In this tutorial, we examine how hackers, nation-state actors, and cybercriminals use percent-encoding to deceive and bypass the secure email gateways that companies deploy.
Adversaries rely on Google to decode the encoded URL data on the fly, and they use various tactics to conceal the actual destination of the payload.
The malicious phishing email originates from a compromised email address belonging to a well-known corporation and notifies recipients that a new invoice is pending payment.
The email contains an embedded yellow hyperlink button that the deceived victims are expected to click in order to view the invoice.
An employee who has not been adequately trained to detect phishing emails may not be able to distinguish the hyperlink's real destination from the one it appears to have.
Even secure email gateways may fail to make that distinction if the attacker has prepared well.
A close examination of the embedded hyperlink reveals that Google is being used to redirect the recipient to the final destination of the malicious payload.
The beginning of the URL (“
The highlighted red string is the payload: a percent-encoded string. Bear in mind that percent-encoding replaces a character with a ‘%’ followed by two hexadecimal digits giving that character's byte value.
The majority of modern web browsers accept URLs that contain these hexadecimal character representations and automatically decode them back into ASCII on the fly, without requiring any interaction from the user.
Once potential victims click the hyperlink inside the malicious email, their web browser takes them to Google with the encoded string as the query. Google therefore acts as a redirector that forwards the victim to the final destination of the malicious payload.
As a result, hackers and cybercriminals find this method useful and reliable for ensuring that their malicious payloads reach their targets, and it is enough to evade the basic URL and domain checks performed by secure email gateways.
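The gateway-side check that the preceding paragraphs call for, written as an added example (this is not code from the original article): it percent-decodes a hyperlink repeatedly to catch double encoding, recognises when a trusted host such as Google is merely bouncing the click onward through a redirect-style query parameter, and reports the host the victim would actually land on. The redirector parameter names (`q`, `url`, `u`), the trusted-host list and the sample links are assumptions constructed for illustration; the article does not name them.

```python
"""Detect percent-encoded, redirector-wrapped phishing links in email hyperlinks.

Added example, not the original article's code. Parameter names, hosts and
sample URLs below are constructed assumptions for illustration only.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Hosts a gateway would normally trust but that can forward a click elsewhere (assumed list).
TRUSTED_REDIRECTORS = {"www.google.com", "google.com"}
# Query parameters commonly carrying a destination URL (assumption, not from the article).
REDIRECT_PARAMS = ("url", "q", "u")

PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
# A value worth following: optional scheme, then something shaped like host.tld, then path/end.
URL_SHAPE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)

# Constructed sample hyperlinks as a filter would see them in an inbound message.
SAMPLE_LINKS = [
    "https://www.google.com/url?q=https%3A%2F%2Finvoice-portal.example%2Flogin",   # single encoding
    "https://www.google.com/url?q=https%253A%252F%252Fdouble.example%252Fx",       # double encoding
    "https://www.google.com/search?q=quarterly+invoice",                           # ordinary search, benign
    "https://mail.example.com/inbox",                                              # no redirector at all
]


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until no %XX escapes remain or the round limit is reached."""
    for _ in range(max_rounds):
        if not PERCENT_ESCAPE.search(value):
            break
        value = unquote(value)
    return value


def final_destination(url: str, max_hops: int = 5) -> str:
    """Return the host the victim ends up on after unwrapping nested redirect parameters."""
    current = url
    host = ""
    for _ in range(max_hops):
        parsed = urlparse(current)
        host = (parsed.hostname or "").lower()
        if host not in TRUSTED_REDIRECTORS:
            return host
        params = parse_qs(parsed.query)  # parse_qs already undoes one layer of %-encoding
        inner = next((params[p][0] for p in REDIRECT_PARAMS if p in params), None)
        if inner is None:
            return host  # trusted host, no redirect parameter
        inner = fully_decode(inner)  # catch double/triple encoding
        if not URL_SHAPE.match(inner):
            return host  # parameter is a plain search term, not a destination
        current = inner if "://" in inner else "http://" + inner
    return host


def analyze_link(url: str) -> dict:
    """Summarise why a link is suspicious: encoding present, trusted host abused as redirector, real destination."""
    outer_host = (urlparse(url).hostname or "").lower()
    dest = final_destination(url)
    return {
        "outer_host": outer_host,
        "destination": dest,
        "percent_encoded": bool(PERCENT_ESCAPE.search(url)),
        "redirector_abuse": outer_host in TRUSTED_REDIRECTORS and dest != outer_host,
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(analyze_link(link))
```

A domain check that looks only at `outer_host` passes every one of the sample links, because each outer host is either Google or the organisation's own mail server; it is the `destination` field, obtained only after decoding and unwrapping, that a gateway should compare against its reputation and allow-lists.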
Furthermore, the phishing web page is merely a façade imitating the Office 365 login portal, built to steal enterprise users' credentials.
Adversaries favour Office 365 because they know that many enterprises today depend on it.