urlscan.io logo urlscan.io
SecurityTrails logo

www.zscaler.com Open in urlscan Pro
2606:4700::6812:1c4a  Public Scan

Back to summary
Submitted URL: https://zscaler.voicestorm.com/Article/Redirect/edbdb713-d9b8-4aa6-9987-c4c1d8a0dc6a?uc=11264&g=4e214a83-16b2-4d4b-b897-d0d5719...
Effective URL: https://www.zscaler.com/blogs/security-research/new-phishing-trends-and-evasion-techniques
Submission: On May 24 via api from US — Scanned from DE

Form analysis 5 forms found in the DOM

<form class="topSearch_searchInputWrapper__n8dSG"><input type="text" name="query" class="topSearch_searchInput__E0Bk3  bg-none" placeholder="What are you looking for?" aria-label="What are you looking for?" aria-hidden="true" tabindex="-1" value="">
</form>

<form class="marketoForm_root__Wkgni marketoForm_variant_cta_module__IwKzs mktoForm mktoHasWidth mktoLayoutLeft" id="mktoForm_7971"
  style="opacity: 100; font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); width: 1601px;" novalidate="novalidate">
  <style type="text/css">
    .mktoForm .mktoButtonWrap.mktoRound .mktoButton {
      color: #fff;
      border: 1px solid #a3bee2;
      -webkit-border-radius: 5px;
      -moz-border-radius: 5px;
      border-radius: 5px;
      background-color: #779dd5;
      background-image: -webkit-gradient(linear, left top, left bottom, from(#779dd5), to(#5186cb));
      background-image: -webkit-linear-gradient(top, #779dd5, #5186cb);
      background-image: -moz-linear-gradient(top, #779dd5, #5186cb);
      background-image: linear-gradient(to bottom, #779dd5, #5186cb);
      padding: 0.4em 1em;
      font-size: 1em;
    }

    .mktoForm .mktoButtonWrap.mktoRound .mktoButton:hover {
      border: 1px solid #45638c;
    }

    .mktoForm .mktoButtonWrap.mktoRound .mktoButton:focus {
      outline: none;
      border: 1px solid #45638c;
    }

    .mktoForm .mktoButtonWrap.mktoRound .mktoButton:active {
      background-color: #5186cb;
      background-image: -webkit-gradient(linear, left top, left bottom, from(#5186cb), to(#779dd5));
      background-image: -webkit-linear-gradient(top, #5186cb, #779dd5);
      background-image: -moz-linear-gradient(top, #5186cb, #779dd5);
      background-image: linear-gradient(to bottom, #5186cb, #779dd5);
    }
  </style>
  <div class="mktoFormRow">
    <div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 10px;">
      <div class="mktoOffset" style="width: 10px;"></div>
      <div class="mktoFieldWrap mktoRequiredField"><label for="Email_7971" id="LblEmail_7971" class="mktoLabel mktoHasWidth" style="width: 0px;">
          <div class="mktoAsterix">*</div>
        </label>
        <div class="mktoGutter mktoHasWidth" style="width: 10px;"></div><input id="Email_7971" name="Email" placeholder="Email Address" maxlength="255" aria-labelledby="LblEmail_7971 InstructEmail_7971" type="email"
          class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 250px;" aria-label="Enter email"><span id="InstructEmail_7971" tabindex="-1" class="mktoInstruction"></span>
        <div class="mktoClear"></div>
      </div>
      <div class="mktoClear"></div>
    </div>
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="subBlog" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Single_OptIn_IP_Address__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Campaign_Type__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Campaign_Theme__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="newFirstName" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Google_Click_Id__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Campaign_Medium__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Campaign_Source__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoButtonRow"><span class="mktoButtonWrap mktoRound" style="margin-left: 120px;"><button type="submit" class="mktoButton">Subscribe</button></span></div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor"
    value="7971" placeholder=""><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="306-ZEJ-256" placeholder=""><input type="hidden" name="LeadSource" class="mktoField mktoFieldDescriptor" value="Website Direct"
    placeholder=""><input type="hidden" name="Lead_Source_Type__c" class="mktoField mktoFieldDescriptor" value="Website" placeholder=""><input type="hidden" name="Lead_Source_Detail__c" class="mktoField mktoFieldDescriptor" value=""
    placeholder=""><input type="hidden" name="Lead_Source_Recent__c" class="mktoField mktoFieldDescriptor" value="" placeholder=""><input type="hidden" name="Campaign_Content__c" class="mktoField mktoFieldDescriptor" value="" placeholder=""><input
    type="hidden" name="Campaign_ID__c" class="mktoField mktoFieldDescriptor" value="" placeholder=""><input type="hidden" name="Campaign_Term__c" class="mktoField mktoFieldDescriptor" value="" placeholder="">
</form>

<form class="marketoForm_root__Wkgni marketoForm_variant_footer__jwLCq mktoForm mktoHasWidth mktoLayoutLeft" id="mktoForm_1944" style="opacity: 100; font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); width: 1601px;"
  novalidate="novalidate">
  <style type="text/css">
    .mktoForm .mktoButtonWrap.mktoRound .mktoButton {
      color: #fff;
      border: 1px solid #a3bee2;
      -webkit-border-radius: 5px;
      -moz-border-radius: 5px;
      border-radius: 5px;
      background-color: #779dd5;
      background-image: -webkit-gradient(linear, left top, left bottom, from(#779dd5), to(#5186cb));
      background-image: -webkit-linear-gradient(top, #779dd5, #5186cb);
      background-image: -moz-linear-gradient(top, #779dd5, #5186cb);
      background-image: linear-gradient(to bottom, #779dd5, #5186cb);
      padding: 0.4em 1em;
      font-size: 1em;
    }

    .mktoForm .mktoButtonWrap.mktoRound .mktoButton:hover {
      border: 1px solid #45638c;
    }

    .mktoForm .mktoButtonWrap.mktoRound .mktoButton:focus {
      outline: none;
      border: 1px solid #45638c;
    }

