Key Points
- Threat actors are using HTML tag obfuscation to evade email security detection
- CSS styling techniques hide malicious content from security solutions while the message still appears legitimate to end users
- Brand impersonation campaigns leverage obfuscated Microsoft copyright text
Campaign Overview
The Mimecast Threat Research team has identified a sophisticated HTML obfuscation technique employed by threat actors to evade email security detection systems. This method leverages the legitimate HTML <bdo> (Bi-Directional Override) and <cite> tags in combination with CSS styling to hide malicious content within seemingly legitimate email communications. This obfuscation technique represents an evolution in email-based evasion methods, demonstrating threat actors' continued adaptation to security controls. By exploiting the legitimate functionality of HTML tags designed for text formatting and citation purposes, attackers can embed hidden content that bypasses traditional content-based detection while maintaining the visual appearance of legitimate communications.
Technical Analysis
BDO Tag Exploitation
The <bdo> tag is traditionally designed to control text direction in HTML documents, specifically handling right-to-left (RTL) and left-to-right (LTR) text formatting through the dir attribute. However, threat actors are exploiting this tag without proper directional values, instead using it as a container for obfuscated content.
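A detection-side illustration of the two signals described above, written as an added example (it is not Mimecast's code or tooling): a small HTML walker that flags `<bdo>` elements lacking a valid `dir` value and `<bdo>`/`<cite>` elements whose inline CSS would make them invisible to the reader. The sample email and the list of hiding CSS properties are constructed assumptions for the demo.

```python
import re
from html.parser import HTMLParser

# Inline CSS that renders an element invisible to the recipient (assumed list
# for this example; extend with what your own telemetry shows).
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])"
    r"|opacity\s*:\s*0(?![.\d])|color\s*:\s*transparent",
    re.IGNORECASE,
)


class BdoCiteAuditor(HTMLParser):
    """Collect (line, reason) findings for suspicious <bdo> and <cite> tags."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("bdo", "cite"):
            return
        attrs = {k: (v or "") for k, v in attrs}
        line, _ = self.getpos()
        # <bdo> is only meaningful with dir="ltr" or dir="rtl"; anything else
        # suggests the tag is being used purely as a container.
        if tag == "bdo" and attrs.get("dir", "").lower() not in ("ltr", "rtl"):
            self.findings.append((line, "bdo without valid dir attribute"))
        style = attrs.get("style", "")
        if HIDING_CSS.search(style):
            self.findings.append((line, f"{tag} hidden via inline CSS: {style.strip()}"))


def audit_html(html):
    """Return a list of (line_number, reason) findings for one HTML body."""
    auditor = BdoCiteAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def is_suspicious(html):
    return bool(audit_html(html))


# Constructed sample: one legitimate RTL <bdo>, one hidden <bdo>, one hidden <cite>.
SAMPLE_EMAIL = """<html><body>
<p>Your document is ready. <bdo dir="rtl">ABC</bdo></p>
<bdo style="display:none">hidden text</bdo>
<p>Thanks, <cite style="font-size:0;color:transparent">hidden</cite> Team</p>
</body></html>"""

if __name__ == "__main__":
    for line, reason in audit_html(SAMPLE_EMAIL):
        print(f"line {line}: {reason}")
```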
Dimakatso Makinta