NoRelationship phishing attack dances around Microsoft Office 365 email filters

Updated: Small changes to relationship files manage to foil scans for malicious links.
Written by Charlie Osborne, Contributing Writer

Researchers have described a new phishing attack that is able to bypass Microsoft's malicious file filters.

On Tuesday, cybersecurity firm Avanan said the attack, dubbed NoRelationship, uses a link parsing weakness in email scanning products to hide malicious links.

First detected just before Valentine's Day, NoRelationship is able to circumvent Microsoft's Exchange Online Protection (EOP) URL filters, which scan Office documents including .docx, .xlsx, and .pptx to warn users when malicious content is detected.

The NoRelationship phishing attack includes a .docx attachment containing a malicious link which leads to credential harvesting login pages.

Malicious attachments of this kind are a very common technique among scammers. To circumvent security protections that are often effective against them, the attackers behind the scheme deleted external links from a relationship file -- xml.rels -- which is a genuine file that lists links included in an attachment.

Link parsers used in scanning software do not always scan full documents to ascertain their risk levels. Instead, they often rely on xml.rels files to list external links found in a document which can then be checked against known malicious links contained in threat databases.

Deleting the external link entries caused Microsoft EOP to fail to detect the phishing attempt.

According to Avanan, the bypass technique is not only effective against Microsoft's default Office 365 security. Proofpoint and F-Secure scanners also failed to find the malicious links used in NoRelationship.

However, Microsoft Advanced Threat Protection (ATP) and Mimecast's link parsers are both able to detect the malicious files used in this attack.

"Like the index of a book, the relationship file lists the essential of the parts of the document -- external links and images, or internal document components, like font tables," the researchers say. "Sometimes, key terms might not be included in the index, but they are still in the book. In this attack, hackers deleted the external links from the relationship file to bypass link parsers that only read the index rather than the 'book.'"

The team says there is likely no means to resolve this issue beyond making sure email scanners tackle full documents, rather than just relationship files.
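As an added illustration (not code from Avanan or any vendor named here), the sketch below shows the kind of full-document check the researchers recommend: it collects the external targets listed in a package's relationship files, scans every other part for URLs, and reports any URL the relationship files do not list. The part names follow the standard Office Open XML layout, and the sample document, its `example.test` URLs, and the function names are constructed for the example.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing untrusted mail

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
URL_RE = re.compile(rb"https?://[^\s\"'<>]+", re.I)
# Namespace/schema hosts that appear in every OOXML part and are not links.
SCHEMA_HOSTS = ("schemas.openxmlformats.org", "schemas.microsoft.com",
                "www.w3.org", "purl.org")
MAX_PART = 20 * 1024 * 1024  # refuse oversized parts (zip-bomb guard)
SAMPLE_A = "https://login.example.test/reset"    # constructed sample URL
SAMPLE_B = "https://intranet.example.test/help"  # constructed sample URL

def unlisted_urls(docx_bytes):
    """Return {url: [parts]} for URLs in the package that no .rels file lists."""
    declared, found = set(), {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_PART:
                raise ValueError(f"{info.filename}: part too large, treat as suspicious")
            data = zf.read(info)
            if info.filename.endswith(".rels"):      # the "index"
                for rel in ET.fromstring(data).iter(REL):
                    if rel.get("TargetMode") == "External":
                        declared.add(rel.get("Target", ""))
            else:                                     # the "book"
                for raw in URL_RE.findall(data):
                    url = raw.decode("utf-8", "replace").replace("&amp;", "&")
                    if url.split("/")[2].lower() not in SCHEMA_HOSTS:
                        found.setdefault(url, set()).add(info.filename)
    return {u: sorted(p) for u, p in found.items() if u not in declared}

def build_sample(declared):
    """Constructed test package: the body holds two URLs; only `declared` are in the rels."""
    ns = "http://schemas.openxmlformats.org"
    rels = "".join(
        f'<Relationship Id="rId{i}" Type="{ns}/officeDocument/2006/relationships/hyperlink" '
        f'Target="{u}" TargetMode="External"/>' for i, u in enumerate(declared, 1))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml",
            f'<w:document xmlns:w="{ns}/wordprocessingml/2006/main"><w:body><w:p><w:r>'
            f'<w:t>{SAMPLE_A} and {SAMPLE_B}</w:t></w:r></w:p></w:body></w:document>')
        zf.writestr("word/_rels/document.xml.rels",
            f'<Relationships xmlns="{ns}/package/2006/relationships">{rels}</Relationships>')
    return buf.getvalue()

if __name__ == "__main__":
    print(unlisted_urls(build_sample([SAMPLE_B])))  # SAMPLE_A is missing from the rels
```

A non-empty result does not prove a document is malicious, since plain-text URLs in the body are also reported; it marks links that a relationship-file-only parser would never have checked against a threat database.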

Update 9.11 GMT: A Microsoft spokesperson said, "Anti-phishing filters found in Office 365 are not fooled by the technique described in this marketing report. Office 365 uses a multi-layered filtering solution to combat email-based phishing."

Last month, researchers published a tool called Modlishka which is a reverse proxy able to automate phishing attacks and circumvent two-factor authentication (2FA).

The penetration testing tool, if used for malicious purposes, is able to sit between users and target websites in order to record communication streams as well as collect 2FA tokens in real-time.
