Email security products use URL rewriting: they alter every URL they find in an email body or its attachments so that a user's click goes first to a security server or checkpoint. There the URL is checked against known threat databases and organization-set policies, and its safety is verified, before the user is redirected to the intended destination.
In this blog, I will share some techniques that attackers use to bypass email security to deliver their phishing web pages.
Technique 1 – Dynamic URL generation
This technique uses HTML/JS to generate the URL dynamically, obfuscating it by splitting it into parts and concatenating them at run time. That makes it less obvious to email security engines that only inspect URLs found in static code.
<!DOCTYPE html>
<html>
<body>
  <a id="dynamic-link" href="#" target="_blank">Click here to open the link</a>
  <script>
    // Assemble the URL from fragments only after the document has loaded
    document.addEventListener('DOMContentLoaded', function() {
      var notaurlyet = 'example';
      var iamincompletewithout = ".com";
      var iamurl = "htt" + "ps://" + notaurlyet + iamincompletewithout;
      // The static markup only ever contains href="#"
      document.getElementById('dynamic-link').href = iamurl;
    });
  </script>
</body>
</html>
When the .html file is attached to an email and passes through email security, the links in the attachment aren't rewritten, because an engine that looks for URLs in static code never encounters one. As a result, the click on the URL bypasses the email security check.
Technique 2 – Encoding
This technique uses a base64-encoded URL to obfuscate the presence of the URL. An email security engine that only rewrites URLs found in static code will not identify a URL that JavaScript sets when the document loads.
<!DOCTYPE html>
<html>
<body>
  <a id="dynamic-link" href="#" target="_blank">Click here to open the link</a>
  <script>
    // Assemble the URL from fragments only after the document has loaded
    document.addEventListener('DOMContentLoaded', function() {
      var notaurlyet = 'example';
      var iamincompletewithout = ".com";
      var iamurl = "htt" + "ps://" + notaurlyet + iamincompletewithout;
      // The static markup only ever contains href="#"
      document.getElementById('dynamic-link').href = iamurl;
    });
  </script>
</body>
</html>
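From the defender's side, both techniques leave the same static footprint: a placeholder href plus a script that assigns `.href`. The following added example (not from the original post) is a minimal Node.js resolver that a scanning pipeline could run over HTML attachments to recover such URLs without executing the script; the function names and sample attachments are assumptions constructed for illustration.

```javascript
// Added example. Resolves only string literals, '+' concatenation, previously
// declared variables and atob("..."); anything else is skipped, never executed.
const TOKEN = /(["'])((?:\\.|(?!\1).)*)\1|atob\(\s*(["'])([A-Za-z0-9+\/=]*)\3\s*\)|([A-Za-z_$][\w$]*)/g;
const GLUE = /^[\s+]*$/; // only whitespace and '+' may sit between tokens

function resolveExpr(expr, vars) {
  let out = '', last = 0;
  for (const m of expr.matchAll(TOKEN)) {
    if (!GLUE.test(expr.slice(last, m.index))) return null;
    last = m.index + m[0].length;
    if (m[1]) out += m[2];                                                // string literal
    else if (m[3]) out += Buffer.from(m[4], 'base64').toString('latin1'); // atob("...")
    else if (vars.has(m[5])) out += vars.get(m[5]);                       // known variable
    else return null;                                                     // unknown name or call
  }
  return GLUE.test(expr.slice(last)) ? out : null;
}

// Returns every http(s) URL that a script in the attachment assigns to an href.
function findDynamicLinks(html) {
  const urls = [];
  for (const s of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const vars = new Map();
    for (const stmt of s[1].split(';')) { // naive split: fine for flat scripts
      const decl = stmt.match(/\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*([\s\S]+)$/);
      const href = stmt.match(/\.href\s*=\s*([\s\S]+)$/);
      const value = resolveExpr((decl ? decl[2] : href ? href[1] : '').trim(), vars);
      if (value === null) continue;
      if (decl) vars.set(decl[1], value);
      else if (href && /^https?:\/\//i.test(value)) urls.push(value);
    }
  }
  return urls;
}

// Constructed sample attachments: one concatenated URL, one base64-encoded URL.
const SAMPLE_CONCAT = `<a id="l" href="#">open</a><script>
document.addEventListener('DOMContentLoaded', function() {
var a = 'example'; var b = ".com";
var u = "htt"+"ps://"+a + b;
document.getElementById('l').href = u;
});
</script>`;
const SAMPLE_B64 = `<a id="l" href="#">open</a><script>
var u = atob("aHR0cHM6Ly9leGFtcGxlLmNvbQ==");
document.getElementById('l').href = u;
</script>`;

console.log(findDynamicLinks(SAMPLE_CONCAT), findDynamicLinks(SAMPLE_B64));
```

URLs returned by `findDynamicLinks` can be passed to the same rewriting and reputation checks that are applied to links found in static markup.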