Cyber attackers have used email obfuscation techniques for decades to conceal malicious code or data within a file, script or network traffic. There are many email obfuscation methods, such as putting addresses into images, captchas or texts that bots cannot read. Such traditional email obfuscation tactics are well known, and security controls have historically been good at patching and stopping them. But recently our threat researchers have uncovered some newly evolving techniques that are designed to evade modern security controls. Below, we detail this new attack technique including real-world examples our researchers have observed.
JavaScript-based obfuscation involves addresses that are dynamically placed onto a webpage, effectively hiding them from bots. Attackers can set an ID for the HTML tag containing the email address, with the email encoded in base64, a binary-to-text encoding scheme. Base64 represents binary data in an ASCII string format by translating it into a visual representation to ensure that humans can read the printable data.