This attack has been bypassing security systems for seven years:
- 2012: Researchers noted, “Dynamic malicious redirection and detection of cloaking are still open issues.”
- 2015: Security Intelligence, by Qing Li, detailed how this attack successfully bypasses link-scanning security (page 108).
- 2017: A security blog detailed how Microsoft’s Safe Links is bypassed via this attack (see Bypass Method #2).
- 2018: Crypton Security was hired to audit Microsoft’s email protection. Their testing confirmed that using this vulnerability “an attacker could simply block or redirect requests from the Microsoft ATP Safe Links service infrastructure. Microsoft makes the ATP Safe Link IP ranges available online. An attacker needs only to block those IP ranges…”.
- 2019: Rhino Security Labs documents that this attack is just as effective today.
Rhino Security Labs tested the current vulnerability of Microsoft’s service. The publicly known IP addresses for Microsoft’s scanners were sent to good sites; all other IP addresses were sent to phishing sites. On February 19, 2019, the researchers reported, “our success rates were high while detection remained low.”
As if the history of this attack wasn’t bad enough, it only continued to worsen. Today, a free, downloadable tool fully automates this attack on behalf of novice hackers. Now anyone can bypass your email security whenever they want.
Rhino Security Labs reports that this tool, called mkhtaccess_red, can effectively “bypass known sandbox and threat protection providers.” This tool regularly updates its list of IP addresses to bypass security services from Microsoft, Proofpoint, Forcepoint, FortiGate, McAfee, Zscaler, Mimecast, Barracuda, ScanSafe by Cisco, and more.
Incredibly, evading leading email security providers is now as easy as 1-2-3:
- Set up a phishing site.
- Download the tool.
- Tell the tool the good destination to use for sandboxes and link scanners.
That’s it. When sandboxes and link scanners visit the site, they will only experience the good destination. Everyone else will get the phishing site. With downloadable tools, any phishing site can install effective evasion literally in seconds.
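One defender-side check against this redirect-by-source-IP cloaking, added here as an example (it is not code from the original article, from Rhino Security Labs, or from the tool named above): fetch the same link once from an egress inside a published scanner IP range and once from an egress the attacker has no reason to list, then flag the link when the two fetches end on different hosts. The `Observation` type, the `assess_cloaking` function and the sample responses are constructed for this illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Observation:
    """One fetch of the suspect link, with redirects already followed."""
    vantage: str    # "scanner": egress inside a published scanner IP range;
                    # "control": an egress the attacker cannot have listed
    status: int     # final HTTP status
    final_url: str  # where the redirect chain ended
    body: str       # final response body

def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def assess_cloaking(observations):
    """Return (verdict, reasons) from scanner-vantage vs control-vantage fetches.
    A different final host or status class is the signature of the
    redirect-by-source-IP trick described above; a body-only difference is
    reported separately, since dynamic pages legitimately vary between fetches."""
    scanner = [o for o in observations if o.vantage == "scanner"]
    control = [o for o in observations if o.vantage == "control"]
    if not scanner or not control:
        return "insufficient", ["need one scanner and one control observation"]
    reasons = []
    for s in scanner:
        for c in control:
            if _host(s.final_url) != _host(c.final_url):
                reasons.append(f"final host differs: scanner saw {_host(s.final_url)}, "
                               f"control saw {_host(c.final_url)}")
            if s.status // 100 != c.status // 100:
                reasons.append(f"status class differs: scanner {s.status}, control {c.status}")
    if reasons:
        return "cloaking_suspected", reasons
    if any(s.body != c.body for s in scanner for c in control):
        return "content_differs", ["same destination, different body; review manually"]
    return "consistent", []

# Constructed sample observations (not real captures): the scanner egress is
# redirected to a benign page, everyone else lands on a credential form.
SAMPLE = [
    Observation("scanner", 200, "https://www.example.com/", "<h1>Example Domain</h1>"),
    Observation("control", 200, "https://account-verify.example.net/login",
                "<form action='/submit'>Sign in to continue</form>"),
]

if __name__ == "__main__":
    verdict, why = assess_cloaking(SAMPLE)
    print(verdict, *why, sep="\n  ")
```

The control fetch only works as a control if it comes from address space that is not on any published scanner list; otherwise both vantage points are served the decoy and the comparison shows nothing.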