Security BSides Las Vegas 2025

Shedding Light on Web Isolation Technologies and Their Bypass Techniques: C2 Communication via Outlook Using SMTP and IMAP
2025-08-04, Florentine A

Web isolation is a technology designed to enhance security. When applied, it allows firewalls to block HTTP/HTTPS traffic from workstations, the traffic that malware most often uses for Command and Control (C2) communication. However, does using web isolation completely eliminate all threats to workstations?

In this presentation, I will focus on C2 communication using Outlook to bypass web isolation environments. Since this method does not rely on HTTP/HTTPS communication, it allows for C2 traffic even in web-isolated environments.

While there are malware families, threat actors, and attack techniques that use SMTP/IMAP for data exfiltration, these are not as widely recognized as HTTP/HTTPS or DNS. This session will introduce malware and threat actors leveraging SMTP/IMAP, alongside a demonstration of a custom tool I developed to abuse Outlook for C2 communication via the SMTP/IMAP protocols.

Furthermore, I will compare this technique to more common reverse shells and explore the detection capabilities of security products, along with examples of detection rules and mitigation strategies.


Web isolation is a technology that enhances security by eliminating the need for workstation HTTP/HTTPS communication. During my experience as a SOC Analyst in a web isolation environment, many alerts were closed due to the blocking of HTTP/HTTPS traffic by firewalls. For instance, typical attacks like macro-enabled Word documents that download malware over HTTP can be entirely blocked by firewalls. This security solution is sometimes used by organizations such as banks, hospitals, and local governments that are large, long-established, and handle sensitive information.

In web isolation environments, one of the few outbound communication methods permitted by firewalls is email. However, tools that leverage email for C2 communication are uncommon, and therefore attract less attention than C2 traffic over HTTPS or DNS. As a result, they are sometimes overlooked by security teams and security products. This presentation will demonstrate a C2 tool that uses email to show a viable threat scenario, even in web-isolated environments.

The presentation will cover the following topics:

  1. Web Isolation Technology
    - Overview of web isolation technology
    - Threats and non-threats in web-isolated environments

  2. Actors and attack techniques utilizing SMTP/IMAP
    - Email collection techniques: Agent Tesla, Emotet, APT28
    - C2 tools that use SMTP/IMAP

  3. Introduction and demonstration of the developed tool
    - Demo video
    - Comparison with common reverse shells
    - Detection results from AV/EDR products

  4. Detection and mitigation
    - Settings that prevent this attack
    - Sigma rule, and Splunk, Elastic, and EDR solutions

Terada Yu is a researcher with Fujitsu Defense & National Security Limited. He worked as a SOC Analyst for over five years. In 2021, he joined his current company as a Security Researcher. He is primarily involved in developing new attack methods and tools. He also participates in internal red team activities and cyber exercises.
He has spoken at Black Hat USA/Europe, Code Blue, and several conferences in Japan. He holds a Master's degree in Computer Science, as well as certifications including OSEP, OSCP, CRTL, CISSP, GIAC, and CKS.