New BI.ZONE CESP protects against quishing, takes into account employee cyber awareness levels

We have updated our email protection service to defend organizations against a wider range of malicious email campaigns
April 26, 2024

Now adversaries won’t be able to conceal phishing links with QR codes, uncommon punctuation marks, HTML anchors, or query parameters. The updated BI.ZONE CESP also reveals attempts to hide large numbers of mailing recipients. Thanks to integration with BI.ZONE Security Fitness, the service helps to improve the protection of the most vulnerable employees.

68% of targeted attacks on Russian companies in 2023 started with a phishing email. In Q1 2024 the share was already 70–80%.

This year, QR code phishing (quishing) and various ways of hiding malicious links (behind HTML anchors, query parameters, uncommon characters and punctuation marks) were among the most popular ways of disguising unwanted content.

New methods to hide dangerous links

QR code links generally lead to websites mimicking those of well‑known companies or services. For example, in Q1 2024, BI.ZONE CESP detected and blocked a quishing mailout in which the QR code redirected to a fake authorization page of a popular mail service. The page is built so that the credentials are sent straight to the attackers as soon as the user presses Enter, after which the page displays an error message.

HTML anchors and query parameters were used to hide malicious links in 30% of phishing emails (source: BI.ZONE CESP, Q1 2024). In legitimate links, an HTML anchor (the fragment after "#") takes the user directly to a specific section of a page, while query parameters (the part after "?") drive search and navigation and allow website visits to be collected and organized.

RFC 3986, the standard that defines URL structure and syntax, treats "?" and "#" as delimiters: everything after "#" is a fragment that the browser keeps to itself and never sends to the server, and everything after "?" is a query string that only the destination server interprets. Security tools that evaluate only the scheme, host, and path, or that truncate a link at these delimiters, see a seemingly legitimate address, while the part after the delimiter carries the attacker's real target or payload. Scammers exploit exactly this by attaching hidden malicious elements to an otherwise legitimate-looking link.

Attackers may also insert uncommon characters or punctuation marks into malicious links so that security tools fail to recognize them as URLs. Another popular method is mass mailing to a concealed list of recipients, on the assumption that a larger audience raises the chances of success.
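The following is an added example of how a filter can unwrap such links; it is not BI.ZONE's code and says nothing about how CESP actually parses URLs. It folds full-width letters and punctuation with NFKC normalization, strips zero-width characters, and then looks inside query parameters and the fragment for a second URL whose host differs from the visible one. The sample URLs, the message body, and the example.com/example.net domains are constructed placeholders.

```python
"""Added example (not BI.ZONE code): unwrap links hidden behind query
parameters, fragments ("HTML anchors") and unusual characters, so that the
filter judges the real destination rather than the visible host."""
import re
import unicodedata
from urllib.parse import urlsplit, parse_qsl, unquote

# Zero-width characters that attackers sprinkle into a link to break naive
# URL regexes; NFKC normalization does not remove them, so strip explicitly.
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"))
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def normalize(text):
    """Fold full-width letters and punctuation (NFKC) so that 'ｈｔｔｐｓ'
    becomes 'https' and '．' becomes '.', then drop zero-width characters."""
    return unicodedata.normalize("NFKC", text).translate(ZERO_WIDTH)


def extract_urls(text):
    """Find every URL in a message body after normalization."""
    return URL_RE.findall(normalize(text))


def analyze(url):
    """Return the host a user sees and any URLs hidden in the query or fragment.

    RFC 3986: the fragment after '#' never reaches the server, and the query
    after '?' is opaque to anyone who only looks at scheme/host/path."""
    parts = urlsplit(normalize(url))
    hidden = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        for inner in URL_RE.findall(unquote(value)):
            hidden.append(("query:" + key, urlsplit(inner).hostname))
    for inner in URL_RE.findall(unquote(parts.fragment)):
        hidden.append(("fragment", urlsplit(inner).hostname))
    return {"visible_host": parts.hostname, "hidden_hosts": hidden}


def is_suspicious(url):
    """Flag a link whose hidden target lives on a different host than the visible one."""
    info = analyze(url)
    return any(host != info["visible_host"] for _, host in info["hidden_hosts"])


# Constructed samples (not taken from the BI.ZONE report).
SAMPLE_URLS = [
    # visible host looks legitimate; the real target sits in a redirect parameter
    "https://login.example.com/auth?next=https%3A%2F%2Fevil.example.net%2Flogin",
    # payload in the fragment, which the browser keeps to itself
    "https://docs.example.com/page#https://evil.example.net/drop",
    # full-width letters and full-width full stops defeat a plain ASCII regex
    "ｈｔｔｐｓ://evil．example．net/ｌogin",
    # ordinary benign link with a query and an anchor
    "https://www.example.com/news?id=42#top",
]
SAMPLE_BODY = "Verify here: ｈｔｔｐｓ://evil．example．net/ｌogin or https://evil\u200b.example.net/x"

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(analyze(u), "SUSPICIOUS" if is_suspicious(u) else "ok")
    print(extract_urls(SAMPLE_BODY))
```

In practice the hidden host would then be run through the same reputation and category lookups as the visible one; a mismatch alone is a signal, not a verdict, because legitimate single sign-on flows also pass return URLs in query parameters.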

400+ Russian companies were compromised within 24 hours through a single malware mailout. 4,000+ addresses were targeted in one of the largest malware mailouts.

“Now machine vision enables BI.ZONE CESP to recognize QR codes and analyze the links in them. We have also improved the URL parsing to make sure malicious techniques are not hiding behind query parameters or HTML anchors. We constantly expand the set of readable characters and formats for our parsers to detect any attempts at unusual encoding.

The updated BI.ZONE CESP captures the techniques for hiding a large number of email recipients. Such emails automatically get a higher spam rating and are quarantined, even if other scanning checks have not detected malicious content.”

Dmitry Tsarev, Head of Cloud Security Solutions, BI.ZONE

Protection against social engineering techniques and software vulnerabilities

The new BI.ZONE CESP counters social engineering more effectively thanks to a deep integration with BI.ZONE Security Fitness, a platform for raising employee cyber awareness. As users train on BI.ZONE Security Fitness, each of them receives an individual rating that reflects how susceptible they are to social engineering. For more vulnerable employees, the message quarantine rules are stricter and cover even slightly suspicious emails. This reduces the risk that a single opened phishing email compromises the entire corporate infrastructure.
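The following added example sketches both mechanisms described above: a heuristic score for messages whose recipient list is hidden (an empty group such as undisclosed-recipients:;, a To field that names only the sender, or an SMTP envelope far larger than the visible recipient list) and a quarantine threshold that tightens as the recipient's awareness rating falls. It is not BI.ZONE's code and does not reproduce how CESP or Security Fitness actually score anything; the weights, the 0-100 rating scale, and the sample messages and envelopes are all assumptions made for illustration.

```python
"""Added example (not BI.ZONE code): score a message whose recipient list is
hidden and pick the quarantine threshold from the recipient's awareness rating."""
import re
from email import message_from_string
from email.utils import getaddresses

# RFC 5322 group with no members, e.g. "undisclosed-recipients:;"
EMPTY_GROUP = re.compile(r":\s*;")


def header_recipients(raw):
    """Addresses visible in To/Cc; an empty group yields no addresses."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})


def assess(raw, envelope_rcpts):
    """Compare the visible recipients with the SMTP envelope (RCPT TO list).

    Returns a heuristic score and the reasons; the weights are illustrative."""
    msg = message_from_string(raw)
    visible = header_recipients(raw)
    sender = {addr.lower() for _, addr in getaddresses(msg.get_all("From", [])) if addr}
    to_header = msg.get("To", "")
    score, reasons = 0, []
    if not visible:
        score += 3
        reasons.append("no visible recipients" + (" (empty group)" if EMPTY_GROUP.search(to_header) else ""))
    elif set(visible) <= sender:
        score += 2
        reasons.append("To lists only the sender")
    hidden = [r for r in envelope_rcpts if r.lower() not in visible]
    if len(hidden) >= 100:
        score += 3
        reasons.append(f"{len(hidden)} envelope recipients not shown in headers")
    elif len(hidden) >= 10:
        score += 1
        reasons.append(f"{len(hidden)} envelope recipients not shown in headers")
    return {"score": score, "reasons": reasons, "hidden_count": len(hidden)}


def quarantine_threshold(awareness_rating):
    """Assumed scale: 0-100, higher means more resistant to social engineering.
    Low-rated users get a stricter (lower) threshold."""
    if awareness_rating < 40:
        return 2
    if awareness_rating < 70:
        return 4
    return 6


def should_quarantine(raw, envelope_rcpts, awareness_rating):
    return assess(raw, envelope_rcpts)["score"] >= quarantine_threshold(awareness_rating)


# Constructed samples (not from the BI.ZONE report).
HIDDEN_MASS_MAIL = """\
From: "Accounts" <accounts@example.com>
To: undisclosed-recipients:;
Subject: Invoice attached

Please see the attached invoice.
"""
MASS_ENVELOPE = [f"user{i}@corp.example" for i in range(1200)]

SELF_ADDRESSED = """\
From: newsletter@example.com
To: newsletter@example.com
Subject: Update

Everyone else is in Bcc.
"""
SELF_ENVELOPE = [f"staff{i}@corp.example" for i in range(30)]

NORMAL_MAIL = """\
From: alice@example.com
To: bob@corp.example
Subject: lunch?

Noon works for me.
"""
NORMAL_ENVELOPE = ["bob@corp.example"]

if __name__ == "__main__":
    for name, raw, env in (("hidden", HIDDEN_MASS_MAIL, MASS_ENVELOPE),
                           ("self", SELF_ADDRESSED, SELF_ENVELOPE),
                           ("normal", NORMAL_MAIL, NORMAL_ENVELOPE)):
        print(name, assess(raw, env), [should_quarantine(raw, env, r) for r in (20, 50, 90)])
```

The envelope list is the one piece a header-only scanner never sees, which is why this check has to run at the SMTP layer rather than on the stored message. The self-addressed sample scores 3: quarantined for a user rated 20, delivered for a user rated 90.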

Besides tracking attacker tactics and techniques, the BI.ZONE CESP team monitors new vulnerabilities in the mail software that takes part in the SMTP exchange. If exploiting a vulnerability requires manipulating email traffic, our specialists promptly create protective rules so that customers are covered before vendor patches become available.

In the last 10 months alone, our experts have covered two critical vulnerabilities with such rules: CVE-2024-21413 (CVSS score 9.8 out of 10) and CVE-2023-34192 (CVSS score 9.0 out of 10). BI.ZONE CESP has also held up against the medium-severity SMTP smuggling vulnerabilities (CVE-2023-51764, CVE-2023-51765, CVE-2023-51766), which are actively exploited to send spoofed emails.
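As an added illustration (not BI.ZONE's rules), the check below flags SMTP smuggling in a DATA stream. The three CVEs above concern receivers that ended DATA on sequences other than CRLF.CRLF (for instance a bare LF before the dot). A relay that forwards the message verbatim lets an attacker terminate it early and inject MAIL FROM, RCPT TO, and DATA on the relay's already-established session, so the second message inherits the relay's SPF standing. The payload and addresses below are constructed.

```python
"""Added example (not BI.ZONE code): detect SMTP smuggling in a DATA stream.
A strict relay only ends DATA on CRLF.CRLF, so the smuggled sequence travels
inside the message; a lenient receiver that also honours LF.CRLF (or similar)
ends the message early and executes the rest as fresh SMTP commands."""
import re

# Terminator variants: bare LF (not preceded by CR) or bare CR (not followed by LF)
BARE_LF = re.compile(rb"(?<!\r)\n")
BARE_CR = re.compile(rb"\r(?!\n)")
# Any "<terminator>.<terminator>" in which at least one terminator is not CRLF.
# The legitimate CRLF.CRLF matches neither alternative.
SMUGGLE_EOD = re.compile(
    rb"(?:(?<!\r)\n|\r(?!\n))\.(?:\r\n|\r|\n)"   # bare terminator before the dot
    rb"|\r\n\.(?:\r(?!\n)|\n)"                   # CRLF before, bare terminator after
)
COMMANDS = (b"MAIL FROM:", b"RCPT TO:", b"DATA")


def bare_terminators(data):
    """Count bare LF and bare CR characters; a hardened receiver rejects any."""
    return {"lf": len(BARE_LF.findall(data)), "cr": len(BARE_CR.findall(data))}


def smuggling_sequences(data):
    """Offsets and bytes of every non-standard end-of-data sequence."""
    return [(m.start(), m.group()) for m in SMUGGLE_EOD.finditer(data)]


def is_smuggling_attempt(data):
    return bool(SMUGGLE_EOD.search(data))


def lenient_receiver_view(data):
    """What a receiver that accepts non-standard end-of-data sequences would see:
    the truncated first message and the commands it would then execute."""
    m = SMUGGLE_EOD.search(data)
    if not m:
        return data, []
    first, rest = data[:m.start()], data[m.end():]
    lines = re.split(rb"\r\n|\r|\n", rest)
    commands = [ln for ln in lines if ln.upper().startswith(COMMANDS)]
    return first, commands


# Constructed sample DATA payload (not from any real incident).
SMUGGLED = (
    b"From: ceo@trusted.example\r\n"
    b"To: staff@victim.example\r\n"
    b"Subject: hello\r\n\r\n"
    b"innocent body\r\n"
    b"\n.\r\n"                                  # bogus end-of-data: bare LF before the dot
    b"MAIL FROM:<ceo@trusted.example>\r\n"      # second message rides on the relay's session
    b"RCPT TO:<finance@victim.example>\r\n"
    b"DATA\r\n"
    b"From: ceo@trusted.example\r\n"
    b"Subject: urgent transfer\r\n\r\n"
    b"Pay the attached invoice today.\r\n"
    b".\r\n"                                    # the real CRLF.CRLF end of data
)
CLEAN = (
    b"From: alice@example.com\r\n"
    b"Subject: hi\r\n\r\n"
    b"..a line that starts with a dot, correctly dot-stuffed\r\n"
    b".\r\n"
)

if __name__ == "__main__":
    print(bare_terminators(SMUGGLED), smuggling_sequences(SMUGGLED))
    first, cmds = lenient_receiver_view(SMUGGLED)
    print(first.decode(), cmds)
```

The simplest hardening on a receiver is the first function: reject DATA that contains any bare CR or LF, which removes every ambiguous end-of-data interpretation at once. The dot-stuffed line in the clean sample shows that a leading dot on its own is not a signal.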

Additional administration capabilities

An important part of the BI.ZONE CESP update is the expansion of client‑side administration capabilities, including message log management. The administrator can now have the output of any message log filter sent by email as a CSV file. Each message record contains the date, time, connection and message identifiers, sender IP address, sender and recipient email addresses, subject line, message size in bytes, spam rating, delivery status, and the actions taken by BI.ZONE CESP.

The message log has become more detailed. The updated cards show whether the message’s sender, recipient, or IP address is whitelisted or blacklisted. If the message contains links, the cards show the web categories of the corresponding domains. Likewise, if the message triggers an extended list rule, that rule is logged too. Each property can be examined in detail. There is also advanced filtering by delivery status, URL category, mail server response during delivery, and protected domain.

Configuring protected domains has become more transparent. Since the process now runs on the BI.ZONE side, you can see which of its four stages it is at: synchronization, SMTP server verification, test email sending, or pending MX record change. At each stage you can run the check and see the current status.