The campaigns that have surfaced primarily target corporate environments using EPMM, aiming at IT administrators and security teams whose credentials are of high value. First reported in early October 2023, these campaigns are attributed to an advanced persistent threat (APT) group believed to originate from Eastern Europe. The timing of these phishing attempts coincides with the initial disclosure of the vulnerability, maximizing exploitation potential before patches are widely deployed.

Leveraging insider knowledge of EPMM environments, the attackers crafted emails with convincing domain names and sender identifications appearing to originate from Ivanti’s support infrastructure. These emails contained links leading to crafted websites mimicking genuine Ivanti update pages, embedded with malicious scripts.

How It Was Built

The campaign’s architecture begins with an initial phishing email purporting to be a critical update notification from Ivanti. The email subjects often read as “Immediate Action Required: Ivanti EPMM Security Update” with sender addresses appearing as

. The domains imitated were strategically configured to pass DKIM and SPF checks, enhancing legitimacy.

The infrastructure utilized a series of compromised servers across multiple geolocations, each hosting replicas of genuine Ivanti update sites. Here, the payload executed an exploit tailored to the CVE-2026-6973 vulnerability. The deployment followed strict modular design, enabling easy swapping of vectors as needed, keeping the campaign agile and evasive.

Email Example:

From: Ivanti Support <update-support@ivanti-secure.com>

Subject: Immediate Action Required: Ivanti EPMM Security Update



Dear User,



Due to a critical security vulnerability (CVE-2026-6973) discovered, an urgent patch is needed to ensure the security of your systems. Click the link below to download and run the mandatory update.



[Download Update](http://updates.ivanti-security.com/update-handler)



Ensure compliance by end of today to avoid service disruption.



Thank you,

Ivanti Security Team

The delivered script initiated a series of API calls to exploit the improper input validation flaw, inserting malicious scripts that executed remote commands. In parallel, victim credentials were harvested and exfiltrated to C2 servers managed by the threat actors.

Why It Worked

The effectiveness of this campaign is rooted in several key decisions. Firstly, the mimicry of Ivanti’s branding and sender identities strongly resonated with the targeted IT professionals, often overworked and likely to assume authenticity due to pressure to maintain security. Secondly, the exploitation of security conformity pressure—emphasizing urgent updates—played upon human factors, nudging recipients towards instant compliance without scrutinizing the emails’ legitimacy.

Moreover, the campaign’s use of sophisticated email domain configuration, ensuring that emails passed through spam and authenticity checks seamlessly, increased the open rate. Lastly, the dual use of credential harvesting and payload delivery in one sweep provided redundancy, ensuring that even in cases where exploitation failed, credentials were still compromised.

Operator Takeaways

For red team operators seeking to replicate or adapt this approach, focusing on three elements is critical:

• Domain Spoofing Excellence: Invest time in configuring email and website domains to withstand common authentication checks.
• Lure Authenticity: Craft messages that align with contemporary threats and industry pressures your targets face, especially focusing on urgency and familiar branding.
• Exploit Versatility: Maintain adaptability by modularizing your payload to switch tactics as defensive measures evolve.

Do’s and Don’ts

• Do: Utilize authentic domain setups to evade basic filters and capture victim trust gradually.
• Don’t: Rely solely on the promise of downloads; reinforce your approach with convincing content-based lures.
• Do: Ensure the payload is both effective and stealthy, ideally dual-purposed for maximal engagement.
• Don’t: Overcomplicate the email’s structure – simplicity coupled with authenticity sells the threat better.

References

Known Exploited Vulnerabilities Catalog – CISA

Ivanti Releases Critical Patch for EPMM Vulnerability

Related Reading

• Exploiting Out-of-bounds Write Vulnerabilities in Phishing Campaigns
• Analyzing Payload Delivery Techniques in Phishing Campaigns
• Local Privilege Escalation in Phishing Campaigns: Technical Analysis of Dirty Frag
• Exploiting BerriAI LiteLLM SQL Injection Vulnerability for Unauthorized Access

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.