Getting User to Copy/Paste Links
12 February 2025
By Mimecast Threat Research Team
What you'll learn in this notification
- Predominantly targeting Legal, Retail and Manufacturing businesses in the US
- Campaigns are distributed via AWS SES, sent by a Python mailer
- The primary intent is for credential harvesting
Campaign Flow
To evade detection by security solutions, threat actors are now encouraging users to interact with malformed links by copying and pasting them from the email into their browser. Mimecast Threat Researchers have identified that these lures often feature a button with a broken link, accompanied by this text: "If the event that the provided link does not function as expected, please copy the following link and paste it into your browser’s address bar.” The email uses the common payment file share lure to trick users into interacting with it. However, where the user would normally click the ‘View File’ button, this has been purposely made unclickable, so the user is required to interact with the link at the bottom of the email.
The link is presented as plain text, not an active hyperlink (<a href>), so it may not be immediately flagged by security filters scanning for malicious URLs. As the user is encouraged to manually copy and paste, it bypasses automated link analysis tools within email security platforms. The URL includes trusted domains such as sharepoint.com to lend an air of credibility. However, it's followed by an unrelated malicious domain: hoteis-em-gramado[.]com.
The link tends to be lengthy, with several layers of obfuscation and base64 encoding, which makes it hard for the user to determine whether it is suspicious. Decoding the base64 reveals additional parameters that have been hidden:
sv=o365_1_sp&rand=ajk3WHM=&uid=USER27092024U07092722
sv=o365_1_sp: Likely signifies the service or platform being spoofed. Here, it seems to indicate "Office 365 SharePoint" (o365_1_sp).
rand=ajk3WHM=: Appears to be a randomly generated value, possibly to create unique URLs for tracking purposes. Random strings like this can act as a session or tracking ID for the attackers to identify the victim.
uid=USER27092024U070927227: Likely a user identifier (uid), which could correspond to a specific target in the phishing campaign. The date-like pattern (27092024) might encode the timestamp of when the email or phishing link was generated.
Once the user copies and pastes the link into their browser, the browser adds the missing ‘http://’ scheme to form a complete URL, and the user is redirected to a credential harvesting page that presents some form of files.
The campaign activity shows a significant spike in late October, with continued sporadic activity in November.
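The indicators described above (the copy/paste wording, a bare URL that is not an active hyperlink, a trusted brand domain followed by an unrelated domain, and base64-wrapped query parameters) can be checked in a message body with a small script. The following is an added example written for this notification, not Mimecast code: the detection logic is ours, the hidden parameter string is the one quoted above, and the sample message body, the hosts (`example-bad.invalid`, `mail.example.invalid`), the path and the `data` parameter name are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Brand domains the lure embeds in the link text as decoys; sharepoint.com is the one
# named in the notification, extend the set with other brands your users trust (assumption).
TRUSTED_DECOY_DOMAINS = {"sharepoint.com"}

# Wording from the lure that steers the user towards copy/paste.
LURE_PHRASE = "copy the following link and paste it into your browser"

# A scheme-less, URL-looking token: not preceded by a scheme separator, '@' or another label.
BARE_URL_RE = re.compile(
    r"(?<![\w@/.-])((?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>\"']*)?)", re.IGNORECASE)
# Every domain-like token inside a URL string (the host plus decoys hidden in the path).
DOMAIN_RE = re.compile(
    r"(?<![a-z0-9.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![a-z0-9-])", re.IGNORECASE)
HREF_RE = re.compile(r"href\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


def split_params(text):
    """Split k=v&k=v on the raw text (no percent or '+' decoding) so base64 stays intact."""
    params = {}
    for pair in text.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return params


def registrable(domain):
    """Crude registrable-domain reduction (last two labels); no public-suffix list."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def decode_hidden_params(value):
    """Base64-decode a query value and parse it as nested k=v&k=v parameters.
    Returns a dict, or None when the value is not a base64-wrapped parameter set."""
    raw = value.strip()
    raw += "=" * (-len(raw) % 4)  # tolerate stripped padding
    try:
        text = base64.urlsafe_b64decode(raw).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if "=" not in text:
        return None
    return split_params(text) or None


def analyze_email(html_body):
    """Return (kind, ...) tuples describing copy/paste link lure indicators in one body."""
    findings = []
    if LURE_PHRASE in html_body.lower():
        findings.append(("lure_phrase", LURE_PHRASE))

    hyperlinked = [h.strip() for h in HREF_RE.findall(html_body)]
    for match in BARE_URL_RE.finditer(html_body):
        url = match.group(1)
        if any(url in h for h in hyperlinked):
            continue  # a real <a href> link; ordinary URL rewriting already covers it
        findings.append(("plaintext_url", url))

        domains = [registrable(d) for d in DOMAIN_RE.findall(url)]
        if len(domains) > 1 and domains[0] in TRUSTED_DECOY_DOMAINS:
            findings.append(("decoy_brand_domain", domains[0], domains[-1]))

        try:  # the pasted text has no scheme; add one so urlsplit isolates the query
            query = urlsplit("http://" + url).query
        except ValueError:
            continue
        for key, value in split_params(query).items():
            hidden = decode_hidden_params(value)
            if hidden:
                findings.append(("hidden_params", key, hidden))
    return findings


# Constructed sample message modelled on the lure: the hidden parameter string is the one
# quoted in the notification; the hosts, path, sender name and 'data' key are hypothetical.
HIDDEN = "sv=o365_1_sp&rand=ajk3WHM=&uid=USER27092024U07092722"
ENCODED = base64.urlsafe_b64encode(HIDDEN.encode()).decode()
SAMPLE_BODY = f"""<html><body>
<p>Lisa shared "Payment Detail Report"</p>
<p><span style="color:#2e6bd6">View File</span></p>
<p>If the event that the provided link does not function as expected, please copy the following link and paste it into your browser's address bar.</p>
<p>sharepoint.com/sites/finance/shared/example-bad.invalid/sign-in?data={ENCODED}</p>
<p><a href="https://mail.example.invalid/unsub">Manage preferences</a></p>
</body></html>"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_BODY):
        print(finding)
```

Run stand-alone it prints four findings for the sample body: the lure phrase, the bare URL, the decoy brand domain paired with the later unrelated domain, and the decoded `sv`/`rand`/`uid` parameters. The registrable-domain reduction is deliberately crude (last two labels, no public-suffix list); a production rule should use a proper suffix list so that hosts under multi-label suffixes are reduced correctly.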
Tactics Techniques and Procedures:
T1204.001 - User Execution: Malicious Link
T1598.002 - Phishing for Information
T1566.002 - Spear Phishing Link
T1071.001 - Application Layer Protocol: Web Protocols (HTTP/HTTPS)
T1586.002 - Compromise Accounts: Email Accounts
T1588.006 - Obtain Capabilities: Web Services
T1027 - Obfuscated Files or Information
Mimecast Protection
We have identified several attributes in the campaigns which have been added to our detection capabilities.
Targeting:
US, Predominantly Legal, Retail and Manufacturing
IOCs:
Subjects:
Payment Advice_Have2020 __[MSG-ID-8284766044wzdjjatjmcvlzp]
Lisa shared "Payment Detail Report"
Finance Department Notice: Recent Supplier Payment Transmissions
Settlement Confirmation on 23/10/24
URLs:
hoteis-em-gramado[.]com
Recommendations
- Ensure you have a URL Protect policy set to protect the organization.
- Search through your URL Protect logs to determine if any of the abused services have been accessed by your users.
- Search through your email receipt logs to determine if any matching subjects have been delivered to your users.
- Educate end users around the continued trend of legitimate tools being used in malicious campaigns.