“Secure Hop” or How Attackers Bypass Microsoft Office365 ATP (Advanced Threat Protection)

In this post, I’ll present an analysis of a phishing attack we recently saw in the wild that targeted Facebook. The attackers used an easy trick we called “secure hop” to bypass the Microsoft Office365 ATP solution (tested) and probably other similar URL reputation-based solutions (untested).

The Attack

The first page of the attack is hosted on Google Sites (https://sites.google.com/site/unblocksafetty018/, the site is up at the time of writing) and thus has a valid SSL certificate from Google. Here is a screenshot:


Chrome doesn’t consider this site malicious as it doesn’t steal credentials (yet). The question of whether this website is malicious is subjective (some would argue that yes, it is), but I’ll go with Google here and say I don’t consider this site malicious (yet).

If we go ahead and click on “Connect with Facebook,” we are redirected to the next page, which Chrome already blocks (because this URL is already a day old and has been blacklisted). If we go ahead and continue anyway, we can see that Phish.AI detects this webpage using PhishProtect™ AI and a computer-vision Cloud engine.

PhishProtect Prevention

The Bypass

Now, let’s go ahead and send this link to an Office365 mailbox that is ATP-enabled.

Here is a screenshot of the rewritten URL (you can see it in the left bottom corner – https://emea01.safelinks.protection.outlook.com/********).

Office365 ATP

The first time I clicked on it, it took Office365 ATP about 30 seconds to process it and redirect me to the page anyway.

Office365 doesn’t consider this link malicious because the attackers use a technique we call “secure hop” to bypass solutions like Office365 ATP. The attackers send a link, via email or another channel, that points to a valid website. The user is redirected to the malicious website only after clicking a link on that “legitimate” website, and at that point Office365 no longer has visibility, as it only sees the first link.
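The visibility gap described above, from the defender's side, as an added example that is not part of the original post: a reputation check on the emailed URL alone returns a clean verdict, while also checking every off-host target on the page it serves surfaces the second hop. The host sets, the landing URL and HTML, and the function names are constructed assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample data (assumptions): reputation sets and a first-hop page.
TRUSTED_HOSTS = {"sites.google.com"}
BLOCKED_HOSTS = {"login-check.example"}
LANDING_URL = "https://sites.google.com/site/example-landing/"
LANDING_HTML = """
<html><body>
  <a href="/site/example-landing/help">Help</a>
  <a href="https://login-check.example/fb/">Connect with Facebook</a>
  <form action="https://unknown-host.example/next"><input name="q"></form>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect <a href> and <form action> targets from a page."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "form": "action"}.get(tag)
        value = dict(attrs).get(wanted) if wanted else None
        if value:
            self.targets.append(value)

def verdict(url):
    """Host-reputation verdict for a single URL (what a first-link check sees)."""
    host = (urlsplit(url).hostname or "").lower()
    if host in BLOCKED_HOSTS:
        return "block"
    return "clean" if host in TRUSTED_HOSTS else "unknown"

def second_hop_verdict(url, html):
    """Judge the emailed URL together with every off-host target on its page."""
    collector = LinkCollector()
    collector.feed(html)
    landing_host = urlsplit(url).hostname
    findings = {}
    for target in collector.targets:
        absolute = urljoin(url, target)  # resolve relative links against the page
        parts = urlsplit(absolute)
        if parts.scheme in ("http", "https") and parts.hostname != landing_host:
            findings[absolute] = verdict(absolute)
    seen = set(findings.values())
    worst = "block" if "block" in seen else "review" if "unknown" in seen else verdict(url)
    return worst, findings
```

Static link extraction does not cover targets built by script at click time, so this check narrows the gap rather than closing it.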


This is an example of why successful zero-day phishing prevention has to be done with in-browser security powered by a cloud-based AI and computer-vision analysis to detect fraudulent sites. As a human with some knowledge of security looking at picture number (2) and looking at the domain, you would classify this website as malicious. In the era of AI and self-driving cars, though, there is no reason a computer can’t do it, to save the employee’s time and to save us from costly mistakes; we don’t always have time to pay attention to every link we access.
