HackTheBay 3.0

Filipi Pires

I’ve been working as Head of Technical Advocacy at SCYTHE, Founder & Investor at CROSS-INTEL, Advisor & Investor at Sherlockeye, BSides Porto Organizer, Red Team Village Director (DEF CON), Senior Advisor at Raices Cyber Academy, Founder of Red Team Community (Brazil and LATAM), AWS Community Builder, Snyk Ambassador, Application Security Specialist and Hacking is NOT a crime Advocate. I'm an international speaker at security and new technologies events in many countries, such as the US (Black Hat & Defcon), Canada, France, Spain, Germany, Poland, Black Hat MEA (Middle East) and others. I’ve served as a University Professor in a Master's Degree in Portugal and in Graduation and MBA courses at Brazilian colleges. In addition, I'm the Creator and Instructor of the courses Malware Attack Types with Kill Chain Methodology (PentestMagazine), PowerShell and Windows for Red Teamers (PentestMagazine) and Malware Analysis - Fundamentals (HackerSec).


Session

03-23
11:30
75min
Identity Hunting with Malicious Documents
Filipi Pires

This session focuses on identity-driven cyber investigations using malicious documents as the primary intelligence source. Rather than treating documents merely as delivery mechanisms, the talk explores how weaponized files, especially PDFs, Word, and Excel documents, are intentionally crafted to harvest identities, map victims, and support large-scale infostealer and credential theft campaigns.

Attendees will explore how malicious documents abuse embedded scripts, macros, metadata, and obfuscation techniques to evade detection while silently collecting identity-related data. The session breaks down how these files act as both an initial access vector and a rich source of intelligence, revealing attacker behavior, targeting strategies, and operational patterns.

Through real-world case studies, the talk demonstrates how OSINT techniques can be applied directly to malicious documents to uncover attacker infrastructure, command-and-control relationships, reused artifacts, leaked credentials, and victim profiling indicators. By correlating file metadata, extracted indicators, and open-source intelligence, participants will learn how to transform a single malicious document into a full identity investigation.

By the end of the session, attendees will understand how to investigate malicious documents beyond the payload, using them as intelligence artifacts to trace identity abuse, campaign evolution, and attacker tradecraft.
