While most attackers using phishing choose quantity over quality, some hackers have opted for a more fine-tuned approach. Sending malicious files as email attachments and placing malicious URLs in the email body is a risky endeavor, prone to getting caught by the spam filters employed by email service providers and organizations. The solution? Hide your malicious payload in a password-protected attachment.
Why go through the trouble?
Modern email filters make it difficult for attackers to deliver malicious links and attachments. However, encrypting the attachment that carries the malicious payload, be it a link to a credential harvesting site or macros waiting to drop malicious software onto the recipient's PC, makes that payload almost impossible for email filters to detect. This approach is also very easy, as encrypting an attachment requires very little technical know-how.
From a social engineering perspective, password-protecting the attachment adds a layer of credibility. The file is encrypted, so it must contain confidential information for my eyes only, right? This added credibility is particularly effective when used as part of a spear-phishing email.
This approach also exploits our tendency to continue an endeavor once an investment of time, money or energy has been made - commonly known as the sunk-cost fallacy. When the user has already gone through the trouble of opening the password protected attachment, he is more likely to enter his company credentials when additional authentication is required. The human mind is full of these software bugs and hackers know to exploit them.
How it works
These days attackers know to use Microsoft Office documents and PDF files to fool users, as these are widely used across businesses on a daily basis. Their everyday nature can lull the unsuspecting user into a false sense of security and into opening the attachment. Compressed .zip archives are also commonly used by hackers using this approach. The file can be named using a string of randomly generated numbers, or a more elaborate name, sometimes even using the name of the recipient or their organization.
Once the user opens the attachment, it asks for the password that was revealed in the email body. Entering the password opens the attachment, and this is where the attacker has hidden the actual malicious payload or a link to a malicious site. If the attachment is a Word or PDF document, it might contain a message requesting additional authentication and a link to a credential harvesting site. In the case of an Excel file, the user is usually asked to enable content, which executes the macros hidden in the attachment and gives the attacker access to the user's computer.
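The combination just described, an encrypted attachment whose password sits in the email body, is also what a mail gateway or SOC script can look for. The following is an added defender-side example, not code from the original article: a small Python triage routine that flags a message when the body hands over a password and an attachment is encrypted, checking the ZIP general-purpose encryption flag bit and the `/Encrypt` key an encrypted PDF carries in its trailer. The sample message, sender addresses and file names it builds are constructed for the test and not taken from a real campaign.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Heuristic: a body that hands the reader the password for an attachment.
PASSWORD_HINT = re.compile(r"\bpassword\b\s*(?:is|:)\s*\S+", re.IGNORECASE)

def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any ZIP entry sets general-purpose bit 0 (entry is encrypted)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def triage_message(raw: bytes) -> dict:
    """Flag a message that carries an encrypted attachment plus its password."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    encrypted = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".zip") and zip_has_encrypted_entry(payload):
            encrypted.append(name)
        elif name.endswith(".pdf") and b"/Encrypt" in payload:  # trailer key
            encrypted.append(name)
    hint = bool(PASSWORD_HINT.search(text))
    return {"password_in_body": hint, "encrypted_attachments": encrypted,
            "suspicious": hint and bool(encrypted)}

def constructed_sample() -> bytes:
    """Constructed test message (not a real sample): flagged ZIP + body password."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.docm", b"placeholder bytes, not a real document")
    data = bytearray(buf.getvalue())
    # Patch the encryption flag on: local header flags at +6, central dir at +8.
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        data[data.find(sig) + off] |= 0x01
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "ap@example.com", "u@example.org", "Invoice"
    msg.set_content("Please review the attached invoice. The password is Q4-2023.")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()
```

Encrypted Office documents are stored as OLE compound files rather than ZIPs, so they would need a separate check; this script only covers ZIP and PDF attachments.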
More sophisticated examples
Staying off the hook
- Don’t trust attachments from unknown senders.
- Be as suspicious of Microsoft Office attachments as you would be of executables.
- Hovering over a link in a document shows the URL it actually points to. If that URL does not look like a legitimate email service provider's login page, it probably isn't one.
- Don’t enable editing in suspicious Excel or Word attachments.