    .mktoForm .mktoButtonWrap.mktoRound .mktoButton:active {
      background-color: #5186cb;
      background-image: -webkit-gradient(linear, left top, left bottom, from(#5186cb), to(#779dd5));
      background-image: -webkit-linear-gradient(top, #5186cb, #779dd5);
      background-image: -moz-linear-gradient(top, #5186cb, #779dd5);
      background-image: linear-gradient(to bottom, #5186cb, #779dd5);
    }
  </style>
  <div class="mktoFormRow">
    <div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 10px;">
      <div class="mktoOffset" style="width: 10px;"></div>
      <div class="mktoFieldWrap mktoRequiredField"><label for="Email_1944" id="LblEmail_1944" class="mktoLabel mktoHasWidth" style="width: 0px;">
          <div class="mktoAsterix">*</div>
        </label>
        <div class="mktoGutter mktoHasWidth" style="width: 10px;"></div><input id="Email_1944" name="Email" placeholder="Please enter your email to subscribe" maxlength="255" aria-labelledby="LblEmail_1944 InstructEmail_1944" type="email"
          class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 250px;" aria-label="Enter email"><span id="InstructEmail_1944" tabindex="-1" class="mktoInstruction"></span>
        <div class="mktoClear"></div>
      </div>
      <div class="mktoClear"></div>
    </div>
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="subBlog" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Single_OptIn_IP_Address__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Campaign_Type__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Campaign_Theme__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="newFirstName" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Google_Click_Id__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Campaign_Medium__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Campaign_Source__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 10px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoButtonRow"><span class="mktoButtonWrap mktoRound" style="margin-left: 120px;"><button type="submit" class="mktoButton">Subscribe</button></span></div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor"
    value="1944" placeholder=""><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="306-ZEJ-256" placeholder=""><input type="hidden" name="LeadSource" class="mktoField mktoFieldDescriptor" value="Website Direct"
    placeholder=""><input type="hidden" name="Lead_Source_Type__c" class="mktoField mktoFieldDescriptor" value="Website" placeholder=""><input type="hidden" name="Lead_Source_Detail__c" class="mktoField mktoFieldDescriptor" value=""
    placeholder=""><input type="hidden" name="Lead_Source_Recent__c" class="mktoField mktoFieldDescriptor" value="" placeholder=""><input type="hidden" name="Campaign_Content__c" class="mktoField mktoFieldDescriptor" value="" placeholder=""><input
    type="hidden" name="Campaign_ID__c" class="mktoField mktoFieldDescriptor" value="" placeholder=""><input type="hidden" name="Campaign_Term__c" class="mktoField mktoFieldDescriptor" value="" placeholder="">
</form>

<form class="marketoForm_root__Wkgni marketoForm_variant_cta_module__IwKzs mktoForm mktoHasWidth mktoLayoutLeft"
  style="opacity: 0; font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;" novalidate="novalidate"></form>

<form class="marketoForm_root__Wkgni marketoForm_variant_footer__jwLCq mktoForm mktoHasWidth mktoLayoutLeft"
  style="opacity: 0; font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;" novalidate="novalidate"></form>

Text Content

___

This site uses JavaScript to provide a number of functions, to use this site
please enable JavaScript in your browser.
Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of
Zscaler’s special offer today
Read more
Close
OpenSearch
CXO REvolutionariesCareersPartnersSupport
ShowContact UsOptions
Get in touch1-408-533-0288Chat with us
ShowSign InOptions
Zscaler Cloud Portal | AdminZscaler Cloud Portal One | AdminZscaler Cloud Portal
Two | AdminZscaler Cloud Portal Three | AdminZscaler Cloud Portal Beta |
Adminadmin.zscloud.netZscaler Private Access Sign-In

Home
The Zscaler ExperienceProducts & SolutionsPlatformResourcesCompany
Request a demoopen search
open navigation
The Zscaler Experience

Zscaler: A Leader in the 2024 Gartner® Magic Quadrant™ for Security Service Edge
(SSE)

Get the full report

Your world, secured

Experience the transformative power of zero trust.



The Zscaler Difference

The Zscaler Difference
Experience the World’s Largest Security Cloud
Customer Success Stories
Analyst Recognition
Machine Learning and AI at Zscaler
Reduce Your Carbon Footprint

Zero Trust Fundamentals

Zero Trust Fundamentals
What Is Zero Trust?
What Is Security Service Edge (SSE)?
What Is Zero Trust Network Access (ZTNA)?
What Is Secure Web Gateway (SWG)?
What Is Cloud Access Security Broker (CASB)?
What Is Secure Access Service Edge (SASE)?
What is Data Security Posture Management (DSPM)?
Zero Trust Resources
Products & Solutions
Secure Your Users

Provide users with seamless, secure, reliable access to applications and data.


Secure Your Workloads

Build and run secure cloud apps, enable zero trust cloud connectivity, and
protect workloads from data center to cloud.


Secure Your IoT and OT

Provide zero trust connectivity for IoT and OT devices and secure remote access
to OT systems.




Products

Products

Transform your organization with 100% cloud native services

Secure Internet Access (ZIA)
Secure Private Access (ZPA)
Digital Experience (ZDX)
Data Protection (CASB/DLP)

Solution Areas

Solution Areas

Propel your business with zero trust solutions that secure and connect your
resources

Cyberthreat Protection
Data Protection
Zero Trust Networking
Business Analytics
VPN Alternative
Zero Trust SASE
Accelerate M&A Integration
Optimize Digital Experiences
Zero Trust SD-WAN
Zero Trust Cloud Connectivity
Zero Trust for IoT/OT
Data Security Posture Management (DSPM)
Find a Product or Solution
Partner IntegrationsIndustry and Market Solutions
Platform
Zero Trust Exchange Platform

Learn how Zscaler delivers zero trust with a cloud native platform that is the
world’s largest security cloud

Zero Trust Exchange PlatformTitle Link


Transform with Zero Trust Architecture

Transform with Zero Trust Architecture

Propel your transformation journey

Secure Digital Transformation
Application Transformation
Network Transformation
Security Transformation

Secure Your Business Goals

Secure Your Business Goals

Achieve your business and IT initiatives

Ensure Secure Business Continuity
Accelerate M&A and Divestitures
Recession-Proof Your Enterprise
Secure Your Hybrid Workforce
Download Zscaler Client Connector
Resources
Learn, connect, and get support.

