Alert: The new phishing combo trick that bypasses Office ATP
A few weeks ago, BitDam ATP detected an outstanding attack that was sent over email to one of our European customers and easily bypassed Office ATP. We analyzed it and since it was super-targeted, we assumed it’s a one time thing and moved on.
Surprisingly, since then we detected a few other attacks that use the same tactic. That’s when I thought it’s worthwhile to tell you guys about it!
Legitimate Sender and Email Address
It all starts with an email that is sent from a real legitimate email account. Seems like the hacker gained control over a mailbox of a real person. Moreover, in all these instances that we detected, the sender was from an organization that is in constant relationship with the targeted organization. Obviously, the attacker did some research prior to launching the attack. He or she targeted a specific organization and searched for vulnerabilities in the organizations surrounding that target – vendors, clients or service providers. Once such an opening was found, the attacker used it to take over a real email and send messages on behalf of a real user. Since this is a very targeted scam, it is likely that the compromised email owner didn’t even notice that an email that he was not intending to send was sent out of his mailbox.
Hiding Phishing in a Multiple-hop Journey
The next step was luring the receiver to click something. In one of these cases, the receiver was sent a “document” that he was requested to sign using DocuSign. Clicking the DocuSign button took him to a fake DocuSign page hosted on SharePoint, with a button saying “Please proceed here”. Clicking that, the user was transferred to a phishing webpage that looks exactly like a Microsoft login page, asking for the victim’s Microsoft credentials.
In another case, the excuse was “SENDER shared a file with you” using the sender’s real name.
Clicking the ‘open file’ button leads to what looks like a OneDrive webpage, which requires another link to access the document. This link is the phishing URL – taking the victim to a OneDrive login page that asks for username and password.
The first hop in all these attacks was hosted on SharePoint, which makes them more reliable and helps them to evade both email security and suspicious users.
Why are these attacks so dangerous?
These targeted attacks are extremely dangerous from two main reasons:
- Office ATP misses them. Even though BitDam ATP stopped them, they are proven to bypass Office ATP as well as other email security solutions. Why? First, since these attacks are very targeted and unique, they go below the radar of statistic-based security solutions. Secondly, because the phishing link is hidden behind several steps (a few clicks are required before getting to the phishing URL), and most security solutions fail to follow all these steps when scanning emails.
- They look very real! Sent from a real person’s mailbox, who the victim is in touch with, going through several web pages that all look legit and asking to login in order to access a file. All that looks like a normal and legit journey to access a file that someone you work with sent you. None of this is out of context so there is no reason the receiver will be suspicious.
The main thing that makes these attacks so unique and successful is the trick they are using in order to evade anti-phishing solutions. Combining multiple hops while counting on the user’s behavior to move from one hop to another, makes it almost impossible for email security solutions to identify that there is a phishing URL hiding there.
This, combined with the fact that these attacks are used rarely and are very targeted, turns them to undetectable by security solutions that base their verdict on statistical and machine learning models such as Office ATP and Proofpoint TAP. Using a different scanning approach that is 100% attack agnostic and doesn’t rely on knowledge of other threats, BitDam detects these attacks.
The Benefits of Targeted Attacks
In our video series ‘Get into The Phisher’s Mind’ which covers the decisions hackers have to make when they plan a phishing scam, we discussed spraying vs. cherry-picking. As you can easily tell, the attackers in these cases chose to go cherry-picking and tailored the attack to their specific target.
The cost for the attackers creating such a focused scam is clear – higher investment per attack. So why would they do that? The reason is that using such a targeted method, these attacks go below the radar of reputation and statistic-based detection engines which dramatically reduce their chances to be caught. Since many organizations these days still count on Office ATP as their main email protection, it’s safe to assume that the attack will reach the victim’s mailbox and he or she will be tricked.
The bottom line is that no matter how educated the receiver of these attacks is about phishing, the chances to realize that this is a phishing scam are very low. In addition, the commonly used anti-phishing solutions are struggling to detect these multiple-hop phishing attacks, especially if they are rare or targeted, so the risk is high.
What Can Be Done?
Trying to finish this post with a positive tone, I would encourage you to test your email security against the newest and most sophisticated threats that are out there, and would offer to protect your email and other collaboration tools using an advanced solution like BitDam’s. You can register for a free trial and see how effective it is on your own.