3 min Security

Hackers use Visio files to spread phishing links

Hackers use Visio files to spread phishing links

Hackers are increasingly using files for Microsoft Visio to lure unsuspecting computer users to phishing sites. These utilise fake documents in compromised Sharepoint environments. Eventually, victims get redirected to a fake login page for Microsoft 365.

According to cybersecurity specialist Perception Point, the campaign concerns a so-called two-step attack pattern. Hackers first send emails through compromised accounts, which include a link to a Visio file in an (also hacked) Sharepoint environment. The malicious parties use links in those files to lure unsuspecting recipients to the actual phishing site.

E-mailscreenshot met als onderwerp "Platinum Proposal", met een bericht om een bijgevoegd document te beoordelen. Een .eml-bestand met een SharePoint-koppeling is bijgevoegd, gemarkeerd door een rode pijl.
Source: Perception Point

The whole purpose of this multi-layered approach is to appear as trustworthy as possible. First, the initial email arrives via a ‘real’ email address. It’s a compromised address, but the recipient doesn’t know that. The malicious party also bypasses standard security checks this way. The messages are typically about purchase orders or business proposals, so this part of the operation uses well-known social engineering tactics.

Compromised Sharepoint environment

The emails often contain an .eml file or Outlook email message. Basically, they’re emails with a saved email message attached to them. This attachment contains a link to a file in a Sharepoint environment, which is, in many cases, also compromised.

The document in the Sharepoint environment is a .vsdx file, a document type for Microsoft Visio. Visio is a programme for quickly creating flowcharts, diagrams, tables, organization charts, and other visual aids for business purposes. These documents are interactive and may include buttons that link to another document or website. The hackers hide their phishing links in exactly these buttons.

Diagram dat het pad van een cyberaanval via e-mail laat zien, van een aanvaller naar een gecompromitteerde inbox via verschillende stappen, waaronder e-mail, doelgebruiker, SharePoint-pagina en phishingpagina.
Source: Perception Point

Creating trust

By using .vsdx files, the hackers try to inspire trust. For example, these can be styled with the corporate identity of the company whose systems have been hacked. Such documents also include instructions to hold down the ‘control’ button when clicking the link. The reason for this is simple: that way hackers make sure it is a human opening the link and not a bot or other automated process.

The final step is the fake Microsoft 365 environment that opens, where the victim supposedly has to log in. If they do, the login credentials are captured. To stay ahead of such phishing attempts, Perception Point recommends measures such as Dynamic URL Analysis and AI security tools that specialize in malicious object detection.

Also read: Microsoft warns of spear phishing with RDP files