Categories
Cybersecurity Advisories

Phishing Campaigns Exploit Trusted MS Infrastructure

Threat actors are orchestrating highly targeted phishing campaigns that exploit Microsoft 365’s own trusted infrastructure to bypass traditional email security tools. Leveraging legitimate Exchange Online IPs and services like SharePoint, OneDrive, and Office 365-branded login portals, these campaigns are particularly effective at evading detection and deceiving end-users.

Key Tactics Observed Across Campaigns

Abuse of Microsoft IP Space

Attackers are sending phishing emails directly from compromised or attacker-owned Microsoft 365 tenants, making the emails appear legitimate to email security gateways and email filters. Since these emails originate from Microsoft’s IP ranges and pass SPF, DKIM, and DMARC, they’re often automatically trusted.

Use of Microsoft Services in Payload Delivery

Phishing emails frequently include links to:

  • SharePoint-hosted documents with embedded phishing links
  • OneDrive URLs leading to weaponized files or credential-harvesting sites
  • Office 365 login pages that look pixel-perfect but harvest credentials

These links are hosted on Microsoft domains, which makes them especially hard to detect and block. URLs such as 1drv.ms, sharepoint.com, and *.onmicrosoft.com are widely seen in these campaigns.

Targeting and Credential Theft

The campaigns are increasingly targeting high-value users—like executives, financial officers, and IT administrators. Once credentials are harvested, attackers often:

  • Pivot within the organization
  • Launch internal phishing using trusted email threads
  • Access sensitive data or set up OAuth apps for persistent access

Campaign Variants Identified

  • “Fax” or “Voicemail” notifications leading to credential harvesting pages
  • “Encrypted document” or “shared invoice” baits, hosted on SharePoint
  • OAuth abuse where victims grant permissions to malicious apps that maintain access without re-authentication

Why This Works So Well

  • Microsoft infrastructure is trusted by default in many organizations
  • Authentication headers are valid (SPF, DKIM, DMARC all green)
  • URL scanning often skips known-good domains
  • Users are trained to trust Microsoft-branded emails

What Organizations Should Do

Harden Microsoft 365

  • Enable Safe Links and Safe Attachments
  • Use Mail Flow (Transport) Rules to flag external use of Microsoft domains
  • Configure Defender for Office 365 with aggressive anti-phishing and impersonation policies

Educate End Users

  • Provide real-world examples of SharePoint/OneDrive abuse
  • Train users to treat “legitimate-looking” Microsoft prompts with caution
  • Highlight red flags like unexpected MFA requests or login prompts after clicking shared files

Monitor for Suspicious OAuth Activity

  • Review App registrations and third-party app consent
  • Enable consent governance policies and block risky app behaviors

Leverage Threat Intelligence & Hunting

  • Monitor Microsoft logs for anomalous login patterns
  • Watch for emails with links to sharepoint.com, onmicrosoft.com, or 1drv.ms
  • Utilize advanced hunting queries in Defender or Sentinel

These attacks demonstrate that relying solely on default trust settings is no longer a viable security strategy. Organizations must fundamentally shift their mindset, treating even familiar Microsoft services with a degree of skepticism. A proactive approach, combining technical controls with user awareness, is essential to effectively defend against these sophisticated and rapidly evolving phishing tactics.

Categories
Ransomware Social Engineering

Social Engineering Threat Actor Tactics for Data Exfiltration and Ransomware

Threat actors are increasingly employing social engineering tactics to circumvent standard security controls, enabling unauthorized data exfiltration for ransom and extortion. Conventional security configurations, including antivirus and endpoint detection and response (EDR) systems, often fail to detect or prevent these attacks due to their reliance on legitimate tools and human interaction. The primary methods observed are phishing emails and pretext phone calls impersonating technical support.

