Phishing attacks are evolving constantly as threat actors discover new ways to attack Internet users and steal passwords and other sensitive data. One common strategy is to use legitimate services, for instance official PayPal emails, to deliver the malicious content to users.
Engineers at Cloudflare's Email Security team discovered a new phishing attack that abuses Enterprise-grade cybersecurity services in its attacks. Services like Proofpoint or Intermedia use link-wrapping techniques to route URLs through a scanning service. This enables them to block known malicious URLs at the moment the user clicks on the link.
The method works well against known malicious URLs, as actions are blocked by the cybersecurity service in that case. However, threat actors discovered that they can abuse the system, if malicious URLs are not yet known to the cybersecurity service. In other words, even though the link is wrapped and checked by a cybersecurity service, it is not blocked, as it is not yet flagged as malicious.
The attack relies on compromised accounts that are already protected by a link-wrapping cybersecurity service. Cloudflare suggests that the attackers create link-wrapped emails with malicious URLs using these accounts. A link shortening service is used furthermore for additional obfuscation.
Proofpoint or Intermedia wrap the links using their own legitimate addresses. The main idea behind the scheme is to fool security systems and prevent common defensive strategies, such as blocking URL threats on the domain level.
Users who click on these links, assuming that they are protected through the cybersecurity service, land on phishing websites, according to Cloudflare. The attack that Cloudflare observed targeted Microsoft 365 accounts and used fake phishing websites that looked like the real Microsoft website.
However, the URL of the phishing website is not associated with Microsoft. The URL remains one of the best options to detect the majority of phishing attacks outright.
Cloudflare notes that the use of trusted link wrapping services enhances the chance of successful exploits. It can lead to higher click-through rates.
Cloudflare published information about resources that the threat actors used in the attacks. This includes addresses and email detection fingerprints.
Now You: Have you encountered phishing attacks recently? Do you use specific security tools against phishing? Feel free to leave a comment down below.
Thank you for being a Ghacks reader. The post New Phishing campaign hides malicious links in Proofpoint and Intermedia link wrappers appeared first on gHacks Technology News.
0 Commentaires