While attachment threat vectors are one of the oldest malware-spreading tricks in the books, email users are still clicking on malicious attachments that hit their inbox, whether it’s a purported “job offer” or a pretend “critical invoice.”
The reason why threat actors are still relying on this age-old tactic, researchers say, is that the attack is still working. Even with widespread public awareness about malicious file attachments, attackers are upping their game with new tricks to avoid detection, bypass email protections and more. The attack vector is still widespread enough where tech giants are re-inventing new ways to try to stomp it out, with Microsoft just this week rolling out a feature for Office 365 that aims to protect users against malicious attachments sent via email, for instance.
“Email attachments, such as PDF or Office files, are an easy vector to deliver malicious content to end users,” Mohit Tiwari, Co-Founder and CEO at Symmetry Systems, told Threatpost. “For enterprises, the risk is that malicious actors can use these attachments to establish a toe-hold at the outermost edges of the enterprise, and then wait and wind their way to the crown jewels in their data stores.”
New Tactics
The 2020 Verizon Data Breach Investigations Report (DBIR) found that email attachment is a top malware vector that leads to data breaches, with almost 20 percent of malware attacks being deployed via email attachments. Email links are the top vector with 40 percent of attacks using this method.
While malware-laced attachments such as ZIPs, PDF, and MS office files (including DOC and XLSM file attachments) are more commonly used attachments, researchers warn that threat actors are starting to look to newer attachments – like disc image files (ISO or IMG files that store the content and structure of an entire disk, like a DVD or Blue-Ray) – as a way to increasingly spread malware.
The use of differing “lures” – used with social engineering to convince targets to open the attachment – is also evolving. Researchers noted huge spikes in tax-themed spam campaigns in March 2019 that were utilizing DOC and XLSM (macro-enabled spreadsheet created by Microsoft Excel) files to deliver the Trickbot modular banking trojan, for instance. That’s only gotten worse this year with the current pandemic, as cyberattackers look to send malicious attachments under the guise of Covid information, work from home related resources and other critical information.
Malicious attachments aren’t just sent via email anymore, either. The nation-state threat operator Lazarus Group recently targeted targeted admins at a cryptocurrency firm via with malicious documents sent via LinkedIn messages, for instance.
Updated Defenses
Even while threat actors step up their email based attacks, email providers and productivity application companies are also taking steps forward to stomp out this common threat vector. In 2019, Microsoft banned almost 40 new types of file extensions on its Outlook email platform, in hopes that the move would prevent users from downloading email attachments with various file extensions (including ones associated with Python, PowerShell, digital certificates, Java and more). Google has a similar policy for its Gmail email service and has blocked certain types of files, including their compressed form (like .gz or .bz2 files) or when found within archives (like .zip or .tgz files).
Microsoft this week meanwhile is rolling out a long anticipated Office 365 feature, Application Guard for Office, which isolates Office 365 productivity application files (including Word, Powerpoint and Excel) that are potentially malicious. The tool takes aim at a common attack vector – spear phishing campaigns and other web based attacks – which will use Word documents or other Office based attachments as a vehicle for malware. The feature is currently available on public preview. This is a status where the Microsoft product or service isn’t complete, but is made available on a preview basis so that customers can get early access and provide feedback.
“Files from the internet and other potentially unsafe locations can contain viruses, worms, or other kinds of malware that can harm your users’ computer and data,” said Microsoft in a post this week. “To help protect your users, Office opens files from potentially unsafe locations in Application Guard, a secure container that is isolated from the device through hardware-based virtualization.”
Application Guard specifically protects against files that are downloaded from domains that aren’t part of either the local intranet or a “Trusted Sites” domain on a user’s device, files that were received as email attachments from senders outside the user’s organization, files that were received from other kinds of internet messaging or sharing services or files opened from a OneDrive or SharePoint location outside the user’s organization.
“Features such as these will be continually developed to combat a constantly changing battleground in cyber security,” Justin Kezer, Managing Consultant at nVisium, told Threatpost. However, Kezer said, “the challenge is that email providers will continue to struggle because the security around email is opt-in rather than an opt-out policy.”
“Companies will need to properly configure their Active Directory and implement this new feature broadly, however, the unfortunate reality is that most companies do not implement these features due to the perceived business impact,” said Kezer.
This conundrum points to one of the biggest issues in defending against malicious attachment attacks: The end users and enterprises organizations themselves.
Researchers with Proofpoint surveyed enterprises’ prioritization of protecting against three types of phishing lures – links, attachments and data entry request. Though attachment tests were low on organizations’ priority lists during 2019, they proved the most effective in fooling users. In simulated phishing tests deployed by organizations to test their employees, most of the phishing tests with the highest failure rates (65 percent) were attachment-based.
This shows that user education – and the willingness of enterprises to prioritize protecting against attachment based threat vectors – are important staples in defending against these types of attacks, researchers said.
“The common bonds and the subject lines in these lists all reinforce our advice to test attachment vulnerabilities more frequently and to add more personalization to simulated phishing campaigns. Even if you see attachment-based attacks less frequently, they are going to be a problem for your organization if almost all users fall for them,” according to Proofpoint.
On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Resister today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.