Abnormal Attack Stories: Targeted Hijacked Email Thread / Malware - Abnormal Security

Abnormal Attack Stories: Targeted Hijacked Email Thread / Malware

In this attack, malicious actors insert themselves into an email conversation to deliver malware in an attempt to harvest credentials from employees.

Quick Summary of Attack Target

Platform: Office 365
Email Security Bypassed: Office 365
Mailboxes: Greater than 50,000
Payload: Malware
Technique: Impersonation

What was the attack?

Setup: Hijacking conversation threads are an especially effective technique that attackers utilize from compromised accounts to leverage trust from recipients. In these situations, recipients are more likely to trust requests from senders they have had prior communication with and especially from within an existing email thread. In this case, the attacker has managed to infiltrate a legitimate email thread.

Email Attack: This attack leverages social engineering to compromise recipient endpoints by hijacking an existing email thread between the recipient and a vendor. The attacker compromised this vendor email account and used the existing email thread about credentials in order to launch this attack on the recipient.

Payload: Within the body is a link that redirects to the domain “houseofmarketing[.]co[.]uk”, which automatically downloads a .zip file. Within the file is dangerous malware that would allow attackers to gain access to the recipient’s device, and, in turn, their corporate network. 

Result: If downloaded, the recipient is then infected with cookie-stealing malware known as Qakbot, a Windows-based modular information stealer that monitors web traffic and harvests credentials to retrieve illegal funds. 

Why is this attack effective?

Urgency: In a twist, the attacker takes the email out of context, and forges urgency by selecting a conversation that the recipient once communicated for a request that had to be performed in an urgent timeframe and then replying to it with malicious content.

The language is neutral and contains two call to action phrases. The first is in the title “Have not heard back” indicating the sender has been waiting for a response and would like to receive one. The second is in the body  “Check the document and let me know what you think about it” a request that is seemingly reasonable and one that would not necessarily warrant suspicion. 

Compromised email:   In a multi-faceted process, the attacker had to first exploit a vulnerability from someone associated with the recipient and compromise an email account they were communicating with. It is unknown which method was used to retrieve the credentials but is possible to have been harvested through a separate phishing campaign.

Next, as evidenced by the language selection, the attackers eavesdropped on communication with the compromised vendor. A socially engineered email was then chosen to send to the target, as evidenced by the once valid request sent to the vendor by the target. Since the target has had previous correspondence with the attacker, email filters are less likely to block suspicious emails because there is a frequency of messages between the two user email endpoints. This is highly personalized and easy to miss on the recipient’s end. 

Detection Evasion: As the payload for the malware is sent via a link and not as an attachment, simple email detection systems are unable to verify that the message itself is malicious.

Related content