Talos Takes

It's not you, it's your printer: State-sponsored and phishing threats in 2025

Cisco Talos

In this episode, we unpack state-sponsored and phishing trends from the 2025 Talos Year in Review. Amy and Martin Lee explore the alarming rise of internal phishing campaigns that bypass traditional perimeter defenses, including the widespread weaponization of Microsoft 365's Direct Send feature. Beyond simple phishing, we analyze the aggressive, blended operations of state-sponsored actors from China and North Korea who are combining high-level zero-day exploits with sophisticated social engineering. From the "Dear Leader" interview test to the reality of fake developer personas, we break down exactly how these adversaries are infiltrating modern organizations. 

2025 Year in Review report: https://blog.talosintelligence.com/2025yearinreview/

Amy Ciminnisi

Welcome to the Talos Takes Podcast, where we discuss Talos' latest research and security news. This podcast is for everyone, from the C-suite to the front line. Hello, everyone, and welcome to Talos Takes. I'm your host, Amy Ciminnisi, and today we're tackling two topics in the Cisco Talos 2025 Year in Review: advanced persistent threats and phishing. In 2025, we saw a surge in sophisticated phishing campaigns that mimic everyday workflows. We also saw the exploitation of Microsoft 365's Direct Send, and also the complex blended operations of state-sponsored actors from China and North Korea. So we have a lot to cover today. Let's get started. I'm joined today by Martin Lee from Talos. Martin, as always, a pleasure to have you on.

Martin Lee

Hi, yeah. Thanks for inviting me. It's a great pleasure.

Amy Ciminnisi

So, Martin, the 2025 report shows that phishing is still the primary way that attackers are getting a foot in the door. They accounted for about 40% of our incident response cases. But what has also caught our eye is a move toward internal phishing once they are already inside. Can you talk to this a little bit and maybe explain how defenders should adapt to this kind of two-front war where they're keeping people out, but then also spotting them when they're inside?

Martin Lee

We should start by thinking about the fact that the bad guys will always go for the techniques that offer them the best return on investment. Phishing is always a good bet. Okay, it requires skill, but it's not complicated to do. We don't need complex exploit code, we don't need a tool that we've bought off the dark web and had to pay money for. We just politely ask people things, you know, would you approve this? Would you give me your password? And unfortunately, human nature is such that phishing, social engineering, will always work just because we're human, and we always have been. And it's always going to be an issue. What has been interesting is that certainly in the past we'd have considered phishing more as a way to gain access to systems, so like external systems. The fact that bad guys are using internal phishing, I think, is really quite interesting. But in terms of defense, it doesn't really change anything. Certainly I'd say to anyone, be suspicious, be really suspicious about unexpected requests, even if they're coming from outside. Whilst spam filters are really good, malicious phish, external phish, can still creep in. Equally for the bad guy, once you're in the network, there tends to be even less detection or analysis of emails. So it gets even easier to send those kinds of requests internally across the internal network. And certainly for defenders, there are going to be fewer chances to be able to catch the attacks. So it's all about, one, profiling users. What do they normally do? If someone who works nine to five suddenly sends a dozen identical emails at 3 a.m., maybe you want to have a think about that. Secondly, for recipients of these things, yeah, we always need to think twice. We always need to be questioning things, we always need to be thinking, hey, does this sound right?
And if it isn't, get in touch with them out of band, you know, contact the recipient over whatever internal messaging system you've got, like Webex, or even better, pick up the phone. Just say, you know, you sent me this thing. Can I just double check? Is that actually what you want me to do? Because that's how we're going to defeat it.

Amy Ciminnisi

Yeah. So what are some reasons why attackers would want to phish internally? Is it for persistence? Is it to move laterally? Like, what are kind of the goals that they are trying to achieve?

