Cybercriminals are attempting to sneak malicious hyperlinks past certain email defenses by exploiting how email clients and email security solutions convert plaintext into links.
Researchers from Avanan believe this technique, which it discovered in recent weeks and subsequently dubbed Slinkify, is a novel one that has not been publicly documented before. According to an Avanan report that was shared in advance exclusively with SC Media, the tactic manages to successfully bypass protections from both Proofpoint and Microsoft APT.
“The security layer doesn't see that there's a link, but to the end user it's actually presented as a clickable link,” said Gil Friedrich, vice president of email security at Check Point Software Technology, which acquired Avanan earlier this year. (Friedrich co-founded Avanan and was previously its CEO.)
Friedrich said Avanan decided to alert the public today and forego a coordinated disclosure with Proofpoint and Microsoft because its researchers have already observed the Slinkify technique being used in the wild – thus increasing the urgency of sharing the news with the public. However, on Tuesday, SC Media reached out to Proofpoint and Microsoft on behalf of Avanan, which agreed to make details available to the two companies shortly in advance of publication.
“The hackers already know about this. So we don't feel like we're exposing anything the hackers don't know,” said Friedrich, who noted that Avanan found evidence of this technique being used as far back as early October.
How Slinkify works
In many cases, cybercriminals try to avoid placing malicious links inside their phishing emails because cyber defenses often identify and block them to prevent users from being victimized. Alternatively, adversaries can instead try to obfuscate the links within the emails, so they can’t be successfully scanned. Slinkify accomplishes the latter largely through abusing a tool called Linkify.
Here’s how it works: various email services scan email communications for any content or characters that looks like a URL (e.g. apple.com). They then, through Linkify or similar services, sometimes convert that plaintext into an actual clickable link for the convenience of the email recipient.
Apparently, scammers have come to realize that some email clients are more generous than others in terms of converting certain text into links. For instance, the mobile Gmail email client will convert text such as apple.biz and apple.io into links, while desktop Gmail will not. For mobile Gmail users, this can potentially present a problem if any links lead to a malicious website created by attackers. Likewise, this problem also extends to iOS and mobile Outlook email, which also have less stringent standards for converting text to links, Avanan reports.
The hope is that email protection solutions will block such attempts by scanning email content, identifying suspicious links and then taking other actions such as wrapping and URL rewriting. But according to Friedrich, some of these links do manage to slip through when the email client’s plaintext-to-link conversion rules differ from an email security solution’s rules.
Making matters worse, adversaries are also crafting harmless-looking, yet malformed links by eliminating the “https://” in the URL, and then appending a hidden, zero-width, non-alphanumeric character (such as a parenthesis symbol) to the front of the link.
“The parser of Linkify basically jumps over [the special character]; there's no indication there to tell if it's a link,” Friedrich told SC Media.
Bottom line: “By doing this, hackers are taking advantage of how Microsoft and Proofpoint use the Linkify tool,” the report explains. “Microsoft and other scanners use a version of the Linkify tool, which takes a piece of text and regular expressions, and turns all the regex matches in the text into clickable links. In this email, Microsoft and Proofpoint’s version[s] of Linkify [do] not see this link.” And therefore the protection is bypassed.
One example that Avanan found involves an email written in German language. “Good day! I'm sending you a record with a thorough explanation of the last problem. Please check here,” says the email, translated into English. The two links directly below the context are malformed and this non-wrapped. A second example, written in English, says “Please see the documents,” along with two links that purport to be related to Facebook. In both cases, it is not clear what the attackers' ultimate movitation was.
Proofpoint offered the following statement: “While we appreciate Check Point’s efforts to track adversary tactics for the benefit of the community, these findings were not responsibly disclosed to us per industry norms, and so we have not been able to reproduce them. Assuming the findings are correct, we would consider this a bypass of one detection technique and not a vulnerability. Because we often see these manipulations, we leverage an extensive detection ensemble that goes well beyond URL rewriting, and this technique by itself would not necessarily have a noticeable impact on our solution’s efficacy.”
Microsoft has yet to issue a comment.
To guard against these attacks, Avanan recommends that organizations add advanced security layers and advanced algorithms to their emails, implement a Mail Security Orchestration Automation and Response platform (M-SOAR), and scan all links – even non-standard and malformed versions.