Hacking Humans – "When legit is the trick: Phishing’s sneaky new moves"
Podcast: Only Malware in the Building by N2K Networks
Date: February 3, 2026
Hosts: Dave (B), Selena (A), Keith (C)
Theme: Deception, influence, and social engineering in the world of cyber crime, with a focus on how threat actors exploit legitimate services to craft more convincing phishing attacks.
Overview
This episode explores the latest evolution in phishing: leveraging legitimate services and processes (particularly within Microsoft 365 ecosystems) to bypass traditional security awareness and defenses. The hosts break down cunning social engineering techniques such as device code phishing and abuse of "Direct Send" – both of which make malicious actions seem completely aboveboard. The energy is light and playful, but the insights are razor-sharp: the lines between safe and suspicious have never been blurrier, and both end users and defenders need to adapt quickly.
Key Discussion Points & Insights
1. Gamified Cold Open: Recognizing Malware ([00:17]–[01:44])
- The episode kicks off with a Family Feud-style game about signs of malware:
- Signs of malware: Sluggish computer, unexpected popups, changed homepages, antivirus alerts, unexplained webcam light.
- What malware steals: Top answers—money and passwords.
- Quote:
- Selena: "It suddenly gets really slow, like it's thinking about every bad decision it's ever made." ([00:50])
2. The Trend: Social Engineering + Abuse of Legitimate Services ([02:45]–[04:53])
- Threat actors are increasingly chaining together credible-sounding social engineering lures with technical tricks that exploit actual, trusted services.
- Examples: Device code authentication attacks, leveraging “Direct Send” in Microsoft 365.
- Quote:
- Dave: "Social engineering is the easy way to get around technical solutions. If I can trick you into doing something... you're not dumb, you're human." ([04:08])
3. Deep Dive: Device Code Phishing Attacks ([05:49]–[14:20])
What is Device Code Phishing?
- Threat actors exploit Microsoft OAuth device authentication flows.
- Common scenario: The victim receives a seemingly legitimate email from HR or company communications about pay raises or benefits, with a link or QR code.
- The QR code initiates the real Microsoft device code authentication process, which people recognize from setting up TVs or apps.
- Once the victim enters the code and completes the sign-in, the attacker receives the resulting authentication tokens; no password ever changes hands.
Why Is It So Effective?
- All the visual and technical cues are legitimate:
- Real Microsoft URLs, actual authentication prompts, and expected login flows.
- Keith: "We’ve been saying all this time, make sure you use MFA, but now... this is MFA, because you’re getting your device code." ([08:40])
- Red team tools like Squarefish, originally built for security testing, have been adapted and scaled by cybercriminals. The public release of tools like Graphfish contributed to a surge in such attacks.
Notable Moment:
- Selena: "Social engineering really plays a role here, right? Like you have to craft a good and believable lure that makes someone think, okay, I should engage with this." ([07:14])
- Keith: "Squarefish 2 is really that on steroids. It's scalable phishing, it's high automation, low skill, so low entry level, high volume capabilities and just more widespread adoption... the red teamers may have been the ones that kind of let the criminals know that, hey, this is a new way how you could phish." ([11:03])
Timeline of Adoption
- Surge in attacks after public release of Graphfish (Russian forum Exploit, Summer 2025), with widespread use picking up in the fall.
- Selena: "Stick around after the break." ([13:44])
4. Defense & End-User Training ([16:05]–[19:02])
Defensive Limitations
- Password managers can’t help, since attackers target authentication tokens (not passwords) via legitimate flows.
- Best technical mitigation: Block device code authentication for users who don’t need it; enforce conditional access policies and restrictive allowlists (IP addresses, applications, OS).
- Emphasize user training: Recognize social engineering and know not to provide device codes or credentials in response to unexpected prompts.
Human Verification
- Double-check sensitive requests (especially from HR or finance) through a second channel: Teams, chat, phone, etc.
- Selena: "If you get an unsolicited email from someone ... ping them on Teams ... just double-check and verify no matter what." ([19:02])
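The mitigation above (allow the device code flow only for the accounts and networks that need it) is easier to enforce when you can also see who is using that flow. The following added example is not from the podcast or from Microsoft: it triages sign-in records shaped like the Microsoft Graph signIn resource (the `authenticationProtocol` field carries the value `deviceCode` for this flow) against an allowlist of users and egress networks, and applies a simple burst heuristic. The allowlist, the network ranges, the sample records and the burst threshold are all constructed for the demonstration.

```python
"""Triage Entra ID sign-in records for device code authentication flows.

Added example (not the podcast's or any vendor's code). Records are in the
shape of the Microsoft Graph `signIn` resource; the allowlist, networks
and sample records below are constructed for the demo.
"""
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed policy: which accounts may use the device code flow, and from where.
ALLOWED_DEVICE_CODE_USERS = {"conference-room@example.com"}   # e.g. a shared room device
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # office egress (TEST-NET-3)

# Constructed sample records (field names mirror the Graph signIn resource).
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2026-02-03T14:02:11Z", "userPrincipalName": "conference-room@example.com",
     "ipAddress": "203.0.113.40", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-03T14:05:50Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-03T14:06:02Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.12", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-03T14:07:30Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50058}},
])


def in_allowed_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def triage_device_code_signins(raw_json: str) -> list[dict]:
    """Return findings for device-code sign-ins that violate the policy.

    A record is flagged when the protocol is deviceCode and either the user
    is not allowlisted or the source IP is outside the allowed networks.
    Failed attempts (non-zero errorCode) are reported too: victims who
    started the flow but did not finish it still indicate a lure in circulation.
    """
    findings = []
    for rec in json.loads(raw_json):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec.get("userPrincipalName", "")
        ip = rec.get("ipAddress", "")
        reasons = []
        if user not in ALLOWED_DEVICE_CODE_USERS:
            reasons.append("user not allowlisted for device code flow")
        if not in_allowed_network(ip):
            reasons.append("source IP outside allowed networks")
        if reasons:
            findings.append({
                "time": rec["createdDateTime"], "user": user, "ip": ip,
                "app": rec.get("appDisplayName"),
                "succeeded": rec["status"]["errorCode"] == 0,
                "reasons": reasons,
            })
    return findings


def bursts(findings: list[dict], window_minutes: int = 10, threshold: int = 2) -> list[tuple]:
    """Constructed heuristic: `threshold` or more flagged sign-ins inside one
    sliding window suggests a lure sent to many users, not one stray device.
    Returns (window_start, window_end) pairs as ISO strings."""
    times = sorted(datetime.fromisoformat(f["time"].replace("Z", "+00:00")) for f in findings)
    window = timedelta(minutes=window_minutes)
    out, i = [], 0
    for j, t in enumerate(times):
        while t - times[i] > window:
            i += 1
        if j - i + 1 >= threshold:
            out.append((times[i].isoformat(), t.isoformat()))
    return out


if __name__ == "__main__":
    hits = triage_device_code_signins(SAMPLE_SIGNINS)
    for h in hits:
        state = "success" if h["succeeded"] else "failure"
        print(f"{h['time']} {h['user']} from {h['ip']} ({h['app']}, {state}): {'; '.join(h['reasons'])}")
    print("bursts:", bursts(hits))
```

The two flagged records in the sample (a successful and a failed device-code sign-in from the same off-network address within two minutes) are exactly the pattern the hosts describe: ordinary users completing a real Microsoft flow they were never meant to use. In production the records would come from the sign-in log export rather than the embedded JSON, and the allowlist would be the same set of identities the Conditional Access policy exempts.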
5. Spotlight: Abuse of Microsoft Direct Send ([21:42]–[27:18])
What is Direct Send?
- A feature in Microsoft 365 permitting internal devices/apps (e.g., printers) to relay messages without authentication, to recipients within the organization.
- Threat actors are abusing Direct Send to make phishing emails look as though they come from inside the organization, making traditional external warning banners useless.
Social Engineering Angle
- Attacker-sent emails appear internal, are more likely to be trusted, and commonly use lures like HR updates, voicemails, or bonus notifications.
- Quote:
- Keith: "Again, you’re thinking that this is safe. You’re not seeing those red flags of it being an outside person... So you’re more than likely to be a little bit more trusting." ([23:48])
Technical Mechanics & Defense
- Attackers use virtual hosts and third-party email appliances to relay mail into Microsoft 365 tenants.
- Mitigation: Use mail flow rules to block unauthenticated relays; disable Direct Send if not in use; enforce email authentication (SPF, DKIM, DMARC).
- Quote:
- Selena: "If you’re not actively using Direct Send for business critical information, you can just reject direct." ([25:54])
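The point of the segment is that an unauthenticated relay lets a message claim an internal sender without any of SPF, DKIM or DMARC vouching for it, while a genuine printer doing the same thing is expected. The following added example is not from the podcast or from Microsoft: it reads the Authentication-Results header that Exchange Online stamps on inbound mail (the `spf=… (sender IP is …)` / `dkim=…` / `dmarc=…` layout), and flags messages that look internal but failed every check and did not come from a known relay device. The organisation's domains, the device allowlist and the three sample messages are constructed.

```python
"""Flag inbound mail that claims an internal sender but carries no authentication.

Added example (not the podcast's or Microsoft's code). It parses the
Authentication-Results header Exchange Online adds to inbound mail and
treats a message as suspected Direct Send abuse when the From: domain is
one of the organisation's own, SPF/DKIM/DMARC all failed or are absent,
and the connecting IP is not a known internal relay device. Domains, IPs
and messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}            # constructed tenant domains
KNOWN_RELAY_DEVICES = {"203.0.113.50"}   # constructed: the lobby multifunction printer

# Constructed sample messages (headers plus a one-line body).
SAMPLE_MESSAGES = [
    # 1: internal-looking HR lure relayed from an unknown host; every check failed
    "Authentication-Results: spf=fail (sender IP is 198.51.100.23) "
    "smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none; "
    "dmarc=fail action=none header.from=example.com\n"
    "From: HR Department <hr@example.com>\nTo: alice@example.com\n"
    "Subject: Updated bonus schedule - action required\n\nSee attached.\n",
    # 2: the real office printer using Direct Send from its allowlisted IP
    "Authentication-Results: spf=none (sender IP is 203.0.113.50) "
    "smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none; "
    "dmarc=none action=none header.from=example.com\n"
    "From: Lobby Printer <printer@example.com>\nTo: alice@example.com\n"
    "Subject: Scanned document\n\nAttached scan.\n",
    # 3: ordinary external mail that passes authentication
    "Authentication-Results: spf=pass (sender IP is 192.0.2.10) "
    "smtp.mailfrom=partner.example.org; dkim=pass (signature was verified) "
    "header.d=partner.example.org; dmarc=pass action=none header.from=partner.example.org\n"
    "From: Dana <dana@partner.example.org>\nTo: alice@example.com\n"
    "Subject: Invoice\n\nHello.\n",
]

_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
_IP_RE = re.compile(r"sender IP is ([0-9a-fA-F.:]+)")


def parse_auth_results(header: str) -> dict:
    """Extract the spf/dkim/dmarc verdicts and the connecting IP from the header."""
    results = {k: v.lower() for k, v in _RESULT_RE.findall(header)}
    ip_match = _IP_RE.search(header)
    results["ip"] = ip_match.group(1) if ip_match else None
    return results


def assess_message(raw: str) -> dict:
    """Classify one raw message; the verdict is only as good as the header,
    so this belongs on mail that has passed through the tenant's own inbound edge."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    looks_internal = from_domain in ORG_DOMAINS
    unauthenticated = all(auth.get(k) != "pass" for k in ("spf", "dkim", "dmarc"))
    known_device = auth.get("ip") in KNOWN_RELAY_DEVICES
    return {
        "from": addr,
        "subject": msg.get("Subject", ""),
        "ip": auth.get("ip"),
        "verdicts": {k: auth.get(k, "none") for k in ("spf", "dkim", "dmarc")},
        "suspected_direct_send_abuse": looks_internal and unauthenticated and not known_device,
    }


def suspicious_messages(raws: list[str]) -> list[dict]:
    return [a for a in map(assess_message, raws) if a["suspected_direct_send_abuse"]]


if __name__ == "__main__":
    for a in map(assess_message, SAMPLE_MESSAGES):
        flag = "SUSPECT" if a["suspected_direct_send_abuse"] else "ok"
        print(f"[{flag}] {a['from']} via {a['ip']} {a['verdicts']} :: {a['subject']}")
```

Only the HR lure is flagged: the printer is excused by its allowlisted IP, and the partner's mail is external and fully authenticated. The same three conditions map directly onto the mitigations the hosts list: publish and enforce SPF/DKIM/DMARC so the "unauthenticated" branch is rare, keep the device allowlist short so the exception stays small, and if nothing legitimately needs the unauthenticated path, reject Direct Send outright and the whole class of message disappears.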
6. Organizational Recommendations & Security Strategy ([29:10]–[34:41])
- Enforce email authentication and fraud detection mechanisms.
- Remove unnecessary services and permissions, e.g., disable PowerShell for non-essential users.
- Keep abreast of threat intelligence—follow underground trends to anticipate new attack methods.
- Quote:
- Selena: "You do need to have a knowledge and understanding of how the business operates before you just, you know, block all IPs from China." ([29:19])
- Keith: "You need to have that threat intelligence to see what’s being talked about out there in the underground... chances are you’re going to start seeing that being adopted in the months following that, and then you can kind of get out ahead of that." ([30:36])
7. Reflections: The Always-Shifting Threat Landscape ([31:53]–[34:41])
- Despite better training and defenses, attackers simply adapt—the "basics" of security are now different, and the bar is higher.
- Quote:
- Dave: "As the threat actors grow more and more sophisticated... solutions are becoming less and less satisfying." ([31:53])
- Selena: "The basics, the bar for the basics, I think has increased. So it used to be MFA everywhere solves account takeover. That’s not true anymore." ([32:31])
- Keith: "Bad guys aren’t going to just say, ‘ah, you got me, I’m going to go, you know, sell hot dogs or something.’ They’re going to continue to come up with new ways and collaborate, just like we collaborate." ([33:58])
Notable Quotes & Memorable Moments
- "If someone asks you for your device code, say no. If someone's asking you for username and password, say no. Keep it secret, keep it safe." — Selena ([18:31])
- "[Attackers] are climbing up... all the threat actors are wearing drywall stilts now so they can reach more of the fruit." — Dave ([34:49])
- “In some ways the solutions are less and less satisfying... The doctor says 'well don't do that.'” — Dave ([31:53])
- "Escaping into the woods or without Internet: 'throwing in the towel.'" — Selena ([21:07])
- "Operationalizing your intelligence... if your intelligence doesn't have actionable takeaways it’s just information." — Selena ([31:26])
Important Segment Timestamps
- [00:17] Family-Feud style malware symptoms and lures
- [04:08] Social engineering as a circumvention of technical controls
- [06:10] Device code phishing breakdown
- [08:40] Why device code phishing slips past traditional “phishing awareness”
- [11:03] Rise of criminal automation: Squarefish and Graphfish
- [13:44] Graphfish goes public, device code phish increases
- [16:05] Can password managers help? Why not
- [18:31] User training for device code phishing; “Keep it secret, keep it safe”
- [22:01] Microsoft Direct Send misuse for lookalike internal phishing
- [23:48] Loss of external tagging, increasing user trust
- [25:54] Technical fixes: disable unused services
- [29:19] Organizational best practices—don't blindly block, understand impact
- [30:36] Use intel to get ahead of criminal adoption curves
- [32:31] Defenders’ bar keeps moving up; attackers get more creative
Key Takeaways for Listeners
- Phishing is evolving: Sophisticated attacks exploit what we perceive as safe by leveraging trusted workflows and internal features.
- No more silver bullets: Solutions must now address the abuse of legitimate services, not just obvious “bad” indicators.
- Adapt, educate, restrict: User awareness needs to keep up, but so do enterprise defenses—restrict unneeded features, validate requests, and operationalize threat intel.
- Stay human—but stay cautious: Trustworthiness of digital cues is fading; verification and skepticism are your best defenses.
For anyone responsible for security—or just hoping to avoid being the “weakest link”—this episode is a wake-up call that the attacks of tomorrow are already exploiting our trust in today’s technologies.