Perhaps the most famous e-mail-distributed virus was the “I Love You” virus from the year 2000. According to Wikipedia, this malicious attachment spread to more than 10% of all internet-connected computers and cost more than USD 15 billion to fix.

One should certainly think that e-mail based viruses would be a problem of the past, considering the long history of this threat and the cost of damages and remediation. However, e-mail is still one of the key mechanisms criminals use to spread malware. The “I Love You” virus was a .vbs file, a type of script that Windows computers would run automatically in the past. Today, executable files are typically stopped by antivirus and spam filters, so criminals use malicious documents in Microsoft Office formats, or PDF files, to spread the malware. Business users are used to receiving legitimate communication in these formats by e-mail, so a well-known file format like this is very likely to be perceived as “safe by default”, and this is why it is such a successful attack vector. A key insight from this discussion is that you should reduce the need for e-mail attachments in your organization’s daily workflows.

If we are used to opening attachments all day long as part of the normal work, we naturally will lower our guard and eventually fall for malicious ones.

– Cybehave Security Insight

What are some recent examples?

How antivirus programs performed on one example of a malicious Microsoft Word document. This document contained a downloader for the trojan Emotet, which is subsequently used to install other malware or to provide criminals with remote access to the computer where it is installed.

Emotet: over the last year and a half or so this malware has been used a lot by cybercriminals to take over computers and download other software onto them. It is an advanced malware that uses multiple mechanisms to spread, and has several modules attackers can use for various purposes, such as keylogging, remote access and potentially also making the victim computer part of a botnet. The primary mechanism for spreading Emotet is e-mail with Word or PDF attachments. For details on how the malware spreads and works, see https://www.us-cert.gov/ncas/alerts/TA18-201A.

Stealthy attachments: as attachments are typically scanned thoroughly, attackers are getting creative in their methods for delivering malware via e-mail. The e-mail may still contain an attachment, but without any malicious code embedded in the document itself. Such an e-mail is then likely to pass through any filters. So how is this dangerous?

Office files with DDE enabled. DDE is a feature that allows MS Office applications to load data from other Office programs, like Word getting data from Excel. The feature has existed for many years, and in recent years it has been abused to reference malware hosted online. Current versions of MS Word have this feature turned off by default, but many companies are still using old versions where it is active.

Another trend seen recently is HTML file attachments that are used only to redirect the user to a malicious site when opened. Putting a meta tag in the head of that HTML file is enough:

<meta http-equiv="refresh" content="0; url=http://cybehave.no/" />

The result of this is that when opening the file the user is redirected to cybehave.no – or to a phishing site if that is the specified URL.
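A defender-side check for exactly this pattern, added here as an example and not part of the original post: it parses an HTML attachment, collects the target of any meta refresh tag, and flags files whose only effect on opening is to send the reader to an external http(s) site. The two sample attachments are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML "attachment" whose only purpose is to redirect.
SAMPLE_REDIRECT_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=http://cybehave.no/" />
</head><body></body></html>"""

# Constructed sample: a benign HTML document with no redirect at all.
SAMPLE_BENIGN_HTML = """<html><head><title>Quarterly report</title></head>
<body><p>Figures for the quarter are in the table below.</p></body></html>"""


class MetaRefreshFinder(HTMLParser):
    """Collects the target URL of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if attrs.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0; url=http://host/"; the url= part is
        # case-insensitive and the URL may be quoted, so match loosely.
        m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)",
                      attrs.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1))


def find_redirects(html_text):
    """Return the list of refresh-redirect URLs found in an HTML attachment."""
    parser = MetaRefreshFinder()
    parser.feed(html_text)
    parser.close()
    return parser.targets


def is_redirect_only_attachment(html_text):
    """True if a <meta refresh> in the file points at an external http(s) URL."""
    return any(urlparse(u).scheme.lower() in ("http", "https")
               for u in find_redirects(html_text))
```

In a mail gateway this check would run on HTML attachments before delivery; a hit is a strong signal even when no other filter fires, because a legitimate document has no reason to redirect on open.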

Dealing with the issue

Attachments are still unavoidable in many contexts, but because of the dangers inherent in trusting attachments, making them part of the daily workflow is not a good idea. If we are used to opening attachments all day long as part of the normal work, we naturally will lower our guard and eventually fall for malicious ones.

Most malware infections start with a mouse click on that legitimate looking e-mail attachment.

Inside the organization: when collaborating on and sharing documents, it is much better to use a cloud service meant for document collaboration than to rely on e-mail attachments. This removes the habit of opening and implicitly trusting every attachment that comes along. Think Office 365, G Suite and similar services.

Then there are the more obvious measures, which are massively helped by no longer using attachments as part of everyday work:

  1. Use technology to filter out malicious content. A good spam filter with a sandbox for attachments not caught by signature-based antivirus products is a good bet here. It will not catch everything, but perhaps 80% of it?
  2. Train users to check for indicators of malicious e-mails, such as unusual language, the sender address, etc. Let them also know about attachments and the types of problems they can expect.
  3. Segregate networks to avoid a successful infection from spreading.
  4. Turn off all unused services. Follow security recommendations of vendors.
  5. Keep your software up to date!
  6. Make your people understand that malware infections can happen to anyone and that it is OK to report it. If people feel they will be “blamed” for being infected, the problem will only be amplified.