Christopher Glyer (@cglyer), 10 tweets
"You've Got Mail"

@danielcabaniel @CyberAmyntas discussing email phishing and mail server attack trends

#FireEyeSummit
APT34 compromised a trusted partner org - and used that to abuse trust (convinced user to enable macros) and successfully phish victim

Subsequently staged data theft files on the Exchange server as .png files and downloaded from the server.

#FireEyeSummit
C-level credential phished while on vacation - APT34 used account access to phish entire company. Even though infosec team blocked URL on web proxy - employees switched to guest wi-fi to access the URL.

#FireEyeSummit
2FA is critical to protect internet facing logins...but it's not effective if attacker can register their own phone number to receive 2FA.

Screenshot is of a Canadian phone number accessing 2FA. Organization didn't have any presence in Canada.

#FireEyeSummit
Outlook Ruler/homepage persistence FTW!

"This has been patched but we still see it leveraged b/c most orgs haven't applied patch"

Just by obtaining user email creds you can get code execution on victim machine using something like a COM scriptlet #DailyScriptlet

#FireEyeSummit
Exchange servers have lots of default web-related files - so easy for attacker to blend in a web shell

#FireEyeSummit
A recent enhancement on web shells - dynamic web shells

#FireEyeSummit
Example of forwarding rules setup (commonly seen in business email compromise cases)

#FireEyeSummit
"To encourage the user to open the email - attacker calls a user directly. We've also seen it used to get a user's second factor token code" @danielcabaniel

#FireEyeSummit
This talk had too many knowledge bombs for me to keep up with the live tweeting. You should check out the video when we post it later.

#FireEyeSummit
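The forwarding-rule tweet above points at a pattern seen in business email compromise cases. As an added example (not from the thread or the talk), the Python below flags mailbox rules with that shape over a few constructed records; the field names approximate a subset of Exchange's Get-InboxRule output and are assumptions, as is the list of folders treated as hiding places.

```python
from dataclasses import dataclass, field

# Rarely opened folders; rules routing mail there hide attacker-started threads.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history"}  # assumption

@dataclass
class InboxRule:
    """Subset of Get-InboxRule fields; attribute names here are assumptions."""
    mailbox: str
    name: str
    enabled: bool
    forward_to: list = field(default_factory=list)   # SMTP addresses
    redirect_to: list = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""

def external_addresses(addresses, internal_domains):
    """Return the addresses whose domain is not one the organisation owns."""
    internal = {d.lower() for d in internal_domains}
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in internal]

def flag_suspicious_rules(rules, internal_domains):
    """Return (mailbox, rule name, reason) tuples for enabled rules worth review."""
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        targets = r.forward_to + r.redirect_to
        ext = external_addresses(targets, internal_domains)
        if ext:
            findings.append((r.mailbox, r.name, f"forwards/redirects to external {ext}"))
        if targets and r.delete_message:
            findings.append((r.mailbox, r.name, "forwards and deletes the original"))
        if r.move_to_folder.lower() in HIDING_FOLDERS:
            findings.append((r.mailbox, r.name, f"hides mail in '{r.move_to_folder}'"))
    return findings

# Constructed sample records, not real data.
SAMPLE_RULES = [
    InboxRule("cfo@example.com", "..", True,
              forward_to=["acct.review@mail-example.net"], delete_message=True),
    InboxRule("alice@example.com", "Newsletters", True, move_to_folder="Newsletters"),
    InboxRule("bob@example.com", "Vendor", True, redirect_to=["partner@example.com"]),
    InboxRule("carol@example.com", "old", False, forward_to=["me@mailbox.example"]),
]

if __name__ == "__main__":
    for hit in flag_suspicious_rules(SAMPLE_RULES, ["example.com"]):
        print(hit)
```

Only the CFO's rule is reported (twice: external forward, and forward-plus-delete); the internal redirect, the benign move and the disabled rule are skipped.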