Martin Lee

Once you've got your toehold into a network, typically your attacker then wants to spread their access. So find out where those key systems are, the ones that have the juicy bounty that they want to get their hands on, whether that's to steal data or to install and detonate ransomware on key systems. They're looking to get their hands into those key systems. Yes, you could do that through software exploits, through reconnoitering the network, looking for systems. Or, yeah, you can just politely ask someone, you know, say, oh, I'm trying to get into the financial system, but my login won't work. Could we try with yours? Just anything along those lines, or hi, it's the help desk here. We've done an audit of passwords, and we just need you to change your password. I'm going to send you a link here. Could you just click that and change your network password? For the bad guys, yeah, it's all about getting access to other systems. They're always going to go for those mechanisms that have the highest return on investment, and politely asking people things is typically a very, very good way of doing it. And of course, doing it on an internal system removes some of those perimeter defenses that are scrutinizing and analyzing emails as they're coming into the network. So once they're inside, there's going to be less scrutiny because, yeah, we need to let people do their jobs. So there are gaps in the defenses that they can slink behind and, yeah, just politely ask people for credentials to systems.

Amy Ciminnisi

Yeah. So let's talk about some of those lures that people are using. Political themes have taken a backseat and travel and logistics lures are surging. They are basically mimicking daily business workflows now. What does this tell us about how attackers are evolving their playbooks? What should teams be keeping an eye out for?

Martin Lee

Yeah, nothing changes. Seriously. Number one, whatever is in the news, if it's a headline, if it's something people are concerned about, that will be a lure that the bad guys will send. If it's the time of year you get a bonus, it'll be like, oh, hey, here's some important information about your bonus. Tax year, tax return time: hey, here's some information you need for your tax year. It's looking for anything that people either won't engage their critical thinking on and will just think, yeah, here's that email I was expecting, or oh goodness, I was expecting this, I might as well do it now. Or something that you really want to engage with. So breaking news, something important, something that you were dreading, something that's in the back of your mind. It's all about disengaging that critical thinking. Because if somebody emailed me, oh yes, I've got important information about your house purchase, I'm like, what? You know, I'm not. No, no, what is this? And already I'm thinking, well, this is wrong. Or, you know, somebody emails me about the latest hot news from Arsenal Football Club. I'd be like, well, I don't care. Delete. Or if somebody says, oh, your parcel has been detained at customs, I'll be thinking, oh, you know, that thing that I ordered, it hasn't come. I was waiting for it. I'm going to click, I'm going to click. Or if it's the right time of year, if it's, as I say, in tax year, you know, here's some important information you need for your tax submission, like, oh goodness, I've been dreading that. Yes, I need to click. So it disengages that critical thinking. If it's anything that you're looking at and you think, well, this is wrong, that's not quite right, that's what the bad guys want to avoid. So it's those instant clicks, oh, I want to know this, or I know what that was, I was expecting it.
Those are the things that they want to try and fool you with. And although the actual lures themselves change, what they're trying to do and the techniques that they're using broadly stay the same year in, year out.

Amy Ciminnisi

One of the most surprising things that we saw in Talos Incident Response last year, in 2025, was the surge in Microsoft 365 Direct Send attacks. This is a feature that has been around for years. Why did we see it weaponized so widely last year? And can you also just quickly, for those who might be newer to the field, explain what even is Direct Send?

