Alert: The new phishing combo trick that bypasses Office ATP

A few weeks ago, BitDam ATP detected an outstanding attack that was sent over email to one of our European customers and easily bypassed Office ATP. We analyzed it and since it was super-targeted, we assumed it’s a one time thing and moved on. 

Surprisingly, since then we detected a few other attacks that use the same tactic. That’s when I thought it’s worthwhile to tell you guys about it!

Legitimate Sender and Email Address 

It all starts with an email that is sent from a real legitimate email account. Seems like the hacker gained control over a mailbox of a real person. Moreover, in all these instances that we detected, the sender was from an organization that is in constant relationship with the targeted organization. Obviously, the attacker did some research prior to launching the attack. He or she targeted a specific organization and searched for vulnerabilities in the organizations surrounding that target – vendors, clients or service providers. Once such an opening was found, the attacker used it to take over a real email and send messages on behalf of a real user. Since this is a very targeted scam, it is likely that the compromised email owner didn’t even notice that an email that he was not intending to send was sent out of his mailbox. 

Hiding Phishing in a Multiple-hop Journey  

The next step was luring the receiver to click something. In one of these cases, the receiver was sent a “document” that he was requested to sign using DocuSign. Clicking the DocuSign button took him to a fake DocuSign page hosted on SharePoint, with a button saying “Please proceed here”. Clicking that, the user was transferred to a phishing webpage that looks exactly like a Microsoft login page, asking for the victim’s Microsoft credentials.   

In another case, the excuse was “SENDER shared a file with you” using the sender’s real name.

Clicking the ‘open file’ button leads to what looks like a OneDrive webpage, which requires another link to access the document. This link is the phishing URL – taking the victim to a OneDrive login page that asks for username and password.  

The first hop in all these attacks was hosted on SharePoint, which makes them more reliable and helps them to evade both email security and suspicious users. 

Why are these attacks so dangerous? 

These targeted attacks are extremely dangerous from two main reasons:

  1. Office ATP misses them. Even though BitDam ATP stopped them, they are proven to bypass Office ATP as well as other email security solutions. Why? First, since these attacks are very targeted and unique, they go below the radar of statistic-based security solutions. Secondly, because the phishing link is hidden behind several steps (a few clicks are required before getting to the phishing URL), and most security solutions fail to follow all these steps when scanning emails.  
  2. They look very real! Sent from a real person’s mailbox, who the victim is in touch with, going through several web pages that all look legit and asking to login in order to access a file. All that looks like a normal and legit journey to access a file that someone you work with sent you. None of this is out of context so there is no reason the receiver will be suspicious. 

The main thing that makes these attacks so unique and successful is the trick they are using in order to evade anti-phishing solutions. Combining multiple hops while counting on the user’s behavior to move from one hop to another, makes it almost impossible for email security solutions to identify that there is a phishing URL hiding there. 

This, combined with the fact that these attacks are used rarely and are very targeted, turns them to undetectable by security solutions that base their verdict on statistical and machine learning models such as Office ATP and Proofpoint TAP. Using a different scanning approach that is 100% attack agnostic and doesn’t rely on knowledge of other threats, BitDam detects these attacks. 

The Benefits of Targeted Attacks

In our video series ‘Get into The Phisher’s Mind’ which covers the decisions hackers have to make when they plan a phishing scam, we discussed spraying vs. cherry-picking. As you can easily tell, the attackers in these cases chose to go cherry-picking and tailored the attack to their specific target. 

The cost for the attackers creating such a focused scam is clear – higher investment per attack.  So why would they do that? The reason is that using such a targeted method, these attacks go below the radar of reputation and statistic-based detection engines which dramatically reduce their chances to be caught. Since many organizations these days still count on Office ATP as their main email protection, it’s safe to assume that the attack will reach the victim’s mailbox and he or she will be tricked.   

The bottom line is that no matter how educated the receiver of these attacks is about phishing, the chances to realize that this is a phishing scam are very low. In addition, the commonly used anti-phishing solutions are struggling to detect these multiple-hop phishing attacks, especially if they are rare or targeted, so the risk is high. 

What Can Be Done?

Trying to finish this post with a positive tone, I would encourage you to test your email security against the newest and most sophisticated threats that are out there, and would offer to protect your email and other collaboration tools using an advanced solution like BitDam’s. You can register for a free trial and see how effective it is on your own.  


Alert: Excel4Macro attacks bypass Office ATP

An old threat has resurfaced, and in its latest guise, it has been able to consistently bypass Office ATP security measures. 

For over six months now we’ve seen this method of attack actively using Excel4Macro to deliver dangerous malware – including hundreds of such attacks in the U.S in the past few weeks. These attacks keep coming, and at BitDam we’ve noted more than 500 unique incidents within the past two weeks of October. 

It’s not just Microsoft Office ATP that’s missing this threat – other advanced email solutions are being bypassed over and over again.

The malware in question is called zLoader. In this piece, we’ll look at it in more detail, including the steps you can take to ensure you’re safe from this type of attack. 

zLoader is back

zLoader is a variant of the Zeus banking malware, which was first spotted in the wild in 2006. It is deployed onto a victim’s infrastructure through Office macros, and is then able to steal passwords, make financial transactions and exfiltrate sensitive data.

This latest version of zLoader includes numerous evasion and obfuscation techniques. For example, it does not fetch the payload unless certain criteria are met, like a sound card being present. This, along with other techniques such as junk code and encrypted strings, have helped this campaign to be so successful.

What does it actually look like?

This Excel4Macro attack, as the name suggests, takes advantage of Excel macros – essentially an automated set of actions. 

