How to fight delayed phishing

Phishing links in e-mails to company employees often become active after initial scanning. But they still can and must be caught.

Phishing has long been a major attack vector on corporate networks. It’s no surprise, then, that everyone and everything, from e-mail providers to mail gateways and even browsers, use antiphishing filters and malicious address scanners. Therefore, cybercriminals are constantly inventing new, and refining old, circumvention methods. One such method is delayed phishing.

What is delayed phishing?

Delayed phishing is an attempt to lure a victim to a malicious or fake site using a technique known as Post-Delivery Weaponized URL. As the name suggests, the technique essentially replaces online content with a malicious version after the delivery of an e-mail linking to it. In other words, the potential victim receives an e-mail with a link that points either nowhere or to a legitimate resource that may already be compromised but that at that point has no malicious content. As a result, the message sails through any filters. The protection algorithms find the URL in the text, scan the linked site, see nothing dangerous there, and allow the message through.

At some point after delivery (always after the message is delivered, and ideally before it is read), the cybercriminals change the site to which the message links or activate malicious content on a previously harmless page. The ruse could be anything — from an imitated banking site to a browser exploit that attempts to drop malware on the victim’s computer. But in about 80% of cases, it’s a phishing site.

How does it fool antiphishing algorithms?

Cybercriminals use one of three means to get their messages past filters.

  • Use of a simple link. In this type of attack, the perpetrators control the target site, which they either created from scratch or hacked and hijacked. Cybercriminals prefer the latter, which tend to have a positive reputation, something security algorithms like. At the time of delivery, the link leads to either a meaningless stub or (more commonly) a page with an error 404 message.
  • The short-link switcheroo. Plenty of online tools enable anyone to turn a long URL into a short one. Short links make life easier for users; in effect, a short, easy-to-remember link expands into a large one. In other words, it triggers a simple redirect. With some services, you can change content hidden behind a short link, a loophole attackers exploit. At the time of message delivery, the URL points to a legitimate site, but after a while they change it to a malicious one.
  • Including a randomized and short link. Some link-shortening tools allow probabilistic redirection. That is, the link has a 50% chance of leading to and a 50% chance of opening a phishing site. The possibility of landing on a legitimate site apparently can confuse crawlers (programs for automatic information collection).

When do the links become malicious?

Attackers usually operate on the assumption that their victim is a normal worker who sleeps at night. Therefore, delayed phishing messages are sent after midnight (in the victim’s time zone), and become malicious a few hours later, closer to dawn. Looking at the statistics of antiphishing triggers, we see a peak around 7–10 am, when coffee-fueled users click on links that were benign when sent but are now malicious.

Don’t sleep on spear-phishing, either. If cybercriminals find a specific person to attack, they can study their victim’s daily routine and activate the malicious link depending on when that person checks mail.

How to spot delayed phishing

Ideally, we need to prevent the phishing link from getting to the user, so rescanning the inbox would seem to be the best strategy. In some cases, that is doable: for example, if your organization uses a Microsoft Exchange mail server.

As of this September, Kaspersky Security for Microsoft Exchange Server supports mail server integration through the native API, which permits the rescanning of messages already in mailboxes. A suitably configured scan time ensures detection of delayed phishing attempts without creating an additional load on the server at peak mail time.

Our solution additionally lets you monitor internal mail (which does not pass through the mail security gateway, and hence goes unseen by its filters and scanning engines), as well as implement more complex content-filtering rules. In especially dangerous cases of business email compromise (BEC), whereby hackers gain access to a corporate mail account, the ability to rescan the contents of mailboxes and control internal correspondence takes on particular importance.

Kaspersky Security for Microsoft Exchange Server is included in our Kaspersky Security for Mail Servers and Kaspersky Total Security for Business solutions.