@huskyhacks@infosec.exchange | Matt | HuskyHacks Profile picture
infosec's little brother | the blue teamer's red teamer | Principal Sec Researcher & Red Teamer | 🎯 OffensiveNotion co-dev | PMAT creator | Cosmo + Kiki's dad

Jan 18, 2022, 5 tweets

🧵Notion for malware delivery🦠

WhisperGate's Discord-CDN-hosted malware had me thinking: what other common desktop apps have similar file embed/retrieval capabilities?

How about my favorite notetaking app, Notion?

1- Embed your payload. I'm using a Covenant Grunt HTA

2- Running a web proxy of your choice, click to download the HTA you just embedded. Intercept this request and find the GET request to the AWS S3 resource for this file.

3- This link is now your phishing/social engineering method. Deck it out with tradecraft (shorten it, come up with a good pretext, get creative).

Once the target clicks on this link, you have a fileless payload delivery mechanism coming from a high-trust domain, S3 AWS.

4- 😈

good news, red teamers!

@NotionHQ's response to this was that this is intended functionality: a resource, regardless of access rights, is available to anyone for 24 hours if they have this link. So you now have an engine for unlimited high-trust (S3 AWS!) payload links.
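The link found in step 2 is an S3 pre-signed URL (SigV4 query-string form), and the 24-hour window Notion describes is not a property of the app but of the X-Amz-Expires value baked into the URL itself. The following is an added example, not code from the thread or from Notion or AWS: a Python helper that pulls pre-signed S3 URLs out of intercepted request lines (the kind a web proxy would log in step 2) and reads the bucket, object key, issuing access key and validity window from the query string, so both sides can check how long a given link actually lives. The log lines, bucket name, key, credential and signature values are constructed for the example and do not correspond to any real Notion resource.

```python
"""Find SigV4 pre-signed S3 URLs in request log lines and work out their validity window.

Added example; the sample log, bucket, key, credential and signature are constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, unquote, urlparse

# S3 endpoint hosts: virtual-hosted style (bucket.s3.region.amazonaws.com)
# or path-style (s3.region.amazonaws.com, legacy s3.amazonaws.com).
# The trailing $ rejects lookalikes such as s3.amazonaws.com.evil.example.
_S3_HOST = re.compile(
    r"^(?:(?P<bucket>[a-z0-9.\-]+)\.)?s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com$"
)

# Query parameters that every SigV4 pre-signed URL carries.
_REQUIRED = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
             "X-Amz-Expires", "X-Amz-Signature")

_AMZ_DATE = "%Y%m%dT%H%M%SZ"


def parse_presigned_s3(url):
    """Describe a pre-signed S3 URL, or return None if `url` is not one."""
    u = urlparse(url)
    if u.scheme != "https":
        return None
    m = _S3_HOST.match(u.netloc.lower())
    if not m:
        return None
    q = parse_qs(u.query)
    if not all(k in q for k in _REQUIRED):
        return None

    bucket = m.group("bucket")
    key = unquote(u.path).lstrip("/")
    if bucket is None:  # path-style: the first path segment is the bucket
        bucket, _, key = key.partition("/")

    issued = datetime.strptime(q["X-Amz-Date"][0], _AMZ_DATE).replace(tzinfo=timezone.utc)
    ttl = int(q["X-Amz-Expires"][0])  # lifetime in seconds, chosen by the signer
    return {
        "bucket": bucket,
        "key": key,
        "region": m.group("region"),
        "issued": issued,
        "expires": issued + timedelta(seconds=ttl),
        "ttl_seconds": ttl,
        # Credential scope is "<access-key-id>/<date>/<region>/s3/aws4_request".
        "access_key_id": q["X-Amz-Credential"][0].split("/")[0],
    }


def is_live(info, now_iso):
    """True if the link is still valid at `now_iso` (e.g. '2022-01-19T14:59:00Z')."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return info["issued"] <= now < info["expires"]


def find_presigned_s3_urls(log_lines):
    """Scan proxy/request log lines and return a record for each pre-signed S3 URL."""
    found = []
    for line in log_lines:
        for url in re.findall(r"https://\S+", line):
            info = parse_presigned_s3(url.rstrip("\"'"))
            if info:
                found.append(info)
    return found


# Constructed sample log: a virtual-hosted and a path-style pre-signed URL, plus noise.
SAMPLE_LOG = [
    "2022-01-18T15:00:01Z GET https://example-bucket.s3.us-west-2.amazonaws.com/"
    "abc123/payload.hta?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20220118%2Fus-west-2%2Fs3%2Faws4_request"
    "&X-Amz-Date=20220118T150000Z&X-Amz-Expires=86400&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=deadbeef 200",
    "2022-01-18T15:00:02Z GET https://www.notion.so/ 200",
    "2022-01-18T15:00:03Z GET https://s3.amazonaws.com/other-bucket/dir/file.bin"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAEXAMPLE%2F20220118"
    "%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220118T150003Z"
    "&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=cafef00d 200",
]

if __name__ == "__main__":
    for rec in find_presigned_s3_urls(SAMPLE_LOG):
        print(f"{rec['bucket']}/{rec['key']} valid {rec['issued']:%Y-%m-%d %H:%M}Z "
              f"to {rec['expires']:%Y-%m-%d %H:%M}Z ({rec['ttl_seconds']} s)")
```

On the red side this confirms the link's lifetime before it goes into a pretext; on the blue side the same parser, pointed at proxy logs, flags downloads of executable content (.hta, .exe, .js) from pre-signed S3 links, which is a narrower and more useful signal than "traffic to amazonaws.com".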
