Overview.

What happens if you take a pinch of social engineering, a grain of evasion, and throw some anonymization techniques into the mix? Well, a perfect recipe for phishing is produced.

In this blog, we will show a simple, but great example of how attackers can steal credentials. Based on our experience, this kind of attack often acts as the first stage of a more sophisticated attack that would typically include spoofing or even an account takeover (ATO) of a “trusted” user.

It is important to note that the example below is just one of a large-scale campaign intercepted by Perception Point, that targeted multiple organizations and end-users.

Ingredient #1 – Social engineering.

The first part of the attack is impersonation. By using social engineering techniques, the attacker tries to lure the end-user to click on the “access voice” button, which is really a malicious link. The attack includes an impersonation to Office 365, using the company’s logo and relevant color palette.

Ingredient #2 – Anonymization.

As an added touch, the attacker uses the exact right amount of anonymization – the balance between making the attack widespread, but still appear targeted or specific to the victim. As can be seen in the IOCs structure below the attacker weaves the recipient name and organization domain (which are easily obtained from the recipient address) into the email subject and in the “from” header. This makes the attack appear more authoritative and real enough, to not raise the end-user’s suspicion.

• Subject: [organization domain] [recipient name mailbox] [time stamp]
• From: [organization domain] [recipient name mailbox] [some-mailbox@some-domain]

It’s important to note that the attacker chose not to spoof the specific organization’s brand and addresses in order to remain undetected, using 9 different email domains and 8 different IPs (all unknown by reputation mechanisms).

Ingredient #3 – NLP Evasion.

On top of the “ingredients” above, another more unique technique is used in this attack, which hides in the body of the email itself. Following the malicious link, a scroll down to the bottom of the email, a new text is uncovered – a huge bulk of automatically generated text, in more than one language. The purpose of this is clear – evade NLP-based methods of email detection. This technique is highly useful to avoid email security vendors, as they do not analyze the context of the email body correctly to determine whether the email is malicious or not.

The Payload.

In the case that the user clicks on the malicious link, he would be redirected to a fake Office 365 login page (that looks extremely real) and is used to steal credentials. The attacker uses a redirect mechanism to ensure that the attack is not blocked by reputation-based anti-phishing engines.

Perception Point.

Perception Point’s service prevented this attack using advanced anti-phishing algorithms. This engine can detect even the most evasive phishing attempts. Our algorithms use dynamic scanning – we don’t rely on IP, sender, or domain reputation to decide whether a link is clean or not. By actively surfing to the website, the service can identify the malicious activity and prevent it, making the attempt to phish credentials useless.