Martin Lee

So it's a means of sending internal emails. I think it's unique to Microsoft, if I remember rightly, that doesn't require authentication. So the idea is your scanner or your printer can send you things through email. However, as a security professional, you've got to look at this. Why? Why did anyone think implementing an unauthenticated messaging protocol would be a good idea? You know, it's not like our lives are difficult enough. Who thought this was a good idea and who greenlit it? So, oh yeah, no, I agree with this. Nothing could possibly go wrong here. So, number one, yeah, monumentally a stupid idea. Let's say it, let's be honest. I think probably we've been lucky for a long time that the bad guys haven't cottoned on to this. It reminds me a bit of a few years ago when somebody read the PDF specification in detail and identified that you could execute executables from within PDFs, and then suddenly there was loads and loads of exploitation of this feature. It wasn't a vulnerability or a bug, it was a feature. So I think we've got the same situation here. Clearly, someone has been going through the specs or has been playing around or just had, you know, a brainwave of genius and just thought, what? I can send messages without authentication. Okay, time to have fun. So as a means of sending internal phish, I mean, it's an absolute gift for the bad guys, because as soon as you've got on the network, as soon as you can connect to that corporate email system, you can then impersonate who you want and send those messages. And because they're internal, because of the way that the protocol works, you're not going through those external incoming email checks that are considering it and thinking, I don't know about that, it's looking a bit dodgy. We're bypassing all of that. So for the bad guys, it's an absolute gift. The fact that it's only recently been exploited is, honestly, serendipity.
However, fortunately, you can turn it off, you can disable this "feature", in inverted commas. So the first thing, I mean, any network administrator or security guy who's reading this should do is honestly look at just disabling this. If you have systems, scanners, printers that need it, okay, you might have to live with it, but you might want to filter those emails that are going into the system. But the best thing that we can do is just disable this. It's a bad idea.

Amy Ciminnisi

Yeah, I mean, for the everyday person, it is so convenient to be able to go to your printers, scan something in, and get it sent right to your email, but incredibly, incredibly exploitable.

Martin Lee

Well, yeah, we can go back to the early years of the internet and all sorts of communication protocols that were really easy and simple to implement. And then the bad guys found ways of abusing them. So little by little, yeah, the world's become more complicated. We have to put more checks in, we have to do more analysis and defenses, because it is a complex world and we've got to keep the bad guys out, or at least frustrate them. And here it's almost like a legacy protocol happily existing in the days of the early 90s, when everyone was good and benevolent. Yeah, it's got to go. Got to go.

Amy Ciminnisi

Got to go. Yeah. So let's start moving into state-sponsored threats. The report highlights that Chinese-linked groups are getting really aggressive. They are weaponizing zero-days at a very high speed while also leaning in on older vulnerabilities that we've known about for a while. So when you have these APTs that are blending these really high-level technical exploits with very convincing phishing, it's a massive challenge. Can you share more about that and how defenders should start to build a defense against that kind of blended threat?

Martin Lee

So it's always going to be challenging to defend against APTs. If we just think about what those three letters stand for, it's advanced persistent threat. So on the advanced bit, potentially they have the full resources of a nation state behind them. If a nation state wishes to deploy maybe a hundred thousand vulnerability researchers and pay them and ask them to look for vulnerabilities in operating systems and software, yes, of course they will find some, and they will be far more efficient and capable in finding vulnerabilities than criminals ever would. So, yeah, the advanced bit is always going to be challenging. The second bit is the persistent bit. Because they are less motivated by money in the way that the criminals are, they can take their time, they can identify the target that they want and take a long view over compromising it. They don't necessarily need to get it tomorrow or next week or next month. But if I keep plugging away, I will get there eventually, whether it's, you know, soon, in six months' time, in a year's time. There is that notion of persistence. So it's always going to be challenging in terms of defenses, but not impossible. And often, as with so much, it's just a matter of getting the basics right. The more that you have the basics right, the higher the chance you will have of being resistant to these kinds of attacks. So defenses start with boring stuff. It starts with patching. Everything needs to be patched, it needs to be patched at the latest patch level. Equipment and devices which are end of life, you've got to get rid of them, because they're no longer patched. Endpoint protection everywhere. Having visibility of what's connecting to your network, having the right network architecture so you've got segregation, so that it's difficult for things to spread. Getting the identity right, so that you know who has access to your network and to systems. There aren't any legacy accounts on it.
The service accounts that devices are using, you're tightening down their restrictions and you're keeping a close eye on them. Administrator accounts: no one creates a new administrator account. The ones that you've got are audited, they're checked. And then having that ability to aggregate logs so you're hunting for the bad guys. You need a combined defense of, one, making it difficult for them to get in, which is about getting those basics right. Then it involves having the mindset and modesty to think, well, do you know what? They're probably going to get in. I can make it really tough for them, but they may well get in. But once they get in, I can find them if I'm looking for them. If you're not looking, you will never find them. But if you are looking, if you have that logging data, if you have that ability to hunt in your telemetry, you will find them. And the thing that will always give them away is the command and control traffic. They need to phone home. They need to get instructions, they need to exfiltrate data, and it's that which is very, very likely to give them away. Those sticky fingerprints will always be there at the scene of the crime, but you've got to look, you've got to look for them.

