Trellix Email Security has revealed a sophisticated evasion tactic employed by attackers, leveraging the foundational security mechanism of caching. In this novel approach, attackers initiate their assault with seemingly harmless URLs embedded in emails, often disguised as familiar links like OneDrive documents. During security analysis, these URLs lead to well-established websites like Google or Microsoft, earning a cached “safe” verdict from security engines. However, in the final phase, the attackers modify the link within the URL to redirect it to a malicious payload, taking advantage of the cached “safe” status to bypass subsequent security scrutiny and reach the recipient’s inbox.
This innovative attack strategy demonstrates the adaptability of cybercriminals, utilizing various tools in their arsenal, including geofencing to evade detection in specific regions, captcha bypass to circumvent automated defenses, IP evasion to shield against blacklisting, and QR code phishing for obscurity in traditional email security filters. The attackers exploit the trust associated with widely recognized domains to deceive security systems and manipulate the caching mechanism’s reliance on previously analyzed URLs.
Caching, a process of temporarily storing analysis results for URLs, is a critical component of security systems for optimizing performance. However, this tactic exposes a vulnerability in the caching mechanism, allowing attackers to manipulate the trust established during the analysis of seemingly benign links. Trellix Email Security’s discovery highlights the need for cybersecurity professionals to understand and address the intricate manipulation of caching mechanisms to enhance mitigation strategies and stay ahead in the ongoing battle against evolving cyber threats.
