A sophisticated new scam is fooling even security-aware users. Attackers are committing account-based credential theft using advanced phishing techniques. These obfuscation-driven techniques leverage HTML smuggling, link wrapping, and multi-tiered redirects to push users to phishing pages that harvest personal data.

The New Face of Phishing

Like most phishing scams, the chain of events begins with an email. It could be a fake invoice, a renewal notice, or a message that appears to come from a trusted tool, like Microsoft Teams. Clicking a link in the email kicks off a chain of diversionary moves designed to evade detection both by savvy users and by security software.

After clicking, the user is eventually directed to a highly convincing credential harvesting page, frequently a replica of the Microsoft 365 login page. These pages are sometimes even gated by CAPTCHAs to heighten the feeling of legitimacy and lower the user's guard.

In one scenario, the phish initially masquerades as a link to a voicemail message. When users click on the link, they are directed to a bogus Microsoft 365 page that captures their entered login credentials.

Other iterations of this attack method present as documents posted in Teams or messages sent to notify users of unread messages in Teams. The links to the document or to “Reply in Teams” are actually redirects to more phishing pages.

HTML Smuggling

As fake emails become more realistic, users are more and more likely to click. The next hurdle for attackers is duping email security software. Enter HTML smuggling.

This technique uses blob URLs and JavaScript to assemble the malicious file inside the browser after the page is opened. Because the file is created in the browser rather than attached to or downloaded by the email, it is easier to circumvent traditional defenses like gateway scanners and endpoint protections.

HTML smuggling is effective because the payloads never transit external storage. Because they’re generated locally, they’re less visible and harder to trace.
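A defender-side heuristic that flags the browser APIs this technique depends on, as an added example that is not part of the original post; the indicator list, weights, threshold and both sample documents are constructed for illustration, not vendor signatures.

```python
# Heuristic scan of an HTML email attachment for HTML smuggling indicators.
# Indicators, weights and THRESHOLD are assumptions for this example.
import re
from dataclasses import dataclass

# (name, pattern, weight): browser APIs and patterns used to assemble a file
# client-side so that no file ever transits the mail gateway.
INDICATORS = [
    ("blob_object_url", re.compile(r"URL\.createObjectURL\s*\("), 3),
    ("ms_save_blob", re.compile(r"msSaveOrOpenBlob"), 3),
    ("blob_constructor", re.compile(r"new\s+Blob\s*\("), 2),
    ("base64_decode", re.compile(r"\batob\s*\("), 2),
    ("forced_download", re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"), 2),
    ("inline_base64_blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 2),
    ("synthetic_click", re.compile(r"\.click\s*\(\s*\)"), 1),
    ("char_code_build", re.compile(r"String\.fromCharCode"), 1),
]
THRESHOLD = 5  # assumption: tune against your own benign mail corpus


@dataclass
class ScanResult:
    score: int
    hits: list[str]

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def scan_html(html: str) -> ScanResult:
    """Return matched indicator names and their summed weight (each counted once)."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return ScanResult(score, hits)


# Constructed samples. The second contains only the API tokens the scanner
# looks for, with a filler string standing in for an encoded payload.
BENIGN_NEWSLETTER = (
    "<html><body><h1>Monthly update</h1>"
    '<a href="https://example.com/report">Read the report</a></body></html>'
)
SMUGGLING_SKELETON = (
    "<html><body><p>Your voicemail is ready.</p><script>"
    'var d = atob("' + "A" * 240 + '");'  # filler, not a real payload
    "var b = new Blob([d], {type: 'application/octet-stream'});"
    "link.href = URL.createObjectURL(b); link.download = 'voicemail.html';"
    "</script></body></html>"
)
```

Run `scan_html` over extracted HTML attachments at the gateway and quarantine anything whose `suspicious` flag is set for analyst review.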

Link Wrapping Abuse

Security vendors like Proofpoint wrap links for security scanning. Typically, link wrapping protects users by routing clicked URLs through a scanning service that blocks known malicious destinations.

To abuse link wrapping, attackers must first gain unauthorized access to email accounts connected to the feature. Then any email sent from that account can contain a malicious URL that is disguised by a wrapped link.

Recipients trust the wrapped link (because it’s been through security scanning) and assume it’s safe. But clicking through lands them, once again, on a carefully crafted phishing page.

Proofpoint has acknowledged the abuse and is rolling out countermeasures, but attackers are adapting quickly. Integrating behavioral artificial intelligence detection to discard such URLs could be the key to getting ahead of bad actors.

Multi-Tiered Redirects

Similar to link wrapping abuse, some threat actors are using multi-tiered redirects to hide their malicious URLs. They first shorten the URL with a service like Bitly. Then they send that shortened link from a compromised Proofpoint-protected account, whose link wrapping obscures it one layer further.

With multiple redirects stacked, users can’t verify authenticity simply by hovering over URLs. Even after being conscientious and reviewing the link, they are likely to stumble onto a phishing page.

Why These Tactics Work

These advanced phishing attacks are exploiting trust in legitimate services like Proofpoint and Microsoft. By using familiar interaction cues like CAPTCHA, “Reply in Teams,” and voicemail links, they immediately seem trustworthy.

The obfuscation element bypasses common user training. Hovering over links and checking for spelling errors doesn’t matter when links are shortened, wrapped, or made to appear completely normal.

How to Mitigate

As exhausting as these new forms of attack can be, there are ways to reduce the risks to your organization.

  • Block multi-tiered phishing chains by enforcing strict rules about where links clicked in applications can redirect.
  • Patch and update software regularly to reduce vulnerabilities exploited by smuggled payloads.
  • Adopt advanced email security with machine learning to detect wrapped link abuse.
  • Train employees to question even “trusted” cues like CAPTCHA and wrapped links.

The Arms Race Continues

Attackers adapt as defenders improve. Organizations must continually spread awareness and upgrade defenses as account-based credential theft goes mainstream.

Credential theft is no longer just about spotting typos or fake senders. Today’s phishing is highly professional, multi-layered, and designed to trick even the vigilant.

If you need help mitigating the risks of advanced phishing attacks, reach out to Asylas at 615-622-4591 or email info@asylas.com. Or complete our contact form.