Researchers from cloud security company Avanan have reported finding two ways that phishers are evading Microsoft Office 365 Security protections: one using "hexidecimal escape characters" to conceal coding and links, and the other by compromising SharePoint files.
The first method involves emails with an HTML attachment that contain a small excerpt of JavaScript that is obscured in hexadecimal escape characters. "Therefore, no links are visible, but when opened, it presents a locally-generated phishing page with login instructions," the company explains in an Aug. 24 blog post.
In one recent example, Avanan came across a phishing email, purportedly sent by PayPal, that displayed a fraudulent login page, asking for account information such as name, address, phone number and password. By entering the information and clicking a submit button, the recipient unknowingly transmits his or her information to the cybercriminals.
Avanan reports that these emails are good at evading detection because their malicious links are hidden, the fake login-page is locally produced, and sandbox technologies generally don't consider HTML files with a submit button as suspicious.
According to a second Avanan blog post, the attack that abuses SharePoint generally involves an email that leverages "a genuine invoice from a commonly used online site, with a publicly open link to Office 365 SharePoint," which is a web-based, collaborative platform for Microsoft Office users. Clicking the link executes a JavaScript-based file that infects the endpoint.
Avanan claims that the phishing emails elude detection because Microsoft assumes SharePoint files are safe, as Microsoft originally developed the application. "Most people would assume that files on SharePoint and OneDrive would be scanned for malware, but the fact is that the scanning tools Microsoft uses for Office 365 are not used for files within SharePoint and OneDrive files. Even if the malware is identified once, the same file in a different location in SharePoint will not be blocked," Avanan has reported.
“We disagree with Avanan's claims," said a Microsoft spokesperson in a statement emailed to SC Media. "Microsoft's filters do not rely on the specific techniques described in the vendor post, and our solutions regularly detect and flag these kinds of attacks. In addition, we always encourage customers to use caution when clicking on links and opening emails from unknown senders.”
Avanan suspects that Chinese cybercriminals may be behind the SharePoint operation, due to use of a malicious domain that was registered this week from China.
