Over the last three days, we have seen over 800 phishing emails sent to 11 different clients that try to leverage the language normally used by physical or online scanners.

This type of phishing email is in no way new; we have been seeing scanner impersonation attempts for years. Avanan first started catching these emails using ML and AI; however, now that this exact format has been seen so many times (with slight changes), even an unsophisticated solution should be able to catch these attacks.

In the example below, the attackers target an email group rather than specific users, because that way the message lands in multiple users' mailboxes at once. Here's what the email, which ATP missed, looks like:


Normally such an attachment is the electronic version of a document the user scanned, or one that someone else sent them. In these phishing emails, however, it is a very basic HTML file that loads a webpage with some JavaScript:


The industry treats JavaScript in an email attachment as suspicious, and that alone would be enough for many simple security vendors to block this email. Some security vendors go a step further and scan every JavaScript snippet to see what the code is trying to do: if it calls suspicious functions like `unescape`, they may block the email, and if it loads a web page, they may then scan that webpage for malicious code.

At the time of writing, the webpage this attack's attachment loads is unavailable, and the page's history shows high traffic but little activity, which tells us that the attackers have not yet made this webpage's payload live. This is a clever strategy: the attackers first make sure their email has reached a significant number of mailboxes and only then make the malicious payload live, so the email bypasses any security vendor that only scans a URL at the time of delivery. Avanan offers ClickTime protection, which scans URLs at the moment a user clicks the link. If the scan shows malicious code being executed, the user is presented with a block page; if the scan shows nothing suspicious, the user is taken to the webpage as normal. So no matter when attackers choose to take a link live, Avanan's customers are protected, while also avoiding the many false positives that static rule-based URL filtering causes.
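As an added illustration of the two checks discussed above (this is not Avanan's code or the page the attackers host), the following Python script builds a constructed scanner-style lure with a small HTML attachment, flags HTML attachments that contain JavaScript, records suspicious calls such as `unescape`, and extracts the URLs the page would load, including one hidden behind percent-encoding, so they can be re-scanned later rather than only at delivery. The sender, recipient, filename and hostname are placeholders, not indicators from the original post.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import unquote

# Constructed lure: the HTML attachment's JavaScript decodes a
# percent-encoded URL with unescape() and redirects the browser to it.
# The hostname is a placeholder, not an indicator from the original post.
SAMPLE_HTML = ("<html><body><script>"
               "var u=unescape('%68ttp%73://attacker.invalid/doc.php');"
               "window.location=u;</script></body></html>")

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
SUSPICIOUS_CALLS = re.compile(r"\b(unescape|eval|atob|document\.write)\s*\(")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def build_sample_message() -> bytes:
    """Assemble the constructed lure as raw RFC 5322 bytes."""
    msg = EmailMessage()
    msg["From"] = "copier@example.invalid"
    msg["To"] = "all-staff@example.invalid"   # a group address, as in the post
    msg["Subject"] = "Scanned document from copier"
    msg.set_content("Please find your scanned document attached.")
    msg.add_attachment(SAMPLE_HTML, subtype="html", filename="Scan_0001.htm")
    return msg.as_bytes()

def scan_html_attachments(raw: bytes) -> list:
    """Return one finding per HTML attachment that carries JavaScript."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not fname.lower().endswith((".htm", ".html")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):
            body = body.decode("utf-8", errors="replace")
        if not SCRIPT_TAG.search(body):
            continue    # plain HTML without a script is not this lure's pattern
        # Also percent-decode, so a URL hidden behind unescape() is recovered
        # and can be re-scanned at click time, not only at delivery.
        urls = set(URL_RE.findall(body)) | set(URL_RE.findall(unquote(body)))
        findings.append({"filename": fname,
                         "suspicious_calls": sorted(set(SUSPICIOUS_CALLS.findall(body))),
                         "urls": sorted(urls)})
    return findings

if __name__ == "__main__":
    for finding in scan_html_attachments(build_sample_message()):
        print(finding)
```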
