The Latest SonicWall News
SiteCloak Page Obfuscation Techniques Leading to Greater Number of Missed Phishing Attacks
Posted: Wed Sep 23, 2020 02:44:35 PM
by Vishnu Chandra Pandey

Ever since COVID-19 began closing offices and largely restricting people to their homes, cyber adversaries have been having a field day using the pandemic as a launchpad for phishing attacks. Organizations and individuals must be aware of the detective, preventive and protective measures required to safeguard their information assets against these attacks.

We have seen a rise in the number of phishing attacks that bypass Office 365 due to the attackers' use of obfuscation techniques on the credential-harvesting website. These SiteCloak methods bypass Microsoft's real-time URL-filtering scanners by obfuscating the credential-harvesting page. This behavior is widespread, using a variety of techniques from multiple threat actors.

Attack Summary Overview:
Platform: Microsoft 365 Email
Email Security: Exchange Online Protection and Microsoft Advanced Threat Protection
Targets: All organizations, all sizes
Payload: Malicious Link
Technique: Obfuscation of Credential Harvesting Page

What is a SiteCloak attack?
To identify a malicious URL within an email, Microsoft will follow the link and scan the target page for potential malware or phishing behavior. To combat this, attackers hide the intent of the target page using a variety of obfuscation techniques. This behavior is widespread and uses a variety of methods, some more sophisticated than others, borrowed from multiple threat actors. Most of these methods are capable of fooling Microsoft's scanners. In most cases, the target page turns out to be a credential-harvesting site, but because these techniques are now in widespread use by several threat organizations, they are independent of the purpose of the page. If the user is not vigilant and provides their credentials, the user account is compromised.

Why are SiteCloak methods effective?
What can you do?
Attack examples
These techniques are in use by a large number of threat organizations, so their methods vary widely.

In the simplest version of the attack, the credential-harvesting page uses the same ZeroFont technique that was once a popular method of bypassing Microsoft's email scanners. Even old techniques can successfully fool the website scanner.
The unescape command is another JavaScript function that reads the html_encoder_data to render the malicious web page. The rendered page is fairly advanced in that it does not ask the user to enter their email address, as it is encoded in the URL. It also asks for the password twice before redirecting the user to a real outlook.com page. Not only does this error-check the password for the attackers, but it also leaves the user with no hint that they entered their password on a fake site.

How SonicWall Can Help
SonicWall Cloud App Security can identify SiteCloak-obfuscated websites, because the web-rendering and scanning engines use the same indicators of attack discovered by the email-rendering and scanning filters. With CAS Protection enabled, the attacks are prevented from ever reaching your inbox, making email more secure and reliable.
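The two attack examples above share a defensive lesson: a scanner that only inspects the markup a server returns sees no credential form, while the browser decodes and renders one. The following added example (not SonicWall's code, and not a reproduction of any real phishing kit) shows that rendered-content check: it recovers percent-encoded string literals that a script would pass through unescape(), counts ZeroFont elements, and compares password fields in the raw page against those in the decoded page. The sample page and the `html_encoder_data` variable name are constructed from the description on this page; the thresholds are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample of an obfuscated page: the real markup exists only as a
# percent-encoded string that the browser decodes with unescape() at load time.
SAMPLE_PAGE = """<html><body>
<span style="font-size:0px">Document shared with you</span>
<script>
var html_encoder_data = "%3Cform%20method%3D%22post%22%3E%3Cinput%20type%3D%22password%22%20name%3D%22pw%22%3E%3Cinput%20type%3D%22password%22%20name%3D%22pw2%22%3E%3C%2Fform%3E";
document.write(unescape(html_encoder_data));
</script></body></html>"""

# font-size of exactly zero (ZeroFont); the lookahead rejects values such as 0.9em
ZERO_FONT = re.compile(r'font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|%)?(?![\d.])', re.I)
SCRIPT_BODY = re.compile(r'<script[^>]*>(.*?)</script>', re.I | re.S)
STRING_LITERAL = re.compile(r'(["\'])(.*?)\1')
PASSWORD_INPUT = re.compile(r'<input[^>]*type\s*=\s*["\']?password', re.I)


def decode_hidden_markup(html):
    """Return markup recovered from heavily percent-encoded string literals inside
    <script> blocks, i.e. what unescape() would hand to document.write()."""
    decoded = []
    for script in SCRIPT_BODY.findall(html):
        for _quote, literal in STRING_LITERAL.findall(script):
            # Assumed threshold: eight or more escapes marks an encoded payload
            if literal.count('%') >= 8:
                decoded.append(unquote(literal))
    return decoded


def analyze_page(html):
    """Score a fetched page the way a rendering scanner would: inspect what the
    browser would show, not only the markup that was served."""
    hidden = decode_hidden_markup(html)
    rendered = html + "".join(hidden)
    indicators = {
        "zero_font_elements": len(ZERO_FONT.findall(html)),
        "encoded_payloads": len(hidden),
        "password_fields_raw": len(PASSWORD_INPUT.findall(html)),
        "password_fields_rendered": len(PASSWORD_INPUT.findall(rendered)),
    }
    # Suspicious: a credential form that appears only after decoding, a double
    # password prompt, or ZeroFont text combined with an encoded payload.
    indicators["suspicious"] = (
        indicators["password_fields_rendered"] > indicators["password_fields_raw"]
        or indicators["password_fields_rendered"] >= 2
        or (indicators["zero_font_elements"] > 0 and indicators["encoded_payloads"] > 0)
    )
    return indicators
```

Running `analyze_page(SAMPLE_PAGE)` reports no password field in the raw markup but two in the rendered page, which is exactly the gap a URL scanner that does not render falls into.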