Modern email filters make it difficult for attackers to deliver malicious links and attachments. However, encrypting the email attachment carrying your malicious payload, be it a link to a credential harvesting site or macros waiting to drop malicious software onto your PC, will make it almost impossible for email filters to detect. This approach is also very easy, as encrypting an attachment file requires very little technical know-how.
While most attackers using phishing choose quantity over quality, some hackers have opted for a more fine-tuned approach. Sending malicious files as email attachments and placing malicious URLs in the email body is a risky endeavor, prone to getting caught by the spam filters employed by email service providers and organizations. The solution? Hide your malicious payload in a password-protected attachment.
From a social engineering perspective, having the attachment file be password-protected adds a layer of credibility. The file is encrypted, so it must contain confidential information for my eyes only, right? This added credibility is particularly effective when used as part of a spear-phishing email.
This approach also exploits our tendency to continue an endeavor once an investment of time, money or energy has been made, commonly known as the sunk-cost fallacy. When the user has already gone through the trouble of opening the password-protected attachment, they are more likely to enter their company credentials when additional authentication is requested. The human mind is full of these software bugs, and hackers know how to exploit them.
These days attackers know to use Microsoft Office documents and PDF files to fool users, as these are widely used across businesses on a daily basis. Their everyday nature can lull the unsuspecting user into a false sense of security and into opening the attachment. Compressed .zip archives are also commonly used in this approach. The file can be named using a string of randomly generated numbers, or a more elaborate name, sometimes even using the name of the recipient or their organization.
Once the user opens the attachment file, it asks for the password that was revealed in the email body. Entering the password will open the attachment, and this is where the attacker has hidden the actual malicious payload or a link to a malicious site. If the attachment file is a Word or PDF document, it might contain a message requesting additional authentication and a link to a credential harvesting site. In the case of an Excel file, the user is usually asked to enable content, executing the macros hidden in the attachment and giving the attacker access to the user’s computer.
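The pattern described above gives a defender a concrete signal: an encrypted attachment whose password is disclosed in the very same message. The following is an added example, not code from the original post, showing how a mail gateway or triage script could flag that combination. It classifies attachments by their magic bytes (an encrypted ZIP has general-purpose flag bit 0 set on its entries; a password-protected .docx/.xlsx is stored in an OLE compound-file container; an encrypted PDF carries an /Encrypt entry) and looks for a "password is ..." phrase in the body. The message, the attachment and the body phrase pattern are all constructed for the example; the ZIP's encryption flag is patched in by hand because Python's zipfile cannot write encrypted archives, and its content is harmless text.

```python
import email
import io
import re
import struct
import zipfile
from email import policy
from email.message import EmailMessage

# File-type signatures used to classify attachments by content rather than by name.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file container
ZIP_MAGIC = b"PK\x03\x04"
PDF_MAGIC = b"%PDF"

# Hypothetical body pattern: "password is X", "passcode: X", "PIN is X". Tune per environment.
PASSWORD_IN_BODY = re.compile(r"\b(?:password|passcode|pin)\b\s*(?:is|:)\s*\S{4,}", re.IGNORECASE)


def classify_attachment(name: str, data: bytes) -> dict:
    """Describe one attachment: its kind, whether it is encrypted, whether it carries VBA."""
    info = {"name": name, "kind": "other", "encrypted": False, "macros": False}
    if data.startswith(PDF_MAGIC):
        info["kind"] = "pdf"
        info["encrypted"] = b"/Encrypt" in data
    elif data.startswith(OLE_MAGIC):
        info["kind"] = "ole"
        # A modern Office extension on an OLE container means a password-protected OOXML file.
        if name.lower().endswith((".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")):
            info["encrypted"] = True
    elif data.startswith(ZIP_MAGIC):
        info["kind"] = "zip"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for zi in zf.infolist():
                if zi.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
                    info["encrypted"] = True
                if zi.filename.lower().endswith("vbaproject.bin"):
                    info["macros"] = True  # unencrypted OOXML document with a VBA project
    return info


def score_message(raw: bytes) -> dict:
    """Parse an RFC 5322 message and decide allow / review / quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body else ""
    attachments = [classify_attachment(p.get_filename() or "", p.get_payload(decode=True))
                   for p in msg.iter_attachments()]
    password_in_body = bool(PASSWORD_IN_BODY.search(body_text))
    encrypted = [a for a in attachments if a["encrypted"]]
    reasons = []
    if encrypted:
        reasons.append("encrypted attachment: " + ", ".join(a["name"] for a in encrypted))
    if encrypted and password_in_body:
        reasons.append("password for the attachment is disclosed in the same message")
    if any(a["macros"] for a in attachments):
        reasons.append("macro-enabled Office attachment")
    if encrypted and password_in_body:
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons, "attachments": attachments}


def _constructed_encrypted_zip() -> bytes:
    """Constructed sample: a stored ZIP whose single entry has the encryption flag set.
    The flag is patched in the local header (offset 6) and central directory (offset 8);
    the content is plain text, so nothing here is a real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.txt", "sample only")
    data = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = data.find(sig)
        flags = struct.unpack_from("<H", data, i + off)[0] | 0x1
        struct.pack_into("<H", data, i + off, flags)
    return bytes(data)


def constructed_message(disclose_password: bool = True) -> bytes:
    """Constructed sample message in the shape the post describes (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice 48213"
    text = "Please see the attached invoice."
    if disclose_password:
        text += " The password is Inv0ice2024"
    msg.set_content(text)
    msg.add_attachment(_constructed_encrypted_zip(), maintype="application",
                       subtype="zip", filename="48213.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(score_message(constructed_message()))
```

With the password disclosed, the sample scores "quarantine"; the same message without the password phrase scores "review", since an encrypted attachment on its own is common in legitimate mail and usually warrants a human look rather than a block.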