{
	"id": "97cddfef-0288-4e4e-8af8-00b9da56c6d1",
	"created_at": "2026-04-06T00:19:36.457504Z",
	"updated_at": "2026-04-10T13:13:03.741593Z",
	"deleted_at": null,
	"sha1_hash": "3bc076b6147f94095b176f776f58583ca7d77621",
	"title": "48 Minutes: How Fast Phishing Attacks Exploit Weaknesses",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 107853,
	"plain_text": "48 Minutes: How Fast Phishing Attacks Exploit Weaknesses\r\nBy John Dilgen 20 February 2025\r\nPublished: 2025-02-20 · Archived: 2026-04-05 15:25:05 UTC\r\nKey Findings\r\nReliaQuest recently responded to a manufacturing sector breach involving phishing and data exfiltration. In this case, attackers achieved a “breakout time” of just 48 minutes—the critical window between initial access and lateral movement when the potential for damage skyrockets. This figure aligns with the 2024 average and marks a 22% faster speed compared to 2023. This incident demonstrates a stark reality: Attackers are moving faster than security teams can respond, creating an urgent need for automated, faster-than-human response capabilities.\r\nThe attackers used phishing and evasion techniques commonly associated with the “Black Basta” ransomware group. Working closely with the customer, the ReliaQuest Threat Research team provided investigative support and practical remediation guidance, helping to quickly mitigate the attack’s impact. In this report we’ll cover:\r\nOur original research and technical findings on the attack, focusing on the attacker’s speed and strategies.\r\nActionable recommendations for defending against these tactics.\r\nA forecast on how these tactics may develop in the near future (within three months).\r\nAttack Lifecycle\r\nFigure 1: Timeline of the attack cycle from phishing to exfiltration\r\nInitial Access\r\nTo gain entry into the organization’s network, the threat actor used social engineering and end-user manipulation.\r\nhttps://www.reliaquest.com/blog/blink-and-theyre-in-how-rapid-phishing-attacks-exploit-weaknesses/\r\nPage 1 of 8\r\nMore than 15 users were targeted with a flood of spam emails. Next, the threat actor sent a Teams message using an external “onmicrosoft.com” email address. These domains are simple to set up and exploit the Microsoft branding to appear legitimate. 
The threat actor posed as an IT help-desk employee, likely pretending to assist users with the flood of emails that was preventing them from working—a common tactic used by ransomware groups like Black Basta.\r\nThe threat actor then used Teams to call at least two users and convinced them to open the remote-access tool Quick Assist, join a remote session, and grant control of their machines. Quick Assist, native to Windows hosts, is often used in these attacks because attackers can easily convince users to open it and join a remote session using a code. In this incident, one user granted the threat actor control of their machine for over 10 minutes, giving the threat actor ample time to progress their attack.\r\nWhy Does This Matter?\r\nThis tactic of using email spam instead of malicious links or attachments is particularly effective because the emails themselves aren’t inherently malicious, leaving security tools with nothing to detect. Moreover, the end user doesn’t need to interact with the email directly. Instead, the flood of spam makes the target’s inbox unusable, giving the threat actor a plausible reason to pose as IT staff offering to resolve the issue. This low-tech but highly effective method allows threat actors to gain initial access and convince users to grant them control of their machines. Given its success, it’s likely that other threat groups will adopt this technique in the near future.\r\nStep Up Your Defenses:\r\nHelp-Desk Verification Procedures: To hinder threat actors impersonating IT help-desk employees from gaining initial access into networks, establish robust verification procedures to ensure end users confirm they’re interacting with legitimate help-desk staff. 
