Your email security has a vulnerability that hackers are exploiting right now to deliver phishing links straight to your inboxes. This attack is currently bypassing all email security filters.
Currently circulating phishing links trick your security analyzers by sending them to safe sites while sending you and your employees to malicious sites. After your security system correctly identifies that it’s visiting a good site, it hands control back to the phishing link so that it takes you to a malicious site.
Hackers have been using this technique to bypass your security for seven years.
- 2012: Researchers noted, “Dynamic malicious redirection and detection of cloaking are still open issues.”
- 2015: Security Intelligence by Qing Li detailed how this attack successfully bypasses security by Google and others (page 108).
- 2017: A security blog detailed how Microsoft’s Safe Links is fully bypassed via this attack (see Bypass Method #2).
- 2018: Crypton Security reported that the attack continued to be an open issue.
- 2019: Rhino Security Labs documents that this attack is just as effective today.
Rhino Security Labs tested the current vulnerability of Microsoft’s service. The publicly known IP addresses for Microsoft’s scanners were sent to good sites; all other IP addresses were sent to phishing sites. On February 19, 2019, the researchers reported, “our success rates were high while detection remained low.”
Perhaps you’re curious why you’ve never been told about a well-documented, widely-used attack that routinely delivers phishing links straight to your inboxes. This is where the history takes an even more unfortunate turn:
- January 2017: Emtunc’s security blog filed an official pre-publication report with Microsoft regarding this attack.
- February 2017: Microsoft asked the blog to delay publishing the attack.
- March 2017: Microsoft decided that consistently bypassing its security via dynamic URLs isn’t due to a software bug; therefore Microsoft officially closed the case without fixing the gaping hole or warning its customers about it.
The blog’s author understood Microsoft to basically be saying that the ability for these attacks to effortlessly bypass all security was a feature, not a bug. Sadly, we’re not kidding. Based on Microsoft’s response, the blog author wrote:
“With this technique, an attacker could simply block or re-direct requests from the Exchange Online Protection infrastructure – yup, it’s as simple as that. It’s less of a vulnerability and more of a non-ideal configuration.”
It’s essential to note this attack bypasses all of Microsoft’s security mechanisms. Microsoft keeps selling a security service that it knows has been bypassed in its entirety, by design, for years, while never informing would-be customers about it.
More Bad News
As if the history of this attack wasn’t bad enough, it only continued to worsen. Rhino Security Labs reports on a free, downloadable tool recently released that fully automates this attack on behalf of non-technical attackers. Now anyone can bypass your email security whenever they want.
Rhino Security Labs reports that this tool, called mkhtaccess_red, can effectively “bypass known sandbox and threat protection providers.” This tool regularly updates its list of IP addresses to ensure that it evades all popular link scanners, sandboxes, and threat protection services (including Microsoft, Proofpoint, Forcepoint, Fortigate, McAfee, zScaler, Mimecast, Barracuda, ScanSafe by Cisco, and many more).
Incredibly, evading virtually all email security is now as easy as 1-2-3:
- Set up a phishing site.
- Install mkhtaccess_red.
- Tell mkhtaccess_red the good destination to use for sandboxes and link scanners.
That’s it. When sandboxes and link scanners visit the site, they will only experience the good destination. Everyone else will get the phishing site. With downloadable tools, any phishing site can install effective evasion literally in seconds.
Bottom Line: This is a security worst-case scenario. This attack consistently bypasses the most widely used security systems in their entirety; is instantly accessible to even the least-savvy hacker; and your cybersecurity vendors don’t tell you about it because it basically invalidates all of their security in one fell swoop. This is one attack vector you and your company must eliminate now.
This has been the seven-year paradox: phishing links can consistently send scanners to good sites and send everyone else to bad sites. Cybersecurity vendors continued selling services they knew were effortlessly bypassed because the paradox seemed inescapable. Sadly, companies continued buying services without ever being told that these services were effortlessly being bypassed by a well-known, widely-used attack.
Our founder, cybersecurity inventor Michael Wood, sought a way to break free of this paradox. One day, a profoundly elegant epiphany struck. “Simply don’t hand control back to the phishing link after the analysis is over. Take people straight to the final destination – even if the final destination is just a decoy.” With that epiphany, the problem was finally solved. The exploit that eluded the cybersecurity industry for seven years could finally be ended once and for all.
Michael Wood, our founder, used this epiphany to design PhishViewer (US Patent #10,320,746) – the only anti-phishing technology that doesn’t hand your fate back to the phishing link after analysis is done. See one-minute video below.
PhishViewer ingeniously turns the tables on the seven-year exploit. When a malicious link tricks PhishViewer by showing a safe site, PhishViewer tricks the malicious link by taking you straight to that site. This is the key to blocking phishing links – every single time.
You can see how PhishViewer protects you against threats that no other email security service can. Click the button below to access a cached copy of a real-world email (recipient’s name has been redacted):
Click any link in this email. Notice that your security scanner would see that the path ends at Liberty Mutual, and therefore would hand control back to the original link (which may or may not send you down the same path).
In stark contrast, PhishViewer takes you straight to Liberty Mutual, bypassing the possibility of an exploit 100%. With PhishViewer, this all-too-common problem is truly solved.
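The difference between “hand control back to the link” and “take the user straight to the observed destination” can be seen in a few lines of code. The following is an added example, not PhishViewer’s implementation and not code from the page’s author: it simulates a cloaking redirector over a constructed site map (all hostnames are placeholders), follows the redirect chain as either a known scanner address or an ordinary client, and compares where each policy lands the user. The `"user"` client kind is an assumption standing for a request from any address not on the redirector’s scanner list; the final function shows the defender-side check that falls out of the same model, namely that two vantage points landing on different final pages is a cloaking signal.

```python
# Added example: models IP-based redirect cloaking and the two scanner policies
# described above. Not PhishViewer's code; all hostnames are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# (HTTP status, Location header or None for a final page)
Response = Tuple[int, Optional[str]]

START = "http://redirector.example/track?id=42"   # the link in the email
SAFE_SITE = "https://legit-insurer.example/"      # what scanners are shown
PHISH_SITE = "http://phish.example/login"         # what everyone else gets


def _cloaked(client: str) -> Response:
    """The redirector's cloaking rule: known scanner addresses see the safe site."""
    return (302, SAFE_SITE) if client == "scanner" else (302, PHISH_SITE)


# Constructed site map: each entry answers a request from a given client kind.
CONSTRUCTED_SITE: Dict[str, Callable[[str], Response]] = {
    START: _cloaked,
    SAFE_SITE: lambda client: (200, None),
    PHISH_SITE: lambda client: (200, None),
    # A redirect loop, included to exercise the hop guard in resolve_chain.
    "http://loop.example/a": lambda client: (302, "http://loop.example/b"),
    "http://loop.example/b": lambda client: (302, "http://loop.example/a"),
}


def fetch(url: str, client: str) -> Response:
    """Simulated HTTP fetch; unknown URLs return 404 with no Location."""
    handler = CONSTRUCTED_SITE.get(url)
    return handler(client) if handler else (404, None)


@dataclass
class Chain:
    hops: List[str]    # every URL visited, in order
    final: str         # last URL reached
    looped: bool       # redirector sent us in a circle
    truncated: bool    # max_hops reached without a final page


def resolve_chain(url: str, client: str, max_hops: int = 10) -> Chain:
    """Follow redirects as the given client kind and record what was seen."""
    hops = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(url, client)
        if status not in (301, 302, 303, 307, 308) or location is None:
            return Chain(hops, url, looped=False, truncated=False)
        if location in seen:
            return Chain(hops, url, looped=True, truncated=False)
        seen.add(location)
        hops.append(location)
        url = location
    return Chain(hops, url, looped=False, truncated=True)


def landing_if_handed_back(original_url: str) -> str:
    """Policy 1: scan the link, then send the user to the ORIGINAL link."""
    resolve_chain(original_url, "scanner")            # scan sees the safe site
    return resolve_chain(original_url, "user").final  # user is routed elsewhere


def landing_if_pinned(original_url: str) -> str:
    """Policy 2: scan the link, then send the user to the OBSERVED destination."""
    scan = resolve_chain(original_url, "scanner")
    return resolve_chain(scan.final, "user").final


def cloaking_suspected(original_url: str) -> bool:
    """Defender check: two vantage points ending on different pages is a red flag."""
    from_scanner = resolve_chain(original_url, "scanner").final
    from_other = resolve_chain(original_url, "user").final
    return from_scanner != from_other


if __name__ == "__main__":
    print("scanner sees:     ", resolve_chain(START, "scanner").hops)
    print("user sees:        ", resolve_chain(START, "user").hops)
    print("handed back lands:", landing_if_handed_back(START))
    print("pinned lands:     ", landing_if_pinned(START))
    print("cloaking suspected:", cloaking_suspected(START))
```

Under the first policy the scan result is correct and the user still lands on the phishing page, because the redirector is asked a second time by a different address. Under the second policy the user is only ever sent to the page the scanner actually reached, so the redirector’s second answer never matters. The `cloaking_suspected` check needs a second egress address that is not on the redirector’s list, which is exactly what published scanner IP ranges make hard to obtain for a vendor-operated scanner.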
Take Action Now
If you want to stop phishing links, you must use PhishViewer. Every day that you wait is another day that phishing emails are reaching your mailbox, and the mailboxes of your employees. This is one of the few attack warnings that truly needs your immediate attention.
Free Trial Available Now
Note: Hackers employ this same concept to bypass scanning done by the end-point device itself. In the near future, we will provide an article on the variations used to bypass end-point based scanning. For brevity, we have focused on external link scanners given their widespread implementation and use.