Stun Attack

ankitohc
Spotlight

One incident happened where a user in my company complained that phishing emails were being sent from her O365 account. When I analyzed the PCAP, I noticed a connection established using STUN. It seems the intruder may have sent a link, and the user clicked on it, allowing the attacker to obtain her public IP address and port information.

Upon further investigation, we discovered a VBS script placed in the user’s public folder, which was automatically sending phishing emails to all users in the company. We deleted the script and stopped the scheduled task.

My main question is: how did the attacker gain access to her system behind the NAT? If I obtain someone's public IP address and port, can I exploit their system? What methods might the intruder have used to compromise the machine?

Sorry, but I am really curious to know this.


[image: packet capture screenshot] The address ending in 63.147 is our O365 IP address, the one ending in 226.333 may be the intruder, and 10.100.54.228 is the user's machine IP.
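To make concrete what the STUN connection in the capture actually gives away, here is an added example (not code from the original post or from any of the replies). It builds an RFC 5389 Binding Request, parses a Binding Success Response, and decodes the XOR-MAPPED-ADDRESS attribute, which is where the client's public, post-NAT IP and port come back. The packet bytes are constructed inline for an offline run, the addresses 203.0.113.45 and 2001:db8::1 are documentation-range placeholders rather than the addresses in the poster's capture, and is_stun() is the kind of header check you would run over UDP payloads to flag STUN traffic in a PCAP.

```python
"""Added example: what a STUN Binding exchange reveals (RFC 5389 framing).

Not code from the original post. All packet bytes and addresses below are
constructed for an offline demonstration.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
HEADER_LEN = 20


def is_stun(payload: bytes) -> bool:
    """Classifier for a UDP payload pulled out of a capture: top two bits of
    the type are zero, the magic cookie is present, and the length field
    matches the bytes that follow the 20-byte header."""
    if len(payload) < HEADER_LEN:
        return False
    mtype, mlen, cookie = struct.unpack("!HHI", payload[:8])
    return (mtype & 0xC000) == 0 and cookie == MAGIC_COOKIE \
        and mlen % 4 == 0 and mlen == len(payload) - HEADER_LEN


def build_binding_request(txn_id=None) -> bytes:
    """What the client sends: a bare header, no attributes."""
    txn_id = os.urandom(12) if txn_id is None else txn_id
    if len(txn_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def _xor_with_key(raw: bytes, txn_id: bytes) -> bytes:
    """XOR an address with the magic cookie (IPv4) or cookie||txn_id (IPv6).
    XOR is its own inverse, so the same function encodes and decodes."""
    key = struct.pack("!I", MAGIC_COOKIE) + txn_id
    return bytes(a ^ b for a, b in zip(raw, key))


def build_binding_response(txn_id: bytes, public_ip: str, public_port: int) -> bytes:
    """What the STUN server sends back: the reflexive (public, post-NAT)
    address the request arrived from, carried in XOR-MAPPED-ADDRESS."""
    if ":" in public_ip:
        family, raw = 0x02, socket.inet_pton(socket.AF_INET6, public_ip)
    else:
        family, raw = 0x01, socket.inet_pton(socket.AF_INET, public_ip)
    xport = public_port ^ (MAGIC_COOKIE >> 16)
    value = struct.pack("!BBH", 0, family, xport) + _xor_with_key(raw, txn_id)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txn_id + attr


def _decode_address(value: bytes, txn_id: bytes, xored: bool):
    """Decode a (XOR-)MAPPED-ADDRESS value into (ip_string, port)."""
    if len(value) < 4:
        raise ValueError("address attribute too short")
    family = value[1]
    port = struct.unpack("!H", value[2:4])[0]
    raw = value[4:]
    if xored:
        port ^= MAGIC_COOKIE >> 16
        raw = _xor_with_key(raw, txn_id)
    if family == 0x01 and len(raw) == 4:
        return socket.inet_ntop(socket.AF_INET, raw), port
    if family == 0x02 and len(raw) == 16:
        return socket.inet_ntop(socket.AF_INET6, raw), port
    raise ValueError(f"unknown address family {family:#x}")


def parse_binding_response(payload: bytes) -> dict:
    """Walk the TLV attributes and pull out the mapped address(es). Values are
    padded to 4-byte boundaries; the length field gives the unpadded size."""
    if not is_stun(payload):
        raise ValueError("not a STUN message")
    mtype, mlen, _ = struct.unpack("!HHI", payload[:8])
    txn_id = payload[8:HEADER_LEN]
    out = {"type": mtype, "txn_id": txn_id.hex()}
    off, end = HEADER_LEN, HEADER_LEN + mlen
    while off + 4 <= end:
        atype, alen = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            out["xor_mapped"] = _decode_address(value, txn_id, xored=True)
        elif atype == ATTR_MAPPED_ADDRESS:
            out["mapped"] = _decode_address(value, txn_id, xored=False)
        off += 4 + ((alen + 3) & ~3)     # skip value plus padding
    return out


if __name__ == "__main__":
    # Constructed exchange: a client behind NAT reaches a STUN server and the
    # server reports the NAT's public mapping for that one outbound flow.
    request = build_binding_request()
    txn = request[8:HEADER_LEN]
    response = build_binding_response(txn, "203.0.113.45", 51234)
    print("request is STUN:", is_stun(request))
    print("decoded response:", parse_binding_response(response))
```

The decoded response contains nothing but the NAT mapping the server observed for the single outbound UDP flow the client opened (in a browser, that flow is normally WebRTC's ICE candidate gathering). An attacker who receives that mapping learns the victim's public IP and the ephemeral port the NAT picked, which is useful for fingerprinting or for peer connections the victim's own browser initiates, but the mapping exists only because the client sent first; it is not an inbound hole through the NAT.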

3 Replies


BlakeRichardson
Meraki Community All-Star

If the user has clicked on a link, anything could have happened. The issue is user security awareness, not your external IP being at risk, unless you have a bunch of insecure port forwards set up.

Platforms like Knowbe4 offer end-user cyber security training. Be aware that most breaches are the result of human error.


Brash
Meraki Community All-Star

My main question is: how did the attacker gain access to her system behind the NAT? If I obtain someone's public IP address and port, can I exploit their system? What methods might the intruder have used to compromise the machine?

There are many opportunities that attackers can use. I've listed a few common ones below:

- An attacker can hijack an existing insecure session to a compromised web service

- An attacker can use tactics (usually social engineering) to get the session started from the client side. This is usually social engineering, domain typo-squatting, etc.

Because these tactics get the client to establish the session, NAT and inbound firewalls don't provide any benefit of security or obscurity.