SBS CyberSecurity is aware of a new style of phishing email that uses an initial link in an email to a legitimate website, pointing to user-editable content which contains the malicious link. Most of these emails are getting by filters because the initial link is to a reputable site. We’ve seen Microsoft Office 365 Advanced Threat Protection (ATP) catch one of these new phishing emails, but not immediately.
Who Can Be Affected?
Anyone who receives email.
How Does This Attack Work?
Attackers appear to be using compromised email address books to send legitimate-looking emails from legitimate contacts you may have received emails from before. The email contains a legitimate link to an online document from a provider such as Office 365, Evernote, or other reputable third parties, so the email is able to pass through all phishing filters to date. Microsoft does seem to be catching it in some of our tests, but not all, with their Office 365 ATP product once it finishes traversing all the linked and sub-linked content. The Evernote links have been untested by SBS. The message appears similar to this:
I just shared an invitation and proposal for your review and collaboration via One-note.
Carefully review below and don't hesitate to ask me any questions
<Legitimate link doc with harmful content linked>
Here is a screenshot of one of the link locations – a OneNote note/page:
As you can see, the image above is a view of a document that was accessed by clicking a link in an attacker’s email, as described above. Clicking the link and arriving at this document is not the malicious component of the attack, the document contained in this OneNote page is the actual malicious payload.
A screenshot of Microsoft’s Office 365 ATP catching the attack content:
Cuckoo – an Automated Malware Analysis tool - rates these links as “very suspicious”
Cuckoo also detected other parts of the attack normally unseen when a link is clicked.
What Can You Do?
Vigilance is always the first and best protection with this type of attack. If someone is sending you active content and it seems unexpected, call them and see if it’s something they actually sent to you. If you don’t normally receive Office 365 or Evernote-linked documents/presentations, OneNote items, or other editable content from the sender, then those emails should be considered suspicious.
This attack is so new that the phishing filters and spam filters aren’t catching it yet. So far, Office 365 ATP is the only product that has caught these attacks to our knowledge, but even that product took time to detect the email and the link as malicious.
Remember – if you receive an email:
- that you’re not expecting
- from someone that requires you to take an action you’ve not performed before
- asks you to perform an URGENT task that needs to be completed NOW
Please stop and ask questions. Make sure you’re 10,000% sure that the request, link, attachment, or task is legitimate before you take action. If not, ask questions until you are absolutely certain the request is legitimate.
Buzz Hillestad, SVP - Information Security Consultant - SBS CyberSecurity, LLC
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.