Skip to main content

Tags:

Staying Ahead: Understanding the Latest Email Evasion Tactics

 

 

Introduction

Email remains a cornerstone of modern communication, yet it continues to be a primary vector for cyber threats. Cybercriminals have consistently refined their tactics, particularly in evading detection systems. The rise of sophisticated evasion techniques has made detecting and neutralizing email-based malware increasingly challenging. Understanding these evolving threats is crucial for organizations to adapt their security strategies effectively.

This blog explores emerging trends in email-based malware evasion, focusing on the latest strategies used by cybercriminals. By examining case studies, understanding common evasion techniques, and discussing the future of malware evasion, we aim to equip readers with the knowledge necessary to protect themselves and their organizations from these stealthy threats.

Current Email Threat Landscape

At Inception Cyber, our continuous monitoring of the email threat landscape reveals a shift towards more complex evasion techniques. Our research shows that email payloads are predominantly URL or attachment-based, with attackers heavily relying on HTML, PDF, and archive file formats. These formats are favored due to their ability to evade security filters, their familiarity and trust among users, and their potential for embedding malicious content. Additionally, they offer cross-platform compatibility and provide rich opportunities for social engineering, making them ideal for cybercriminals.

Figure 1: Top payloads in malspam emails

Noteworthy Evasion Techniques in Current Email Threats

Our analysis has uncovered compelling case studies demonstrating how attackers are not only using evasion techniques within email communications but also across the entire attack kill chain. These real-world examples underscore the rapid evolution of attacker strategies, particularly their sophisticated use of legitimate services to bypass traditional detection technologies at every stage of an attack.

Case Study #1: Exploiting Legitimate Services with Cloudflare reCAPTCHA

In a recent malspam campaign, we observed attackers leveraging Cloudflare reCAPTCHA services to evade automated analysis and security filters. This tactic increases the chances of their malicious pages going undetected by blocking automated tools and adding an air of legitimacy. The reCAPTCHA mechanism delays analysis, filters out non-human traffic, and ensures that only real users—especially targeted victims—proceed to the next stage of the attack. This underscores the need for advanced security measures and heightened user awareness to combat sophisticated threats.

Figure 2.0: Kill chain for malspam using legitimate services

Employing a combination of evasion tactics ensures that the email bypasses corporate security filters effectively. Notable evasion techniques as shown in figure 2.0 email kill-chain included:

Evasion Technique

MITRE ATT&CK Tactic

Stage of Kill Chain

Technology Bypassed

Why Technology Will Be Bypassed

OneDrive-themed PDF with URL to Legit Office Forms

Phishing (T1566)

Delivery

Email security filters, URL reputation services, Antivirus

The PDF and URL are associated with trusted services (OneDrive, Office Forms), making it difficult for security filters to identify the threat.

Leveraging Office Forms to Host Malicious URL

Phishing (T1566)

Delivery, Exploitation

Web security gateways, Anti-phishing technology

Office Forms is a legitimate service, so URLs hosted here are often not flagged by security tools, allowing the malicious URL to bypass detection.

Using Cloudflare reCAPTCHA before Downloading Payload

Defense Evasion (T1562)

Exploitation

Web filtering, Automated analysis technologies such as sandbox

Cloudflare reCAPTCHA adds a layer of legitimacy and prevents automated tools from accessing the malicious payload, hindering detection and analysis.

 

In another case, an email contained a redirector URL leading to a Freshdesk support page, which mimicked a OneDrive file and used Cloudflare CAPTCHA before downloading the malicious payload. This multi-layered evasion demonstrates the evolving sophistication of attacker tactics.

Figure 2.1. Showing URL in malspam body redirecting to legit webpage

Case Study #2: Abusing the "search-ms" URI Protocol with Cloudflare Tunnels

In recent months, we've identified a surge in emails employing advanced tactics, techniques, and procedures (TTPs) to bypass detection and enhance effectiveness. These emails, often themed around financial transactions, used HTML payloads as the initial infection vector. This particular campaign stood out due to its use of advanced evasion tactics, such as the search-ms URI protocol handler and Cloudflare tunnels.

Evasion Technique

MITRE ATT&CK Tactic

Stage of Kill Chain

Technology Bypassed

Why Technology Will Be Bypassed

HTML Smuggled search-ms URL Protocol Handler Link

Execution (T1204)

Delivery, Exploitation

Web content filters, Endpoint security technologies

The search-ms protocol is legitimate, making it difficult for filters to block without affecting legitimate usage; endpoint security may not recognize it as malicious.

Malware Delivery via Cloudflare Tunnel Abuse

Command and Control (T1071)

Delivery, Exploitation

Network security technologies, Traffic inspection

Cloudflare tunnels encrypt traffic and obfuscate command and control communication, bypassing traditional network security and inspection tools.

Payload Staging via WebDAV and SMB

Execution (T1204), Lateral Movement (T1021)

Exploitation, Installation

Endpoint detection, Network monitoring technologies

WebDAV and SMB protocols are often used legitimately, allowing attackers to stage payloads without triggering alarms.

Code-Obfuscation of Helper Scripts

Defense Evasion (T1027)

Exploitation, Installation

Antivirus, Script analysis technologies

Obfuscation techniques make the malicious code difficult to detect or analyze, evading antivirus and traditional script analysis technologies.

 

Figure 3. Showing malspam abusing "search-ms" URI Protocol Handler with Cloudflare Tunnels

The use of the search-ms protocol handler allows Windows users to perform search operations via a URI. In this case, attackers use this feature along with TryCloudflare tunnels as part of a malware campaign. TryCloudflare tunnels enable cybercriminals to create temporary infrastructure. Each TryCloudflare tunnel generates a random subdomain on trycloudflare[.]com, with traffic to these subdomains being proxied through Cloudflare to the attackers' local server.

