Hackers Constantly Developing new evasion mechanisms to bypass security products

The digital landscape, once a serene meadow, has morphed into a battleground where attackers and security vendors engage in a perpetual arms race. 

As defenses become more sophisticated, attackers adapt, devising ingenious evasion techniques to bypass security products and inflict harm. 


One such tactic, recently uncovered by Trellix Email Security, leverages the foundation of security – caching – to weave a web of deceit and compromise unsuspecting users.

Diverse tools in an attacker’s arsenal:

  • Geofencing: Malicious content masquerades as benign in specific regions, evading detection elsewhere.
  • Captcha Bypass: Automated mechanisms circumvent captchas, hindering URL payload analysis.
  • IP Evasion: Blacklisted IPs shield attackers from scrutiny, ensuring their payloads remain hidden.
  • QR Code Phishing: QR code obscurity bypasses traditional email security filters, paving the way for phishing attacks.

Cache Poisoning: A Masterclass in Deception

Trellix Email Security has unraveled a novel evasion tactic that exploits caching, a mechanism employed by security products to optimize performance. 

Caching involves temporarily storing the analysis results of URLs. Upon encountering the same URL again, the cached verdict is retrieved instead of re-performing the analysis, saving valuable resources.

This innovative attack unfolds in three distinct phases:

Phase 1: The Enticing Bait

The attack begins with an email containing a seemingly innocuous Call to Action (CTA) URL, often disguised as a OneDrive document link. This tactic capitalizes on the inherent trust associated with Microsoft’s domain.

Phase 2: The Cloaked Payload

Upon encountering the CTA URL, the security engine analyzes it and discovers a link leading to a well-established website like Google or Microsoft. Deeming it safe, the engine caches this verdict.

Phase 3: The Chameleon’s Leap

Once the URL is cached as safe, the attackers strike. They stealthily modify the seemingly harmless link within the CTA URL, redirecting it to the actual malicious payload. 

However, the cached “safe” verdict remains, allowing subsequent encounters with the CTA URL to bypass security analysis and land in the recipient’s inbox.

Understanding this intricate manipulation of caching mechanisms is crucial for effective mitigation

A Global Threat: Beyond Borders and Industries

Trellix telemetry reveals that these cache poisoning attacks are not isolated incidents. They have targeted users across diverse industries and regions, highlighting the universality of this technique.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.