Sunday, August 3, 2025

Researchers Detect Multi-Layer Redirect Tactic Used to Steal Microsoft 365 Login Credentials

Cybersecurity researchers have disclosed details of a new phishing campaign that conceals malicious payloads by abusing link wrapping services from Proofpoint and Intermedia to bypass defenses.

"Link wrapping is designed by vendors like Proofpoint to protect users by routing all clicked URLs through a scanning service, allowing them to block known malicious destinations at the moment of click," the Cloudflare Email Security team said.

"While this is effective against known threats, attacks can still succeed if the wrapped link hasn't been flagged by the scanner at click time."

The activity, observed over the past two months, once again illustrates how threat actors find different ways to leverage legitimate features and trusted tools to their advantage and carry out malicious actions, in this case redirecting victims to Microsoft 365 phishing pages.

It's noteworthy that the abuse of link wrapping involves the attackers gaining unauthorized access to email accounts that already use the feature within an organization, so that any email message containing a malicious URL sent from that account is automatically rewritten with the wrapped link (e.g., urldefense.proofpoint[.]com/v2/url?u=<malicious_website>).

Another important aspect concerns what Cloudflare calls "multi-tiered redirect abuse," in which the threat actors first cloak their malicious links using a URL shortening service like Bitly, and then send the shortened link in an email message via a Proofpoint-secured account, causing it to be obscured a second time.

This behavior effectively creates a redirection chain, where the URL passes through two levels of obfuscation, Bitly and Proofpoint's URL Defense, before taking the victim to the phishing page.

In the attacks observed by the web infrastructure company, the phishing messages masquerade as voicemail notifications, urging recipients to click on a link to listen to them, ultimately directing them to a bogus Microsoft 365 phishing page designed to capture their credentials.

Alternate infection chains employ the same technique in emails that notify users of a supposed document received on Microsoft Teams and trick them into clicking on booby-trapped links.

A third variation of these attacks impersonates Teams in emails, claiming that recipients have unread messages and that they can click on the "Reply in Teams" button embedded in the messages, which redirects them to credential harvesting pages.

"By cloaking malicious destinations with legitimate urldefense[.]proofpoint[.]com and url[.]emailprotection URLs, these phishing campaigns' abuse of trusted link wrapping services significantly increases the likelihood of a successful attack," Cloudflare said.

When contacted by The Hacker News for comment, Proofpoint said it's aware of threat actors abusing URL redirects and URL protection in ongoing phishing campaigns, and that it's a technique the company has observed across multiple security service providers who offer similar email security or URL rewrite features, such as Cisco and Sophos.

The enterprise security firm also noted that it flags these campaigns via its behavioral artificial intelligence (AI) detection engine, and that messages bearing such URLs are discarded and the final URLs at the end of the redirect chain are blocked to prevent exploitation.

"In these campaigns, a threat actor can either abuse an open redirect to link to a rewritten URL, or compromise an email account that belongs to someone with some sort of email protection," Proofpoint threat researchers said.

"Then, they send an email with a phishing link to the account they've compromised. The protection service rewrites the URL, and the threat actor makes sure the link is not blocked. Then, the threat actor will take the rewritten URL and include it in various redirect chains."

"Whenever threat actors choose to use a re-written URL from any security service, including Proofpoint, it means that as soon as the security service blocks the final URL, the entire attack chain will be blocked for every recipient of the campaign, whether or not the recipient was a customer of the security service."
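One way a mail-security team can surface the two-tier chain described above (a Bitly hop hidden inside a Proofpoint-wrapped link) and in Proofpoint's own account of the technique, as an added example that is not code from the article, Cloudflare or Proofpoint: it decodes the URL Defense v2 `u=` parameter (assuming the documented hyphen-for-percent, underscore-for-slash scheme) and flags wrapped links whose destination is a shortener. The sample email and all URLs in it are constructed.

```python
"""Unwrap Proofpoint URL Defense v2 links and flag shortener destinations.
Added defensive example, not code from the article, Cloudflare or Proofpoint.
All sample URLs are constructed."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

PROOFPOINT_HOST = "urldefense.proofpoint.com"
# Only the prefix url.emailprotection appears in the article, so match on it.
WRAPPER_PREFIXES = ("url.emailprotection",)
SHORTENER_HOSTS = {"bit.ly", "bitly.com"}  # Bitly is named in the article; extend as needed
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def unwrap_proofpoint_v2(url: str) -> Optional[str]:
    """Return the destination hidden in a v2 wrapped link, or None if not one.
    v2 stores the original URL in u= with '%' written as '-' and '/' as '_'
    (the documented v2 scheme; confirm against links from your own tenant)."""
    parts = urlparse(url)
    if (parts.hostname or "").lower() != PROOFPOINT_HOST or not parts.path.startswith("/v2/url"):
        return None
    encoded = parse_qs(parts.query).get("u", [""])[0]
    if not encoded:
        return None
    # '_' -> '/' first; a literal '_' or '-' in the original was escaped as
    # -5F or -2D, so the '-' -> '%' step plus unquote restores it.
    return unquote(encoded.replace("_", "/").replace("-", "%"))


def audit_links(text: str) -> list:
    """Find wrapped links in an email body; flag those landing on a shortener."""
    findings = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        destination = unwrap_proofpoint_v2(url)
        if destination is None and not host.startswith(WRAPPER_PREFIXES):
            continue  # plain link, not rewritten by a protection service
        dest_host = (urlparse(destination).hostname or "").lower() if destination else ""
        findings.append({"wrapped": url, "destination": destination,
                         "shortener_chain": dest_host in SHORTENER_HOSTS})
    return findings


# Constructed voicemail lure of the kind the article describes.
SAMPLE_EMAIL = """\
You have a new voicemail (0:42). Listen here:
https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_abc123&d=x&c=y
Regards, Unified Messaging
"""
```

A finding with `destination` set to `None` means the link came from a wrapper whose encoding this helper does not decode, which is still worth a second look since the wrapper alone says nothing about the final destination.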

The development comes amid a spike in phishing attacks that weaponize Scalable Vector Graphics (SVG) files to get around traditional anti-spam and anti-phishing protections and initiate multi-stage malware infections.

"Unlike JPEG or PNG files, SVG files are written in XML and support JavaScript and HTML code," the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) said last month. "They can contain scripts, links, and interactive elements, which can be exploited by embedding malicious code within harmless SVG files."

Phishing campaigns have also been observed embedding fake Zoom videoconferencing links in emails that, when clicked, trigger a redirection chain to a fake page that mimics a realistic-looking interface, after which victims are served a "meeting connection timed out" message and taken to a phishing page that prompts them to enter their credentials to rejoin the meeting.

"Unfortunately, instead of 'rejoining,' the victim's credentials along with their IP address, country, and region are exfiltrated via Telegram, a messaging app notorious for 'secure, encrypted communications,' and inevitably sent to the threat actor," Cofense said in a recent report.

(The story was updated after publication to include a response from Proofpoint.)
