Modern phishing campaigns are sophisticated, evasive, and relentlessly evolving. This phishing campaign exemplifies the modern email threat: cybercriminals attempt to change tactics as fast as security and protection technologies do. The HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms.

These attackers moved from using plaintext HTML code to employing multiple encoding techniques, including old and unusual encryption methods like Morse code, to hide these attack segments. Some of these code segments are not even present in the attachment itself. Instead, they reside in various open directories and are called by encoded scripts. This campaign's primary goal is to harvest usernames, passwords, and, in its more recent iteration, other information like IP address and location, which attackers use as the initial entry point for later infiltration attempts.

As previously noted by the Microsoft Defender Threat Intelligence Team, the campaign components include information about the targets, such as their email address and company logo. Such details enhance a campaign's social engineering lure and suggest that a prior reconnaissance of a target recipient occurs. Email-based attempts include using multilayer obfuscation and encryption mechanisms for known existing file types, such as JavaScript. Multilayer obfuscation in HTML can likewise evade browser security solutions.

To defend organizations in a fast and cost-effective way, Synergy Advisors has launched the Email Protection E-Suite Discovery Offering, where certified experts and unique E-Suite and Microsoft solutions provide findings and action plans to protect against the latest threats.

XLS.HTML phishing campaign: Fake payment notices are an effective tool for attackers to steal credentials

The XLS.HTML phishing campaign uses social engineering to craft emails mimicking regular financial-related business transactions, specifically sending what seems to be vendor payment advice. In some of the emails, attackers use accented characters in the subject line.

Figure: Sample of fake credentials stolen dialog box with a blurred Excel image in the background.

From plaintext to Morse code: A timeline of frequently changing attack segment encoding

Obfuscation and encryption mechanisms change every 37 days on average. The change in patterns demonstrates that attackers are aware of the need to change their routines to evade security technologies. Mechanisms identified by the Microsoft 365 Defender Threat Intelligence Team:

1. Transition from plaintext HTML to encoded segments

2. Hosting of segments on third-party sites and multiple encoding mechanisms
The logo, obtained from third-party sites, and the link to the phishing kit were encoded using Escape. The two links to the JavaScript files were encoded together in two steps: first in Base64, then in ASCII.

3. Use of Morse code
Meanwhile, the user mail ID and the organization's logo in the HTML file were encoded in Base64, and the actual JavaScript files were encoded in Escape. Links to the JavaScript files were encoded using ASCII, then in Morse code. Meanwhile in May, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.

The link to the JavaScript file was encoded in ASCII while the domain name of the phishing kit URL was encoded in Escape. The entire HTML attachment was then encoded using Base64 first, then with a second level of obfuscation using Char coding (delimiter: Comma, Base: 10).

5. Introduction of a new information-stealing module
A new module was introduced that used hxxps://showipscom/api/geoip/ to fetch the user's IP address and country data and sent them to a command and control (C2) server. Attackers could use such information, along with usernames and passwords, as their initial entry point for later infiltration attempts.

Detecting dynamically changing email obfuscation techniques through coordinated threat defense

Figure: User's credentials being posted to the attacker's C2 server while the user is redirected to the legitimate Office 365 page.

Certified security consultants and the best technology tools to mitigate risk. With E-Suite discovery offerings, organizations can have the best of both worlds.
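To make the layering in the timeline above concrete for an analyst, here is an added example that is not code from this page, from Synergy Advisors or from Microsoft. It recognises the four encodings the timeline names (Base64, JavaScript escape(), comma-delimited base-10 char codes, Morse code) and peels them off an attachment in whatever order they were applied, recording the layer sequence. The sample payloads, hostnames and the layer orders are constructed to mirror the timeline entries; the Morse alphabet is the standard ITU table and the escape() handling follows that function's documented behaviour. The layer detector is a heuristic, not the kit's own format.

```python
"""Peel the encoding layers named in the timeline off an HTML attachment.

Constructed analyst-side example, not the phishing kit's code. Each decoder
handles one layer; peel() applies them outermost-first until plaintext remains.
"""
import base64
import binascii
import re
import string
import urllib.parse

# Standard ITU Morse alphabet: letters, digits and the punctuation a URL or a
# comma-delimited code list needs. Morse has no case, which is why a kit wraps
# it around case-free layers such as digit/comma char codes.
MORSE_TABLE = {
    "a": ".-", "b": "-...", "c": "-.-.", "d": "-..", "e": ".", "f": "..-.", "g": "--.",
    "h": "....", "i": "..", "j": ".---", "k": "-.-", "l": ".-..", "m": "--", "n": "-.",
    "o": "---", "p": ".--.", "q": "--.-", "r": ".-.", "s": "...", "t": "-", "u": "..-",
    "v": "...-", "w": ".--", "x": "-..-", "y": "-.--", "z": "--..",
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
    ".": ".-.-.-", ",": "--..--", ":": "---...", "/": "-..-.", "-": "-....-",
    "_": "..--.-", "=": "-...-", "?": "..--..", "@": ".--.-.",
}
MORSE_TO_CHAR = {v: k for k, v in MORSE_TABLE.items()}


def morse_encode(text):
    return " ".join(MORSE_TABLE[c.lower()] for c in text)


def morse_decode(text):
    return "".join(MORSE_TO_CHAR[token] for token in text.split())


def charcode_encode(text):
    # "Char coding (delimiter: Comma, Base: 10)" from the timeline.
    return ",".join(str(ord(c)) for c in text)


def charcode_decode(text):
    return "".join(chr(int(n)) for n in text.split(","))


_ESCAPE_SAFE = set(string.ascii_letters + string.digits + "@*_+-./")


def escape_encode(text):
    # Mirrors JavaScript escape(): %XX for Latin-1 code points, %uXXXX above.
    return "".join(
        c if c in _ESCAPE_SAFE else "%%%02X" % ord(c) if ord(c) < 256 else "%%u%04X" % ord(c)
        for c in text
    )


def escape_decode(text):
    text = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), text)
    # escape() percent-encodes single Latin-1 bytes, not UTF-8 sequences.
    return urllib.parse.unquote(text, encoding="latin-1")


def base64_decode(text):
    return base64.b64decode(text, validate=True).decode("utf-8")


DECODERS = {"morse": morse_decode, "charcode": charcode_decode,
            "escape": escape_decode, "base64": base64_decode}


def detect_layer(text):
    """Name the outermost encoding of `text`, or None if it looks like plaintext."""
    s = text.strip()
    if re.fullmatch(r"[.\-]+( [.\-]+)*", s):
        return "morse"
    if re.fullmatch(r"\d+(,\d+)*", s):
        return "charcode"
    if re.search(r"%(u[0-9A-Fa-f]{4}|[0-9A-Fa-f]{2})", s):
        return "escape"
    if len(s) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        try:
            decoded = base64_decode(s)
        except (binascii.Error, UnicodeDecodeError):
            return None
        # A genuine layer decodes to text; random alphanumerics usually do not.
        if all(c.isprintable() or c.isspace() for c in decoded):
            return "base64"
    return None


def peel(blob, max_layers=8):
    """Return (innermost plaintext, [layer names, outermost first])."""
    layers, current = [], blob
    while len(layers) < max_layers:
        kind = detect_layer(current)
        if kind is None:
            break
        try:
            current = DECODERS[kind](current.strip())
        except (KeyError, ValueError, binascii.Error, UnicodeDecodeError):
            break  # looked like a layer but did not decode: stop and report
        layers.append(kind)
    return current, layers


# Constructed stand-ins for the attachment and its remote segments (not real hosts).
SAMPLE_HTML = '<script src="https://cdn.example.invalid/segment.js"></script>'
SAMPLE_URL = "https://cdn.example.invalid/kit/"
SAMPLE_DOMAIN = "https://kit.example.invalid/?id=\u00e9"


def build_samples():
    """Wrap the stand-ins the way the timeline entries describe."""
    return {
        # whole attachment: Base64 first, then char coding (comma, base 10)
        "attachment": charcode_encode(base64.b64encode(SAMPLE_HTML.encode()).decode()),
        # script link: ASCII codes, then Morse
        "script_link": morse_encode(charcode_encode(SAMPLE_URL)),
        # phishing-kit domain: escape()
        "kit_domain": escape_encode(SAMPLE_DOMAIN),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        plain, layers = peel(blob)
        print(f"{name}: layers={layers} -> {plain}")
```

Two points the output makes visible: Morse discards case, so in a real sample it can only sit around a layer that has none (char codes, hex, digits), and that constraint is itself a detection hint; and the number of layers peeled before plaintext appears is a cheap feature for a mail-filtering or sandbox pipeline, since a legitimate HTML attachment rarely needs more than one.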