Rhino Security Labs performed an eye-opening test: take the publicly known IP addresses of the link scanners, redirect requests arriving from those addresses to a harmless page, and send everyone else to the malicious one. What happened? “We have observed that by redirecting traffic from [Microsoft’s] Exchange Online Protection’s [IP address] ranges away from our landing pages and onto a valid URL on our target organization’s domain, our success rates were high while detection remained low.”
The researchers noted that the attack was very easy to implement because “Microsoft publishes the full list of EOP IP ranges at this page or via API.” In other words, the link-scanning vendors themselves tell attackers exactly which source addresses should be shown the harmless page, which makes the attack almost effortless.
Rhino Security Labs also noted that ready-made tools are freely available to download, so any attacker can use this technique not only to bypass link scanners but also to evade sandboxes and other security services whose scanning IP ranges are known. One such tool is mkhtaccess_red, which generates an Apache .htaccess file of redirect rules from published scanner and sandbox IP ranges.
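To make the mechanism concrete, here is a small added example of the scanner-aware redirect described above, written for this page and not taken from Rhino Security Labs or from mkhtaccess_red. It classifies a client IP against a list of scanner ranges, emits the equivalent Apache 2.4 mod_rewrite rules (the `expr "-R '<cidr>'"` remote-address test), and includes the obvious defender-side check: fetch the link from a scanner address and from an ordinary address and compare where each lands. The CIDR ranges are constructed placeholders from RFC 5737 and RFC 3849 documentation space, not Microsoft's real EOP ranges, and the decoy and landing URLs are hypothetical.

```python
"""Scanner-aware redirect ("cloaking") and a defender-side cloaking check.

Added example for this page; not code from Rhino Security Labs or mkhtaccess_red.
"""
import ipaddress
from typing import Iterable, List

# Constructed placeholder ranges standing in for a published scanner/EOP list.
# These are documentation prefixes (RFC 5737, RFC 3849), NOT Microsoft's ranges.
SCANNER_NETS = [
    ipaddress.ip_network(n)
    for n in ("192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32")
]

# Hypothetical URLs: a valid page on the target's own domain, and the phishing page.
DECOY_URL = "https://target.example/newsroom"
LANDING_URL = "https://login-target.example/auth"


def is_scanner(client_ip: str, nets: Iterable[ipaddress._BaseNetwork] = SCANNER_NETS) -> bool:
    """True if the client address falls inside any published scanner range.

    ipaddress handles mixed v4/v6 safely: a v4 address is never 'in' a v6 network.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def route(client_ip: str, nets: Iterable[ipaddress._BaseNetwork] = SCANNER_NETS) -> str:
    """Decide where a request is sent: scanners see the decoy, everyone else the landing page."""
    return DECOY_URL if is_scanner(client_ip, nets) else LANDING_URL


def render_htaccess(nets: Iterable[ipaddress._BaseNetwork], decoy_url: str) -> str:
    """Emit the same decision as Apache 2.4 mod_rewrite rules.

    `-R '<cidr>'` is the ap_expr operator that tests REMOTE_ADDR against a prefix;
    the conditions are chained with [OR] so any matching range triggers the redirect.
    Assumes Apache 2.4+ with mod_rewrite and AllowOverride permitting .htaccess rules.
    """
    nets = list(nets)
    lines: List[str] = ["RewriteEngine On"]
    for i, net in enumerate(nets):
        flag = " [OR]" if i < len(nets) - 1 else ""
        lines.append(f"RewriteCond expr \"-R '{net}'\"{flag}")
    lines.append(f"RewriteRule ^ {decoy_url} [R=302,L]")
    return "\n".join(lines)


def cloaking_suspected(scanner_view: str, user_view: str) -> bool:
    """Defender-side check: the final destination seen from a scanner-range address
    should equal the one seen from an ordinary client; a mismatch means the link
    is serving different content to the scanner, so its verdict cannot be trusted.
    """
    return scanner_view != user_view


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5", "2001:db8::1"):
        print(f"{ip:>14} -> {route(ip)}")
    print(render_htaccess(SCANNER_NETS, DECOY_URL))
    print("cloaking suspected:", cloaking_suspected(route("192.0.2.10"), route("203.0.113.5")))
```

The practical lesson for defenders follows from `cloaking_suspected`: a scanner whose egress ranges are public can be shown a clean page on demand, so verdicts are only meaningful when at least one fetch comes from address space the attacker cannot enumerate, or when the scanner's result is compared against what a real client was served.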
Bottom Line: Rhino Security Labs demonstrated that this attack not only consistently bypasses popular security services, but is also surprisingly easy to carry out, with ready-made tools to boot.