Application security, Malware, Phishing, Threat Management

Scammers imitate Windows logo with HTML tables to slip through email gateways

A recently discovered phishing scam that convincingly impersonates the Microsoft Windows logo with an HTML table serves as a new reminder of how social engineers can abuse various elements in emails to fool both human recipients and certain security solutions.

The scheme first began to emerge late last year into January and involves using a table to build a 2x2 grid of cells, and then filling them in with colors to make the table look just like the iconic Windows logo. The presence of this fraudulent, yet authentic-looking logo lends extra credibility to phishing emails, and according to Inky they can fool some standard Secure Email Gateways that tend to overlook the presence of tables as a suspicious element.

“This new tactic most likely originated in a single phishing kit and is now adopted in multiple kits,” said Bukar Alibe, cyber security analyst at Inky.

Jeremy Ventura, senior security engineer at Mimecast, called the new phenomenon “a modern form of brand impersonation” that is missed by traditional solutions because “they aren’t developed to look for more sophisticated techniques.”

While this specific scam may be new, it’s just the latest phishing tactic to incorporate HTML tables. For instance, “previously HTML tables were abused by using combinations of black and white cells to create graphics that look like URLs. This is no longer used because it looks visually different and suspicious when compared to a regular hyperlink,” said Alibe noted.

Another related technique used to bypass text filters is to create a table, erase all borders from it, configure it to bunch the various data cells together, and then add portions of text to the individual cells to make it look like regular text.

“Attackers… break up malicious words and place parts of the word in different adjacent cells,” said Alibe. “For example, a bitcoin filter can be thwarted by placing ‘bi,’ ‘tco,’ and ‘in’ in different cells. This makes it readable for humans and obfuscated for unsophisticated scanners.”

In this latest campaign, Inky found a series of emails using the fake Microsoft logo in an attempt to get recipients to click a malicious link, open a weaponized attachment or call a scam phone number “where an evil operative tries to extract personal and financial information,” the report states.

Examples of these phishes included a fake new fax notification from SharePoint, featuring a link that used an open redirect to take victims to a compromised web development tool site, where malicious content was injected into their computer. Other lures included a fake Office 365 email with a phone password expiration a phony voicemail notification. The attack mechanism, a malicious link, was concealed in an HTML attachment. 

A SharePoint-themed phishing email featuring a fake Windows logo.

The campaign also leveraged other well-worn techniques, including “open redirects, abused cloud sites, booby trapped HTML attachments, hijacked email marketing campaign tools, and zero-font character stuffing.”

Roy Rotem, Avanan co-founder and head of data science, confirmed the presence of these fake Microsoft logo attacks, noting that “we’re starting to see an increase this year.”

“These attacks creatively use HTML and CSS to impersonate logos, brands and more,” Rotem explained. “We see tons of obfuscation methods against Office 365, and many of them are also successful against traditional, legacy email gateways. These attacks are interesting because you can’t rely on the HTML/CSS static analysis that traditional solutions use.”

Fortunately, businesses equipped with more advanced, modern email security solutions – particularly those with machine learning and/or computer vision – should be able to identify the fake logo and deflect this attack.

“In this case, a machine would see an HTML table, but computer vision would surface that this supposed table is trying to be a Microsoft logo,” the report says. “With that knowledge, the detection system can check to see whether the sender really is Microsoft.” 

Rotem described an effective process to defend against such obfuscation attacks: “render the HTML email body in a sandbox, and perform image analysis… and apply cognitive AI models to find similarities and impersonation attempts. By using headless browsers, you can safely render the page and apply AI image-recognition models to determine if there is any impersonation on the page. This security layer is not just effective against this specific attack, but against a wide range of obfuscation attempts in the HTML of the email.”

“The best way for companies to spot HTML tables and other such tricks is to optimally balance technology and people," concluded Ventura. "From a technology standpoint, organizations need sophisticated solutions that can rewrite URLs, scan for malicious attachments and provide dynamic banners for human visibility. However, at the end of the day, the technology is only as good as the humans consuming it. For this reason, prioritizing in-depth security awareness training is critical in the battle against sophisticated threats.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.