How Phishing Messages Break Through Email Filters


Phishing remains a persistent danger: an email-based threat through which attackers harvest user credentials and distribute malware.

The APWG’s Phishing Activity Trends Report for Q1 2024 recorded more than 963,000 attacks.


In Business Email Compromise (BEC) fraud, the average wire transfer request rose 50% to $84,000 per transaction.

This spike highlights phishing’s role in the cybercrime economy and shows the need for innovative anti-phishing measures.

Cybersecurity researchers at LevelBlue Labs recently unveiled how phishing messages break through email filters.

Technical Analysis

To evade security measures, threat actors employ sophisticated evasion techniques, including multi-step schemes such as:

  • Voice phishing (vishing) with email lures.
  • Exploiting compromised SharePoint accounts to distribute malicious OneNote documents.
  • Sending targeted phishing emails from legitimate personal accounts (for example @yahoo.com addresses).

Not only that, but they also use social engineering, create urgency, and leverage trusted domains to appear legitimate.

On the technical side, the campaigns exploited the limitations of Secure Email Gateways (SEGs): the messages passed SPF/DKIM/DMARC checks, the attackers used valid SSL certificates, and they targeted small groups of recipients to stay below the threshold of volume-based filters.

Threat actors can also use OSINT techniques to personalize their attacks, which makes data broker removal services valuable for potential victims. With such TTPs, threat actors bypass Secure Email Gateways (SEGs).

One such method manipulates ZIP archives so that the file contains two “End of Central Directory” (EOCD) records instead of one. This lets the attacker hide malicious content inside an innocent-looking file: several SEGs inspect only the harmless “decoy” portion of the archive, so the info-stealing malware in the other portion reaches the victim’s system unexamined.
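As an added defender-side illustration (not code from the LevelBlue Labs research), the following Python builds two small stored ZIPs in memory, concatenates them so that the file carries two EOCD records, and shows that a parser trusting only the trailing EOCD (Python’s own zipfile) lists just the second archive’s members, while a scan from the start of the file finds both. The member names and payloads are constructed sample data.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory record signature
CEN_SIG = b"PK\x01\x02"   # central directory file header signature

def build_zip(name, payload):
    """Build a minimal stored ZIP in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def names_in_central_dir(data, cd_start, entries):
    """Walk a central directory starting at cd_start and collect member names."""
    names, p = [], cd_start
    for _ in range(entries):
        if data[p:p + 4] != CEN_SIG:
            break
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[p + 28:p + 34])
        names.append(data[p + 46:p + 46 + name_len].decode("utf-8", "replace"))
        p += 46 + name_len + extra_len + comment_len
    return names

def find_archives(data):
    """Scan from the start and return the member list of every archive whose
    EOCD appears in data: a normal ZIP gives one list, a double-EOCD file two."""
    archives = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + 22 <= len(data):
            # EOCD fields: disk, cd_disk, entries_on_disk, entries, cd_size, cd_offset, comment_len
            _, _, _, entries, cd_size, _, _ = struct.unpack("<HHHHIIH", data[pos + 4:pos + 22])
            cd_start = pos - cd_size
            # A genuine EOCD directly follows its central directory; this check also
            # rejects chance matches of the signature inside compressed data.
            if cd_start >= 0 and data[cd_start:cd_start + 4] == CEN_SIG:
                archives.append(names_in_central_dir(data, cd_start, entries))
        pos = data.find(EOCD_SIG, pos + 1)
    return archives

def inspect_zip(data):
    """Compare the from-the-start scan with what a trailing-EOCD parser (zipfile) sees."""
    archives = find_archives(data)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        seen = zf.namelist()
    return {"eocd_count": len(archives), "archives": archives,
            "zipfile_sees": seen, "suspicious": len(archives) > 1}
```

A gateway that flags any attachment where `eocd_count` exceeds one, or whose scanner and final parser disagree on the member list, closes the gap this technique relies on.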

Another tactic reverses the text in the email’s source code so that the message only reads correctly in its final rendered form.

This approach exploits the different directional flows of Latin (left-to-right) and Arabic (right-to-left) script, possibly combined with CSS, so that the reversed text in the source is displayed in the intended order to the recipient.

All these methods let malicious content evade detection because it does not match known phishing templates, so users must remain vigilant against evolving phishing attempts.
