But yet with a lot of these things, that seems to be where we are.

A (32:31)

Well, to Keith's point earlier though, I think that's a direct result of us doing those things. Right. So, like disabling macros by default. So it used to be right, like macro enabled documents were ever everywhere. And like, it was like if macros are enabled. So it's like you just had to block macros, like, don't enable macros. And then when Microsoft did that, it just like completely shifted the landscape and forced all this behavioral change. Same With MFA phishing. Right. So it's like, okay, well, don't not use MFA phishing. So now we have, MFA phishing is the norm. And so now threat actors have to adapt. So I think a lot of these things are a direct result of it, of us doing the basics and saying that this is, you know, this is how you, this is how you prevent this exploitation. But the basics, the bar for the basics, I think has increased. So it used to be MFA everywhere solves account takeover. That's not true anymore. Now you have multiple different ways that attackers are using techniques for account takeover. And so each one of those doors has to be locked. Not just the MFA door has to be locked. So I think that, that, that's part of it, but I also think that attackers are just getting a lot more creative and are, are finding a lot more unlocked doors and just new ways into organizations. Now they're coming in from the chimney is like.

C (33:58)

Yeah, yeah, you're, you're always going to get a reaction to what we do, you know, whether that be, you know, what we do as defenders or what we, you know, reactions to law enforcement takedowns. Bad guys aren't going to just say, ah, you got me, I'm going to go, you know, sell hot dogs or something. You know, they're going to continue to come up with new ways and collaborate, just like we collaborate to come up with new techniques in order to make money. Because really, at the end of the day, it's about money and information that they want and that's never going to go away.

A (34:32)

Yeah, I think there's always been this idea of basic cyber hygiene. Takes out a lot of the low hanging fruit for threat actors.

C (34:41)

No doubt.

A (34:42)

Yeah. And now there's just like more hygiene required.

B (34:49)

Well, all the threat actors are wearing drywall stilts now so they can reach more of the fruit.

A (34:58)

Yes, they're climbing. They are climbing up. Exactly. Yeah, right. How many metaphors can we squeeze into this podcast?

B (35:05)

Oh, all of them. I have an endless list.

A (35:15)

We will be right back after this quick break.

B (35:26)

Keith, enjoy your trip. I'm gonna go, go hang out in my Unabomber shack in the woods and hide from everyone, because to me, that's the only thing that's gonna work these days.

A (35:38)

And I'm gonna manifest Dave's method the next time I am on vacation.

C (35:43)

Yeah, I'll be thinking about you guys as I'm underneath a palm tree drinking a punch rum drink or something like that.

B (35:53)

You enjoy yourself.

A (35:54)

Enjoy. Well, thank you both for letting me talk about things that I find very interesting. I'm always fascinated by social engineering paired with the abusive legitimate services because it does just keep changing and threat actors are getting a lot more creative. So it's been very fun to to chat about this, to learn more about this as I go as well on my research journey. To all our listeners, we hope you took something away and the next game of Jeopardy. That you watch will have the answer for what is DirectSend. Thanks for tuning in. We'll see you next time.

B (36:30)

See you next time.

C (36:32)

See you next time.

A (36:33)

And that's only Malware in the Building Brought to you by N2K CyberWire in a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuths, we're unraveling the mysteries of of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you ahead in the ever evolving world of cybersecurity. If you like the show, please share a rating and review in your favorite podcast app. This episode was produced by Liz Stokes, mixing and sound design by Trey Hester with original music by Elliot Peltzman. Our Executive Executive producer is Jennifer Ibin. Peter Kilby is our publisher.

B (37:28)

Thank you to ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. For sponsoring only malware in the building, visit threatlocker.com.