Tactics, Techniques, and Procedures (TTPs)

  1. Initial Contact
  • Phishing Email Variant: An email is sent to an executive or staff member’s work or personal account, claiming a significant unauthorized charge to their bank account or credit card. It includes a phone number to dispute the charge.
  • Phone Call Variant: A threat actor cold-calls the target, posing as technical support personnel addressing a fabricated issue.
  1. Engagement
  • When the target calls the provided number or answers the call, the threat actor impersonates a legitimate representative (e.g., bank support or IT staff). They offer to resolve the issue by requesting remote access to the target’s computer under the guise of “fixing” a nonexistent problem.
  1. Remote Access Execution
    • The threat actor directs the victim to a legitimate remote assistance website (e.g., hosting tools like AnyDesk or TeamViewer).
    • The victim initiates a remote support session, granting the threat actor control over the system. While the victim can observe overt actions, background processes remain hidden.
  1. Reconnaissance and Tool Deployment
    • The threat actor identifies mapped drives or file storage locations on the system.
    • Self-contained, non-malicious executables (e.g., WinSCP, FileZilla) are downloaded. These open-source tools require no elevated privileges and typically evade detection by standard security controls.
  1. Data Exfiltration
  • Using the deployed tools, the threat actor transfers files from identified locations to an external server.
  • Transfer rates depend on bandwidth; a 1 Gbps connection can exfiltrate approximately 450 GiB per hour. Prolonged sessions maximize data theft.
  1. Post-Exfiltration Actions
  • The threat actor analyzes exfiltrated data for sensitive or regulated content (e.g., case files, SSNs, financial records).
  • Within 1–2 weeks, multiple staff recipients receive a ransomware demand email containing proof of compromise (e.g., file snippets, directory trees) and a negotiation request.

#### Example Ransomware Demand ####

Below is an anonymized excerpt from a recent demand email: 

Subject: Data Breach Notification – Immediate Action Required 

Greetings, 

We have compromised the [ORGANIZATION NAME] database, exfiltrating over 10 GB of proprietary and confidential data, including case files, client SSNs, passports, immigration documents, and tax forms (W-9, W-4, 8879). Attached screenshots and a file tree substantiate our claims. 

We are a sophisticated threat group with established platforms for data exposure. However, we propose returning your data upon reaching a financial agreement. In return, we offer: 

– Complete data deletion from our servers with video evidence. 

– Confidentiality of communications. 

– Security recommendations to remediate exploited vulnerabilities. 

Respond to this email to negotiate. Failure to engage within 3 days will result in: 

  1. Notification of your clients with evidence of the breach.
  2. Public disclosure on our website and affiliated media channels.
  3. Encouragement of client litigation against [ORGANIZATION NAME] for data loss.

Law enforcement cannot assist; we operate beyond their jurisdiction. Reply promptly to review the full scope of exfiltrated data and initiate resolution. 

[Attached: Screenshots, File Tree] 

#### End of Example ####

Prevention Measures 

This attack vector requires full human cooperation, making user awareness the primary defense: 

  1. Education Initiatives
  • Social Engineering Awareness: Train staff to recognize panic-inducing tactics and verify claims independently before acting.
  • Technical Support Protocols: Establish and enforce procedures for validating IT support requests through internal channels.
  • Billing Dispute Handling: Instruct staff to contact financial institutions directly for charge disputes, avoiding unsolicited contacts.
  • Incident Reporting: Define clear reporting pathways for suspicious interactions.
  1. Technical Controls
  • Least Privilege Access: Restrict file access to job-essential data, minimizing exposure despite challenges in law firm environments.
  • Session Timeouts: Implement timeouts for remote access sessions (active/inactive) to disrupt prolonged file transfers.
  • Application Control: Limit the applications that can run on your systems to only those that are necessary for business functions.
    • We recommend a two-phased approach to application control: starting with the easier lift of Blocklisting via EDR, then moving to the more comprehensive Allowlisting via Microsoft GPO or dedicated software when resources allow.
  • DNS Filtering: Block all DNS domains related to any non-approved Remote Monitoring and Management tools.

𝗟𝗲𝗮𝗿𝗻 𝗺𝗼𝗿𝗲 𝗮𝗻𝗱 𝘁𝗮𝗸𝗲 𝗮𝗰𝘁𝗶𝗼𝗻:

✔️Download our𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗜𝗻𝗶𝘁𝗶𝗮𝘁𝗶𝘃𝗲𝘀: 𝗬𝗼𝘂𝗿 𝗕𝗹𝘂𝗲𝗽𝗿𝗶𝗻𝘁 𝘁𝗼 𝗗𝗲𝗳𝗲𝗻𝘀𝗲-𝗜𝗻-𝗗𝗲𝗽𝘁𝗵” guide and enhance your security posture today:

Detection Strategies 

Standard security tools (e.g., antivirus, EDR) are ineffective against this attack due to their use of legitimate software. For organizations with mature security operations: 

  • Maintain an updated software inventory.
  • Implement continuous monitoring to detect and respond to unauthorized activities promptly.
    • Managed Detection and Response services can provide greater visibility over stand-alone antivirus or even EDR products by themselves
    • These services can also help you implement Application Blocklisting through EDR, specifically targeting Living off the Land Binaries and Remote Monitoring and Management tools that are known to be associated with published Threat Actor activity.

