Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Igal Gofman
Igal Gofman
Connect Directly
E-Mail vvv

Simulating Lateral Attacks Through Email

A skilled attacker can get inside your company by abusing common email applications. Here are three strategies to block them.

A big portion of breaching an organization's infrastructure involves challenging normal procedures and processes. A red team's main purpose is to simulate adversary activities and help the security administrators understand, monitor, and remediate the threats.

As a security researcher, I'm constantly looking for new ways to simulate advanced lateral movement, sophisticated Active Directory escalation, persistence, and exfiltration. One of our recent areas of focus has been on defeating network and domain boundaries by moving laterally within the network, with a focus on pivoting from unsecured networks to isolated secure networks.

One of the most common attack methods used by all adversaries is email, mostly because of the ease of use. Phishing attacks have always been a major source of worry for organizations. Over the last year, we have witnessed more organizations and individuals targeted by phishing campaigns designed to capture an employee's login credentials. Recently, the FBI's Internet Crime Complaint Center (IC3) issued a warning regarding some of those threats targeting the online payroll accounts of employees in a variety of industries.

My team and I decided to dig deeper into simulating how a skilled adversary can easily pivot to a compromised network segment by abusing commonly used email applications. Many email clients are built right into modern operating systems and can potentially help facilitate lateral movement.

The techniques described here are considered as post-exploitation, which means the user account has been breached and the adversary has full control over the user's workstation.

In many cases, adversaries use compromised account credentials to access employees' email in order to change their bank account information, sometimes adding a malicious Outlook rule to prevent the user from receiving alerts regarding a deposit or withdraw change. There are many account breach vectors, including phishing and password spraying.

By performing a phishing campaign, the adversary can easily gain system access to a user's workstation and can obviously control the installed mail client and all related communication. Instead of targeting users outside the organization by sending phishing emails or using cloud services to sync malicious metadata, the adversary can control all communication. Let's take this concept one step further to see how local access to an email client advances our agenda to pivot from network to network.

Use Case 1
Many times, advanced adversaries establish an internal command and control server (commonly referred to as a C2 server) to be used as a jump server to the outside world. The jump server can act as middleware between the infected workstations and an external C2 server. The internal C2 server can also be used as a man-in-the-middle proxy or a watering hole site. The adversaries can easily manipulate all mail hyperlinks shared by the compromised user/workstation to redirect the recipients to an internal watering hole website, bypassing many of the link detection and firewall application control mechanisms.

Use Case 2
Let's look at how we can build on top a known attack technique "fileshare infection" to pivot on an internal network using a compromised mail application. First, the adversaries must have the ability to weaponize a legitimate file. They would do this by focusing on widely used shared files by email platforms. There are many exploit options available online for free, including Office documents, PDF documents, and archive file vulnerabilities.

Now imagine what happens when a user's workstation is compromised. We all know many users love to share documents with their colleagues through email. The attacker has gained full control over email communication and can now inject malicious code into legitimate office files. These malicious files are now shared over a legitimate mail channel, which means that the adversaries use actual email correspondence instead of faking and acting on behalf of the user. The user would then reply or create a new email message using the malicious file. The mail recipient does not suspect that anything is wrong and opens the malicious file, exploiting the responsible file application.

As collateral damage, they can dump the global address book of the company and conduct a targeted phishing campaign against high-value targets such as IT or executive management.

Use Case 3
Instead of exploiting vulnerabilities in common files as described above, an adversary can use a much stealthier technique to leak credentials in the form of NTLM hashes to an internal C2 server. Usually, this is achieved by silently forcing a file application to authenticate against the C2 server using a specific protocol such as Server Message Block (SMB). The adversary can use the C2 to relay the received authentication attempt to any network protocol supporting NTLM authentication.

Microsoft has issued an optional security enhancement (Microsoft Advisory ADV170014) that provides organizations with the ability to disable NTLM single sign-on authentication as a method for public resources. However, this method is usually inefficient for internal resource communication, and in many cases will allow an internal network boundary bypass. A much more efficient way to mitigate this threat is by forcing NTLM signing on client and servers.

All the above examples show how linking several existing techniques together can be combined into one or more complex attack flows to achieve lateral movement and pivoting inside a network. Our team has demonstrated that this approach together with scalable automation is highly efficient and can be used to gain control over critical targets in real enterprise environments.

Related Content:

Igal Gofman is Head of Security Research at XM Cyber. He has a proven track record in network security, research-oriented development, and threat intelligence. His research interests include network security, intrusion detection, operating systems, and Active Directory. Prior ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.
PUBLISHED: 2020-09-30
In Oniguruma 6.9.5_rev1, an attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c .
PUBLISHED: 2020-09-30
A DLL Hijacking vulnerability in Eaton's 9000x Programming and Configuration Software v 2.0.38 and prior allows an attacker to execute arbitrary code by replacing the required DLLs with malicious DLLs when the software try to load vci11un6.DLL and cinpl.DLL.