How I recreated the NSA’s legendary QUANTUMINSERT attack tactic to phish Gmail on iOS. And why I wish I couldn't.

It is concerning that I was able to create my own variation of the NSA's infamous QUANTUMINSERT attack vector at home, without super-fast computers, by exploiting bugs in some of our most commonly used systems and services. In kinetic warfare terms, it’s like a drone hobbyist building a military-grade Transatlantic Boeing MQ 28 Ghost Bat in their garage. Until affected parties fix the bugs that my own HOXINSERT attack leverages, it lurks in the wild as a potential attack tactic that few systems are prepared to prevent or detect.


QUANTUMTHEORY-style “HOXINSERT” for Gmail: a uniquely dangerous phishing attack

In this article, I will revisit my offensive research: the creation and deployment of a variation of the NSA's QUANTUMINSERT attack technique. This particularly dangerous strain of Adversary-on-the-Side (AotS) attack is usually linked with cyber superpowers like the NSA. The point of my research is to:

A) Alert users of the danger so we can harden our defenses

B) Alert internet service providers of the bugs, loopholes, misconfigurations, or vulnerabilities that they can fix so as to prevent hackers from gaining illegal access to our systems

The fact that I was able to recreate my variation of the infamous QUANTUMINSERT attack vector by exploiting bugs in some of our most commonly used systems and services is concerning. In kinetic warfare terms, it’s like a drone hobbyist building a military-grade Transatlantic Boeing MQ-28 Ghost Bat in their garage.

When the NSA first used QUANTUMINSERTS in their QUANTUMTHEORY tactical suite from 2005 - 2010, they inflicted 80 times more successful breach rates against 300 thought-to-be-unexploitable targets compared to the phishing campaigns they’d previously relied upon.

This time around, I’ll phish Gmail user credentials with the technical variation I created, which I call HOXINSERT. Previously, I used HOXINSERT to deploy malware into the Microsoft environment.

Please note that I’m a mere mortal, without deep pockets or nation-state backing. Until the bugs in these commonly used systems are fixed, they are vulnerable to this attack. Theoretically, hackers could right now be using QUANTUMINSERT-style attacks against us. It’s hard to say because in addition to being highly effective, QUANTUMINSERTs leave very few prints at cyber crime scenes and are thus hard to trace.

What is HOXINSERT?

My HOXINSERT technique mimics QUANTUMINSERT by using a combination of phishing, HTML smuggling, and status bar bugs in email clients to trick targeted users into interacting with malicious content. It evades traditional human detection methods such as hovering over a link in an email, because the status bar displays a trusted URL.

However, upon clicking, a different URL is requested, hosted on a malicious server (the NSA called theirs FOXACID; I named my own version HOXACID). HTML smuggling is used to deliver malicious payloads, while the bugs in email clients allow for status bar manipulation. This misleads users into trusting and clicking the malicious link.

Combining all of these techniques, I created HOXINSERT. For greater detail, this article covers the history and mechanics of QUANTUMINSERTS and the QUANTUMTHEORY attack suite.

QUANTUMINSERT + FOXACID architecture, simplified

My HOXINSERT + HOXACID architecture, simplified

QUANTUMINSERT glossary of terms

Here’s a quick refresher on the terms and technologies that drive the original and my own version of the QUANTUMINSERT attack technique.

QUANTUMTHEORY: A highly sophisticated cyber attack toolset developed by the NSA, which leveraged some capabilities unavailable to mere mortals who aren’t backed by a military superpower.

QUANTUMINSERT: Multi-tool Adversary-on-the-side (AotS) tactic for intercepting web traffic by using things like ultra-fast servers and redirecting to malicious servers without the user suspecting nefarious activity.

HOXINSERT: My own version of the QUANTUMINSERT, but I use bugs in email clients and the well-known HTML smuggling technique instead of SHOOTER servers.

SHOOTER servers: Turbo-charged servers that can intercept and seamlessly redirect legitimate traffic because they’re faster than the intended web service’s actual servers. Upon a targeted user’s request for a legitimate site like https://LinkedIn.com, the SHOOTER server would beat the legitimate LinkedIn server to the punch.

FOXACID: Malicious server for SHOOTER-redirected traffic that deploys a payload automatically optimized for the target user’s system. FOXACID fingerprints the web browser and operating system and delivers an exploit specific for that combination, e.g. malware or a credential harvesting page depending on what service the target user initially requested.

HOXACID: Like FOXACID, my version, HOXACID, can fingerprint the target web browser and OS and appropriately choose the exploit, malware, or phishing page: e.g. a phishing page if the device is iOS, Android, or ChromeOS-based; and a malware-laced document if Windows or MacOS-based.

How effective is QUANTUMTHEORY?

The NSA started using techniques in the QUANTUMTHEORY suite when they found that their spam attacks were getting 1% click rates. Missions with QUANTUMTHEORY were hitting 80% success rates. QUANTUMINSERT’s operational success was rated as “highly successful” against 300 “targets that were un-exploitable by any other means”.

HOXINSERT against Gmail on iOS

I used HOXINSERT to fingerprint the target user’s device based on its User-Agent, whereupon the user was immediately redirected to a credential harvesting page to steal their login credentials. After the user logs in, they are once again redirected to the final document they anticipated, all while avoiding any suspicion.

How dangerous is the QUANTUMINSERT technique?

QUANTUMINSERT (QI) uses the Adversary-on-the-Side technique, which is different from Adversary-in-the-Middle (AitM). AotS and AitM are, in my opinion, the future of human-targeted attacks. They are harder to prevent, anticipate, and detect than traditional phishing attacks because you can’t avoid them with common best practices like hovering over a malicious URL. Indeed, QI and HOXINSERT are a special breed because they show a trusted URL even on a hover-over. Plain AotS and AitM attacks do not have this property by default; they gain it only when combined with QI or HOXINSERT techniques.

HOXINSERT would make highly targeted attacks even more stealthy and dangerous. In a large-scale attack, email clients that are not affected by the status bar bugs, and thus not by HOXINSERT, will simply skip it and nothing bad will happen: no SHOOTER-to-FOXACID malicious payload is delivered.

The same mass QUANTUMINSERT attack campaign will hit those with vulnerable servers and not touch those without. This makes it hard to detect if you don’t know what you are looking for.

How do we defend against AitM and QUANTUMINSERT attacks?

Security training is as critical for defending against these attacks as it is against phishing attacks. People must always “look both ways” when they go online. Training will eventually need to drive home the fact that they can’t even trust the URL on a classic hover technique.

From a technical perspective, it is possible to build detections against HOXINSERT in email environments by looking for certain strings in the email body. This would be a place where AI could be used to improve firewalls, filters, and EDR.
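As an added illustration of that kind of email-body detection (my example, not Hoxhunt's detection logic, and not tied to the specific undisclosed client bugs), the heuristic below parses an HTML email body and flags anchors whose visible URL text points at a different host than the real href, plus common HTML smuggling markers. The sample email body is constructed, and the hostnames in it are placeholders.

```python
"""Heuristic scanner for HTML email bodies.

Flags (1) anchors whose visible text is a URL on a different host than
the href (what the user believes they click is not where they go), and
(2) JavaScript markers typically present in HTML smuggling payloads.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Common building blocks of HTML smuggling: assemble a file in the
# browser from an encoded string and hand it to the user as a download.
SMUGGLING_MARKERS = ("new Blob(", "atob(", "msSaveOrOpenBlob", "URL.createObjectURL")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Normalised hostname of a URL or bare domain (lower-case, no www.)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").removeprefix("www.")


def scan_email_html(body):
    """Return a list of (finding_kind, detail) tuples for one HTML body."""
    findings = []
    parser = _AnchorCollector()
    parser.feed(body)
    parser.close()
    for href, text in parser.anchors:
        # Visible text that looks like a URL must point where the href goes.
        if re.match(r"^(https?://|www\.)\S+$", text) and _host(text) != _host(href):
            findings.append(("display-href-mismatch", f"{text} -> {href}"))
        if href.lower().startswith(("javascript:", "data:")):
            findings.append(("script-or-data-href", href[:60]))
    findings += [("html-smuggling-marker", m) for m in SMUGGLING_MARKERS if m in body]
    return findings


# Constructed sample: trusted-looking visible URL, different real destination,
# and an in-page Blob assembled from base64 (HTML smuggling pattern).
SAMPLE = """<html><body><p>Your shared document is ready.</p>
<a href="http://attacker.invalid/login">https://mail.google.com/mail/u/0/</a>
<a href="https://mail.google.com/mail/u/0/">Open in Gmail</a>
<script>var b = new Blob([atob(payload)]);</script></body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_email_html(SAMPLE):
        print(kind, detail)
```

On the sample this reports one display/href mismatch and two smuggling markers; the second anchor, whose visible text is not a URL, is not flagged.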

My testing shows that HOXINSERT still works even after the Microsoft Safelinks URL rewrite. On certain email clients, Safelinks displays a special hover-over tooltip showing you the “Original URL”, but it will actually load the malicious URL upon being clicked because of HOXINSERT.

Until affected parties fix the bugs that HOXINSERT leverages, it’s a potential attack tactic that few systems are prepared to prevent or detect.

Read more of Pontus’s offensive research

Quantum Insert article 1: https://www.hoxhunt.com/blog/hoxinsert-nsa-aots-quantuminsert-attack

Quantum Insert article 2: https://www.hoxhunt.com/blog/hoxinsert-attack-vector-outlook-web-app-owa-windows-vulnerability

https://www.hoxhunt.com/blog/phishing-web-page-public-cloudflare-workers

https://www.hoxhunt.com/blog/credential-harvesting-fake-popups-microsoft-windows-os

https://www.hoxhunt.com/blog/what-is-a-spear-phishing-attack-and-how-do-you-recognize-it

https://www.hoxhunt.com/blog/advanced-phishing-attack-using-google-subdomain-could-trick-anyone

https://www.hoxhunt.com/blog/bug-g-suite-lets-attackers-spread-malware