Incident Response Preparation 

  • Pre-Incident Planning: Conduct regular incident response tabletop exercises with stakeholders (e.g., IT, legal, management) to define roles and strategies.
  • External Coordination: Engage breach counsel, incident response teams, and cyber insurance providers in advance to streamline response efforts.
  • Ransomware Payment Considerations: For guidance on ransom payment decisions, refer to expert analyses (e.g., “Do I Pay the Ransom?” by SecurIT360).

Conclusion 

This attack exploits human vulnerabilities and legitimate tools to bypass technical defenses, targeting an organization’s sensitive data. Combining robust user education, access controls, and proactive detection can mitigate risk. Preemptive response planning is critical to managing incidents effectively.

Categories
Compliance

Navigating the Future: Embracing NIST’s AI Risk Management Framework

Artificial intelligence (AI) is no longer a futuristic concept but a present-day reality reshaping industries across the board. As a vCISO, I’ve witnessed firsthand the transformative power of AI and the accompanying challenges it brings. One such challenge is effectively managing the risks associated with AI deployment. Enter the National Institute of Standards and Technology’s (NIST) AI Risk Management Framework (AI RMF), a pivotal tool designed to guide organizations in harnessing AI responsibly and securely.

Why AI Risk Management Matters

AI technologies offer unprecedented opportunities—from enhancing cybersecurity defenses to driving operational efficiencies. However, with these opportunities come significant risks, including data privacy concerns, biases in responses, and the potential for unintended consequences. Organizations may face regulatory penalties, reputational damage, and operational disruptions without a structured approach to managing these risks.

NIST’s AI RMF addresses these concerns by providing a comprehensive framework that helps organizations identify, assess, and mitigate AI-related risks. It serves as a roadmap for integrating AI safely into business processes, ensuring that innovation does not come at the expense of security and trust.

Understanding the NIST AI Risk Management Framework

At its core, the NIST AI RMF is designed to be flexible and adaptable, catering to organizations of all sizes and industries. The framework is built around four primary functions: Govern, Map, Measure, and Manage. Let’s delve into each of these components to understand how they contribute to effective AI risk management.

  1. Govern

Governance is the foundation of the AI RMF. It involves establishing policies, procedures, and oversight mechanisms to guide AI development and deployment. Effective governance ensures that AI initiatives align with an organization’s values, ethical standards, and regulatory requirements.

Key Elements:

    • Leadership Commitment: Senior management must champion AI governance, fostering a culture that prioritizes responsible AI use.
    • Policy Development: Clear policies outlining acceptable AI practices, data usage, and accountability measures are essential.
    • Stakeholder Engagement: Users are not the only stakeholders; a diverse group, including legal, compliance, and technical teams, ensures comprehensive oversight.
  1. Map

Mapping involves understanding the AI system’s context, including its intended use, operational environment, and potential impact. This step requires a thorough assessment of where and how AI will be integrated into business processes.

Key Elements:

    • Use Case Identification: Clearly defining the AI applications, the sphere of information, and their objectives helps in assessing relevant risks.
    • Contextual Analysis: Evaluating the environment in which AI will operate, including external factors like market conditions and regulatory landscapes.
    • Stakeholder Mapping: Identifying all parties affected by the AI system, from end-users to third-party vendors.
  1. Measure

Measurement involves evaluating the AI system’s performance and associated risks. This involves technical assessments and ethical considerations to ensure the AI operates as intended without adverse effects and meets organizational goals.

Key Elements:

    • Risk Assessment: AI tools have unique potential threats alongside opportunities requiring vigilance for reducing vulnerabilities and overreliance.
    • Performance Metrics: Establishing benchmarks to monitor AI effectiveness, accuracy, and reliability.
    • Bias and Fairness Evaluation: Ensuring that AI decisions are equitable and do not perpetuate existing biases.
  1. Manage

Managing AI risks involves implementing strategies to mitigate identified risks and continuously monitoring the AI system’s performance. This is an ongoing process that adapts to new threats and evolving business needs.

