Alert: Malformed HTML helps phishing emails evade Office ATP
In the past week or two, our team at BitDam observed a spike in phishing emails that use illegal HTML structure in order to get into our customers’ inboxes. BitDam ATP detected and blocked these attack attempts at first encounter, but they did bypass Microsoft Office ATP among other solutions.
A Real Attack Example
As many other phishing attacks targeting businesses, this one too aims to get the user’s Microsoft credentials. The HTML email body fools the user to click a link in order to access a document on SharePoint. In this particular case, a financial document.
Clicking the “open” button would take the victim to a fake SharePoint login page that is used for collecting the credentials once entered.
So far this looks like any other phishing attempt and you would think most email protections solutions will detect it. So how come it went below the radar of Office ATP?
The Evasion Technique: Malformed HTML x2
Instead of just using the phishing link as part of the HTML, the attackers appended the malicious code to the end of the message, after the closing </html> tag. In the screenshot below, you can see that the HTML document ends at row 38, while rows 40-60 contain extra code, which is the malicious script.
Most security solutions miss this second body, which means they would not identify the malicious part of the email in this case.
The attackers take advantage of the fact that most security products scanning emails wouldn’t scan the code that appears after the closing <html> tag, while browsers will try running the full code. The result – email security products won’t see the malicious part of the email (i.e. the phishing link), but end-users will see it and are likely to click it.
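To illustrate the detection gap described above, here is an added example (not code from the original post or from BitDam) that extracts links from a constructed email body two ways: a naive scan that stops at the first closing </html> tag, and a scan of the entire raw body that also sees whatever was appended afterwards. The sample body, host names and function names are all assumptions made up for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not the original attack): a benign-looking body, a closing
# </html> tag, and a second fragment appended after the document has "ended".
RAW_BODY = """<html>
<body>
<p>A financial document was shared with you on SharePoint.</p>
<a href="https://sharepoint.example.com/sites/finance/doc1">Preview</a>
</body>
</html>

<div style="text-align:center">
<a href="https://login-example.invalid/auth">Open</a>
</div>"""


class _LinkCollector(HTMLParser):
    """Collect href values from <a> tags in whatever text it is fed.

    html.parser is tolerant: it keeps emitting tag events after </html>,
    much like a mail client's renderer keeps displaying the trailing content.
    """

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value.strip())


def _links_in(fragment):
    parser = _LinkCollector()
    parser.feed(fragment)
    parser.close()
    return parser.links


def _close_tag(body):
    """Position of the first closing </html> tag, or None if absent."""
    return re.search(r"</html\s*>", body, re.IGNORECASE)


def links_before_close(body):
    """Naive scan: treat the closing </html> tag as the end of the document."""
    m = _close_tag(body)
    return _links_in(body if m is None else body[: m.start()])


def links_full_body(body):
    """Robust scan: feed the entire raw body, trailing content included."""
    return _links_in(body)


def trailing_links(body):
    """Links that exist only in the content appended after </html>.

    A non-empty result is a strong signal worth flagging: a well-formed message
    has nothing of interest after its closing tag.
    """
    m = _close_tag(body)
    return [] if m is None else _links_in(body[m.end():])


def hosts(links):
    """Distinct host names referenced by a list of links, for quick review."""
    return sorted({urlparse(link).hostname or "" for link in links})
```

Running `trailing_links(RAW_BODY)` on the constructed sample returns only the link hidden after the closing tag, which the naive scan never sees.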
What Can You Do About It?
Keep watching out, as phishing attempts continuously become more sophisticated with attackers developing new tricks to evade traditional security tools.
And if you aren’t sure how good your current security is, and if it would detect such attacks, you’re welcome to use BitDam BAS2.0 called “Lucky Meter” which uses the latest attacks from the wild in real time to continuously test your security.
Alert: Error Messages, Double Click and RSS App Help Trick Security Solutions
In the past couple of weeks BitDam ATP detected some interesting phishing attempts that combine several tactics to make it harder for security solutions to detect and block them, and to defeat phishing awareness training. As you can imagine, it works, and the leading email security vendors fail to detect these attacks.
An example from the wild
Here is an example of a specific attack that I found particularly interesting:
The original email contains a calendar invitation which looks completely legitimate. The sender nickname was modified as the threat actor desired, as can be seen from the EML headers:
This means that the attackers had full control over the email server. Digging in a bit more, it seems like they created the designated email domain, wildwestdomains.com, for this purpose:
In fact, the domain was created only 3 days before the attack was sent out, as you can see in the following image.
Clicking the email attachment (in this particular attack it was a calendar invitation), the user gets a fake error message.
Clicking “Retry”, the user is transferred to a website that is local on the filesystem or in an iframe, as you can see in the domain blob on this screenshot:
The local website shows another error message and requests a password. Once the password is entered it is sent to an RSS application and stored there.
From this point, the attackers hold the user’s credentials and you can be assured they will take full advantage of that.
Now, what did we have here?
So why is it so interesting? Each of the elements used in this attack is not new by itself, nor very sophisticated. However, using all of them in one attack which was properly orchestrated makes this attack almost undetectable by email security solutions. Here are the highlights of the tactics used in this attack:
Brand new email domain – solutions that base their detection on statistical models and reputation tend to trust new email domains as they don’t have any bad reputation yet. Attackers know that and use new email domains to reduce suspicion.
Fake error message – Clicking the link in the message leads to a fake webpage that looks like a Microsoft error message. Security solutions are trained to suspect webpages that ask for credentials when looking for phishing threats. Pages that look like error messages are likely to pass below their radar because they don’t look like a phishing attempt.
Requiring a second click – The webpage that asks users for their password is hidden behind another link. The user reaches it only after clicking the error message on the first webpage, which makes it more difficult for email security solutions to detect that this is a phishing scam (it needs to follow two clicks instead of just one).
Local webpage – The attackers use a local webpage which again, looks less suspicious from an email security solution perspective. Another obstacle for detecting it as a phishing attack.
Using RSS – For collecting the passwords, the attackers use an RSS application which makes it look even more legit, helping to bypass email defenses.
Based on BitDam’s observations within its customer base worldwide, many security solutions failed to detect this specific attack as well as similar phishing threats that use a combination of these techniques. These attacks remained undetected by other security products for many hours, while BitDam blocked them at first encounter.
Curious if this threat and newer attacks bypass your email security? You’re welcome to register for BitDam Lucky Meter – the next generation Breach and Attack Simulation which would send you the freshest attacks from the wild or access our malware feed.
Top Tips for MSPs to Protect Customers from Phishing and Ransomware
Unlike a couple of years ago, small and medium-sized businesses now deal with cyberthreats on a daily basis. Cybercriminals no longer overlook SMEs. They rather see them as valid targets, and a much easier prey than larger organizations. The fact that many small and medium businesses moved to working from home last year and started using collaboration tools like O365, OneDrive, Teams and Zoom makes the opportunity for bad actors even bigger. In fact, 43% of cyber attacks target small businesses. Ransomware and phishing attacks turned into significant threats for SMEs in 2020, with 66% of SMEs reporting that they are concerned or extremely concerned about cyber security risk.
How can you as an MSP help SMEs stay protected from these threats?
Many SMEs use external managed IT services and therefore want to trust their MSP to handle their cybersecurity too. There are some simple actions you can take in order to check your customers’ current security vulnerabilities, and then bridge these gaps. In this blog post, we will focus on what to consider when securing the customer’s email and other collaboration platforms used to exchange content internally and externally such as OneDrive, Sharepoint, Google Drive, Teams, Zoom and more.
Assess the current security posture
Cyberthreats are constantly evolving (on a daily or even hourly basis) in order to bypass security solutions. With email being the main attack vector for such threats, it’s important to test your customers’ email security and better understand their current gaps. It’s recommended to do this regularly to accurately assess what’s going on. And even more crucial to do it before making any decision related to securing the customer.
The good news is that there are free vulnerability assessment tools that are easy to use. Within less than an hour you can know your customer’s real exposure to cyberthreats. You can start by trying BitDam’s Breach & Attack Simulation (BAS) and BitDam BAS2.0 – Lucky Meter or search for similar tools online.
Protect all collaboration platforms
The most burning need for most SMEs is protecting their email. We believe all organizations should use an Advanced Threat Protection solution for email (as a side note, Microsoft Defender/Office ATP doesn’t perform well when it comes to advanced threats). In addition to email, the risk of cyberthreats being delivered and spread via other collaboration tools is constantly growing. Ideally, you want to use a security solution that protects different channels, but is managed from one place. This will ensure your SME is protected, while reducing overhead and costs on your end.
Considering that many SMEs use Office 365 or G-Suite for all their collaboration needs, or might be using additional tools such as Zoom, Slack or Dropbox, it’s relatively easy to find ONE security solution that covers ALL these tools. This will allow your team to manage the security of all customers and all their collaboration channels from one dashboard in a frictionless manner.
Minimize your team’s overhead
Providing your customers with effective cybersecurity doesn’t have to involve additional overhead. Just like you should select a security solution that helps you secure various collaboration tools at once, you should also choose a solution that makes it easier to manage many customers from one place. Selecting the right product allows you to quickly gather insights and easily take action across the different customers you manage, can save your team many hours, increase productivity, and make your business more competitive.
Being cautious of your team’s time, you should also check the ease of deployment and required maintenance before committing to a specific solution. Assuming that you’re planning to deploy the same security solution among many of your customers, you want to make sure the process is quick and doesn’t require any configuration or changes. It’s best to avoid products that require periodical maintenance or updates. There is just no reason to waste your team’s time on such activities.
Try before you buy
Effective protection does not necessarily mean heavy commitment. In the world of cloud solutions, you can try several products before you engage with one. There are plenty of security tools that offer free trials so you can explore all options to ensure a good fit, and only then make a commitment. For Office 365 clients, the Azure Marketplace is a good place to start from. You can search for Email Protection, OneDrive Protection, Teams Protection and so on, and get a variety of solutions that are ready to install. Many of which offer free trials!
Alert: Microsoft’s email security lets fake Zoom emails in
There is a new phishing email in the neighborhood, and even though it leads to a fake Office 365 login page, Microsoft struggles to detect it and for days now, it keeps bypassing not just the basic Microsoft email security, but also the premium security – Microsoft Defender for Office 365 (also known as Office ATP).
This phishing campaign, which BitDam detected at first encounter last week, started small and after 24 hours was sprayed all over. BitDam ATP first detected this phishing email in the UK on December 2nd. While I’m writing this blog post it has already spread to the US and other countries, targeting organizations of all sizes and from a variety of industries.
As many other phishing attacks aiming to harvest Microsoft users’ credentials, this attack is sent via email. The email looks like an invitation to a Zoom meeting that contains the link to the video conference. The email messages are all identical and look like this:
While the message might not seem identical to the normal Zoom meeting email invitation (it typically includes a ‘Passcode’ rather than ‘PIN’ and doesn’t include the dial in numbers), it may trick the user. Moreover, even if the user is suspicious, he or she is very likely to go on and click the link once they see the URL looks perfectly real.
Clicking the link leads to a fake Microsoft Outlook login page. In all the attacks we’ve identified, this page was hosted on various Google services that allow hosting, such as googleusercontent.com or the Google Storage API. The phishing page looks like this:
We saw different URLs and hosting websites used in this campaign, but all of them led to web pages that look almost the same, trying to phish for Microsoft credentials.
Not surprisingly, the attackers use various URLs and keep changing them, probably in order to avoid reputation-based engines used by Microsoft and other security controls, which may identify the link after it’s being used for a while or reported as malicious. Unfortunately, in this campaign, some of the URLs were live for 24 hours or more (we didn’t check all of them, but the ones we did were kept live for way too long).
Why is this attack interesting?
It may be hard to believe but we see phishing scams that bypass Office ATP every day. We even see a lot of phishing emails that lead to fake Microsoft webpages which go undetected by Microsoft itself. Unfortunately, this isn’t new either.
So what’s so interesting about this specific campaign? First, its volume. We saw it spreading quickly among our customers that use Microsoft email security worldwide, and Microsoft kept missing it again and again. Secondly, there is a new social engineering angle used here – the attackers could use a clickable button instead of writing the entire URL. They decided to include the URL in the email body, to reduce suspicion as some users wouldn’t click buttons or hyperlinks in unexpected emails. Once the attackers gained the user’s trust early in the ‘journey’, the user is more likely to keep believing and enter the credentials when requested.
Why does Microsoft’s Office ATP miss this attack?
We suspect that Microsoft doesn’t identify this phishing email campaign because Microsoft email defenses are based on statistical models and reputation. As long as the attack is new and not widely spread, Microsoft will not detect it. In addition, the constant changes to the specific URLs used in this campaign make it difficult to track when detection is based on reputation. Using legitimate Google websites for hosting makes it even harder.
BitDam, on the other hand, doesn’t base its detection on knowledge about past attacks, which allows BitDam ATP to detect and stop new threats when they’re seen for the first time.
How to avoid such attacks?
The easiest way is to augment the security you get from Microsoft with a dedicated, more advanced email security defense layer that uses a different technological approach and detects such phishing attacks and other threats that Microsoft tends not to identify while they’re still new.
If you don’t have such a solution in place, it’s recommended to hover the mouse over the link and verify that it goes to the Zoom website. Many organizations use URL rewriting (i.e. Safe Links or urldefense), which prevents users from actually seeing the domain the URL is pointing to. In that case, it is ok to click the link, but never enter your Office 365 credentials. If you think about it, why should Zoom need your Office 365 authentication?
And last but not least, if you aren’t sure about a link, you can always scan it using the BitDam online URL scanner and you’ll know if it’s a phishing scam in seconds.
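The advice above (check that the link really goes to Zoom, even when URL rewriting hides the destination) can be automated for a help desk or a mail-flow rule. This is an added example, not code from the post or from BitDam: it unwraps Microsoft Safe Links (the destination sits in the `url=` query parameter) and Proofpoint URL Defense v3 links (assumed layout `/v3/__<destination>__;...`), then checks that the final host is zoom.us or a subdomain of it. The sample links and the `zoom.us` allowlist are assumptions constructed for this illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample links (none are from the real campaign): one rewritten by
# Microsoft Safe Links, one by Proofpoint URL Defense v3 whose destination only
# *starts* with zoom.us, and one plain Zoom link.
SAMPLES = [
    "https://nam02.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fus02web.zoom.us%2Fj%2F123456789&data=placeholder",
    "https://urldefense.com/v3/__https://zoom.us.example-login.invalid/j/123__;!!placeholder$",
    "https://zoom.us/j/987654321",
]

# Assumed allowlist for this demo: the registrable domain Zoom meetings use.
ALLOWED_DOMAIN = "zoom.us"

# Assumed URL Defense v3 layout: the destination is wrapped in "__...__;".
_URLDEFENSE_V3 = re.compile(r"^https?://urldefense\.com/v3/__(.+?)__;", re.IGNORECASE)


def unwrap(link):
    """Return the destination hidden behind a rewritten link, or the link itself.

    Works on the raw string for URL Defense because urlparse would split the
    trailing ';...' part off as path parameters.
    """
    m = _URLDEFENSE_V3.match(link)
    if m:
        return m.group(1)
    parts = urlparse(link)
    host = (parts.hostname or "").lower()
    if host.endswith(".safelinks.protection.outlook.com"):
        target = parse_qs(parts.query).get("url")
        if target:
            return target[0]
    return link


def is_zoom(url):
    """True only for zoom.us itself or a subdomain of it.

    A plain endswith("zoom.us") check would accept hosts such as
    "notzoom.us"; matching on the dot boundary avoids that, and comparing the
    whole hostname avoids the "zoom.us.<something>" trick.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)


def triage(link):
    """Summarise what the user sees versus where the link really goes."""
    destination = unwrap(link)
    return {
        "shown": link,
        "destination": destination,
        "destination_host": urlparse(destination).hostname or "",
        "is_zoom": is_zoom(destination),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage(sample)
        verdict = "ok" if result["is_zoom"] else "NOT ZOOM - do not enter credentials"
        print(f"{result['destination_host']:<35} {verdict}")
```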
Alert: The new phishing combo trick that bypasses Office ATP
A few weeks ago, BitDam ATP detected an outstanding attack that was sent over email to one of our European customers and easily bypassed Office ATP. We analyzed it and since it was super-targeted, we assumed it’s a one time thing and moved on.
Surprisingly, since then we detected a few other attacks that use the same tactic. That’s when I thought it’s worthwhile to tell you guys about it!
Legitimate Sender and Email Address
It all starts with an email that is sent from a real legitimate email account. Seems like the hacker gained control over a mailbox of a real person. Moreover, in all these instances that we detected, the sender was from an organization that is in constant relationship with the targeted organization. Obviously, the attacker did some research prior to launching the attack. He or she targeted a specific organization and searched for vulnerabilities in the organizations surrounding that target – vendors, clients or service providers. Once such an opening was found, the attacker used it to take over a real email and send messages on behalf of a real user. Since this is a very targeted scam, it is likely that the compromised email owner didn’t even notice that an email that he was not intending to send was sent out of his mailbox.
Hiding Phishing in a Multiple-hop Journey
The next step was luring the receiver to click something. In one of these cases, the receiver was sent a “document” that he was requested to sign using DocuSign. Clicking the DocuSign button took him to a fake DocuSign page hosted on SharePoint, with a button saying “Please proceed here”. Clicking that, the user was transferred to a phishing webpage that looks exactly like a Microsoft login page, asking for the victim’s Microsoft credentials.
In another case, the excuse was “SENDER shared a file with you” using the sender’s real name.
Clicking the ‘open file’ button leads to what looks like a OneDrive webpage, which requires another link to access the document. This link is the phishing URL – taking the victim to a OneDrive login page that asks for username and password.
The first hop in all these attacks was hosted on SharePoint, which makes them more reliable and helps them to evade both email security and suspicious users.
Why are these attacks so dangerous?
These targeted attacks are extremely dangerous for two main reasons:
Office ATP misses them. Even though BitDam ATP stopped them, they are proven to bypass Office ATP as well as other email security solutions. Why? First, since these attacks are very targeted and unique, they go below the radar of statistic-based security solutions. Secondly, because the phishing link is hidden behind several steps (a few clicks are required before getting to the phishing URL), and most security solutions fail to follow all these steps when scanning emails.
They look very real! Sent from a real person’s mailbox, who the victim is in touch with, going through several web pages that all look legit and asking to login in order to access a file. All that looks like a normal and legit journey to access a file that someone you work with sent you. None of this is out of context so there is no reason the receiver will be suspicious.
The main thing that makes these attacks so unique and successful is the trick they are using in order to evade anti-phishing solutions. Combining multiple hops while counting on the user’s behavior to move from one hop to another, makes it almost impossible for email security solutions to identify that there is a phishing URL hiding there.
This, combined with the fact that these attacks are used rarely and are very targeted, makes them undetectable by security solutions that base their verdict on statistical and machine learning models, such as Office ATP and Proofpoint TAP. Using a different scanning approach that is 100% attack agnostic and doesn’t rely on knowledge of other threats, BitDam detects these attacks.
The Benefits of Targeted Attacks
In our video series ‘Get into The Phisher’s Mind’ which covers the decisions hackers have to make when they plan a phishing scam, we discussed spraying vs. cherry-picking. As you can easily tell, the attackers in these cases chose to go cherry-picking and tailored the attack to their specific target.
The cost for the attackers creating such a focused scam is clear – higher investment per attack. So why would they do that? The reason is that using such a targeted method, these attacks go below the radar of reputation and statistic-based detection engines which dramatically reduce their chances to be caught. Since many organizations these days still count on Office ATP as their main email protection, it’s safe to assume that the attack will reach the victim’s mailbox and he or she will be tricked.
The bottom line is that no matter how educated the receiver of these attacks is about phishing, the chances to realize that this is a phishing scam are very low. In addition, the commonly used anti-phishing solutions are struggling to detect these multiple-hop phishing attacks, especially if they are rare or targeted, so the risk is high.
What Can Be Done?
Trying to finish this post with a positive tone, I would encourage you to test your email security against the newest and most sophisticated threats that are out there, and would offer to protect your email and other collaboration tools using an advanced solution like BitDam’s. You can register for a free trial and see how effective it is on your own.
An old threat has resurfaced, and in its latest guise, it has been able to consistently bypass Office ATP security measures.
For over six months now we’ve seen this method of attack actively using Excel4Macro to deliver dangerous malware – including hundreds of such attacks in the U.S in the past few weeks. These attacks keep coming, and at BitDam we’ve noted more than 500 unique incidents within the past two weeks of October.
It’s not just Microsoft Office ATP that’s missing this threat – other advanced email solutions are being bypassed over and over again.
The malware in question is called zLoader. In this piece, we’ll look at it in more detail, including the steps you can take to ensure you’re safe from this type of attack.
zLoader is back
zLoader is a variant of the Zeus banking malware, which was first spotted in the wild in 2006. It is deployed onto a victim’s infrastructure through Office macros, and is then able to steal passwords, make financial transactions and exfiltrate sensitive data.
This latest version of zLoader includes numerous evasion and obfuscation techniques. For example, it does not fetch the payload unless certain criteria are met, like a sound card being present. This, along with other techniques such as junk code and encrypted strings, have helped this campaign to be so successful.
What does it actually look like?
This Excel4Macro attack, as the name suggests, takes advantage of Excel macros – essentially an automated set of actions.
Initially the user is presented with an Excel spreadsheet that attempts to convince them to “enable editing” and “enable content” and thus circumvent default Microsoft security features. To do this, various ploys are used: from “download this invoice” to “a family member has been exposed to COVID-19”.
Varying degrees of sophistication are employed. What follows is a relatively simple example. Note the ruse and the calls to action.
As you can see, there is another sheet or tab present. If one were to open it up and search for non-empty cells, the Excel4Macro attack would be immediately visible. Here’s a sample of it:
This threat however, is constantly evolving. The way it is being used now is more complex and sophisticated than ever before, with the threat actors finding increasingly devious ways to obfuscate the Excel4Macro element of the attack.
Not content with stopping there, they are now even using new functions of Excel4Macro to evade current Office ATP detection techniques, fetch the zLoader malware from a remote server, and run it on the victim’s machine.
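The post points out that the macro lives on a separate, often hidden, sheet and becomes visible once you look for its non-empty cells. As an added example (not BitDam's tooling and not a real zLoader sample), here is a stdlib-only triage script for the OOXML (.xlsm) container: it lists sheets marked hidden or veryHidden in workbook.xml and counts formula-bearing cells in any part stored under xl/macrosheets/, which is where Excel 4.0 macro sheets are kept. The workbook it inspects is constructed in memory with harmless placeholder formulas; the part names, element layout and sheet names are assumptions for this illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace prefix from an element tag ("{ns}c" -> "c")."""
    return tag.rsplit("}", 1)[-1]


def build_sample_workbook():
    """Construct a minimal OOXML workbook in memory (not a real sample).

    It has one visible worksheet and one veryHidden Excel 4.0 macro sheet
    whose cells hold harmless placeholder formulas.
    """
    workbook_xml = """<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
  xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <sheets>
    <sheet name="Invoice" sheetId="1" r:id="rId1"/>
    <sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>
  </sheets>
</workbook>"""
    # Assumed macro sheet layout: sheetData/row/c with <f> (formula) children.
    macro_xml = """<?xml version="1.0" encoding="UTF-8"?>
<macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <sheetData>
    <row r="1"><c r="A1"><f>ALERT("constructed sample")</f></c></row>
    <row r="2"><c r="A2"><f>HALT()</f></c></row>
    <row r="3"><c r="A3"/></row>
  </sheetData>
</macrosheet>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook_xml)
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        z.writestr("xl/macrosheets/sheet2.xml", macro_xml)
    return buf.getvalue()


def triage_workbook(data):
    """Report hidden sheets and the non-empty cells of every macro sheet."""
    report = {"hidden_sheets": [], "macrosheets": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "xl/workbook.xml" in names:
            root = ET.fromstring(z.read("xl/workbook.xml"))
            for el in root.iter():
                if _local(el.tag) == "sheet" and el.get("state") in ("hidden", "veryHidden"):
                    report["hidden_sheets"].append((el.get("name"), el.get("state")))
        for name in names:
            if not (name.startswith("xl/macrosheets/") and name.endswith(".xml")):
                continue
            cells = []
            for c in ET.fromstring(z.read(name)).iter():
                if _local(c.tag) != "c":
                    continue
                # A cell counts as non-empty if it carries a formula or a value.
                content = next((ch.text for ch in c if _local(ch.tag) in ("f", "v")), None)
                if content is not None:
                    cells.append((c.get("r"), content))
            report["macrosheets"][name] = cells
    return report


def is_suspicious(report):
    """Flag any workbook that carries a macro sheet with at least one live cell."""
    return any(cells for cells in report["macrosheets"].values())


if __name__ == "__main__":
    rep = triage_workbook(build_sample_workbook())
    print("hidden sheets:", rep["hidden_sheets"])
    for part, cells in rep["macrosheets"].items():
        print(part, "->", cells)
    print("suspicious:", is_suspicious(rep))
```

A hidden sheet on its own is not proof of anything, but a veryHidden sheet together with a populated macro sheet is the exact shape the post describes and is a reasonable trigger for quarantine or deeper analysis.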
Analysis and protective measures
Based on testing using BitDam’s BAS2.0, these attacks are not being detected by Office ATP, even a full 48 hours after the first time that Office ATP has encountered them.
To assess your organization’s current vulnerability to zLoader and other real-world, real-time malware and phishing attacks, BitDam provides a range of tools to gauge your current risk profile and protect against the latest threats.
When it comes to assessment tools, BitDam offers incredible functionality and coverage with BAS and BAS2.0.
And for comprehensive advanced threat protection against the latest and evolving threats, try BitDam ATP for the Enterprise or SMEs.
Norman McKeown, LSH Auto UK on BitDam Office365 Email, OneDrive and MS Teams
We’ve interviewed Norman McKeown, LSH Auto UK Head of Information Technology, about his experience with BitDam’s Advanced Threat Protection (ATP). LSH Auto is the largest Mercedes-Benz dealership in the UK.
Here is the result in video and text:
Q: How did the COVID-19 pandemic present new challenges for LSH Auto? Collaborating digitally was maybe not as big a piece of the puzzle previously?
A: Yeah. COVID-19, I think for a lot of organizations, certainly ours, came out of the blue and came on very quickly. Being an automobile organization, a car company, we are quite old-fashioned in the way we do a lot of things. Digital collaboration, remote working, was not normal practice for our business. When COVID-19 hit we had to figure out how can we keep certain areas of the business trading whilst working remotely? It was a whole new level of collaboration, a whole new level of data protection. A whole new level of information transfer that we had not previously done as an organization or indeed as an industry before. The biggest challenge was how could we quickly convert to that mode of working while still keeping our systems secure, keeping our users secure, and as I say, keeping our customers’ information secure. It was a very, very quick and rapid change of use of technology for us as a group.
Q: As you were evaluating potential solutions, why did LSH Auto ultimately decide to invest in BitDam?
A: BitDam came to my attention as a relatively new organization. But their approach to, initially email security, which was the first area I was looking at, was a very different approach to what I’d seen with some of the other ATP companies that I was dealing with. The big wins for me was their ease of integration. Setting it up couldn’t have been simpler. I didn’t have to change my users where I was working. They carry on working as normal. But also the ability to react whenever new threats came out. The ability to react and ensure that we were protected against those threats was one of the biggest wins for me that meant I didn’t have to think about speaking to my ATP company to say, “This new threat is available, can you help protect us against it?” BitDam were already ahead of the curve and quite often protecting me before I’d even had a chance to talk to them about it.
Q: Now moving on to more of the results that you see now that you’re partnering with BitDam. From a high level, what have the results been? What does BitDam enable for LSH Auto?
A: Since we’ve implemented BitDam, we’ve seen a significant drop in the number of phishing emails and rogue emails that have come into our system, into our users’ inboxes. For me, with a very small IT department to support the group, it’s great having BitDam on board because by the time we’ve received the notification, we know that this batch has already been dealt with and handled and it’s an awareness notification for us. Seeing what has made it through our first level of defense and having BitDam as our second level of defense, and since expanded from just the email into OneDrive, into Teams, into SmartLink scanning, means that I know my users are secure and that very, very little rogue data gets through us to my users’ inbox. That has made my life a lot easier, of almost not having to think about it from that respect.
Q: What would you say the number one biggest benefit of BitDam has been?
A: I’d say the ease of deployment has to be the biggest win for me as head of IT and for us as an organization. Looking at solutions that would involve changing the way users operate, there’s a human element in that. Where they risk forgetting to use the secure route. Forgetting to click on the secure button. With BitDam, we were able to deploy it centrally from the IT division in a very quick period of time. Our users carry on as they normally do. They don’t have to think about it. They don’t have to think about system security. It just integrates seamlessly with Office 365 platform and scans everything in the background. Definitely for us, one of the biggest wins is we could roll it out with essentially no user training.
Q: How has BitDam, for OneDrive and Teams, helped you to address some of those challenges that you spoke of earlier with collaborating remotely?
A: We originally deployed BitDam against our email client; we’ve since expanded the protection to cover our OneDrive and our Teams portions of Office 365. This was actually done prior to COVID really causing an issue in the UK. But for us it meant we were in a really strong position to bring the company into a digital world and digital collaboration. It meant we could securely share business information, financial information, customer information. Knowing that we had this level of protection in our system, that should any attack try to come in, we had this level of protection that could stop that from compromising our data and ultimately compromising our customers’ information. It made life an awful lot easier for us moving to the new world of remote working.
Q: Has BitDam ATP caught threats that have been missed by Microsoft Office ATP?
A: One of the reasons why I wanted to look for an additional ATP program was I was seeing a number of threats coming through our Microsoft Office ATP program. Whilst it was picking up a large number, I still had a significant number of threats coming through and reaching the users’ mailboxes. Some of which were easy to spot; some, even for me as a seasoned professional in IT, took quite a bit of analysis to determine, was it a phishing email or was it a genuine one? Once we introduced the BitDam platform as a second line of defense, we then noticed that those that were coming through and bypassing the Microsoft ATP were then being picked up by the BitDam platform and stopped from reaching our end users’ mailboxes and our end users’ OneDrives, which really gave us that extra added level of security that we were looking for.
Our researchers recently observed a new trend in phishing email campaigns that is worth sharing here. We all know how almost 20% of the phishing emails out there are faking Microsoft login pages, aiming to steal Office 365 credentials. Some of you may even be careful when getting an email that links to a Microsoft login webpage, suspecting it might be a phishing scam. You’re definitely right about this one! But, would you ever suspect a Microsoft login page that uses your corporate logo, branding and URL? This is what hackers started doing recently, to fool both end-users and email security engines.
The New Way of Stealing Office 365 Credentials
Traditionally, phishing attacks that lure users into entering their Microsoft credentials use fake generic O365 login-pages with a Microsoft logo that look like this one:
The new method includes the following elements that, together, make it almost impossible to notice that this is not the real brand’s login page:
1. The targeted organization’s logo. The organization’s logo is injected into the O365 login page. Not only does this help the fake page look more real to users, it also makes it harder for phishing detection engines that are based on reputation or image analysis to detect it. The fake login page would look like this:
2. The targeted organization’s domain in the link the user sees (it will later on redirect to the phishing URL). The majority of phishing attacks use an initial URL that redirects to the malicious URL. This is a basic technique to bypass phishing detection engines as well as suspicious users. In these tailored attacks, the hackers use the organization’s name in the initial URL so it contains the domain name of the targeted organization. As you can see in the screenshot, they typically insert the victim’s organization name at the beginning of the URL, so that’s what users see when they hover over the link or click it. This way, they are less likely to think it is not genuine.
3. The targeted organization’s branding or look and feel in the background. In case the two techniques described above are not convincing enough, some attackers take it to the next level and use a background that matches the victim’s branding. This could be an image or a branded background that is available online.
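Technique 2 is the one a mail filter can check mechanically: the organization’s name or domain shows up in the part of the URL a user reads, while the registrable domain that actually answers the request belongs to someone else. The following Python is an added example written for this post, not BitDam code: it pulls every link out of an HTML email body, works out where the organization’s identity appears (userinfo before an “@”, subdomain of a foreign domain, path or query, or the visible link text) and flags links whose real destination is outside the organization’s own domains. The organization name “Contoso”, its domain and the sample email are constructed, and the two-label registrable-domain rule is a stated simplification.

```python
"""Flag email links that embed a target organization's name or domain in
the visible URL while the registrable domain belongs to someone else.

Added example; not BitDam code. 'Contoso', 'contoso.com' and the sample
email body below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote


def registrable_domain(host: str) -> str:
    # Simplification (assumption): the last two labels are the registrable
    # domain. Production code should use the Public Suffix List so that
    # hosts such as 'example.co.uk' are handled correctly.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(href: str, org_name: str, org_domains) -> dict:
    """Report where the organization's identity appears in a URL whose
    real destination is outside the organization's own domains."""
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    trusted_domains = {d.lower() for d in org_domains}
    trusted = reg in trusted_domains
    needles = {org_name.lower()} | trusted_domains
    reasons = []
    if host and not trusted:
        userinfo = unquote(parts.username or "").lower()
        # everything left of the registrable domain, e.g. 'contoso.com'
        # in 'contoso.com.login-verify.example'
        subdomain = host[: -len(reg)].rstrip(".") if host.endswith(reg) else ""
        tail = unquote(f"{parts.path}?{parts.query}#{parts.fragment}").lower()
        for label, haystack in (
            ("org identity in userinfo before '@'", userinfo),
            ("org identity in subdomain of a foreign registrable domain", subdomain),
            ("org identity in path, query or fragment", tail),
        ):
            if any(n in haystack for n in needles):
                reasons.append(label)
    return {"href": href, "host": host, "registrable_domain": reg,
            "trusted": trusted, "reasons": reasons, "suspicious": bool(reasons)}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def scan_email_html(html: str, org_name: str, org_domains) -> list:
    parser = LinkCollector()
    parser.feed(html)
    trusted_domains = {d.lower() for d in org_domains}
    findings = []
    for href, text in parser.links:
        verdict = classify_link(href, org_name, org_domains)
        verdict["text"] = text
        # Visible text that is itself a URL on the org's domain while the
        # href points elsewhere is the classic hover-vs-click mismatch.
        if "://" in text and not verdict["trusted"]:
            text_host = urlsplit(text.split()[0]).hostname or ""
            if registrable_domain(text_host) in trusted_domains:
                verdict["reasons"].append("link text shows org URL but href goes elsewhere")
                verdict["suspicious"] = True
        findings.append(verdict)
    return findings


# Constructed sample email body (not a real capture).
SAMPLE_EMAIL = """<html><body>
<p>A financial document has been shared with you on SharePoint.</p>
<a href="https://contoso.com/sites/finance/Q3.xlsx">Open (genuine internal link)</a><br>
<a href="https://contoso.com.login-verify.example/auth">Open document</a><br>
<a href="https://contoso.com@login.example/docs">Open on SharePoint</a><br>
<a href="https://cdn.example.net/r?u=contoso.com/signin">View shared file</a><br>
<a href="https://docs.example.org/shared/Q3.pdf">https://contoso.com/shared/Q3.pdf</a>
</body></html>"""


def suspicious_links(html: str = SAMPLE_EMAIL, org_name: str = "Contoso",
                     org_domains=frozenset({"contoso.com"})) -> list:
    return [f for f in scan_email_html(html, org_name, org_domains) if f["suspicious"]]


if __name__ == "__main__":
    for f in scan_email_html(SAMPLE_EMAIL, "Contoso", {"contoso.com"}):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['registrable_domain']:22} {f['href']} -> {f['reasons']}")
```

Run as a script, the first link (the organization’s own domain) passes and the other four are flagged with the reason each matched. The check deliberately keys on the registrable domain rather than on the string a user sees, which is exactly the part of the URL the technique above manipulates; a reputation lookup on the foreign domain can then be added on top.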
4-fold Increase in The Prevalence of Such Attacks
In the past couple of months, we noticed a dramatic increase in the prevalence of these attacks among BitDam customers. In fact, the prevalence of such attacks in August was more than 400% of the prevalence in July. The trend continued in September with an additional slight increase and keeps going on as I write this post. This implies that these campaigns use some kind of automated tools that were published recently.
We detected these tailored Office 365 phishing attacks in organizations of all sizes, including both small businesses of a few dozen users and large corporations. This strengthens our assumption that faking these login pages is automated and that new phishing kits make the above techniques easy to use.
The emails that lure victims into clicking the link that would take them to their Office 365 account vary as well. Many of them include a notification saying that there is a voice message waiting for them, some use the excuse of Office 365 password expiration, some say that you’ve failed to receive a message from tax authorities and so on. If victims take the bait and click the link, they are then redirected to what looks like their organization’s Office 365 login page but is actually a phishing page aiming to steal their credentials.
Phishing scammers’ lives are much easier these days. In the past, bad actors had to work hard to build such a customized phishing attack, and these were typically saved for the big fish. Nowadays, all they need to do is search online for the newest toolkits and they can spray them all over.
Unfortunately, this makes life much more difficult for both the organizations aiming to protect their employees and assets and the security vendors that help them do so. To protect against such threats, as well as other emerging phishing techniques, organizations need to make sure their email security can protect against any phishing attack and technique, even those not yet known or commonly used. In these cases, reputation-based or signature-based security solutions would not help, as these attacks are customised per organization and reputation lists and signatures can’t be updated at the needed pace. Thanks to its unique attack-agnostic approach, BitDam ATP detected these threats at first encounter, when they had just emerged, without any changes to its detection mechanism.
While BitDam ATP identified these phishing attacks and blocked them before they reached the users’ mailboxes, the phishing method described in this post flies under the radar of most Advanced Threat Protection solutions, including Microsoft’s Office ATP. I recommend testing your email security against these attacks as well as others to better understand your security posture. You may do this using Breach & Attack Simulation tools such as BitDam Lucky Meter.
Traditional Breach And Attack Simulation Is Outdated – Here’s Why
Just glancing at the headlines, it’s easy to see that phishing, fraud, and ransomware campaigns are on the rise. This has been driven by numerous factors, including the availability of “phishing kits” for purchase on the dark web. Malicious actors are getting more sophisticated and are targeting companies of all sizes and in any industry. So how do you keep your organization safe?
Assessing Strengths and Weaknesses
A great place to start is with understanding your current security posture. Where are your weaknesses? What areas need to be shored up? Finding and evaluating your gaps and vulnerabilities is the first step in keeping your data, users, and network safe. Running tests – including an email security test, malware test, and phishing test – is an important way to gain insights into your vulnerabilities.
Pen Testing to Find Answers
This is where pen testing (penetration testing) is often used. Generally speaking, pen testing comprises a single test that is built from artificial attack samples.
However, this approach has a number of drawbacks. Artificial attacks just do not provide the same assurance or insights as the real thing. Your current architecture might cope just fine with artificial incursions but might fail when it comes to the real thing.
Pen testing is therefore increasingly being replaced by Breach and Attack Simulation (BAS) tools.
Breach and Attack Simulation (BAS)
BAS tools provide an ongoing evaluation of your organization’s security posture. The promise of BAS was enticing: the ability to simulate real attacks that are updated based on attack trends and threat popularity. This has led to a market for BAS tools that is growing rapidly.
As great as BAS is, there remains a difficulty – one that could mean the difference between successfully thwarting a cyber attack, or falling victim to such an attack.
BAS solutions still use artificial attacks, and thus cannot effectively tell you how your security stack will deal with a real-world, live threat. Threats are simulated based on those seen in the wild, but by definition these are still simulations, a reflection of the real attack.
Preparing for the next threat
There is a dangerous time lag from when a new attack is released until it is incorporated into BAS solutions. With malicious actors constantly changing tactics – including automating threats to mutate and evade security solutions – ideally, you would want to test your system against real attacks, those seen in the wild in real-time. Knowing that your organization’s security posture can deal with yesterday’s attacks just doesn’t cut it anymore.
A key challenge is that risk is highest when a threat or a new attack technique is released for the first time, before your security solutions have come to recognize and deal with the threat. By this time, new threats will already be targeting your organization. It’s an issue of speed, and tools that can give you answers in real-time about how you’re dealing with the latest threats are critical.
There’s an acute need for vulnerability assessment tools that use real, live threats – rather than old or simulated ones.
With BAS 2.0, BitDam has launched its new generation of BAS solutions that are the answer organizations have been looking for.
Take BitDam Lucky Meter, or BAS2.0. Lucky Meter uses the freshest in-the-wild malware and phishing threats to continuously test your email defenses, empowering you to assess your organization’s defenses against malware – in real-time. The ability to run an email security test, malware test, or phishing test using real and ongoing attacks is priceless.
BitDam Lucky Meter sends real attacks of all types from the wild, as they materialize. This is done constantly while ensuring the testing is non-intrusive. BitDam Lucky Meter offers a continuously updated dashboard showing which threats bypassed your current security and which were blocked. Critically, it also shows the amount of time your system was exposed to each threat – the Time To Detect or TTD – which is often a more important indicator than the miss rate or rate of detection.
In summary, we’ve moved from pen testing to BAS, and finally to the real thing: a way to continuously assess your security against the latest attacks seen in the wild, in real-time.
Aiming to decrease the chances of being detected and gaining more time before their phishing scam is exposed and blocked by response organizations, attackers use multiple evasion techniques. And they continue to be creative about it!
Tracking these techniques closely, we see a variety of them. Here are a few evasion techniques that help phishing attacks bypass security solutions:
Mobile only – The link directs to the malicious webpage only if browsing from mobile devices, leveraging the fact that mobile devices are less secure than desktops and that users may pay less attention when browsing from their mobile.
Timers before redirecting – the attack waits a few seconds before redirecting to the malicious link in order to evade security solutions that run for a limited timeframe.
Button automation – the redirection to the malicious page happens only after the user clicks a button, which verifies that the user is a real person. Security solutions don’t click it and therefore never “get to see” the malicious page, so they can’t detect the link as malicious.
Captcha defender – just like simple button automation, the victim is redirected to the malicious URL only after solving a captcha or reCAPTCHA and being identified as a real person. Here again, if the security tool can’t access the malicious page, it certainly can’t detect it as malicious.
These techniques and others reduce security solutions’ effectiveness, making it almost impossible to prevent phishing attacks.
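Each of the four techniques leaves a trace in the first page a scanner actually fetches: a meta-refresh or setTimeout delay, a click handler that performs the navigation, a captcha widget, or a user-agent test for mobile browsers. The following Python is an added example written for this post (not BitDam code, and not how any particular product works): it triages a landing page for those traces and turns the result into settings for a detonation run, so that a sandbox waits out a timer, emulates a plain button click, retries with a mobile user agent, and refuses to call a captcha-gated page “clean” rather than giving up after a fixed window. The regexes are heuristics, and the sample pages are constructed stand-ins rather than captured samples; the same triage also covers the captcha-defender campaign described further down.

```python
"""Static triage of a landing page for the redirect-evasion patterns
above: delayed redirects, click gates, captcha gates and mobile-only
branches. The result tells a sandbox how to detonate the page.

Added example; not BitDam code. The regexes are heuristics (assumption)
and the sample pages are constructed, not real captures."""
import re

PATTERNS = {
    # <meta http-equiv="refresh" content="8;url=..."> -> captures delay in seconds
    "meta_refresh": re.compile(
        r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']?\s*(\d+)', re.I),
    # setTimeout(function(){ location.href = ... }, 6000) -> captures delay in ms
    "timer_redirect": re.compile(
        r'setTimeout\s*\(.{0,300}?(?:location|window\.open).*?,\s*(\d+)\s*\)', re.I | re.S),
    # reCAPTCHA / hCaptcha / Turnstile widgets that block automated fetchers
    "captcha_gate": re.compile(
        r'google\.com/recaptcha|g-recaptcha|hcaptcha\.com|h-captcha|cf-turnstile', re.I),
    # navigation that only happens inside a click handler
    "click_gate": re.compile(
        r'onclick\s*=\s*["\'][^"\']*?location'
        r'|addEventListener\(\s*["\']click["\'].{0,300}?location', re.I | re.S),
    # user-agent sniffing for mobile browsers near navigator.userAgent
    "mobile_only": re.compile(
        r'navigator\.userAgent.{0,150}?(?:Android|iPhone|iPad|Mobi)'
        r'|(?:Android|iPhone|iPad|Mobi).{0,150}?navigator\.userAgent', re.I | re.S),
}


def triage_page(html: str) -> dict:
    """Match every evasion pattern and normalise the delays to seconds."""
    hits = {}
    for name, pat in PATTERNS.items():
        m = pat.search(html)
        if m:
            hits[name] = m.group(1) if pat.groups else True
    delays = []
    if "meta_refresh" in hits:
        delays.append(int(hits["meta_refresh"]))
    if "timer_redirect" in hits:
        delays.append(int(hits["timer_redirect"]) / 1000)  # JS delays are in ms
    return {
        "indicators": sorted(hits),
        "max_delay_seconds": max(delays) if delays else 0,
        "click_gated": "click_gate" in hits,
        "captcha_gated": "captcha_gate" in hits,
        "ua_dependent": "mobile_only" in hits,
    }


def sandbox_plan(triage: dict, base_observation_seconds: int = 5) -> dict:
    """Turn the triage into settings for an instrumented-browser run."""
    return {
        # wait out any timer instead of giving up after a fixed window
        "observe_seconds": max(base_observation_seconds,
                               int(triage["max_delay_seconds"]) + 5),
        # a plain button can be clicked by the sandbox; a captcha cannot
        "emulate_click": triage["click_gated"],
        "user_agents": ["desktop", "mobile"] if triage["ua_dependent"] else ["desktop"],
        # content behind a captcha is unreachable, so never return 'clean'
        "hold_verdict": triage["captcha_gated"],
    }


# Constructed sample pages (not real captures), one per pattern.
SAMPLE_PAGES = {
    "benign": "<html><body><h1>Welcome</h1><a href='/docs'>Docs</a></body></html>",
    "timer": ('<html><head><meta http-equiv="refresh" content="8;url=/next"></head>'
              '<body><script>setTimeout(function(){window.location.href="/next";},6000);'
              '</script></body></html>'),
    "captcha_gate": ('<html><head><script src="https://www.google.com/recaptcha/api.js"></script>'
                     '</head><body><div class="g-recaptcha" data-sitekey="SITEKEY_PLACEHOLDER"></div>'
                     '<button onclick="location.href=\'/verify\'">Continue</button></body></html>'),
    "mobile_only": ('<html><body><script>if(/Android|iPhone/i.test(navigator.userAgent))'
                    '{location.replace("/m");}</script>Nothing to see here.</body></html>'),
}


if __name__ == "__main__":
    for name, page in SAMPLE_PAGES.items():
        t = triage_page(page)
        print(f"{name:13} {t['indicators']} -> {sandbox_plan(t)}")
```

The useful output is the plan, not the indicator list: the timer page gets a 13-second observation window instead of the default 5, the mobile-only page is fetched again with a mobile user agent, and the captcha page is held for review because no automated fetcher will ever see what sits behind the widget. Static matching of this kind only tells the sandbox how to behave; the verdict still comes from what the instrumented browser observes.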
Evade with a click of a captcha
In the past couple of weeks our researchers identified a drastic increase in the number of attacks using a captcha defender to get past security tools. And guess what: these phishing attacks indeed bypassed leading Secure Email Gateway (SEG) solutions and even Advanced Threat Protection products, including Office ATP and Proofpoint TAP.
The prevalence of this technique seen among BitDam’s customers grew by hundreds of percent in the past couple of weeks, compared to the previous two weeks. Scanning all attacks from various feeds, we observed the same trend there as well, leading us to conclude that this technique was added to popular phishing kits.
It starts with what seems like an innocent email. Here is one example of a subject line: “New Sharedfile Received for BRAND”. Opening the email, it looks like it contains several attachments, and the user is asked to click a button to view them, with text saying “BRAND uses Outlook Files to share documents securely”. Clicking it leads to a captcha page that looks like this:
The next page would be the actual phishing URL. For example:
By now you are probably wondering how common this technique is and who the target victims are. So… it is more common than you would imagine. We saw it targeting most of our customers, which range from small and medium businesses to enterprises with many thousands of users across various industries and locations. This evasion technique was used in phishing attempts in Europe, North America and the Middle East. The attacks were almost always delivered via email.
Perhaps the most interesting thing about the attacks that BitDam prevented among its customer base was that all of them led to fake Microsoft login pages. As you can see in these screenshots, they varied in their graphics, but Microsoft remains the number one target, with hackers keen to steal Microsoft user credentials.
What can we do about it?
Assuming you don’t want to be the next victim, I would start by checking whether your email security vendor detects such attacks. You can simply register for BitDam Lucky Meter, which will send you the most recent phishing (and malware) attacks as soon as they are released into the wild, and provide you with a simple dashboard so you can easily see what bypassed your current email security. BTW – it’s totally free.
Of course, you should never enter your credentials on unknown websites, but that tip is pretty outdated. Everyone knows they shouldn’t click suspicious links, but somehow there are more successful phishing scams every day. This means someone does click them, right?
However, if you do come across a URL that you aren’t sure about and would like to scan for phishing before going on, you can always use this online phishing scanner, which will give you a verdict in no time, letting you know whether the link is a phishing scam.
BitDam’s mission is to secure enterprise communications across all collaboration tools. We protect organizations from advanced threats hidden in files and links regardless of the threat type and delivery method.