Researchers at WMC Global have spotted a new creative Office 365 phishing campaign that has been inverting images used as backgrounds for landing pages to avoid getting flagged as malicious by security solutions that scans the web for phishing sites.
The bot avoidance mechanism has been deployed on multiple phishing websites designed to steal Office 365 credentials.
WMC Global researchers observed this technique was implemented in a phishing kit developed by a threat actor that is selling it to multiple users.
“Because image recognition software is improving and becoming more accurate, this new technique aims to deceive scanning engines by inverting the colors of the image, causing the image hash to differ from the original. This technique can hinder the software’s ability to flag this image altogether.” reads the analysis published by WMC Global.
The phishing kit that use this trick automatically reverts the backgrounds using Cascading Style Sheets (CSS) to make them look just like the backgrounds of legitimate Office 365 login pages.
While phishing detection web crawlers are served the inverted image, the potential victims are redirected to one of these phishing landing pages that will see the original background instead of the inverted one.
Summarizing, the phishing kit displays different versions of the same phishing landing page to victims and scanning engines.
“However, a victim visiting the website would likely recognize that the inverted picture is illegitimate and exit the website. As a result, the threat actor has stored the inverted image and, within the index.php code, has used a CSS method to revert the color of the image to its original state.” continues the analysis. “This approach results in the final website’s appearing legitimate to users who visit, while crawlers and scanning engines are highly unlikely to detect the image as being an inverted copy of the Office 365 background.”
Recently experts observed other phishing campaigns aimed at Office 365 users that were using innovative techniques, such as leveraging public cloud services Google Cloud Services to host the phishing landing pages.
(SecurityAffairs – hacking, Office 365)