In this attack, attackers disguise harmful malware as a “request for quote” (RFQ) to encourage recipients to download dangerous files.
Platform: G Suite
Mailboxes: 500 – 1,000
Payload: Malicious Link
This attack is an impersonation of a “request for quote” (RFQ) from a legitimate, outside organization. The attack originates from the throwaway address “firstname.lastname@example.org”, with the reply-to address “email@example.com”.
By using urgent language, the attacker attempts to coax the recipient to click on the link “Rfq 507890.pdf” without examining it for malicious content. Clicking on the link does not download a PDF or bring the recipient to an external website, but rather forces a malware download.
The downloaded file from the malicious link is a compressed .GZ file, which enables it to circumvent certain malware detectors. Within the compressed file is a text file full of malicious code, including spyware such as a keylogger. If the recipient allows this code to run, the attacker could record everything that the recipient enters into his or her computer or possibly even take complete control of the recipient’s device.
Many security systems can only detect malware if it is attached to an email in an uncompressed form. Putting malware into a .ZIP folder or a .GZ archive can easily circumvent these security measures. Abnormal Security prevented this attack by recognizing a number of signals that, when combined, flagged the email as malicious. Some of these signals are contained in the message body, such as the presence of suspicious wording. Others are contained in the message headers, such as the fact that the reply-to address for this email did not match the sender address or any of the links in the email. It is much more difficult for an attacker to hide these kinds of signals than it is to hide the malware.
Abnormal is the email security company that stands for trust.
© 2021 Abnormal Security Corporation.
All rights reserved.