Malicious Email—Today’s New and Evolving Threats

Malicious Email—Today’s New and Evolving ThreatsIn combination with advanced detection technologies, SilverSky’s Threat Intelligence Team delivers Targeted Attack Protection (TAP), a product within SilverSky’s Email Protection Suite (EPS). TAP detects advanced malicious email threats through static and dynamic analysis of attachments, websites, and downloads linked to inbound emails.

This article shares some meaningful malicious email detections and new threats the team has identified within the past few months. For a more complete look at detected and new threats and threat analysis and detection trends, we invite you to access and subscribe to our Malicious Email Activity Report Library.

Malicious Email Attacks of Interest

Covid-19 Agent Tesla Variants

Agent Tesla, an information-stealing malware, has been used extensively in email attack campaigns. TAP has been seeing the exploit of Agent Tesla variants widely since the outbreak of the COVID-19 virus in January 2020. This month’s detection starts with a phishing email containing a “Purchase-Order” themed attachment. Disguised as an RTF file, the payload is seen to exploit CVE-2017-11882, a stack buffer overflow, and the catalyst to delivering Agent Tesla. Using code injection in a Windows process, the injected process performs all malware activity and, subsequently, sends it to the C2 server. It has also been observed that the attachment within this email contains OLE2Link, which triggers the execution of scripts without any user interaction. The file then executes Powershell.exe to download and execute the Agent Tesla malware.

Voicemail Attacks Targeting Office 365 Users

Cybercriminals are using coronavirus-themed voicemail notifications in the latest efforts to steal credentials. The attachment consists of an audio file with a phishing URL hidden in it. When the user clicks on the file, they are directed to the Microsoft Office 365 (O365) phishing page requiring login credentials. 

Increased Abuse of Google APIs

TAP has observed a significant increase in Google APIs phishing URLs whereby hackers use Google Cloud Storage (GCS) to host phishing kits and redirect users to harmful pages on their malicious websites. According to our investigation, this campaign is a part of a mass-distributed general phishing campaign; however, there is no evidence to confirm these cases as if they are a part of a targeted attack or related to a special hacking group. Weaponizing third-party services, instead of hosting their own malicious websites, is a new trend among cybercriminals. Besides that, this method also has the capability to infect the devices of users with different kinds of malware such as ransomware.

Agent Tesla with WHO “Method” for Covid19

We noticed an email phishing campaign sent by threat actors spoofing the real address of the head of the World Health Organization (WHO), one of the premier scientific resources on Covid19, claims method/preventive measures against Covid19 disease. The malicious email attachment named “Method_COVID2019_Safety.pdf.rar” contains the Trojan agent compressed in Archive RAR file format with .pdf extension to trick users. The email came to the recipient’s inboxes allegedly from the WHO, with a sender email address of World Health Organization <who[@]astaylojstlk.com>. Notice that the sender’s email address domain is “astaylojstlk[.]com” when legitimate WHO email addresses instead end with “who.int.” Once the recipient opens and runs the attachment, GuLoader, used to load the real payload, installs Agent Tesla, trojan written in Visual Basic that can steal usernames, passwords, and credit card information from the user’s system.

Phishing Campaign Installing NetSupport Manager RAT

The infection chain starts with a phishing email bearing a Microsoft Word document laced with malicious macro code. The attachment named “NortonLifeLock” is a password-protected file that tricks the user into opening the document. The password for opening the file is probably contained in the email that delivers the attachment. Upon enabling the macros, a dialog box appears asking for the password. Entering the password then triggers malicious code execution, which then leads to the deployment of NetSupport Manager RAT. Following its instruction, the attacker gains complete access to the targeted system. 

Conversation Hijacking Attacks

There has been a rise in cybercriminals using a novel phishing technique to trick employees into unwittingly installing malware, transferring money, or handing over their login credentials. In conversation-hijacking attacks, hackers infiltrate real business email threads by exploiting previously compromised credentials, which they may have purchased on dark web forums, stolen or accessed via brute force attacks, before inserting themselves into the conversation in the guise of one of the group. Once they gain access to the account, attackers will spend time reading through conversations, researching their victims, and looking for any deals or valuable conversations into which they can insert themselves. The idea is that by using the identity of a real person and mimicking the language that they use in emails, the phishing attack will be viewed as coming from a trusted colleague and is thus much more likely to be successful.

SilverSky’s Malicious Email Activity Report Library houses monthly reports offering a detailed look at detected and new threats for a given month. Additionally, each report offers monthly threat analysis and detection trends. We invite you to access and subscribe to our Malicious Email Activity Report Library and don’t hesitate to contact us if you need help strengthening your email security program.

Head of Product Management, Email Protection and Cloud Email , SilverSky
SilverSky offers a comprehensive suite of products and services that deliver unprecedented simplicity and expertise for compliance and cybersecurity programs.
follow me

Previous

Next

Managed Detection and Response

Comprehensive solutions to detect, prioritize, and address security incidents.

Managed Security Services

24 X 7 X 365 monitoring, management, and system maintenance.

Email Protection Suite

Monitor and manage your email environment with advanced email security and compliance protections.

Cloud Email and Collaboration

Cloud office productivity enhanced with proven security and compliance protection.

How does SilverSky's integrated stack of solutions meet your needs?

Compliance and Risk Services

Assess your program and controls, benchmark and identify areas for improvement. Develop your security roadmap for investment and improvements. Effectively measure ROI and impact on your security posture

Incident Response Readiness

Incident Response Plan Development / Review. Incident Response Readiness Review. Emergency Incident Response.

Discuss your compliance, risk management and incident response readiness needs.

Schedule Free 1-on-1 Consultation

Financial Services

1,500+ small & mid-sized financial institutions rely on SilverSky to meet and exceed FFEIC, GLBA and PCI DSS requirements and overall cybersecurity needs.

Healthcare

Hundreds of small & mid-sized healthcare organizations rely on SilverSky to address HIPAA and other regulatory requirements and serve overall cybersecurity needs.

Retail

Small and mid-sized retail organizations count on SilverSky to maintain PCI DSS requirements, secure customer data and reduce cybersecurity threats.

How Exposed Are You?

Take the test to see how your security program compares with other businesses like yours.

Resources

White papers, guides, tools, on-demand webinars, case studies and more. Explore a range of topics. 

Events & Webinars

Blog

Product Sheets

SilverSky product and services information at your fingertips. Product data sheets, compliance matrixes, & brochures.

How Exposed Are You?

Take the test to see how your security program compares with other businesses like yours.

Become A Partner

Partner with SilverSky to tap into the approaching $300 billion+ cybersecurity market.

Talk to one of our partner managers and consider expanding your cybersecurity offerings.

Schedule Partner Exploration Discussion

Share This