Blox Tales #5: Credential Theft Using Symantec URL Rewriting
Each Blox Tale will take a look at a targeted email attack, outline why it made its way into an inbox, and highlight how Armorblox was able to detect the attack. In this blog, we’ll focus on an email that hid a zero-day phishing site behind multiple redirects, including one created using Symantec’s Click-time URL Protection tool for URL rewriting.
A few days ago, we saw a unique credential phishing email attempt to land in a customer inbox. The email was sent to an employee who focuses on real estate projects and included a link to a PDF that seemed to contain bid details for an upcoming building project. Clicking the link led victims through multiple redirects, including one created using Symantec’s Click Time Protection. The redirects culminated at a page that asked for login details. All pages were created to resemble legitimate OneDrive and Adobe pages in an attempt to pass the targets’ eye tests.
An anonymized transcript of the initial email is given below:
Fig: Redacted copy of the initial email that was targeted towards an employee working on real estate projects.
Why The Attack Got Through
This email got past existing Office 365 security controls because it didn’t follow the tenets of more traditional phishing attacks.
1. Leverages Symantec URL rewriting
The attackers leveraged Symantec’s Click-time URL Protection to rewrite the URL that hid the final phishing site. This created a total of five redirects in the URL chain, helping to obfuscate the final phishing site from existing security controls. The email footer also contained language highlighting that it had been scanned by the Symantec email security cloud service, lulling users into a false sense of security.
2. Zero-day link and lookalike webpages
The attacker created a new domain for the final phishing site, so it got past any EOP filters that were created to block known bad links. The link in the email led to multiple webpages that were painstakingly made to resemble legitimate Microsoft and Adobe pages. Screenshots of all lookalike pages are given below:
Fig: Lookalike page priming users to enter their Office 365 login details in the next page.
Fig: The final phishing site shows a blurred PDF in the background and asks users to enter their login credentials to access the document.
Both these pages would pass most eye tests during busy mornings, with people happily assuming them to be legitimate Microsoft or Adobe pages. A closer look at the domains reveals that these are lookalike pages. For instance, the master domain of the final page is ‘misconductwcowe[.]ru’, which is clearly not an Adobe-hosted URL.
The only other redirect in this link chain was hosted on ‘dracoon[.]team’. Dracoon is a legitimate German company focusing on enterprise file sharing, so this webpage also got past any filter that was set up to block known bad links.
3. Adobe/Microsoft misdirection
The attack interweaves multiple brand impersonations - Adobe and Microsoft - in its URL redirect chain. While the penultimate link primes users to enter their Office 365 credentials to access the document, the final page looks like an Adobe page. This misdirection fulfills two aims for the adversaries:
- This attack gets past any credential phishing detection that’s heavily based on computer vision techniques.
- Since targets can get confused and enter either Office 365 or Adobe Online credentials, both sets of data are open for harvesting.
4. Socially engineered
Unlike spray-and-pray email fraud attempts, this email was expressly created and sent to trigger the required response. The email contains details about a real estate bid and was sent to an employee who deals with real estate projects, immediately lending it relevance in the target’s inbox. The email body triggers a sense of urgency by mentioning an expiry date for the bid. The email also aims to induce a sense of authority and security by including lots of text on how the email contents are protected by OneDrive and Symantec. Finally, the email has a clear call to action by requesting the target to download the PDF, sending them down the path to compromise.
How Armorblox Detected The Attack
Armorblox was able to detect the email attack based on the following insights:
1. Language, intent, and tone
Armorblox language models have been trained on large volumes of data and further customized to suit every customer environment. These models analyzed the email body and detected that there was an unusual request made in the email (which is a common trait in business email compromise attacks). The models also detected a sense of urgency in the email body.
2. Low communication history
Armorblox detected that the sender email in question had a low communication history with the victim’s email account. While not a violation in itself, this insight is critical when compared with other unusual signals and can catch highly targeted attacks.
3. Low domain frequency
Armorblox ML models have three tiers - a global model, an organization-specific model, and a mailbox-specific model. While the mailbox-specific model was able to detect low communication history between the sender and the receiver, the organization-specific model detected that the attacker’s domain had not communicated with the target company as a whole.
4. Followed link redirections
Armorblox was able to follow the credential phishing link to its source and identify the unusual sequence of pages as well as the lookalike/disreputable domains.
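The two detection ideas above, following every hop of a redirect chain and spotting hosts that name a brand but live on a domain that brand does not own (the Adobe/Microsoft misdirection described earlier), as an added example that is not Armorblox’s code. The redirect chain, the hostnames and the brand allow-list are all constructed for the example; a real checker would fetch each Location header and use a public-suffix list instead of the two-label heuristic.

```python
import urllib.parse

# Constructed redirect chain for this example (not the real chain from the post):
# maps each URL to the Location header it returns; URLs not in the map are terminal.
CONSTRUCTED_HOPS = {
    "https://rewrite.scanner.test/u?url=https%3A%2F%2Fshare.vendor.test%2Fbid.pdf":
        "https://share.vendor.test/bid.pdf",
    "https://share.vendor.test/bid.pdf": "https://onedrive-docs.lookalike.test/open",
    "https://onedrive-docs.lookalike.test/open": "/login",  # relative Location header
    "https://onedrive-docs.lookalike.test/login": "https://adobe-view.final.test/pdf",
}
BRANDS = ("microsoft", "onedrive", "office", "adobe")
# Assumed allow-list of registered domains the impersonated brands actually use.
KNOWN_BRAND_DOMAINS = {"microsoft.com", "live.com", "adobe.com"}

def registered_domain(url):
    # Naive last-two-labels heuristic; production code should use a public-suffix list.
    host = urllib.parse.urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def follow_chain(start, fetch_location, max_hops=10):
    """Follow Location headers from start; stops at a terminal page, a loop, or max_hops."""
    chain, seen = [start], {start}
    while len(chain) <= max_hops:
        nxt = fetch_location(chain[-1])
        if nxt is None:
            break
        nxt = urllib.parse.urljoin(chain[-1], nxt)  # resolve relative redirects
        if nxt in seen:  # redirect loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain

def brand_lookalikes(chain):
    """Hosts (in order, deduplicated) that name a brand but sit on a domain it does not own."""
    hits = []
    for url in chain:
        host = urllib.parse.urlsplit(url).hostname or ""
        if any(b in host for b in BRANDS) and registered_domain(url) not in KNOWN_BRAND_DOMAINS:
            if host not in hits:
                hits.append(host)
    return hits

def assess(start, fetch_location=CONSTRUCTED_HOPS.get):
    """Summarize a link: hop count, final registered domain, lookalike hosts, brands mixed in."""
    chain = follow_chain(start, fetch_location)
    lookalikes = brand_lookalikes(chain)
    return {
        "hops": len(chain) - 1,
        "final_domain": registered_domain(chain[-1]),
        "lookalikes": lookalikes,
        "distinct_brands": sorted({b for h in lookalikes for b in BRANDS if b in h}),
    }
```

A chain that mixes more than one brand across untrusted registered domains is the misdirection signal; a high hop count ending on a freshly registered domain is the zero-day link signal, and neither depends on the final domain already being on a blocklist.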
Based on the insights above, along with many other detection signals, Armorblox flagged the email as a social engineering threat. The email was automatically quarantined based on predetermined remediation actions for the social engineering detection category.
Stay tuned for more Blox Tales! If you’re interested to learn about Armorblox, you can schedule a demo with one of our email security experts.