On Feb 24 the odix team noticed a new phishing campaign which contained an HTML attachment spoofing a Microsoft login page.

Nothing out of the ordinary, Microsoft is the most phished platform…but when investigating the URL behind the phishing page, the url sends the users credentials to a safe links enabled document, this honestly surprised our team.

Initially, we thought that Microsoft has enabled Safe links in HTML documents, but a closer look revealed this isn’t the case.

What did we find?

Safe Links is a feature in Defender for Office 365 that provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.

Safe Links protection for links in email messages is controlled by Safe Links policies. There is no default Safe Links policy, so to get the protection of Safe Links in email messages, you need to create one or more Safe Links policies.

Microsoft Safelinks replaces URLs in the message to the general form:

https://nam01[.]safelinks[.]protection[.]outlook[.]com

One of the Microsoft endpoints used by Safelinks uses the following URL:

https://eur02[.]safelinks[.]protection[.]outlook[.]com

The HTML form that was sent by the attackers, posted the credentials entered by the user to a similar URL containing the user domain name:

http://euro2[.]safelinks[.]protection[.][.]mkanet[.]com[.]br

This URL was most likely crafted to bypass web filtering rules.

As a result, organizations using Safelinks will need to configure their web filters to allow traffic to the safelinks URL for users to be able to use the service. By using a similar URL the attackers are able to take advantage of the allow policy in the web filter meant for safelinks.

We haven’t been able to understand why the phishing URL uses euro2 subdomain (with “o”) while Microsoft uses eur2 as a subdomain (without “o”)

Sent data is eventually forwarded to:

https://interfones[.]mx/sow/wp-includes/js/protectionssouttllookmailauth

This new malware was blocked by FileWall

FileWall™ by odix offers an effective plugin based on its patented algorithm for eliminating malware hidden in files. Instead of trying to detect a known malware and block the file for the user, the FileWall™ service disarms malware and provides a sanitized file for safe usage. FileWall™ provides an effective malware prevention solution against both known and unknown malware attacks and handles all incoming email traffic including internal emails.

The FileWall™ advanced attachment security add-on for Microsoft 365 mail includes:

  • Seamless deployment- one-click service activation
  • Advanced email attachments handling for both internal and external senders.
  • FileWall™ doesn’t harm/change any of Microsoft sender related security capabilities
  • Deep file analysis capabilities (archive, password-protected, etc).

While writing this post we encountered additional email campaigns mimicking the safelinks URL:

http[:]//auh4euro2[.]safelinkzz[.]protection[.]globalchannelnetwork

To learn more about how to protect your email from malware contact the odix team at info@odi-x.com