attachments.office.net

Phishing Download Exfiltration

Attackers can compose an email, attach a file and use the direct download link to phish users. The caveat with using this method is the phishing link expires in approximately 15 minutes.

None

Attackers can compose an email, attach file(s) to exfiltrate and send the download link to themselves. This method is not ideal for large files due to the file size restriction in place.

Attackers can compose an email on O365 and attach a file and then use the file's download link to directly download the file. Restricted file types would first need to have their file extension modified (e.g. mimikatz.exe becomes mimikatz.exe.txt) and then upon download the file extension is modified back to the original extension.

https://twitter.com/mrd0x/status/1462852381830524931