[BreachExchange] Phishers’ new trick for bypassing email URL filters

Destry Winant destry at riskbasedsecurity.com
Fri Feb 22 02:44:41 EST 2019


https://www.helpnetsecurity.com/2019/02/20/phishers-new-trick-for-bypassing-email-url-filters/

The trick has been spotted being used in an email spam campaign aimed
at leading victims to a credential harvesting login page.

Why does this approach work?

“Office documents (.docx, .xlsx, .pptx) are made up of a number of XML
files that include all the font, image, formatting, and object
information which make up the document,” Avanan researchers explain.

The xml.rels file maps relationships within these files and with
resources outside of them. When the document includes web links,
they are added to this file.

When scanning attachments for malicious content, most email filters
scan the document for external web links and compare them to a
database of malicious sites or follow the links and evaluate their
target themselves. But, unfortunately, some skip that step and check
only the contents of the associated relationship file.

“If, for some reason, the document contains URL links that are not
included in the xml.rels file, these parsers will not see them, even
though they are still active and clickable within the document,” the
researchers explained.
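The gap described above can be checked for directly. The following Python scanner is an added example, not code from the article or from Avanan: it unpacks an OOXML package, collects the external targets declared in its .rels parts, then scans every other part for URLs and reports those that a .rels-only filter would never see. The sample package and its placeholder domains are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def urls_in_part(body: bytes) -> set:
    """URLs in one package part. XML parts: element text and attribute
    values (xmlns declarations are not attributes, so schema URIs are
    skipped). Non-XML parts (embedded blobs): raw text scan."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return set(URL_RE.findall(body.decode("utf-8", "ignore")))
    found = set()
    for el in root.iter():
        for chunk in [el.text or "", el.tail or "", *el.attrib.values()]:
            found.update(URL_RE.findall(chunk))
    return found

def scan_ooxml(data: bytes) -> dict:
    """Split the external targets declared in .rels parts from URLs found
    anywhere else in the package; a .rels-only filter misses the latter."""
    declared, elsewhere = set(), set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            body = zf.read(name)
            if name.endswith(".rels"):
                for rel in ET.fromstring(body).iter(REL_NS + "Relationship"):
                    if rel.get("TargetMode") == "External":
                        declared.add(rel.get("Target"))
            else:
                elsewhere |= urls_in_part(body)
    return {"declared": declared, "undeclared": elsewhere - declared}

def build_sample_docx() -> bytes:
    """Constructed minimal package (placeholder domains): one URL declared
    as an external relationship, one present only in the document text."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"'
            ' Target="https://declared.example/login" TargetMode="External"/></Relationships>')
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           '<w:body><w:p><w:r><w:t>https://undeclared.example/login</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()
```

Any non-empty `undeclared` set is a signal that the attachment deserves a full scan rather than a relationship-file lookup.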

Who may be affected?

Users whose email inboxes are protected by Microsoft Exchange Online
Protection (EOP), ProofPoint and F-Secure are vulnerable to this
so-called NoRelationship attack, while those shielded by Microsoft
Advanced Threat Protection (ATP), Mimecast and Avanan are not.

“It seems there are no shortcuts to be had in email scanning,” the
researchers noted. “The only solution is to scan the entire file.”
