If your goal as a company is to stop attacks in their earliest stages, proactively hunting for things that your detection technologies have either missed or identify poorly is a necessity. And because network data can be an exceptionally strong source of truth, using it to hunt for initial access is an awesome way to cut down attacks before they can cause considerable damage. As a former threat researcher who regularly hunted across dozens of disparate customer environments, today I’ll share my favorite technique that helped to discover several attacks before they devastated our customers.
How They Got In
Phishing is one of the most common entry points into a company’s network, accounting for nearly 70% of known successful social engineering attacks in the last year (2022 Verizon Data Breach Investigation Report, figure 49, May 24, 2022). These attacks end up having a lot of variety in their ultimate goals – ransomware, corporate espionage, and monetary theft, just to name a few – but they share a number of characteristics which can be identified before they seriously impact your organization. Below we’ll walk through how to hunt for these similarities.
1. Identify an Anchor Point
It may sound obvious, but in order to click on a phishing email, a user needs to be actively browsing email. Using this as an anchor to start your search will drastically cut down on the noise and activity that you need to analyze. Understanding what that activity looks like in your network hunting platform varies, but one important step is to recognize which email service your organization uses. As an example, if you’re using Microsoft 365, you should see activity similar to the following:
Figure 1: Identifying Email Traffic
Finding long sessions to those domains with considerable back-and-forth communication is a good way to pinpoint active communication.
Now that you’ve identified users who are actively using email, it’s time to think about what phishing might look like for those users. While there are many ways to disguise links and load legitimate resources onto malicious websites, there are a few things that you can hunt for to help identify cases where a user visited and entered information into a malicious site. Note that finding any of the following activity (and especially when finding more than one) near active email sessions is worth deeper investigation.
If you don’t have a way to leverage global knowledge about sites, this step (spotting uncommon or mistrusted sites) may involve a lot of intuition and manual analysis. However, I wanted to include it because it is an important step in filtering down to possibly malicious activity. Attackers regularly take advantage of technologies, techniques, and sites that are not well-known in order to easily bypass common detection capabilities. This includes creating new sites specifically to be involved in an attack, compromising existing sites (Why Small Businesses Get Hacked?, June 12, 2020), as well as using legitimate cloud-hosting platforms that many technologies mistakenly blanket treat as trustworthy.
Figure 2: Uncommon and Mistrusted Sites
Whether or not you'll see Chrome autofill traffic depends on which browser a user prefers as well as their settings, though it’s the default behavior for Google Chrome. When a user loads a website that has any sort of input form, in the background Chrome will reach out to its autofill service (content-autofill.googleapis[.]com) and attempt to figure out which kind of data the form is requesting so that it can be automatically filled in.
Figure 3: Chrome Autofill Traffic
C2-like Communications Exist
When a user actually enters information into a website and hits submit, the information they’ve typed needs to be sent back to the attacker. This activity will often show up as a quick request and response with some site. Depending on how the attacker has set up their infrastructure, this site may be separate or the same as the original phishing portal.
Figure 4: Traffic to Credential Collection Site
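The steps above (anchor on active email sessions, then look nearby for uncommon sites, Chrome autofill traffic, and a quick request/response carrying the submitted data) can be run as one pass over flow records. The following is an added example that I wrote for this post; it is not NetworkSage code and not a product feature. It assumes flow records shaped like a Zeek conn.log row joined with the server name from SNI or the HTTP Host header, assumes a set of Microsoft 365 mail hostnames, uses in-environment prevalence (how many internal hosts contacted a site) as a stand-in for global site knowledge, and runs over constructed sample records. The thresholds, the `.example` domain and the addresses are all illustrative.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One session, in the shape of a Zeek conn.log row joined with the
    server name from SNI or the HTTP Host header (assumed input format)."""
    ts: float          # session start, epoch seconds
    src: str           # internal client address
    host: str          # destination server name
    duration: float    # seconds
    orig_bytes: int    # bytes the client sent
    resp_bytes: int    # bytes the server sent


# Assumed Microsoft 365 mail endpoints; swap in whatever your provider uses.
EMAIL_HOSTS = {"outlook.office.com", "outlook.office365.com", "outlook.live.com"}
# The autofill endpoint named in the post (defanged there, plain here).
AUTOFILL_HOST = "content-autofill.googleapis.com"


def find_email_anchors(flows, min_duration=60.0, min_bytes=20_000):
    """Step 1: long, bidirectional sessions to the mail provider mark a user
    who is actively reading email. Thresholds are illustrative."""
    return [f for f in flows
            if f.host in EMAIL_HOSTS
            and f.duration >= min_duration
            and f.orig_bytes >= min_bytes
            and f.resp_bytes >= min_bytes]


def site_prevalence(flows):
    """Distinct internal hosts per destination. A site seen from only one or
    two hosts is 'uncommon' here; this stands in for global site knowledge."""
    hosts_per_site = defaultdict(set)
    for f in flows:
        hosts_per_site[f.host].add(f.src)
    return {site: len(hosts) for site, hosts in hosts_per_site.items()}


def is_quick_exchange(f, max_duration=5.0, max_bytes=5_000):
    """A short request/response with a small payload each way: the shape of
    form contents being posted back to a collection site."""
    return (f.duration <= max_duration
            and 0 < f.orig_bytes <= max_bytes
            and 0 < f.resp_bytes <= max_bytes)


def hunt(flows, window=600.0, rare_max_hosts=1, min_signals=2):
    """Return {client: [signals]} for clients whose traffic during or shortly
    after an email session shows at least `min_signals` of the indicators."""
    prevalence = site_prevalence(flows)
    findings = {}
    for anchor in find_email_anchors(flows):
        low, high = anchor.ts, anchor.ts + anchor.duration + window
        nearby = sorted((f for f in flows
                         if f.src == anchor.src
                         and f.host not in EMAIL_HOSTS
                         and low <= f.ts <= high),
                        key=lambda f: f.ts)
        signals = set()
        form_loaded_at = None  # when Chrome's autofill lookup fired
        for f in nearby:
            if f.host == AUTOFILL_HOST:
                signals.add("chrome_autofill")
                if form_loaded_at is None:
                    form_loaded_at = f.ts
                continue
            if prevalence.get(f.host, 0) <= rare_max_hosts:
                signals.add("uncommon_site")
            # A quick exchange after a form was rendered looks like the typed
            # data leaving the browser, to the same site or a separate one.
            if (form_loaded_at is not None and f.ts > form_loaded_at
                    and is_quick_exchange(f)):
                signals.add("c2_like_submission")
        if len(signals) >= min_signals:
            findings[anchor.src] = sorted(signals)
    return findings


# Constructed sample records: one host follows the phishing pattern, one
# browses normally after email, others only supply prevalence data.
SAMPLE_FLOWS = [
    Flow(1000.0, "10.0.0.5", "outlook.office.com", 900.0, 80_000, 400_000),
    Flow(1950.0, "10.0.0.5", "account-verify.example", 12.0, 3_000, 60_000),
    Flow(1951.0, "10.0.0.5", AUTOFILL_HOST, 1.0, 900, 1_200),
    Flow(1990.0, "10.0.0.5", "account-verify.example", 0.4, 700, 300),
    Flow(1000.0, "10.0.0.7", "outlook.office.com", 600.0, 50_000, 300_000),
    Flow(1700.0, "10.0.0.7", "www.wikipedia.org", 30.0, 5_000, 200_000),
    Flow(500.0, "10.0.0.8", "www.wikipedia.org", 40.0, 4_000, 150_000),
    Flow(600.0, "10.0.0.9", "www.wikipedia.org", 20.0, 3_000, 90_000),
    Flow(100.0, "10.0.0.9", AUTOFILL_HOST, 1.0, 800, 1_000),  # no email anchor
]

if __name__ == "__main__":
    for client, signals in hunt(SAMPLE_FLOWS).items():
        print(f"{client}: {', '.join(signals)}")
```

Only 10.0.0.5 surfaces: a rarely seen site, an autofill lookup, then a sub-second exchange with that same site after the form loaded. 10.0.0.7 loaded a site many other hosts also use, so it produces no signal, and 10.0.0.9's autofill hit is ignored because it is not near an email session. Lowering `min_signals` to 1 and raising `rare_max_hosts` shows how quickly the single-signal results grow, which is the triage load the next section describes.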
As I mentioned at the beginning, the steps I described above have helped me detect the earliest stages of some potentially devastating attacks. But going from raw hunting results – things that might be interesting – to high-fidelity, actionable insights for our customers was a massive undertaking. I’d estimate that for every hundred potentially interesting findings, only one actually mattered. That’s a lot of tedious work performing OSINT, analyzing network traffic, and correlating the two, and it definitely led to much frustration. So I left that job to build a platform to automate that workflow for everyone. The above sample we walked through is an actual phishing attack where a user was browsing their email, clicked on a phishing link that was impersonating Microsoft, and entered their credentials. Feeding the potentially-interesting network flows into our NetworkSage platform gave me the following response in less than one minute:
Figure 5: Output of NetworkSage Summary
Instead of spending all of my time focusing on triaging the 100 results that may be interesting, I can be alerted to the one that is actually important.
To dig deeper into what NetworkSage has to offer, I recommend the following resources: