It’s common knowledge that most cyberattacks begin with a phishing campaign, ie. malicious emails that seek to harvest the credentials of employees or deploy malware.
Is it possible to slam the door on that entry point? The most obvious solution was to prevent users from receiving phishing emails. No phishing emails, no beachhead for hackers. Seems logical doesn’t it?
This is what led to the development of anti-spam software. This approach is obviously useful insofar as it elevates the technical requirements to penetrate mailboxes. But, unfortunately, it cannot guarantee absolute protection against hackers who have an array of tools and techniques to bypass anti-spam filters.
This article will explore some fo the tactics hackers can use to ensure their message will reach its intended target.
These methods are constantly evolving, and the examples we present are mainly for educational purposes : they are there to help you explain clearly and simply to your users why anti-spam tools will never constitue an absolute barrier, and why vigilance needs to be maintained at all times.
What does an anti-spam do? The short answer : two things.
This does not mean that anti-spams are not useful and necessary for a company (quite the contrary). Simply that understanding what they do provides a framework on how to bypass them.
Hence there are two broad approaches for hackers wishing to bypass anti-spams :
In order to fool the assessment of the sender’s reputation, or rather to mask a negative reputation that would trigger the blocking of the email, hackers are going to try and give the impression that the email is trustworthy because it is from a trusted sender:
Hackers can easily give a layer of trustworthiness to their emails by taking some steps before sending them. This includes :
This type of attack obviously renders ineffective the “reputation” component of anti-spam protections.
Hackers use a first compromised account (supplier, customer...) as a stepping stone to send further, targeted, phishing emails.
By doing so they kill two birds with one stone, so to speak : they benefit from the reputation of the compromised account (considered a normal, human-used account as long as the amount of emails sent remains reasonable) and they benefit from the lack of vigilance of targets who are used to receiving emails from this send, and therefore risk being tricked by the trust they have in this sender.
For example, if you’re used to received pdf invoices and Excel attachments from a supplier, the anti-spam won’t be alerted if you receive (you guessed it) pdf files and Excel attachments from this supplier, thereby leaving the target vulnerable.
A phishing email generally seeks to deliver a payload that is usually either a URL link to direct the target towards a webpage (to trigger a download, harvest credentials), or an attachment (to execute malicious code, via, for example, macros).
Anti-spam protect users by analyzing the content of the email : URL and attachments, at times in an advanced fashion. But that hasn’t deterred hackers.
There are solutions to avoid detection of the malicious intent of a phishing webpage by anti-spam tools :
In order to defeat the countermeasures deployed by hackers, anti-spam tools rely on techniques such as URL rewriting to gain some time in order to run analyses and protect the users.
The idea is to redirect - briefly - the user who clicked on a link while the anti-spam tools analyzes the destination page for any malicious elements. This is due to the proliferation of malicious URLs and to avoid relying on static lists of blocked pages. However, hackers have also found ways around this :
A malicious attachment that will trigger the download of malware via macros (for example) is a very effective weapon used by hackers.
Anti-spams have sought to address this by executing any code contained in attachments in secure environments, isolated from the rest of the system (sandboxes), in order to verify that it is safe. But, here again, hackers have found ways around theses defenses.
Modern malware have sandbox evasion functionalities to detect and avoid protection mecanisms and to hide malicious elements in their code if they are executed in a sandbox environment. These include:
All in all, it’s possible to find malware with sandbox evasion functionalities for as cheap as 30$ on the darkweb:
Anti-spam tools are definitely a must-have. They prevent mass attacks, they increase the cost (time, money, resources) hackers have to invest in order to bypass them, and they provide a layer of analysis that can detect certain attacks.
But beware of certain beliefs held by users that are less knowledgeable, and who believe they can rely entirely on their company’s anti-spam or anti-phishing solutions for protection.
These tools do not constitute an absolute barrier against phishing attacks, who have evolved in order, specifically, to pass this first layer of defense.
Here are 10 must-haves for any training to be effective at lastingly changing users' behavior with regard to phishing attacks.
Why do humans love to play? And how can using these principles and relying on gamification help your cyberdefense?