Check Point Email Security | Blog

The Static Expressway: Leveraging Legit Sites to Get to the Inbox

Written by Jeremy Fuchs | June 22, 2021

We've been writing a lot lately about how hackers are leveraging legitimate services as attack vectors. This trend is not going away, whether it's Google Docs, MailGun, FlipSnack, or Movable Ink. Why? Because it works, leveraging static lists to get to the end-user. Call it the Static Expressway: a straight ticket to the inbox.

This latest attack looks like this:

 

This email presents a very legitimate body with proper grammar and keywords that users may expect. This attacker is mimicking vonage.com's eFax delivery confirmation. To those who regularly receive this type of email, it looks routine, and it's likely that they will immediately click on the phishing link embedded in the "View Document Here" button.

That's what the hackers want. The link embedded within the button is hosted using HostGator's temporary hosting services. We've also seen similar attack attempts, all of which bypassed Proofpoint, that link to other landing pages hosted by HostGator.

Hackers leverage these legitimate services because they tend to be on a static Allow List. That means threat actors have an express lane into the user's inbox. 
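To make the gap concrete, here is an added example (not code from the original post or from any vendor's product) that compares a static Allow List decision with a check that refuses to let tenant-hosted or off-brand links inherit the hosting provider's trust. The domain names, the brand map, and the sample message are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# All names below are constructed for illustration; none come from the post.
STATIC_ALLOW_LIST = {"hosting-provider.example"}        # provider trusted wholesale
SHARED_HOSTING_SUFFIXES = {"hosting-provider.example"}  # tenants publish on subdomains
BRAND_DOMAINS = {"vonage": {"vonage.com"}}              # brand keyword -> its own domains

SAMPLE_EMAIL = """<html><body><p>Vonage eFax delivery confirmation</p>
<a href="http://tenant123.hosting-provider.example/fax/">View Document Here</a>
</body></html>"""

class LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        # Collect href values from anchor tags only.
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def static_verdict(host):
    """Static allow list: any host under a listed domain skips scanning."""
    return "allow" if any(under(host, d) for d in STATIC_ALLOW_LIST) else "scan"

def content_aware_verdict(host, body):
    """Refuse to let tenant content or off-brand links inherit provider trust."""
    reasons = []
    if any(under(host, s) and host != s for s in SHARED_HOSTING_SUFFIXES):
        reasons.append("tenant subdomain of shared hosting")
    for brand, domains in BRAND_DOMAINS.items():
        if brand in body.lower() and not any(under(host, d) for d in domains):
            reasons.append(f"body names {brand} but link leaves its domains")
    return ("scan" if reasons else static_verdict(host)), reasons

def evaluate(email_html):
    """Return (host, static verdict, content-aware verdict, reasons) per link."""
    parser = LinkExtractor()
    parser.feed(email_html)
    rows = []
    for url in parser.links:
        host = (urlsplit(url).hostname or "").lower()
        verdict, reasons = content_aware_verdict(host, email_html)
        rows.append((host, static_verdict(host), verdict, reasons))
    return rows
```

Calling `evaluate(SAMPLE_EMAIL)` shows the same link receiving `allow` from the static list and `scan` from the content-aware check, with the reasons listed.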

Once again, we see how static Allow Lists simply don't work. Utilizing a multi-tiered security solution like Avanan's is crucial because it allows emails to be caught by Avanan's AI.