New Attack Convinces Receiver to Retrieve Junk or Quarantined Emails
Attackers manually create a reply to each email, sometimes with a small, customized note to open the attachment as a way to increase the level of trust.
New York City-based cloud security platform provider Avanan has discovered a new attack so convincing that users are pulling phishing emails out of the junk folder or asking IT to release them from quarantine.
“After compromising a user’s email account in a successful phishing attack, hackers identify threads that they can reply to as the impersonated user,” Michael Landewe, co-founder and chief security officer of Avanan, said.
Typically, the hacker selects an email chain where there is an attachment or a request to respond. Impersonating that user, the hacker then hijacks the email thread, replies to the earlier messages, and attaches a malicious .DOC file that appears to relate to the subject of the thread.
Typically, the attack starts outside the target organization with the compromise of a single user at another, trusted organization that has previously exchanged email with the target. The attackers then search the compromised user's inbox for messages sent by their ultimate target; in the case cited, city and county governments.
From these emails, attackers manually filtered for specific messages:
- From mid-to-high-ranking individuals.
- From a group address that could represent multiple users (e.g. “ABCD@city.gov”), most likely including department heads.
- With an action item that would likely drive a user to open the email.
- That included a document or mentioned an attachment.
Some examples:
- “Online Survey Results on departmental activities”
- “Upcoming Emergency Training inspection form”
- “Reminder: Auditing Task Force next week”
- “New Contract – RFP 37-2019 for Fed Services and RFQ 38-2019 for State Services”
- “Agenda for today’s call”
These examples represent legitimate emails sent from the target organization and received by the compromised user.
Landewe explained that the attackers manually created a reply to each email, sometimes with a small, customized note to open the attachment as a way to increase the level of trust. For example, “I’ve attached the results. If you have any questions, please contact me at tim.fletcher@partner.com.” Because the original chain might have included an attachment and requested a response, the recipient would often be expecting the message. Most of the replies included a “Re:” subject, and some were edited to increase the level of urgency:
- “Re: Departmental Services Update — Sept 20” (added Re: and date)
- “Compliance Meeting Next Week: Updated Agenda” (added “updated agenda”)
- “Re: Re: Upcoming Services Survey – last chance!” (added “Re:” to a previous reply-all and “last chance!”)
“The ultimate goal of the attacker is to fool the recipient to open the attached .DOC file,” Landewe said. The manual process is evidence of a targeted attack. Avanan explained that the .DOC attachment included a well-known dropper macro, normally detectable by most email systems, but specifically tailored here to bypass the default Microsoft Exchange Online Protection malware detection. “Each message included a slightly different version of the attached document so that each displayed a different MD5 hash to avoid lookup-based detection,” Landewe said.
When opened, the document instructed the user to “enable content” (if macros were not already enabled), allowing the malicious macro to run; in some cases it downloaded a payload from a remote server. The resulting behavior depended on the downloaded malware, but in at least one case it led to the compromise of the user’s email inbox, which was then saved for use in another attack.
This attack targeted government organizations using Office 365 or Exchange email. In a third of the cases, the malicious email would have reached the user’s inbox unfiltered. Because many of the distributed servers that sent the attack passed Sender Policy Framework (SPF) authentication for their sending domains, the emails cleared the basic phishing filters; SPF only confirms that the sending server is authorized for the envelope sender’s domain and says nothing about the message content.
While an email with a spam confidence level (SCL) of 5 or higher (on a scale that runs from -1 to 9) usually goes to the junk folder, at least a third of the emails in this attack were scored as benign and went straight to the inbox. The remaining malicious emails were scored as spam and would have gone to the junk folder. Most importantly, in no case did the Microsoft Exchange Online Protection filters classify them as phishing.
Landewe pointed out that while it is fortunate that a large percentage of the messages went to the junk folder, the hackers sent the messages multiple times from multiple servers to ensure that at least one copy made it to the inbox.
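The resend pattern just described (the same thread reply arriving several times, from several sending servers, each copy carrying a different attachment hash, with SPF passing and at least one copy scored below the junk threshold) is something a defender can look for in message-trace data even when no single copy is flagged. The following Python sketch is an added example, not Avanan's code or any product's: the trace records, field names, IP addresses and hash values are constructed for illustration, and the three-word subject stem used to group edited resends is a heuristic chosen here.

```python
"""Surface thread-hijack resends in message-trace records.

Added example. The Trace fields below are assumptions for this sketch and
do not mirror any particular product's export format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

JUNK_SCL = 5  # EOP routes SCL 5 and above to Junk Email by default


@dataclass(frozen=True)
class Trace:
    sender: str
    recipient: str
    subject: str
    source_ip: str
    spf: str                        # "pass", "fail", "softfail", "none"
    scl: int                        # spam confidence level, -1..9
    attachment_md5: Optional[str]   # None when no attachment


_PREFIX = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def subject_stem(subject: str, words: int = 3) -> str:
    """Normalise a subject so edited resends group with the original thread:
    strip Re:/Fw: prefixes, case and punctuation, keep the leading words
    (so "Re: X Update — Sept 20" and "Re: Re: X Update" share a stem).
    The word count is a heuristic chosen for this example."""
    bare = _PREFIX.sub("", subject)
    tokens = re.findall(r"[a-z0-9]+", bare.lower())
    return " ".join(tokens[:words])


def find_hijack_campaigns(traces: List[Trace], min_copies: int = 2) -> List[dict]:
    """Group deliveries by (recipient, sender, subject stem) and report groups
    that show the polymorphic resend pattern: multiple copies of one thread
    reply with distinct attachment hashes and/or distinct source IPs."""
    groups = defaultdict(list)
    for t in traces:
        groups[(t.recipient, t.sender, subject_stem(t.subject))].append(t)

    findings = []
    for (recipient, sender, stem), copies in groups.items():
        if len(copies) < min_copies:
            continue
        hashes = {t.attachment_md5 for t in copies if t.attachment_md5}
        ips = {t.source_ip for t in copies}
        if len(hashes) < 2 and len(ips) < 2:
            continue  # an ordinary duplicate delivery, not the pattern
        findings.append({
            "recipient": recipient,
            "sender": sender,
            "stem": stem,
            "copies": len(copies),
            "distinct_hashes": len(hashes),
            "distinct_ips": len(ips),
            "all_spf_pass": all(t.spf == "pass" for t in copies),
            "reached_inbox": any(t.scl < JUNK_SCL for t in copies),
        })
    return findings


# Constructed sample records modelled on the campaign described above.
# Addresses, IPs (TEST-NET ranges) and hash strings are made up.
SAMPLE_TRACES = [
    # Three copies of one hijacked reply: three servers, three hashes, one landed in the inbox.
    Trace("tim.fletcher@partner.com", "alice@city.gov", "Re: Departmental Services Update — Sept 20",
          "203.0.113.10", "pass", 1, "0f3e9a7c1b2d4e5f6a7b8c9d0e1f2a3b"),
    Trace("tim.fletcher@partner.com", "alice@city.gov", "Re: Departmental Services Update — Sept 20",
          "203.0.113.11", "pass", 5, "1a2b3c4d5e6f708192a3b4c5d6e7f809"),
    Trace("tim.fletcher@partner.com", "alice@city.gov", "Re: Re: Departmental Services Update",
          "198.51.100.7", "pass", 6, "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b"),
    # A legitimate earlier message from the same partner: single copy, not flagged.
    Trace("tim.fletcher@partner.com", "alice@city.gov", "Agenda for today's call",
          "203.0.113.10", "pass", 1, "5c4b3a2f1e0d9c8b7a6f5e4d3c2b1a09"),
    # An ordinary duplicate delivery (same hash, same server): not flagged.
    Trace("mailer@vendor.example", "alice@city.gov", "Invoice attached",
          "192.0.2.25", "pass", 1, "7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a"),
    Trace("mailer@vendor.example", "alice@city.gov", "Invoice attached",
          "192.0.2.25", "pass", 1, "7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a7a"),
    # Second target, urgency-edited subject, two servers, two hashes.
    Trace("tim.fletcher@partner.com", "bob@county.gov", "Re: Re: Upcoming Services Survey – last chance!",
          "203.0.113.10", "pass", 1, "2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b"),
    Trace("tim.fletcher@partner.com", "bob@county.gov", "Re: Upcoming Services Survey",
          "203.0.113.12", "pass", 7, "3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c"),
]

if __name__ == "__main__":
    for finding in find_hijack_campaigns(SAMPLE_TRACES):
        print(finding)
```

Run against real trace exports, the grouping key and stem length are the parts to tune; the point of the check is that the evidence lives across copies (hash and source diversity for one thread reply to one recipient), so a per-message verdict, which is what SPF and the SCL provide, never sees it.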
Landewe suggested that what makes this attack interesting is the users’ behavior. “The emails are so convincing users went out of their way to open and click the attached document. This type of attack takes advantage of the fact users will often browse their junk folder looking for mislabeled messages. The emails are convincing enough to cause users to move them from the junk folder, sometimes even whitelisting the compromised address.”
“This attack methodology begins with the compromise of a single employee or trusted partner who had previously communicated with the target. The choice of the user is probably opportunistic, as they were likely compromised via another attack method,” Landewe said.
Although uncertain how the original partner was compromised, Avanan said the attackers had access to at least four months of messages, which could have been captured through a single login, a compromised phone or a lost laptop. “No email was sent from the compromised user, which would imply that the attackers did not have that level of access or were wary of detection,” Landewe said.