What We Do
How we do it
Resources
TRU INTELLIGENCE CENTER
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
SECURITY ADVISORIES
Nov 21, 2022
ProxyNotShell Exploit Released
THE THREAT eSentire is aware of public Proof-of-Concept (PoC) exploit code for the ProxyNotShell Exchange vulnerabilities (CVE-2022-41040 [CVSS:8.8], CVE-2022-41082 [CVSS:8.0]). The publication of…
Read More
View all Advisories →
Company
ABOUT ESENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Nov 07, 2022
Global Cybersecurity Leader eSentire Partners with InfoTrust to Deliver 24/7 Multi-Signal MDR and IR Services Across Australia
Waterloo, ON and Sydney, Australia – November 9, 2022 – eSentire, Inc., the Authority in Managed Detection and Response (MDR), today announced it has expanded its presence in Australia via a strategic partnership with InfoTrust. InfoTrust is a leading specialized cybersecurity provider that combines next-generation security controls, with the InfoTrust “Connective Tissue” of customer success,…
Read More
Partners
PARTNER PROGRAM
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
ECOSYSTEM PARTNER RESOURCES
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Blog — Jul 12, 2019

Threat actors using HEX encoded links to bypass phishing defenses

4 minutes read
Speak With A Security Expert Now

Overview:

Recently eSentire Threat Intelligence observed an increase in credential phishing pages hosted on Microsoft Cloud Services. Leveraging services such as Azure Blob Storage or SharePoint for phishing is not new and has been reported previously. Recent observations from our customer base in July 2019 indicate that attackers continue to see success in leveraging these services and are expending effort to circumvent email filtering by HEX encoding links (likely a response to increased scrutiny on these services).

Earlier this week, eSentire posted a security advisory for our customers on this new technique, and this blog post will aim to provide a more in-depth technical exploration of the use of HEX encoding to bypass traditional anti-phishing defenses.

Technical Review:

Use of Microsoft Cloud Services

Hosting phishing pages on cloud services provides significant advantages with relatively low effort/costs. A basic WordPress site on Azure Blog Storage can be built relatively quickly and provides a valid TLS certificate and domain for credential harvesting.

Similarities to BaseStriker

This HEX encoding of links does bear similarities to the previously disclosed ‘BaseStriker’ method for bypassing advanced security controls like ATP or Safe Links by abusing the <base> URL tag.

In this new example, however, the attackers have defined the HEX encoded malicious link within the <base href> within the message body, and then combining the user specific information from the <a href> link also within the message body.

HEX Encoding

While observed use of the aforementioned cloud services has gone on for some time, the use of HEX encoding presents a relatively low-effort obfuscation method and is likely a response to increased scrutiny. Once a new method is seized upon by attackers, it's common for them to try and squeeze as much out of it as possible to try and extend its shelf-life. From an attacker's perspective, it's often easier to adapt than it is to start fresh (PowerShell execution techniques are an excellent example of this).

The phishing campaign observed by eSentire leads the user to believe that server errors are delaying message delivery and attempts to prompt the user to click on 'Review Message'.

[image src="/assets/Figure1.png" id="2303" width="701" height="435" class="center ss-htmleditorfield-file image" title="Figure1"]

Looking closer at the email, and what makes this event slightly different than previously observed campaigns that utilize Microsoft Cloud Services is the use of URL HEX encoding within the message body - presumably being used to circumvent URL content-based filtering, link filtering etc. An example from the message header is displayed below.

[image src="/assets/Figure2.png" id="2304" width="695" height="114" class="center ss-htmleditorfield-file image" title="Figure2"]

If a user were to follow the link within the 'Review Message' link contained within the email message (Figure 1) – they would be presented with a very convincing phishing page that impersonates a Microsoft Office 365 login page. The 'Review Message' link contained within the phishing email will also pass the phished email addresses, along with the phishing link (e.g. the target users email address will be pre-populated in the Office phishing site). An example of the function that provides the mechanism is highlighted below.

[image src="/assets/Figure3.png" id="2305" width="739" height="60" class="leftAlone ss-htmleditorfield-file image" title="Figure3"]

Again, if the link is followed, the following phishing site that is impersonating the legitimate Office 365 Login page is presented, along with the passed target user/email address – the below figure is the resulting landing page.

[image src="/assets/Figure4.png" id="2306" width="1027" height="350" class="center ss-htmleditorfield-file image" title="Figure4"]

When a targeted user falls victim to this phishing site, there is a JavaScript function contained within the phishing page that will relay the pre-populated email address, and the entered password to a target domain of the attacker's choice. In this example, the content of the 'sendmails()' script is displayed below.

[image src="/assets/Figure5.png" id="2307" width="900" height="374" class="center ss-htmleditorfield-file image" title="Figure5"]

Bypassing a Leading Email Protection Provider

After initial observation, eSentire notified our email protection provider about the HEX encoded link technique, and at the time of publication of this blog they are still developing a preventative measure. To further validate this finding with our email protection provider, a simple proof of concept was created to highlight the lack of scanning for HEX encoded URL’s within the <base href> field.

[image src="/assets/Figure6.png" id="2308" width="1460" height="547" class="center ss-htmleditorfield-file image" title="Figure6"]

The resulting test email was then successfully delivered without any link scanning.

[image src="/assets/Figure7.png" id="2309" width="849" height="531" class="center ss-htmleditorfield-file image" title="Figure7"]

Also, for comparison a screenshot highlighting that link scanning successfully detecting the previously mentioned BaseStriker method described here.

[image src="/assets/Figure8.png" id="2310" width="1125" height="614" class="center ss-htmleditorfield-file image" title="Figure8"]

Additional Observations

Recommendations

As with any login portal, users need to ensure they are on the correct page. This example utilizes a legitimate (*.blob.core.windows.net / *.azurewebsites.net) certificate, so detection can be a little tricky from an end-user perspective, but also lacks organization-specific branding. Here are some steps you can follow to protect yourself from these types of attacks:

View Most Recent Blogs
eSentire Threat Intel
eSentire Threat Intel Threat Intelligence Research Group