Phishing

Five techniques to bypass Office 365 protections used in real phishing campaigns

Pierluigi Paganini
July 2, 2018 by
Pierluigi Paganini

In the last couple of years, crooks devised several techniques to bypass anti-phishing filters, let's analyze them to understand the way threat actors used them to bypass Office 365 protections.

Zerofont phishing attack can bypass Office 365 protections

According to cloud security firm Avanan, Cybercriminals are using a new technique that involves manipulating font sizes to bypass Office 365 protections.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

One of the detection mechanisms implemented by Microsoft in Office 365 leverages the natural language processing for the identification of the content of the email messages associated with malicious campaigns.

For example, an email including the words "Apple" or "Microsoft" that are not sent from legitimate domains, or messages referencing user accounts, password resets or financial requests are flagged as malicious.

The researchers from Avanan have recently discovered phishing campaigns using emails in which some of the content is set to be displayed with zero-size font using <span style=" FONT-SIZE: 0px">, for this reason, they dubbed the technique ZeroFont.

"Recently, we have been seeing a number of phishing attacks using a simple strategy to get their blatant email spoofs past Microsoft's phishing scans. The tactic, which we are calling ZeroFont, involves inserting hidden words with a font size of zero that are invisible to the recipient in order to fool Microsoft's natural language processing," reads the analysis published by Avanan.

The content of the email is composed to be a phishing message, but Microsoft's filters are not able to detect it because the attackers have introduced a font size text that alters the text making it harmless to the security mechanisms.

Figure 1 - FontZero email

Summarizing, while the user sees a classic phishing content like this:

Microsoft's filter will see the overall text including words written with "FONT-SIZE: 0px" attribute. This text, of course, doesn't appear as a malicious content if analyzed with natural language processing:

"Microsoft can not identify this as a spoofing email because it cannot see the word 'Microsoft' in the un-emulated version. Essentially, the ZeroFont attack makes it possible to display one message to the anti-phishing filters and another to the end user," Avanan's Yoav Nathaniel said in a blog post.

Natural language processing is essential to prevent phishing attacks, but a technique like ZeroFont demonstrated that attackers could bypass filters with a trick.

baseStriker attack technique allows bypassing Microsoft Office 365 anti-phishing filter

Researchers at cloud security company Avanan discovered in May a technique, dubbed baseStriker that was used by attackers to bypass the Safe Links security feature implemented in Microsoft Office 365.

The Safe Links feature is designed by Microsoft to protect Office users from malicious codes and phishing attacks; it is part of Microsoft's Advanced Threat Protection (ATP).

Beginning in late October 2017, ATP Safe Links protection is being extended to apply to web addresses (URLs) in email as well as URLs in Office 365 ProPlus documents, such as Word, Excel, PowerPoint on Windows, iOS, and Android devices, and Visio files on Windows.

The security feature works by replacing all URLs in an incoming email with Microsoft-owned secure URLs.

When the user clicks on a link included in an incoming email, it first redirects the user to a domain owned by Microsoft and used to checks the original URL for anything suspicious. If the scan detects suspicious activity, it then warns users. Otherwise, the user is redirected to the original link.

BaseStriker attack technique leverages the <base> URL tag in the header of an HTML email to split and disguise a malicious link.

"The name baseStriker refers to the method hackers use to take advantage of this vulnerability: splitting and disguising a malicious link using a tag called the <base> URL tag," reads the analysis published by Avanan.

"The attack sends a malicious link, that would ordinarily be blocked by Microsoft, past their security filters by splitting the URL into two snippets of HTML: a base tag and a regular href tag."

The following image shows a traditional phishing link that is blocked by the filter because the URL is classified as malicious and a link that is split using the BaseStriker attack technique.

Figure 2 - Link split with the BaseStriker attack technique

Tests of the baseStriker attack technique demonstrated that Office 365 users were vulnerable.

"We have tested the vulnerability on several configurations and found that anyone using Office 365 in any configuration is vulnerable. If you are using Gmail, you don't have this issue. If you are protecting Office 365 with Mimecast, you are secure. Proofpoint is also vulnerable – if you are using Proofpoint you also have this problem," continues the post.

Gmail users and users protecting their Office 365 with Mimecast were not vulnerable to the attack. Meanwhile, Proofpoint was affected by the issue at the time of its discovery.

I am using:  Am I Vulnerable to baseStriker?

Office 365  Yes – you are vulnerable

Office 365 with ATP and Safelinks  Yes – you are vulnerable

Office 365 with Proofpoint MTA  Yes – you are vulnerable

Office 365 with Mimecast MTA  No – you are safe

Gmail  No – you are safe

Gmail with Proofpoint MTA  We are still in testing and will be updated soon

Gmail with Mimecast MTA  No – you are safe

Other configurations not here?  Contact us if you want us to help you test it

Threat actors are using the baseStriker attack to conduct phishing campaigns; the technique could be used to distribute malware.

Avanan reported the baseStriker attack technique to both Microsoft and Proofpoint.

Unicode-based phishing

On August 2017, researchers from Avanan discovered a large-scale phishing campaign against Office 365 leveraging on the use of special characters in the subject of the emails to bypass security measures implemented by Microsoft.

