Researchers have spotted a creative new Office 365 phishing campaign that inverts the images used as backgrounds for its landing pages, so that security solutions which crawl the web for phishing sites and scams do not flag the pages as malicious.
The bot-avoidance mechanism has been deployed on multiple phishing websites designed to steal Office 365 credentials.
The phishing kit that uses this trick stores the inverted background and automatically reverts it with Cascading Style Sheets (CSS), so that it looks just like the background of the legitimate Office 365 login page.
While phishing-detection web crawlers are served the inverted image, potential victims who are redirected to one of these phishing landing pages see the original background instead of the inverted one.
In short, the phishing kit shows different versions of the same phishing landing page to victims and to scanning engines.
“However, a victim visiting the website would likely recognize that the inverted picture is illegitimate and exit the website. As a result, the threat actor has stored the inverted image and, within the index.php code, has used a CSS method to revert the color of the image to its original state.” continues the analysis. “This approach results in the final website’s appearing legitimate to users who visit, while crawlers and scanning engines are highly unlikely to detect the image as being an inverted copy of the Office 365 background.”
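The two checks below are an added example written for this page, not code from the article or from any vendor's scanner. They show what a crawler can do against the trick described above: flag CSS that applies an `invert()` filter to the page, and hash a downloaded background image in both its served and its colour-inverted form so that a stored inverted copy of a known brand background still matches the reference hash. The HTML snippet, the pixel data and the `analyse_page` helper are all constructed for illustration and assume raw RGB pixel bytes with no alpha channel.

```python
"""Added example: defensive checks against CSS-inverted phishing backgrounds.

Assumptions (not from the article): images are handled as raw RGB byte
strings, and a reference set of SHA-256 hashes of legitimate brand
backgrounds is already available to the crawler.
"""
import hashlib
import re
from typing import Dict, List, Optional, Set

# Constructed sample of what an index.php-style landing page might emit:
# the inverted image is served as the background, and a CSS filter restores
# the original colours only when a browser renders it.
SAMPLE_HTML = """
<html><head><style>
  body { background: url("bg.png") no-repeat; }
  .bg  { filter: invert(100%); }
</style></head>
<body><div class="bg"></div>
<form action="post.php"><input name="login"><input name="passwd"></form>
</body></html>
"""

# Any filter declaration that contains invert(...); the analyst decides
# whether the amount (e.g. 100% or 1) is enough to fully restore an image.
INVERT_FILTER = re.compile(r"filter\s*:\s*[^;}]*\binvert\s*\([^)]*\)", re.I)


def css_inversion_hints(html: str) -> List[str]:
    """Return every CSS declaration in the page that applies an invert() filter."""
    return [m.group(0).strip() for m in INVERT_FILTER.finditer(html)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def invert_pixels(pixels: bytes) -> bytes:
    """Per-channel colour inversion: the operation CSS filter: invert(1) performs
    on RGB channels (alpha is left alone by the browser, so this assumes RGB only)."""
    return bytes(255 - b for b in pixels)


def matches_known_background(pixels: bytes, known_hashes: Set[str]) -> Optional[str]:
    """Return "direct" if the image matches a reference hash as served,
    "inverted" if only its colour-inverted form matches, else None."""
    if sha256_hex(pixels) in known_hashes:
        return "direct"
    if sha256_hex(invert_pixels(pixels)) in known_hashes:
        return "inverted"
    return None


def analyse_page(html: str, background: bytes, known_hashes: Set[str]) -> Dict[str, object]:
    """Combine both signals: a page that serves an inverted copy of a known brand
    background AND carries an invert() filter is the pattern described in the article."""
    hints = css_inversion_hints(html)
    match = matches_known_background(background, known_hashes)
    return {
        "css_invert_hints": hints,
        "background_match": match,
        "suspicious": match == "inverted" and bool(hints),
    }


# Constructed reference: a 64-pixel block of a single brand colour standing in
# for the legitimate login background; a real crawler would load hashes of the
# actual reference images.
LEGIT_BACKGROUND = bytes([0, 120, 215] * 64)
KNOWN_BACKGROUND_HASHES = {sha256_hex(LEGIT_BACKGROUND)}

if __name__ == "__main__":
    served = invert_pixels(LEGIT_BACKGROUND)  # what the crawler actually downloads
    print(analyse_page(SAMPLE_HTML, served, KNOWN_BACKGROUND_HASHES))
```

Exact hashing only catches byte-identical copies; a kit that recompresses the inverted image defeats it, so in practice the inverted-form comparison is better done with a perceptual hash. The CSS check stays useful either way, since the `invert()` declaration has to be present for the page to render correctly for victims.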