September 20, 2022

One Phishing Email, Multiple Evasion Techniques

By Yuval Ezuz

With organizations using increasingly more security products to protect their email from malicious messages, attachments and links, phishing attempts have had to become more sophisticated. This is an ongoing process in which attackers develop new techniques that help them evade email security solutions to reach their end-user targets.

We have recently come across a phishing email caught by Datto SaaS Defense which utilized multiple evasion techniques, each targeting a different detection mechanism. These techniques, when combined together, allowed it to bypass many email security solutions.

In this blog post, I will take you through the different evasion techniques used in this attack, explain why they help the attack go undetected and suggest how they could be identified.

The attack and its evasion techniques

The email itself lures the user to click a link by informing them that their Office 365 password is about to expire. The user clicks the link in order to update their password and reach this fake Microsoft login webpage: 

Take a careful look at this webpage. There are several evasion techniques that make this page look unsuspicious to email security solutions.

Favicon evasion

The favicon (the icon on the browser tab) differs slightly from the real Microsoft favicon: the attacker swapped the red and yellow tiles and used a white border instead of a black one.

On the left: the fake Microsoft favicon; on the right: the real Microsoft favicon

This can cause template matching errors (template matching is a method security solutions use to identify phishing webpages by comparing page images against known brand assets), especially if the comparison is not done in grayscale. The modified favicon thus helps the attack evade phishing detection engines.

Logo evasion

The Microsoft logo used in the fake login webpage is slightly different from the original Microsoft logo. As you can see in the image, the attacker used a similar but not identical font as well as bold letters. 

On the left: the fake logo; on the right: the real Microsoft logo

This could cause template matching errors if the Microsoft wordmark is part of the template, further increasing the chance that phishing detection engines miss the attack.

Form evasion

The page might look like it contains a regular form, but it doesn’t use the actual <form> tag in HTML as a legitimate Microsoft website would. The attackers created the ‘form’ using <div> tags and CSS to look exactly the same, as you can see in the following HTML code.

Many phishing detection engines scan the HTML for a <form> tag in order to inspect the form and reveal credential theft attempts. Because the page looks like a legitimate form, victims see nothing suspicious; because there is no <form> tag in the HTML, phishing detection engines cannot identify the illegitimate form.

Using <div> instead of a form

Suspicious text in images

Some phishing detection engines scan the webpage for fields that ask for the user’s password (typically variations of the phrase ‘enter password’). They then investigate these fields to check if they are legitimate.

In this phishing webpage, the attackers used images of the text instead of the actual text whenever the word password was written.

This is one of three places on the same phishing webpage where an image of the text ‘enter password’ is used instead of actual text. The same was done for the password ‘placeholder’ and the ‘forgot my password’ text – both are images.

This method may allow the attack to bypass email security solutions that scan the webpage for phishing attempts, as the detection engine doesn’t recognize the word ‘password’ and thus doesn’t suspect the page to be used for credential harvesting.

Input field in disguise

Another technique phishing detection engines may use is scanning the HTML for input fields, whose presence indicates a possible credential theft attempt. In this case, the attackers hid the input field by creating an empty div with a background image showing the word password. This is another tactic that helps this email attack bypass email security solutions.

An empty div with a background image of the word ‘password’.

The following screenshot shows that the ‘Input’ field is actually an empty div (with the id of ‘spinput’):

The <div> is empty

Once the user clicks this div, a new div is created with the id of ‘inpfield’. This div acts as a text input field to which the user can enter their password.

The <div> is not empty anymore

To make this look real to the user, there is a placeholder with the word ‘password’. To evade detection, the attackers inserted &shy; (the HTML entity for a soft hyphen) between the letters of the word ‘password’. A soft hyphen renders as nothing in the browser, so the user won’t suspect a thing, while detection engines searching for the string ‘password’ wouldn’t find it.

Looking carefully, one may notice that the word password in the ‘input’ field has changed after clicking it from an image to a placeholder. This is how it looks after clicking the fake password field:

The password placeholder after clicking it

Usually, when legitimate webpages use a password field, they use <input> with type password so that the browser shows black dots instead of the typed text. In this case, the text is inside the <div> and JavaScript code replaces the typed characters with the black dots that the user sees.

The text is inside the <div> and the values are changed to black dots.
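The checks suggested across the last four sections (no <form> tag, no <input> tag, a div wired up to act as an input, the word ‘password’ hidden with &shy;, and a script that paints bullet characters) can be expressed as a single static scan of the page HTML. The script below is an added example written for this post, not code from Datto or SaaS Defense. The HTML sample is constructed to mimic the described page: the ids spinput and inpfield come from the post, while the file names, the data-placeholder attribute, the makeField function and the scoring thresholds are my own assumptions.

```python
"""Static indicators for a credential page that avoids <form> and <input>.

Added example; the HTML samples below are constructed, not captured.
"""
import unicodedata
from html import unescape
from html.parser import HTMLParser

# Code points that render as nothing (soft hyphen, zero-width characters)
# yet break a naive substring search for words such as "password".
INVISIBLE = {"\u00ad", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def normalize(text: str) -> str:
    """Decode entities such as &shy;, drop invisible code points, fold case."""
    text = unescape(text)
    text = "".join(ch for ch in text if ch not in INVISIBLE)
    return unicodedata.normalize("NFKC", text).casefold()


class LoginPageScanner(HTMLParser):
    """Collects the structural signals a <form>-less credential page leaves behind."""

    def __init__(self) -> None:
        super().__init__()
        self.forms = 0
        self.inputs = 0
        self.fake_inputs: list[str] = []   # ids of div/span elements wired like inputs
        self.images = 0
        self.text_parts: list[str] = []    # visible text plus raw attribute values
        self.script_parts: list[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        pairs = [(k, v or "") for k, v in attrs]
        self.text_parts.extend(v for _, v in pairs)
        if tag == "form":
            self.forms += 1
        elif tag == "input":
            self.inputs += 1
        elif tag == "img":
            self.images += 1
        elif tag == "script":
            self._in_script = True
        elif tag in ("div", "span"):
            # An editable, focusable or event-handled container is doing an
            # <input>'s job without the tag (heuristic, assumed here).
            if any(k in ("contenteditable", "tabindex") or k.startswith("on")
                   or (k == "role" and v == "textbox") for k, v in pairs):
                self.fake_inputs.append(dict(pairs).get("id", tag))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.script_parts if self._in_script else self.text_parts).append(data)


def scan(html: str) -> dict:
    """Return the evasion indicators found in one page plus a simple verdict."""
    p = LoginPageScanner()
    p.feed(html)
    p.close()
    raw = " ".join(p.text_parts)
    script = " ".join(p.script_parts)
    findings = {
        "forms": p.forms,
        "inputs": p.inputs,
        "fake_inputs": p.fake_inputs,
        "images": p.images,
        # raw False but normalized True means the word was deliberately hidden
        "password_keyword_raw": "password" in raw.casefold(),
        "password_keyword_normalized": "password" in normalize(raw),
        # a script that paints U+2022 bullets is masking typed text by hand
        "script_masks_text": "\u2022" in script or "&#8226;" in script,
    }
    login_like = findings["password_keyword_normalized"] or findings["script_masks_text"]
    no_real_form = findings["forms"] == 0 and findings["inputs"] == 0
    findings["verdict"] = ("suspicious" if no_real_form and findings["fake_inputs"]
                           and login_like else "no finding")
    return findings


# Constructed sample mimicking the page described in the post.
SAMPLE = """<html><head><title>Sign in to your account</title></head><body>
<img src="logo.png" alt="">
<div id="spinput" onclick="makeField()"></div>
<img src="enterpw.png" alt="">
<div id="inpfield" contenteditable="true" data-placeholder="pass&shy;word"></div>
<img src="forgot.png">
<div class="btn">Sign in</div>
<script>
function makeField(){ var f = document.getElementById('inpfield');
  f.addEventListener('input', function(){ shown.textContent = '\u2022'.repeat(f.dataset.raw.length); });
}
</script></body></html>"""

# Constructed benign login page with a real form and input for comparison.
BENIGN = """<html><body><form action="/login" method="post">
<label for="pw">Password</label>
<input id="pw" type="password" name="password">
<button type="submit">Sign in</button></form></body></html>"""

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, scan(page))
```

The scan is purely static, so it cannot see the ‘enter password’ text that lives inside images; a sandboxed render with OCR over the screenshot covers that case. The verdict rule is deliberately conservative (no form, no input, at least one input-like div, and either a hidden ‘password’ string or bullet-painting script), so the counts and flags are more useful as features for a broader engine than as a stand-alone decision.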

What can you do about it?

Phishing is expected to keep evolving and security solutions will have to keep up the pace to prevent phishing attacks from evading their detection engines.

While most email security solutions depend on data from known phishing attempts, Datto SaaS Defense takes a data-independent approach. Datto SaaS Defense detects brand new and unknown phishing threats that other solutions miss by analyzing the composition of a safe email, URL and webpage instead of scanning for known phishing techniques. This is why this particular attack (as well as many others) was stopped by Datto SaaS Defense but bypassed other email security solutions.  

If you’re interested in learning more, register for our webinar.