Amy Ciminnisi

Yes. And I am thinking about some of the defenders listening to this who may not always have the resources to replace end-of-life devices and things like that. So do what you can, make it as difficult as possible, while you keep pushing, you know, your board, your department heads, and so on for the resources that you need.

Martin Lee

Amy, I'll tell you what you can do to help with that. Create a honeypot.

Amy Ciminnisi

Okay.

Martin Lee

Create something that looks like a really juicy honeypot that an APT threat actor might like, and leave a trail of breadcrumbs to it and see what you get. So, yeah, maybe you have this end-of-life device on your network and it's keeping you up at night. Well, do you know what? Go create a virtual version and expose it to the internet and see what happens. And I bet you within 48 hours you'll have enough information to go to your finance director and say, look, this is why we need to replace that now. Otherwise, you know, make sure that we're setting aside a few million dollars for the inevitable breach. You'll get their attention with that. And if you can create honeypots, so stuff that, you know, looks plausible, outside your network or possibly in a DMZ connected to your network in some way, make a fake DNS entry for it. Maybe post some public code that includes a commented-out username and password to that system. See what happens, and that way you'll start to be able to understand what that threat is and demonstrate it to senior leadership.

Amy Ciminnisi

Absolutely. That's brilliant. I love that idea. So looking at other state-sponsored threats, we also saw North Korean operators doubling down on their Contagious Interview campaign. Essentially, they use incredibly refined IT worker personas, and it's classic social engineering, but it's still working. Why are these campaigns really effective? How can we educate our hiring teams and get them better at spotting these impersonators?

Martin Lee

Yeah, I mean, it's genius in its way. It's weaponizing offshoring development. You know, so I mean, I'm working from home today. Who knows if I really exist? So for organizations, yeah, many, many developers, software engineers want to work remotely, and why wouldn't you? And similarly, they may be offshore or they may be in a different state from where you're located. So this is one of the capabilities that AI is enhancing, because we can use video-changing software to make someone who potentially is North Korean look Eurasian or Hispanic or black or, you know, whatever. We can also change their voice to remove any trace of accent if they have one, but then again, they may well have been trained and educated to speak in the mannerisms of the organizations that they're trying to infiltrate. The worry is, once you allow a fake software engineer or systems administrator inside of your organization, they can then extract key information there, and you're then allowing them to create new ways in for other elements of the regime. So it's not a good thing. They can actually be very good software engineers. I've heard people say that actually they can be really, really hardworking, because behind every front person that you're recruiting, there may well be a team of half a dozen who are actually doing the work behind them. But really, in terms of risk, it's a really, really bad thing. Ultimately, the way to defeat this is actually to meet people in person. So if you can't really meet someone in person, I'd be ever so slightly dubious. So just meeting in person, you know, maybe, you know, once to sign the contract, invite them to your head office so that you can actually show them around and do a proper induction rather than have everything fully remote.
Meeting people from time to time and organizing physical meetups, I think, is also a really, really good way both of managing the team and also of weeding out fake employees. When it comes to the North Koreans, there is specifically one weird trick that works in an interview. So if you have your doubts about whether someone you're interviewing is AI or not, ask them this key question: how fat is Kim Jong Un? Because they can't insult the Dear Leader. So I have heard they will instantly disconnect, because they can't jeopardize themselves by responding or engaging in any way with the question. You know, another standard thing that certainly someone from HR would say is always follow up on references, check the CVs, check for clarity, check for the time zone of work and whether they're actually working in the time zone you expect them to. However, all of this can be faked. You know, you can have, you know, someone in North Korea who's working at night, which is during your office hours, but that doesn't work. Also, we do come across stories of people whose entire identities have been faked. So it looks, to all intents and purposes, like you can find the traces of their employment trail, because it is a genuine employment trail. You're just not in front of the person who you think that you're in front of.

