A Brand-New Phishing Trick
 

A Recap on Phishing

Phishing is one of the oldest forms of email attack, but it is still one of the most commonly used attack methods employed by cybercriminals today. In a phishing attack, bad actors spam users with emails that promise prizes, threaten account suspension, or create some other type of urgent situation, and then ask the email recipient to click on a link or download a malicious attachment in order to remedy the problem or claim their prize.

There are a number of email security technology solutions organizations can deploy in order to prevent most emails like this from ever reaching the inboxes of their team members. Also, thanks to cybersecurity awareness training and general working knowledge of cyberattacks, even if a technology solution fails and a malicious email is delivered, today’s users are more likely to spot these types of attacks, refrain from clicking on the links or opening the attachments, and promptly alert their organization’s security team to the potential attack.

But, despite technological advances and the success of cybersecurity awareness training, sometimes even the most on-guard team members get busy, get distracted, or are simply trying to move too fast and still manage to click on a malicious link or open a malicious file. This human error is why cyberattacks are still finding success.

And it is this success that continually keeps threat actors looking for new ways to trick even the most suspecting of users into download malware or inadvertently furnish cybercriminals with highly sensitive login credentials.

A Brand-New Type of Phishing Attack

The Mimecast team has recently learned of the efforts of one such group of threat actors and a new form of phishing attack they have developed that attempts to take advantage of a not-so-well-known disparity between how web browsers and email programs read web domains. This is a brand-new way for attackers to sneak malicious links into email inboxes.

Identified in a report by Perception Point, this slight but key difference in how web browsers and email programs read URLs allows attackers to craft a link using the @ symbol so that it is interpreted as a comment by email security filters and as a legitimate URL by web browsers. For example, https[://]abc123@www[.]threatpost.com. This new attack method allows phishing emails with this new type of link to successfully bypass many forms of email security.

As reported by Threatpost, “Perception Point’s incident response (IR) team flagged a hastily-designed phishing email trying to pass itself off as a Microsoft notice.” The notice informed the email recipient they had five new held messages and then directed them to follow a “Personal Portal” hyperlink.

That hyperlink then took the recipient to a malicious website that was designed to look just like an Outlook login page. And even though the actual domain name of the website was “storageapi.fleek.co,” followed by a long series of random characters, users not paying attention or moving too quickly may have entered their Outlook login credentials into this malicious site. Those credentials then would have ended up in the hands of the cybercriminals responsible for this ruse.

What We Know About This New Attack Method

This brand-new style of phishing originated in Japan and according to an email sent by Motti Elloul, vice president of customer success and incident response at Perception Point, to Threatpost, went after a wide range of targets, including telecom, web services, and financial organizations. Threatpost reported that none of the emails tricked any of the users into actually providing their Outlook login credentials. However, just because this one attack failed, it does not mean that this attack method will not be replicated time and time again in the near future by other threat actors to attack other organizations.

Upon investigation, researchers discovered that the key to the success of this phishing attack bypassing most modern email security tools was the link in the email. Some web browsers will allow a user to enter authentication information in the URL field in the browser. For example, http(s)://username[:]password[@]server/resource[.]ext. Other browsers will simply ignore any information entered before the @ symbol and just direct the user to the URL following the @ symbol. For example, https[://]abc123@www[.]threatpost.com. In either case, the browser will send the user to whatever URL appears after the @ symbol. This means all attackers have to do to get users to their malicious site instead of the real Outlook login site is put their URL in the link after the @ symbol. For example, https[://]outlook.live.com/owa/@www[.]candcserver.com.

Microsoft removed this functionality from Internet Explorer in January 2022. Unfortunately, however, many other web browsers still have this functionality. And the main problem is that many of the email security programs organizations are using are not flagging these malicious URLs that use this @-symbol-in-the-middle method because they read the copy following the @ as a comment, not as a URL.

Mimecast URL Protect Can Stop These Attacks

Fortunately, for Mimecast customers, our TTP URL protect feature correctly identifies the URL following the @ symbol and will perform a scan if a user clicks on it, preventing them from accessing the phishing page if malicious behavior is detected. So, even if a team member might not recognize the potentially malicious URL in the phishing email, Mimecast technology can stop the attack in its tracks and prevent the malicious page from being accessed.

To learn more or schedule a demo, visit the Mimecast URL Protect page.