Threat Actors Customize URLs to Avoid Detection

5 Oct

Threat actors have many ways to avoid being detected. Today, let’s look at how they tweak URLs to bypass firewall rules—and what you can do to stop them from succeeding.

By combining various components of Uniform Resource Locators (URLs) with certain methods of encoding and obfuscation, OLE Object Relationships can be abused to download malicious content while evading many forms of both dynamic and static detection.

Because different operating systems and versions of Microsoft Office handle the URLs in these relationships differently, threat actors can craft URLs that a single static firewall rule cannot easily detect across all of those systems. These differences in handling can allow malicious content to be loaded without the victim's consent or knowledge.
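As an added example (not code from the original post), here is a defender-side check that reads an OOXML relationships part, keeps only external OLE object relationships, and canonicalizes each Target URL so that differently spelled references to the same resource compare equal before they are matched against a block list. The sample .rels content and the host names are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit, unquote, quote

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
            "relationships/oleObject")

# Constructed document.xml.rels: rId1 and rId2 point at the same external
# object spelled two ways; rId3 is an embedded (internal) object.
SAMPLE_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_TYPE}" TargetMode="External"
    Target="HTTP://Example.test:80/payload/../files/%6Fbj.bin"/>
  <Relationship Id="rId2" Type="{OLE_TYPE}" TargetMode="External"
    Target="http://example.test/files/obj.bin"/>
  <Relationship Id="rId3" Type="{OLE_TYPE}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""

def canonicalize_url(url: str) -> str:
    """Return an RFC 3986 style normalized form of url for comparison."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()          # excludes userinfo and port
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    # Decode then re-encode so "%6F" and "o" compare equal while characters
    # that must stay escaped are escaped again.
    path = quote(unquote(parts.path), safe="/")
    # Collapse "." and ".." segments; keep the leading empty segment (the "/").
    segments = []
    for seg in path.split("/"):
        if seg == "..":
            if len(segments) > 1:
                segments.pop()
        elif seg != ".":
            segments.append(seg)
    path = "/".join(segments) or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))

def external_ole_targets(rels_xml: str) -> list:
    """(Id, canonical URL) for every external OLE object relationship."""
    root = ET.fromstring(rels_xml)
    found = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") == OLE_TYPE and rel.get("TargetMode") == "External":
            found.append((rel.get("Id"), canonicalize_url(rel.get("Target", ""))))
    return found

def flagged_relationships(rels_xml: str, blocked_hosts: set) -> list:
    """Ids whose canonical target host is on the block list."""
    return [rid for rid, url in external_ole_targets(rels_xml)
            if urlsplit(url).hostname in blocked_hosts]
```

Applying the same canonical form on both the rule and the document means one rule covers the spelling variants that different Office versions would otherwise resolve inconsistently.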