{
	"id": "61a1ece9-5d1c-44f3-838b-c921682634ab",
	"created_at": "2026-04-06T00:09:54.858537Z",
	"updated_at": "2026-04-10T03:22:03.583769Z",
	"deleted_at": null,
	"sha1_hash": "1ca38a9ca9ccea9feff888f1b100f29da7767807",
	"title": "Categorisation is not a Security Boundary - MDSec",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 375945,
	"plain_text": "Categorisation is not a Security Boundary - MDSec\r\nBy Admin\r\nPublished: 2017-07-11 · Archived: 2026-04-05 20:19:37 UTC\r\nhttps://www.mdsec.co.uk/2017/07/categorisation-is-not-a-security-boundary/\r\nPage 1 of 7\n\nPrior to commencing any red team engagement, it is important to carefully consider how your infrastructure will be designed. As part of this process, one pivotal consideration is the hosts/domains you will use for phishing, c2 and exfiltration. In February, we discussed how Domain Fronting could be used to evade security controls such as categorisation and domain reputation. There are however some drawbacks to this technique, namely the limitations when encountering an RFC 2616 compliant proxy.\r\n\r\nDomain categorisation can often prove a thorn in the side of many red teams, as new domains are always uncategorised and are therefore likely to be blackholed by most corporate proxies. Additionally, more mature environments are highly likely to restrict the categories that can be accessed to only those that are most trusted, such as Finance or Government. If your phishing or c2 domain is blocked due to categorisation by the proxy, it often means the end of that campaign unless by chance it lands on a user outside of the network controls or with a less restrictive policy applied. An example of what the user may see if the domain is not in a permitted category is shown below, courtesy of @_RastaMouse:\r\n\r\nTraditionally, the approach for evading categorisation has been to acquire domains that have been previously categorised and have recently expired. Tools such as CatMyFish and DomainHunter somewhat automate this process and can prove effective in identifying domains to use during your campaigns. There are however drawbacks to this technique, namely that it becomes less likely you will find target-relevant domains that would add authenticity to your campaigns (e.g. for acmecorp.com you might want to use acmecorpservices.com), as well as typo-squatted domains.\r\n\r\nWith this in mind, the ActiveBreach team started to research how categorisation was determined and how sites could be submitted for categorisation. To our surprise, we quickly found that in most cases little validation was done when a new site was submitted for categorisation, while in other cases we found flaws in how the validation was performed such that we could instantly fool the proxy service into categorising our domain under an arbitrary category. An example of categorising a non-existent domain with IBM X-Force is shown below:\r\n\r\nThis ultimately led to the development and release of the Chameleon tool, which assists red teams in categorising their infrastructure under arbitrary categories. Currently, the tool supports arbitrary categorisation for Bluecoat, McAfee TrustedSource and IBM X-Force. However, the tool is designed in such a way that additional proxies can be added with ease.\r\n\r\nA video of Chameleon instantly categorising a newly created host, on a newly registered domain, against Bluecoat can be seen below:\r\n\r\nThis blog post was written by @domchell of the MDSec ActiveBreach team.\r\n\r\nChameleon can be downloaded from the MDSec ActiveBreach github page.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.mdsec.co.uk/2017/07/categorisation-is-not-a-security-boundary/"
	],
	"report_names": [
		"categorisation-is-not-a-security-boundary"
	],
	"threat_actors": [],
	"ts_created_at": 1775434194,
	"ts_updated_at": 1775791323,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1ca38a9ca9ccea9feff888f1b100f29da7767807.pdf",
		"text": "https://archive.orkl.eu/1ca38a9ca9ccea9feff888f1b100f29da7767807.txt",
		"img": "https://archive.orkl.eu/1ca38a9ca9ccea9feff888f1b100f29da7767807.jpg"
	}
}