During an attack simulation you may run into Symantec Email Security.cloud (MessageLabs) while conducting a phishing campaign. MessageLabs blocks both known and unknown techniques used to deliver malicious email content.
"The Email Security.cloud service helps organizations combat these threats through advanced perimeter defenses and our proprietary Skeptic™ technologies. Operating at the Internet level with automatic and continuous updates, Email Security.cloud delivers protection against both known and unknown threats." (https://www.symantec.com/content/en/us/enterprise/fact_sheets/b-datasheet_ml_email_security_cloud_DS.en-us.pdf)
How it works
When an email arrives from an external source, the MessageLabs spider opens the message, parses the body content, scans the attachments and validates any links by visiting them behind the scenes.
- MessageLabs opens the email and follows all links; if any external URL serves a malicious payload, the message is blocked.
- Attachments are scanned for malicious payloads.
- If the message content is judged safe, the email is delivered.
Tackling MessageLabs spiders
To determine which IP addresses MessageLabs uses when crawling links in the email body or inside an attachment, send a test email containing a link that redirects to your own web server. The spiders' real IP addresses are only seen when your email is delivered successfully; if you get hits from IP ranges that are not related to MessageLabs, that is because of the use of some ISP solutions.
- The attacker sends a test email that includes a link to his own web server.
- The web logs are inspected to determine which IP addresses are used.
Redirecting your spiders to your Big Daddy
The idea of the bypass is to set up deny rules for the specific IP ranges gathered earlier for the MessageLabs spiders and forward them to a safe URL, while the malicious links stay reachable for whitelisted IP addresses. The setup used here consists of:
- A cloud instance.
- The OpenLiteSpeed web server.
From the access control option you can set up a new deny rule that rejects every request reaching the attacker's machine from the spiders, using the IP addresses gathered in the test stage above. Once the deny list is in place, any request that reaches the web server from one of the listed sources will be forbidden. OpenLiteSpeed also has a feature that redirects requests per response code, meaning you control where a URL leads by its error response code (such as 403).
Once the configuration is done, you are ready to send your email with the malicious link of your choice, whether an on-click downloadable attachment or a phishing landing page.
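The deny-and-redirect trick above also gives the defending side something concrete to look for: a link whose response depends on who fetches it. The following Python check is an added example, not code from the original post or from any vendor product; it compares what a URL returned when fetched from the mail scanner's known egress address with what it returned from an unrelated control address and flags the link as IP-cloaked when the two disagree. All fetch results, host names and hashes are constructed inline and the function names are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class FetchResult:
    """What one vantage point observed for a URL (constructed, not real traffic)."""
    vantage: str      # egress label: "scanner" (known mail-scanner range) or "control"
    status: int       # HTTP status of the first response
    location: str     # Location header of that response, "" when absent
    body_sha256: str  # hash of the final body; placeholder values below

def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def _redirect_offsite(url: str, res: FetchResult) -> bool:
    """True when the response bounces the client to a host other than the link's own."""
    return 300 <= res.status < 400 and _host(res.location) not in ("", _host(url))

def classify(url: str, scanner: FetchResult, control: FetchResult) -> str:
    """Return 'cloaked', 'consistent' or 'inconclusive' for one link.

    The deny-and-redirect setup gives the scanner's address a 403/404 or a redirect
    to a safe site while an ordinary client gets the real page, so the signal is the
    disagreement between vantage points, not either fetch on its own."""
    if scanner.status >= 500 or control.status >= 500:
        return "inconclusive"   # server error on one side; refetch later
    if scanner.status in (401, 403, 404) and control.status == 200:
        return "cloaked"        # scanner denied, real client served
    if _redirect_offsite(url, scanner) and not _redirect_offsite(url, control):
        return "cloaked"        # only the scanner is sent to the "safe URL"
    if scanner.status == control.status == 200 and scanner.body_sha256 != control.body_sha256:
        return "cloaked"        # same status, different page; normalise dynamic content first
    return "consistent"

# Constructed observations for one link, as the check would record them.
LINK = "https://example-campaign.invalid/login"
SCANNER_DENIED = FetchResult("scanner", 403, "", "aa11")
SCANNER_BOUNCED = FetchResult("scanner", 302, "https://www.example.org/", "bb22")
CONTROL_SERVED = FetchResult("control", 200, "", "cc33")
CONTROL_SAME = FetchResult("control", 403, "", "aa11")

def demo() -> dict:
    return {
        "denied": classify(LINK, SCANNER_DENIED, CONTROL_SERVED),    # 'cloaked'
        "bounced": classify(LINK, SCANNER_BOUNCED, CONTROL_SERVED),  # 'cloaked'
        "same": classify(LINK, SCANNER_DENIED, CONTROL_SAME),        # 'consistent'
    }
```

The check only works if the control fetch really comes from an address the sender has no reason to deny-list, which is why mail-security products pair link scanning with egress addresses that are hard to attribute and with a re-check at click time.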
Offensive security expert and founder of 0xsp Security Research and Development (SRD), passionate about hacking and breaking stuff, coder and maintainer of 0xsp-mongoose RED and many other open-source projects.