Advanced Phishing Threat (APT) - Exploiting Modern Features
2021-06-12, 16:00–16:25, Track 2

Phishing is notorious for its ease of exploitation, high success rate, and variable impact. We will discuss how attackers can elevate the legitimacy of a phishing campaign using low-severity vulnerabilities and common features in applications. More importantly, we will then discuss various ways in which you can protect yourself or your organization from these out-of-band attacks, which could escalate into catastrophic attacks against yourself or your organization.


Phishing campaigns are commonly regarded as disposable, lightweight engagements that are easily deployable en masse. This misconception leads many individuals to not consider the widespread implications or dangers that could result from a successful targeted campaign. It's important to note that while these campaigns can be lightweight, they can also be extremely thorough. To defend yourself, it's important to understand the key ways that attackers can leverage misconceptions to further legitimize their campaigns. To halt attackers in their tracks, we first need to understand how they gain legitimacy, and what methods you can employ to ensure that you are protected from these vectors.

Some factors we will consider are: usage of multiple subdomains, obscure trust relationships, domain fronting, usage of intended features in software as a service, and leveraging browser-identifiable traits to create a targeted campaign against an organization. Using this information, we will then evaluate risk, and run a simulation of the implications of a single user falling victim to a phishing campaign.

Payton joined the Open Security team after completion of the Applied Cybersecurity Undergraduate Program at the SANS Institute of Technology. Having sharpened his pen-testing skillset and garnered recognition across the industry through his participation in various Capture-The-Flag competitions, Payton quickly set himself apart as a highly motivated self-starter. His experience in Web Application Development and offensive methodologies provides valuable insight to each of his engagements.