It’s also best practice to require end users to verify internal private information—such as help-desk ticket numbers, a predetermined passphrase, or their computer name—rather than information that can be easily obtained through online data breaches or social media.\r\nLock Down RMM Tools: Configure Group Policy Objects (GPOs) to block Quick Assist and other remote monitoring and management (RMM) tools from being used for remote access. This measure prevents attackers from deceiving users into joining a session, effectively denying them initial access.\r\nHow ReliaQuest Helps You\r\nTo promptly identify a social-engineering attack, we recommend deploying the following ReliaQuest-authored detection rules.\r\nDetection Rule | MITRE ATT\u0026CK ID | Summary\r\n003944 – Inbound Email Wave To Single User | TA0001:T1566 Phishing | In this attack, a mass email spam campaign preceded initial access. This detection rule identifies unusual spikes in email volume from external sources targeting a single user, enabling early alerts to mitigate spam campaigns and protect the organization from potential threats.\r\n003981 – Suspected Microsoft Teams Phishing to Multiple Users | TA0001:T1566 Phishing | In this attack, Microsoft Teams was exploited for phishing. Following mass email spam campaigns, external actors created Entra ID tenants to impersonate help-desk staff and added targeted users to Teams chats. This detection rule detects such malicious activity by identifying unusual patterns and behaviors associated with phishing attempts on Microsoft Teams.\r\nGreyMatter Automated Response Playbooks enable remediation actions to be automatically executed as soon as a detection rule is triggered. 
Implementing Automated Response Playbooks can reduce the mean time to contain (MTTC) a threat to less than five minutes, significantly limiting potential damage by halting a breach in its early stages. Configuring the following Automated Response Playbook in conjunction with the detection rules above will help ensure swift containment and effective remediation of threats.\r\nDisable User: When a user interacts directly with a Teams phishing attempt, as seen in this incident, this Playbook prevents the attacker from gaining access to the user’s host.\r\nDefense Evasion\r\nOnce inside the network, the threat actor employed dynamic-link library (DLL) sideloading to evade detection. DLL sideloading works by placing a malicious payload in the same directory as a vulnerable application. Because applications prioritize loading DLLs from their own directory before searching other locations, the malicious payload is executed instead of the legitimate DLL, making it harder for security tools and analysts to detect. In this incident, the DLL “winhttp.dll” was loaded into the OneDrive update file OneDriveStandaloneUpdater.\r\nWhy Does This Matter?\r\nReliaQuest has frequently observed help-desk employee impersonation attempts involving files with “update” in their names. Such files appear legitimate, making them less likely to raise suspicion among users or security personnel. Malicious DLLs can masquerade as legitimate processes, complete with valid digital signatures and strong reputations, increasing the chances of causing damage like spreading malware to additional hosts on the network.\r\nStep Up Your Defenses:\r\nExpand Logging and Visibility: To counter this tactic, deploy endpoint detection and response (EDR) sensors across critical infrastructure and the wider environment. 
Organizations should also forward logs to a unified location to ensure security teams have the visibility needed to detect DLL sideloading through behavioral patterns and contain malware before it spreads.\r\nHow ReliaQuest Helps You\r\nDefend against these tactics by deploying this detection rule, designed using the most up-to-date threat intelligence.\r\nDetection Rule | MITRE ATT\u0026CK ID | Summary\r\n000673 – Suspicious Process Injection | TA0004: T1055.001 – Process Injection: Dynamic-link Library Injection | Process injection was used in this attack to inject malicious code into legitimate processes, allowing the code to mimic trusted activity. This detection rule monitors processes in frequently abused system locations, flagging behavior that may indicate malicious activity.\r\nTo maximize the effectiveness of this detection rule, implement this GreyMatter Automated Response Playbook for rapid containment and efficient threat resolution.\r\nIsolate Host: DLL sideloading indicates active malware execution on a host. Isolating the host blocks command-and-control (C2) communication and prevents lateral movement.\r\nC2 and Lateral Movement\r\nWhile the overall breakout time in this incident was 48 minutes, the attacker initiated C2 communication just seven minutes after using Quick Assist for initial access. They began attempting lateral movement within eight minutes; if these attempts had been successful, the breakout time would have been even lower.\r\nThe attacker established C2 communication through HTTPS connections over ports 443 and 10443 to the domain “uptemp[.]icu.” The attacker initially attempted to propagate the malicious DLL “winhttp.dll” using Server Message Block (SMB), embedding it into the same OneDrive update file across approximately 10 hosts on the network. 
