Copy1: Phishing Attack Evading All Email Security

Your email security has a vulnerability that hackers are exploiting right now to deliver phishing links straight to your inboxes. This attack is currently bypassing all email security filters.

The Attack

Currently circulating phishing links trick your security analyzers by sending them to safe sites while sending you and your employees to malicious sites. After your security system correctly identifies that it’s visiting a good site, it hands control back to the phishing link so that it takes you to a malicious site.

Hackers have been using this technique to bypass your security for seven years.

Rhino Security Labs tested the current vulnerability of Microsoft’s service. The publicly known IP addresses for Microsoft’s scanners were sent to good sites; all other IP addresses were sent to phishing sites. On February 19, 2019, the researchers reported, “our success rates were high while detection remained low.”


Perhaps you’re curious why you’ve never been told about a well-documented, widely-used attack that routinely delivers phishing links straight to your inboxes. This is where the history takes an even more unfortunate turn:

The blog’s author understood Microsoft to basically be saying that the ability for these attacks to effortlessly bypass all security was a feature, not a bug. Sadly, we’re not kidding. Based on Microsoft’s response, the blog author wrote:

“With this technique, an attacker could simply block or re-direct requests from the Exchange Online Protection infrastructure – yup, it’s as simple as that. It’s less of a vulnerability and more of a non-ideal configuration.

It’s essential to note this attack bypasses all of Microsoft’s security mechanisms. Microsoft keeps selling a security service that it knows is being bypassed in its entirety by design for years; while never informing would-be customers about it.

More Bad News

As if the history of this attack wasn’t bad enough, it only continued to worsen. Rhino Security Labs reports on a free, downloadable tool recently released that fully automates this attack on behalf of non-technical attackers. Now anyone can bypass your email security whenever they want.

Rhino Security Labs reports that this tool, called mkhtaccess_red, can effectively “bypass known sandbox and threat protection providers.” This tool regularly updates its list of IP addresses to ensure that it evades all popular link scanners, sandboxes, and threat protection services (including Microsoft, Proofpoint, Forcepoint, Fortigate, McAfee, zScaler, Mimecast, Barracuda, ScanSafe by Cisco, and many more).

Incredibly, evading virtually all email security is now as easy as 1-2-3:

  1. Set up a phishing site.
  2. Install mkhtaccess_red.
  3. Tell mkhtaccess_red the good destination to use for sandboxes and link scanners.

That’s it. When sandboxes and link scanners visit the site, they will only experience the good destination. Everyone else will get the phishing site. With downloadable tools, any phishing site can install effective evasion literally in seconds.

Bottom Line: This is a security worst-case scenario. This attack consistently bypasses the most widely used security systems in their entirety; is instantly accessible to even the least-savvy hacker; and your cybersecurity vendors don’t tell you about it because it basically invalidates all of their security in one fell swoop. This is one attack vector you and your company must eliminate now.

Patented Solution

This has been the seven-year paradox: phishing links can consistently send scanners to good sites and send everyone else to bad sites. Cybersecurity vendors continued selling services they knew were effortlessly bypassed because the paradox seemed inescapable. Sadly, companies continued buying services without ever being told that these services were effortlessly being bypassed by a well-known, widely-used attack.

Our founder, cybersecurity inventor Michael Wood, sought a way to break free of this paradox. One day, a profoundly elegant epiphany struck. “Simply don’t hand control back to the phishing link after the analysis is over. Take people straight to the final destination – even if the final destination is just a decoy.” With that epiphany, the problem was finally solved. The exploit that eluded the cybersecurity industry for seven years could finally be ended once and for all.

Michael Wood, our founder, used this epiphany to design PhishViewer (US Patent #10,320,746) – the only anti-phishing technology that doesn’t hand your fate back to the phishing link after analysis is done. See one-minute video below.

PhishViewer ingeniously turns the tables on the seven-year exploit. When a malicious link tricks PhishViewer by showing a safe site; PhishViewer tricks the malicious link by taking you straight to that site. This is the key to blocking phishing links – every single time.


You can see how PhishViewer protects you against threats that no other email security service can. Click the button below to access a cached copy of a real-world email (recipient’s name has been redacted):

Click any link in this email. Notice that your security scanner would see that the path ends at Liberty Mutual, and therefore would hand control back to the original link (which may or may not send you down the same path).

In stark contrast, PhishViewer takes you straight to Liberty Mutual, bypassing the possibility of an exploit 100%. With PhishViewer, this all-too-common problem is truly solved.

Take Action Now

If you want to stop phishing links, you must use PhishViewer. Every day that you wait is another day that phishing emails are reaching your mailbox, and the mailboxes of your employees. This is one of the few attack warnings that truly needs your immediate attention.

Free Trial Available Now

Note: Hackers employ this same concept to bypass scanning done by the end-point device itself. In the near future, we will provide an article on the variations used to bypass end-point based scanning. For brevity, we have focused on external link scanners given their widespread implementation and use.