A new year, and a new phishing technique. While it’s hard to classify anything as truly “new”, it is always interesting to see the latest approach. This week the EdgeWave Threat Detection Center saw a dramatic increase in phishing email using EML attachments. That’s right, email attachments within an email: an .eml file is a complete message, carried inside the outer message as a message/rfc822 part. To be honest, this is not something that most users know how to do, which in itself creates a certain level of suspicion. Users are very familiar with forwarding an email, but not so much with sending an email as an attachment. Scanning the contents of an attached EML is also something that many email gateways may not do by default (if at all), so the links and headers of the inner message can sail past filters that would have caught them in a normal message. All in all, an interesting start to phishing in 2019.
A longstanding, and easy, test for cybercriminals to perform is confirming that their malicious content does not trigger AV engines or even some of the newer approaches to endpoint security. In this example, the EML is not flagged by VirusTotal or Malwarebytes. The attachment name, VRF_audio-mail.923.e.wav.eml, stacks a .wav extension in front of the real .eml extension so that it reads as an audio file, and with no AV detection, unsuspecting users might be tempted to click and listen to this “important” voice mail.
Other attachment names we have seen:
- iRING=voice-mail.923.e.wav (1).eml
- RING=voice-.e.wav (1).eml
- FVX CorpFAX TRANSMISSION FROM +1(854) 809 0903.eml
- New fax message +1818 909 8811.eml
The sending domain, lps.direct, is a legitimate domain owned by a London-based property services company. The originating IP of this email, however, is 126.96.36.199, associated with Strong Technology, a VPN provider from Boston. Here again, the criminal actors are recycling the tried-and-true technique of using a VPN to mask their true location while borrowing a real company’s domain as the sender.
Opening the attached EML presents multiple enticing links. Each link points to a page on honestypolicy.gq, a domain under .gq, the country-code top-level domain of Equatorial Guinea. While .gq is a valid top-level domain, the registry that was assigned it initially gave .gq domains away for free, which has resulted in a proliferation of shady websites using .gq. Pretty quickly, Google Safe Browsing identified the links in the attachment as malicious.
Examining a few EML attachments revealed header data duplicated verbatim between samples, a strong indicator of forgery, since every real delivery stamps its own hostnames, queue IDs and timestamps. But a closer look reveals the most compelling evidence of forgery: the Received headers.
Generally, SMTP Received headers follow this format, with each relay on the path prepending its own entry:
- from sending.SMTP.server.hostname (IP_address) by receiving.SMTP.server.hostname (IP_address) with ESMTP id <queue_id>; Mon, 21 Nov 2016 14:11:34 <zone>
Reviewing the Received headers in the malicious attachment reveals incomplete data as well as a somewhat confusing route. While a legitimate explanation for the route could be constructed, the incomplete headers are highly suspicious.
- from smtp9.relay.iad3a.emailsrvr.com (localhost [127.0.0.1])
- Note the missing “by receiving.SMTP.server.hostname” clause. A Received line is written by the server that accepted the message, and it names itself in the by clause; an entry that names only the sending host was not produced by a real relay.
Even more compelling is the final entry, which shows a received date of January 27, 2019, many days after the email actually arrived. While we’ve all seen cases where a server’s clock stops syncing, a timestamp that far in the future is the straw that breaks the camel’s back.
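The indicators above (a nested .eml carried as a message/rfc822 part, a lure extension stacked in front of .eml, a Received line with no by clause, a received timestamp in the future, and links under .gq) can all be checked with Python’s standard email package. The script below is an added example written for this page, not EdgeWave’s tooling. The sample message it builds is constructed to mirror the indicators described in the post; the vpn-gw.example host, the 198.51.100.7 address (TEST-NET-2) and the queue id 4F3A1C0DE are placeholders, not data from the campaign.

```python
"""Unpack a mail carrying a .eml attachment and apply the checks described
above to the inner message.  Added example; all sample data is constructed."""
import email
import re
from datetime import datetime, timedelta, timezone
from email import policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed inner message: a top hop with no "by" clause and a future
# timestamp, plus lure links under .gq.  vpn-gw.example, 198.51.100.7 and
# the queue id 4F3A1C0DE are placeholders, not campaign data.
INNER_RAW = b"""\
Received: from smtp9.relay.iad3a.emailsrvr.com (localhost [127.0.0.1]);
\tSun, 27 Jan 2019 09:12:44 +0000
Received: from mx1.lps.direct (vpn-gw.example [198.51.100.7])
\tby smtp9.relay.iad3a.emailsrvr.com (Postfix) with ESMTP id 4F3A1C0DE;
\tTue, 08 Jan 2019 08:55:12 +0000
From: "Voice Mail" <voicemail@lps.direct>
To: victim@example.com
Subject: New voice mail message
Date: Tue, 08 Jan 2019 08:55:10 +0000
Content-Type: text/plain; charset="us-ascii"

You have a new voice message. Listen: http://honestypolicy.gq/vm/listen
Download: https://honestypolicy.gq/vm/download
"""

SUSPECT_TLDS = {"gq"}                     # starting point from the post
LURE_EXT_RE = re.compile(r"\.(wav|mp3|pdf|docx?|xlsx?)\.eml$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
FUTURE_TOLERANCE = timedelta(hours=24)    # tolerate ordinary clock skew


def build_sample() -> bytes:
    """Wrap INNER_RAW in an outer mail as a message/rfc822 attachment."""
    inner = email.message_from_bytes(INNER_RAW, policy=policy.default)
    outer = EmailMessage(policy=policy.default)
    outer["From"] = "voicemail@lps.direct"
    outer["To"] = "victim@example.com"
    outer["Subject"] = "Voice mail"
    outer["Date"] = "Tue, 08 Jan 2019 14:11:34 +0000"
    outer.set_content("Your voice mail is attached.")
    outer.add_attachment(inner, filename="VRF_audio-mail.923.e.wav.eml")
    return outer.as_bytes()


def _as_utc(when: datetime) -> datetime:
    """Treat a naive timestamp (e.g. a '-0000' zone) as UTC so hops compare."""
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def parse_received(value: str) -> dict:
    """Split one Received header into its from/by hosts and timestamp."""
    flat = re.sub(r"\s+", " ", value).strip()
    clauses, date = flat.rsplit(";", 1) if ";" in flat else (flat, "")
    clauses = re.sub(r"\([^)]*\)", " ", clauses)      # drop (comments)
    m_from = re.search(r"\bfrom\s+(\S+)", clauses, re.IGNORECASE)
    m_by = re.search(r"\bby\s+(\S+)", clauses, re.IGNORECASE)
    try:
        when = _as_utc(parsedate_to_datetime(date.strip()))
    except (TypeError, ValueError):
        when = None                                   # unparseable date
    return {"from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None, "date": when}


def analyze(raw: bytes) -> list:
    """Return the forgery indicators found in the attached .eml messages."""
    outer = email.message_from_bytes(raw, policy=policy.default)
    reference = (_as_utc(parsedate_to_datetime(str(outer["Date"])))
                 if outer["Date"] else datetime.now(timezone.utc))
    findings = []
    for part in outer.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "message/rfc822":
            inner = part.get_content()                # already parsed
        elif name.lower().endswith(".eml"):           # mislabelled, e.g. octet-stream
            inner = email.message_from_bytes(part.get_payload(decode=True),
                                             policy=policy.default)
        else:
            continue
        findings.append(f"nested message attachment: {name}")
        if LURE_EXT_RE.search(name):
            findings.append(f"lure extension before .eml: {name}")
        for hop in inner.get_all("Received", []):
            info = parse_received(str(hop))
            if info["by"] is None:
                findings.append(f"Received without 'by' clause: from {info['from']}")
            if info["date"] and info["date"] - reference > FUTURE_TOLERANCE:
                findings.append(f"Received dated in the future: {info['date'].isoformat()}")
        body = inner.get_body(preferencelist=("plain", "html"))
        for url in URL_RE.findall(body.get_content() if body else ""):
            host = urlsplit(url).hostname or ""
            if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
                findings.append(f"link to suspect TLD: {url}")
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample()):
        print(finding)
```

Run it as a script to print the findings for the built-in sample, or pass analyze() the raw bytes of a quarantined message. The 24-hour tolerance separates ordinary clock drift from the kind of future timestamp seen here; in a gateway you would tune it to your environment and treat a missing by clause as a stronger signal than a single odd date, since no real relay writes a Received line without naming itself.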
Whether sloppy by design or just lazy, the forged EML attachment will still get past many email gateways and likely result in numerous end-user clicks, and that’s all the criminals care about. In this campaign, the end goal was (yet another) credential harvest: the malicious links, since taken down, pointed to fake login pages.
Stay tuned for the next campaign, likely starting before your email gateway is ready.
For security professionals:
- Block outbound connections to .gq domains, or at least alert on them; legitimate traffic to .gq is rare in most organizations
- Quarantine (or block) inbound email with .EML attachments, and confirm that your gateway actually parses message/rfc822 parts so the inner message’s links and Received headers are inspected rather than passed through