Key Elements:

    • Mitigation Strategies: Developing and deploying measures to address identified risks, such as access to new data sources or bias correction algorithms.
    • Continuous Monitoring: Regularly reviewing AI performance and risk factors to detect and respond to issues promptly.
    • Incident Response Planning: Prepare for potential AI-related incidents by incorporating them into plans and procedures.

The Benefits of Adopting NIST’s AI RMF

Embracing the NIST AI RMF offers numerous advantages for organizations:

  • Enhanced Security Posture: Organizations can strengthen their security framework by systematically identifying and addressing AI risks.
  • Regulatory Compliance: The framework helps ensure that AI deployments meet current and emerging regulatory standards, reducing the risk of non-compliance penalties.
  • Trust and Transparency: Demonstrating a commitment to responsible AI use fosters trust among customers, partners, and stakeholders.
  • Operational Efficiency: Proactive risk management minimizes disruptions and overreliance, ensuring that AI systems contribute positively to business objectives.
  • Ethical AI Deployment: The framework promotes ethical considerations, helping organizations avoid biases and ensure fair AI outcomes.

Implementing the AI RMF: Practical Steps for Your Organization

Adopting the NIST AI RMF may seem daunting, but breaking it down into manageable steps can facilitate a smooth implementation:

  1. Assess Current AI Initiatives

Begin by evaluating existing AI projects to understand their scope, objectives, and potential risks. This initial assessment provides a baseline for applying the framework.

  1. Establish Governance Structures

Form a dedicated AI governance committee comprising representatives from key departments. Develop policies that outline AI usage guidelines, ethical standards, and accountability measures.

  1. Conduct Comprehensive Risk Assessments

Utilize the framework’s mapping and measurement functions to identify and evaluate risks associated with each AI initiative. This includes technical vulnerabilities and ethical considerations.

  1. Develop Mitigation Strategies

Based on the risk assessments, strategies can be implemented to address identified risks. This may involve technical solutions, process changes, or additional training for staff.

  1. Implement Continuous Monitoring

Set up systems for ongoing monitoring of AI performance and risk factors. Regular reviews and updates ensure that the AI systems remain secure and effective over time.

  1. Foster a Culture of Responsibility

Encourage continuous learning and awareness around AI risks and best practices. Providing training and resources empowers employees to engage with AI responsibly.

Real-World Applications and Success Stories

Many organizations have already begun leveraging the NIST AI RMF to bolster their AI risk management strategies. For instance, a leading financial institution integrated the framework to enhance its fraud detection systems. By systematically identifying potential biases and implementing robust security measures, they not only improved detection accuracy but also ensured compliance with stringent financial regulations.

A Legal industry client we work with has developed assessment tools for the numerous AI tools or existing solutions that are adding AI capabilities.  By leveraging elements of the NIST AI RMF into their processes, the firm has developed methods to integrate AI tools safely maintaining client confidentiality and ethical standards.

Similarly, a healthcare provider employed the AI RMF to manage risks associated with patient data analysis tools. Through rigorous governance and continuous monitoring, they safeguarded sensitive information while enhancing patient care outcomes.

These success stories underscore the framework’s versatility and effectiveness across diverse sectors, demonstrating its value as a cornerstone of responsible AI deployment.

Looking Ahead: The Future of AI Risk Management

As AI technologies continue to advance, so too will the complexity of associated risks, including opportunities. The NIST AI RMF is designed to evolve alongside these changes, providing a dynamic tool that adapts to new challenges and innovations. Organizations that embrace this framework today will be better positioned to navigate the AI-driven future with confidence and resilience.

At SecurIT360, we are committed to guiding our clients through the intricacies of AI risk management. By leveraging the NIST AI RMF, we help organizations not only protect their assets but also unlock the full potential of AI in a secure and ethical manner.

Conclusion

The integration of AI into business operations is inevitable, offering immense benefits alongside significant risks. NIST’s AI Risk Management Framework serves as a crucial guide for organizations striving to balance innovation with security and responsibility. By adopting this framework, businesses can navigate the complexities of AI deployment, ensuring that their AI initiatives are not only effective but also secure, ethical, and compliant.

As we stand on the brink of an AI-driven era, the importance of robust risk management cannot be overstated. Embracing the NIST AI RMF is a proactive step towards building a secure and trustworthy AI ecosystem, fostering a future where technology and security go hand in hand.

At SecurIT360, we are here to support your journey in AI risk management, providing expertise and solutions tailored to your unique needs. Let’s work together to harness the power of AI responsibly and securely, driving your business forward with confidence.