Phishing is Dead, Long Live Spear Phishing

With the introduction of generative AI, spear phishing has reached unprecedented levels of sophistication and success.

The success of AI-powered spear phishing relies on:

  • Easy access to data - saving much of the time otherwise invested in learning about the victim.

  • Personalization - customizing the content for each victim and making it seem much more genuine and trusted.

  • Impersonation - generating convincing content that mimics the writing style of the victim’s contacts.

In this blog, we will introduce new capabilities that further enhance AI-powered spear phishing, allowing it to reach its full potential.
We will show how to automate the process and scale even more. We will also show how to use Copilot for M365 to help us with the mission and finally achieve lateral movement.

So put on your hacker hoodie and let’s have some fun!

Spear Phishing with Copilot for Microsoft 365

If you are not yet familiar with Copilot for Microsoft 365, I highly recommend reading this blog.

Copilot for Microsoft 365 is an enterprise AI assistant that combines LLMs with access to organizational data including files, messages and emails (!).

Let’s demonstrate how to use the Copilot chat to craft phishing emails from the available business data and how to achieve lateral movement within the organization.

Our starting point is a compromised account or a bad actor in the organization. For the sake of the demonstration, let’s name the compromised account Kris.

The first step is to pick our next victims. Since Copilot has access to messages and emails, it can easily answer the question “who are my top collaborators?”

collaborators are Jane Smith and Admin

Next, we will iterate over each collaborator and collect details, including the email addresses, and inquire about the latest interactions with Kris.

Notice that we now know that Jane is expecting a file with the company guidelines from Kris!

To increase the attack surface and achieve lateral movement, we ask Copilot whether the conversation includes other contacts on the CC list, so they will get the phishing email as well.

expanding attack surface

Finally, after gathering all the required information, we kindly ask Copilot to craft a genuine email to send back to Jane.

crafting a phishing email

Now we can simply take this exact snippet, add the Lions Team on the CC list, attach our own malicious “Company guidelines” file and send it back to Jane.

Bingo!

So far so good, but how do we scale?

Previously, we learnt how to access Copilot for M365 through the terminal and demonstrated how to chat with Copilot interactively from there.

In order to automate the spear phishing with Copilot, all we need to do is wrap the Copilot chat script with the questions from above, extract Copilot's answers and finally distribute the emails in a loop for each collaborator.

Now if you haven’t put your hacker hoodie on, I suggest you do so now, bring your own terminal, lie back and let the tool phish for you.

Collaborators are Jane Smith and Admin

Crafting a phishing email, then moving to the next collaborator

Start phishing for ‘Admin’

To try it yourself, check out the powerpwn GitHub repository for the new spearphishing module.

Are we doomed?

Although these tools are very powerful, there are several things that can be done to stay protected:

1. Monitor your organization's traffic for suspicious activity, for example API usage.
2. Analyze Copilot conversations to detect repetitive patterns.
3. Maintain a blacklist of known hacking tools.
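
One way to approach item 2, as an added example that is not part of the original post or of powerpwn: the automated flow asks the same questions once per collaborator, so masking names in each prompt and counting how many distinct fill-ins a template gets inside a short window surfaces the loop. The `(timestamp, user, prompt)` record layout, the thresholds and the function names are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. The (timestamp, user, prompt) layout is a
# hypothetical export format, not a real Copilot audit-log schema.
SAMPLE_LOG = [
    ("2024-05-01T09:00:00", "kris", "Who are my top collaborators?"),
    ("2024-05-01T09:00:05", "kris", "What is the email address of Jane Smith?"),
    ("2024-05-01T09:00:09", "kris", "What were my latest interactions with Jane Smith?"),
    ("2024-05-01T09:00:14", "kris", "Who else was on CC in my conversation with Jane Smith?"),
    ("2024-05-01T09:00:20", "kris", "What is the email address of Admin?"),
    ("2024-05-01T09:00:24", "kris", "What were my latest interactions with Admin?"),
    ("2024-05-01T09:00:29", "kris", "Who else was on CC in my conversation with Admin?"),
    ("2024-05-01T09:10:00", "jane", "Summarize the Lions Team meeting notes"),
    ("2024-05-01T11:30:00", "jane", "What is the email address of Kris?"),
]

def template(prompt):
    """Mask capitalized words after the first so prompts differing only by a name collapse."""
    words = prompt.split()
    masked = words[:1] + [re.sub(r"[A-Z][a-z]+", "<X>", w) for w in words[1:]]
    return re.sub(r"<X>( <X>)+", "<X>", " ".join(masked)).lower()

def flag_repetitive_users(log, window=timedelta(minutes=10), min_templates=2, min_fillins=2):
    """Return {user: [templates]} for users who reused several prompt templates
    with different fill-ins inside one time window."""
    by_user = defaultdict(list)
    for ts, user, prompt in log:
        by_user[user].append((datetime.fromisoformat(ts), prompt))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            variants = defaultdict(set)  # template -> distinct original prompts
            for ts, prompt in events[i:]:
                if ts - start > window:
                    break
                variants[template(prompt)].add(prompt)
            repeated = sorted(t for t, v in variants.items() if len(v) >= min_fillins)
            if len(repeated) >= min_templates:
                flagged[user] = repeated
                break
    return flagged

if __name__ == "__main__":
    print(flag_repetitive_users(SAMPLE_LOG))
```

A single repeated template is common in normal use, which is why the check requires several templates to repeat together before it flags a user.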