Explore tools and resources to accelerate your transformation and secure your
world

Learn, connect, and get support.Title Link

Amplifying the voices of real-world digital and zero trust pioneers

Visit now


Resource Center

Resource Center

Stay up to date on best practices

Resource Library
Blog
Customer Success Stories
Webinars
Zpedia

Events & Trainings

Events & Trainings

Find programs, certifications, and events

Upcoming Events
Zenith Live
Zscaler Academy

Security Research & Services

Security Research & Services

Get research and insights at your fingertips

ThreatLabz Analytics

Tools

Tools

Tools designed for you

Security Preview
Threat Assessment Tools
Security Advisory Updates
Disclose a Vulnerability
Executive Insights App
Ransomware Protection ROI Calculator

Community & Support

Community & Support

Connect and find support

Customer Success Center
Zenith Community
CXO REvolutionaries
Zscaler Help Portal
Explore the latest Zscaler Innovations

Industry & Market Solutions

Industry & Market Solutions

See solutions for your industry and country

Public Sector
Healthcare
Financial Services
Education
See all

Resource Center

Resource Center

Stay up to date on best practices

Resource Library
Blog
Customer Success Stories
Webinars
Zpedia

Events & Trainings

Events & Trainings

Find programs, certifications, and events

Upcoming Events
Zenith Live
Zscaler Academy

Security Research & Services

Security Research & Services

Get research and insights at your fingertips

ThreatLabz Analytics

Tools

Tools

Tools designed for you

Security Preview
Threat Assessment Tools
Security Advisory Updates
Disclose a Vulnerability
Executive Insights App
Ransomware Protection ROI Calculator

Community & Support

Community & Support

Connect and find support

Customer Success Center
Zenith Community
CXO REvolutionaries
Zscaler Help Portal
Explore the latest Zscaler Innovations

Industry & Market Solutions

Industry & Market Solutions

See solutions for your industry and country

Public Sector
Healthcare
Financial Services
Education
See all
Company
About Zscaler

Discover how it began and where it’s going

Partners

Meet our partners and explore system integrators and technology alliances

News & Announcements

Stay up to date with the latest news

Leadership Team

Meet our management team

Partner Integrations

Partner Integrations

Investor Relations

See news, stock information, and quarterly reports

Environmental, Social & Governance

Learn about our ESG approach

Careers

Join our mission

Press Center

Find everything you need to cover Zscaler

Compliance

Understand our adherence to rigorous standards

Zenith Ventures

Understand our adherence to rigorous standards

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research


NEW PHISHING TRENDS AND EVASION TECHNIQUES

KAIVALYA KHURSALE
January 15, 2021 - 15 min read



Security Insights


Contents

 1. Article
 2. More blogs

Copy URL
Copy URL


Zscaler ThreatLabz researchers recently came across multiple phishing campaigns
using novel obfuscation and evasion techniques. In this blog, we will present an
analysis of four phishing campaigns and the various obfuscation methods used in
each, also describing some of the tools the attackers used to obfuscate their
JavaScript code. 

JavaScript is a powerful, flexible, and popular scripting language used in
numerous web applications. There are many packers and obfuscators available to
reduce the size of the JavaScript code, to hide business logic, and make the
source code unreadable, and attackers also take advantage of these tools.   

Why obfuscate?

Each day, security engines are becoming smarter, using machine learning,
heuristics, image recognition, and other innovations to detect phishing attacks.
In parallel, attackers are applying new and sophisticated techniques for evading
detection, including the use of obfuscation and by hosting phishing content on
trusted providers such as Google hosting domains. The main purpose of code
obfuscation is to protect exposed code by making it extremely hard to decipher
and understand, but obfuscation is also heavily used to bypass automated URL
analysis engines which prolongs the malware’s survival. Obfuscation tools are
also used by many legitimate websites to prevent their code from analysis and
theft.
 


PHISHING CAMPAIGN 1:

This campaign is sophisticated, as demonstrated by the well-designed phishing
pages that are difficult to distinguish from legitimate pages. The attackers
used the latest tactics to evade detection from signature-based scan engines,
with most of the JavaScript code being obfuscated.

URL: tawooos[.]com/commonn/login/?code=<Mail ID>



Figure 1: Microsoft login phishing page

Obfuscated part of source code

The tool used to obfuscate is JavaScript Obfuscator 4.3. It's readily available
on multiple free software download sites. In Figure 2, the portion highlighted
in red is the function that performs the deobfuscation and the portion
highlighted in blue is an argument to that function. You can see that there are
many backquotes in the source code (highlighted in yellow). This function
removes the backquotes and decodes the rest of the data and returns the decoded
code.



Figure 2: Microsoft login phishing page source code

Deobfuscated source code

A few keywords in the source code are highlighted below. The presence of all of
these keywords together can be used to flag this page as phishing.



Figure 3: Deobfuscated source code

After sending the credentials to the command-and-control (C&C) server, the
victim gets redirected to a legitimate Microsoft site. 



Figure 4: PCAP of phishing page sending the credentials to the server

As the phishing pages are obfuscated, they are undetected by analysis engines.



Figure 5: No VT detections
 


PHISHING CAMPAIGN 2:

In this case, the entire source code has been obscured with multilayered
obfuscation. The first layer is using the Eval Execution obfuscation and Base64
encoding. All of these phishing pages were seen to be hosted on
storage.googleapis[.]com. Like Amazon Simple Storage Service (Amazon S3),
storage.googleapis[.]com is a hosting domain, used to store and access data on
Google Cloud. Many analysis engines allowlist these domains, and attackers take
advantage of the fact that these domains/IPs belong to trusted sources.

http://storage.googleapis[.]com/asmuggishly-757767673/billing.html



Figure 6: Chase Phishing page

Part of the source code is Base64 encoded, which gets decoded at runtime by
atob() and then executed by the eval() function.



Figure 7: Source code of Chase phishing page

The following is the code after one first round of deobfuscation. We can notice
that it is still heavily obfuscated and not in a readable format. This is a hex
encoding function and variable names obfuscation, in which the variable and
function names and the strings in the code are being obfuscated using
hexadecimal patterns to make the JavaScript code hard to read and detect.



Figure 8: Source code after one round of deobfuscation

After accepting the user credentials, they are sent across
to hxxps://moneysmtp[.]com/email-list/chase-nww/action.php, which is controlled
by the attacker, and then redirects the user to the legitimate Chase website.



Figure 9: PCAP of phishing page sending the credentials to the server

Below are snapshots of a few phishing pages targeting different brands using the
same multilevel obfuscation techniques.


Figure 10: Dropbox phishing page



Figure 11: Microsoft phishing page
 


PHISHING CAMPAIGN 3:

Web.app is a mobile platform used for building mobile apps hosted by Firebase,
which is Google’s mobile app platform. Under this category, all the phishing
pages are hosted on the Web.app domain and use SSL certificates issued by
Web.app. In this scenario, phishing pages are partially obfuscated by
hex-encoding variable names obfuscation, as described in the previous case.
Here, the tool that is used to obfuscate the source code is JavaScript
Obfuscator. We believe this tool is also utilized in phishing campaign 2 for
some level of obfuscation. This is a free tool and has multiple levels for
obfuscation, such as Low, Medium, and High.

The tool is available on GitHub:

https://github.com/javascript-obfuscator/javascript-obfuscator

Online version:

https://obfuscator.io/

This variant is mostly targeting Microsoft. 



Figure 12: OneDrive phishing page



Figure 13: OneDrive phishing page source code



Figure 14: Phishing page source code after deobfuscation

As we can see how the attackers are continuously abusing Google's trusted
domains, the graph below gives a peek into the number of phishing pages hosted
on storage.googleapis[.]com and *.web.app seen across the Zscaler cloud. (These
stats include all blocked transactions and are not specific to the cases in this
analysis.)



Figure 15: December 2020 blocked transactions for storage.googleapis[.]com and
*.Web.app
 


PHISHING CAMPAIGN 4:

This variant differs from the previous three cases, where the evasion technique
was JavaScript obfuscation. In this fourth scenario, attackers are using
embedded Base64 images for evasion, achieved by increasing the size of the
source code. The campaign involves adding all the required images in the source
code itself in the Base64-encoded format, to make it difficult for the
analysis engines to detect these phishing pages. Under this variant, most of the
phishing pages are hosted on compromised WordPress websites and target Microsoft
brand. 



Figure 16: Microsoft phishing page







Figure 17: Source code of Base64 encoded images

 

Zscaler has been successfully detecting and blocking all the four variants
described in this report.



Figure 18: Phishing pages seen on Zscaler cloud between Nov 2020 and Jan 2021

 

Conclusion

Phishing attacks have always been on the rise. As the security products are
upgrading their detection methodologies, attackers have also upped the ante by
evolving the way in which the phishing content is being delivered as well as
tactics being leveraged to make the phishing pages stay undetected for longer
period.

Zscaler ThreatLabz team continues to monitor these campaigns, as well as others,
to help keep our customers safe from phishing attacks.

 

Indicators of Compromise:

Campaign 1:

1solutionpbt[.]com/mpl/officev4/
3dmerchant[.]com/css/officev4/
a2zconsultant[.]com/one/officev4/
adbmedwaste[.]club/crist/audio/
aderarty[.]club/manuel/audio/
adpngo[.]in/one/officev4/
alnada-eg[.]com/common/oauth/
alphanettingsolutions[.]com/one/officev4/
alqudari[.]com/bui/
amorexigente[.]org[.]br/eni/offi/
amr[.]rmal[.]com[.]sa/sui/
annyrorse[.]com/officev4/
antliaworks[.]com/one/officev4/
aoeioanc[.]com/zimc/
aprilwight[.]com/.well-known/officev4/
ascendrsps[.]com/.well-known/officev4/
atone-health[.]co[.]uk/aaakhis/
auxczvbb[.]tk/acb/pcvbm/
bandmusicconnection[.]com/jmz/officev4/
bayfieldadvisers[.]com/omfa/
beebay[.]biz/ed/officev4/
beijingmark[.]com/asvii/aidofficev4kv0f9/
bergenintemational[.]com/omfa/
berioacn[.]com/saga/
bestdevelopers[.]in/tui/
bestsoundbases[.]com/zui/xqu/
binceste[.]com/xec/
bnet[.]russianviptravel[.]com/wap[.]secure/
breathpunch[.]com/officev4/
building-inspections[.]com/holu/mcz/
cauproviden[.]ml/common/login/
chespicac[.]com/tesd/
cheyennedormitory[.]com/officev4/
cilipadi[.]net/common/oauth/
classicnet[.]in/secure/
clougheybowlingclub[.]co[.]uk/printrecording/officev4/
coachcuz[.]com/.well-known/officev4/
comproautoschocados[.]cl/sui/
contraprova[.]com[.]br/vr/officev4/
cozmyklaw[.]com/.well-known/officev4/
cracksense[.]com/ww/lk4/
crossroadschurchjenks[.]com/cy/officev4/
dcare-eg[.]com/hols/officev4/
dealercarshare[.]com/officev44/
deskimps[.]com/delc/
domefavors[.]com/menc/
donatecaballero[.]com/common/login/
donmikia[.]uk/ches/
drivangalindo[.]com[.]br/officev4/
efimilos[.]com/officev44/
elmoprofessional[.]com/officev4/
embedinn[.]com/.well-known/officev4/
eoianac[.]com/thuc/
esbonacorp[.]pe/maz/officev4/
esquadraocelular[.]com[.]br/.well-known/officev4/
fanvironmental[.]club/dxb/audio/
fatsofleece[.]com/officev4/
fewasoc[.]com/nomac/
filmtvdb[.]net/avcnm/
firekillertech[.]com/tui/
forumwebsitehosting[.]com/tui/
friendsoftoto[.]com/incub/incub/
galaxycarcare[.]com/.well-known/officev4/
geekshub[.]com/mowa/officev4/
getyourads[.]xyz/officev4/
globalseedsindia[.]com/one/officev4/
graysmail[.]com/gkala/
gtechsoftware[.]in/.well-known/officev4/
gvihardwares[.]com/.well-known/mm/me/
healestbenefits[.]com/one/officev4/
hpma[.]in/.well-known/officev4/
husdocssl[.]ml/common/login/
ipe[.]unsa[.]edu[.]ar/richhhhh/
ipservercr[.]com/aui/
iwsas[.]com/.well-known/officev4/
janalamas[.]com/lcn/
japanesport[.]com/aa/officev4/
jataq[.]com/.well-known/officev4/
jerioanc[.]com/dasex/
jornalcorreiodovale[.]com[.]br/mcv/moz/
k9apparels[.]com/in/officev4/
kaliony[.]bootydev[.]co[.]uk/resources/vbn/tdds/
kol-voip[.]life/topt/
kontakllc[.]com/m12/muz/
lakewaydirectory[.]com/aa/officev4/
lanuevadelpueblo[.]com/.well-known/officev4/
linpelts[.]com/decx/
livademir[.]com/common/auth/
manacinema[.]com/dsd/managerssss/
mc-solutions[.]com/css/officev4/
mellifluousweb[.]net/common/oauth/
millcityingsstudios[.]icu/.well-known/officev4/
mjhs-mu[.]org/common/login/
mshdigital4u[.]com/wp-errs/officev4/
mycloudquant[.]com/common/
nationalstandardtrustsavings[.]com/in/officev4/
newbrunswickwebdesign[.]com/officev44/
nms-sy[.]com/.well-known/officev4/
nmvformacion[.]com/common/login/
nrg91[.]gr/wp-includes/pomo/wp_includesss/bodsanfr/officev4/
oamii[.]com/css/officev4/
pastryrinse[.]com/wp_includesss/officev4/
pathwaysflp[.]com/cgi/officev4/
peeschute[.]com/.well-known/officev4/
perduepavementsolutions[.]com/officev44/
phenoindia[.]com/st/officev4/
pinazindustries[.]com/common/login/
plombierhochelagamaisonneuve[.]ca/officev4/
poligamografico[.]com/.well-known/officev4/
poophawseholev[.]com/**bc34n**/
precipitateafloat[.]com/officev4/
productcreationprofit[.]com/wps/officev4/
production[.]kaplanstock[.]com/wps/officev4/
protrainservices[.]com/dapot/
pruebaeme[.]pinfo[.]co/wp-file/officev4/
pwanprime[.]com/ioui/
rajputanaonline[.]com/one/officev4/
reversespeech[.]org/database1/officev4/
riceroadssuite[.]xyz/efkvrelsziteefj/
ringacandy[.]net/wpnews/officev4/
rooftimegc[.]com/officev4/
roshanpackages[.]com[.]pk/wp-includes/wp_includess/offficees/officev4/
royalpromotion[.]ch/common/oauth/
rrssserralheria[.]com[.]br/cn/officev4/
saltacil[.]com/asiom/
samh-conglomerat[.]com/.well-known/officev4/
satnampsyllium[.]com/aa/officev4/
securemessage2020[.]net/bn/cbnzxc/
server213-171-197-190[.]live-servers[.]net/commonn/oauth/
shizzades[.]com/.well-known/officev4/
siddiquiofindia[.]com/.well-known/officev4/
sjrfood[.]com/wp-includes/pomo/wp_includes/officev4/
smartclickearn[.]com/afxcyc/
staronepestcontrol[.]co[.]in/.well-known/officev4/
summitmicrosystems[.]com/officev44/
sushiyany[.]com/ok/officev4/
tapali[.]com[.]pk/pc/officev4/
tdcpk[.]org/.well-known/officev4/
tenbellsnyc[.]com/exchange/officev4/
title5inspector[.]com/custom/officev4/
tombintery[.]com/den/
traviskidd[.]net/tui/
umcstmarks[.]org/ofc/officev4/
urinaryfoyer[.]com/officev4/
urupatopfest[.]com[.]br/epla/mzx/
vedrunapalamos[.]org/commonn/oauth/
vivirsinfronteras[.]cl/sui/
vo-icetech[.]live/topt/
volgaboutique[.]com/.well-known/officev4/
webinar[.]eventcasterindia[.]com/officev4/
webqoder[.]com/login/index[.]php
wecontainmultitudes[.]world/tui/
whizz[.]pk/.well-known/officev4/
wideneed[.]com/.well-known/officev4/
www[.]aydinlarizabe[.]com[.]tr/common/
www[.]azia[.]ca/azure/eiirffice4049/
www[.]bagstailor[.]com/jkm/
www[.]cap-cap[.]md/addon/plugin/
www[.]chitrakootdham[.]com/kip/
www[.]friss[.]com[.]ec/addin/pluggin/
www[.]fxtokeninvest[.]com/csss/0d9d0fficev40d0d/
www[.]gdsi[.]co[.]za/able/903uuisfficev4db/
www[.]gigacorp[.]com[.]ar/excel/officev4/
www[.]radiodestellosdeluz[.]com/cffm/officev4knsioe3/
www[.]teotozmaskesi[.]com/mvip/
www[.]unique-ltd[.]com/ofz/mzu/
www[.]vedantacareerforum[.]in/addin/plugins/
www[.]weblifeinfotech[.]com/.well-known/officev4/
www[.]yellowpowerghana[.]com/admin/agree/

 

Campaign 2:

storage[.]googleapis[.]com/alimli-147731386/index[.]html
storage[.]googleapis[.]com/acabouca-827409132/index[.]html
storage[.]googleapis[.]com/arecollectedly-745846914/index[.]html
storage[.]googleapis[.]com/asublaryngeal-942401075/index[.]html
storage[.]googleapis[.]com/aincogent-763500794/index[.]html
storage[.]googleapis[.]com/acurrock-418037438/index[.]html
storage[.]googleapis[.]com/aappendorontgenography-768893843/index[.]html
storage[.]googleapis[.]com/atidemark-450148136/index[.]html
storage[.]googleapis[.]com/ainsulse-944751843/index[.]html
storage[.]googleapis[.]com/agrege-856858175/index[.]html
storage[.]googleapis[.]com/anonconsciously-414681870/index[.]html
storage[.]googleapis[.]com/aabacuses-222389253/index[.]html
storage[.]googleapis[.]com/asmuggishly-757767673/billing[.]html
storage[.]googleapis[.]com/awebelos-698265298/index[.]html
storage[.]googleapis[.]com/agroover-952673710/index[.]html
storage[.]googleapis[.]com/acalibres-620331939/index[.]html
storage[.]googleapis[.]com/atranshumant-443099926/index[.]html
storage[.]googleapis[.]com/asyconia-659992695/login[.]html
storage[.]googleapis[.]com/apenfieldite-92629163/index[.]html
storage[.]googleapis[.]com/atornillos-106102152/index[.]html
storage[.]googleapis[.]com/afoveae-583108632/index[.]html
storage[.]googleapis[.]com/apapilio-458653235/stage1[.]html
storage[.]googleapis[.]com/akimchee-439724010/index[.]html
storage[.]googleapis[.]com/astrick-186905561/index[.]html
storage[.]googleapis[.]com/ahoardward-946940086/index[.]html
storage[.]googleapis[.]com/axanthones-495191651/index[.]html
storage[.]googleapis[.]com/amegilphs-163639534/index[.]html
storage[.]googleapis[.]com/adottling-195946905/index[.]html
storage[.]googleapis[.]com/amoslemin-967310995/index[.]html
storage[.]googleapis[.]com/acinques-665639902/login[.]html
storage[.]googleapis[.]com/aunsacrificed-190687410/index[.]html
storage[.]googleapis[.]com/ascrofuloderma-46621213/index[.]html
storage[.]googleapis[.]com/auntwirl-391340861/index[.]html
storage[.]googleapis[.]com/aimparting-68711433/index[.]html
storage[.]googleapis[.]com/aatalantis-739623290/index[.]html
storage[.]googleapis[.]com/abegruntle-40246949/index[.]html
storage[.]googleapis[.]com/aconceptualised-470215097/index[.]html
storage[.]googleapis[.]com/arudderhead-370810423/index[.]html
storage[.]googleapis[.]com/aastromancer-398680604/index[.]html
storage[.]googleapis[.]com/apa-317407023/index[.]html
storage[.]googleapis[.]com/aamphioxus-906636459/index[.]html
storage[.]googleapis[.]com/apontoneer-591920887/login[.]html
storage[.]googleapis[.]com/aprerepresentation-66370527/index[.]html
storage[.]googleapis[.]com/aunroyalness-974087096/index[.]html
storage[.]googleapis[.]com/aabietate-713295939/index[.]html
storage[.]googleapis[.]com/anefas-17843827/login[.]html
storage[.]googleapis[.]com/anonhabituating-594465665/index[.]html
storage[.]googleapis[.]com/aintervalometer-123954896/index[.]html
storage[.]googleapis[.]com/aherdess-767357057/index[.]html
storage[.]googleapis[.]com/apardonless-780884267/index[.]html
storage[.]googleapis[.]com/agermanely-776975203/index[.]html
storage[.]googleapis[.]com/adaylighted-903538410/index[.]html
storage[.]googleapis[.]com/anoneternally-982088190/index[.]html
storage[.]googleapis[.]com/aunstacked-984917203/index[.]html
storage[.]googleapis[.]com/arhopalocerous-457551896/index[.]html
storage[.]googleapis[.]com/aautosensitized-682287836/index[.]html
storage[.]googleapis[.]com/avirilisms-842115393/index[.]html
storage[.]googleapis[.]com/aarbalo-251593828/index[.]html
storage[.]googleapis[.]com/asyringitis-538839216/index[.]html
storage[.]googleapis[.]com/acionorrhaphia-41254689/index[.]html
storage[.]googleapis[.]com/apavises-321779368/index[.]html
storage[.]googleapis[.]com/aundiscernably-733914186/index[.]html
storage[.]googleapis[.]com/aunregard-438947492/emp[.]html
storage[.]googleapis[.]com/aforetelling-819024589/index[.]html
storage[.]googleapis[.]com/aphellogen-38165975/index[.]html
storage[.]googleapis[.]com/aunvirtuous-274079806/index[.]html
storage[.]googleapis[.]com/aelectant-280636513/index[.]html
storage[.]googleapis[.]com/asclerae-148597782/index[.]html
storage[.]googleapis[.]com/aidaein-829771506/index[.]html
storage[.]googleapis[.]com/aterremotive-103281912/index[.]html
storage[.]googleapis[.]com/agalactorrhoea-9550585/index[.]html
storage[.]googleapis[.]com/atizzy-269292408/index[.]html
storage[.]googleapis[.]com/acital-822541724/index[.]html
storage[.]googleapis[.]com/aprotriaene-335157269/index[.]html
storage[.]googleapis[.]com/ascholarch-890788164/index[.]html
storage[.]googleapis[.]com/aprediscontinuance-732910131/index[.]html
storage[.]googleapis[.]com/asubfestive-203388889/index[.]html
storage[.]googleapis[.]com/afulani-210582469/index[.]html
storage[.]googleapis[.]com/adaedal-37002271/index[.]html
storage[.]googleapis[.]com/aserpentarii-284490402/index[.]html
storage[.]googleapis[.]com/azax-39729869/index[.]html
storage[.]googleapis[.]com/asynonymatic-139119700/index[.]html
storage[.]googleapis[.]com/aaedegi-836148196/index[.]html
storage[.]googleapis[.]com/aoperations-27053020/index[.]html
storage[.]googleapis[.]com/aproctoscopies-858386799/index[.]html
storage[.]googleapis[.]com/atetramin-839735637/index[.]html
storage[.]googleapis[.]com/apeshkash-437756860/index[.]html
storage[.]googleapis[.]com/aallylate-704586416/index[.]html
storage[.]googleapis[.]com/amaria-707832457/index[.]html
storage[.]googleapis[.]com/ahammers-75087009/index[.]html
storage[.]googleapis[.]com/aorthopterology-195657039/index[.]html
storage[.]googleapis[.]com/agnarliness-34634799/index[.]html
storage[.]googleapis[.]com/alechriodont-807475378/index[.]html
storage[.]googleapis[.]com/afloodlike-845296568/thank-you[.]html
storage[.]googleapis[.]com/afloodlike-845296568/ccdetails[.]html
storage[.]googleapis[.]com/aengleim-22202313/index[.]html
storage[.]googleapis[.]com/aozokerit-940378069/index[.]html
storage[.]googleapis[.]com/anonblended-222328769/index[.]html
storage[.]googleapis[.]com/ahough-723819821/index[.]html
storage[.]googleapis[.]com/aenwrapped-497258674/index[.]html
storage[.]googleapis[.]com/ascombresox-752589947/index[.]html
storage[.]googleapis[.]com/ahennaing-195361189/index[.]html
storage[.]googleapis[.]com/apackage-889059598/index[.]html
storage[.]googleapis[.]com/acerithium-715663857/index[.]html
storage[.]googleapis[.]com/asemilegislatively-737555048/index[.]html
storage[.]googleapis[.]com/areimpart-731291280/index[.]html
storage[.]googleapis[.]com/aschizophrenic-852501158/index[.]html
storage[.]googleapis[.]com/aostraeacea-303476625/surf5[.]html
storage[.]googleapis[.]com/aostraeacea-303476625/surf2[.]html
storage[.]googleapis[.]com/aostraeacea-303476625/surf4[.]html
storage[.]googleapis[.]com/acryptocarp-224010971/index[.]html
storage[.]googleapis[.]com/asangil-455740481/index[.]html
storage[.]googleapis[.]com/aemendatory-273709545/index[.]html
storage[.]googleapis[.]com/atripersonalism-844191482/index[.]html
storage[.]googleapis[.]com/arituale-126920889/index[.]html
storage[.]googleapis[.]com/afirecrest-55660520/index[.]html
storage[.]googleapis[.]com/atostao-328917181/index[.]html
storage[.]googleapis[.]com/akartvelian-558252283/yahoo[.]html
storage[.]googleapis[.]com/acondescendent-298330894/index[.]html
storage[.]googleapis[.]com/aindeliberately-897258294/index[.]html
storage[.]googleapis[.]com/acartooned-590869782/index[.]html
storage[.]googleapis[.]com/anonabsolution-546507296/index[.]html
storage[.]googleapis[.]com/aprehallux-831372274/index[.]html
storage[.]googleapis[.]com/adingled-862723013/index[.]html
storage[.]googleapis[.]com/abootmaking-335640809/index[.]html
storage[.]googleapis[.]com/ahiren-7401734/index[.]html
storage[.]googleapis[.]com/ainca-12736189/index[.]html
storage[.]googleapis[.]com/amoa-620648817/index[.]html
storage[.]googleapis[.]com/alicitation-522842407/index[.]html
storage[.]googleapis[.]com/aboatsmen-139464055/index[.]html
storage[.]googleapis[.]com/aperform-352099829/adobe-login[.]html
storage[.]googleapis[.]com/akartvelian-558252283/index[.]html
storage[.]googleapis[.]com/ainvendibility-786043259/index[.]html
storage[.]googleapis[.]com/aunshrine-323133029/index[.]html
storage[.]googleapis[.]com/acondemns-905913782/index[.]html
storage[.]googleapis[.]com/abrahmanist-186178631/index[.]html
storage[.]googleapis[.]com/aunbars-780985519/index[.]html
storage[.]googleapis[.]com/aqualitative-811176249/index[.]html
storage[.]googleapis[.]com/ataleful-348821200/index[.]html
storage[.]googleapis[.]com/anickstick-307761326/index[.]html
storage[.]googleapis[.]com/alectorship-84927521/index[.]html
storage[.]googleapis[.]com/aodea-208736814/index[.]html
storage[.]googleapis[.]com/abridely-333489834/index[.]html
storage[.]googleapis[.]com/amalodorant-950451553/index[.]html
storage[.]googleapis[.]com/ayawled-911675812/index[.]html
storage[.]googleapis[.]com/abirky-240459101/index[.]html
storage[.]googleapis[.]com/aoverturning-255869875/index[.]html
storage[.]googleapis[.]com/apseudophallic-889421432/billing[.]html
storage[.]googleapis[.]com/amyelopathy-195390597/index[.]html
storage[.]googleapis[.]com/arepairable-358680916/index[.]html
storage[.]googleapis[.]com/asestines-42817349/index[.]html
storage[.]googleapis[.]com/acrepitation-283172808/index[.]html
storage[.]googleapis[.]com/ajaundiced-513977881/index[.]html
storage[.]googleapis[.]com/aairable-214203130/index[.]html
storage[.]googleapis[.]com/arheumatogenic-683716643/index[.]html
storage[.]googleapis[.]com/amultidestination-847080470/index[.]html
storage[.]googleapis[.]com/apolysomaty-898829058/index[.]html
storage[.]googleapis[.]com/apoitrinaire-12614876/index[.]html
storage[.]googleapis[.]com/askirwhit-47671358/index[.]html
storage[.]googleapis[.]com/avoyeurism-318259797/index[.]html
storage[.]googleapis[.]com/apampanga-166098500/index[.]html
storage[.]googleapis[.]com/anun-908242083/index2[.]html
storage[.]googleapis[.]com/adegradedly-277339018/index[.]html
storage[.]googleapis[.]com/awhalings-302949577/index[.]html
storage[.]googleapis[.]com/abalducta-915289519/index[.]html
storage[.]googleapis[.]com/arelucted-787773075/index[.]html
storage[.]googleapis[.]com/asupplementally-858070387/index[.]html
storage[.]googleapis[.]com/afregatidae-217677069/index[.]html
storage[.]googleapis[.]com/aracoyian-21862863/index[.]html
storage[.]googleapis[.]com/ascotchwoman-979797192/index[.]html
storage[.]googleapis[.]com/aantimoralism-54859598/index[.]html
storage[.]googleapis[.]com/aouthaul-370806468/index[.]html
storage[.]googleapis[.]com/ahercynian-275744290/index[.]html
storage[.]googleapis[.]com/aphotopolymerization-352520518/index[.]html
storage[.]googleapis[.]com/aoverdearness-492275680/index[.]html
storage[.]googleapis[.]com/afergus-935018076/index[.]html
storage[.]googleapis[.]com/aprovisory-825150401/index[.]html
storage[.]googleapis[.]com/aphonasthenia-506169773/index[.]html
storage[.]googleapis[.]com/apoley-215933269/index[.]html
storage[.]googleapis[.]com/aslewingslews-789314006/index[.]html
storage[.]googleapis[.]com/amicroradiographical-929577851/index[.]html
storage[.]googleapis[.]com/aovist-532671161/index[.]html
storage[.]googleapis[.]com/afusileers-968365817/index[.]html
storage[.]googleapis[.]com/areducibility-583369670/index[.]html
storage[.]googleapis[.]com/apooling-267239360/index[.]html
storage[.]googleapis[.]com/alaparotomies-63776556/index[.]html
storage[.]googleapis[.]com/adiskindness-885924575/index3[.]html
storage[.]googleapis[.]com/akrater-612615588/index[.]html
storage[.]googleapis[.]com/ashists-509747929/index[.]html
storage[.]googleapis[.]com/apriestship-638820631/index[.]html
storage[.]googleapis[.]com/aabune-670480603/index[.]html

 

Campaign 3:

login-51014-file.web[.]app    
onedrive-online718.web[.]app
onedrive-online912.web[.]app
onedrive-online642.web[.]app
onedrive-online236.web[.]app

 

Campaign 4:

www[.]adotcomcompany[.]com/ofc3/r[.]php
accessiondistribution[.]com/ofc3/r[.]php
monteagudoadvogados[.]adv[.]br/ofc3/r[.]php
reggaegills[.]com/ofc3/r[.]php
aamanzano[.]com/home/ofc/r[.]php
ourhomes[.]re/ofc3/r[.]php
armata-neagra[.]ro/ofc3/r[.]php
shakeandvape[.]com/b!/ofc/s/
candaceweststoryteller[.]com/ofc3/s/
cleanedgemanpower[.]com/ofc3/s/
fourcheriverdays[.]com/ofc3/s/
demandpower[.]ca/ofc3/s/
420australia[.]com/ofc3/s/
rehdainstitute[.]com/ofc3/s/
corp-elrociosac[.]com/images/ofc3/r[.]php
touch4career[.]com/ofc3/r[.]php
the-vapors[.]eu/ofc3/r[.]php
thewisetricks[.]com/ofc3/r[.]php
monabelle[.]com[.]br/scss/ofc3/s/
dineshdesai[.]in/wp-admin/ot/ofc/s/
hpma[.]in/ofc3/s/
goticapp[.]com/x/ofc3/s/
gonzaloivangomez[.]com/folder/bin/refresheedofccieesforthenewtwentytwentyscamp/ofc1/s/
avyconsulting[.]in/ofc3/r[.]php
alldelhi[.]com/ofc3/s/
nationalstandardtrustsavings[.]com/lf/ofc1/ofc1/le3_/
ventanalesbogota[.]com/ofc3/r[.]php
3x7konteyner[.]com/ofc3/s/
parmos[.]com[.]tr/ofc3/s/
www[.]storyofmeworkshop[.]com/x/ofc3/s/
sowamsheritagearea[.]org/cgi-bin/ofc3/s/
tailorbrandinsentive[.]net/home/ofc3/r[.]php
shippingdocument[.]com/ofc3/s/
fuhrerscheinprofis[.]com/ofc3/s/
laparotools[.]com/img/33/ofc/s/
zyclone[.]net/ofc3/s/





Thank you for reading


WAS THIS POST USEFUL?

Yes, very!

Not really


EXPLORE MORE ZSCALER BLOGS

Agniane Stealer: Dark Web’s Crypto Threat
Read post
The Impact of the SEC’s New Cybersecurity Policies
Read post
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read post
01 / 02
Go to next slideGo to previous slide


GET THE LATEST ZSCALER BLOG UPDATES IN YOUR INBOX

*












Subscribe

By submitting the form, you are agreeing to our privacy policy.






THE ZSCALER EXPERIENCE

Learn about:

Your world, securedZero TrustSecure Access Service Edge (SASE)Security Service
Edge (SSE)Zero Trust Network Access (ZTNA)Secure Web Gateway (SWG)Cloud Access
Security Broker (CASB)Cloud Native Application Protection Platform (CNAPP)Data
Security Posture Management (DSPM)
PRODUCTS & SOLUTIONS
Secure Your Users

Secure Your Workloads

Secure Your IoT and OT

Secure Internet Access (ZIA)

Data Protection (CASB/DLP)

Digital Experience (ZDX)

Industry & Market Solutions

Partner Integrations

Zscaler Client Connector

PLATFORM
Zero Trust Exchange Platform

Secure Digital Transformation

Network Transformation

Application Transformation

Security Transformation

RESOURCES
Resource Library

Customer Success Stories

Security Preview

Threat Assessment Tools

ThreatLabz Analytics & Insights

Upcoming Events

Blog

Zscaler Academy

CXO Revolutionaries

Zpedia

Ransomware Protection ROI Calculator

POPULAR LINKS
Pricing & Plans

About Zscaler

Leadership Team

Career Opportunities

Find or Become a Partner

Customer Success Center

Investor Relations

Press Center

News & Announcements

ESG

Compliance

Contact Zscaler

Home
English
EnglishFrançaisDeutschItaliano日本Castellano - MexicoCastellano - EspañaPortugues
- Brasil

Zscaler is universally recognized as the leader in zero trust. Leveraging the
largest security cloud on the planet, Zscaler anticipates, secures, and
simplifies the experience of doing business for the world's most established
companies.

English
EnglishFrançaisDeutschItaliano日本Castellano - MexicoCastellano - EspañaPortugues
- Brasil
*












Subscribe
Visit us on FacebookLinkedinFollow us on TwitterSubscribe our Youtube Channel
SitemapPrivacyLegalSecurity
© 2024 Zscaler, Inc.

All rights reserved. Zscaler™ and other trademarks listed at
zscaler.com/legal/trademarks are either (i) registered trademarks or service
marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States
and/or other countries. Any other trademarks are the properties of their
respective owners.



Zscaler uses cookies, pixels, and other tools to collect information you provide
to us and to capture and record your interaction with our site. We use this
information to enhance site navigation, personalize content, analyze your use of
our website, and assist in our marketing efforts and customer service. To
deliver the best experience and to assist with our efforts, Zscaler social
media, advertising, analytics, and hosting service providers may have access to
the information that you provide to us. By clicking "Accept All," you consent to
our collection, use, and disclosure of such information and to ourTerms of
Service. For more information about our data processing practices, please see
ourPrivacy Policy.
Manage Cookie Preferences Reject All Accept All