Hiding with Turnstile Verification

    7 November 2024

    Key Points

    What you'll learn in this notification

    The latest obfuscation technique: hiding malicious content behind Cloudflare Turnstile verification checks.

    • Targeting all sectors
    • Attackers place Cloudflare Turnstile checks in front of their phishing pages to obfuscate them
    • The goal is to obtain credentials for onward attacks and extortion.

    Mimecast Threat Researchers have identified increased use of Cloudflare's Turnstile checks by threat actors to obscure malicious content and lend legitimacy to phishing and fraudulent sites. Turnstile is designed to verify that a visitor is human without a traditional CAPTCHA challenge, which makes it attractive to attackers: it keeps automated scanners away from the page content while presenting the victim with a familiar, credible-looking verification step. Understanding how Turnstile is abused, and recognizing the associated indicators of compromise (IOCs), is important for maintaining your organization's security posture.

    Campaign Flow Examples

    • The majority use compromised accounts to share a phishing link.
    • The phishing link automatically launches a Cloudflare Turnstile verification step.
    • Some campaigns add further obfuscation through embedded .wav files.
    • All pages ultimately redirect to a phishing page for Microsoft 365 credentials.
    [Figure: Phishing page flow with Cloudflare Turnstile]

    A more obscure example uses a .wav file to add another human-interaction step before the malicious page is revealed.

    [Figure: Turnstile check followed by a .wav file gate]
    This ultimately directed users to the following page:
    [Figure: redirection to the Microsoft 365 credential phishing page]


    Mechanisms of Abuse

    Legitimacy Through Verification

    Turnstile operates transparently, confirming that a visitor is human without displaying a traditional CAPTCHA challenge. Threat actors exploit this to create a false sense of security around their sites. A Cloudflare-branded verification step is something users and security tooling have seen on countless legitimate pages, so embedding Turnstile makes the site appear to be a property that takes bot protection seriously and reduces the likelihood of scrutiny of what follows.


    Hiding Malicious Content

    In phishing campaigns, attackers use Turnstile to hide the real content of their sites from security scanners. The credential-harvesting page is delivered only after the Turnstile challenge succeeds, so an automated scanner or sandbox that does not execute the challenge (or cannot pass it) sees nothing more than a verification page and has no malicious element to flag. The attacker evades detection while appearing to follow the same bot-protection practice as legitimate sites.
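    The practical consequence for anyone running a URL scanner is that "fetched the page, found nothing bad" is the wrong verdict when the page is nothing but a Turnstile gate. The following is an added example (not Mimecast's code, and not part of the original notification) of a heuristic that distinguishes a bare challenge shell from a page that legitimately uses Turnstile beside real content. It keys on Cloudflare's documented implicit-render markup (the `challenges.cloudflare.com/turnstile/v0/api.js` script and the `cf-turnstile` widget div); the text-length threshold and the three sample pages are assumptions constructed for illustration.

```python
# Added example (not Mimecast's code): a URL-scanner heuristic that refuses to
# call a fetched page "benign" when the static HTML is nothing but a Turnstile
# gate. Markup it looks for is Cloudflare's documented implicit-render widget:
#   <script src="https://challenges.cloudflare.com/turnstile/v0/api.js">
#   <div class="cf-turnstile" data-sitekey="...">
# The 200-character threshold and the sample pages are assumptions.
from html.parser import HTMLParser

TURNSTILE_SCRIPT_PATH = "challenges.cloudflare.com/turnstile/"
TURNSTILE_WIDGET_CLASS = "cf-turnstile"


class _PageFeatures(HTMLParser):
    """Collects the few features the heuristic needs from static HTML."""

    def __init__(self):
        super().__init__()
        self.turnstile_script = False
        self.turnstile_widget = False
        self.credential_inputs = 0    # text/email/password fields in the HTML
        self.visible_text_chars = 0   # non-whitespace text outside script/style
        self._in_ignored = 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # valueless attrs (async, defer) -> ""
        if tag == "script" and TURNSTILE_SCRIPT_PATH in a.get("src", ""):
            self.turnstile_script = True
        if TURNSTILE_WIDGET_CLASS in a.get("class", "").split():
            self.turnstile_widget = True
        if tag == "input" and a.get("type", "text").lower() in ("text", "email", "password"):
            self.credential_inputs += 1
        if tag in ("script", "style"):
            self._in_ignored += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._in_ignored:
            self._in_ignored -= 1

    def handle_data(self, data):
        if not self._in_ignored:
            self.visible_text_chars += len(data.strip())


def classify_fetched_page(html: str, min_text_chars: int = 200) -> str:
    """Return 'turnstile-gate' when the page is only a challenge shell,
    'turnstile-with-content' when Turnstile sits beside real content, or
    'no-turnstile'. Treat 'turnstile-gate' as UNRESOLVED (the real content
    was never reached), never as a clean verdict."""
    f = _PageFeatures()
    f.feed(html)
    f.close()
    if not (f.turnstile_script or f.turnstile_widget):
        return "no-turnstile"
    if f.credential_inputs == 0 and f.visible_text_chars < min_text_chars:
        return "turnstile-gate"
    return "turnstile-with-content"


# Constructed sample: what a scanner that does not run JavaScript receives
# from a Turnstile-gated phishing page. No credential form is present yet.
GATE_SHELL = """<!doctype html><html><head><title>Verify</title>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body><h2>Checking that you are human...</h2>
<form action="/verify" method="POST">
  <div class="cf-turnstile" data-sitekey="SITEKEY_PLACEHOLDER"></div>
</form></body></html>"""

# Constructed sample: a real sign-in page that legitimately uses Turnstile.
LEGIT_LOGIN = """<html><head><title>Sign in</title>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script></head>
<body><h1>Sign in to Example Corp</h1>
<form method="POST" action="/login">
  <input type="email" name="user"><input type="password" name="pass">
  <div class="cf-turnstile" data-sitekey="SITEKEY_PLACEHOLDER"></div>
</form></body></html>"""

# Constructed sample: an ordinary page with no Turnstile at all.
PLAIN_PAGE = "<html><body><p>Quarterly newsletter: " + "lorem ipsum " * 40 + "</p></body></html>"


if __name__ == "__main__":
    for name, page in (("gate shell", GATE_SHELL), ("legit login", LEGIT_LOGIN), ("plain", PLAIN_PAGE)):
        print(f"{name:<12} -> {classify_fetched_page(page)}")
```

    A scanner that hits `turnstile-gate` should either drive the page in a real browser (and solve or be allowed through the challenge) or queue the URL for re-scanning, rather than recording it as clean; the same logic applies to other "verify you are human" interstitials.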


    Mimecast Protection

    We have rolled out new functionality to aid in the detection of this type of attack. Read the service update to learn more about the new capability of our URL Protect service.



    Targeting:

    Global, All Sectors



    IOCs:

    Primary URLs:


    kckcaybfelv63lh671791dc49405.mueblesnet[.]com

    dfo8pirl6ixxbq6671296e55b8a1.kodaa[.]lv

    jhfuhyjaie1a9qx67128bb6d5ce3.filsecestors-insularpoint[.]org

    filsecestors-insularpoint[.]org

    phh.filsecestors-insularpoint[.]org

    msd1u18s0hoj0dp670ff81742118[.]safescanlogistics


    Recommendations

    • Inform users about the risks of phishing and the tactics used by attackers, including the use of seemingly legitimate verification steps such as Turnstile checks.
    • Search your phishing/URL logs for the published IOCs to determine whether any of your users reached these pages.
    • Reset the credentials of affected user(s), and revoke their active sessions, to ensure the malicious actor's access is removed.
    • Enforce multi-factor authentication so that phished credentials alone are not enough for an attacker to gain access.
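    The IOC search above is simple to script. The following is an added example (not Mimecast's tooling, and not part of the original notification) that refangs the published indicators, matches them against the hostnames in a URL/proxy log with subdomain awareness, and lists the users whose requests were actually allowed through and therefore need a credential reset. The IOC domains are copied from the list above (the last entry has no TLD on the page and is kept as printed); the log format and the log lines are constructed for illustration.

```python
# Added example (not Mimecast's tooling): search a URL/proxy log for the IOCs
# published in this notification. PUBLISHED_IOCS is copied from the page; the
# log format and SAMPLE_LOG lines are constructed for illustration.
import re
from urllib.parse import urlsplit

PUBLISHED_IOCS = [
    "kckcaybfelv63lh671791dc49405.mueblesnet[.]com",
    "dfo8pirl6ixxbq6671296e55b8a1.kodaa[.]lv",
    "jhfuhyjaie1a9qx67128bb6d5ce3.filsecestors-insularpoint[.]org",
    "filsecestors-insularpoint[.]org",
    "phh.filsecestors-insularpoint[.]org",
    "msd1u18s0hoj0dp670ff81742118[.]safescanlogistics",   # no TLD on the page; kept as printed
]


def refang(indicator: str) -> str:
    """Undo the usual defanging so an indicator can be compared with live log data."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def hostname_of(url: str) -> str:
    """Hostname of a URL; bare 'host/path' log entries are tolerated."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def host_matches(host: str, ioc_host: str) -> bool:
    """Exact match, or host is a subdomain of the IOC. A bare-domain IOC such as
    filsecestors-insularpoint.org therefore also catches phh.filsecestors-insularpoint.org,
    while kodaa.lv itself is NOT an IOC: only the listed subdomain is."""
    return host == ioc_host or host.endswith("." + ioc_host)


# Assumed log format: <ISO timestamp> <user> <url> <allowed|blocked>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<url>\S+)\s+(?P<action>allowed|blocked)$")

# Constructed sample log lines.
SAMPLE_LOG = """
2024-11-05T09:12:44Z alice https://phh.filsecestors-insularpoint.org/login allowed
2024-11-05T09:13:02Z alice https://login.microsoftonline.com/common/oauth2/v2.0/authorize allowed
2024-11-05T10:40:19Z bob   https://dfo8pirl6ixxbq6671296e55b8a1.kodaa.lv/index.php blocked
2024-11-05T11:02:51Z carol https://www.kodaa.lv/ allowed
"""


def find_ioc_hits(log_text: str, iocs=PUBLISHED_IOCS):
    """Return one record per log line whose hostname matches a published IOC."""
    ioc_hosts = [hostname_of(refang(i)) for i in iocs]
    hits = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue   # blank or unparseable line; a production job should count these
        host = hostname_of(m["url"])
        for ioc in ioc_hosts:
            if host_matches(host, ioc):
                hits.append({"ts": m["ts"], "user": m["user"], "host": host,
                             "ioc": ioc, "action": m["action"]})
                break
    return hits


def users_to_reset(hits):
    """Users whose request actually reached the phishing host: reset their
    credentials and revoke sessions. A blocked request is a near miss that
    still merits a conversation with the user, but not a forced reset."""
    return sorted({h["user"] for h in hits if h["action"] == "allowed"})


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["user"]:<6} {h["action"]:<7} {h["host"]}  (matched {h["ioc"]})')
    print("reset credentials for:", users_to_reset(found))
```

    Matching on the hostname rather than the full URL is deliberate: the first label of these IOCs is a long random token that the attacker can rotate, so the parent domains are the more durable part of the indicator. Adapt `LOG_LINE` to your proxy or email-security export before running it against real data.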