Insanely simple. I wonder if this method is used in APT groups ? 🤔 Typical corporate environments operate in Microsoft’s ecosystem, utilizing Outlook as their primary mail client. What you may have been unaware of , as I was, is that Outlook can be controlled via PowerShell with the use of COM Objects. Let’s take advantage of this feature and “puppeteer” Outlook – searching messages for juicy content, and forwarding them to an attacker-controlled account....

Wow, I can’t believe this still works, but it does. One of the biggest let-downs during any engagement, is getting your C2 implant blocked by AV/EDR. All the OSINT, Social Engineering, and research has gone out the window, and the Security Operations Center (SoC) is lit up. 😡 I’m talking Carbon Black or SentinelOne , etc. Windows Defender pretends to secure your computer, but with what I’m about to show you & countless AMSI bypasses – if you don’t believe Windows is broken by design , we can’t be friends....

You’ve identified your target’s e-mail address, and have done proper social engineering to set the context & expectation the target will receive a file. What do we send if we know very little about the target ? It’s typical in a business scenario to sign non-disclosure agreements, so we will use that as the “lure”. Fire up metasploit!? Nahh. That’s for script kiddies & testing in a Lab. 🤣 Ideally, we want to know information about the system where our payload was deployed, not get caught by EDR/AV , and successfully gain post-exploitation persistence....