Time-Delayed Payload Delivery

Attackers send emails with benign links that become malicious after security scanning completes, exploiting the gap between scan-time and click-time.

MITRE ATT&CK: T1566.002

Timeline: The Cat and Mouse

2016 ← Attack emerges → 2017 ← Defenses respond → 2022 ← Sophisticated timing → Present

The Evolution

Phase       Period     What Happened
ATTACK      2016       Attackers discover scan-time vs click-time gap
PEAK        2018-2021  Weaponization post-delivery becomes common
RESPONSE    2017       URL rewriting/Safe Links (Microsoft, Proofpoint)
            2020       Continuous URL monitoring post-delivery
            2021       Full page content analysis at click-time
ADAPTATION  2022+      Very short windows, per-user URLs, scanner detection
CURRENT     Present    Cat-and-mouse continues; sophisticated timing attacks

Key Events with Sources

Date  Event                      Significance                                                     Source
2016  Time-delay attacks emerge  Attackers weaponize URLs after security scanning                 Proofpoint
2017  Safe Links released        Microsoft O365 rewrites URLs, checks at click-time               Microsoft
2020  Continuous monitoring      Post-delivery re-scanning of URLs in emails                      Mimecast
2021  Click-time detonation      Full sandbox analysis when user clicks link                      Proofpoint
2022  Scanner detection          Attackers fingerprint security scanners, serve different content Cofense

Overview

Email security scans URLs when emails arrive. Attackers exploit the time gap between scanning and clicking by initially hosting benign content, then switching to malicious content after the email passes inspection. When the victim clicks hours or days later, they reach a phishing page that wasn’t there during scanning.

The Attack

The Time Gap

T+0 (Email Received):
┌─────────────────────────────────────────────────────────┐
│  SECURITY SCAN                                          │
│  URL: https://attacker.com/page                         │
│  Content: "Coming Soon" landing page                    │
│  Malware: NONE                                          │
│  Verdict: CLEAN ✓                                       │
└─────────────────────────────────────────────────────────┘
        Email delivered to inbox

T+4 hours (Attacker Action):
┌─────────────────────────────────────────────────────────┐
│  ATTACKER UPDATES PAGE                                  │
│  URL: https://attacker.com/page (same URL)              │
│  Content: Microsoft 365 phishing page                   │
└─────────────────────────────────────────────────────────┘

T+8 hours (User Clicks):
┌─────────────────────────────────────────────────────────┐
│  USER EXPERIENCE                                        │
│  Clicks link → Phishing page                            │
│  Enters credentials → Compromised                       │
└─────────────────────────────────────────────────────────┘

Technical Methods

Simple Page Swap:

Before scan: Upload innocent page
After scan: Replace with phishing page

JavaScript-Based:

// Serve different content based on time
var launchTime = new Date("2024-01-15T18:00:00Z");
if (new Date() > launchTime) {
    loadPhishingContent();
} else {
    loadBenignContent();
}

Server-Side Logic:

def serve_page(request):
    if is_security_scanner(request):
        return benign_page()
    if datetime.now() > launch_time:
        return phishing_page()
    return benign_page()

Redirect Chains:

Email link β†’ Redirector (benign initially)
Later: Redirector updated to point to phishing

Timing Strategies

Weekend Weaponization:

  • Send Friday afternoon
  • Security scans Friday
  • Weaponize Saturday
  • Victims click Monday

Business Hours Targeting:

  • Send late evening
  • Weaponize overnight
  • Active when users arrive

Scan Detection:

  • Detect security scanner visits (user agent, IP, behavior)
  • Only weaponize after scanner has visited
  • Ensures scan sees clean content

Why It Works

Scan-Once Limitation:

  • Traditional security scans at delivery
  • One-time check, verdict cached
  • No re-checking later

Attacker Control:

  • Full control over when content changes
  • Can observe scanner behavior
  • Weaponize with precision timing

Volume Advantage:

  • Send thousands of emails
  • All pass initial scan
  • Weaponize single page, affect all

Defenses

Microsoft Safe Links, Proofpoint URL Defense:

Original: https://attacker.com/page
Rewritten: https://safelinks.protection.outlook.com/
           ?url=https://attacker.com/page

Click → Security checks URL again → Then redirects

Limitation: Attackers can detect rewriting and adapt.

Time-of-Click Scanning

Check URL when clicked, not just when delivered:

  • Real-time reputation check
  • Page content analysis
  • Block if malicious at click time

Continuous Monitoring

Re-scan URLs after delivery:

  • Periodic re-checking of links in delivered emails
  • Alert if previously clean URLs become malicious
  • Retroactive protection

Detonation at Click

Full sandbox analysis at click time:

  • Open URL in sandbox
  • Analyze actual page content
  • Check for credential forms, malware

Attacker Adaptation

Defeating Time-of-Click

Very Short Windows:

Weaponize just before business hours
De-weaponize after expected click window
Re-scan misses malicious period

Per-User Tracking:

Each recipient gets unique URL
Track who has clicked
Weaponize only unclicked URLs
De-weaponize after click

Scanner Detection:

If request from security scanner IP: Serve benign
If request from target organization IP: Serve phishing

Fast Flux

Rapidly change what URL points to:

  • Page changes every few minutes
  • Scanner sees version A (clean)
  • User sees version B (malicious)

Legitimate Infrastructure

Use compromised legitimate sites:

  • Good reputation masks malicious intent
  • Harder to block known-good domains
  • Change content on compromised page

Current State

Status: Active

Time-delayed attacks continue to evolve:

Defense                 Attacker Counter
Time-of-click scanning  Very short windows
Continuous monitoring   Per-user URLs
URL rewriting           Scanner detection
Sandbox detonation      Legitimate infrastructure

Detection Guidance

URL Monitoring

Implement continuous re-scanning:

  • Re-check URLs in delivered emails
  • Flag URLs that change post-delivery
  • Alert on clean→malicious transitions

Behavioral Indicators

Suspicious patterns:

  • Recently registered domain in email
  • URL with no initial content (“coming soon”)
  • Redirectors in email links
  • URLs that resolve differently over time

Click-Time Analysis

Ensure time-of-click protections:

  • Enable Safe Links or equivalent
  • Configure for all users
  • Don’t whitelist external domains

SIEM Correlation

email.delivered_time < click_time - 4 hours
AND click.url.content_changed = true
AND click.url.now_contains credential_form
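The URL Monitoring and SIEM Correlation guidance above, worked as an added example (not part of the original page): periodic post-delivery snapshots of each URL are hashed, a clean→credential-form transition is detected, and clicks are correlated against delivery time with the 4-hour gap from the pseudo-query. All message IDs, URLs, timestamps and HTML bodies are constructed sample data.

```python
import re
from datetime import datetime, timedelta
from hashlib import sha256

# Constructed sample telemetry (not real data): one URL that is weaponized
# after delivery and one benign URL that never changes.
DELIVERED = [  # (message_id, url, delivered_at)
    ("msg-1", "https://example.invalid/page", datetime(2024, 1, 15, 9, 0)),
    ("msg-2", "https://docs.example.invalid/q4", datetime(2024, 1, 15, 9, 5)),
]
SNAPSHOTS = [  # (url, scanned_at, html) from periodic post-delivery re-scans
    ("https://example.invalid/page", datetime(2024, 1, 15, 9, 1), "<h1>Coming soon</h1>"),
    ("https://example.invalid/page", datetime(2024, 1, 15, 13, 0),
     "<form action='/login'><input name='user'><input type='password'></form>"),
    ("https://docs.example.invalid/q4", datetime(2024, 1, 15, 9, 6), "<h1>Q4 report</h1>"),
    ("https://docs.example.invalid/q4", datetime(2024, 1, 15, 13, 0), "<h1>Q4 report</h1>"),
]
CLICKS = [  # (message_id, url, clicked_at)
    ("msg-1", "https://example.invalid/page", datetime(2024, 1, 15, 17, 30)),
    ("msg-2", "https://docs.example.invalid/q4", datetime(2024, 1, 15, 10, 0)),
]

# Crude credential-form check: a <form> that contains a password input.
CRED_FORM = re.compile(r"<form[^>]*>.*?<input[^>]*type=['\"]?password", re.I | re.S)

def has_credential_form(html: str) -> bool:
    return bool(CRED_FORM.search(html))

def url_history(snapshots):
    """Per URL, time-ordered (scanned_at, content_hash, has_cred_form) tuples."""
    hist = {}
    for url, ts, html in sorted(snapshots, key=lambda s: s[1]):
        digest = sha256(html.encode()).hexdigest()
        hist.setdefault(url, []).append((ts, digest, has_credential_form(html)))
    return hist

def correlate(delivered, snapshots, clicks, min_gap=timedelta(hours=4)):
    """Alert on clicks where delivery→click gap >= min_gap, the page content
    changed after delivery, and the latest snapshot now carries a credential form."""
    deliveries = {(m, u): t for m, u, t in delivered}
    hist = url_history(snapshots)
    alerts = []
    for msg_id, url, clicked_at in clicks:
        delivered_at, snaps = deliveries.get((msg_id, url)), hist.get(url, [])
        if delivered_at is None or len(snaps) < 2:
            continue  # no delivery record or nothing to compare against
        first, latest = snaps[0], snaps[-1]
        content_changed = latest[1] != first[1]
        clean_then_malicious = (not first[2]) and latest[2]
        if clicked_at - delivered_at >= min_gap and content_changed and clean_then_malicious:
            gap_hours = (clicked_at - delivered_at).total_seconds() / 3600
            alerts.append({"message_id": msg_id, "url": url,
                           "gap_hours": gap_hours, "weaponized_by": latest[0]})
    return alerts
```

In production the snapshot source would be the mail gateway's re-scan job and the click events the Safe Links (or equivalent) click log; the correlation logic stays the same.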

User Reports

Investigate when users report:

  • “Link didn’t work earlier but now shows login page”
  • “Page looks different than expected”
  • “I clicked but nothing happened initially”

What Killed It (or Weakened It)

Defense                    Introduced  Impact
URL Rewriting/Safe Links   2017        URLs checked at click-time, not just delivery
Continuous URL Monitoring  2020        Re-scan URLs periodically after delivery
Page Content Analysis      2021        Check what page actually contains, not just URL reputation