Skip to main content

Malicious Email—Today’s New and Evolving Threats

Malicious Email—Today’s New and Evolving Threats

In combination with advanced detection technologies, SilverSky’s Threat Intelligence Team delivers Targeted Attack Protection (TAP), a product within SilverSky’s Email Protection Suite (EPS). TAP detects advanced malicious email threats through static and dynamic analysis of attachments, websites, and downloads linked to inbound emails.

This article shares some meaningful malicious email detections and new threats the team has identified within the past few months. For a more complete look at detected and new threats and threat analysis and detection trends, we invite you to access and subscribe to our Malicious Email Activity Report Library.

Malicious Email Attacks of Interest

Covid-19 Agent Tesla Variants

Agent Tesla, an information-stealing malware, has been used extensively in email attack campaigns. TAP has been seeing the exploit of Agent Tesla variants widely since the outbreak of the COVID-19 virus in January 2020. This month’s detection starts with a phishing email containing a “Purchase-Order” themed attachment. Disguised as an RTF file, the payload is seen to exploit CVE-2017-11882, a stack buffer overflow, and the catalyst to delivering Agent Tesla. Using code injection in a Windows process, the injected process performs all malware activity and, subsequently, sends it to the C2 server. It has also been observed that the attachment within this email contains OLE2Link, which triggers the execution of scripts without any user interaction. The file then executes Powershell.exe to download and execute the Agent Tesla malware.

Voicemail Attacks Targeting Office 365 Users

Cybercriminals are using coronavirus-themed voicemail notifications in the latest efforts to steal credentials. The attachment consists of an audio file with a phishing URL hidden in it. When the user clicks on the file, they are directed to the Microsoft Office 365 (O365) phishing page requiring login credentials. 

Increased Abuse of Google APIs

TAP has observed a significant increase in Google APIs phishing URLs whereby hackers use Google Cloud Storage (GCS) to host phishing kits and redirect users to harmful pages on their malicious websites. According to our investigation, this campaign is a part of a mass-distributed general phishing campaign; however, there is no evidence to confirm these cases as if they are a part of a targeted attack or related to a special hacking group. Weaponizing third-party services, instead of hosting their own malicious websites, is a new trend among cybercriminals. Besides that, this method also has the capability to infect the devices of users with different kinds of malware such as ransomware.

Agent Tesla with WHO “Method” for Covid19

We noticed an email phishing campaign sent by threat actors spoofing the real address of the head of the World Health Organization (WHO), one of the premier scientific resources on Covid19, claims method/preventive measures against Covid19 disease. The malicious email attachment named “Method_COVID2019_Safety.pdf.rar” contains the Trojan agent compressed in Archive RAR file format with .pdf extension to trick users. The email came to the recipient’s inboxes allegedly from the WHO, with a sender email address of World Health Organization <who[@]>. Notice that the sender’s email address domain is “astaylojstlk[.]com” when legitimate WHO email addresses instead end with “” Once the recipient opens and runs the attachment, GuLoader, used to load the real payload, installs Agent Tesla, trojan written in Visual Basic that can steal usernames, passwords, and credit card information from the user’s system.

Phishing Campaign Installing NetSupport Manager RAT

The infection chain starts with a phishing email bearing a Microsoft Word document laced with malicious macro code. The attachment named “NortonLifeLock” is a password-protected file that tricks the user into opening the document. The password for opening the file is probably contained in the email that delivers the attachment. Upon enabling the macros, a dialog box appears asking for the password. Entering the password then triggers malicious code execution, which then leads to the deployment of NetSupport Manager RAT. Following its instruction, the attacker gains complete access to the targeted system.

Conversation Hijacking Attacks

There has been a rise in cybercriminals using a novel phishing technique to trick employees into unwittingly installing malware, transferring money, or handing over their login credentials. In conversation-hijacking attacks, hackers infiltrate real business email threads by exploiting previously compromised credentials, which they may have purchased on dark web forums, stolen or accessed via brute force attacks, before inserting themselves into the conversation in the guise of one of the group. Once they gain access to the account, attackers will spend time reading through conversations, researching their victims, and looking for any deals or valuable conversations into which they can insert themselves. The idea is that by using the identity of a real person and mimicking the language that they use in emails, the phishing attack will be viewed as coming from a trusted colleague and is thus much more likely to be successful.

SilverSky’s Malicious Email Activity Report Library houses monthly reports offering a detailed look at detected and new threats for a given month. Additionally, each report offers monthly threat analysis and detection trends. We invite you to access and subscribe to our Malicious Email Activity Report Library and don’t hesitate to contact us if you need help strengthening your email security program.