By Adrien Gendre, Chief Product & Services Officer, Vade Secure
Ransomware hobbled businesses in 2020, while COVID-19 spawned an endless stream of cyberattacks. What both have in common is email. With 91 percent of cyberattacks beginning with an email, a single click can mean the difference between business as usual and an operational standstill. Here are three hacking techniques to watch out for in 2021.
- Leveraging images to bypass email filters
Image quality matters to the authenticity of a phishing email, but it is what goes on behind the image that makes the difference between detection and delivery. Known phishing emails, ones whose images have already been fingerprinted and blacklisted, can find their way back into inboxes through a series of image manipulation techniques that most email filters cannot detect.
Invisible to the naked eye, even a slight manipulation of an image makes a known phishing email look new to a filter that matches on exact fingerprints. By distorting the color, tone, or geometry of an image, a hacker can refresh a blacklisted phishing email with a "new" image and bypass any filter that cannot extract and analyze the content of images rather than just their bytes.
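Why a one-level tonal change is enough: the following is an added example, not part of this article and not Vade Secure's code. It builds a constructed grayscale image in memory (a gradient with a bright block standing in for a lure button), fingerprints it two ways, and then brightens every pixel by a single level, a change no reader would notice. The SHA-256 that an exact-match blacklist would key on changes completely, while an 8x8 average hash, the simplest perceptual hash, does not move at all; a genuinely different image lands dozens of bits away. The image data, the `average_hash` implementation and the grid size are all this example's own assumptions, not the filter internals of any product.

```python
import hashlib
from typing import Dict, List

Image = List[List[int]]  # rows of 8-bit grayscale pixels, constructed in memory


def make_image(size: int = 64, horizontal: bool = True) -> Image:
    """Constructed stand-in for a phishing image: a gradient plus a bright
    'button' block. The gradient runs left-to-right or top-to-bottom."""
    img = [
        [((x if horizontal else y) * 255) // (size - 1) for x in range(size)]
        for y in range(size)
    ]
    for y in range(size // 3, 2 * size // 3):
        for x in range(size // 3, 2 * size // 3):
            img[y][x] = 230
    return img


def sha256_of(img: Image) -> str:
    """Exact fingerprint, as a blacklist keyed on the raw image bytes would store it."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def average_hash(img: Image, grid: int = 8) -> int:
    """Perceptual hash (assumed here): shrink to grid x grid cells and set one bit
    per cell that is brighter than the mean cell. Small tonal or geometric edits
    leave most bits alone, which is what a content-aware filter needs."""
    h, w = len(img), len(img[0])
    cells = []
    for gy in range(grid):
        for gx in range(grid):
            y0, y1 = gy * h // grid, (gy + 1) * h // grid
            x0, x1 = gx * w // grid, (gx + 1) * w // grid
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | int(c > mean)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def nudge_tone(img: Image, delta: int = 1) -> Image:
    """Brighten every pixel by `delta` levels (clipped at 255): invisible to a
    reader, but nearly every byte of the image changes."""
    return [[min(255, max(0, v + delta)) for v in row] for row in img]


def compare_fingerprints() -> Dict[str, object]:
    """Exact hash vs perceptual hash for the original, a nudged copy, and an
    unrelated image (the same picture with the gradient turned 90 degrees)."""
    original = make_image()
    tweaked = nudge_tone(original)
    unrelated = make_image(horizontal=False)
    return {
        "sha256_changed": sha256_of(original) != sha256_of(tweaked),
        "ahash_distance": hamming(average_hash(original), average_hash(tweaked)),
        "unrelated_distance": hamming(average_hash(original), average_hash(unrelated)),
    }


if __name__ == "__main__":
    for key, value in compare_fingerprints().items():
        print(f"{key}: {value}")
```

A filter that stores only the exact hash treats the nudged image as never seen before, which is the bypass the paragraph describes. A perceptual hash with a distance threshold (a few bits out of 64) still matches it, but the image has to be decoded and analyzed first, which is exactly the cost the next paragraphs are about.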
Recently, we have been seeing an increase in the number of malicious emails containing remote-based images that carry the malicious text as pixels rather than as text in the message body. Embedded in the body of the email but hosted on outside domains, remote images must be fetched over the network before they can be analyzed, and that fetch cannot be completed within the time budget of real-time filtering at delivery. In November alone, Vade Secure analyzed 26.2 million remote images and blocked 261.1 million emails containing remote images.
Extracting and analyzing content from images requires computer vision, an expensive, resource-intensive branch of artificial intelligence that has yet to become standard in email security. Until it does, we expect manipulated images and remote-based images to keep growing.
- Depositing malicious emails via IMAP connections
In late November, Vade Secure detected a mass wave of spam emails being deposited into mailboxes without passing through the mail transport layer, and therefore without passing through any gateway that sits on it. We suspect that the hacker or hackers used a new tool called Email Appender, which is available on the dark web, to deposit the spam.
Email Appender allows hackers to validate compromised account credentials and connect directly to the accounts via IMAP. Once connected, hackers can configure proxies to avoid detection and write emails directly into the mailboxes, even in bulk. Because the emails appear inside the compromised account itself rather than being sent to it, hackers have no need to spoof the sender address; they can simply adjust the sender display name to fit the narrative of the spam campaign.
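To make the IMAP method concrete, here is an added example; it is not part of the article and not Vade Secure's or Email Appender's code. The delivery step is a single IMAP APPEND, shown in `append_via_imap` (defined but never called here, since it needs a live server and credentials). The useful part is the trace that step leaves behind: a message written straight into a mailbox carries no Received: headers and no Authentication-Results: stamp from the gateway, because no MTA ever handled it, and its From: is the victim's own address under a display name of the attacker's choosing. `triage` checks those three signals over two constructed messages; the sample headers, hostnames and the one-entry `DIRECTORY` are all this example's assumptions.

```python
import imaplib
import time
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Dict, List

# Constructed sample: a message that crossed the MTAs normally. Each hop adds a
# Received: header and the gateway leaves an Authentication-Results: stamp.
DELIVERED = b"""Received: from mx1.example.com (mx1.example.com [203.0.113.10])
\tby mail.example.com with ESMTPS id abc123; Mon, 30 Nov 2020 09:12:01 +0000
Received: from partner.example.net ([198.51.100.7])
\tby mx1.example.com with ESMTP; Mon, 30 Nov 2020 09:12:00 +0000
Authentication-Results: mx1.example.com; spf=pass smtp.mailfrom=partner.example.net
From: Dana Partner <dana@partner.example.net>
To: alice@example.com
Subject: Q4 invoice
Message-ID: <1234@partner.example.net>
Date: Mon, 30 Nov 2020 09:11:58 +0000

Hi Alice, the invoice is attached.
"""

# Constructed sample: what an IMAP APPEND leaves behind. The attacker logged in
# as alice with stolen credentials and wrote this straight into her INBOX, so no
# MTA ever stamped it. From: is her own address with a swapped display name.
APPENDED = b"""From: "Payroll Department" <alice@example.com>
To: alice@example.com
Subject: Action required: confirm your salary account
Message-ID: <9f3c@localhost>
Date: Mon, 30 Nov 2020 09:20:44 +0000

Please confirm your account details using the link below.
"""

# Constructed stand-in for the tenant's address book (assumption).
DIRECTORY: Dict[str, str] = {"alice@example.com": "Alice Example"}


def append_via_imap(host: str, user: str, password: str, raw: bytes) -> None:
    """The entire 'delivery' step of the IMAP method: one APPEND into INBOX.
    Shown for completeness only; this example never calls it."""
    with imaplib.IMAP4_SSL(host) as imap:
        imap.login(user, password)
        imap.append("INBOX", None, time.time(), raw)


def triage(raw: bytes, directory: Dict[str, str] = DIRECTORY) -> List[str]:
    """Return the signals that suggest a message was written into the mailbox
    rather than delivered to it. An empty list means nothing stood out."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: List[str] = []

    if not msg.get_all("Received"):
        findings.append("no Received headers: message never transited an MTA (IMAP APPEND?)")
    if msg.get("Authentication-Results") is None:
        findings.append("no Authentication-Results stamp from the gateway")

    # Display-name tampering on an internal address: the address is genuine,
    # so only the name can betray the narrative of the campaign.
    name, addr = parseaddr(msg.get("From", ""))
    expected = directory.get(addr.lower())
    if expected and name and name != expected:
        findings.append(f"display name {name!r} does not match directory entry {expected!r} for {addr}")
    return findings


if __name__ == "__main__":
    for label, sample in (("delivered", DELIVERED), ("appended", APPENDED)):
        print(label, "->", triage(sample) or "clean")
```

Treat the missing Received: chain as a triage signal for INBOX, not as proof: drafts, copies saved to Sent, and mailbox migrations also produce messages no MTA ever stamped. That is also why an API-based tool that can read and remove messages already sitting in the mailbox matters here, since a gateway on the SMTP path never saw them.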
We believe that hackers are using spam messages to test Email Appender and the IMAP method before moving on to phishing and malware attacks, which require more time, effort, and skill. Hackers tend to test new techniques on consumers before moving on to corporate targets: business users are more savvy because of mandated security awareness training, and businesses tend to have more sophisticated security systems.
When the IMAP method goes corporate, we expect platforms like Microsoft 365 to become targets. API-based email security solutions that are natively integrated with Microsoft 365 offer post-delivery remediation capabilities that secure email gateways, which only see mail on the SMTP path, do not have. If and when email threats bypass security, businesses can reach into the mailbox and remove them, often before users have the chance to click.
- Hijacking email threads
When Emotet malware returned in July, it was all the more difficult to detect because of thread hijacking. Using user accounts already compromised by Emotet and other malware, hackers injected themselves into legitimate email threads, spreading phishing links and malware-laden Word documents while posing as business colleagues and acquaintances.
While many users are trained to inspect email for signs of spoofing, the average user is unlikely to scrutinize an email that is part of an existing thread. This is what makes thread hijacking so dangerous: the conversation is already established, the reply comes from a genuine account, and hackers are free to converse with the other users in the thread. Because their guard is down, users are likely to take the bait.
With a technique like thread hijacking, hackers can bypass perimeter security and infiltrate a business from the inside. Given how easy getting inside has become, we expect thread hijacking to gain prominence in 2021.
Mitigating new threats
The above techniques show that hackers are not only keeping up with advances in email security but also outpacing them in many respects. Innovations in artificial intelligence bring new detection and remediation capabilities that will only grow in the coming years. But when threats do bypass security, continuous user training, including at the moment of need, will be critical to neutralizing attacks.
About the Author
Adrien Gendre is Chief Product & Services Officer at Vade Secure. His product vision and cybersecurity experience has been instrumental in Vade Secure’s evolution from startup to world leader in predictive email defense. A speaker at M3AAWG (Messaging, Malware & Mobile Anti-Abuse Working Group), Adrien is a sought-after email security expert who shares his expertise to educate businesses about email threats and facilitate new approaches in the cybersecurity community. With unparalleled access to global email threat intelligence, Adrien brings his email security expertise and innovative product approach to the ongoing development and advancement of phishing, spear phishing, and malware protection technologies at Vade Secure.