Thanks to a submission to VirusTotal, it looks like F-Secure has identified the first step in the RSA hack back in March. It was a basic phishing email, with a zero-day Flash exploit payload. It wasn’t sent to a privileged user, either. But compromising a regular user account eventually allowed the attacker to leverage enough control to steal the RSA SecurID token information they were after. This is an interesting combination of simplistic delivery vector (note how simple the email is) with an advanced attack package. And of course, this was the first step in a sophisticated attack that eventually resulted in attacks on several defense contractors. The lesson to be learned here – security really is about the weakest link. Everyone in your organization needs to be trained and computer savvy enough to avoid being taken in with one of these phishing emails.