When some connections failed, the attacker adapted by switching to remote desktop protocol (RDP) combined with PowerShell, demonstrating agility and persistence. PowerShell was then used to remotely create scheduled tasks that executed OneDriveStandaloneUpdater with compromised administrator accounts.\r\nWhy Does This Matter?\r\nThe rapid progression of this attack posed significant challenges for the organization’s security team in investigating and containing the threat. This narrow window of just 48 minutes for breakout time highlights the critical need for swift responses and using automation to bring down MTTC. For instance, ReliaQuest customers without automation reported an average MTTC of 6.3 hours—more than enough time for threat actors to advance through the kill chain and inflict significant damage.\r\nStep Up Your Defenses:\r\nLimit RDP Use: To prevent lateral movement via RDP, configure GPOs to restrict access based on specific users or hosts. Additionally, ensure that the principle of least privilege is strictly enforced, and only necessary users and hosts are allowlisted for RDP access.\r\nHow ReliaQuest Helps You\r\nTo combat these tactics, organizations should adopt the following detection.\r\nDetection Rule | MITRE ATT\u0026CK ID | Summary\r\n000149 – Suspicious Scheduled Task Created | TA0002: T1053.005 – Scheduled Task/Job: Scheduled Task; TA0003: T1053.005 – Scheduled Task/Job: Scheduled Task; TA0004: T1053.005 – Scheduled Task/Job: Scheduled Task | To execute the injected process on other internal hosts, the attacker used scheduled tasks. This detection rule detects when a newly created scheduled task deviates from standard naming conventions or schedules a suspicious process to run.\r\nFor enhanced defenses, we recommend deploying the following GreyMatter Automated Response Playbooks alongside the above detection rule:\r\nIsolate Host: When an attacker uses a scheduled task to execute on a host, this Playbook isolates the host to stop the malicious file from spreading and block C2 communication.\r\nDisable User: This Playbook disables the account used to create the scheduled tasks to stop further malicious activity.\r\nPrivilege Escalation\r\nIn the next stage of the attack, the threat actor accessed a service account used to manage an SQL database. Due to limited logging visibility, the method of access couldn’t be determined. Using the SQL service account, the threat actor created a domain admin account and domain admin permission groups, adding the additional accounts under their control. Now, the attacker had the elevated permissions necessary to exfiltrate data.\r\nNext, the attacker used the SQL account to scan the network for vulnerable targets with SoftPerfect Network Scanner (netscan.exe). This tool, often exploited by attackers, helps to identify devices that compromised accounts have read and write access to—often serving as a precursor to lateral movement or data exfiltration.\r\nWhy Does This Matter?\r\nBetween January 2024 and July 2024, ReliaQuest found that 85% of compromises involved service accounts. These accounts are frequently targeted as they are often over-privileged and poorly secured. Service accounts serve as a critical foothold for attackers, offering weak controls that can be abused at various stages of the attack lifecycle, as observed in this attack. 
Their access to multiple systems across an organization further increases their value, making them even more attractive to attackers.\r\nStep Up Your Defenses:\r\nFortify Service Accounts: Service accounts are intended for automated processes and shouldn’t be accessed by users. As such, organizations should configure service accounts to block interactive logins whenever possible. The scope of these accounts should also be restricted, ensuring they have only the permissions necessary to interact with required hosts. This minimizes the risk of exploitation and prevents attackers from pivoting to other hosts.\r\nHow ReliaQuest Helps You\r\nWe recommend deploying the following detection rule to protect against privilege escalation.\r\nDetection Rule | MITRE ATT\u0026CK ID | Summary\r\n000166 – Interactive Logon with Service Account | TA0003: T1078.002 – Domain Accounts; TA0004: T1078.002 – Domain Accounts; TA0005: T1078.002 – Domain Accounts | In this incident, the attacker leveraged a service account to accomplish multiple objectives, including creating domain admin accounts and performing network scans. This detection rule identifies signs that a service account is being accessed by a human rather than an automated process, providing early alerts before the attacker can exploit the account.\r\nTo accompany this detection rule, organizations should leverage the following GreyMatter Automated Response Playbook:\r\nDisable User: If a service account is compromised, this Response Playbook prevents further actions from being executed using the account, giving security teams valuable time to investigate and remediate.\r\nExfiltration \u0026 Impact\r\nIn the final stage of the attack, the attacker leveraged their elevated permissions on the SQL service account to capture sensitive data stored on vulnerable servers. 
