Ever since COVID-19 began closing offices and largely restricting people to their homes, cyber adversaries have been having a field day using the pandemic as a launchpad for phishing attacks. Organizations and individuals must be aware of the detective, preventive and protective measures required to safeguard their information assets against these attacks. We have seen a rise in the number of phishing attacks that bypass Office 365 due to the attackers’ use of obfuscation techniques on the credential harvesting website.
These SiteCloak methods bypass Microsoft’s real-time URL-filtering scanners by obfuscating the credential-harvesting page. This behavior is widespread, using a variety of techniques from multiple threat actors.
Attack Summary Overview:
Platform: Microsoft 365 Email
Email Security: Exchange Online Protection and Microsoft Advanced Threat Protection
Targets: All organizations, all sizes
Payload: Malicious Link
Technique: Obfuscation of Credential Harvesting Page
What is a SiteCloak attack?
To identify a malicious URL within an email, Microsoft will follow a link to scan the target page for potential malware or phishing behavior. To combat this, attackers are hiding the intent of the target page by using a variety of obfuscation techniques. This behavior is widespread and utilizes a variety of methods, some more sophisticated than others, borrowed from multiple threat actors. Most of these methods are capable of fooling Microsoft’s scanners.
In most cases, the target page turns out to be a credential harvesting site, but because these techniques are now in widespread use by several organizations, they are independent of the purpose of the page. If the user is not vigilant and provides their credentials, the user account is compromised.
Why are SiteCloak methods effective?
- Concealed Page Intent: Microsoft URL filters are unable to determine the intent of an obfuscated page, so a malicious email is allowed to reach the user inbox.
- Multiple Vulnerabilities: While categorized as a single method, attackers are using a variety of obfuscation techniques, meaning there is no single vulnerability to close. Even simple techniques are successful today, but while these are eventually caught, more advanced methods continue to remain effective.
- Multiple Actors: Page obfuscation is now in use by multiple actors. The techniques are typical of email obfuscation, and many of them are old, so there is no direct link between a threat actor and their methodology.
What can you do?
- Use a Password Manager: The best defense against most credential harvesting attacks is the use of a password manager. Most are free, and none can be fooled into entering a password into a malicious site, no matter how authentic it seems. You should never actually know your password.
- Enable Multi-factor Authentication: MFA renders a username/password pair useless to an attacker.
These techniques are in use by a large number of threat organizations, so their methods vary widely.
- Basic SiteCloak Obfuscation: ZeroFont
The rendered page is fairly advanced in that it does not ask the user to enter their email address, as it is encoded in the URL. It also asks for the password twice before redirecting the user to a real outlook.com page. Not only does this error-check the password for the attackers, but it also leaves the user the user with no hint that they entered their password on a fake site.
How SonicWall Can Help
SonicWall Cloud App Security can identify SiteCloak-obfuscated websites, because the web-rendering and scanning engines utilize the same indicators of attack discovered by the email-rendering and scanning filters. With CAS Protection enabled, the attacks are prevented from ever reaching your inbox, making email more secure and reliable.
To learn more about SonicWall Cloud App Security, click here.