Here’s How Phishing Messages Break Through Email Filters

August 27, 2024  |  David Balaban

The content of this post is solely the responsibility of the author.  LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Phishing is an email-borne attack aimed at harvesting users' credentials or delivering malware. It has been on the list of top cyber threats to individuals and businesses for years. According to the latest Phishing Activity Trends Report by APWG, the total number of phishing attacks identified in Q1 2024 exceeded 963,000. The average wire transfer amount requested in business email compromise (BEC) attacks during this period reached $84,000, a 50% increase over the previous quarter.

With these figures in mind, it is clear that phishing is one of the mainstays of the global cybercrime economy. It comes as no surprise that many security companies specialize exclusively in anti-phishing services that keep rogue emails out of their customers' inboxes. As landing these campaigns becomes harder for criminals, they are developing more sophisticated techniques to get around mainstream defenses.

Phishers Are Thinking Outside the Box

Malicious actors rely on a handful of effective evasion techniques to make sure their deceptive messages reach their targets. Here are several real-world tactics used to disguise malicious intent and slip past automated protection tools.

Hybrid “Vishing” Attacks Gaining Momentum

Voice phishing, or vishing, has become an effective social engineering scam over the years. Because the manipulation takes place over the phone, it escapes the notice of traditional email security controls. Its weak spot is a heavy reliance on cold calls, which many people simply ignore, so the success rate of such scams is limited.

In an attempt to close that gap, criminals came up with a multi-step scheme that combines vishing with deceptive emails. The idea is to first contact the would-be victim with an email lure that contains a phone number. These messages typically convey urgency by stating that the recipient is about to be locked out of their bank account, or that a suspicious financial transaction has been made without their consent.

The user is instructed to call the number in the email to resolve the problem. Instead of providing assistance, the scammer on the other end tries to extract sensitive information. Because the original email contains no attachments or links, there is nothing for spam filters or antivirus engines to detonate or look up, and it passes inspection as an ordinary message.
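A link-free, attachment-free lure leaves a gateway nothing to sandbox or reputation-check, so the remaining signal is in the text itself: a phone number the recipient is told to call, urgency language, and no URL at all. The heuristic below, an added example that is not part of the original article, scores messages on exactly that combination. The two sample messages, the keyword list and the thresholds are constructed for this demonstration and are assumptions, not a published detection rule.

```python
import re
from email import message_from_string

# Constructed sample messages for this demonstration; not real phishing mail.
CALLBACK_LURE = """\
From: Account Services <alerts@billing-notice.test>
Subject: Action required: your account will be suspended
Content-Type: text/plain; charset=us-ascii

We detected an unauthorized transaction of $489.00 on your account.
Your account will be locked within 24 hours. To dispute this charge,
call our security desk immediately at +1 (855) 555-0142.
"""

ROUTINE_NOTICE = """\
From: Ops Team <ops@corp.example>
Subject: Office closure on Friday
Content-Type: text/plain; charset=us-ascii

Reminder: the office is closed on Friday. Reach reception at (212) 555-0100
if you need building access over the weekend.
"""

LINK_RE = re.compile(r"https?://|\bwww\.", re.I)
# North American style numbers with optional country code; widen for other regions.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
# Assumed urgency vocabulary; a production list would be tuned on real mail.
URGENCY_TERMS = ("immediately", "within 24 hours", "suspended", "locked",
                 "unauthorized", "dispute", "call", "urgent", "verify")


def _text_body(msg):
    """Decoded text/plain content, whether or not the message is multipart."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_callback_lure(raw):
    """Flag text-only mail that pushes the reader to phone a number under pressure."""
    msg = message_from_string(raw)
    body = _text_body(msg)
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    phones = [m.group().strip() for m in PHONE_RE.finditer(body)]
    hits = [term for term in URGENCY_TERMS if term in text]
    has_link = bool(LINK_RE.search(body))
    # A phone number, no URL to verify, and at least two pressure terms: the
    # callback pattern. A routine notice with a number but no pressure passes.
    suspicious = bool(phones) and not has_link and len(hits) >= 2
    return {"phone_numbers": phones, "has_link": has_link,
            "urgency_hits": hits, "suspicious": suspicious}


if __name__ == "__main__":
    for label, sample in (("lure", CALLBACK_LURE), ("notice", ROUTINE_NOTICE)):
        print(label, score_callback_lure(sample))
```

The point of the `has_link` test is that callback lures are deliberately link-free; a message that carries both a phone number and a URL is a different campaign style and should be handled by the usual URL checks rather than this rule.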

In some scenarios, criminals gather information about the victim from social media and other publicly accessible sources so that the bait message matches the target's interests and lifestyle. Using a reputable data broker removal service can reduce how much of this open-source intelligence (OSINT) is available about you in the first place.

Compromised SharePoint Accounts

Another way for phishing messages to slip unnoticed into users' inboxes is to piggyback on previously compromised SharePoint accounts. Email filters trust the domains used by this cloud-based collaboration service from Microsoft, so a link to a document hosted there is rarely blocked. The messages ask recipients to click an embedded secondary URL that leads to a malicious OneNote document disguised as a OneDrive for Business sign-in page. Credentials entered into this fake login form go straight to the fraudsters.

Elusive Emails Impersonating Major Banks

This is a long-running hoax in phishing operators' repertoire. The spoofed email purports to come from a well-known financial institution such as Bank of America. It asks the recipient to update their email address and provides a link to a credential phishing page camouflaged as the bank's official site. To feign legitimacy, the scam includes an extra page where the victim is supposed to enter their security challenge question.

Although the message is sent from a "@yahoo.com" address rather than the real domain of the mimicked bank, many anti-phishing tools fail to flag it. One reason is that this fraud targets only a handful of people in an organization rather than maximizing its reach. Filtering technologies rely heavily on seeing large volumes of similar emails and may never build up a signal from messages that arrive in small quantities.

Secondly, the email passes authentication checks precisely because it is sent from a real personal Yahoo account. Traditional verification mechanisms such as the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) only confirm that the message genuinely originates from yahoo.com and was not altered in transit. They say nothing about whether the display name or the content impersonates a bank, and the bank's own DMARC policy never comes into play because the bank's domain does not appear in the From header.

Thirdly, the blocklists built into a Secure Email Gateway (SEG), or into a VPN client with a filtering feature, might not yet include the replica of the bank's page because its domain was registered only recently. Furthermore, the site uses a valid TLS certificate issued by a trusted authority such as COMODO, so the browser shows nothing alarming. This combination of techniques, plus the urgency and pressure applied to the recipient through social engineering, makes this seemingly simple phishing wave highly effective.
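Because SPF, DKIM and DMARC all pass for the Yahoo account, the useful check is alignment between what the display name claims and the domain that was actually authenticated. The script below is an added example, not the article's or any vendor's code: it reads the From header and the receiving server's Authentication-Results header, confirms that authentication passed, and then flags the message when the display name names a brand that does not send from the authenticated domain. The brand-to-domain table, the free-mail list and both sample messages are constructed for the demonstration (the Example Bank entry and all addresses are fictitious; bankofamerica.com is the bank's real domain, used here only as the table entry the lure fails to match).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Minimal stand-in for a brand directory (assumption): display-name keyword ->
# domains that brand legitimately sends from. A real deployment would load
# this from a maintained list.
BRAND_DOMAINS = {
    "bank of america": {"bankofamerica.com"},
    "example bank": {"examplebank.test"},
}
FREEMAIL = {"yahoo.com", "gmail.com", "outlook.com", "hotmail.com", "aol.com"}
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

# Constructed samples. The receiving MTA (mx.corp.example) wrote the
# Authentication-Results header; the lure passes every check for yahoo.com.
IMPERSONATION = """\
From: "Bank of America Alerts" <bofa.secure.alerts@yahoo.com>
To: jane.doe@corp.example
Subject: Please update your email address on file
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=yahoo.com; dkim=pass header.d=yahoo.com; dmarc=pass header.from=yahoo.com

Dear customer, please confirm your new email address at the link below.
"""

LEGITIMATE = """\
From: "Example Bank" <alerts@examplebank.test>
To: jane.doe@corp.example
Subject: Your monthly statement is ready
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=examplebank.test; dkim=pass header.d=examplebank.test; dmarc=pass header.from=examplebank.test

Your statement for August is available in online banking.
"""


def _in_domains(domain, allowed):
    """True if domain equals or is a subdomain of any allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def assess_sender(raw):
    """Separate 'authentication passed' from 'the sender is who the name claims'."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    results = {k.lower(): v.lower()
               for k, v in AUTH_RE.findall(msg.get("Authentication-Results", ""))}
    auth_pass = all(results.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    brand = next((b for b in BRAND_DOMAINS if b in display.lower()), None)
    aligned = brand is not None and _in_domains(sender_domain, BRAND_DOMAINS[brand])
    flag = brand is not None and not aligned
    reason = None
    if flag:
        reason = (f"display name claims '{brand}' but the authenticated sender "
                  f"domain is {sender_domain}; SPF/DKIM/DMARC only vouch for "
                  f"{sender_domain} itself")
    return {"display_name": display, "sender_domain": sender_domain,
            "auth_results": results, "auth_pass": auth_pass,
            "freemail": sender_domain in FREEMAIL, "brand": brand,
            "flag": flag, "reason": reason}


if __name__ == "__main__":
    for sample in (IMPERSONATION, LEGITIMATE):
        print(assess_sender(sample))
```

The free-mail membership is reported separately rather than folded into the verdict: a consumer mailbox claiming to be a bank is a strong signal, but the alignment test alone already catches a lookalike domain the attacker registered and authenticated themselves.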

ZIP Archive with a Catch

One of the clever tricks in the modern criminal's handbook is to cloak a malicious email attachment inside a doctored ZIP archive. A well-formed ZIP file has exactly one "End of Central Directory" (EOCD) record at its tail; readers locate that record first and follow it to the central directory that lists the archive's contents. Attackers are increasingly using attachments that contain two EOCD records rather than one, which means two complete archive structures have been concatenated into a single file, with the second one hidden in plain sight behind the first.

The decompression engines built into some SEGs honour only one of the two records, so they identify and vet the harmless "decoy" archive while never inspecting the malicious sub-structure. ZIP implementations differ in which record they follow, so the recipient's archiver may extract exactly the files the gateway never looked at. As a result of this furtive file extraction, a strain of info-stealing malware infects the victim's computer.
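The defensive fix is to stop trusting a single EOCD. The scanner below is an added example, not the article's or any gateway vendor's code: it builds a two-archive attachment in memory, walks the file for every EOCD signature, follows each one to its own central directory (correcting the offsets, which are stored relative to the start of that embedded archive), and lists the files of each. It then shows what a single-EOCD reader (Python's `zipfile` module, which starts from the record at the end of the file) reports for the same bytes. The archive contents are constructed and inert; the "payload" is a text file with a misleading name, not malware.

```python
import io
import struct
import zipfile

EOCD_SIG, CDIR_SIG, LOCAL_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
EOCD_FMT, EOCD_LEN = "<4s4H2LH", 22        # end-of-central-directory record
CDIR_FMT, CDIR_LEN = "<4s4B4HL2L5H2L", 46  # central directory file header


def build_archive(files):
    """Ordinary single-archive ZIP; stored entries keep the sample deterministic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_concatenated_zip():
    """Constructed sample: a decoy archive with a second complete archive appended.
    The 'payload' is inert text with an executable-looking name, not a program."""
    decoy = build_archive({"readme.txt": b"Quarterly invoice attached.\n"})
    hidden = build_archive({"invoice-2024-08.exe": b"placeholder bytes, not a program\n"})
    return decoy + hidden


def find_all_eocd(data):
    """Offsets of every plausible EOCD record in the file, not only the last one."""
    found, pos = [], data.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            if pos + EOCD_LEN + comment_len <= len(data):   # record fits in the file
                found.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    return found


def entries_for_eocd(data, eocd_pos):
    """File names in the central directory that this EOCD record points to."""
    _, _, _, _, total, cd_size, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd_pos)
    cd_start = eocd_pos - cd_size      # the central directory immediately precedes its EOCD
    shift = cd_start - cd_offset       # non-zero when this archive does not begin at offset 0
    names, pos = [], cd_start
    for _ in range(total):
        if pos < 0 or data[pos:pos + 4] != CDIR_SIG:
            break
        f = struct.unpack_from(CDIR_FMT, data, pos)
        fn_len, extra_len, comment_len, local_off = f[12], f[13], f[14], f[18]
        name = data[pos + CDIR_LEN:pos + CDIR_LEN + fn_len].decode("utf-8", "replace")
        # Cross-check: the shifted local header offset must land on a real local header.
        if data[shift + local_off:shift + local_off + 4] == LOCAL_SIG:
            names.append(name)
        pos += CDIR_LEN + fn_len + extra_len + comment_len
    return names


def scan_all_archives(data):
    """One file list per embedded archive, in file order."""
    return [entries_for_eocd(data, p) for p in find_all_eocd(data)]


def stdlib_view(data):
    """What a reader that honours a single EOCD (here Python's zipfile) reports."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    blob = build_concatenated_zip()
    print("EOCD records:", len(find_all_eocd(blob)))
    print("all archives:", scan_all_archives(blob))
    print("single-EOCD reader:", stdlib_view(blob))
```

A gateway policy built on this is simple: an attachment with more than one valid EOCD record is malformed by construction and should be quarantined outright, regardless of what either archive appears to contain, because the scanner cannot know which structure the recipient's tool will pick.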

Skewing an Email’s HTML Code

Yet another way around SEGs is to store the text of a message reversed in its HTML source and have the mail client render it forward. Security filters that match raw HTML against known phishing templates find nothing, while the recipient sees a perfectly readable message.

A particularly tricky strand of this ruse involves Cascading Style Sheets (CSS), the stylesheet language used to control how HTML documents are displayed. Attackers abuse it to mix Latin and Arabic scripts in an email's code, or to impose right-to-left display on Latin text. Since these scripts flow in different directions (left-to-right versus right-to-left), the bidirectional rendering rules end up reversing the text at display time.
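To match templates against what the reader actually sees, a filter has to render the text in the same way the mail client does. The parser below is an added example, not the article's or any product's code. It assumes the attacker used the CSS pair `direction: rtl; unicode-bidi: bidi-override`, which forces every character in the element to follow right-to-left order (`direction: rtl` alone does not reverse Latin text), and undoes that reversal to recover the displayed string. It goes one step beyond the CSS case in the text by also handling the Unicode RIGHT-TO-LEFT OVERRIDE control character (U+202E), which produces the same effect inside a text run. The sample HTML is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Only this CSS combination reverses character order; direction by itself
# merely changes alignment and the placement of neutral characters.
RTL_RE = re.compile(r"direction\s*:\s*rtl\b", re.I)
OVERRIDE_RE = re.compile(r"unicode-bidi\s*:\s*bidi-override\b", re.I)
# U+202E ... U+202C: character-level override with the same visual result.
RLO_RE = re.compile("\u202e([^\u202c]*)\u202c?")
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}

# Constructed sample: the lure is stored backwards; the CSS renders it forwards.
PHISH_HTML = """<html><body>
<p style="direction: rtl; unicode-bidi: bidi-override;">!yadot drowssap ruoy teseR</p>
<p>Your mailbox is full. <a href="https://example.test/verify">Verify now</a></p>
</body></html>"""


class RenderedText(HTMLParser):
    """Reconstruct the text a mail client displays, undoing bidi reversal."""

    def __init__(self):
        super().__init__()
        self.stack = []   # one flag per open element: does it reverse its text?
        self.buf = []     # text collected under a reversing element
        self.out = []     # rendered text pieces

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        self.stack.append(bool(RTL_RE.search(style) and OVERRIDE_RE.search(style)))

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self.stack:
            return
        self.stack.pop()
        # Leaving the outermost reversing element: the whole run flips as one
        # line, so reverse the concatenated buffer rather than each text node.
        if self.buf and not any(self.stack):
            self.out.append("".join(self.buf)[::-1])
            self.buf = []

    def handle_data(self, data):
        data = RLO_RE.sub(lambda m: m.group(1)[::-1], data)
        (self.buf if any(self.stack) else self.out).append(data)


def rendered_text(html):
    """Displayed text with whitespace collapsed, ready for template matching."""
    p = RenderedText()
    p.feed(html)
    p.close()
    if p.buf:   # reversing element never closed before end of input
        p.out.append("".join(p.buf)[::-1])
    return re.sub(r"\s+", " ", "".join(p.out)).strip()


def template_match(html, phrase):
    """Does a template phrase match the raw source versus the rendered text?"""
    return {"raw": phrase.lower() in html.lower(),
            "rendered": phrase.lower() in rendered_text(html).lower()}


if __name__ == "__main__":
    print(rendered_text(PHISH_HTML))
    print(template_match(PHISH_HTML, "reset your password"))
```

Run the same phrase list against both views: a template that misses the raw HTML but hits the rendered text is itself a strong indicator, since legitimate mail has no reason to hide its wording from the source.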

Vigilance is Key

While email filters are indispensable for protecting inboxes, they are not foolproof. Phishing schemes are constantly evolving, and some malicious messages will slip through. The onus is ultimately on you, the recipient, not to be fooled. You can significantly reduce the risk by learning the common phishing patterns and treating any unexpected email with a healthy dose of skepticism.