Using WinSCP, a free open-source file manager, they exfiltrated the data to a remote server under their control, hosted at the domain “pefidesk[.]com.” In the end, the attacker completed the entire process—from initial access to exfiltrating sensitive data—in just 30 hours.\r\nWhy Does This Matter?\r\nAttackers take advantage of the significant brand damage caused by data breaches to pressure organizations into paying ransoms. In 2024, 80% of breaches that we observed involved data exfiltration. Beyond financial costs, breaches strain relationships with customers and third parties, exposing personal data and irreparably eroding trust—often leading to revenue loss. In this instance, the organization took proactive measures to contain the threat by taking multiple data centers offline. While this led to operational downtime and workflow disruptions, it effectively prevented further damage.\r\nStep Up Your Defenses:\r\nApplication Control: Configure GPOs on network devices to enforce application management. These policies can prevent tools like WinSCP from executing and exfiltrating data to remote servers.\r\nHow ReliaQuest Helps You\r\nBy adopting the following detection rule, organizations can protect themselves from data exfiltration.\r\nDetection Rule | MITRE ATT\u0026CK ID | Summary\r\n000063 – Outbound Web Requests from Critical Host | TA0010: T1567 – Exfiltration Over Web Service | Critical hosts like databases or domain controllers shouldn’t exhibit web traffic activity typically seen on workstations. Outbound web requests could signal an attacker using the web channel for exfiltration, like in this incident. This detection rule identifies web requests sourcing from critical hosts.\r\nWe recommend deploying the following GreyMatter Automated Response Playbook to ensure optimal protection at this stage of an attack.\r\nIsolate Host: Data exfiltration relies on outbound communication to transfer data outside the network. This Playbook isolates the compromised host, blocking communication with external hosts or domains and ensuring the data remains within the organization’s network.\r\nConclusion\r\nThe phishing and data exfiltration incident detailed in this report highlights a concerning reality: Attackers are outpacing security teams, making faster response times more essential than ever before. Based on trends observed between 2023 and 2024, we anticipate breakout times will accelerate beyond the current average of 48 minutes, leveling off at around 30 minutes. To stay protected within this shrinking critical window, organizations must integrate automation into their containment strategies.\r\nThroughout 2024, help-desk impersonation has consistently proven to be an effective social engineering tactic, deceiving end users into granting threat actors access to their machines. We expect this method to gain further traction in 2025, potentially evolving with the use of alternative RMM tools like Qemu to enhance persistence and evade detection. 
While these techniques may continue to develop, the fundamental recommendations outlined in this report remain vital for defending against these increasingly sophisticated and rapid threats.\r\nIOCs\r\nArtifact | Details\r\npefidesk[.]com | Created on October 9, 2024, target for data exfiltration\r\nuptemp[.]icu | C2 domain\r\nc80883615157bd83dfed24683eee343a7b2ac5ab7949b3a260dc10e9f0044bb4 | Malicious DLL loaded by OneDriveStandaloneUpdater.exe - winhttp.dll\r\nSource: https://www.reliaquest.com/blog/blink-and-theyre-in-how-rapid-phishing-attacks-exploit-weaknesses/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.reliaquest.com/blog/blink-and-theyre-in-how-rapid-phishing-attacks-exploit-weaknesses/"
	],
	"report_names": [
		"blink-and-theyre-in-how-rapid-phishing-attacks-exploit-weaknesses"
	],
	"threat_actors": [],
	"ts_created_at": 1775434776,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3bc076b6147f94095b176f776f58583ca7d77621.pdf",
		"text": "https://archive.orkl.eu/3bc076b6147f94095b176f776f58583ca7d77621.txt",
		"img": "https://archive.orkl.eu/3bc076b6147f94095b176f776f58583ca7d77621.jpg"
	}
}