Avanan researchers have uncovered vulnerabilities in both Microsoft ATP and Proofpoint. In this vulnerability, links in the email body can pass scanners uninspected, as if there is no link at all; however, these links are active and interactive on most common email clients.
There are two methods behind this. This first method is gluing non-alphanumeric characters to the URL.
Instead of a URL like this: https://www.example.com
Hackers are sending a URL like this: 1)example.com
By doing this, they are “gluing” a non-alphanumeric character to the URL, which confuses scanners into thinking there is no URL at all. That means these links are not scanned. Any link, good or bad, goes straight into the inbox without any protection layer being activated.
Once the malicious link enters the inbox, the hackers then take advantage of what we speculate is a vulnerability in the LINKIFY tool, leading to these attacks.
In the last decade, most email clients have added a feature that makes plain text links clickable. For example, if typing “www.google.com” in a plain text message, the email client automatically converts it to a URL so the end-user can simply click on it. Otherwise, the end-user would have to highlight, copy and then paste into a browser. Behind the scenes, the email client is scanning all the text in an email, looking for anything that seems to be a URL.
Every email client, such as Gmail, Apple Mail or Outlook, has static rulesets that say, “this looks like a URL; we’ll turn it into a clickable link.”
Quickly, bad actors realized they could create a plain text email with no URLs, and the email clients would convert that plain text into a clickable link. Because the email had zero URLs, scanners would let them fly through.
This attack takes advantage of the LINKIFY tool. LINKIFY converts plain text into a clickable link. Not every email client does it the same way. Here’s an example (desktop Outlook):
You’ll see that the email client converted some text into links, but not all.
On mobile, however, the links are different:
The example of hackingsite.biz is instructive. You’ll see that on the desktop Outlook client, the link doesn’t appear. In mobile Outlook, however, it will. Depending on the client, the outcome is different.
In sum, it is just a bunch of plain text in a boring email with no URLs. (www.apple.com is not a true URL.) It’s sent through to the inbox with no suspicious warning and no safe-link wrap. The email client, however, has a slightly different rule set about what looks like a URL and converts it to a clickable link. In fact, the very same plain text may or may not convert to a link depending on which email client you are using, as every email client operates slightly differently.
The attacks described by Avanan today, first discovered in October 2021, are based upon finding a string of plain text that’s actually a combination of hidden and visible characters so that it does not look like a URL to filters, yet the same combination of characters will be considered as a link to popular email clients. These links are undetected and, as a result, not wrapped, meaning there’s no protection from the email scanner.
We speculate that there’s a vulnerability in the LINKIFY tool that’s leading to these attacks.
We’ve already seen this attack spread in the wild, and users are not protected. In this attack brief, Avanan will analyze the company’s most recent discovery of a new malformed link attack.
Attack
In this attack, hackers are using malformed links that seem hidden to the email scanners.
- Vector: Email
- Type: Malware
- Techniques: SLINKIFY, Malformed Links, non-alphanumeric characters
- Target: Microsoft ATP, Proofpoint Users
In this attack, hackers send harmless-looking links. Missing in the URL is the “https://”. Instead, there’s a non-alphanumeric character “glued” to the front of the link. (Glued means no space in between.) By doing this, hackers are taking advantage of how Microsoft and Proofpoint use the LINKIFY tool. The scanners never see the URLs, and thus never scan them.
Email Example #1
In this email, hackers present an email with two URLs. In this case, both links are malformed with the glued character and were not wrapped by URL protection.
This email showcases two links, both of which are non-standard and thus non-wrapped.
Email Example #2
Here, you’ll see how the links are treated by URL defenses. One is wrapped and protected:
The other, however, is not wrapped:
Techniques
In this email attack, hackers took advantage of a vulnerability in Proofpoint and Microsoft ATP. Microsoft and other scanners use a version of the LINKIFY tool, which takes a piece of text and regular expressions, and turns all the regex matches in the text into clickable links. In this email, Microsoft and Proofpoint’s version of LINKIFY does not see this link. Because it never saw a link, it can’t test it or wrap it. One way hackers can do this is by gluing a non-alphanumeric character to the link. In doing so, hackers can send credential harvesting attacks without being detected.
However, to the end-user, the links look no different. In this way, the end-user has no way of knowing if a link is malicious or not. That is because the attackers are relying on the email client to make the text clickable. Consider: Technically, www.thisisaphishingsite.com is not a URL. However, if you type thisisaphishingsite.com in a message, it often becomes clickable. Hackers have found a way to create a web address that looks like a URL to the email client, but looks different to Microsoft scanners. Users are not protected against this, except on the desktop Outlook client, where the links are not clickable. The links are clickable, however, on Mac (iOS) and mobile Outlook and mobile Gmail.
In general, emails without links tend to have better deliverability by these security tools. So, the links are not only injected into a plain text email, but the email itself has a higher chance of getting through to the inbox.
In short, the mail server and mail client are not in sync in terms of supported URL formats, causing the vulnerability.
Best Practices: Guidance and Recommendations
In order to guard against these attacks, security professionals can do the following:
- Add an advanced security layer to your email, to filter emails based on the more advanced algorithm than what the default security provides
- Add a Mail Security Orchestration Automation and Response platform (M-SOAR) to quickly eliminate such attacks in case they make it through
- Scan all links, including non-standard and malformed versions