Malicious attachments continue to be a favorite cybercriminal threat vector | CyberNcrypt
Malicious attachments remain a significant threat vector in the cybercriminal world, even as public awareness grows and technology firms strengthen their security.
While attachments are one of the oldest malware-spreading techniques, email users continue to open dangerous documents that arrive in their inbox, whether it’s a phony “job offer” or a bogus “important invoice.”
Researchers believe that threat actors keep using this age-old strategy simply because it still works. Despite broad public awareness of dangerous file attachments, attackers are raising their game with new techniques to elude detection, circumvent email security, and more. The attack vector is still prevalent enough that IT giants are devising new methods to combat it; Microsoft, for example, released a tool for Office 365 just this week that seeks to protect users from malicious files delivered over email.
“Email attachments, such as PDF or Office files, are a simple route for delivering malicious material to end users,” said Symmetry Systems co-founder and CEO Mohit Tiwari. “The concern for companies is that hostile actors may utilize these attachments to gain a toehold at the enterprise’s outermost edges, then wait and wind their way to the crown jewels in their data storage.”
New Methods
According to the 2020 Verizon Data Breach Investigations Report (DBIR), email attachments remain the leading vector for malware that leads to data breaches, with about 20 percent of malware attacks being distributed through email attachments. Email links are the leading vector, accounting for 40 percent of all attacks.
While malware-laced attachments such as ZIPs, PDFs, and Microsoft Office files (including DOC and XLSM file attachments) are more commonly used, researchers warn that threat actors are increasingly turning to newer attachments, such as disc image files (ISO or IMG files that store the content and structure of an entire disc, such as a DVD or Blu-ray).
The use of various “lures” to persuade targets to open an attachment through social engineering is also evolving. In March 2019, for example, researchers saw significant increases in tax-related spam operations that used DOC and XLSM (Microsoft Excel macro-enabled spreadsheet) files to deliver the Trickbot modular banking trojan. During the current pandemic, cybercriminals are attempting to distribute harmful attachments under the pretext of Covid information, work-from-home resources, and other “vital” information.
Malicious attachments are no longer transmitted through email alone. Recently, for example, the nation-state threat operator Lazarus Group targeted administrators at a cryptocurrency company using malicious documents delivered through LinkedIn messaging.
Updated Defenses
Even as threat actors step up their email-based attacks, email service providers and productivity application firms are taking measures to shut down this prevalent attack route. In 2019, Microsoft blocked almost 40 additional file extension types on its Outlook email platform, preventing users from downloading email attachments of those kinds (including ones associated with Python, PowerShell, digital certificates, Java, and more). Google has a similar restriction for its Gmail email service and blocks some file formats, including compressed files (such as .gz and .bz2) and blocked file types contained inside archives (like .zip or .tgz files).
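The extension-based blocking described above is simple to reproduce at a mail gateway: compare each attachment’s extension (including every part of a double extension such as `invoice.pdf.exe`) against a blocklist, and recurse into archives so a blocked type cannot hide inside a .zip. The following is an added illustration, not Microsoft’s or Google’s code; the blocklist, the nesting limit and the sample attachments are constructed for the example, and the real vendor lists are longer and differ.

```python
import io
import zipfile
from typing import Dict, List

# Constructed blocklist for illustration only (lowercase, no dot). The vendor lists
# referenced in the article are longer; this one just covers the types the text names:
# scripts, certificates, Java, disc images and macro-enabled Office files.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "ps1", "py", "jar", "js", "vbs", "hta", "cer", "crt",
    "iso", "img", "xlsm", "docm",
}
ARCHIVE_EXTENSIONS = {"zip"}   # archive types we unpack in memory and inspect
MAX_DEPTH = 3                  # stop recursing into archives nested deeper than this
MAX_ENTRY_BYTES = 50_000_000   # refuse to expand any single entry larger than this


def extensions_of(name: str) -> List[str]:
    """All extension parts of a filename, lowercase, so 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def is_blocked_name(name: str) -> bool:
    """Block when any extension in the chain is listed, which also catches double extensions."""
    return any(ext in BLOCKED_EXTENSIONS for ext in extensions_of(name))


def scan_attachment(name: str, data: bytes, depth: int = 0) -> List[str]:
    """Return the reasons an attachment would be blocked; an empty list means allow.

    ZIP archives are opened in memory and their entries scanned recursively, with
    limits on nesting depth and entry size so a crafted archive cannot exhaust the gateway.
    """
    findings: List[str] = []
    if is_blocked_name(name):
        findings.append(f"blocked extension: {name}")
    exts = extensions_of(name)
    if exts and exts[-1] in ARCHIVE_EXTENSIONS:
        if depth >= MAX_DEPTH:
            findings.append(f"archive nesting exceeds {MAX_DEPTH}: {name}")
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    inner_name = f"{name}/{info.filename}"
                    if info.file_size > MAX_ENTRY_BYTES:
                        findings.append(f"entry too large to inspect: {inner_name}")
                        continue
                    findings.extend(scan_attachment(inner_name, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            findings.append(f"unreadable archive: {name}")
    return findings


def build_sample_zip(entries: Dict[str, bytes]) -> bytes:
    """Helper that builds a ZIP in memory from {filename: content} (used for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


def demo() -> Dict[str, List[str]]:
    """Scan three constructed attachments: a plain PDF, a disc image, and a nested archive."""
    inner = build_sample_zip({"invoice.pdf.exe": b"MZ constructed payload stand-in"})
    outer = build_sample_zip({"docs/readme.txt": b"hello", "nested.zip": inner})
    return {
        "pdf": scan_attachment("quarterly.pdf", b"%PDF constructed"),
        "iso": scan_attachment("Invoice.ISO", b"constructed image bytes"),
        "zip": scan_attachment("bundle.zip", outer),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result or "allow")
```

The size and depth limits are the part worth copying: a gateway that unpacks archives without them trades one problem (hidden executables) for another (resource exhaustion from deeply nested or highly compressed archives).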
Microsoft is releasing Application Guard for Office this week, a long-awaited Office 365 feature that isolates potentially harmful Office 365 productivity application files (including Word, PowerPoint, and Excel). The feature targets spear-phishing campaigns and other web-based attacks that leverage Word documents and other Office files to deliver malware. It is currently available in public preview, meaning the Microsoft product or service is not yet complete but is made available so that customers may offer feedback.
“Files from the internet and other potentially risky sources may include viruses, worms, and other malware that might damage your users’ computers and data,” Microsoft said in a blog post this week. Office opens files from potentially hazardous sources inside Application Guard, a secure container that is isolated from the device by hardware virtualization.
Application Guard specifically protects against files downloaded from domains that are neither part of the local intranet nor a “Trusted Sites” domain on the user’s device, files received as email attachments from senders outside the user’s organization, files received from other types of internet messaging or sharing services, and files opened from a OneDrive or SharePoint location outside the user’s organization.
Justin Kezer, managing consultant at nVisium, said that “features like this will continue to be created to address the continuously shifting cyber security battlefield.” However, Kezer said, “the difficulty is that email providers will continue to suffer due to the opt-in rather than opt-out nature of email security.”
“Companies will need to correctly set up their Active Directory and deploy this new function on a wide scale,” said Kezer. “However, the terrible fact is that the majority of businesses do not use these capabilities owing to the perceived commercial effect.”
This paradox highlights one of the greatest challenges in fighting malicious attachment attacks: the end users and the businesses themselves.
Proofpoint researchers examined the importance of defending against three forms of phishing lure: links, attachments, and data-entry requests. Although attachment tests were low on most businesses’ priority lists in 2019, they proved the most successful at fooling users. The majority of attachment-based simulated phishing tests with the greatest failure rates (65%) were run by enterprises to assess the security awareness of their personnel.
This demonstrates that user education – and the desire of organizations to prioritize attachment-based threat vector protection – are essential components for fighting against these sorts of assaults, according to experts.
“These lists’ commonalities and subject lines corroborate our recommendation that attachment vulnerabilities be tested more regularly and that more personalization be added to simulated phishing campaigns. Even if you see attachment-based assaults less often, they will be an issue for your business if the vast majority of your users fall for them,” according to Proofpoint.