A surge in two-step phishing attacks leveraging Microsoft Visio files has been identified by security researchers, marking a sophisticated evolution in phishing tactics.
Discovered by Perception Point, the new attacks use Visio’s .vsdx format, a file type commonly employed for business diagrams, to disguise malicious URLs and bypass traditional security scans.
Microsoft Visio, often used for flowcharts and network diagrams, has now become a tool of deception in phishing campaigns. Attackers exploit the platform by embedding URLs within Visio files. The tactic takes advantage of users’ trust in Microsoft tools and creates a covert way to bypass security systems.
Unlike more common attachments such as PDFs or Word documents, Visio files are rarely flagged as threats, making them an ideal vehicle for delivering phishing links.
How the Attack Works
Perception Point researchers outlined the attack flow as follows:
- Compromised accounts: Attackers gain control of email accounts and send phishing emails from real, trusted accounts, ensuring they pass authentication checks
- Email content: The email often contains a .vsdx file or an .eml file (Outlook email message) attachment, appearing as legitimate documents like proposals or purchase orders
- Visio file delivery: Clicking on the email link leads to a Microsoft SharePoint page hosting the Visio file. The file may feature branding from the breached organization
- Embedded link in Visio: Attackers include a clickable link within the Visio file, usually disguised as a “View Document” button. Users are instructed to press the Ctrl key and click, a subtle prompt that circumvents automated security tools
When users comply, they are redirected to a fake Microsoft login page, where their credentials are stolen.
Growing Trend of Phishing Attacks Using Trusted Platforms
Perception Point has recently recorded a notable increase in Visio-based phishing attempts, a stark deviation from the usual methods involving more familiar file types.
According to the security firm, this tactic highlights the shift towards trusted platforms like SharePoint and Visio, which attackers manipulate to add layers of deception and reduce detection rates.
Acknowledging the issue, Microsoft has recently emphasized the need for heightened awareness around the use of its tools in phishing scams.
“Microsoft’s recent acknowledgment of the misuse of their services in phishing campaigns underscores a worrying trend: two-step phishing attacks leveraging trusted platforms and file formats like SharePoint and Visio are becoming increasingly common,” Perception Point warned.
“These multi-layered evasion tactics exploit user trust in familiar tools while evading detection by standard email security platforms.”
To protect against threats like this, firms and individuals should adopt key security practices: verify the sender’s identity before opening attachments, enable multi-factor authentication to secure accounts and conduct regular cybersecurity training to help users recognize phishing tactics.
Additionally, implementing advanced email security solutions that monitor unusual file types, like Visio files, can provide an extra layer of protection against evolving phishing schemes.
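One way a mail gateway can monitor the file type the attack flow above relies on, added here as an example that is not code from the article or from Perception Point: a .vsdx is a ZIP-based Office Open XML package, so the hyperlink addresses stored in its shapes can be listed and checked against an organisation's allow-list before the user ever sees the "View Document" button. The sample package, hostnames and function names are constructed for this example.

```python
"""Triage helper: list the hyperlinks inside a .vsdx mail attachment.
A .vsdx is an Office Open XML package, i.e. a ZIP whose visio/pages/page*.xml
(and visio/masters/master*.xml) parts hold the shapes; a shape's link lives
in a Section N="Hyperlink" as an Address cell. Sample package is constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

VISIO_NS = "http://schemas.microsoft.com/office/visio/2012/main"
SHAPE_PARTS = re.compile(r"visio/(pages/page|masters/master)\d+\.xml")

# Constructed page part: one "View Document" shape carrying a hidden link.
SAMPLE_PAGE_XML = f"""<PageContents xmlns="{VISIO_NS}"><Shapes>
  <Shape ID="1" Type="Shape"><Text>View Document</Text>
    <Section N="Hyperlink"><Row N="Row_1">
      <Cell N="Address" V="https://login.example.invalid/auth"/>
      <Cell N="Description" V="View Document"/>
    </Row></Section>
  </Shape>
</Shapes></PageContents>"""

def build_sample_vsdx() -> bytes:
    """Assemble a minimal constructed .vsdx package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("visio/pages/page1.xml", SAMPLE_PAGE_XML)
    return buf.getvalue()

def extract_vsdx_hyperlinks(data: bytes) -> list[str]:
    """Return every Hyperlink Address found in the package's shape parts."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not SHAPE_PARTS.fullmatch(name):
                continue
            root = ET.fromstring(zf.read(name))
            for section in root.iter(f"{{{VISIO_NS}}}Section"):
                if section.get("N") != "Hyperlink":
                    continue
                for cell in section.iter(f"{{{VISIO_NS}}}Cell"):
                    if cell.get("N") == "Address" and cell.get("V"):
                        urls.append(cell.get("V"))
    return urls

def flag_untrusted_links(urls: list[str], trusted_hosts: set[str]) -> list[str]:
    """Keep only links whose host is not on the organisation's allow-list."""
    return [u for u in urls if urlparse(u).hostname not in trusted_hosts]
```

Any address the routine returns can be fed to the same URL reputation checks the gateway already applies to links in the email body, closing the gap the Visio wrapper exploits.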
This article first appeared in Infosecurity Magazine, written by Alessandro Mascellino on November 11, 2024.