Researchers from Avanan detected a new phishing attack dubbed ‘NoRelationship’ that bypasses Microsoft’s Exchange Online Protection (EOP) URL filters which scans Microsoft Office documents such as Word (.docx), Excel (.xlsx), and PowerPoint (.pptx).
Deleting external links from a relationship file
Link parsers do not scan the full document instead rely on a relationship (xml.rels) file. Since attackers removed the external links from the relationship (xml.rels), link parses which relies on relationship (xml.rels) file failed to detect the malicious URL.
Link Parsers scans only relationship files
Researchers noted that while scanning attachments for malicious content, most filters will scan the document for external links and compare them to a database of malicious sites. However, link parsers scan only the relationship (xml.rels) file which contains a list of all URLs within a document. Attackers are taking advantage of this loophole and are deleting external links from the relationship file so that link parsers do not detect malicious URLs.
“If, for some reason, the document contains URL links that are not included in the xmls.rels file, these parses will not see them, even though they are still active and clickable within the document. The hackers are deleting the URLs from the relationship files so that the parsers do not see them,” researchers said.
Scan full document - the only solution
Avanan researchers noted that not only Microsoft’s Exchange Online Protection failed to detect the phishing attempt, Proofpoint and F-Secure scanners also failed to detect the malicious links used in NoRelationship phishing campaign.
Researchers further noted that the only way to detect malicious files used in such attacks is by ensuring that email scanners scan full documents instead of just relationship files.
“None of these hyperlinks should have gone undetected, because the URLs are known to be malicious. By removing the malicious links from the document.xml.rels relationship file, hackers confused link parsers that only scan the relationship file for external links. It seems there are no shortcuts to be had in email scanning. The only solution is to scan the entire file,” Avanan researchers said in a blog.