Initially the user is presented with an Excel spreadsheet that attempts to convince them to “enable editing” and “enable content” and thus circumvent default Microsoft security features. To do this, various ploys are used: from “download this invoice” to “a family member has been exposed to COVID-19”. 

Varying degrees of sophistication are employed. What follows is a relatively simple example. Note the ruse and the calls to action.

As you can see, there is another sheet or tab present. If one were to open it up and search for non-empty cells, the Excel4Macro attack would be immediately visible. Here’s a sample of it:

We’ve seen this before

The Excel4macro attack method is not new. In fact, we wrote about it earlier this year, mentioning that these attacks typically bypass Office ATP; and much has been written about attacks using malicious Excel macros.

This threat however, is constantly evolving. The way it is being used now is more complex and sophisticated than ever before, with the threat actors finding increasingly devious ways to obfuscate the Excel4Macro element of the attack.

Not content with stopping there, they are now even using new functions of Excel4Macro to evade current Office ATP detection techniques, fetch the zLoader malware from a remote server, and run it on the victim’s machine.

Analysis and protective measures

Based on testing using BitDam’s BAS2.0, these attacks are not being detected by Office ATP, even a full 48 hours after the first time that Office ATP has encountered them.

To assess your organization’s current vulnerability to zLoader and other real-world, real-time malware and phishing attacks, BitDam provides a range of tools to gauge your current risk profile and protect against the latest threats.

When it comes to assessment tools, BitDam offers incredible functionality and coverage with BAS and BAS2.0

And for comprehensive advanced threat protection against the latest and evolving threats, try BitDam ATP for the Enterprise or SMEs

Alert: Tailored Office 365 Phishing Attacks

Our researchers recently observed a new trend in phishing email campaigns that is worth sharing here. We all know how almost 20% of the phishing emails out there are faking Microsoft login pages, aiming to steal Office 365 credentials. Some of you may even be careful when getting an email that links to a Microsoft login webpage, suspecting it might be a phishing scam. You’re definitely right about this one! But, would you ever suspect a Microsoft login page that uses your corporate logo, branding and URL? This is what hackers started doing recently, to fool both end-users and email security engines.  


The New Way of Stealing Office 365 Credentials

Traditionally, phishing attacks that lure users into entering their Microsoft credentials use fake generic O365 login-pages with a Microsoft logo that look like this one:


The new method includes the following elements that, together, make it almost impossible to notice that this is not the real brand’s login page: 

1. The targeted organization’s logo. The organization’s logo is injected into the O365 login page. Not only that this helps the fake page look more real to users, it also makes it harder for phishing detection engines that are based on reputation or image analysis  to detect it. The fake login page would look like this:

2. The targeted organization’s domain URL in the link the user sees (it will later on redirect to the phishing URL). The majority of phishing attacks use an original URL that redirects to the malicious URL. This is done as a basic technique to bypass phishing detection engines as well as suspicious users. In these tailored attacks, the hackers use the organization’s name in an original URL so it contains the domain name of the targeted organization. As you can see in the screenshot, they typically insert the victim’s organization name in the beginning of the URL so that’s what the users see when they hover over the link or click it. This way, they are less likely to think it is ungenuine.


3. The target organization’s branding or look and feel in the background. In case the two techniques that I described above are not convincing enough, some attackers take it to the next level and use a background that fits the victim’s branding. This could be some kind of an image or a branded background that is available online.  


4-fold Increase in The Prevalence of Such Attacks

In the past couple of months, we noticed a dramatic increase in the prevalence of these attacks among BitDam customers. In fact, the prevalence of such attacks in August was more than 400% of the prevalence in July. The trend continued in September with an additional slight increase and keeps going on as I write this post. This implies that these campaigns use some kind of automated tools that were published recently.

We detected these tailored Office 365 phishing attacks in organizations of all sizes, including both small businesses of a few dozens of users and large corporates. This strengthens our assumption that faking these login pages is automated and that there are new phishing kits that allow using the above techniques easily.  

The emails that lure victims into clicking the link that would take them to their Office 365 account vary as well. Many of them include a notification saying that there is a voice message waiting for them, some use the excuse of Office 365 password expiration, some say that you’ve failed to receive a message from tax authorities and so on. If victims take the bait and click the link, they are then redirected to what looks like their organization’s Office 365 login page but is actually a phishing page aiming to steal their credentials.


Phishing scammers’ lives are much easier these days. In the past, bad actors had to work hard in order to build such a customized phishing attack, and these were typically saved for the big fish. Nowadays, all they need is to search online for the newest toolkits and they can spray it all over.

Unfortunately, this makes the lives of both the organizations aiming to protect their employees and assets, and the security vendors that help them doing so, much more difficult. In order to protect from such threats, as well as other emerging phishing techniques, organizations need to make sure their email security can protect from any phishing attack and technique, even the ones that are yet not known or commonly used. In these cases, reputation-based security solutions or the ones based on signatures, would not help, as these attacks are customised per organization and can’t be updated at the needed pace. Thanks to its unique attack-agnostic approach, BitDam ATP detected these threats at first encounter, when they’ve just emerged and without any changes to its detection mechanism.  

While BitDam ATP identified these phishing attacks and blocked them before they reached the users’ mailboxes, the phishing method described in this post is going below the radar of most Advanced Threat Protection solutions, including Microsoft’s Office ATP. I recommend testing your email security against these attacks as well as others to better understand your security posture. You may do this using Breach & Attack Simulation tools such as BitDam Lucky Meter

If you found this blog post interesting, you might also like my previous alert on the use of CAPTCHA as a phishing evasion technique

*The images in this blog post are illustrated and are not related to any attacks. 

Schedule a Demo

Enter your email to get a free trial invitation