Today, we’re sitting down with Rupert Marais, our in-house security specialist whose expertise spans everything from endpoint and device security to broad cybersecurity strategy and network management. We’ll be delving into the increasingly sophisticated world of phishing and business email compromise, exploring how threat actors are weaponizing trusted services to bypass our defenses. Our conversation will cover the anatomy of these multi-stage attacks, the critical steps needed for proper remediation beyond a simple password reset, and the deceptive new tricks attackers are using to fool even savvy users. We’ll also discuss the rise of real-time vishing kits and the next-generation defenses, like phishing-resistant MFA, that are becoming essential in this evolving threat landscape.
Attackers are using trusted services like SharePoint for initial phishing and then creating inbox rules to maintain persistence. Could you walk us through this multi-stage attack and explain why this “living-off-trusted-sites” tactic is so effective at bypassing traditional security? Please share some details on the steps involved.
It’s a really insidious tactic because it preys on the very fabric of modern collaboration. The attack begins with an email that doesn’t just look legitimate—it often is legitimate, sent from a previously compromised account within a trusted organization. This email masquerades as a standard SharePoint or OneDrive document-sharing notification. Because these services are ubiquitous in corporate environments, the recipient feels an immediate sense of familiarity and safety. There are no alarm bells ringing. The link they click leads to a convincing, but fake, credential prompt. Once the user enters their details, the attacker doesn’t just get a password; they get the keys to the kingdom, including the session cookie. This is where they establish persistence. They immediately create inbox rules to automatically delete all incoming emails and mark them as read, effectively turning the user’s account into a ghost. The user is completely unaware that their account is now a launchpad for the next stage of the attack.
When dealing with an adversary-in-the-middle attack, simply resetting a password is often insufficient. Can you explain why that is, and detail the critical, step-by-step process an organization must follow to fully revoke attacker access and remove their persistent foothold from a compromised account?
This is a critical misunderstanding that can lead to reinfection. People think, “I’ve changed the lock,” but they don’t realize the intruder is already inside and has made a copy of the key. When an attacker captures a session cookie through an AitM attack, they have an active, authenticated session. Changing the password doesn’t necessarily invalidate that session token. So, the first and most crucial step is to work with your identity provider to forcefully revoke all active session cookies for the compromised account. This kicks the attacker out immediately. Next, you have to undo their persistence mechanisms. This means a thorough audit of the account’s settings, specifically deleting any suspicious inbox rules the attacker created to hide their activity. Finally, you must review any changes made to multi-factor authentication methods. We’ve seen attackers enroll their own devices, giving them a way back in. Only after revoking sessions, deleting rules, and verifying MFA settings can you be confident the account is truly secure.
We’re seeing custom phishing kits used in voice phishing, or “vishing,” campaigns. How do these kits enable an attacker to control a user’s browser in real-time during a phone call, and what specific actions can they trick a user into taking to bypass MFA?
These vishing kits are terrifyingly effective because they combine sophisticated tech with classic social engineering. The attacker, posing as tech support, gets the target on the phone and directs them to a phishing site. This isn’t just a static page; the kit uses client-side scripts that give the attacker a live dashboard, allowing them to control what the user sees in their browser in perfect sync with the conversation. The attacker can say, “Okay, you should now see the login page,” and make it appear. After the user enters their credentials, the attacker relays them to the real site, triggering an MFA prompt. On the phone, they’ll say, “A security code was just sent to your phone for verification. Can you please approve it?” The user, believing they’re on a legitimate support call, approves the push notification or reads back the one-time password. The attacker, in real-time, uses that to complete the login. They essentially puppeteer the user through the entire authentication process, defeating any MFA that isn’t truly phishing-resistant.
Threat actors are using visual deception in URLs, such as placing a trusted domain before an “@” symbol or using homoglyphs like “rn” for “m”. Can you describe how each of these tricks works to fool a user and what makes them particularly dangerous for well-known brands?
These are clever tricks that exploit both how browsers work and how our brains process information. The first method uses the old Basic Authentication URL format. An attacker will craft a URL like microsoft.com:login@malicious-site.com. A user quickly glancing at this sees the familiar, trusted microsoft.com at the beginning and assumes it’s safe. However, the browser interprets everything before the “@” symbol as user credentials for the real domain, which is the malicious one after the “@”. The second trick, the homoglyph attack, is pure visual sleight-of-hand. By replacing the letter “m” with “rn,” which look nearly identical in many fonts, they create domains like rnicrosoft.com or rnastercard.de. This is especially dangerous when used in common service words like “confirmation” or “member,” as our brains are conditioned to skim these terms and automatically correct the visual discrepancy. For major brands, this is a nightmare because it erodes the trust users place in their digital presence.
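As an added illustration that is not part of the interview, the following Python check models both URL tricks described above from a defender's side: it reports the host a browser will really connect to when a trusted name is placed before "@", and it detects the "rn" for "m" homoglyph against a constructed list of protected domains (the list and the confusable table are assumptions, not something the interview provides).

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed list of brand domains to protect (assumption: in practice this
# comes from the organisation's own brand and partner inventory).
PROTECTED_HOSTS = ("microsoft.com", "mastercard.de")

# Visually confusable sequences; only the "rn" -> "m" swap from the interview is modelled.
CONFUSABLES = {"rn": "m"}


def _split(url: str):
    """Parse the way a browser would: assume http:// when no scheme is given."""
    return urlsplit(url if "://" in url else "http://" + url)


def _under(host: str, domain: str) -> bool:
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def real_host(url: str) -> str:
    """The host the browser actually connects to: the text after the last '@'."""
    return (_split(url).hostname or "").lower()


def userinfo_decoy(url: str) -> Optional[str]:
    """Return the RFC 3986 userinfo when it looks like a domain name, else None.

    Everything before '@' is username/password, not the destination, so
    'microsoft.com:login@malicious-site.com' shows a trusted name but connects elsewhere.
    """
    parts = _split(url)
    return parts.username if parts.username and "." in parts.username else None


def homoglyph_target(host: str) -> Optional[str]:
    """Return the protected domain that host imitates via confusables, if any."""
    host = host.lower()
    if any(_under(host, p) for p in PROTECTED_HOSTS):
        return None  # genuinely under a protected domain, e.g. learn.microsoft.com
    normalised = host
    for fake, real in CONFUSABLES.items():
        normalised = normalised.replace(fake, real)
    for p in PROTECTED_HOSTS:
        if normalised != host and _under(normalised, p):
            return p
    return None


def analyse(url: str) -> dict:
    """Summarise both deception tricks for one URL."""
    host = real_host(url)
    return {"host": host, "decoy": userinfo_decoy(url), "imitates": homoglyph_target(host)}
```

A link that yields a non-empty decoy or a non-None imitates value is the kind of URL worth blocking or rewriting before a user ever sees it.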
To defend against these complex threats, experts recommend implementing phishing-resistant MFA and continuous access evaluation. Could you explain what these controls are and provide a practical example of how they would work together to stop an attacker who has already stolen credentials and a session cookie?
These are the foundational pillars of modern identity security. Phishing-resistant MFA refers to methods, like FIDO2 security keys or certificate-based authentication, that bind the authentication process to a physical device. You can’t be tricked into approving a push notification from halfway across the world; you have to be physically present. Continuous Access Evaluation (CAE) is a dynamic process where the system is constantly re-evaluating if a user’s session is still valid. It looks for risk signals, like if the user’s IP address suddenly changes from New York to another country, or if they attempt a sensitive action from an unrecognized device. In your example, if an attacker stole credentials and a session cookie, CAE would detect that the session is now being used from a new, suspicious location and would immediately challenge for re-authentication or simply revoke the session. Even if the attacker tries to log in, phishing-resistant MFA would stop them cold because they don’t have the user’s physical security key. Together, they create a layered defense that is incredibly difficult to bypass.
What is your forecast for business email compromise attacks?
My forecast is that these attacks will become even more automated, personalized, and financially devastating. We’re moving away from generic, mass-emailed campaigns toward highly targeted, AI-assisted operations. Attackers will use AI to craft perfectly convincing emails, mimic writing styles of executives, and even generate deepfake voice notes to add legitimacy to their requests. The abuse of trusted platforms as a delivery mechanism will become the default method, making initial detection harder than ever. The focus will remain on exploiting the human element, but with a technological sophistication that raises the stakes significantly. Consequently, the defensive focus must shift from simply blocking bad emails to a zero-trust model centered on identity, where every access request is continuously verified and phishing-resistant authentication becomes the non-negotiable standard for all organizations.
