@danielcabaniel @CyberAmyntas discussing email phishing and mail server attack trends
#FireEyeSummit
![](https://pbs.twimg.com/media/Dom6f87W0AE2UjJ.jpg)
Subsequently staged data theft files on the Exchange server as .png files and downloaded from the server.
#FireEyeSummit
![](https://pbs.twimg.com/media/Dom8KIFU8AE7i4q.jpg)
#FireEyeSummit
![](https://pbs.twimg.com/media/Dom9AvdVAAA_ofT.jpg)
Screenshot is of a Canadian phone number accessing 2FA. Organization didn't have any presence in Canada.
#FireEyeSummit
![](https://pbs.twimg.com/media/Dom94NYW0AU_huW.jpg)
"This has been patched but we still see it leveraged b/c most orgs haven't applied patch"
Just by obtaining user email creds you can get code execution on victim machine using something like a COM scriptlet #DailyScriptlet
#FireEyeSummit
![](https://pbs.twimg.com/media/Dom_Em-XkAAFLiL.jpg)
#FireEyeSummit
![](https://pbs.twimg.com/media/DonAduLXgAYcCjJ.jpg)