Detecting Sandboxes
Microsoft recently discovered a phishing campaign that could avoid automated analysis by detecting security sandboxes (automated analysis). The campaign uses URLs that could spot sandboxes and switch the redirected URL to a legitimate page or website instead of the phishing landing page.
"We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defense evasion and social engineering," said Microsoft.
"The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc."
This method makes sure that only real people or to say potential victims reach the landing page and not security researchers and automated security scans. Thereby reducing their chance of being blocked.
These emails are also very well crafted and obscure - another way to dupe email gateways.
Inserting Custom Sub-domains
Another way these attackers have found to make phishing URLs more legitimate is by inserting custom subdomains for each user with their name and their organization's name.
"This unique subdomain is added to a set of base domains, typically compromised sites," Microsoft explained.
"Notably, the phishing URLs have an extra dot after the TLD, followed by the Base64-encoded email address of the recipient."
"The unique subdomains also mean huge volumes of phishing URLs in this campaign, an attempt at evading detection."
Inverting Images of Webpages
This particular campaign uses inverted images (as the landing page) of the webpage they are trying to imitate. The security defenses receive this page thereby escaping detection.
The phishing kit reverses the inverted page to look like the original (using Cascading Style Sheets (CSS) ) for the user.
Google Ads
A pretty neat trick used by phishing campaigns is by misusing Google Ads and Google Cloud Services, Microsoft Azure, Microsoft Dynamics, and IBM Cloud to host phishing pages that look legitimate and surpass secure email gateways.
