Fake RFQ Used in Malware Attack

April 14, 2021

A request for quote (RFQ) continues to increase in popularity as an attack type, as vendors are likely to open the attachments or click the links associated with these types of email. In this attack, attackers disguise harmful malware as a RFQ to encourage recipients to download the dangerous files.

Summary of Attack Target

  • Platform: G Suite
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

Overview of the RFQ Malware Attack

This attack is an impersonation of a “request for quote” (RFQ) from a legitimate, outside organization. The attack originates from the throwaway address “info@req-allparts.com”, with the reply-to address “glennmauldin@zidnei.com”.

By using urgent language, the attacker attempts to coax the recipient to click on the link “Rfq 507890.pdf” without examining it for malicious content. Clicking on the link does not download a PDF or bring the recipient to an external website, but rather forces a malware download.

The downloaded file from the malicious link is a compressed .GZ file, which enables it to circumvent certain malware detectors. Within the compressed file is a text file full of malicious code, including spyware such as a keylogger. If the recipient allows this code to run, the attacker could record everything that the recipient enters into his or her computer or possibly even take complete control of the recipient’s device.

Why the RFQ Malware Attack is Effective

The recipient of this email is likely to open this attachment, given that they believe it to contain information about a RFQ. In addition, many security systems can only detect malware if it is attached to an email in an uncompressed form. Putting malware into a .ZIP folder or a .GZ archive can easily circumvent these security measures.

Abnormal Security prevented this attack by recognizing a number of signals that, when combined, flagged the email as malicious. Some of these signals are contained in the message body, such as the presence of suspicious wording. Others are contained in the message headers, such as the fact that the reply-to address for this email did not match the sender address or any of the links in the email. It is much more difficult for an attacker to hide these kinds of signals than it is to hide the malware.

To learn how Abnormal Security can protect you from malware attacks that others miss, request a demo today.

Blog tall spike building
Recent email attacks detected by Abnormal Security, combined with an analysis of historical attack data, indicate that email attacks related to federal taxes are likely to spike in the coming weeks in advance of the May 17th filing deadline. Tax-related attacks in 2021 have followed a...
Read More
Yellow line engagement
If an advanced attack finds its way into an employee’s inbox, you hope that they remember their security and awareness training and do not engage with it. However, there is always the risk that they engage with the message—clicking a...
Read More

Related Posts

B 10 15 21
With Detection 360, submission to threat containment just got 94% faster, making it incredibly easy for customers to submit false positives or missed attacks, and get real-time updates from Abnormal on investigation, conclusion, and remediation.
Read More
Extortion blog cover
Unfortunately, physically threatening extortion attempts sent via email continue to impact companies and public institutions when received—disrupting business, intimidating employees, and occasioning costly responses from public safety.
Read More
Blog engineering cybersecurity careers
Cybersecurity Careers Awareness Week is a great opportunity to explore key careers in information security, particularly as there are an estimated 3.1 million unfilled cybersecurity jobs. This disparity means that cybercriminals are taking advantage of the situation, sending more targeted attacks and seeing greater success each year.
Read More
Blog hiring cybersecurity leaders
As with every equation, there are always two sides and while it can be easy to blame users when they fall victim to scams and attacks, we also need to examine how we build and staff security teams.
Read More
Cover automated ato
With an increase in threat actor attention toward compromising accounts, Abnormal is focused on protecting our customers from this potentially high-profile threat. We are pleased to announce that our new Automated Account Takeover (ATO) Remediation functionality is available.
Read More
Email spoofing cover
Email spoofing is a common form of phishing attack designed to make the recipient believe that the message originates from a trusted source. A spoofed email is more than just a nuisance—it’s a malicious communication that poses a significant security threat.
Read More
Cover cybersecurity month kickoff
It’s time to turn the page on the calendar, and we are finally in October—the one month of the year when the spooky becomes reality. October is a unique juncture in the year as most companies are making the mad dash to year-end...
Read More
Ices announcement cover
Abnormal ICES offers all-in-one email security, delivering a precise approach to combat the full spectrum of email-borne threats. Powered by behavioral AI technology and deeply integrated with Microsoft 365...
Read More
Account takeover cover
Account takeovers are one of the biggest threats facing organizations of all sizes. They happen when cybercriminals gain legitimate login credentials and then use those credentials to send more attacks, acting like the person...
Read More
Blog podcast green cover
Many companies aspire to be customer-centric, but few find a way to operationalize customer-centricity into their team’s culture. As a 3x SaaS startup founder, most recently at Orum, and a veteran of Facebook and Palantir, Ayush Sood...
Read More
Blog attack atlassian cover
Credential phishing links are most commonly sent by email, and they typically lead to a website that is designed to look like common applications—most notably Microsoft Office 365, Google, Amazon, or other well-known...
Read More
Blog podcast purple cover
Working at hyper-growth startups usually means that unreasonable expectations will be thrust on individuals and teams. Demanding timelines, goals, and expectations can lead to high pressure, stress, accountability, and ultimately, extraordinary growth and achievements.
Read More