Hackers, nation-state actors, and cybercriminals have been using services such as SharePoint and Azure Blob Storage to phish users in corporate environments and small businesses.
Notably, in recent phishing campaigns threat actors have hosted Office 365 phishing pages on Microsoft's own cloud services.
They combine this with hex-encoded links to get past conventional anti-phishing email filtering defences.
Such obfuscation can defeat link inspection or content filtering in some cases. Attackers know that these methods raise both the probability of successful delivery and the apparent legitimacy of the tailored phishing page.
Threat actors also recognise that hosting phishing pages on cloud services offers substantial benefits for comparatively little cost and effort.
The attackers place the hex-encoded malicious link in a <base href> tag in the message body and add a relative <a href> link, also in the body, that carries the user-specific information. The browser joins the two when the victim clicks, so the full destination never appears in the message as a single literal URL.
In this tutorial we analyse how potential victims are fooled by a convincing phishing email claiming that server errors are delaying message delivery. The email prompts the victim to click the link inside the message.
The hex-encoding technique discussed in the next section allowed the attackers to bypass Microsoft Office 365 Advanced Threat Protection (ATP), Microsoft's cloud-based email filtering service that helps defend organisations from unknown malware and viruses.
Office 365 ATP provides zero-day protection and includes advanced features such as Safe Links, which checks links at click time to protect organisations from malicious links in real time.
Phishing Users With HEX Encoded Links
Hex encoding of the URL inside the message body appears to be intended to bypass URL content-based filtering and similar defences.
If the victim clicks the “Review Message” link in the email, they are shown a highly convincing phishing page that imitates the Microsoft Office 365 login page.
The “Review Message” link also carries the target's email address together with the phishing URL, so the address is already filled in on the fake Office login page when it loads.
Thus, once the user is fooled into clicking the attacker's link, the page masquerading as the legitimate Office 365 login page is shown to the victim with their own email address pre-populated, which adds to the appearance of legitimacy.
If the targeted victim does get tricked into entering their password for their email address, the phishing web page will transmit the already populated email and entered
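The following is an added example of a filter-side check for the <base href> plus relative <a href> trick and the pre-populated address described above; it is not code from the campaign or from the original page. Because the page does not show exactly how the links were hex encoded, the example assumes URL percent encoding (%XX for each character) applied to the path of the base link, with the scheme left literal so that the browser still treats the tag as an absolute URL, and assumes the recipient address travels in a query parameter named `email`. The email body and the storage account name are constructed placeholders. The check joins the links exactly as a browser would, then percent-decodes the result so that the host and path the filter inspects match what the server will actually receive.

```python
"""Reconstruct the real landing URL hidden behind a percent-encoded
<base href> and a relative <a href> that carries the recipient address.

Added example, not code from the original page or the campaign.
Assumptions (not stated on the page): hex encoding = %XX percent
encoding of the base link's path; the recipient address is passed in a
query parameter called "email".  SAMPLE_BODY is constructed.
"""
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import parse_qs, unquote, urljoin, urlsplit

# Hostname suffixes the page names as the campaign's hosting.  The real
# Office 365 sign-in page is served from login.microsoftonline.com, never
# from a storage account or web app hostname.
SUSPECT_HOST_SUFFIXES = (".blob.core.windows.net", ".azurewebsites.net")


class _LinkCollector(HTMLParser):
    """Collects the first <base href> and every <a href> in the message."""

    def __init__(self) -> None:
        super().__init__()
        self.base: Optional[str] = None
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if href is None:
            return
        if tag == "base" and self.base is None:  # browsers honour only the first <base>
            self.base = href
        elif tag == "a":
            self.anchors.append(href)


def hex_ratio(s: str) -> float:
    """Fraction of the string made up of %XX escapes (counts each '%' as a
    three-character escape, which is exact for well-formed encoding)."""
    return min(1.0, s.count("%") * 3 / max(len(s), 1))


def analyze_message(html_body: str) -> dict:
    """Resolve every anchor against the <base href> the way a browser does,
    then decode it so content filters see the real host, path and email."""
    collector = _LinkCollector()
    collector.feed(html_body)
    base_raw = collector.base or ""
    links = []
    for raw in collector.anchors:
        final_raw = urljoin(base_raw, raw)   # browser-side join, still encoded
        final = unquote(final_raw)           # what the server will decode it to
        parts = urlsplit(final)
        host = parts.hostname or ""
        links.append({
            "raw_href": raw,
            "final_url": final,
            "host": host,
            "prefilled_email": parse_qs(parts.query).get("email", [None])[0],
            "suspect_host": host.endswith(SUSPECT_HOST_SUFFIXES),
        })
    reasons = []
    if hex_ratio(urlsplit(base_raw).path) > 0.5:
        reasons.append("base href path is mostly percent-encoded")
    if any(link["suspect_host"] for link in links):
        reasons.append("link resolves to an Azure storage or web app host")
    if any(link["prefilled_email"] for link in links):
        reasons.append("link carries the recipient's email address")
    return {"base_raw": base_raw, "links": links,
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed sample resembling the "server error" lure; the account name
# "example-account" is a placeholder, not a real storage account.
SAMPLE_BODY = (
    "<html><head>"
    '<base href="https://example-account.blob.core.windows.net'
    '/%6f%33%36%35/%72%65%76%69%65%77/">'  # "/o365/review/" hex encoded
    "</head><body>"
    "<p>Delivery of 3 messages was delayed due to server errors.</p>"
    '<a href="index.html?email=victim%40example.com">Review Message</a>'
    "</body></html>"
)

if __name__ == "__main__":
    report = analyze_message(SAMPLE_BODY)
    for link in report["links"]:
        print(link["final_url"], "->", link["prefilled_email"])
    print("suspicious:", report["suspicious"], report["reasons"])
```

Decoding only after the join matters: a browser does not decode `%2f` in a path before resolving relative links, so decoding first could produce a different final URL than the one the victim's browser requests.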
Proof of Concept
The test email shown below was not only delivered successfully but also arrived without any link scanning taking place.
Users have to check that they are on the genuine page. In this example the page is served with a valid certificate for the Azure wildcard domains (*.blob.core.windows.net / *.azurewebsites.net), so the browser padlock gives no warning and spotting the fake is hard. The reliable tell is the hostname: the Office 365 sign-in page lives on login.microsoftonline.com, not on a storage account or web app hostname. Notably, the page carries no particular company branding.
Users in organizations should report any suspicious emails and refrain from clicking on the links inside the emails.
Organizations ought to deploy multi-factor authentication (MFA), which limits what an attacker can do with a harvested password, and ensure that their employees are trained to handle suspicious emails.