Take a Product Tour Request a Demo Cybersecurity Assessment Contact Us


The latest cybersecurity trends, best practices, security vulnerabilities, and more

Saints Turned Evil

Saints turned evil
(Attribution at the Bottom)

As technology advances, attackers are constantly developing new evasion mechanisms to bypass security products and stay one step ahead of security vendors and their products. We have seen various types of evasion mechanisms employed by attackers in recent years.


  • Geofencing, where a URL serves malicious content only when accessed from the target country or region, while remaining legitimate or providing no content to users from other countries.
  • Captcha to bypass automated crawling thus restricting analysis of URL payload by security products.
  • IP evasion, where attackers blacklist the public IPs of specific services or organizations. By doing so, they ensure that their phishing or malicious payload is not served when requests come from those blacklisted IPs. This approach effectively blocks the analysis of URLs by security products.
  • QR codes serve phishing attacks as discussed in our recent blog, since QR code hides the embedded payload, it evades detection from traditional email security products thus bypassing them.

Trellix Email security has recently discovered a novel evasion tactic. In this method, attackers aim to deceive the caching mechanism of security products. Their strategy involves caching a seemingly benign version of the attack vector and subsequently altering it to deliver a malicious payload.

What is caching?

In simple terms, caching involves temporarily storing the result for an input element. When that same input comes in again, the stored result is swiftly retrieved, cutting down on time and processing costs. Security Products frequently use caching to boost speed and efficiency. So, when a URL gets scanned, the result is stored and cached for a set time. If the same URL is checked within the pre-set time frame, the security product doesn't reprocess it — it just serves up the stored result.

Attack flow

Phase 1

The attack begins with the targeted individual receiving an email containing a Call To Action (CTA) URL, guiding them to a website or document containing an additional link or button. Our researchers have noted a recurring pattern where attackers often employ OneDrive Document URLs as CTA URLs. This choice is attributed to the sense of trust added by the reputation of Microsoft owned domain.

Figure-1: Phishing email containing OneDrive CTA URL
Figure-1: Phishing email containing OneDrive CTA URL

Phase 2

In the second phase, the Security Engine checks the CTA URL. This URL has a link/button that leads to well-known and harmless sites like google.com or microsoft.com. Since there's nothing suspicious about a URL linking to such trusted sites, the security engines label the CTA URL as safe and save this verdict in their cache.

Figure-2: The CTA URL leading to a One Note document
Figure-2: The CTA URL leading to a One Note document

Figure-3: The hyperlink inside One Note page leading to a trusted website
Figure-3: The hyperlink inside One Note page leading to a trusted website

Phase 3

In the third phase, the attackers wait for security vendors to process the CTA URL and cache their verdict. Once this happens, the attackers make their move: they tweak the link/button on the CTA URL. The link which was earlier leading to trusted websites, now redirects to the actual malicious page.

Figure-4: One Note page with modified phishing hyperlink
Figure-4: One Note page with modified phishing hyperlink

Since the page was initially cached as benign after the first scan by security vendors, until the cache period expires, every encounter with the same CTA URL prompts the security engine to consistently return a benign verdict stored in the cache.

With the verdict being benign, the email smoothly lands in the victim's inbox. Now, should the unsuspecting recipient decide to open the email and click on the link/button within the CTA URL, they would be redirected to the malicious page.

Figure-5: The Final Phishing Page
Figure-5: The Final Phishing Page

Figure-6: When CTA URL is scanned the first time
Figure-6: When CTA URL is scanned the first time
(Attribution at the Bottom)

Figure-7: When CTA URL is scanned the next time
Figure-7: When CTA URL is scanned the next time
(Attribution at the Bottom)

Trellix email security

Trellix Email Security performs force analysis of CTA URL at the time of user interaction, hence it sees the phishing URL embedded into the CTA URL, thus detecting the phishing URL. Consequently, any detected phishing URLs are instantaneously blocked, preventing the user from accessing potentially harmful content. Moreover, a protective block page is presented to the user, ensuring the safety of both the individual and the organization.

Trellix email security telemetry

We have witnessed these attacks occurring on a large scale rather than being aimed at specific customers, regions, or industries. Instead, they have encompassed various regions and industries. The following diagrams depict the impact of this attack on various industries and countries.

Figure-8: Targeted Industry distribution
Figure-8: Targeted Industry distribution

Figure-9: Targeted Country distribution
Figure-9: Targeted Country distribution

Indicators of Compromise (IOC)




[EXT] Stadex/Offerte nr. 20233054 dd. 25/07/23
Invoice 7027 re Work
ORDER 04-02102016.0
ORDINE /Re: richiesta di offerta
R: [EXT] R: Richiesta d'offerta per K350
richiesta vs offerta

Trellix product protections

The following is a subset of the Trellix Security detections that have been observed for the ongoing campaigns:

Trellix Email Security


In summary, we have observed that attackers have devised an innovative method of evading security products by targeting their architecture and design to carry out successful attacks. However, thanks to Trellix email security's force scanning of URLs during user interaction, altered phishing links are swiftly identified and detected. As a result, this novel evasion technique is effectively mitigated, ensuring the protection of our valued customers.


We would like to give proper credit and recognition to the various elements that have contributed to the content of this blog. The following list outlines the attributions for these elements:



We sincerely appreciate the contributions of these elements to our blog and acknowledge the importance of giving credit where it's due. Should there be any concerns regarding attributions or if corrections are needed, please don't hesitate to contact us. Your understanding and support are greatly valued.

This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers.

Get the latest

We’re no strangers to cybersecurity. But we are a new company.
Stay up to date as we evolve.

Please enter a valid email address.

Zero spam. Unsubscribe at any time.