Office 365 Image Evades Text Analysis in Credential Phishing Attack
As email security platforms become increasingly adept at preventing attacks, threat actors find new ways to bypass them. One relatively new technique is to build the email as a single image file and wrap that image in a credential phishing link.
In this email, the attacker has created an Office 365 confirmation email that asks users to click a link in order to keep their current password. While this is not an uncommon approach, what sets it apart is that the entire email is simply an image that uses an anchor link to forward the recipient to an Office 365 credential phishing page. To add legitimacy, and to prevent automated solutions from analyzing the webpage, a CAPTCHA is added before the user can enter their login credentials.
Why It Bypassed Traditional Security
Presenting the email as only an image and adding a CAPTCHA prevents traditional email security solutions from inspecting the content of the email. In addition, the URL within the attachment is one that has not been previously detected by threat intelligence, allowing it to bypass traditional tools that rely on known bad indicators.
Detecting the Attack
A behavioral system is required to stop attacks that use never-before-seen URLs. By understanding the intent of the link, alongside other signals acquired through content analysis, a cloud email security platform understands when an email may be malicious.
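The structure described above (an HTML body that is nothing but an image wrapped in an anchor link) can itself serve as one content-analysis signal. The following is an added example, not the detection logic of any platform mentioned on this page; the function and class names, the 40-character text threshold, and the sample messages are all assumptions made for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

HIDDEN = ("style", "script", "title")  # content the reader never sees
class BodyShape(HTMLParser):
    """Counts visible text and records images nested inside <a href>."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.linked_images = [], []  # open <a> hrefs; (href, src)
        self.text_chars = self.hidden = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.hrefs.append(attrs.get("href") or "")
        elif tag == "img" and self.hrefs and self.hrefs[-1]:
            self.linked_images.append((self.hrefs[-1], attrs.get("src") or ""))
        elif tag in HIDDEN:
            self.hidden += 1

    def handle_endtag(self, tag):
        if tag == "a" and self.hrefs:
            self.hrefs.pop()
        elif tag in HIDDEN and self.hidden:
            self.hidden -= 1

    def handle_data(self, data):
        if not self.hidden:  # count only non-whitespace visible characters
            self.text_chars += len("".join(data.split()))

def image_only_link(raw_email, max_text_chars=40):
    """Return the wrapping href when the HTML body is a linked image with
    almost no visible text, else None. The threshold is an assumed value."""
    part = message_from_string(raw_email, policy=default).get_body(("html",))
    if part is None:
        return None
    shape = BodyShape()
    shape.feed(part.get_content())
    hit = shape.linked_images and shape.text_chars <= max_text_chars
    return shape.linked_images[0][0] if hit else None

# Constructed sample messages (not taken from the campaign described here).
HEAD = "From: a@example.com\nSubject: Password notice\nMIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
IMAGE_ONLY = HEAD + '<html><body><a href="https://login.example.test/keep"><img src="cid:notice.png"></a></body></html>'
NORMAL = HEAD + ('<html><body><p>Hi team, the quarterly report is attached. Please review '
                 'it before Friday.</p><a href="https://example.com"><img src="logo.png"></a></body></html>')
if __name__ == "__main__":
    print(image_only_link(IMAGE_ONLY), image_only_link(NORMAL))
```

A match is a reason to score the message higher and examine the returned link, not a verdict on its own, since legitimate marketing mail is sometimes image-only as well.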
Risk to Organization
This email relies on brand recognition and urgency to trick users into clicking the link—even if just to see what the document contains. Once an employee enters their Outlook credentials, attackers have full access to the email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors.