From Ember to Inferno - Exchanging emails shouldn't lead to complete disaster
2022-09-23, 15:30–16:00, Tesla

The most common vector threat actors use to obtain initial access is phishing email: messages carrying links that prompt victims to download files, or weaponised attachments, thus leading them into the nine circles of Hell. The security industry has taken great steps by creating "modern" solutions such as EDRs/XDRs, and even monitors mailboxes in order to detect and respond in the early stages of an attack. However, the attackers' ingenuity keeps them one step ahead: they either bypass these controls or remain undetected, and use the foothold as a launchpad to reach complete domain-level access. It is almost safe to assume that at some point users will be fooled and their systems will be compromised.

However, this assumption (or, better, fact) must not extend to the rest of the domain. Organizations should not lose control of their Domain Controller because a user clicked a file! Propagation of malware could have been averted with proper domain configuration and baseline monitoring. This talk explores TTPs and configuration mistakes observed in incident response engagements featuring everybody's favorite technology, Microsoft Exchange, which led to a cyber hell that Dante himself would be proud to describe. Upon entering purgatory, detection opportunities and challenges will also be showcased, so that all members of the community and the industry have a chance to enter paradise.


The talk will focus on lessons learned from the investigation of several incidents: the TTPs attackers commonly use when abusing email infrastructure for initial compromise and lateral movement, their significance in the attack kill chain, and the artifacts they leave in Windows environments, in order to assist defenders and responders when handling an incident.