by llimos 1886 days ago
Agreed. This is something that made me very annoyed when they did it to us. I know exactly what I'm doing, I know that you can't infect a computer from opening a link unless the attacker possesses a new browser 0-day, and expecting your average employee to worry about new browser 0-days is ridiculous.

If it were an obvious phishing URL, like a variation on the company domain, then fine (maybe). But it wasn't.


I've run such phishing campaigns where the link:

1. (Windows specific) Opens up a Windows file share, which causes the person to authenticate to the file share, which through PtH/Responder results in their enterprise credentials being stolen.

2. Exploited an XSS or CSRF vulnerability on an internal/management endpoint, which in turn allows a pivot from external to internal access.

3. Steals a web session, cached password or authentication token, resulting in compromise of employee credentials to be used elsewhere (e.g. reused to access enterprise VPN).

These are just some not-a-browser-0day examples of a single click being game-over dangerous.
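Technique #1 above (a link that points at an attacker-controlled file share so the victim's machine authenticates outbound) leaves a footprint that the defender can look for, and it also answers the later question of which credentials need rotating. The following is an added example, not code from the commenter or from any real tool: it runs a simple detection rule over a constructed egress firewall log in a hypothetical "timestamp src dst dport proto user" format, flags internal hosts talking SMB/NetBIOS to non-RFC1918 destinations, and lists the users whose credentials should be rotated. The log lines, the format and the RFC1918-only definition of "internal" are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample egress log (hypothetical format: ts src dst dport proto user).
# alice's two lines model a browser opening a link such as file://\\203.0.113.10\share,
# which makes Windows try SMB (445) and NetBIOS session (139) to the attacker host.
SAMPLE_LOG = """\
2019-11-01T10:02:11Z 10.1.4.22 52.1.2.3 443 tcp alice
2019-11-01T10:02:13Z 10.1.4.22 203.0.113.10 445 tcp alice
2019-11-01T10:02:13Z 10.1.4.22 203.0.113.10 139 tcp alice
2019-11-01T10:05:40Z 10.1.7.9 10.1.0.5 445 tcp bob
2019-11-01T10:06:02Z 10.1.9.3 198.51.100.7 80 tcp carol
2019-11-01T10:07:55Z 10.1.9.3 198.51.100.7 445 tcp carol
"""

# "Internal" is defined as RFC1918 only; this is an assumption of the example
# (ipaddress.is_private would also match documentation ranges like 203.0.113.0/24).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Ports an SMB/NetBIOS connection attempt uses. (Windows can also fall back to
# WebDAV over 80/443 when SMB is blocked; that case is not covered here.)
SMB_PORTS = {445, 139}


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    user: str


def is_internal(ip_str: str) -> bool:
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Event:
    ts, src, dst, dport, proto, user = line.split()
    return Event(ts, src, dst, int(dport), proto, user)


def find_smb_egress(log_text: str) -> list[Event]:
    """Return events where an internal host speaks SMB/NetBIOS to a non-internal host.

    That pattern is what an NTLM-capture link (Responder-style) produces on the
    victim side, regardless of whether the capture succeeded.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.dport in SMB_PORTS and is_internal(ev.src) and not is_internal(ev.dst):
            hits.append(ev)
    return hits


def users_to_rotate(events: list[Event]) -> set[str]:
    """Users whose NTLM hash may have been captured and whose passwords need rotating."""
    return {ev.user for ev in events}


if __name__ == "__main__":
    hits = find_smb_egress(SAMPLE_LOG)
    for ev in hits:
        print(f"{ev.ts} {ev.user}@{ev.src} -> {ev.dst}:{ev.dport}/{ev.proto}  SMB EGRESS")
    print("rotate credentials for:", sorted(users_to_rotate(hits)))
```

The rule is deliberately crude: it fires on the connection attempt, not on a confirmed hash capture, because a blocked attempt still tells the responder who clicked and which host to examine. Blocking outbound 445/139 at the perimeter is the matching prevention; this check is what tells you whether that block is actually in place.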

That exploit could happen ANYWHERE on the web. Any freaking link. Anything on a newspaper website, or social network.

You're talking about vulnerabilities in components, or other software, here. The user, by himself, is doing nothing wrong.

Why don't you just restrict employees to the intranet, then? Why do you give them free roam on the whole internet, but then you tell them "don't click the wrong link!".

Phishing happens when the user does something which is actively wrong. When the user opens a Word/Excel with VBA from an untrusted source and bypasses security restrictions. If they execute/install something unsigned and untrusted from some random site.

Click = fail is just wrong. Links are how the internet works. You aren't teaching anything.

> 3. Steals a web session, cached password or authentication token, resulting in compromise of employee credentials to be used elsewhere (e.g. reused to access enterprise VPN).

How do you do this without a browser vulnerability (and assuming it's not also XSS/CSRF like the previous point)?

You can do this with chains of vulnerabilities, including but not limited to insecure redirects, CSP bypasses, insecure cookies. Another useful technique is session fixation - you give your victims sessions you've started and often their SSO experience will connect _their_ credentials to _your_ session.

Also, to distinguish #2 from #3: XSS in #2 was intended to mean "persistent stored XSS" as opposed to "reflected XSS". In the case of reflected XSS, this can be chained with CSP bypasses and insecure cookies to grab e.g. bearer tokens.

My overall point is that heap feng shui 0day is not required for 1-click ownage. In practice, I've not had to burn browser 0day to compromise organizations or their customers.

I assume you're right on those techniques, but 2 things:

1. It sounds like they'd have to be pretty well targeted against the precise systems of that particular company in order to work. Which would tend to suggest more targeted spear-phishing attacks and extensive recon being done against the company systems somehow before anybody launched a real black-hat attack.

2. At that point, it feels hard to blame the individual employee versus whoever misconfigured those corporate services in the first place. Though I would guess it's fairly common for those kinds of things to happen due to many systems being set up without the help of true experts and the unlikeliness of a real attack against them without either a highly-skilled black hat targeting them or securing the services of a skilled and pricey pen test team.

1. You are correct. I would measure the effort in terms of a small number (1-3) weeks of recon and targeting for a team of two.

2. I agree. Individual employees are not at all to blame. Companies who are blaming their employees for getting phished are doing it wrong. The correct action to take is to inform employees and build the other kinds of mitigations mentioned elsewhere in this topic tree.

> I've run such phishing campaigns

To test if employees are easy to phish, or was it for real (black hat)?

The former _only_.

I'm usually not testing only whether employees are easy to phish (the answer is pretty much 100% yes). I'm testing end-to-end: can you as a company prevent me from phishing through email protections? Can you detect when I'm phishing your employees? Will your employees report potential phishing emails? Can you figure out (without me telling you) which employees were targeted and which attacks were successful? Can you figure out which credentials/machines would need to be quarantined/rotated/examined?

This job seems like fun :-)

Even more fun if you were allowed to social engineer your way into the office and steal someone's powered on not-screenlocked laptop :-)

Same domain can't be guaranteed to be safe.