The Phish That SOAR Missed: Why Modern Attacks Slip Through

Traditional SOAR (Security Orchestration, Automation, and Response) platforms often miss modern phishing attacks because their reliance on pre-determined playbooks and static rules makes them inflexible against rapidly evolving threats. Attackers exploit this rigidity by increasingly leveraging legitimate services like OneDrive and PowerBI to host malicious links, masking their true intent and bypassing SOAR's signature-based and reputation-focused detections. In contrast, AI SOC Analyst platforms are inherently more adaptable and goal-driven, utilizing advanced machine learning and behavioral analytics to automatically adjust investigation techniques and identify subtle anomalies that don't fit known patterns. By intelligently correlating diverse data and automatically investigating links embedded within the legitimate website's context, Culminate's AI SOC Analyst can effectively handle incomplete or ambiguous information, proactively detecting sophisticated phishing campaigns that intentionally evade conventional defenses.
Greg Rudman
July 2, 2025


The Problem:

Advanced phishing attacks pose a significant and growing problem for cybersecurity defenses, primarily due to their sophisticated evasion techniques. A key strategy employed by threat actors is the abuse of legitimate, widely trusted online services such as Microsoft PowerBI and OneDrive to host or embed malicious URLs. Instead of sending emails with obviously suspicious links or attachments, attackers craft highly convincing messages that appear to originate from these reputable platforms. Users, accustomed to legitimate shared documents or reports from OneDrive and PowerBI, are far more likely to click on these links without suspicion, believing they are interacting with a safe and familiar service.

The effectiveness of this tactic lies in its ability to bypass conventional security measures. Threat intelligence platforms like URLScan.io and VirusTotal, while invaluable for analyzing known threats, often struggle to identify the malicious nature of URLs embedded within these legitimate services. This is because the initial URL itself points to a genuine, reputable domain, which these tools naturally whitelist. The actual malicious payload or redirect may only activate after a series of clicks or user interactions within the seemingly legitimate environment, making it difficult for automated analysis to flag it as malicious. This results in the malicious link not triggering phishing flags on these critical threat intelligence sites.

This lack of detection by leading threat intelligence sources creates a critical blind spot for SOAR platforms. SOAR platforms like Splunk SOAR and Swimlane heavily rely on aggregated threat intelligence feeds and reputation scores to automate their responses. If a URL originating from OneDrive or PowerBI, even if it leads to a phishing site, isn't flagged by these intelligence sources, the SOAR platform will likely classify it as benign. This allows advanced phishing campaigns to slip through enterprise defenses, bypassing email filters, endpoint protection, and even the automated incident response capabilities of SOAR, ultimately putting organizations and their sensitive data at severe risk.

What do these attacks look like?

This email, at first glance, seems innocuous, purporting to be from HR and simply discussing company policy updates. There's a notable absence of urgency, no pressing call to action, and nothing within its tone or content that would immediately compel a user to click the embedded link. In fact, most recipients might well overlook it or save it for later, given its seemingly mundane subject matter. However, this very lack of obvious red flags is precisely what makes it a clever piece of social engineering. It's designed to blend seamlessly into the everyday flow of corporate communications, disarming a user's natural skepticism.


But what truly hides behind this seemingly benign communication? A closer look at the embedded URL reveals its true nature: https://app.powerbi[.]com/view?r=eyJrIjoiZTZjZmE0ZGMtNzM2YS00ZGZkLWFjNGYtM2Y2MWE3OTdjMTdmIiwidCI6IjcxOGNiYTc5LTYzNTAtNDMyZS04YjYwLTk2MDFiM2VhNDNiYSJ9. This isn't just any link; it points directly to PowerBI.com, a legitimate and widely trusted Microsoft service. This use of a reputable domain is a hallmark of advanced phishing, allowing the email to bypass many traditional security filters that are set to trust such well-known services. The attackers are banking on the user's familiarity and trust in Microsoft's ecosystem to overlook the subtle clues and proceed without hesitation.



Despite its deceptive nature, traditional security scanning tools would likely classify this PowerBI URL as completely benign, showing no signs of malicious intent. This is where the sophisticated nature of these attacks truly shines, or rather, where our defenses often fail. Because the link points to a legitimate and trusted Microsoft domain, most SOAR platforms would halt their investigation right here. Their automated playbooks, designed to flag known threats and suspicious domains, wouldn't find anything amiss. The incident would likely be closed as a non-malicious email, leaving your organization vulnerable and completely unaware that a meticulously crafted phishing attempt has just bypassed its defenses, waiting for an unsuspecting employee to take the bait.


The true danger of this attack, however, lies in its stealth, cleverly concealed within the webpage itself, a threat often undiscovered by traditional URL analysis technologies like URLScan.io. While these services might confirm the initial PowerBI link is legitimate, they often fail to peer deep enough into the page's structure to uncover subsequent malicious elements. This is precisely where advanced analysis becomes critical. By meticulously examining the Document Object Model (DOM) – essentially the webpage's underlying code and structure – we can reveal the true, hidden threat. This deeper inspection allows us to identify obfuscated redirects, dynamically loaded content, or embedded scripts that are designed to activate only after the initial trusted page loads, leading unsuspecting users to a malicious destination that remains invisible to surface-level scans.


Here, we can observe the malicious URL: https://d1r3ctdji3[.]katlwilsonbrosroofing.com/lms/?id=u001.M-2FdhhWE-2FDC5bUji9o7CbSHVvPlBg2-2BTY3NXIjENpYZ0zez0CLwi87qYO5AJe-2F3ZtiemS-2FGpEAM0F4mo-2BUKA2WSjnqyAlrRuMDXc2pnVqQj4-3Dsl0p_6-2BBKni6sDtwyUScw4c6eaU01ZNy6CRjJPKj1znDC5DpJ-2BeWUO51dZM2A6ViCeNzBZAunzZ66qgBrAUJiY8oh-2BlyCq4Vjnosk2OUwXeVhfs0D-2FlTwLU3fetwkQNZUo1uqPvI8-2FngKE72Wxre0IdPSEXV-2B27u61R9qrihYWCC-2BV1Wc-2FPlzFRVVsIMzRHxGBqJFiwxVGIlKLLoQy7Aw9NG2E8pAp82fuKyJ8798654AwZaw7Mralffy-2BwhOBer8T-2F0HzRY8kkcVm2EWYgrLG3EN-2BD02h474piugEwoTWJV-2Fw-2FYHnAZ72JWYDAOyBXOtk8mXZgrr8hvt7A3iYK6BA07R4Jw-3D-3D

Leveraging this deep DOM analysis, our advanced security platforms finally uncover the true objective: a sophisticated credential harvester intricately woven into the seemingly benign webpage. This malicious component is designed to trick users into entering their login information, which is then immediately stolen by attackers. This is where traditional detection methods, including most automated scanners, consistently fall short, as they lack the capability to peer beyond the surface and identify these hidden mechanisms. The ability to automatically deconstruct the page and trace the true origin of embedded forms is what allows these advanced platforms to catch what remains otherwise invisible.

How can Culminate help?

This is exactly where Culminate’s AI SOC Analyst platform shines. Unlike rigid, playbook-dependent SOAR solutions that often miss this kind of attack, Culminate is built for flexible, adaptive threat detection. It doesn't stop at the first link; it automatically dives into suspicious webpages, even when they're hosted on trusted services like PowerBI or OneDrive. What makes this work is its ability to read the entire Document Object Model (DOM) of a webpage. Think of it as taking apart the webpage's blueprint to find every hidden link, script, and piece of dynamic content. This lets Culminate pinpoint any "stand-out" URLs, no matter how well they're camouflaged. From there, it automatically kicks off new, focused investigations on those potentially malicious domains, giving you a complete picture and response capability that older systems can't match. Culminate's AI SOC Analyst is constantly learning and adapting, so it isn't stuck on old rules; it continually refines its understanding of new threats, so your defenses evolve as quickly as the attackers do.
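To make the contrast between a reputation-only playbook and DOM inspection concrete (both the "stop at the first link" failure described under "What do these attacks look like?" and the "stand-out URL" inspection described above), here is an added example. It is not Culminate's code and not any SOAR product's playbook: it parses a page's markup, collects every URL-bearing element (anchors, iframes, scripts, form actions, meta refreshes), and returns those whose registrable domain differs from the hosting page's as candidates for their own investigation. The allowlist, the sample page, and the harvester domain `lms.example-harvester.test` are constructed placeholders, and `registrable_domain` uses a last-two-labels approximation instead of the Public Suffix List.

```python
"""Triage a URL hosted on a trusted service two ways: a reputation-only
verdict on the first hop, and DOM inspection for "stand-out" origins.

Constructed example; the allowlist, sample HTML and domains are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts a reputation-focused playbook would treat as benign (assumed allowlist).
TRUSTED_HOSTS = {"app.powerbi.com", "onedrive.live.com"}


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels. Fine for this demo; a real
    implementation should consult the Public Suffix List (co.uk etc.)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def reputation_verdict(url: str) -> str:
    """What a reputation-only playbook does: judge the first hop's host only."""
    host = urlparse(url).hostname or ""
    return "benign" if host in TRUSTED_HOSTS else "needs_review"


class OriginCollector(HTMLParser):
    """Collect (element, absolute URL) for every URL-bearing attribute, so
    form actions and hidden iframes are visible alongside ordinary links."""
    URL_ATTRS = {"a": "href", "iframe": "src", "script": "src",
                 "form": "action", "img": "src"}

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.refs: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta":
            # <meta http-equiv="refresh" content="0; url=..."> is a redirect
            if (attrs.get("http-equiv") or "").lower() != "refresh":
                return
            content = attrs.get("content") or ""
            idx = content.lower().find("url=")
            if idx >= 0:
                target = content[idx + 4:].strip()
                self.refs.append(("meta-refresh", urljoin(self.base_url, target)))
            return
        name = self.URL_ATTRS.get(tag)
        value = attrs.get(name) if name else None
        if value and not value.lower().startswith("javascript:"):
            self.refs.append((tag, urljoin(self.base_url, value)))


def stand_out_urls(page_url: str, html: str) -> list[tuple[str, str]]:
    """DOM references whose registrable domain differs from the hosting
    page's. Each one is a candidate for a separate investigation."""
    base = registrable_domain(urlparse(page_url).hostname or "")
    collector = OriginCollector(page_url)
    collector.feed(html)
    found = []
    for element, url in collector.refs:
        host = urlparse(url).hostname  # None for mailto:, data:, etc.
        if host and registrable_domain(host) != base:
            found.append((element, url))
    return found


def triage(page_url: str, html: str) -> tuple[str, list[tuple[str, str]]]:
    """Reputation first; if the DOM points off-domain, escalate instead."""
    findings = stand_out_urls(page_url, html)
    if not findings:
        return reputation_verdict(page_url), []
    return "suspicious", findings


# Constructed sample: a report-like page on the trusted host whose DOM carries
# a hidden iframe and a login form posting to an unrelated domain.
SAMPLE_URL = "https://app.powerbi.com/view?r=REPORT_ID_PLACEHOLDER"
SAMPLE_HTML = """
<html><head>
  <meta http-equiv="refresh" content="5; url=/view?r=REPORT_ID_PLACEHOLDER">
</head><body>
  <script src="https://app.powerbi.com/static/app.js"></script>
  <img src="/static/logo.png">
  <a href="https://docs.microsoft.com/help">Help</a>
  <iframe style="display:none" src="https://lms.example-harvester.test/lms/?id=OPAQUE_TOKEN"></iframe>
  <form action="https://lms.example-harvester.test/lms/login" method="post">
    <input name="user"><input name="pass" type="password">
  </form>
</body></html>
"""

if __name__ == "__main__":
    print("reputation-only verdict:", reputation_verdict(SAMPLE_URL))
    verdict, findings = triage(SAMPLE_URL, SAMPLE_HTML)
    print("with DOM inspection:    ", verdict)
    for element, url in findings:
        print(f"  {element:<8} {url}")
```

The returned list is triage input, not a verdict: the help link to another well-known domain surfaces alongside the credential form, so downstream logic should weight form actions, hidden iframes and meta refreshes above plain anchors, and run each new domain through its own reputation and content checks rather than closing the case on the first hop.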
