[fareesh]

The way it is worded can also mean that there were XSS vulnerabilities in the internal tool since they are saying "gained information about how our processes work". I feel like that's a strange and vague thing to say. The right kind of xss vulnerability would enable them to bypass 2fa too, maybe steal backup codes even.

[berkes]

I understood that line as 'saw names, contact detail, positions and permissions of employees'

[Thorrez]

If there's an XSS attack I don't consider that phishing.

[fareesh]

Isn't it both? Phish first user, post to internal tool and xss attack second user.

[Thorrez]

Yeah I guess you're right, it could be like an exploit chain where 1 link in the chain is phishing to gain access to something and xss is the next link for lateral movement.

But I don't know what "The right kind of xss vulnerability would enable them to bypass 2fa too" means. If the attacker doesn't have 2FA I would think the attacker can't log in, thus meaning the first link of the chain has no purpose.

But I also think XSS in this case is not very likely. From interviews with the attackers it sounds like they're social engineering experts who hang out on social engineering forums, not XSS experts[1][2][3].

[1] https://krebsonsecurity.com/2020/07/whos-behind-wednesdays-e...

[2] https://www.nytimes.com/2020/07/17/technology/twitter-hacker...

[3] https://krebsonsecurity.com/2020/07/twitter-hacking-for-prof...