Bypass Symantec Email


During attack Simulation , you may face Symantec Email Security Cloud (Message Lab ) while conducting phishing campaign . Message Lab stops known and unknown techniques while delivering malicious email content .

The Email service helps organizations combat these threats through advanced perimeter defenses and our proprietary SkepticTM technologies. Operating at the Internet level with automatic and continuous updates, Email delivers protection against both known and unknown threats

How it Works !

while receiving email from external resources , message lab spider will open the message and parse content of body , scanning attachments , also validating the links by navigating into them behind the scene .

  • Message Lab will open the email follow all links , so if any external URL contains malicious payload , email message will be blocked
  • scanning attachment for malicious payloads
  • if the content of message is safe , email message will be delivered

Tackling Message Lab Spiders

to determine which IP Address Message Lab uses while crawling links inside email body or even inside the attachment is by sending a test email with a link that's redirect into your web server . Message Lab's Spiders real IP address is only used while delivering your email successfully , while if you getting hits from IP ranges that's not related to message lab this because usage of some ISP solutions .

  • Attacker send test email including his own webserver link .
  • inspection of web logs to determine which IP address being used .

Redirecting your spiders to your Big daddy

the idea of bypassing is to setup deny rules for specific range of IP address gathered before about Message Lab Spiders , and forward it into safe URL while malicious link will be accessible for white listed IP address R**equirements**

  • Cloud instance .
  • OpenLightSpeed webserver

so from access control option , you can setup a new deny rule which will deny all requests comes into attacker machine from Spiders , below used of IP address gathered from test stage done before . after setting up denied list , any requests comes into web server from un authorized source will be forbidden . a feature comes with openlight webserver which redirect requests per response code . it means you control URL navigation by Error Response code (403 or 403)

After configuration is done , now you are ready to send your email with a malicious link you choose whether on-click downloadable attachment or phishing landing page

Lawrence Amer
offensive security expert and founder of 0xsp security research and development (SRD), passionate about hacking and breaking stuff, coder and maintainer of 0xsp-mongoose RED, and many other open-source projects


To stay informed with all the news, please subscribe!