SiteCloak Page Obfuscation Techniques Leading to Greater Number of Missed Phishing Attacks


Ever since COVID-19 began closing offices and largely restricting people to their homes, cyber adversaries have been having a field day using the pandemic as a launchpad for phishing attacks. Organizations and individuals must be aware of the detective, preventive and protective measures required to safeguard their information assets against these attacks. We have seen a rise in the number of phishing attacks that bypass Office 365 due to the attackers’ use of obfuscation techniques on the credential harvesting website.

These SiteCloak methods bypass Microsoft’s real-time URL-filtering scanners by obfuscating the credential-harvesting page. This behavior is widespread, using a variety of techniques from multiple threat actors.

Attack Summary Overview:

Platform: Microsoft 365 Email

Email Security: Exchange Online Protection and Microsoft Advanced Threat Protection

Targets: All organizations, all sizes

Payload: Malicious Link

Technique: Obfuscation of Credential Harvesting Page

What is a SiteCloak attack?

To identify a malicious URL within an email, Microsoft will follow a link to scan the target page for potential malware or phishing behavior. To combat this, attackers are hiding the intent of the target page by using a variety of obfuscation techniques. This behavior is widespread and utilizes a variety of methods, some more sophisticated than others, borrowed from multiple threat actors. Most of these methods are capable of fooling Microsoft’s scanners.

In most cases, the target page turns out to be a credential harvesting site, but because these techniques are now in widespread use by several organizations, they are independent of the purpose of the page. If the user is not vigilant and provides their credentials, the user account is compromised.

Why are SiteCloak methods effective?

  • Concealed Page Intent: Microsoft URL filters are unable to determine the intent of an obfuscated page, so a malicious email is allowed to reach the user inbox.
  • Multiple Vulnerabilities: While categorized as a single method, attackers are using a variety of obfuscation techniques, meaning there is no single vulnerability to close. Even simple techniques are successful today, but while these are eventually caught, more advanced methods continue to remain effective.
  • Multiple Actors: Page obfuscation is now in use by multiple actors. The techniques are typical of email obfuscation, and many of them are old, so there is no direct link between a threat actor and their methodology.

What can you do?

  • Use a Password Manager: The best defense against most credential harvesting attacks is the use of a password manager. Most are free, and none can be fooled into entering a password into a malicious site, no matter how authentic it seems. You should never actually know your password.
  • Enable Multi-factor Authentication: MFA renders a username/password pair useless to an attacker.

Attack examples

These techniques are in use by a large number of threat organizations, so their methods vary widely.

  • Basic SiteCloak Obfuscation: ZeroFont
    In the simplest version of the attack, the credential harvesting page uses the same ZeroFont technique that was once a popular method to bypass Microsoft’s email scanners. Even old techniques can successfully fool the website scanner.
  • Advanced SiteCloak Obfuscation: JavaScript EncodingIn more advanced methods, the webpage is encoded using multiple layers of JavaScript obfuscation.
    The “unescaped” command is another JavaScript function that reads the ‘html_encoder_data’ to render the malicious web page.

    The rendered page is fairly advanced in that it does not ask the user to enter their email address, as it is encoded in the URL. It also asks for the password twice before redirecting the user to a real page. Not only does this error-check the password for the attackers, but it also leaves the user the user with no hint that they entered their password on a fake site.

How SonicWall Can Help

SonicWall Cloud App Security can identify SiteCloak-obfuscated websites, because the web-rendering and scanning engines utilize the same indicators of attack discovered by the email-rendering and scanning filters. With CAS Protection enabled, the attacks are prevented from ever reaching your inbox, making email more secure and reliable.

To learn more about SonicWall Cloud App Security, click here.

SonicWall Staff