- Two-step phishing circumvents security through user-triggered actions
- Fake Microsoft portal quickly obtains sensitive login credentials
- Advanced threat detection is key to combating phishing
Two-step phishing attacks exploiting Microsoft Visio files (.vsdx) and SharePoint mark a new chapter in online deception, experts warn.
Security researchers at Perception Point report that attacks utilizing .vsdx files have increased dramatically.
Until now, these files have rarely been used in phishing campaigns. Here they serve as a delivery mechanism: victims are redirected to a phishing page that mimics the Microsoft 365 login portal and is designed to steal user credentials.
Phishing exploits trusted platforms
Two-step phishing attacks split their malicious behavior across stages to evade detection. Rather than delivering harmful content directly, these campaigns rely on trusted platforms such as Microsoft SharePoint to host legitimate-looking files.
Attackers embed URLs into Microsoft Visio files that direct victims to malicious websites when clicked. This layered approach makes detection by traditional email security systems more challenging.
Microsoft Visio, a widely used tool for creating professional diagrams, has become a new vector for phishing. Attackers use compromised accounts to send emails containing Visio files that appear to come from a trusted source, often mimicking urgent business communications such as proposals or purchase orders to prompt immediate action.
Because the attacker is using a compromised account, these emails often pass authentication checks and are more likely to bypass the recipient’s security system. In some cases, attackers attach .eml files to the emails, and these in turn embed malicious URLs that point to SharePoint-hosted files.
The attacker embeds a clickable button in the Visio file, usually labeled “View Document.” To access the malicious URL, victims are instructed to hold down the Ctrl key and click the button. This interaction requires manual action by the user, bypassing automated security systems that cannot replicate this behavior.
To mitigate the risks posed by such sophisticated phishing campaigns, Perception Point recommends that organizations adopt advanced threat detection solutions, including dynamic URL analysis to identify malicious links, object detection models to flag suspicious files, and authentication mechanisms to minimize the impact of compromised accounts.