A new threat tactic is being used to determine if sandbox environments are being used…
In the past few months, Microsoft Office 365 phishing campaigns have evolved drastically, using innovative tricks like inverted login pages, sub-domains, and pre-detecting sandboxes to evade detection. Some of these notorious but ingenious tricks observed by security researchers are:
Microsoft recently discovered a phishing campaign that could avoid automated analysis by detecting security sandboxes (automated analysis). The campaign uses URLs that could spot sandboxes and switch the redirected URL to a legitimate page or website instead of the phishing landing page.
“We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defence evasion and social engineering,” said Microsoft. “The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc.”
This method makes sure that only real people or potential victims reach the landing page and not security researchers and automated security scans. Thereby reducing their chance of being blocked. These emails are also very well crafted and obscure – another way to dupe email gateways.
Inserting Custom Sub-domains
Another way these attackers have found to make phishing URLs more legitimate is by inserting custom subdomains for each user with their name and their organization’s name.
“This unique subdomain is added to a set of base domains, typically compromised sites,” Microsoft explained. “Notably, the phishing URLs have an extra dot after the TLD, followed by the Base64-encoded email address of the recipient. The unique subdomains also mean huge volumes of phishing URLs in this campaign, an attempt at evading detection.”
Inverting Images of Webpages
This particular campaign uses inverted images (as the landing page) of the webpage they are trying to imitate. The security defences receive this page thereby escaping detection. The phishing kit reverses the inverted page to look like the original (using Cascading Style Sheets (CSS) ) for the user.
A pretty neat trick used by phishing campaigns is by misusing Google Ads and Google Cloud Services, Microsoft Azure, Microsoft Dynamics, and IBM Cloud to host phishing pages that look legitimate and surpass secure email gateways.
It’s advised beefing up security awareness training to help users be aware of the potential dangers around phishing emails. Users need to understand the dangers and potential costs of opening and acting on the content of these emails.
With thanks to the Cyber Defence Alliance and E Hacking News. The full story is here: https://www.ehackingnews.com/2020/11/phishing-campaigns-evolving-rapidly.html
Free Phishing Security Test
Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.
Here’s how it works:
- Immediately start your test for up to 100 users (no need to talk to anyone)
- Select from 20+ languages and customize the phishing test template based on your environment
- Choose the landing page your users see after they click
- Show users which red flags they missed, or a 404 page
- Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
- See how your organization compares to others in your industry
PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/phishing-security-test-partner?partnerid=001a000001lWEoJAAW