By Dylan Main, Cofense Phishing Defense Center
In an ever-changing threat landscape, where AI and automation are being leveraged to not only detect but stop malicious campaigns, how does an attack that seems rudimentary become effective? By understanding how these tools work and by using social engineering, TAs (Threat Actors) can circumvent automation and gain access to company infrastructure with modest effort.
The Cofense Phishing Defense Center (PDC) has identified credential phishing campaigns bypassing SEG (Secure Email Gateway) protected environments by removing the URL protocol (http/https) from links embedded in the email. While this tactic seems basic, its simplicity could be an effective method for TAs to push their campaigns without fear of being caught by a security vendor or an automated tool that only recognizes links written in a standard browser protocol format.
Figure 1: Email Body
The body of the email shown in Figure 1 appears to be a response to an earlier email where the sender, in this case, the threat actor, has shared a document with the recipient and needs them to visit their fake SharePoint to review it. The use of SharePoint URLs is a method often used to add validity to an email in hopes the recipient is more inclined to interact with a link, as it is a widely used document-sharing platform. Instead of a standard hyperlink or button, the TA has added the URL as plain text, requiring the user to copy and paste it into their browser to access it.
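As an added example (not code from the Cofense post), the check below shows why a scanner anchored on `http://`/`https://` misses the plain-text link described above, and how a defender's extractor can still surface scheme-less links for review. The sample email body and its domain are constructed placeholders.

```python
import re

# Constructed sample in the style described above: the SharePoint-look-alike
# link is pasted as plain text with its scheme removed. Domain is a placeholder.
SAMPLE_BODY = """Hi,

Please review the document I shared earlier. You can open it here:
contoso-my.sharepoint.example/personal/shared/Document.pdf

Regards,
J. Smith"""

# Scheme-anchored pattern, typical of tools that only recognize standard
# browser protocol formats. It never matches the link in SAMPLE_BODY.
SCHEME_URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)

# Broader pattern: a dotted hostname with a TLD-like last label, optionally
# followed by a path. The lookbehind avoids matching inside an e-mail address
# or inside a URL that already has a scheme.
BARE_URL_RE = re.compile(
    r"(?<![\w@/])"                   # not preceded by a word char, '@' or '/'
    r"((?:[a-z0-9-]+\.)+[a-z]{2,})"  # dotted hostname
    r"(/[^\s<>\"']*)?",              # optional path
    re.IGNORECASE,
)

# Bare "report.pdf"-style tokens with no path are file names in prose, not links.
DOC_EXTENSIONS = {"pdf", "docx", "xlsx", "pptx", "zip"}

def find_scheme_urls(text: str) -> list:
    """Links a scheme-only scanner would see."""
    return SCHEME_URL_RE.findall(text)

def find_bare_urls(text: str) -> list:
    """Links (with or without scheme) found by the broader hostname pattern."""
    hits = []
    for m in BARE_URL_RE.finditer(text):
        host, path = m.group(1), m.group(2) or ""
        if not path and host.rsplit(".", 1)[-1].lower() in DOC_EXTENSIONS:
            continue  # a file name mentioned in the text, not a link
        hits.append(host + path)
    return hits

def scheme_less_links(text: str) -> list:
    """Links the broader pattern finds that the scheme-anchored scanner missed."""
    seen = find_scheme_urls(text)
    return [u for u in find_bare_urls(text) if not any(u in s for s in seen)]
```

Feeding the detected scheme-less links (with `https://` prepended) into the same reputation and sandbox checks applied to ordinary hyperlinks closes the gap this tactic relies on.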
Figure 2: Captcha
Upon copying the URL into a browser, the recipient is redirected to a fake CAPTCHA page. Because CAPTCHA verifications are commonplace when accessing many sites, TAs use them as a social engineering technique: the challenge lends the page an added appearance of legitimacy to the recipient, while at the same time hindering automated solutions that cannot complete it.
Figure 3: Phishing Page
Once the user “verifies” they are human, they are sent to a page that looks like Microsoft Outlook’s login page, when in fact it is a counterfeit created by the TA to resemble the authentic website. This is another façade, this time used to trick the employee into entering their Outlook credentials, which could give the threat actor access to company infrastructure and data. Microsoft, being one of the top business email providers in the world, is a constant target for credential phishing campaigns such as this.
While this method does not outwardly seem like a sophisticated attack, it is an example of another approach Threat Actors are using to adapt to new defensive strategies. With knowledge of the target and an understanding of new methodologies, these campaigns can evade security tools and automated solutions, showing that the best method of defense is a combination of human-vetted appliances and hands-on analysis. Cofense Managed Phishing Threat Detection and Response (MPDR) solutions can provide both elements to prevent these types of attacks from stealing employee credentials and to prevent unwanted exfiltration or compromise of company infrastructure. Contact us today to learn more about our MPDR platform.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding the circumvention of end-point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog, are registered trademarks or trademarks of Cofense Inc.