The malicious messages posed as Dropbox file share email, each message in the campaign used different links, all leading to a fake Dropbox login page.

The URL appeared as genuine, but a close look revealed a small change - a dot above the 'ȯ.'

The email subject looks like this:

Attached Via Dropbox - (Account_liquidation.Pdf)

Here's an example of where the link in the email leads to:

Figure 3 - Fake Dropbox landing page

The use of special characters in the subject of the email allowed the attackers to bypass Microsoft's built-in security.

Office 365 security bypassed using hexadecimal escape characters

On August 2017, experts at Avanan uncovered another variant of a phishing attack against Office 365 users leveraging a type of character encoding called "Hexadecimal Escape Characters." Phishing messages used an HTML attachment with a JavaScript snippet, and the content is encoded through hexadecimal escape characters, this means that no links were visible before opening the message. Once the users opened the phishing email, it presented a locally-generated phishing page with login instructions.

The following image shows an example of a fake PayPal login page used in several attacks observed by the expert.

Figure 4 - Hexadecimal Escape Characters attack

Below the JavaScript used by attackers that is obscured in hexadecimal escape characters:

Figure 5 - Javascript used in Hexadecimal Escape Characters attack

The recipient sees a message sent by a popular service, let's say from PayPal, then the victim clicks on what looks like a link, but it actually points to a local file. The 'link' opens the PayPal login page, tech-savvy users will notice in the address bar the word 'file' instead 'https,' but many unaware users will not notice it. Once the victim provides it credentials, they will be sent to the attackers.

"There are several factors in this attack that make it unique, allowing it to bypass most security tools– including Microsoft's Office 365 default security–but also some other more advanced sandboxing technologies including Microsoft's Advance Threat Protection," states the alert published by Avanan.

"1. Scanning this file with most antiviruses and emulating the file in a number of sandboxes (including Microsoft's ATP) failed to find it as malicious. This is because it has no known signature, and no active content (macro, etc). It also has no apparent links - those are obscured and not easy to extract.

"2. Even when rendered in Microsoft's ATP or another sandbox, it may expose the links, but most sandboxing technologies do not follow those links. They just don't consider an HTML file with a form and a submit button as malicious. It is not considered 'active' code. As a result, the attachment is not found to be malicious when scanned.

"3. The email body itself has no links (as the link is in the attachment) - therefore, any of the 'safe-link' methods (replacing the URLs with proxy-links) that Microsoft and other email security vendors like Proofpoint or Mimecast are rendered useless.

"4. The fake "login" screen is local. Firewalls or browser plugins that use URL reputation for IPs and domains are completely blind to this because it isn't going to the internet to fetch the page, it is local. Same applies to any DNS based security, like OpenDNS from Cisco and similar tools."

Phishing campaign on Office 365 business users leverages Punycode

Another phishing attack technique used by crooks in the wild leverages Punycode to avoid detection of Microsoft's default security and desktop email filters.

The technique was first observed in phishing campaigns at the end of 2016 when hackers exploited a bug in Office 365 defense systems to deceive victims.

Punycode is a method added to the Domain Name System (DNS) to support non-ASCII characters within a web URL.

Back in December 2016, security researchers from Avanan security firm discovered of a phishing campaign that aimed to steal Office 365 credentials and abuses a vulnerability in how Office 365 anti-phishing and URL-reputation security layers deal with Punycode.

Hackers are always interested in targeting Office 365 because it is a corporate email solution.

"Avanan's cloud security researchers uncovered a new attack method against Office 365 business email that goes undetected by Microsoft's Office 365 default security and bypasses desktop email filters," states a blog post published by Avanan."The attack includes a phishing scheme to steal Office 365 credentials, and leverages what appears to be a vulnerability in how Office 365 anti-phishing and URL-reputation security layers translate Punycode."

Punycode was already exploited in past attacks to trick victims into clicking links that looked legitimate, but crooks behind the campaign spotted in 2016 used it to bypass the Office 365 anti-phishing filters and email phishing protection systems.

The attack was possible due to a bug in the Office 365 phishing filters.

"What makes this attack different is that instead of fooling the user, it was designed to fool the anti-phishing filters found in Office 365 and other email phishing protection systems. Hackers have identified a gap in the Office 365 phishing filters and are starting to leverage it in order to compromise accounts," continues the analysis.

The phishing campaign uncovered by Avanan leveraged on fake FedEx emails that URLs that appear to be legitimate.

Leveraging on the vulnerability in the phish-detection engine, the URL was resolving to two different domains, one followed by the malware protection filter and the second one followed by the browser when the user clicks on it.

The legitimate and safe URL was the one followed by protection systems implemented in Office 365, while the malicious one was followed by the browser redirecting the victims to a bogus domain.

"What makes this attack nefarious is that by using Punycode and a flaw in the phish-detection engine, the URL actually goes to TWO different sites, one followed by the malware protection filter and the other followed by the end-user's browser when he or she clicks on it," states the analysis.

Figure 6 - PunyCode phishing attack

The experts discovered that Office 365's default security systems check domain reputation by analyzing it as plain ASCII.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Sources

Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.