48 Minutes to Disaster: How Phishing Attacks Exploit Weaknesses

By Irina Smith
February 21, 2025

Introduction

In today's threat landscape, cyberattacks are becoming faster as well as more sophisticated. A recent incident investigated by ReliaQuest highlights how much speed matters in both attack execution and defense. This post walks through a real-world breach of a manufacturing company in which the attackers achieved lateral movement just 48 minutes after initial access. We dissect the attack timeline, examine the tactics employed, and provide actionable recommendations to help organizations defend against these accelerated threats.

Attack Timeline: A Race Against the Clock

The following timeline details the stages of the attack, emphasizing the speed and precision with which the threat actors operated.

[Figure: Phishing attack timeline, a step-by-step breakdown of initial access, lateral movement, and techniques used. Credit: ReliaQuest]
  • 5:47 PM: Initial Access via Phishing and Social Engineering
    • A flood of spam emails hit more than 15 users, creating a diversion and a pretext for "IT" to get in touch.
    • The attackers then sent a Microsoft Teams message from an external "onmicrosoft.com" tenant, posing as IT help-desk staff.
    • At least two users were convinced to open the Quick Assist remote-access tool and grant the caller control of their machines.
  • 5:54 PM: Command and Control (C2) Established
    • Seven minutes after initial access, the attacker connected the employee's desktop to a remote command-and-control server over ports 443 and 10443.
  • 5:55 PM: Lateral Movement Attempted
    • The attacker tried to push a malicious DLL ("winhttp.dll"), bundled with what looked like a OneDrive update, to roughly 10 hosts over Server Message Block (SMB).
    • When SMB failed, the attacker switched to Remote Desktop Protocol (RDP) combined with PowerShell.
  • 6:35 PM: Breakout Time Achieved (48 minutes after initial access)
    • The attacker uploaded the malicious files over RDP and used PowerShell, running under compromised administrator accounts, to trigger the payload.
    • The attacker took over a service account used to manage an SQL database and used it to create a new account with domain administrator privileges.
    • The attacker ran the SoftPerfect Network Scanner to map the network for further targets.
  • ~30 Hours: Data Exfiltration
    • With the elevated permissions, the attacker collected sensitive data from the servers they had reached.
    • Using WinSCP, the data was exfiltrated to a remote server under the attacker's control.

Key Findings

  • Breakout Time: The attackers moved laterally 48 minutes after initial access, 22% faster than the 2023 figure ReliaQuest cites; the fastest breakout time it recorded was 27 minutes.
  • Initial Access: The attackers combined an email spam flood with Microsoft Teams phishing to talk users into granting them control of their machines.
  • Defense Evasion: The attackers used DLL sideloading to evade detection, placing a malicious DLL in the same directory as a legitimate application that loads a DLL of that name, so the application itself executes the attacker's code.
  • Lateral Movement: The attackers used a combination of SMB, RDP, and PowerShell to propagate the malicious payload across the network.
  • Privilege Escalation: The attackers used a compromised service account to create a domain admin account, giving them the permissions needed to reach and exfiltrate data.
  • Data Exfiltration: The attackers used WinSCP to exfiltrate sensitive data to a remote server under their control.
  • Living off the Land: Apart from the sideloaded DLL, the attackers relied on legitimate tools such as Quick Assist, Teams, SMB, RDP, PowerShell, and SoftPerfect Network Scanner, which blend in with normal administrative activity.

Step-by-Step Defenses

To defend against these tactics, ReliaQuest recommends the following:

  • Initial Access:
    • Deploy detection rules for unusual spikes in email volume against a single user and for suspected Microsoft Teams phishing (for example, chats from external onmicrosoft.com tenants claiming to be the help desk).
    • Establish verification procedures so end users can confirm they are dealing with legitimate help-desk staff before granting remote access.
    • Use Group Policy Objects (GPOs) to block Quick Assist and other remote monitoring and management (RMM) tools that are not part of your approved remote-support tooling.
  • Defense Evasion:
    • Deploy endpoint detection and response (EDR) sensors across critical infrastructure and the wider environment.
    • Forward logs to a central location so security teams can spot DLL sideloading through behavioural patterns, such as a DLL carrying a system DLL's name being loaded from an application or user directory.
  • C2 and Lateral Movement:
    • Isolate hosts exhibiting DLL sideloading to cut off command-and-control (C2) communication and prevent lateral movement.
    • Limit RDP use by configuring GPOs to restrict access to specific users or hosts, enforcing the principle of least privilege.
    • Detect scheduled tasks that deviate from standard naming conventions or that launch a suspicious process.
  • Privilege Escalation:
    • Deny service accounts interactive and Remote Desktop logon (User Rights Assignment) wherever possible.
    • Restrict the scope of service accounts, ensuring they have only the permissions necessary for the hosts they must reach.
    • Identify signs that a service account is being used by a human rather than an automated process, such as interactive or RDP logons for an account that should only produce service or network logons.
  • Exfiltration & Impact:
    • Enforce application control (AppLocker or Windows Defender Application Control, delivered via GPO) to prevent tools like WinSCP from executing and exfiltrating data.
    • Identify outbound web and file-transfer requests originating from critical hosts, which should rarely initiate such connections themselves.
    • Isolate compromised hosts to block communication with external hosts or domains.
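The detection items in the list above (mail floods against one user, Teams messages from a foreign onmicrosoft.com tenant, a service account logging on interactively, a system DLL name loaded from outside System32) as a worked PowerShell example. This is an added illustration, not ReliaQuest's detection content. The sample events are constructed inline; the tenant name "contoso", the `svc_` naming prefix for service accounts, and the normalised field names are assumptions, and in production the objects would come from Get-WinEvent, Sysmon or your SIEM rather than from a hard-coded array.

```powershell
# Added example, not from the original post: four detections from the defense list, expressed as
# PowerShell filters over constructed sample events. Assumptions (adapt to your telemetry): own
# tenant is "contoso", service accounts are named svc_*, and events are already normalised to the
# fields used below (TargetUserName -> Account, etc.).

$OwnTenant             = 'contoso'
$ServiceAccountPattern = '^svc_'
$InteractiveLogonTypes = @(2, 10, 11)   # 4624 LogonType: Interactive, RemoteInteractive, CachedInteractive

# ---- constructed sample data ----------------------------------------------------------------
$start = Get-Date '2025-02-21 17:40'
$Mail  = 1..20 | ForEach-Object {       # 20 messages to one user inside ~3 minutes
    [pscustomobject]@{ Recipient = 'bob@contoso.com'; Received = $start.AddSeconds($_ * 10) }
}
$Mail += [pscustomobject]@{ Recipient = 'alice@contoso.com'; Received = $start }

$TeamsMessages = @(
    [pscustomobject]@{ Sender = 'alice@contoso.com';                    Recipient = 'bob@contoso.com' },
    [pscustomobject]@{ Sender = 'helpdesk@itsupport99.onmicrosoft.com'; Recipient = 'bob@contoso.com' }
)
$LogonEvents = @(   # Security event 4624
    [pscustomobject]@{ Id = 4624; Account = 'svc_sqlbackup'; LogonType = 5;  Host = 'SQL01' },  # service start: expected
    [pscustomobject]@{ Id = 4624; Account = 'svc_sqlbackup'; LogonType = 10; Host = 'SQL01' },  # RDP logon: a human
    [pscustomobject]@{ Id = 4624; Account = 'bob';           LogonType = 2;  Host = 'WS-BOB' }
)
$ImageLoads = @(    # Sysmon event 7 (ImageLoaded)
    [pscustomobject]@{ Id = 7; Image = 'C:\Program Files\Microsoft OneDrive\OneDrive.exe';     ImageLoaded = 'C:\Windows\System32\winhttp.dll' },
    [pscustomobject]@{ Id = 7; Image = 'C:\Users\bob\AppData\Local\OneDriveUpdate\update.exe'; ImageLoaded = 'C:\Users\bob\AppData\Local\OneDriveUpdate\winhttp.dll' }
)

# ---- detections -----------------------------------------------------------------------------
function Find-MailFlood {
    param([array]$Mail, [int]$Threshold = 15, [int]$WindowMinutes = 10)
    # Spam-bomb diversion: many messages to one recipient inside a short window.
    $Mail | Group-Object -Property Recipient | Where-Object { $_.Count -ge $Threshold } | Where-Object {
        $t = @($_.Group.Received | Sort-Object)
        ($t[-1] - $t[0]).TotalMinutes -le $WindowMinutes
    } | ForEach-Object { $_.Name }
}

function Find-ExternalTeamsSender {
    param([array]$Messages, [string]$OwnTenant)
    # Any *.onmicrosoft.com sender that is not our own tenant is a foreign organisation
    # reaching our users through Teams external access.
    $Messages | Where-Object {
        $domain = ($_.Sender -split '@')[-1]
        $domain -like '*.onmicrosoft.com' -and $domain -ne "$OwnTenant.onmicrosoft.com"
    }
}

function Find-ServiceAccountInteractiveLogon {
    param([array]$Events, [string]$Pattern, [int[]]$LogonTypes)
    # Service accounts should only produce service (5), batch (4) or network (3) logons;
    # an interactive, RDP or cached-interactive logon means a person is driving the account.
    $Events | Where-Object { $_.Id -eq 4624 -and $_.Account -match $Pattern -and $_.LogonType -in $LogonTypes }
}

function Find-SideloadedSystemDll {
    param([array]$Loads, [string[]]$SystemDllNames, [string]$SystemDir = 'C:\Windows\System32')
    # Behavioural sideload pattern: a DLL that carries a System32 name is loaded from some other
    # directory, typically the one holding the executable that imported it.
    $Loads | Where-Object {
        $_.Id -eq 7 -and
        (Split-Path $_.ImageLoaded -Leaf) -in $SystemDllNames -and
        -not $_.ImageLoaded.StartsWith($SystemDir, [System.StringComparison]::OrdinalIgnoreCase)
    }
}

# ---- run over the samples -------------------------------------------------------------------
Find-MailFlood -Mail $Mail | ForEach-Object { "ALERT mail flood against $_" }
Find-ExternalTeamsSender -Messages $TeamsMessages -OwnTenant $OwnTenant |
    ForEach-Object { "ALERT Teams message from external tenant: $($_.Sender) -> $($_.Recipient)" }
Find-ServiceAccountInteractiveLogon -Events $LogonEvents -Pattern $ServiceAccountPattern -LogonTypes $InteractiveLogonTypes |
    ForEach-Object { "ALERT service account used interactively: $($_.Account) logon type $($_.LogonType) on $($_.Host)" }
Find-SideloadedSystemDll -Loads $ImageLoads -SystemDllNames @('winhttp.dll', 'version.dll', 'dbghelp.dll') |
    ForEach-Object { "ALERT possible DLL sideload: $($_.Image) loaded $($_.ImageLoaded)" }
```

Run as written, the script raises one alert per detection: the 20-message flood against bob, the itsupport99.onmicrosoft.com "help desk" chat, the RDP (type 10) logon by svc_sqlbackup, and winhttp.dll loaded from a user profile directory. The mail-flood check compares the first and last message in the group, which is deliberately crude; a SIEM would use a sliding window. The sideload check keys on the DLL name only, so a legitimate vendor copy of a system DLL next to its application will also fire; that is acceptable for a hunt and is where signer and hash checks come in.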
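The configuration items above (blocking Quick Assist and WinSCP with application control, denying service accounts interactive and RDP logon, limiting who may use RDP) as an added PowerShell example, not ReliaQuest's own material. In a domain these settings are delivered through a GPO; the script shows the equivalent local configuration on a single test host. The Quick Assist package name and publisher string, the WinSCP install path, the service account name, the approved RDP group and the admin subnet are assumptions to be checked against your own environment.

```powershell
# Added example, not from the original post: local-host equivalents of the GPO controls above.
# Assumptions: Quick Assist package name/publisher, WinSCP install path, service account name,
# approved RDP group and admin subnet. Run elevated, on a test host first.
#Requires -RunAsAdministrator

# 1. Application control (AppLocker). The policy is merged into the existing one. It carries the
#    default allow rules because a collection that holds only deny rules blocks everything else;
#    deny always wins over allow, so the deny rules override the broader allows.
#    Check the packaged-app values with: Get-AppxPackage *QuickAssist* | Select-Object Name, Publisher
$AppLockerXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a0000000-0000-4000-8000-000000000001" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions></FilePathRule>
    <FilePathRule Id="a0000000-0000-4000-8000-000000000002" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions></FilePathRule>
    <FilePathRule Id="a0000000-0000-4000-8000-000000000003" Name="Allow Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow"><Conditions><FilePathCondition Path="*" /></Conditions></FilePathRule>
    <FilePathRule Id="a0000000-0000-4000-8000-000000000004" Name="Deny WinSCP" Description="exfil tooling" UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions><FilePathCondition Path="%PROGRAMFILES%\WinSCP\*" /></Conditions></FilePathRule>
    <FilePathRule Id="a0000000-0000-4000-8000-000000000005" Name="Deny legacy Quick Assist" Description="pre-Store build" UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions><FilePathCondition Path="%WINDIR%\System32\quickassist.exe" /></Conditions></FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="a0000000-0000-4000-8000-000000000006" Name="Allow all signed packaged apps" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule>
    <FilePublisherRule Id="a0000000-0000-4000-8000-000000000007" Name="Deny Quick Assist" Description="use approved remote-support tooling" UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="MicrosoftCorporationII.QuickAssist" BinaryName="*"><BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'block-rmm-exfil.xml'
Set-Content -Path $policyPath -Value $AppLockerXml -Encoding UTF8
sc.exe config appidsvc start= auto | Out-Null        # AppLocker is enforced by the Application Identity service
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 2. User Rights Assignment: deny the SQL service account interactive and RDP logon.
#    secedit replaces the whole list for each right, so name every account that must be denied.
$ServiceAccounts = @('CONTOSO\svc_sqlbackup')         # assumption
$DenySids = $ServiceAccounts | ForEach-Object {
    ([System.Security.Principal.NTAccount]$_).Translate([System.Security.Principal.SecurityIdentifier]).Value
}
$sidList = ($DenySids | ForEach-Object { "*$_" }) -join ','
$infTemplate = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = {SIDS}
SeDenyRemoteInteractiveLogonRight = {SIDS}
'@
$infPath = Join-Path $env:TEMP 'deny-svc-logon.inf'
Set-Content -Path $infPath -Value $infTemplate.Replace('{SIDS}', $sidList) -Encoding Unicode
secedit.exe /configure /db (Join-Path $env:TEMP 'deny-svc-logon.sdb') /cfg $infPath /areas USER_RIGHTS /quiet

# 3. RDP: only an approved group may connect, and only from the admin / jump-host subnet.
$ApprovedRdpGroup = 'CONTOSO\RDP-Admins'              # assumption
$AdminSubnet      = '10.10.0.0/24'                    # assumption
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Where-Object { $_.Name -ne $ApprovedRdpGroup } |
    ForEach-Object { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_.Name }
if (-not (Get-LocalGroupMember -Group 'Remote Desktop Users' | Where-Object Name -eq $ApprovedRdpGroup)) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $ApprovedRdpGroup
}
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AdminSubnet
```

Two caveats a practitioner will hit. The WinSCP path rule only covers the installed build; the portable executable runs from anywhere, so in practice you would take the publisher from the real binary with `Get-AppLockerFileInformation -Path <WinSCP.exe>` and write a publisher deny rule instead. Members of the local Administrators group keep RDP access regardless of the Remote Desktop Users group, because the "Allow log on through Remote Desktop Services" right is granted to both; that right, not the group, is the authoritative control and belongs in the same GPO as the deny rights above.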

FAQ Section:

Q: What is "breakout time?"

A: Breakout time is the period from initial access to lateral movement.

Q: What is DLL sideloading?

A: DLL sideloading involves placing a malicious DLL file in the same directory as a legitimate application that loads a DLL of that name. Windows applications search their own directory before the system directories (System32 and the rest of the search order), so the malicious copy is loaded and runs inside the trusted process. DLLs on the KnownDLLs list are the exception: the loader always takes those from System32, which is why attackers pick names like winhttp.dll that are not on it.
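A hunt for sideload candidates on a Windows host, added here as an example and not part of ReliaQuest's report. It applies the search-order rule from the answer above: a DLL sitting beside an executable whose name matches a DLL in System32 will be loaded in preference to the real one, unless the name is on the KnownDLLs list, which the loader always resolves from System32. The search roots, and the choice to require an .exe in the same directory, are assumptions you may want to widen (user profile and temp directories are where the incident's fake "OneDrive update" landed).

```powershell
# Added example, not from the original post: list DLLs outside System32 that carry a System32
# DLL's name, sit next to an executable, and are not protected by KnownDLLs. Assumptions: the
# search roots below; widen them to cover temp and download directories if you want more noise.

function Get-KnownDllNames {
    # The loader resolves names on this list from the \KnownDlls section objects, so a copy beside
    # the exe can never shadow them; every other name follows the normal search order.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -like '*.dll' } |
        ForEach-Object { $_.Value.ToLowerInvariant() }
}

function Find-SideloadCandidate {
    param(
        [string[]]$SearchRoots    = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA),
        [string[]]$SystemDllNames = (Get-ChildItem -Path "$env:SystemRoot\System32" -Filter *.dll -File |
                                        ForEach-Object { $_.Name.ToLowerInvariant() }),
        [string[]]$KnownDlls      = (Get-KnownDllNames)
    )
    $systemSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$SystemDllNames)
    $knownSet  = [System.Collections.Generic.HashSet[string]]::new([string[]]$KnownDlls)

    foreach ($root in ($SearchRoots | Where-Object { $_ -and (Test-Path -Path $_) })) {
        Get-ChildItem -Path $root -Recurse -Filter *.dll -File -ErrorAction SilentlyContinue | ForEach-Object {
            $name = $_.Name.ToLowerInvariant()
            # A System32 name, outside System32, not a KnownDLL, and an exe beside it to import it.
            if ($systemSet.Contains($name) -and -not $knownSet.Contains($name) -and
                (Get-ChildItem -Path $_.DirectoryName -Filter *.exe -File -ErrorAction SilentlyContinue)) {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Dll       = $_.FullName
                    Shadows   = Join-Path "$env:SystemRoot\System32" $_.Name
                    Signer    = $sig.SignerCertificate.Subject
                    SigStatus = $sig.Status
                    Modified  = $_.LastWriteTime
                }
            }
        }
    }
}

# Unsigned or recently modified hits at the top: an unsigned winhttp.dll next to a freshly dropped
# "OneDrive update" binary is exactly the pattern from the incident above.
Find-SideloadCandidate | Sort-Object SigStatus, Modified -Descending | Format-Table -AutoSize
```

Expect legitimate hits: many vendors ship their own copies of runtime DLLs that also exist in System32, and those will show a valid signature from the vendor. The triage value is in the combination: a System32 name, no signature or a signer that does not match the application beside it, and a modification time that lines up with the suspicious activity.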

Q: What is the role of Initial Access Brokers (IABs)?

A: IABs specialize in breaching networks and selling access to other threat actors.

Q: What is RaaS?

A: RaaS is short for ransomware as a service. Under this model, a core group develops the ransomware and rents it out to one or more affiliates.

Q: What are Automated Response Playbooks?

A: Automated Response Playbooks enable remediation actions to be automatically executed as soon as a detection rule is triggered.

Conclusion

The 48-minute breach underscores the urgent need for organizations to adopt proactive and automated security measures. As attackers accelerate their tactics, security teams must leverage automation and AI-powered defenses to match and surpass their speed. By implementing the recommendations outlined in this report, organizations can significantly reduce their mean time to contain (MTTC) and mitigate the impact of increasingly rapid and sophisticated cyber threats.
