Havoc Shield Blog

The Hidden Link between UNC Path Injection and Phishing

Written by Brian Fritton | Nov 5, 2020 6:00:00 AM

UNC Path Injection is an attack that we consider to have originated in the 1990s.  It's exact origins are difficult to trace, but the mid-1990s were a period of tremendous growth in terms of adoption of the Windows NT operating system, and anecdotally that seems to be the operating system that some of the early UNC Path Injection attacks occurred on.

Where it All Started

The premise of a UNC Path injection attack is that a "bad actor" (a malicious person) could ask you to click a link that supposedly pointed to some valuable resource -- like a document or a presentation -- and that you could click the link and have that document or presentation pop up on your screen.  The legitimate use of UNC Paths were mostly within a company -- e.g. a head of marketing giving a link to a head of sales containing a sales presentation.

But, in the mid-1990s as email was becoming more commonplace, cyber criminals realized that they could use something that conventionally had been used for internal communications, even if they were attacking from the outside of that organization.  An outside attacker preying on an internal company employee, could potentially get that employee to click on a UNC Path (potentially sent to them via email).  And, that UNC Path might be one that was less than benign -- it could potentially be (for example) a UNC Path that caused an employee to accidentally launch a program that took some malicious action on their data or configuration.  Most attacks of that nature relied on the UNC Path Injection technique (although it may not yet have been known by that name).

Was UNC Path Injection the Precursor to Phishing?

Here's the rub.  If you read the above paragraph again, it sounds a whole lot like the technique that we currently refer to as phishing.  Let's look at the similarities:

  1. Valid links (whether UNC Paths or URLs) train us all to rely on the convenience of being able to click on a link to get ushered right over to some resource that we want to quickly access/review.
  2. Cyber attackers have found ways to point those links (whether UNC Paths or URLs) at resources that are malicious in nature.  Malware, resources that inadvertently cause us to harm our data or configuration, or resources that encourage us to unknowingly disclose some confidential information.
  3. The recipient of a malicious link (whether it's a UNC Path or a URL) is especially vulnerable when the cyber criminal conveys the link in a way that seems contextually legitimate.  Like a message that appears to be from an employee's manager or colleague, and appears to ask the employee to take some action that feels routine/normal..

See the similarity in the attack vector?  We do.

Phishing is the "Little Brother" of UNC Path Injection

Although we don't have an airtight lineage demonstrating that the earliest phishing attacks were inspired by UNC Path Injection, we see a valuable lesson here.  When a new hacking TTP (Tactic, Technique, or Procedure) emerges, we can learn a lot from the past -- by thinking back to prior hacks that have a similar resemblance -- and thinking through what mitigations were (and weren't) effective in that prior attack.

In the case of Phishing and UNC Path Injection, the most effective mitigations have much in common:

  1. Protective Technology: in both cases, there was an effort to implement protective technology.  In the case of UNC Path injection, many application makers revised their applications to display UNC Paths not as clickable links, but as plaintext.  The recipient would have to conciously go through the effort of copying/pasting the link in order to take action on it.  In the case of phishing, webmail providers (and other email systems) implemented sophisticated filtering and safety checks, to either hide potentially-malicious phishing emails, or to present a prominent on-screen warning about the suspicious message.
  2. Training: No protective technology is perfect.  So, in both the history of UNC Path Injection and the history of Phishing, training came along to encourage employees to think twice before clicking on a link.  Training encouraged employees to think about the context of the message, the reputation of the sender, and the verification techniques that could either prove or disprove that the link was safe to click.  These "human factors" supplement our safety in a way that no protective technology can: they help us develop mental "pattern recognition" that transcends any single situation, and benefits us for the long term in a wide variety of situations.
  3. Policies: we're more about the "carrot" than the "stick", but infosec policies have evolved in a way that insist that employees not install or access resources of unknown origin.  We list this third intentionally; we think the other two mitigations have generally been more effective than this one.  However, it's reasonable and necessary to have policies that express the obligations that employees have with regard to resources that they access on behalf of the company.

We may never know whether the earliest phishing attacks were directly inspired by UNC Path Injection or not -- but the similarities give us a huge headstart in terms of thinking about how to stay safe.  When some future attack involving some different type of clickable link arises, we'll be able to look back on both UNC Path Injection and on phishing, and carry forward some of the good lessons that we've learned the hard way over the years.