Researchers at cybersecurity firm Perception Point have identified a new type of two-step phishing attack that exploits Microsoft Visio files (.vsdx) and Microsoft SharePoint. This strategy uses the .vsdx format to embed malicious URLs, effectively bypassing conventional security measures and targeting sensitive user credentials.
How Two-Step Phishing Leverages Microsoft Visio
Microsoft Visio, a widely used tool for creating diagrams like flowcharts and process maps, saves files in the .vsdx format, which has traditionally been considered a low-risk file type. However, recent phishing attacks have transformed these files into delivery vehicles for credential theft by embedding malicious URLs.
Phishing attacks have evolved significantly, with malicious actors increasingly employing multi-layered tactics to slip through the security nets. This approach signals a shift toward more sophisticated phishing schemes, where trusted software is weaponized to avoid immediate detection by security systems.
Escalation in Credential Theft via Visio Files
Perception Point’s team has reported a surge in phishing campaigns targeting organizations through these two-step attacks. According to the research, attackers first compromise email accounts to distribute phishing messages to unsuspecting users. Since these emails come from legitimate accounts, they pass authentication checks like Sender Policy Framework (SPF), making them appear trustworthy.
These emails often contain a sense of urgency, referencing documents such as purchase orders or business proposals. Sometimes, attackers attach a .eml file (Outlook email format) with a malicious link embedded within it. Once the recipient clicks on the link, they are redirected to a SharePoint-hosted Visio file, continuing the phishing process.
Embedded Links in Visio: The Next Phase of Deception
Within the Visio file, malefactors insert an additional link behind a clickable call-to-action button, typically labeled “View Document.” To access this link, users are prompted to hold down the Ctrl key while clicking—a subtle method to bypass automated detection tools, which do not mimic interactions.
Once clicked, the link directs users to a counterfeit Microsoft 365 login page designed to capture their credentials. Attackers often go a step further by adding organizational logos and branding to the fake login pages to enhance credibility, deceiving users into thinking they are on a legitimate Microsoft platform.
Implications of Visio-Based Phishing on Cybersecurity
Microsoft recently acknowledged the abuse of their platforms, including Visio and SharePoint, in these types of phishing schemes, highlighting an increasing trend of attackers exploiting trusted services to conceal malicious content. Traditional email security systems, while robust, are often unable to detect the multi-layered approach of these phishing methods. By embedding malicious links within the layers of familiar software, attackers gain an edge over many standard detection mechanisms.
The rise of two-step phishing tactics highlights the importance of enhanced cybersecurity protocols and awareness. With these attacks targeting businesses globally, experts warn that even less common file formats can be weaponized, and comprehensive protection measures are needed.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.