Stun Attack

AnkitSharma1
Here to help

One incident happened where a user in my company complained that phishing emails were being sent from her O365 account. When I analyzed the PCAP, I noticed a connection established using STUN. It seems the intruder may have sent a link, and the user clicked on it, allowing the attacker to obtain her public IP address and port information.

Upon further investigation, we discovered a VBS script placed in the user’s public folder, which was automatically sending phishing emails to all users in the company. We deleted the script and stopped the scheduled task.

My main question is: how did the attacker gain access to her system behind the NAT? If I obtain someone's public IP address and port, can I exploit their system? What methods might the intruder have used to compromise the machine?

Sorry, but I am really curious to know this.


[attached screenshot of the PCAP]

The address ending in 63.147 is our O365 IP address, the one ending in 226.333 may be the intruder, and 10.100.54.228 is the user's machine IP.
BlakeRichardson
Kind of a big deal

If the user has clicked on a link, anything could have happened. The issue is user security awareness, not your external IP being at risk, unless you have a bunch of insecure port forwards set up.
Platforms like KnowBe4 offer end-user cyber security training. Be aware that most breaches are a result of human error.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Brash
Kind of a big deal

My main question is: how did the attacker gain access to her system behind the NAT? If I obtain someone's public IP address and port, can I exploit their system? What methods might the intruder have used to compromise the machine?
There are many opportunities that attackers can use. I've listed a few common ones below:

 - An attacker can hijack an existing insecure session to a compromised web service

 - An attacker can use tactics (usually social engineering) to get the session started from the client side. This is usually social engineering, domain typosquatting, etc.
Because these tactics get the client to establish the session, NAT and inbound firewalls don't provide any benefit of security or obscurity.
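As an added example (not code from any poster in this thread): a small Python STUN decoder that shows what the Binding exchange seen in the PCAP actually reveals, namely the client's own public IP:port as reported back by the STUN server in XOR-MAPPED-ADDRESS, and that flags STUN Binding Requests initiated by internal hosts, the client-initiated pattern Brash describes. The sample packets are constructed; apart from the user's 10.100.54.228, the addresses are placeholders.

```python
import struct
import ipaddress
STUN_MAGIC = 0x2112A442  # RFC 5389 magic cookie
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020

def parse_stun(payload: bytes):
    """Decode a STUN message; return None if the UDP payload is not STUN."""
    if len(payload) < 20:
        return None
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    # Top two bits zero, magic cookie present, body padded to a 4-byte multiple
    if msg_type & 0xC000 or cookie != STUN_MAGIC or msg_len % 4 or len(payload) < 20 + msg_len:
        return None
    info = {"type": msg_type, "mapped": None}
    pos, end = 20, 20 + msg_len
    while pos + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", payload[pos:pos + 4])
        value = payload[pos + 4:pos + 4 + attr_len]
        # XOR-MAPPED-ADDRESS (IPv4): the client's reflexive address, XORed with the cookie
        if attr_type == ATTR_XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 1:
            port, addr = struct.unpack("!HI", value[2:8])
            info["mapped"] = (str(ipaddress.IPv4Address(addr ^ STUN_MAGIC)), port ^ (STUN_MAGIC >> 16))
        pos += 4 + attr_len + (-attr_len % 4)  # attributes are 4-byte aligned
    return info

def find_stun_flows(packets):
    """packets: (src_ip, dst_ip, udp_payload) tuples; flag client-initiated STUN and what it reveals."""
    findings = []
    for src, dst, payload in packets:
        msg = parse_stun(payload)
        if msg is None:
            continue
        if msg["type"] == BINDING_REQUEST and ipaddress.ip_address(src).is_private:
            findings.append(f"{src} -> {dst}: outbound STUN Binding Request (client-initiated)")
        elif msg["type"] == BINDING_SUCCESS and msg["mapped"]:
            ip, port = msg["mapped"]
            findings.append(f"{dst} learned its public address {ip}:{port} from {src}")
    return findings

# Constructed sample capture: 10.100.54.228 is the user's machine from the thread;
# 203.0.113.10 (STUN server) and 198.51.100.77 (reported public IP) are placeholders.
TXID = bytes.fromhex("a1b2c3d4e5f60718293a4b5c")
XOR_MAPPED = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 1,
                         51234 ^ (STUN_MAGIC >> 16), int(ipaddress.IPv4Address("198.51.100.77")) ^ STUN_MAGIC)
SAMPLE_PACKETS = [
    ("10.100.54.228", "203.0.113.10", struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC) + TXID),
    ("203.0.113.10", "10.100.54.228", struct.pack("!HHI", BINDING_SUCCESS, len(XOR_MAPPED), STUN_MAGIC) + TXID + XOR_MAPPED),
    ("10.100.54.228", "203.0.113.10", b"GET / HTTP/1.1\r\n"),  # not STUN, must be ignored
]
```

Running `find_stun_flows(SAMPLE_PACKETS)` reports the outbound request and the public address the client learned; the same parser can be fed UDP payloads extracted from a real PCAP.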