Alert: Malformed HTML helps phishing emails evade Office ATP

In the past week or two, our team at BitDam observed a spike in phishing emails that use a malformed HTML structure in order to get into our customers’ inboxes. BitDam ATP detected and blocked these attack attempts at first encounter, but they did bypass Microsoft Office ATP, among other solutions.

A Real Attack Example 

Like many other phishing attacks targeting businesses, this one too aims to harvest the user’s Microsoft credentials. The HTML email body tricks the user into clicking a link in order to access a document on SharePoint, in this particular case a financial document.

[Screenshot: sharepoint]

Clicking the “open” button takes the victim to a fake SharePoint login page that collects the credentials once they are entered.

So far this looks like any other phishing attempt, and you would think most email protection solutions would detect it. So how did it slip under the radar of Office ATP?

The Evasion Technique: Malformed HTML x2

Instead of placing the phishing link inside the HTML document itself, the attackers appended the malicious code to the end of the message, after the closing </html> tag. In the screenshot below, you can see that the HTML document ends at row 38, while rows 40-60 contain extra code, which is the malicious script.

[Screenshot: html]

Most security solutions miss this second body, which means they would not identify the malicious part of the email in this case.

The attackers take advantage of the fact that most security products scanning emails do not scan the code that appears after the closing </html> tag, while browsers and mail clients will try to render the full content. The result: email security products won’t see the malicious part of the email (i.e. the phishing link), but end users will see it and are likely to click it.

Moreover, the malicious JavaScript that the attack is meant to run is itself malformed, as it contains unclosed lines. This makes it even harder for security engines to execute the code and identify it as malicious.

To summarize, the attackers are counting on two things: most security products scanning emails won’t scan the code that appears after the closing </html> tag, and even if they do, they won’t be able to run the JavaScript, since the malicious HTML code is malformed.
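The following is an added example, not BitDam’s code, showing the difference between a scanner that stops at the closing </html> tag and one that inspects the whole raw body. It runs over a constructed email body that mimics the structure described above: a clean HTML frame, then a trailing, unterminated script block with an unclosed string (the “unclosed rows”). All URLs are placeholders, not indicators from the attack.

```python
"""
Added example (not BitDam's code): naive vs. full-body link extraction.
Assumes a raw HTML email body as a string; no network access is needed.
"""
import re
from html.parser import HTMLParser

# Constructed sample body: a benign-looking frame, then extra malformed markup
# appended after </html>. The login-portal URL is a placeholder, not a real IoC.
SAMPLE_BODY = """<html>
<body>
<p>A financial document has been shared with you on SharePoint.</p>
<a href="https://sharepoint.example.com/sites/finance">Open</a>
</body>
</html>
<script>
var u = "https://login-portal.example.invalid/owa/auth
document.write('<a href="https://login-portal.example.invalid/owa/auth">open</a>')
"""

# Loose URL sweep: works on raw text even when the markup around it is broken.
URL_RE = re.compile(r'''https?://[^\s"'<>)]+''', re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect href values from <a> tags; tolerant of unclosed tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def _html_end(body):
    """Index just past the closing </html> tag, or -1 if there is none."""
    end = body.lower().find("</html>")
    return -1 if end == -1 else end + len("</html>")


def naive_links(body):
    """Parse only up to </html>, the behaviour the post attributes to most scanners."""
    end = _html_end(body)
    frame = body if end == -1 else body[:end]
    parser = LinkExtractor()
    parser.feed(frame)
    return parser.links


def trailing_content(body):
    """Anything non-blank after </html>; a strong signal on its own for an email body."""
    end = _html_end(body)
    return "" if end == -1 else body[end:].strip()


def full_scan_links(body):
    """Structured parse of the whole body plus a regex sweep, so links hidden in
    unterminated scripts or unclosed strings are still surfaced."""
    parser = LinkExtractor()
    parser.feed(body)  # no close(): an unterminated <script> must not raise
    found = set(parser.links)
    found.update(URL_RE.findall(body))
    return sorted(found)


def links_only_after_html(body):
    """Links the naive scan would miss: the malicious part in this attack pattern."""
    return sorted(set(full_scan_links(body)) - set(naive_links(body)))


if __name__ == "__main__":
    print("naive:", naive_links(SAMPLE_BODY))
    print("missed:", links_only_after_html(SAMPLE_BODY))
    print("trailing bytes:", len(trailing_content(SAMPLE_BODY)))
```

The point of the regex sweep is that a structured parser, even when fed the whole body, treats everything after an unterminated `<script>` as script text and returns no anchors from it; only a tolerant text-level scan plus a “content after </html>” check catches the pattern this alert describes.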

What Can You Do About It? 

Keep watching out, as phishing attempts continuously become more sophisticated, with attackers developing new tricks to evade traditional security tools.

Be aware that Microsoft’s email security (basic EOP, but also Office ATP) is only effective to some extent, and it is recommended to augment it with more sophisticated protection as an additional defense layer.

And if you aren’t sure how good your current security is, and whether it would detect such attacks, you’re welcome to use BitDam BAS2.0, called “Lucky Meter”, which uses the latest attacks from the wild in real time to continuously test your security.

Alert: Error Messages, Double Click and RSS App Help Trick Security Solutions

In the past couple of weeks, BitDam ATP detected some interesting phishing attempts that use a combination of several tactics to make it harder for security solutions to detect and block them, and to defeat phishing-awareness training. As you can imagine, it works, and the leading email security vendors fail to detect these attacks.

An example from the wild

Here is an example of a specific attack that I found particularly interesting:

The original email contains a calendar invitation which looks completely legitimate. The sender nickname was modified to the threat actor’s liking, as can be seen in the EML headers:


This means that the attackers had full control over the email server. Digging in a bit more, it seems they created a dedicated email domain, wildwestdomains.com, for this purpose:


In fact, the domain was created only 3 days before the attack was sent out, as you can see in the following image.


Clicking the email attachment (in this particular attack it was a calendar invitation), the user gets a fake error message.

[Screenshot: office365]

Clicking “Retry” transfers the user to a website that is local on the filesystem or in an iframe, as you can see in the domain blob in this screenshot:


The local website shows another error message and requests a password. Once the password is entered, it is sent to an RSS application and stored there.


From this point, the attackers hold the user’s credentials, and you can be assured they will take full advantage of that.

Now, what did we have here?

So why is it so interesting? None of the elements used in this attack is new by itself, nor very sophisticated. However, using all of them together in one properly orchestrated attack makes it almost undetectable by email security solutions. Here are the highlights of the tactics used in this attack:


  • Brand-new email domain – solutions that base their detection on statistical models and reputation tend to trust new email domains, as they don’t have any bad reputation yet. Attackers know that and use new email domains to reduce suspicion.
  • Fake error message – clicking the link in the message leads to a fake webpage that looks like a Microsoft error message. Security solutions are trained to suspect webpages that ask for credentials when looking for phishing threats. Pages that look like error messages are likely to pass below their radar because they don’t look like a phishing attempt.
  • Requiring a second click – the webpage that asks users for their password is hidden behind another link. The user reaches it only after clicking the error message on the first webpage, which makes it more difficult for email security solutions to detect that this is a phishing scam (they need to follow two clicks instead of just one).
  • Local webpage – the attackers use a local webpage, which again looks less suspicious from an email security solution’s perspective. Another obstacle to detecting it as a phishing attack.
  • Using RSS – for collecting the passwords, the attackers use an RSS application, which makes it look even more legitimate, helping to bypass email defenses.
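
The first two tactics (a brand-new sender domain and a modified sender nickname) can be checked at the gateway before any link is followed. The following is an added example, not BitDam’s code, that runs two such checks over a constructed EML fragment. The WHOIS/RDAP creation-date lookup is replaced by a hypothetical in-memory table so it runs offline, the brand-to-domain table and the 30-day threshold are assumptions for this example, and the sender domain and display name are placeholders.

```python
"""
Added example (not BitDam's code): offline triage of sender domain age and
display-name/domain mismatch for a raw RFC 5322 message.
"""
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed EML fragment; sender domain and display name are placeholders.
SAMPLE_EML = """From: "Microsoft Outlook Calendar" <invites@newly-registered.example>
To: finance@victim.example
Subject: Meeting invitation
Content-Type: text/calendar; method=REQUEST

BEGIN:VCALENDAR
END:VCALENDAR
"""

# Hypothetical stand-in for a WHOIS/RDAP creation-date lookup (constructed data).
DOMAIN_CREATED = {
    "newly-registered.example": date(2020, 3, 1),
    "victim.example": date(2010, 6, 15),
}

# Constructed brand-to-domain table: a display name mentioning the brand is
# expected to come from one of these domains or a subdomain of them.
BRAND_DOMAINS = {
    "microsoft": ("microsoft.com", "outlook.com"),
    "outlook": ("microsoft.com", "outlook.com"),
    "sharepoint": ("microsoft.com", "sharepoint.com"),
}

MIN_DOMAIN_AGE_DAYS = 30  # policy threshold; an assumption for this example


def sender_parts(raw):
    """Return (display name, address, lower-cased domain) from the From header."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr, domain


def domain_age_days(domain, today):
    """Days since registration, or None when the lookup has no record."""
    created = DOMAIN_CREATED.get(domain)
    return None if created is None else (today - created).days


def domain_belongs_to(domain, roots):
    """True if domain equals one of roots or is a subdomain of one (no substring tricks)."""
    return any(domain == r or domain.endswith("." + r) for r in roots)


def triage(raw, today_iso):
    """Return the list of triggered indicators; an empty list means nothing flagged."""
    today = date.fromisoformat(today_iso)
    name, _addr, domain = sender_parts(raw)
    findings = []

    # Tactic: brand-new sender domain with no reputation history.
    age = domain_age_days(domain, today)
    if age is None:
        findings.append("sender domain age unknown")
    elif age < MIN_DOMAIN_AGE_DAYS:
        findings.append(f"sender domain is {age} days old")

    # Tactic: modified sender nickname claiming a brand the domain does not own.
    lowered = name.lower()
    for brand, roots in BRAND_DOMAINS.items():
        if brand in lowered and not domain_belongs_to(domain, roots):
            findings.append(f"display name mentions {brand} but sender domain is {domain}")
            break
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML, "2020-03-04"):
        print("FLAG:", finding)
```

Neither check is conclusive alone (new domains and branded display names both occur legitimately), which is why the function returns a list of indicators for a scoring or quarantine policy rather than a verdict.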


Based on BitDam’s observations within its customer base worldwide, many security solutions failed to detect this specific attack as well as similar phishing threats that use a combination of these techniques. These attacks remained undetected by other security products for many hours, while BitDam blocked them at first encounter.

Curious whether this threat and newer attacks bypass your email security? You’re welcome to register for BitDam Lucky Meter, the next-generation Breach and Attack Simulation, which sends you the freshest attacks from the wild, or to access our malware feed.