Amy Ciminnisi

Let's move on to our final question here. Last year we saw a blurring between espionage and financial motivation, especially with actors from China and Iran. They're sharing tools and infrastructure, which makes attribution really messy. I'm curious what you think this might mean for the future of attribution, but also, how does this blurring of lines, you know, does it change at all how people should prioritize defense and response strategies?

Martin Lee

So attribution is always tricky. I'm always really, really dubious when someone says, yeah, this is definitely X. Because realistically, we don't know unless you actively catch someone in the act or bring them to trial and they are found guilty of doing one particular act. All that you have are indications and signs. We can interpret those in various different ways and say, well, you know, the set of signs associated with this activity is consistent with this group that we've seen before, and it's possibly part of that, or even we might be brave and say it's probably part of it. When we start seeing this muddying of signs, where we have two different groups who appear to be sharing infrastructure or sharing tools, we've then got to consider, okay, well, what are the various hypotheses here? It might mean that there is some kind of strategic partnership between these two groups, but that's only one interpretation. We might have someone who previously was working over here who's moved jobs to over here and prefers to use this particular infrastructure and has taken their tools with them, which explains why we have two groups using the same tools. You know, we have to think about both push and pull. So this team here might have stolen the tools of this group over here, because they think these are the best tools, and they've actually stolen them, which is why they've got them. They might have bought them in some kind of online marketplace, they might have been given them either as a favor or in return for something else, or possibly as part of a strategic partnership. So we need to think and keep an open mind. Oh, and of course, the other thing is, are these really two different groups? They might be the same group.

Amy Ciminnisi

Right, right.

Martin Lee

So we need to keep our minds open when we see things changing. Yes, this might be a change in the strategic international landscape, and this is what we're seeing. On the other hand, it might just be that someone has changed jobs. So keep an open mind. In any case, attribution is incredibly difficult. Within the defensive cybersecurity landscape, those of us who defend networks, our role is to keep the bad guys out, whoever they are. If you're working in, I don't know, a Ministry of Foreign Affairs or something, or an intelligence agency, you might be really, really interested in who is doing what. For the rest of us, it doesn't matter. We just want to keep them out. Worrying too much about who is doing what is probably detrimental. Instead of spending time worrying about it, go look for some out-of-patch devices and get them back up to patch, and that'll probably help you more. So, yeah, we have to be aware of who's out there, what they might be trying to do, but most importantly, how are they trying to do it? How do we stop them? And just recognize, yeah, attribution is really, really tough. And as threat actors are moving to living off the land, using the shared, you know, cloud-based infrastructure that we all do, yeah, distinguishing between them becomes even more difficult.

Amy Ciminnisi

Well, that takes us to the end of the episode. Martin, thank you so much for joining.

Martin Lee

Ah, my pleasure.

Amy Ciminnisi

Yeah. For everyone listening, I highly recommend reading the full Talos Year in Review. It is really essential for anyone who's looking to get ahead of these trends and better protect their organization. You can find it on our blog. Martin's holding it. Oh, Martin's...

Martin Lee

No, no, not holding that. Even better, you should buy this awesome book, which is really, really good.

Amy Ciminnisi

Cyber Threat Intelligence by Martin Lee.

Martin Lee

Yeah, I mean, read that, then read the Year in Review.

Amy Ciminnisi

Yes, absolutely. But the Year in Review, if you are interested, you can find it on our blog and also in the show notes below. I'll be sure to put them there. And as I said last time, it's not gated. You don't have to fill out any prying forms. We just want to help as many people as possible. So take a read. Thanks again, and stay safe out there.