Recently, we have noticed a considerable spike in spam and phishing campaigns using various techniques to cloak malware in email attachments. To help keep your business protected, it’s important to understand how these attacks work and what you can do to help prevent them.
Taking proactive measures is one of the best ways to combat attacks attempting to trick attachment scanning technologies. As an example, we have recently seen leveraging techniques that work to prevent virus scanners from checking the attachment by using corrupted MIME headers or corrupted archives.
Spam and phishing emails often contain malicious attachments in plain sight, or covertly hidden in zip/rar archives, or in Office documents as macros. To infect your computer, the email often includes an executable file. Although it can be difficult to identify suspicious files at first glance—as they are commonly hidden within zip archives to trick spam filters—they can often be recognized by their file extension, such as: .exe, .bat, .com, .cmd, .cpl, .js, .jse, .msi, .msp, .mst, .paf, .wsh, .wsf, .vbs, .vbe, .psc1, .scr, and .ink.
Let’s take a look at some of the most common extensions presented above:
These files are Windows-executable files and some of the most dangerous attachments you can receive in an email. It is uncommon for people to send executable files in emails as attachments, so such an email should immediately raise a red flag.
This is another format for Microsoft Installer used on Windows, though applications can also be installed via an .EXE file. It may carry malicious files bundled into another application, thus giving the impression that it’s installing a legitimate application.
These are executable Java applications that use the Java runtime environment to run on a specific machine. These usually leverage Java runtime vulnerabilities and download/install malware on the affected computer.
This is a batch file that contains a simple list of commands usually run in the Command Prompt and originally used by the old MS-DOS.
These are the same thing as the .BAT extension, but introduced in Windows NT. The effect is the same as the batch file.
This is a Visual Basic Script file that usually executes the script code embedded when run.
· . PSC1
This is a PowerShell script, which is executed on a Windows machine.
All these file extensions are constantly being used in spam and phishing campaigns, generating a lot of damage for unprotected computers.
It is critical to check what type of files you receive and refrain from opening any attachments containing the above file extensions, especially if they come from unknown sources. To help ensure you and your business are protected from spam, phishing, and all email-borne threats, always deploy an email security solution as part of your security strategy.
In the SolarWinds Mail Assure™ Control Panel, there is a feature called “Block Dangerous Attachments,” which is on the Attachment Restrictions page of the default domain settings. When this feature is enabled, all the file extensions listed above are blocked by default. On top of this, to help ensure there are no harmful files in the archive attachments, zip archives are being scanned for malicious applications.
To find out how SolarWinds Mail Assure can help you protect your systems, click here.
Sebastian Antonescu is the technical support team manager for the Mail Assure and SpamExperts brands.
© 2018 SolarWinds MSP UK Ltd. All rights reserved.
The SolarWinds and SolarWinds MSP trademarks, service marks, and logos are the exclusive property of SolarWinds MSP UK Ltd. or its affiliates. All other trademarks are the property of their respective owners.