Avanan researchers have uncovered a specific attack that was seen 282 times across 18 different environments in the past two weeks. This attack leverages Flipsnack, a free HTML5 flipbook creator. Flipsnack, a legitimate file-hosting service, allows creators to upload animations in the form of HTML files onto their websites, which are then available for anyone to view with a simple link.
In this case, the files uploaded to Flipsnack weren't clever flipbooks. Instead, they were malicious files.
This attack passed by ATP, Mimecast and Proofpoint's scanners. Avanan stopped this attack in all instances.
Here's what the attack looks like:
Multiple compromised domains were used to provide false legitimacy to the emails; each email claims to present a proposal from a different company. All the malicious proposal files are hosted on Flipsnack.
The use of a legitimate service like Flipsnack is similar to attackers using Dropbox, Drive, etc. to host malicious files. But because of the popularity of Dropbox, Drive, etc., those services have been added to ATP and SEG static filters, so attackers are always on the hunt for new, legitimate services that serve HTML files for free. Flipsnack was quick to detect and remove the malicious HTML files.
Each email was also sent from a different compromised business email address whose domain doesn't have proper SPF and DMARC checks in place. We saw over 11 different domains being used for this attack, which increases the attackers' chances of getting past ATP's and SEG's static domain blocklists. That's because the fastest way to get on a blocklist is to send out hundreds of emails from a single domain; this technique avoids that. Beyond that, savvy users could spot the phishing, report individual domains and have the entire operation shut down. By spreading the risk among many legitimate, but compromised, business email addresses, attackers drastically reduce their chances of being detected.
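The two signals described above (links pointing at a free HTML-hosting service, and a sender domain with no SPF record or no enforcing DMARC policy) can be checked per message without relying on a domain blocklist. This is an added example, not Avanan's code: the DNS records and sender domains are constructed stand-ins, and `lookup_txt` would be replaced by a real resolver in practice.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Free HTML-hosting services seen abused; Flipsnack is the one from this campaign.
HTML_HOSTING_DOMAINS = {"flipsnack.com"}
# Constructed stand-in for DNS TXT lookups (SPF at the apex, DMARC at _dmarc.<domain>);
# domains are illustrative. Swap lookup_txt() for a real resolver in production.
DNS_TXT = {
    "acme-proposals.example": ["v=spf1 include:_spf.example -all"],
    "_dmarc.acme-proposals.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@acme-proposals.example"],
    "northwind-llc.example": [],  # compromised sender: no SPF, no DMARC
}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def lookup_txt(name):
    return DNS_TXT.get(name.lower(), [])

def sender_auth_posture(domain):
    """Return (has_spf, dmarc_policy); dmarc_policy is None when no DMARC record exists."""
    has_spf = any(r.lower().startswith("v=spf1") for r in lookup_txt(domain))
    policy = None
    for r in lookup_txt(f"_dmarc.{domain}"):
        m = re.search(r"\bp=(none|quarantine|reject)", r, re.I)
        if r.lower().startswith("v=dmarc1") and m:
            policy = m.group(1).lower()
    return has_spf, policy

def score_message(raw):
    """Return the reasons a message matches this lure pattern; an empty list means clean."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hosts = {h.lower() for h in URL_RE.findall(msg.get_payload())}
    abused = sorted(h for h in hosts
                    if any(h == d or h.endswith("." + d) for d in HTML_HOSTING_DOMAINS))
    reasons = []
    if abused:
        reasons.append(f"links to free HTML hosting: {abused}")
    has_spf, policy = sender_auth_posture(domain)
    if not has_spf:
        reasons.append(f"sender domain {domain} publishes no SPF record")
    if policy not in ("quarantine", "reject"):
        reasons.append(f"sender domain {domain} has no enforcing DMARC policy")
    return reasons

# Constructed samples: a lure shaped like the campaign and an ordinary business mail.
PHISH = ("From: Accounts <ap@northwind-llc.example>\nSubject: Proposal for review\n\n"
         "Please review our proposal: https://www.flipsnack.com/EXAMPLE/proposal.html\n")
LEGIT = ("From: Sales <sales@acme-proposals.example>\nSubject: Q3 proposal\n\n"
         "The deck is on our intranet: https://intranet.acme-proposals.example/q3\n")
```

Calling `score_message(PHISH)` returns three reasons while `score_message(LEGIT)` returns an empty list; a domain that merely lacks DMARC enforcement is a weaker signal on its own and is best combined with the hosting-link check as shown.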
Avanan caught this activity because of our tried-and-true mechanism of using AI and sender reputation, rather than static blocklists, to determine the legitimacy of emails.