This classic tactic is making a comeback and is elegantly simple to execute, yet complex enough to keep email scanning solutions from recognizing it as malicious.
Malicious attachments are nothing new; there are countless examples of how threat actors embed malicious code, links, etc. into attachments as the delivery vehicle. Most email scanning solutions either scan attachments or “detonate” them in a virtual sandbox to see the behavior of the attachment once run.
But an old method of embedding malicious content is making a comeback, according to security researchers at Avanan. The malicious content is placed in an .eml file (which is interpreted as an email and can contain plain ASCII text for the headers and main message body, as well as hyperlinks and attachments), and the .eml file is then attached to the phishing email itself.
The end result is that security solutions “overlook” the malicious content within the .eml file, leaving the threat actor with a viable mechanism to move the would-be victim towards performing the needed malicious action – be it clicking a link, opening a webpage, or providing credentials.
In the case of the example provided by Avanan, the .eml file points the victim to a supposed PDF file using Office 365 branding to establish legitimacy. Upon clicking the link to see the bogus PDF, an impersonated Office 365 logon screen is presented to capture the user’s credentials.
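As an added illustration of the detection gap described above (this is example code written for this article, not Avanan's tooling), the Python script below parses a message and reports every link it finds, descending into attached .eml files, whether they arrive as proper message/rfc822 parts or as opaque blobs named *.eml. The sample messages it builds are constructed here with placeholder .invalid domains.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

URL_RE = re.compile(r'https?://[^\s"\'<>]+')

def collect_links(msg, depth=0):
    """Return [(depth, url), ...] for every URL in the text parts of msg,
    descending into attached messages (message/rfc822 parts or *.eml blobs)
    and incrementing depth so links hidden in a nested mail stand out."""
    found, fname = [], (msg.get_filename() or "").lower()
    if msg.get_content_type() == "message/rfc822":
        for inner in msg.get_payload():          # payload is [nested message]
            found.extend(collect_links(inner, depth + 1))
    elif fname.endswith(".eml"):                 # .eml shipped as an opaque blob
        raw = msg.get_payload(decode=True)
        found.extend(collect_links(BytesParser(policy=policy.default).parsebytes(raw), depth + 1))
    elif msg.is_multipart():
        for part in msg.get_payload():
            found.extend(collect_links(part, depth))
    elif msg.get_content_type() in ("text/plain", "text/html"):
        found.extend((depth, url) for url in URL_RE.findall(msg.get_content()))
    return found

def scan(raw_bytes):
    """Parse a raw RFC 5322 message; any (depth >= 1, url) result is a link that
    a scanner stopping at the outer body would never see."""
    return collect_links(BytesParser(policy=policy.default).parsebytes(raw_bytes))

def build_sample(as_blob=False):
    """Constructed sample (placeholder .invalid domains): outer mail with an
    attached .eml whose HTML body links to a fake 'view your PDF' page."""
    inner = EmailMessage()
    inner["Subject"], inner["From"] = "Your document is ready", "no-reply@docs.example.invalid"
    inner["To"] = "victim@example.invalid"
    inner.set_content("Please review the shared PDF.")
    inner.add_alternative('<p>Your PDF is ready: <a href="https://login-example.invalid/pdf">'
                          'View document</a></p>', subtype="html")
    outer = EmailMessage()
    outer["Subject"], outer["From"] = "FW: Document shared with you", "colleague@example.invalid"
    outer["To"] = "victim@example.invalid"
    outer.set_content("See the attached message. Policy: https://intranet.example.invalid/help")
    if as_blob:   # some clients attach the .eml as application/octet-stream
        outer.add_attachment(inner.as_bytes(), maintype="application",
                             subtype="octet-stream", filename="Document.eml")
    else:         # the usual message/rfc822 part
        outer.add_attachment(inner, filename="Document.eml")
    return outer.as_bytes()
```

Running `scan(build_sample())` yields the intranet link at depth 0 and the fake PDF link at depth 1; a gateway rule that treats any depth 1 link the same way it treats a link in the outer body closes the gap the article describes.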
The .eml angle is pretty dangerous. It’s not often that we as business professionals send an email as an attachment to another email, but it does happen, so it is not completely inappropriate for a user to see this kind of email in the wild.
Users need to be educated on these kinds of tactics and to maintain a sense of vigilance with Security Awareness Training so that they treat emails like these – that seem just a bit out of the ordinary – as suspicious from the start, helping to minimize the risk that they fall for the scam.