Malicious / Suspicious Websites

Of the billions of websites on the internet, only a handful can be trusted, and enterprises face the challenge of ensuring that users do not inadvertently access malicious ones. Such sites can host a variety of threats, including malware, phishing pages, and other forms of cyberattack. While other solutions outright block or allow websites based on URL categories, SquareX takes a different approach: it lets enterprises define what they consider malicious. For some enterprises, a domain age of less than 30 days might be considered malicious; for others it could be websites hosted in specific geographical locations, or sites requesting excessive permissions (such as clipboard, location, or camera). Along with this, SquareX has an in-browser site analysis engine capable of detecting potentially malicious websites through in-depth analysis that includes DOM monitoring, live OCR, domain authority, brand resemblance, and many more checks. SquareX also incorporates popular phishing feeds to block known threats.

Block access to sites with suspicious redirects

Chaining multiple redirects across different domains is a common attacker tactic. Blocking sites that exhibit this behaviour helps protect users from falling victim to phishing or malware attacks. Admins can prompt Block access to sites with suspicious redirects to generate this policy. The expected outcome would be:

Block typosquatted domains

With access to generative AI tools, it doesn’t take much technical expertise to make dupes of big brand sites, or to buy a domain that looks similar to the original. As an example, typosquatting exploits common typing errors to direct users to malicious sites posing as legitimate SaaS applications. Blocking these links helps protect users from phishing attacks and malware disguised as trusted services. Using the AI Policy generator, admins can prompt Block Typosquatting Links to generate this policy. The expected outcome would be:

Block access to any known malicious sites

Blocking access to known malicious sites protects users from malware, phishing, and other cyber threats. Admins can prompt Block access to known malicious sites to create this policy. The expected outcome would be:

Block advanced Browser-in-the-browser attacks

There are classes of attacks that are orchestrated entirely within the browser, into which neither cloud proxies nor endpoint security has any visibility. One such attack is the Browser-in-the-browser (BitB) phishing attack, where a browser view is embedded within a page and made to look like a popup window. Users are tricked into entering their data into these seemingly unassuming pages. Enterprises can leverage SquareX to block employees from being exposed to BitB attacks. For instance, if an enterprise uses Okta for authentication, a simple site content policy in SquareX can check for Okta login content against the domain serving it. A demonstration of this is shown against the recent and ongoing ‘Steamcommunity’ phishing attack propagated through Discord. Using only a screenshot of the actual phishing page, you can see the power of SquareX’s detection technology.

Isolate all free hosted sites

Free hosted sites are often used to distribute harmful content, as they are easy to set up and can borrow the domain authority of the hosting platform to evade some security checks. Isolating these sites ensures users do not inadvertently download or execute malware. Admins can prompt Isolate all free hosted sites to create this policy. The expected outcome would be:

Block access to websites hosted in high-risk countries

Given the geopolitical climate and the potential for cyberattacks originating from certain regions, blocking or isolating sites hosted in those geographies can mitigate risks associated with state-sponsored or other regional cyber threats. As an example, using the policy-generating copilot, admins can prompt Block Sites from Russia to generate the appropriate policy. The policy should have the following conditions:

Isolate sites referred from social networking sites

Social networking sites can often be vectors for malicious links. Isolating these sites ensures that users are protected from potentially harmful content. Admins can prompt Isolate Sites Referred from Social Networking Sites to generate this policy. The expected outcome would be:

Protect employees from accidentally accessing typosquatted eTLDs

Many organizations struggle with typosquatting attacks, including those carried out at the eTLD level (the domain suffix, e.g. .com). In one such case, .ml and other common eTLDs were used to phish users who were looking for .mil sites. SquareX has a very elegant solution to prevent employees from accidentally stumbling upon such typosquatting links: by leveraging our AI copilot, admins can simply mention the eTLDs to allow or block, as shown in this demonstration.

Isolate sites with unicode characters on the domain

Suspicious links come in many flavors, and attackers' use of unicode characters in domain names is an age-old trick. The most deterministic way to secure employees is to open suspicious links directly in browser isolation. As an example, admins can consider isolating all links with unicode characters. Despite this being an older attack, a snapshot of OpenPhish's live feed will show the prevalence of punycode in phishing sites. To avoid being detected as a spam site, many of these links redirect through other sites before the file download is presented to the user. Once the policy is in place, SquareX's disposable browser integrates seamlessly with employees' browsers, based on the policies that security admins create.

Block sites hosted on newly registered domains

Sites hosted on newly registered domains are often used in phishing campaigns, as they may not yet have been crawled or detected by malicious-site detection models. Since domain age is not easily accessible to the average user, users might unknowingly access these risky sites. An adversary group just purchased 500K new domains for their social engineering campaigns, including many sites under the .BOND top-level domain, among others. Intuitively, security admins might want to block employees from accessing any site with the .bond TLD, but without access to the full list of purchased domains, such a domain rule will not provide comprehensive protection. Instead, admins can consider blocking access to all newly registered domains, which protects employees from campaigns like this one. Where blocking users entirely feels too restrictive, SquareX's isolation technology can be used seamlessly instead.

Block phishing attacks originating from Legitimate Services

Attackers are leveraging popular services such as SharePoint and Office Forms to spread phishing links. These are difficult to detect, as the source is a legitimate website, and threat intel databases usually take a while to blacklist new phishing sites, leaving room for attacks on the organisation. With SquareX, administrators can take a preemptive measure and create policies to block all websites with login forms that originate from SharePoint (excluding trusted login pages).

Defending Against Multi-Hop Phishing Attacks Using SharePoint Links

Employees often receive phishing links from attackers posing as legitimate firms. These links lead to SharePoint pages prompting document access, ultimately asking for credentials. SquareX allows the creation of policies that block such sophisticated phishing attempts by analysing the visit or navigation path.

Page Content-based Web Filtering

SquareX supports blocking or isolating websites based on their URL categories. Along with this, administrators also have access to many more granular parameters, such as domain age, country, etc. SWGs monitor network traffic and rely primarily on URL categorization, along with basic checks on static HTML content. They are incapable of analysing canvas-based web pages, which render entirely on the client side with minimal-to-no information in the HTML. As SquareX runs on the client side, it can perform live content categorization of the user’s view, allowing administrators to block or isolate sites based on their content.
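The policies described on this page (suspicious cross-domain redirects, typosquatted brand names and eTLDs, unicode/punycode hosts, social-network referrers, login forms reached via SharePoint, and brand login content served from the wrong domain) all reduce to checks on a visit record: the final URL, its redirect chain, the referrer, and what the rendered page shows. The following is an added example, not SquareX's code or its policy engine: a small Python evaluator that applies those checks to constructed visit records. Every policy table (brand hosts, confusable eTLDs, trusted login hosts, social referrers) and every sample visit is an assumption made for the example; the registrable-domain helper deliberately uses only the last two labels rather than the Public Suffix List.

```python
# Added example (not SquareX's code): policy evaluator for the URL, navigation
# and content signals described on this page. All tables below are constructed.
from urllib.parse import urlsplit

BRAND_LOGIN_HOSTS = {                         # where each brand's real login lives
    "okta": {"okta.com"},
    "microsoft": {"microsoftonline.com", "live.com"},
    "steamcommunity": {"steamcommunity.com", "steampowered.com"},
}
CONFUSABLE_ETLDS = {"ml", "mi1"}              # suffixes easily misread as .mil
SOCIAL_REFERRERS = {"facebook.com", "x.com", "discord.com", "linkedin.com"}
LEGIT_FORM_HOSTS = {"sharepoint.com", "office.com"}
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "acme.okta.com"}
LOGIN_MARKERS = ("sign in", "log in", "password")
MAX_CROSS_DOMAIN_HOPS = 2

def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def registrable(host: str) -> str:
    """Last two labels; a real engine would use the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def has_unicode_or_punycode(host: str) -> bool:
    """Non-ASCII characters, or an IDN label already encoded as xn--."""
    return any(ord(c) > 127 for c in host) or any(
        label.startswith("xn--") for label in host.split("."))

def etld_lookalike(host: str) -> bool:
    return host.rsplit(".", 1)[-1] in CONFUSABLE_ETLDS

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_lookalike(host: str):
    """Second-level label that contains, or is one edit from, a brand name."""
    label = registrable(host).split(".")[0]
    for brand in BRAND_LOGIN_HOSTS:
        if label != brand and (brand in label or levenshtein(label, brand) <= 1):
            return brand
    return None

def content_brand_mismatch(host: str, page_text: str):
    """Login content naming a brand, served from a domain the brand does not own."""
    text = page_text.lower()
    if not any(marker in text for marker in LOGIN_MARKERS):
        return None
    for brand, hosts in BRAND_LOGIN_HOSTS.items():
        if brand in text and registrable(host) not in hosts:
            return brand
    return None

def cross_domain_hops(chain) -> int:
    """How many times the registrable domain changes along a redirect chain."""
    domains = [registrable(host_of(u)) for u in chain]
    return sum(1 for a, b in zip(domains, domains[1:]) if a != b)

def evaluate(visit: dict) -> list:
    """Return (action, reason) pairs for one visit; an empty list means allow."""
    url, host = visit["url"], host_of(visit["url"])
    ref = registrable(host_of(visit.get("referrer", "")))
    findings = []
    if has_unicode_or_punycode(host):
        findings.append(("isolate", "unicode/punycode in host"))
    if etld_lookalike(host):
        findings.append(("block", "eTLD confusable with .mil"))
    if (brand := brand_lookalike(host)):
        findings.append(("block", f"lookalike of {brand}"))
    if (brand := content_brand_mismatch(host, visit.get("page_text", ""))):
        findings.append(("block", f"{brand} login content on {registrable(host)}"))
    hops = cross_domain_hops([*visit.get("redirects", []), url])
    if hops >= MAX_CROSS_DOMAIN_HOPS:
        findings.append(("block", f"{hops} cross-domain redirects"))
    if ref in SOCIAL_REFERRERS:
        findings.append(("isolate", f"referred from {ref}"))
    if (visit.get("has_login_form") and ref in LEGIT_FORM_HOSTS
            and host not in TRUSTED_LOGIN_HOSTS):
        findings.append(("block", f"login form reached via {ref}"))
    return findings

# Constructed visit records, one per policy; hosts are placeholders.
SAMPLE_VISITS = [
    {"url": "https://xn--exmple-cua.com/"},                        # punycode label
    {"url": "https://www.army.ml/"},                                # .ml vs .mil
    {"url": "https://0kta.com/login",                               # typosquat + hops
     "redirects": ["https://t.co/x", "https://tracker.example.net/r"]},
    {"url": "https://steam-rewards.example.com/",                   # BitB-style page
     "page_text": "steamcommunity.com - Sign In  Password"},
    {"url": "https://gift.example.com/", "referrer": "https://discord.com/channels/1"},
    {"url": "https://docs-review.example.org/",                     # multi-hop via SharePoint
     "referrer": "https://contoso.sharepoint.com/doc", "has_login_form": True},
    {"url": "https://acme.okta.com/",                               # trusted login, allowed
     "referrer": "https://contoso.sharepoint.com/doc", "has_login_form": True},
]

if __name__ == "__main__":
    for visit in SAMPLE_VISITS:
        print(visit["url"], evaluate(visit) or "allow")
```

Each check is independent, so a visit can collect several findings (the `0kta.com` record trips both the brand-lookalike and the redirect-hop rules), and the trusted-host exclusion is what keeps a genuine Okta login reached from SharePoint from being blocked. The content check is the weakest link as written: it keys on brand names in rendered text, which is why the page's own approach pairs it with OCR and DOM monitoring rather than static HTML alone.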
