Emails have become a popular method of communication globally, used by individuals and organizations of all sizes and industries. However, phishing emails pose a serious threat, being a common tactic used by cybercriminals to gain access to systems.
Phishing emails are not limited to credential harvesting but also include sending malicious links or attachments to deploy malware, as outlined in the MITRE ATT&CK framework. The FBI’s Internet Crime Report consistently identifies phishing as a top cybercrime type, often used by ransomware attackers to gain initial access.
Cybercriminals continuously adapt their techniques to deceive users, making phishing a profitable endeavor. In 2022, successful phishing attacks led to a 76% increase in financial losses. As a result, security teams must filter and inspect numerous emails to prevent phishing attacks.
Threat actors use various methods, such as hiding malicious links behind QR codes, to evade detection by email security tools. This blog explores how threat actors make phishing emails appear legitimate and deliver malware to victims, providing insights into identifying and investigating malicious emails.
Threat actors leverage emails to gain initial access, launch attacks, steal information, install backdoors, and cause further damage. Attachments and links are common delivery methods for deploying malicious content in phishing emails.
Inspecting email headers and bodies is crucial for identifying malicious emails. Understanding sender addresses, email headers, and suspicious indicators can help detect phishing emails. By examining fields like “From,” “To,” and “Received,” analysts can uncover clues that reveal the true nature of an email.
Emails are like letters passing through different servers before reaching their destination, similar to how post offices work. Each server adds a layer of information containing a timestamp and details about the server it received the email from, resulting in multiple “Received” fields in some emails. Thus, it’s important to inspect the email header from bottom to top for a clearer understanding.
– The “Return-Path” specifies the address to return the mail.
– A “DKIM signature” verifies the authenticity of the sender using public key cryptography.
– “SPF” determines authorized mail servers for sending emails for a domain to prevent unauthorized use.
– “DMARC” is another authentication protocol using DKIM or SPF information to safeguard domains from phishing and spoofing attacks.
Other header fields to be aware of include:
– “MIME-version” extends email format for non-ASCII characters, audio, video, and applications.
– “Message-ID” is a unique identifier in emails.
– “X-header” are custom headers like X-Originating-IP and X-Spam-Status for additional information.
Inspecting email attachments is crucial as they can contain malicious code. Threat actors may use double extensions or Right-to-Left Override to disguise executable files within seemingly harmless files. Tools like OutlookAttachView, Msg-extractor, and Eml-extractor can help extract and analyze attachments for potential threats.
Commonly used attachment file types in malicious emails include Microsoft Office files and PDFs, which are often exploited by threat actors. It’s essential to understand these file formats and techniques used by attackers to hide malware within them. In addition to the risks posed by PDF readers and vulnerabilities, attackers can exploit specially crafted PDF files to execute code on endpoints. Tools and methods exist to inspect PDF files for malicious content, as detailed in our post on analyzing PDF files.
ZIP and RAR archive files are another common vector for malware distribution, as attackers can compress malicious executables and attach them to emails. Threat actors may also use password-protected archives or decoy files to evade detection. Similarly, ISO and IMG disk image files are used to bypass email-based antivirus scanners, allowing malware to execute without user warning.
To streamline the analysis of email attachments, tools like Intezer can automatically collect and classify files to identify malicious content. When inspecting links in emails, it’s important to use URL scanners to check for known malicious addresses and investigate further if needed.
Our research team uncovered phishing campaigns targeting large international companies with attachments containing known malware like Agent Tesla and Loki. By analyzing these attachments with Intezer, we were able to identify and attribute the malicious files to specific threat actors.
In a real-life example, a phishing campaign targeting government entities in Georgia used shortened URLs to redirect victims to malicious files hosted on a command and control server. The attachments varied in format and payload, with the goal of stealing files from infected systems. By analyzing these phishing emails, organizations can better understand the tactics and techniques used by threat actors to evade detection and compromise systems. Translation from Ukrainian – Subject: “Payments to ATO Veterans.” Content: “Please complete and return the form.” following sentence in a more concise manner:
“The company plans to implement new strategies in order to increase its market share and improve profitability.”
The company plans to implement new strategies to boost market share and profitability.
