O365 Phishing with Image inversion

Researchers have spotted a new, creative Office 365 phishing campaign that inverts the images used as backgrounds for its landing pages in order to avoid being flagged as malicious by security solutions that scan the web for phishing sites and scams.

The bot avoidance mechanism has been deployed on multiple phishing websites designed to steal Office 365 credentials. 

[Screenshots of the phishing landing pages: phishing Office 365 1.png, phishing Office 365 2.png]

The phishing kit that uses this trick stores the inverted image and reverts it with Cascading Style Sheets (CSS) when the page is rendered, so that the background looks just like the background of the legitimate Office 365 login page.

Phishing-detection web crawlers, which fetch and fingerprint the image file as served, see the inverted picture, whereas a potential victim who lands on one of these phishing pages sees the original background, because the browser applies the CSS filter before displaying it.

In short, the kit shows two different versions of the same phishing landing page, the raw inverted asset to scanning engines and the restored original to victims, without having to serve different files to the two audiences.

“However, a victim visiting the website would likely recognize that the inverted picture is illegitimate and exit the website. As a result, the threat actor has stored the inverted image and, within the index.php code, has used a CSS method to revert the color of the image to its original state.” continues the analysis. “This approach results in the final website’s appearing legitimate to users who visit, while crawlers and scanning engines are highly unlikely to detect the image as being an inverted copy of the Office 365 background.”
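To make the two views concrete, the following is an added example, not code from the page, the phishing kit, or the researchers quoted above. It covers both the rendering trick described above and the check a scanner needs in order not to be fooled by it. It assumes the "CSS method" is `filter: invert()`, which the analysis does not name, and it stands in for a scanner that fingerprints brand images with an average hash; the HTML snippet and the 8x8 grayscale bitmap are constructed for the example.

```python
import re

# Constructed stand-in for what the kit's index.php sends to the browser. The
# page only says "a CSS method"; filter: invert() is this example's assumption.
KIT_HTML = """<!doctype html>
<html><head><style>
  .bg { background: url('bg_inverted.png') no-repeat; filter: invert(100%); }
</style></head>
<body><div class="bg"><form action="post.php">...</form></div></body></html>
"""

# Constructed 8x8 grayscale bitmap (0-255) standing in for the genuine brand
# background that a scanner keeps a fingerprint of.
LEGIT_BG = [
    [250, 250, 250, 250, 250, 250, 250, 250],
    [250,  30,  30, 250, 250,  30,  30, 250],
    [250,  30,  30, 250, 250,  30,  30, 250],
    [250, 250, 250, 250, 250, 250, 250, 250],
    [250, 250,  30,  30,  30,  30, 250, 250],
    [250, 250,  30,  30,  30,  30, 250, 250],
    [250, 250, 250, 250, 250, 250, 250, 250],
    [250, 250, 250, 250, 250, 250, 250, 250],
]


def invert(img):
    """Per-pixel brightness inversion, which is what filter: invert(100%) does."""
    return [[255 - p for p in row] for row in img]


def ahash(img):
    """Average hash: one bit per pixel, set when the pixel is at least the mean.
    Inverting the image flips every bit (for pixels not exactly at the mean),
    so the inverted copy lands as far from the genuine fingerprint as possible."""
    pixels = [p for row in img for p in row]
    mean = sum(pixels) / len(pixels)
    return tuple(int(p >= mean) for p in pixels)


def hamming(a, b):
    """Number of differing bits between two fingerprints."""
    return sum(x != y for x, y in zip(a, b))


# Deliberately simple: a real scanner should render the page (headless
# browser) rather than grep the stylesheet for one property.
_INVERT_RE = re.compile(r"filter\s*:\s*invert\(\s*([0-9.]+)(%?)\s*\)", re.I)


def css_inverts(html):
    """True if the served CSS applies an invert() of at least 50 %."""
    m = _INVERT_RE.search(html)
    if not m:
        return False
    amount = float(m.group(1))
    if m.group(2) == "%":
        amount /= 100
    return amount >= 0.5


def scan(html, raw_image, known_hash, threshold=6):
    """Return (raw_hit, rendered_hit).

    raw_hit: the verdict of a crawler that fingerprints the image file as served.
    rendered_hit: the same fingerprint taken after applying the CSS the browser
    would apply, i.e. on what the victim actually sees.
    """
    raw = ahash(raw_image)
    shown = ahash(invert(raw_image)) if css_inverts(html) else raw
    return (hamming(raw, known_hash) <= threshold,
            hamming(shown, known_hash) <= threshold)


if __name__ == "__main__":
    known = ahash(LEGIT_BG)
    stored = invert(LEGIT_BG)            # what the kit keeps on disk
    print(scan(KIT_HTML, stored, known))  # raw fingerprint misses, rendered one hits
```

Run as a script it reports `(False, True)`: the asset on disk is 64 bits away from the brand fingerprint, so a crawler that hashes fetched files misses it, while the fingerprint of the re-inverted image matches exactly. Two practical takeaways follow. First, fingerprint what the browser displays, not what the server sends, which in practice means rendering the page and hashing a screenshot rather than parsing CSS as this toy does. Second, because inversion is the bitwise complement of an average hash, comparing each fetched asset against the complement of known brand hashes as well is a cheap extra check that catches this specific trick even without rendering.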
