NoRelationship phishing attack bypasses Microsoft’s Exchange Online Protection URL filters

  • Researchers detected a new phishing attack that bypasses Microsoft’s Exchange Online Protection (EOP) URL filters, which scan Microsoft Office documents.
  • The attackers behind the ‘NoRelationship’ phishing campaign deleted external links from a relationship (xml.rels) file, a legitimate file that lists all links included in an attachment.

Researchers from Avanan detected a new phishing attack dubbed ‘NoRelationship’ that bypasses Microsoft’s Exchange Online Protection (EOP) URL filters, which scan Microsoft Office documents such as Word (.docx), Excel (.xlsx), and PowerPoint (.pptx).

Deleting external links from a relationship file

  • The phishing emails included a .docx attachment containing a malicious link.
  • Upon opening the malicious attachment, users were redirected to a credential-harvesting login page.
  • The attackers behind the ‘NoRelationship’ phishing campaign deleted external links from a relationship (xml.rels) file, a legitimate file that lists all links included in an attachment.
  • Deleting the external links led to Microsoft’s Exchange Online Protection filters not detecting the malicious URL.

Link parsers do not scan the full document; instead they rely on the relationship (xml.rels) file. Since the attackers removed the external links from the relationship (xml.rels) file, link parsers that rely on that file failed to detect the malicious URL.

Link parsers scan only relationship files

Researchers noted that, while scanning attachments for malicious content, most filters will scan the document for external links and compare them to a database of malicious sites. However, link parsers scan only the relationship (xml.rels) file, which contains a list of all URLs within a document. Attackers are taking advantage of this loophole by deleting external links from the relationship file so that link parsers do not detect the malicious URLs.

“If, for some reason, the document contains URL links that are not included in the xml.rels file, these parsers will not see them, even though they are still active and clickable within the document. The hackers are deleting the URLs from the relationship files so that the parsers do not see them,” researchers said.
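The difference between a relationship-only parser and a full-document scan, as an added example that is not part of the original article or Avanan's tooling. It builds two constructed minimal .docx archives in memory: one with an ordinary hyperlink whose target is in document.xml.rels, and one where the relationship entry is absent and the URL is instead carried in a HYPERLINK field code (an assumed form of the "still clickable" link the article describes). The placeholder URL and the decision to scan only text nodes and Target attributes are this example's own assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

def rels_only_urls(docx_bytes):
    """What a .rels-only link parser sees: TargetMode="External" relationship targets."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                for rel in ET.fromstring(z.read(name)):
                    if rel.get("TargetMode") == "External":
                        found.add(rel.get("Target"))
    return found

def full_document_urls(docx_bytes):
    """Scan every XML part: text nodes (w:t, w:instrText, ...) plus Target attributes.
    Schema namespace URIs are skipped because only Target attribute values are read."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith((".xml", ".rels")):
                continue
            for el in ET.fromstring(z.read(name)).iter():
                for chunk in (el.text, el.tail, el.get("Target")):
                    if chunk:
                        found.update(URL_RE.findall(chunk))
    return found

def build_docx(document_xml, rels_xml):
    """Constructed minimal .docx (a zip) holding only the two parts the scanners read."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

URL = "http://login-portal.example.invalid/"  # constructed placeholder, not a real IoC
HEAD = f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body><w:p>'
TAIL = "</w:p></w:body></w:document>"

# Ordinary hyperlink: the target lives in document.xml.rels, so both scanners see it.
NORMAL = build_docx(
    HEAD + '<w:hyperlink r:id="rId1"><w:r><w:t>Sign in</w:t></w:r></w:hyperlink>' + TAIL,
    f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId1" Type="{R_NS}/hyperlink" '
    f'Target="{URL}" TargetMode="External"/></Relationships>')
# NoRelationship-style sample: no relationship entry, URL only inside a field code.
EVASIVE = build_docx(
    HEAD + f'<w:r><w:instrText> HYPERLINK "{URL}" </w:instrText></w:r>' + TAIL,
    f'<Relationships xmlns="{PKG_NS}"/>')
```

Running `rels_only_urls(EVASIVE)` returns an empty set while `full_document_urls(EVASIVE)` still returns the URL, which is the gap the article describes.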

Scanning the full document: the only solution

Avanan researchers noted that Microsoft’s Exchange Online Protection was not alone in missing the phishing attempt: Proofpoint and F-Secure scanners also failed to detect the malicious links used in the NoRelationship phishing campaign.

Researchers further noted that the only way to detect malicious files used in such attacks is to ensure that email scanners scan the full document instead of just the relationship file.

“None of these hyperlinks should have gone undetected, because the URLs are known to be malicious. By removing the malicious links from the document.xml.rels relationship file, hackers confused link parsers that only scan the relationship file for external links. It seems there are no shortcuts to be had in email scanning. The only solution is to scan the entire file,” Avanan researchers said in a blog.

Cyware Publisher