Attackers continue to use URL rewriting to hide their phishing links from email security filters, according to researchers at Abnormal Security.
URL rewriting is a security technique used by many email security platforms: links in inbound mail are replaced with a URL on the vendor's own domain, so the destination can be checked at click time before the user is allowed through. The side effect is that the link the recipient (and any downstream filter) sees now carries the vendor's trusted domain rather than the original one, and that is exactly what can be abused to mask a phishing link.
“In the first step of the attack, the threat actor compromises an email account belonging to a customer of an email security solution that leverages URL rewriting (not the target of the actual email attack presented hereafter),” the researchers write.
“The threat actor then sends an email to that same compromised account containing a unique URL, which will get rewritten rather than blocked. Once the threat actor has that rewritten URL, a new email is sent from the compromised account to the threat actor’s next victims containing that rewritten URL.”
This new email impersonates a Microsoft security alert informing the user that a malicious link was blocked. The email contains a link to view details about the alert.
“Because this message originates from a legitimate account, passes email authentication, and contains a unique, rewritten URL from a legitimate security control, the victim’s secure email gateway (SEG) delivers the message and rewrites the already-rewritten URL,” Abnormal says.
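The detection signal in the paragraph above is the double wrap: a link that unwraps to another rewriter's link, whose reputation is then inherited by the outer one. The following Python is an added example written for this page, not code from Abnormal Security or any email security product. It assumes two hypothetical rewriter hosts and their query parameter names (`links.seg-one.example` with `url=`, `safe.seg-two.example` with `target=`); real products use their own hosts and parameters, which you would substitute. The sample URLs are constructed inline.

```python
from urllib.parse import urlparse, parse_qs, quote

# Assumption: hypothetical rewriter services and the query parameter that
# carries the wrapped destination. Replace with the hosts/parameters of the
# rewriting products actually in your mail path.
REWRITERS = {
    "links.seg-one.example": "url",
    "safe.seg-two.example": "target",
}

MAX_DEPTH = 5  # guard against pathological or self-referencing wrappers


def unwrap_once(url):
    """Return the URL wrapped by a known rewriter, or None if url is not a rewrite."""
    parsed = urlparse(url)
    param = REWRITERS.get(parsed.netloc.lower())
    if param is None:
        return None
    values = parse_qs(parsed.query).get(param)  # parse_qs percent-decodes once
    if not values:
        return None
    inner = values[0]
    # Only accept an absolute http(s) URL as the wrapped destination.
    if urlparse(inner).scheme not in ("http", "https"):
        return None
    return inner


def unwrap_chain(url):
    """Follow nested rewrites outward-in; returns [outer, ..., final destination]."""
    chain = [url]
    for _ in range(MAX_DEPTH):
        inner = unwrap_once(chain[-1])
        if inner is None or inner == chain[-1]:
            break
        chain.append(inner)
    return chain


def analyze(url):
    """Classify a link: how many rewriter layers it has and where it really lands."""
    chain = unwrap_chain(url)
    depth = len(chain) - 1
    final = chain[-1]
    return {
        "chain": chain,
        "rewrite_depth": depth,
        "final_host": urlparse(final).netloc.lower(),
        # A link already wrapped by another rewriter is the pattern described in
        # the article: judge the final host, not the trusted wrapper domain.
        "nested_rewrite": depth >= 2,
    }


# Constructed sample input (not real URLs): a phishing destination wrapped by
# one rewriter, then wrapped again by a second rewriter on delivery.
FINAL_URL = "https://attacker-site.example/oauth-consent"
SAMPLE_SINGLE = "https://links.seg-one.example/v1/redirect?url=" + quote(FINAL_URL, safe="")
SAMPLE_DOUBLE = "https://safe.seg-two.example/?target=" + quote(SAMPLE_SINGLE, safe="")
SAMPLE_PLAIN = "https://example.org/report"


if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_SINGLE, SAMPLE_DOUBLE):
        result = analyze(sample)
        print(result["rewrite_depth"], result["nested_rewrite"], result["final_host"])
```

The point of unwrapping rather than trusting the wrapper is that a rewriter's domain is, by design, reputable; only the innermost host tells you where the click actually ends up. A depth of two or more is not proof of abuse (two SEGs in series will legitimately produce it), but it is the condition under which one product's verdict is being laundered through another, and the final host should be evaluated as if it were the bare link.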
If the user clicks the link, they’ll be sent to a website that attempts to trick them into installing an OAuth app that gives the attacker access to their Microsoft 365 account.
“[T]he user is redirected to another website and must solve a CAPTCHA. After this, they’re prompted to allow the installation of an OAuth application,” the researchers write. “This grants the attacker permission to access their M365 account. Instead of a traditional phishing attack, the user unknowingly installs an add-on that gives the attacker ongoing access to the account, even if the user changes their password. The only way to stop this access is by removing the add-on from the account.”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Abnormal Security has the story.