Phishing via email has always been a core attack technique. Simply sending an email with a link to a deceptive website with a fake login is a favorite movie. Recently, we have observed frequently utilized evolutions of this technique – where attackers leverage a fake login to trick the user into exposing his username and password by presenting fake files that require one to “log in” in order to view the content of the file. The attack involves sending an email with a legit looking document (either a PDF or Office file). The files don’t have any malicious content inside such as macros or exploits, and therefore easily bypass the most popular email security solutions. When opening the file, the user will see some blurred content in the background and a claim that the file is protected by a password or only available in the cloud. Therefore requiring the user to login to his account in order to view the content. In the next image, we can see an example of an email sent to one of our financial institution customers. As you see there’s a PDF attachment with a link inside leading to a fake Adobe login screen.




Here is a similar example with an Excel file:

Summary.

These phishing attempts can be more effective than just sending a link inside an email. First, they easily bypass email security solutions that only scan URLs placed directly inside emails (for example Office 365 “safe links”). Second, because it creates a call-to-action for the busy end-user – the email is already in his inbox, he his seeing some blurry content that he believes he needs to access and all that’s left is to do a quick “login”. The way Perception Point is able to identify this technique as malicious and block it before it reaches the user is thanks to our Recursive Unpacker, which “unpacks” several layers of files and links to identify embedded attacks, combined with our advanced Phishing engines.