Skip to content

Phishing campaign exploits Symantec URL Protection to cover its tracks

The email also claims to have been scanned by Symantec email security, according to security provider Armorblox.

Spammers and scammers typically try to obfuscate and legitimize their malicious content in an effort to better trick people. That’s especially true with phishing emails that attempt to hide the source of their deceptive landing pages and spoof or reference a well-known company or brand. A new phishing attack analyzed by Armorblox takes advantage of Symantec to trick users into falling for the scam. In a blog post published Thursday titled “Credential Theft Using Symantec URL Rewriting,” Armorblox describes how this campaign operates.

More about cybersecurity

Sent to an employee who works with real estate, the phishing email contained a link to a PDF that purportedly included bid details for an upcoming building project. Clicking on the link redirects the recipient through several pages, ending with one asking for login details. Designed to resemble Microsoft OneDrive and Adobe pages, the login page asks recipients to enter their account credentials, which are then captured by the attacker.

SEE: Fighting social media phishing attacks: 10 tips (free PDF) (TechRepublic) 

One interesting factor in this campaign is the exploitation of security firm Symantec. Among the multiple redirects discovered by Armorblox was one created using Symantec’s Click-Time URL Protection. Designed to help organizations protect their users from spam, Click-Time Protection scans and rewrites potentially malicious URLs. In this case, though, the attacker used this protection to hide the actual URL of one of the suspicious pages.

Further, the email itself includes a notice that it was scanned by Symantec Security cloud service with a URL of That domain doesn’t actually exist; the real URL for Symantec Cloud is But an unsuspecting user who’s in a hurry or otherwise distracted could easily take this as verification that the email has been scanned and cleared by Symantec.


Image: Armorblox

Beyond the use of Symantec, the attacker created a new domain for the final phishing site, allowing it to get through Microsoft’s Exchange Online Protection filters. As the login pages look like legitimate Microsoft and Adobe pages, users might enter their credentials for either type of account.

Finally, the email was targeted in the sense that it contained details about a real estate bid and was sent to an employee who works with real estate projects. If the recipient was expecting such a bid, that person could easily try to download the attached PDF file, thereby giving the attacker access to sensitive account credentials.

Users must always think twice before clicking on a link or file attachment, even if the email seems legitimate and expected. But the right security protection is also essential for safeguarding organizations from these types of attacks.

“Traditional Secure Email Gateways (SEGs) and other threat-feed based detection solutions by definition miss zero-day attacks because they may not show up in threat feeds for several hours until someone reports it as a bad URL,” Armorblox co-founder and head of engineering Arjun Sambamoorthy said. “Organizations need to look for modern email security solutions that go beyond links and look at the emails in their entirety. The ability to traverse a link down through all the redirections to the final destination and programmatically compare that with known login pages of products like Office 365 is vital to detect if login pages are being spoofed.”

Also see

Cyber security lock. Security computer Data Internet protection with lock, key on microscheme chip. Hacker attack and data breach, information leak concept.Cyber security lock. Security computer Data Internet protection with lock, key on microscheme chip. Hacker attack and data breach, information leak concept.

Image: Nature, Getty Images/iStockphoto