NoRelationship MS Office Phishing Attack Bypasses URL Filters

New York based Avanan identified a new phishing outbreak, The NoRelationship Attack, that bypasses Office 365 email attachment security, which scan Office documents like Word (.docx), Excel (.xlsx), and PowerPoint (.pptx).

Avanan, which delivers a cloud security platform, described how the phishing attack bypasses Exchange Online Protection URL filters. The attack emails include a .docx attachment containing a malicious link that leads to a credential harvesting login page. Link parsers not scanning the full document, but instead depending on a relationship file for the list of links included in the attachment, fail to identify the malicious URL.

“Like the index of a book, the relationship file lists the essential of the parts of the document — external links and images, or internal document components, like font tables,” Yoav Nathaniel, cloud security expert at Avanan, wrote in a blog. He added, “Sometimes, key terms might not be included in the index, but they are still in the book. In this attack, hackers deleted the external links from the relationship file to bypass link parsers that only read the index rather than the book.’”

Nathaniel explained Office open XML files are the default format for all Office applications. Office documents consist of several XML files that include all the font, image, formatting, and object information making up the document.

When scanning attachments for harmful content, most email filters examine the document for external web links and compare them to a malicious sites database or trail the links and evaluate their target.

“Many parsers, however, take a shortcut and only look at the document.xmls.rels file, which typically contains a list of al the URLs that are within the full document,” Nathaniel noted. “If, for some reason, the document contains URL links that are not included in the xmls.rels file, these parsers will not see them, even though they are still active and clickable within the document. The hackers are deleting the URLs from the relationship files so that the parsers do not see them.”

Avanan detected the NoRelationship Attack right before Valentine’s day. The firm concluded none of the hyperlinks should have gone undetected, because the URLs are known to be malicious. “By removing the malicious links from the document.xml.rels relationship file, hackers confused link parsers that only scan the relationship file for external links. It seems there are no shortcuts to be had in email scanning. The only solution is to scan the entire file,” Nathaniel suggested.

In a separate alert, the San Diego, Calif.-based Identity Theft Resource Center warned of a new type of identity robbery called formjacking. “Basically, it’s code on a website that steals important information from consumers. The purchase you made is valid and goes through as normal, which makes this identity crime all the more stealth.”

The ITRC said formjacking can be difficult to detect and it affects over 4,000 websites every month. “With the prevalence of purchasing online, shoppers need to beware of this practice! It’s easy to become a victim because the purchase seems legit and everything proceeds normally.” That is because small and medium-sized businesses are still the biggest targets of formjacking and need to confirm they are taking the necessary precautions and security practices to thwart theft efforts.

The ITRC also suggested “Check your bank statements regularly for any unauthorized use especially if you recently purchased from a compromised website like British Airways and Ticketmaster.” In addition, businesses operating a website where consumers enter personal information, need to assure they are taking all of the necessary steps to protect them.