Threat actors are abusing an open-source anti-automation toolkit (Predator) to thwart bot-detection in phishing campaigns. They rely on compromised email accounts, frequent URL-pattern changes, and redirection to legitimate pages to evade security controls while impersonating brands like American Express and Microsoft 365.
Keypoints
- The attack begins with phishing emails delivered from compromised accounts, with templates changing to impersonate different brands and create urgency.
- Attackers use a legitimate red-teaming tool (Predator) to detect automation and evade URL content scanning, redirecting to legitimate sites when automation is detected.
- Phishing pages employ obfuscated and hex-encoded code (isBot and related functions) to frustrate analysis and detection.
- Invisible/hidden links and empty href attributes are used to probe for automation tools while remaining hidden to human readers.
- Campaigns span multiple brands (e.g., American Express, Microsoft 365, OneDrive) with rapidly changing URL patterns to avoid pattern-based defenses.
- Trellix highlights a phishing-bot-evasion rule (Phishing_Bot_Evasion) as part of its product coverage against these campaigns.
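A defender-side heuristic for the page traits listed above (hidden links with an empty href used as automation probes, and hex-escaped isBot-style checks in script), as an added example that is not code from the Trellix write-up or from Predator; the sample HTML, the score thresholds and the function names are constructed here.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not from the report) showing the traits described
# above: an invisible anchor with an empty href, and an isBot() helper built
# from hex-escaped string literals that reads navigator.webdriver.
SAMPLE_HTML = """<html><body>
<a href="" style="display:none">verify</a>
<a href="https://example.invalid/login">Sign in</a>
<script>
function isBot(){var _0x=["\\x6e\\x61\\x76\\x69\\x67\\x61\\x74\\x6f\\x72","\\x77\\x65\\x62\\x64\\x72\\x69\\x76\\x65\\x72"];
return window[_0x[0]][_0x[1]];}
</script></body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0\b", re.I)
HEX_LITERAL = re.compile(r"\\x[0-9a-fA-F]{2}")          # one "\xNN" escape
BOT_CHECK_NAME = re.compile(r"\bisBot\b|navigator\.webdriver")

class PhishProbeParser(HTMLParser):
    """Collect the features the bot-evasion heuristic looks at."""
    def __init__(self):
        super().__init__()
        self.hidden_empty_links = 0
        self.scripts = []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # an empty href that is also hidden to humans is the probe pattern
        if tag == "a" and a.get("href", "") == "" and HIDDEN_STYLE.search(a.get("style", "")):
            self.hidden_empty_links += 1
        if tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:          # HTMLParser hands script bodies to handle_data
            self.scripts.append(data)

def score_bot_evasion(html):
    """Return (score, reasons); each matched trait adds one point."""
    p = PhishProbeParser()
    p.feed(html)
    reasons = []
    if p.hidden_empty_links:
        reasons.append(f"{p.hidden_empty_links} hidden link(s) with empty href")
    js = "\n".join(p.scripts)
    hex_count = len(HEX_LITERAL.findall(js))
    if hex_count >= 8:   # threshold is an assumption; tune on your own corpus
        reasons.append(f"{hex_count} hex-escaped characters in script")
    if BOT_CHECK_NAME.search(js):
        reasons.append("automation check (isBot / navigator.webdriver) present")
    return len(reasons), reasons
```

Run it over fetched landing pages in a sandbox and treat a score of 2 or more as a trigger for analyst review rather than an automatic verdict, since legitimate pages occasionally hide links or pack strings.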
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link - The attack starts with a phishing email containing malicious links. Quote: "The attack starts with a phishing email containing malicious links."
- [T1204.002] User Execution: Malicious Link - The victim clicks a malicious link that triggers further evasion and redirection. Quote: "Once the victim clicks on a malicious link, evasion code checks for possible bot/crawler/automation."
- [T1078] Valid Accounts - Samples originate from compromised email accounts used to conduct campaigns. Quote: "All samples we have checked have originated from compromised email accounts."
- [T1562.001] Impair Defenses - Evasion techniques to avoid URL-content scanning and detection. Quote: "evasion techniques to avoid scanning of URL content."
- [T1027] Obfuscated/Encrypted Files or Information - Code is highly obfuscated with hex strings in isBot() functions. Quote: "There are four functions which are highly obfuscated with hex strings."
Indicators of Compromise
- [URL] ever-changing URL patterns used by attackers - u29421114.ct.sendgrid.net/ls/click?upn=e94YjHb22mXQExZeqifeFl1jcmssiC-2Bt12dCq-2FC-2B0vGfntvJQRpI0UhFwvn-2BptFK1nJKJNYWovH2Fn0kFMZ7LW9HeSvBsycWiCS2e4DyCGMi4mqRJj-2FnDOJddSOGYimMbNWt_RTDQb-2BhtsIfNiUEWbcIZ3tj5ZqpiJX1igf-2BE5jeDjF6qRwcWCkJ1V-2BbcTddk4l-2FfyH-2BJ5n4wDxapd8wiOWZU3UlLzJoagpMNtk4SEC4-2BM6zaVaqlYbamNRfL4iCCoxaNPhpxj-2FzLhNkNEaBzdOz-2FfYspPyhzQQXWkNKyMwQBTWa0i9dwVZWZWmW4wV6f4p4xxc3-2FMj1KA-2B1VSERCmQ-2Bl3ESVU8CmonAO7pn-2F-2BIbU0QE-3D; and ipfs.io/ipfs/QmWjcYbGL1ek5djYTCe6VU52T7Xd6MSjrrra8zqr88U2Yp
- [URL] other bot-detection indicators - hxxps://698619018.cprecnepal.org/yitixoxufdrv/doicililios/fpZnDg//; https://1612579504.universalimage.org/zilbanitewed/yitukiniki/QgkcbB/