Phishers have a toy chest of tricks when it comes to building email campaigns. Oftentimes, what you read in the email body is represented by deceptive coding techniques that are imperceptible to the human eye. For example, what you read as the letter "a" in apple can be written as A. Your mail reader automatically converts this code to the letter "a". Not all antiphish solutions can account for these tricks. One of these tricks is known as Quoted-Printable.
Quoted-printable is an encoding system typically used in email. Essentially, it allows non-ASCII characters to be represented as ASCII for email transportation.
It means that 8-bit text, like foreign characters, can be turned into 7-bit text, making it readable by humans. This is similar to the base64 encoding method.
Like hackers have done with base64 in the baseStriker attack, they are now using Quoted-Printable in the source code to bypass scanners and send credential harvesting notifications.
Starting in February 2022, Avanan researchers have found that hackers are encoding links with Quoted-Printable to bypass scanners and fool it into thinking the link is legitimate. In this attack brief, Avanan will analyze how threat actors are using Quoted-Printable to get credential harvesting attacks into the inbox.
Attack
In this attack, hackers are using Quoted-Printable encoding to wrap links and hide the malicious content.
To the email scanners, the “equal” sign at the end of the string hides the full URL, meaning scanners can’t test the entire link. Because of that, they can’t see that the URL is malicious.
When the user clicks on the link, which appears normal to the end-user, they are directed to a credential harvesting page.
- Vector: Email
- Type: Credential Harvesting
- Techniques: Quoted-Printable Encoding
- Target: Any end-user
In this attack, threat actors are encoding links using Quoted-Printable encoding.
Email Example #1
The email appears to the end-user as a notification to reset the password. There are some inconsistencies, particularly with the date of the email (Feb. 27) and the date in the email body (March 1).
Email Example #2
In the source code, here’s how they use Quoted-Printable:
<a href=3D" http://xx.xx.xx.org.za/microupdate?=3Dvic.tim@xx.com" style=3D"c=
The phrase "=3D" is an obscure method of writing the equals sign in the Quoted-Printable system. Really, what the phisher's goal is is to make sure their payload (i.e., the malicious URL) doesn't get detected by your antiphishing solution. They know your mail reader can understand Quoted-Printable, but they are hoping your cybersecurity solution doesn't.
Techniques
In this attack, hackers are using Quoted-Printable as a way to obfuscate their links, hiding the malicious nature so that it ends up in the inbox.
Obfuscation attacks are all over. They run the gamut. We’ve seen hackers use a meta refresh to redirect the end-user; get past Microsoft SafeLinks with ZeroFont and unescape commands; utilize the redirection BDO tag as well as the display none tag; among others. There are a nearly limitless amount of ways to represent characters in HTML, from entity names to hex and dec expressions. Phishers can intermix any number of systems as a way toward obfuscation.
The idea is to blind anti-phishing scanners so that they can’t see the danger. This allows the end-goal, in this case, credential harvesting sites, to more easily make the inbox. And since users can’t see the obfuscation, they are more likely to click.
The =3D is an antiquated way of expressing an equal sign in HTML encoding. In general, there are plenty of Quoted-Printable flags. This can be used to show, for example, accented characters in foreign-language emails, making this a particularly powerful way for hackers to bypass scanners in multiple languages.
What ends up happening is that hackers find vulnerabilities that obfuscation can take advantage of; security systems, like Microsoft or Google, will patch it. And then the hackers will find another. On and on it goes.
Caught in the middle are end-users, who will receive these emails and are none the wiser to the trickery going on behind the scenes.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Detecting obfuscation attacks can be very difficult, so it’s important to implement a multi-tiered security solution, combining advanced AI and ML, as well as static layers like domain and sender reputation
- Implement a security architecture that relies on more than one factor to block email
- To the end-user, this email looks like a standard request from their IT department. The email is designed to fool both Natural Language Processing and human eyes. For a user to spot this attack, they should rely on their phishing training. They’ll notice the mismatched dates between the subject line and the body, as well as a sender address that doesn’t match.
