Attackers defeat SEGs using… SEGs
Email security tools such as Secure Email Gateways (SEGs) often encode URLs that are embedded in emails. This enables the security appliance to scan the URL before the recipient visits the website.
But when a SEG detects a URL in an email that has already been SEG-encoded, it does not scan that URL again. A new report from Cofense reveals that threat actors are making use of this to avoid detection.
This has been going on for some time, but the second quarter of this year, and May in particular, saw an increase in threat actors having their malicious URLs SEG-encoded before sending them to victims.
The four tools most commonly seen in use by threat actors to encode URLs and bypass SEGs in Q2 2024 are: VIPRE Email Security, BitDefender LinkScan, Hornet Security Advanced Threat Protection URL Rewriting, and Barracuda Email Gateway Defense Link Protection. Email campaigns using these tools to bypass SEGs have been seen in environments protected by everything from Proofpoint to Microsoft ATP.
DocuSign and Microsoft are the spoofed brands most often seen in these phishing campaigns. Common themes include content requiring a signature and voicemail or withheld email notifications.
The report notes that, "Because of how these campaigns are constructed, namely the fact that threat actors are abusing legitimate functions of security appliances, SEGs of all types have difficulty catching them. The easiest way to prevent them would be to tune SEGs to be suspicious of all embedded URLs and to scan them regardless of the apparent domain name. That said, few SEGs provide that option. In fact, there are very few automated steps that can be taken to prevent these campaigns."
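The tuning the report describes, treating a link as suspicious even when its visible domain belongs to another vendor's URL rewriter, can be approximated as a post-delivery check. The following is an added illustration, not Cofense's tooling or any vendor's real rule set; every hostname and the query-parameter names it looks for are constructed placeholders or assumptions.

```python
# Added illustration, not Cofense's tooling or any vendor's real rule set: flag links
# that arrive already wrapped by another vendor's URL-rewriting service so they are
# scanned rather than trusted. Every hostname below is a constructed placeholder.
import email
import re
from email import policy
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

OWN_REWRITE_HOSTS = {"links.own-seg.example"}  # our own gateway's rewriter (placeholder)
THIRD_PARTY_REWRITE_HOSTS = {"linkscan.vendor-a.example", "urlprotect.vendor-b.example"}
TARGET_PARAMS = ("url", "u", "target")  # query keys some rewriters use for the destination (assumption)
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

def extract_urls(raw_message: bytes) -> List[str]:
    """Collect every http(s) URL from the message's text/plain and text/html parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    urls: List[str] = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls

def unwrap_target(wrapped: str) -> Optional[str]:
    """Best-effort recovery of the destination a rewriter carried in its query string."""
    qs = parse_qs(urlsplit(wrapped).query)
    for name in TARGET_PARAMS:
        if name in qs:
            return qs[name][0]
    return None

def flag_pre_encoded_links(raw_message: bytes) -> List[Dict[str, Optional[str]]]:
    """One finding per link wrapped by a rewriter other than our own gateway."""
    findings = []
    for url in extract_urls(raw_message):
        host = (urlsplit(url).hostname or "").lower()
        # Skipping these because the visible domain belongs to a security vendor is
        # exactly the behaviour the campaigns abuse; hand the inner target to the scanner.
        if host in THIRD_PARTY_REWRITE_HOSTS and host not in OWN_REWRITE_HOSTS:
            findings.append({"wrapped": url, "wrapper": host, "target": unwrap_target(url)})
    return findings

# Constructed sample: a DocuSign-themed lure whose link was pre-wrapped by vendor A.
SAMPLE = b"""From: "DocuSign" <notify@mailer.example>
Subject: Document ready for signature
Content-Type: text/plain

Please review: https://linkscan.vendor-a.example/scan?url=https%3A%2F%2Fphish.example%2Fdoc
"""
```

Each finding carries the recovered inner target so it can be submitted to the organisation's own URL scanner instead of being waved through.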
Cofense says employees need to be trained to pay attention to details such as sender addresses, since every email spotted by the research had a 'From' address that did not match the contents of the email.
You can see more detail of the attacks on the Cofense blog.
Image credit: suebsiri/depositphotos.com