I’m Just Asking Questions: Social Engineering as a Reporter 

A NetSPI social engineering assessment used a fake-journalist pretext, an inquiry about alleged hazardous-waste disposal at a construction site, to target a client’s executive leadership team and steer them into a credential-harvesting login flow. The engagement showed how urgency, reputation concerns, and weak media-inquiry procedures can lead executives to engage with a lookalike domain and an Evilginx adversary-in-the-middle (AITM) proxy, and even to forward the lure to trusted vendors.

Keypoints

  • The assessment targeted a large organization’s C-Suite to evaluate susceptibility to tailored social engineering rather than a generic phishing attempt.
  • OSINT from the company website, leadership bios, and a press release about a new facility helped craft a believable pretext.
  • The testers impersonated a journalist using a ProtonMail account and a lookalike domain to increase credibility.
  • An Evilginx adversary-in-the-middle server was pointed at the client’s real Microsoft login flow to capture credentials, MFA tokens, and session cookies.
  • Emails were written to create urgency and avoid an immediate link click, instead prompting recipients to reply and continue the conversation.
  • One executive forwarded the phishing link to two contracting firms involved in the project, expanding the risk beyond the intended target.
  • The article concludes that clear procedures for handling unsolicited media requests, plus stronger email and login controls, can reduce this type of exposure.
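
The session-cookie capture in the Evilginx step above is also what a defender can look for. What follows is an added example written for this summary, not code from the NetSPI post or from the Evilginx project: a small Python detector run over constructed sign-in records that looks for the two traces an AITM proxy leaves in an identity provider’s sign-in log. The tab-separated log format, the field names, the functions `find_session_replay` and `find_mfa_from_new_ip`, the RFC 5737 sample addresses and the `KNOWN_IPS` baseline are all assumptions of the example, not anything the post or any vendor’s log schema specifies.

```python
"""
Added example, not code from the NetSPI post: a minimal detector for the
Evilginx-style cookie capture the engagement describes, run over a few
constructed sign-in records.

An adversary-in-the-middle proxy relays the victim's real Microsoft login
(password and MFA) and keeps the resulting session cookie. In the identity
provider's sign-in log that leaves two signals:
  1. the interactive MFA sign-in arrives from the proxy's address, which the
     user has never signed in from before;
  2. the same session is then used from a second address with a different
     browser, minutes later, without any new MFA challenge.
The log format and field names are assumptions for this example and do not
follow any vendor's real sign-in log schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class SignIn:
    ts: datetime
    user: str
    ip: str
    session_id: str
    user_agent: str
    mfa: bool  # True when this record completed an interactive MFA challenge


def parse_line(line: str) -> SignIn:
    """Parse one tab-separated record: ts, user, ip, session id, user agent, mfa flag."""
    ts, user, ip, sid, ua, mfa = line.rstrip("\n").split("\t")
    return SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, sid, ua, mfa == "1")


def find_session_replay(events: List[SignIn],
                        window: timedelta = timedelta(hours=2)) -> List[Tuple[str, str, str, str]]:
    """Flag sessions minted by an MFA sign-in and then used, inside `window`,
    from a different IP *and* a different user agent with no new MFA.
    Requiring both to change keeps ordinary mobile IP churn out of the alerts."""
    by_session: Dict[str, List[SignIn]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_session.setdefault(e.session_id, []).append(e)
    alerts: List[Tuple[str, str, str, str]] = []
    for sid, evs in by_session.items():
        origin = evs[0]
        if not origin.mfa:
            continue  # only sessions that came out of a real MFA sign-in matter here
        for later in evs[1:]:
            if later.ts - origin.ts > window:
                break  # events are time-ordered, so nothing later is inside the window
            if not later.mfa and later.ip != origin.ip and later.user_agent != origin.user_agent:
                alerts.append((origin.user, sid, origin.ip, later.ip))
                break
    return alerts


def find_mfa_from_new_ip(events: List[SignIn], known: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Flag interactive MFA sign-ins from an IP the user has no history on.
    With an AITM proxy the sign-in the IdP sees comes from the phishing server,
    so this fires even before the cookie is used from a second machine."""
    return [(e.user, e.ip) for e in events if e.mfa and e.ip not in known.get(e.user, set())]


# Constructed sample log (not real data). Addresses are RFC 5737 documentation ranges.
# alice: normal MFA sign-in, later activity from the same IP and browser.
# bob:   MFA sign-in from an address he has never used, then the same session
#        active from a second address and a different browser four minutes later.
SAMPLE_LOG = """\
2024-05-01T08:55:02Z\talice@example.com\t198.51.100.5\tS-1\tChrome/124\t1
2024-05-01T09:10:40Z\talice@example.com\t198.51.100.5\tS-1\tChrome/124\t0
2024-05-01T09:02:11Z\tbob@example.com\t203.0.113.10\tS-2\tChrome/124\t1
2024-05-01T09:06:45Z\tbob@example.com\t192.0.2.77\tS-2\tFirefox/125\t0
"""

# Assumed per-user baseline of previously seen sign-in addresses.
KNOWN_IPS: Dict[str, Set[str]] = {
    "alice@example.com": {"198.51.100.5"},
    "bob@example.com": {"198.51.100.9"},
}


def run() -> Tuple[List[Tuple[str, str, str, str]], List[Tuple[str, str]]]:
    """Parse the sample log and return (session replay alerts, new-origin MFA alerts)."""
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return find_session_replay(events), find_mfa_from_new_ip(events, KNOWN_IPS)


if __name__ == "__main__":
    replays, new_origins = run()
    for user, sid, src, dst in replays:
        print(f"session replay: {user} session {sid} minted at {src}, reused from {dst} without MFA")
    for user, ip in new_origins:
        print(f"MFA sign-in from unfamiliar IP: {user} via {ip}")
```

Requiring both the IP and the user agent to change is a noise trade-off; a production rule would compare ASN or geolocation instead of raw addresses. The new-origin check is the more valuable of the two, because it does not depend on the operator replaying the cookie from a second machine: the interactive sign-in the identity provider records already comes from the phishing host, not from the executive’s own network.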

MITRE Techniques

  • [T1593.001 ] Search Open Websites/Domains: Social Media – Used LinkedIn to identify a real reporter to impersonate; the Google and Google Maps lookups in the same step fall under T1593.002 Search Engines (‘We researched journalists and local news outlets using Google, Google Maps, and LinkedIn to identify a reporter we would impersonate.’).
  • [T1593 ] Search Open Websites/Domains – Mined corporate blogs, contact pages, leadership bios, and the press release about the new facility to build the pretext and target profiles (‘Corporate blogs, social media, and news articles are good starting points for OSINT gathering.’).
  • [T1585.002 ] Establish Accounts: Email Accounts – Created a ProtonMail account in the journalist’s name to carry the persona (‘A ProtonMail account was created in that journalist’s name.’).
  • [T1583.001 ] Acquire Infrastructure: Domains – Registered a lookalike domain for the phishing infrastructure (‘We registered a lookalike domain…’).
  • [T1583.004 ] Acquire Infrastructure: Server – Stood up an Evilginx host for the lookalike domain; because Evilginx also answers DNS for the phishing domain itself, T1583.002 DNS Server covers the same host (‘We registered a lookalike domain and stood up an Evilginx server pointed at the client’s real Microsoft login flow.’).
  • [T1566.002 ] Phishing: Spearphishing Link – Sent hand-written lures to each executive, then delivered the phishing link as a Teams meeting once the target had offered a call (‘We manually composed an email template to each member of the C-Suite…’, ‘supplied a Teams invite controlled by his organization’ and ‘Reply to Bob asking them to join the provided teams meeting (phishing link)’).
  • [T1204.001 ] User Execution: Malicious Link – Relied on the executive clicking the meeting link to reach the proxied login page (‘Could we have joined a Teams call and shared the link in the chat?’).
  • [T1557 ] Adversary-in-the-Middle – Evilginx proxied the authentication session between the victim and the legitimate Microsoft login page; no sub-technique applies, since T1557.001 is LLMNR/NBT-NS poisoning (‘Evilginx is an adversary-in-the-middle framework that replicates a legitimate login page, capturing username, password, MFA tokens in real time and harvesting the authenticated session cookie.’).
  • [T1111 ] Multi-Factor Authentication Interception – The MFA step was relayed through the proxy in real time, so the second factor was completed on the attacker’s behalf (‘capturing username, password, MFA tokens in real time’).
  • [T1539 ] Steal Web Session Cookie – The post-MFA session cookie was harvested, which is what makes the stolen session usable without the password or a new MFA prompt (‘harvesting the authenticated session cookie’).

Indicators of Compromise

  • [Domain ] A lookalike domain registered for the engagement and fronting the real Microsoft login flow; the post does not publish the domain itself, so there is no atomic indicator to block.
  • [Email Service ] A ProtonMail account created in the impersonated journalist’s name; the observable is an unsolicited media inquiry arriving from free webmail rather than from the outlet’s own domain.
  • [Platform/Service ] Microsoft login and a Microsoft Teams meeting invite, used as the vehicle for the phishing link.
  • [Tool/Framework ] An Evilginx adversary-in-the-middle server proxying the legitimate login page and harvesting the authenticated session cookie.
  • [Organizations ] NetSPI (assessor), Microsoft (impersonated identity provider), and two unnamed contracting firms that received the forwarded lure.


Read more: https://www.netspi.com/blog/technical-blog/social-engineering/im-just-asking-questions-social-engineering-as-a-reporter/