Attack Trend

Phishing links moving to email attachments.

By Michael Aminov, Founder & Chief Architect
19 March, 2018

Our last attack trend blog focused on n-days and zero-days. This time I will discuss an evolved “everyday” attack we’ve seen recently: phishing links inside files. This type of attack doesn’t require advanced hacking skills; the attacker simply sends an email that tries to trick the employee into willingly submitting their username and password to a shady website that looks like a legitimate, well-known one.

Typically those phishing links are sent directly inside the email body, but we’re starting to observe a trend among our customers: attackers embed their phishing links inside an email attachment instead of the email body. This way they are able to avoid traditional cyber security solutions that scan all links inside the email body. The trick also bypasses URL-rewrite solutions an organization may be using.

Here’s an example of an Excel document our engine caught. It looks like a “locked” file, and there’s a big link in the center:

[Image: phishing Excel demo]

When the link is clicked, a web page pretends to be “Excel online” and asks for user credentials in order to view the file:

[Image: fake “Excel online” login page]

This file is still reported clean on VirusTotal:

[Image: VirusTotal example]

Clearly there is a gap between what major solutions see and this everyday approach utilized by hackers.

What should I do?

First, confirm that your email protection technology is able to detect such files before they reach the user. Second, ensure your users are warned about such techniques in case they break through.
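As a way to test the first point, here is an added example (not Perception Point's engine or code from the original post) that pulls external hyperlinks out of an OOXML attachment such as .xlsx, so they can be passed to the same URL checks applied to links in the email body. The function names, the size cap and the sample URL are assumptions made for illustration, and the sample archive is constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
HYPERLINK_TYPE = OFFICE_REL + "hyperlink"
MAX_PART = 1_000_000  # assumed cap: skip oversized parts (zip-bomb guard)


def external_links(attachment: bytes) -> list[tuple[str, str]]:
    """Return (part, url) for each external hyperlink relationship."""
    found = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(attachment))
    except zipfile.BadZipFile:
        return found  # not an OOXML container, e.g. a legacy .xls
    with archive:
        for info in archive.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_PART:
                continue
            try:
                # Untrusted XML: a hardened parser is preferable in production.
                root = ET.fromstring(archive.read(info))
            except ET.ParseError:
                continue  # malformed part, nothing to extract
            for rel in root.iter(REL_NS + "Relationship"):
                if (rel.get("Type") == HYPERLINK_TYPE
                        and rel.get("TargetMode") == "External"):
                    found.append((info.filename, rel.get("Target", "")))
    return found


def build_sample() -> bytes:
    """Constructed sample: one sheet relationship part with one external link."""
    rels = (
        '<Relationships xmlns="' + REL_NS.strip("{}") + '">'
        '<Relationship Id="rId1" Type="' + HYPERLINK_TYPE + '" '
        'Target="https://login.example.invalid/excel-online" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="' + OFFICE_REL + 'drawing" '
        'Target="../drawings/drawing1.xml"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(external_links(build_sample()))
```

Because it walks every `.rels` part, links attached to shapes or images through drawing relationships are reported too. Links built with a `HYPERLINK()` cell formula live in the sheet XML and are not covered by this sketch.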
