Phishing via email has always been a core attack technique, and its simplest form, an email carrying a link to a deceptive website with a fake login page, remains a favorite. Recently we have frequently observed an evolution of this technique: the attacker still relies on a fake login page to trick the user into exposing their username and password, but delivers it through a fake file that supposedly requires the user to "log in" in order to view its content.
The attack involves sending an email with a legitimate-looking document (either a PDF or an Office file). The file contains no malicious content such as macros or exploits, only a link, and therefore easily passes the most popular email security solutions.
When the file is opened, the user sees blurred content in the background and a claim that the file is password protected or only available in the cloud, so the user must log in to their account in order to view the content.
The next image shows an example of an email sent to one of our financial-institution customers. It carries a PDF attachment with a link inside, leading to a fake Adobe login screen.
Here is a similar example with an Excel file:
These phishing attempts can be more effective than simply placing a link in the email body. First, because the link sits inside an attachment rather than in the message itself, they easily bypass email security solutions that only scan URLs placed directly inside the email (for example Office 365 "Safe Links"). Second, they create a stronger call to action for a busy end user: the email is already in their inbox, they see some blurred content they believe they need to access, and all that is left is a quick "login".
Perception Point identifies this technique as malicious, and blocks it before it reaches the user, thanks to our Recursive Unpacker, which unpacks several layers of files and links to identify embedded attacks, combined with our advanced phishing engines.
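The core of the detection problem described above is that the malicious URL is not in the email body but one layer down, inside a PDF link annotation or an Office hyperlink relationship. The following is an added illustration, not Perception Point's Recursive Unpacker or any of its code: a minimal stdlib-only unpacker that pulls external links out of a PDF and an OOXML (docx/xlsx/pptx) attachment and flags any whose host is outside a hypothetical allow-list of domains the organisation really uses. The sample documents and the TRUSTED_DOMAINS list are constructed for the demo.

```python
"""Extract external links from document attachments without rendering them.

Added example, not Perception Point's code. Two unpackers:
- PDF: scan the raw object data for /URI (...) link actions.
- OOXML: open the file as a ZIP and read every *.rels part for
  relationships with TargetMode="External" (hyperlinks live there).
The sample PDF and XLSX below are built in memory for the demo.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hypothetical allow-list: domains whose login pages the organisation expects.
TRUSTED_DOMAINS = {"adobe.com", "microsoft.com", "office.com"}

# Literal PDF string after /URI; backslash-escaped parentheses are skipped.
PDF_URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)


def extract_pdf_urls(data: bytes) -> list[str]:
    """Return URLs found in /URI link actions of an (uncompressed) PDF."""
    urls = []
    for m in PDF_URI_RE.finditer(data):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
        urls.append(raw.decode("latin-1"))
    return urls


def extract_ooxml_urls(data: bytes) -> list[str]:
    """Return external relationship targets from any OOXML package."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter():
                if rel.attrib.get("TargetMode") == "External":
                    urls.append(rel.attrib["Target"])
    return urls


def extract_urls(data: bytes) -> list[str]:
    """Dispatch on the file's magic bytes; unknown types yield no links."""
    if data.startswith(b"%PDF"):
        return extract_pdf_urls(data)
    if data.startswith(b"PK\x03\x04"):
        return extract_ooxml_urls(data)
    return []


def suspicious_links(data: bytes, trusted=TRUSTED_DOMAINS) -> list[str]:
    """Links whose host is neither a trusted domain nor a subdomain of one."""
    flagged = []
    for url in extract_urls(data):
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in trusted):
            flagged.append(url)
    return flagged


# --- constructed sample attachments ---------------------------------------

def build_sample_pdf(url: str) -> bytes:
    """Minimal one-page PDF whose only content is a clickable link annotation."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
            b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
            b" /A << /S /URI /URI (" + url.encode() + b") >> >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


def build_sample_xlsx(url: str) -> bytes:
    """Skeleton XLSX with one sheet carrying a single external hyperlink."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            f'Target="{url}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lookalike hosts on the reserved .example TLD.
    for label, doc in (("pdf", build_sample_pdf("https://adobe-secure-docs.example/login")),
                       ("xlsx", build_sample_xlsx("https://onedrive-share.example/view"))):
        print(label, "links:", extract_urls(doc), "flagged:", suspicious_links(doc))
```

The PDF scanner only sees link actions stored as literal strings in uncompressed objects; real attachments often keep annotations inside FlateDecode object streams, so a production unpacker has to decode those streams (or use a full PDF parser) before the regex is meaningful, and should also handle hex-encoded strings and JavaScript actions. The domain check is deliberately simple: it catches the lookalike hosts used in these campaigns but says nothing about a trusted domain hosting a compromised page, which is where URL reputation and page analysis have to take over.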