Phishing e-mail that hides malicious link from Outlook users (Wed, Jun 4th)
Summary: The article describes a phishing e-mail technique in which the attackers use HTML conditional comments to show a benign link in Outlook and a malicious link in any other mail client or browser. The aim is to hide the attack in corporate environments while still steering non-Outlook users to the malicious site. Although the technique has been documented since 2019, it is seldom seen in real cases. 2025-06-04 09:23:19 Author: isc.sans.edu

I recently came across an interesting phishing e-mail. At first glance, it looked like a “normal” phishing message that tried to pass itself off as a notice from one of the Czech banks, asking account holders to update their information.

Nevertheless, when I hovered over the button that a recipient was expected to click, I was surprised to see that the link shown in the pop-up actually pointed to the legitimate domain of the bank.

My first thought was that the threat actors behind the phishing had made a mistake. My assumption was that they had used a real e-mail from the bank as a template that they intended to modify so that it pointed recipients to a malicious site, and had mistakenly sent it out before it was finished. Strange as it may sound, it would have been nowhere near the first case of something like that I have seen.

Nevertheless, once I looked at the HTML code of the message, it quickly emerged that I was wrong. The threat actors had actually used a technique that changes the displayed content depending on the “browser” the message is opened in. The technique in question leverages the Outlook (MSO) conditional comments <!--[if mso]> ... <![endif]--> and <!--[if !mso]><!--> ... <!--<![endif]-->, which specify content to be shown when a message or HTML page is rendered by Outlook and when it is rendered by any other mail reader or browser. To every parser other than Outlook's Word-based rendering engine (the Windows desktop client), the [if mso] block is just an HTML comment and is never displayed, while the inner markup of the [if !mso] block is ordinary HTML; Outlook evaluates the condition and does the reverse.

Using it, the threat actors made the link that Outlook displays and points to a benign one, while making it point to a presumably credential-stealing website in any other e-mail client or browser:

<!--[if mso]>
    ...
    <a href=[benign link] >
    ...
<![endif]--><!--[if !mso]><!-->
    ...
    <a href=[malicious link] >
    ...
<!--<![endif]-->
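The following is an added example and not code from the ISC diary: a small detector that parses a raw e-mail, pulls the links out of the Outlook-only ([if mso]) and non-Outlook ([if !mso]) branches, and flags a message whose two branches point at different hosts. Both MIME messages embedded below are constructed for this example, and every address and domain in them is a placeholder (reserved .test and .invalid names); the structure of the conditional comments mirrors the snippet above. The second sample shows the caveat a practitioner needs: conditional comments on their own are common in legitimate bulk mail (Outlook needs its own button markup), so the signal is a link host shown only to non-Outlook readers, not the presence of the comments.

```python
"""
Added example (not from the ISC diary): detect e-mails whose Outlook-only
([if mso]) and non-Outlook ([if !mso]) branches link to different hosts.
The messages below are constructed; all domains are placeholders.
"""
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Outlook-only branch: <!--[if mso]> ... <![endif]--> (also [if gte mso 9] etc.).
# Every non-Outlook parser treats the whole thing as one HTML comment.
MSO_RE = re.compile(
    r"<!--\[if\s+(?:(?:gte|gt|lte|lt)\s+)?mso[^\]]*\]>(.*?)<!\[endif\]-->",
    re.S | re.I)
# "Downlevel-revealed" branch: <!--[if !mso]><!--> ... <!--<![endif]-->
# Outlook hides it; everything else sees the inner markup as normal HTML.
NOT_MSO_RE = re.compile(
    r"<!--\[if\s+!mso\]>\s*<!-->(.*?)<!--\s*<!\[endif\]-->", re.S | re.I)


class _LinkCollector(HTMLParser):
    """Collects href attributes of <a> tags from an HTML fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def extract_hrefs(fragment: str) -> list[str]:
    parser = _LinkCollector()
    parser.feed(fragment)
    parser.close()
    return parser.hrefs


def html_body(msg: Message) -> str:
    """Return the decoded text of the first text/html part, or '' if none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, errors="replace")
    return ""


def hosts(urls) -> set[str]:
    return {urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}


def analyze(raw_message: str) -> dict:
    """Compare the link hosts Outlook would show with those any other client would."""
    html = html_body(message_from_string(raw_message))
    outlook_hosts = hosts(h for frag in MSO_RE.findall(html) for h in extract_hrefs(frag))
    other_hosts = hosts(h for frag in NOT_MSO_RE.findall(html) for h in extract_hrefs(frag))
    # The tell is a host that only non-Outlook readers are sent to.
    hidden = other_hosts - outlook_hosts
    return {
        "outlook_hosts": sorted(outlook_hosts),
        "other_hosts": sorted(other_hosts),
        "hidden_from_outlook": sorted(hidden),
        "divergent": bool(hidden),
    }


def _sample(outlook_href: str, other_href: str) -> str:
    """Build a constructed multipart/alternative message with both branches."""
    return (
        'From: "Bank Notice" <notice@example-bank.test>\n'
        "To: user@corp.example\n"
        "Subject: Please update your account details\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/alternative; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain; charset=utf-8\n\n"
        "Please update your account details.\n\n"
        "--b1\nContent-Type: text/html; charset=utf-8\n\n"
        "<html><body><p>Dear customer, please update your details:</p>\n"
        "<!--[if mso]>\n"
        f'<a href="{outlook_href}">Update now</a>\n'
        "<![endif]--><!--[if !mso]><!-->\n"
        f'<a href="{other_href}">Update now</a>\n'
        "<!--<![endif]-->\n</body></html>\n\n--b1--\n"
    )


# Constructed samples: the phishing pattern from the diary, and a benign
# mail that uses the same conditional comments but links to one host.
PHISHING_SAMPLE = _sample("https://www.example-bank.test/update",
                          "https://example-bank-update.invalid/login")
BENIGN_SAMPLE = _sample("https://www.example-bank.test/update?src=outlook",
                        "https://www.example-bank.test/update")

if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze(raw))
```

The regexes deliberately match the raw source rather than a parsed DOM, because a DOM built by a non-Outlook parser has already discarded the [if mso] branch as a comment; the Outlook view has to be recovered from the text. Run it over a mailbox export and triage only messages with a non-empty hidden_from_outlook list.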

In this case, the threat actors likely used this technique to hide the malicious link in corporate environments, where Outlook is commonly used alongside security mechanisms that scan web traffic, DNS requests and the like. Users there would also be less likely to click, since an e-mail from a bank sent to a work address rather than a private one would be a red flag on its own. At the same time, recipients who opened the e-mail in a non-Outlook client would still be directed to the malicious website.

While this approach isn’t new (it has been documented since at least 2019 [1]), its use in the wild is not too common. Since it is therefore among the lesser-known phishing techniques, I believe it is worth at least this short reminder of its existence.

[1] https://www.libraesva.com/outlook-comments-abused-to-deliver-malware/

-----------
Jan Kopriva
LinkedIn
Nettles Consulting


Source: https://isc.sans.edu/diary/rss/32010