This case study highlights the evolving and sophisticated nature of modern email-based attacks, emphasizing the importance of staying vigilant and adapting security measures to counter these advanced evasion techniques.

Case Study #3: Exploiting Signed Payload on Legitimate Cloud Hosting

A recent malware campaign targeting Israeli companies utilized a well-known technique where attackers exploited recent news events (CrowdStrike outage and the Israel-Hamas war) to craft their emails. This strategy, which capitalizes on heightened interest and urgency, increases the likelihood of recipients engaging with malicious content.

Figure 4: Email exploiting legitimate cloud hosting with a signed payload

The email contained a link to a .zip file with an installer (.msi) that included a pre-configured Atera remote admin agent capable of taking control of Windows devices. This combination of tactics made the malware particularly effective and difficult to detect.

In this particular campaign, attackers employed multiple evasion tactics:

Evasion Technique

MITRE ATT&CK Tactic

Stage of Kill Chain

Technology Bypassed

Why Technology Will Be Bypassed

Use of Recent Event-Themed Email

Phishing (T1566)

Delivery

Email filtering services, User awareness programs

Attackers exploit the timeliness and relevance of events to create urgency, which can lead to users bypassing normal caution and security checks.

Malicious Payload Signed by Atera

Defense Evasion (T1218)

Execution

Endpoint protection, Digital signature verification

The payload is signed, causing endpoint protection and signature verification systems to treat it as legitimate.

Payload Hosted on Legitimate Cloud Storage (Onehub)

Command and Control (T1071)

Delivery, Exploitation

URL filtering, Network security technologies

Hosting the payload on a reputable cloud service bypasses URL filtering and security tools that trust domains like Onehub, allowing the download and execution of malicious content.

 

Case Study #4: Abusing Open Redirect Vulnerabilities

We observed a significant rise in phishing campaigns that exploit open redirect vulnerabilities. Malware attackers exploit open redirect vulnerabilities to deceive users and security systems by manipulating URLs to appear legitimate while redirecting victims to malicious sites. This tactic allows attackers to bypass security filters that might not scrutinize the destination of a trusted URL, trick users into believing they are visiting a safe website, and increase the chances of successful phishing or malware delivery. By leveraging open redirects, attackers can effectively disguise their malicious intent and enhance the effectiveness of their campaigns.

Figure 5.0: Email exploiting open redirect feature of legitimate websites

The email in question redirects victim to a legitimate NaukriGulf job site in the Gulf. However, the URL comes from a phishing email with a redirect link. When users click the link, they briefly land on this legitimate page before being redirected to a phishing site.

For this case, attackers use tactics like:

Evasion Technique

MITRE ATT&CK Tactic

Stage of Kill Chain

Technology Bypassed

Why Technology Will Be Bypassed

Spoofing Sender Domain with a Call-to-Action in Email Body

Phishing (T1566)

Delivery

Email filtering services, Sender authentication checks (SPF/DKIM/DMARC)

The spoofed domain can closely mimic a legitimate one, and the call-to-action often appears urgent, leading users to act without scrutiny. Existing authentication checks might not detect the subtle differences or may be bypassed entirely if the spoofed domain is convincing.

Abusing Redirect Feature of a Legitimate Webpage

Phishing (T1566)

Exploitation

Web filters, URL reputation services

Attackers exploit the legitimate website's redirect feature, making the malicious link appear trustworthy. Web filters and URL reputation services may not block the redirect since the initial domain is reputable.

 

In one similar case, a malspam campaign was seen tricking the recipient with a claim that they have voicemail. Here as well multiple evasion techniques were seen in the email to avoid traditional security detections.

Figure 5.1. Malspam spoofing email headers and with redirect URL

By employing an open redirect, attackers mask the malicious link behind a trusted domain, allowing them to evade security measures that assess a domain’s reputation and age to filter out threats.

Case Study #5: Credential Phishing via Submission Form Services

HTML/SHTML smuggling campaigns have emerged as a significant attack vector, with an increase in credential phishing attacks through fake documents featuring login pages. A notable trend is the use of submission form services like NoCodeForm, Submit-Form, and Formbold to create deceptive phishing pages and streamline the collection of stolen credentials.

Figure 6: Credential phishing email campaign kill chain

In this case, attackers employ the following evasion tactics:

Evasion Technique

MITRE ATT&CK Tactic

Stage of Kill Chain

Technology Bypassed

Why Technology Will Be Bypassed

Use of Reputable Submission Form Services

Phishing (T1566)

Delivery

Email filtering services, Domain reputation checks

Attackers leverage legitimate services, making detection difficult as the domain is trusted and not flagged by reputation checks.

HTML/SHTML Smuggling Payload

Command and Control (T1071)

Exploitation

Network security tools, Content inspection

Attackers leverage legitimate services, making detection difficult as the domain is trusted and not flagged by reputation checks.

Credential Phishing via Fake Documents

Credential Access (T1078)

Delivery, Exploitation

Email security gateways, User training programs

Fake documents appear authentic, bypassing security filters; users are deceived by well-crafted phishing sites that mimic legitimate services.

 

Detection and Prevention Strategies for Evasive Malware

In today’s rapidly evolving threat landscape, attackers are using increasingly sophisticated, multi-layered evasion techniques that challenge even the most advanced detection systems. As Generative AI continues to evolve, the complexity and volume of these attacks will only grow, making them harder to identify. Traditional security measures—such as signature-based systems, sandboxes, and spam filters—are often inadequate against these evolving tactics.

To counter these threats effectively, adopting next-generation threat prevention strategies is crucial. AI-powered solutions provide a proactive defense that adapts to new attack vectors in real-time. Leveraging AI and large language models (LLMs) enhances defenses by enabling dynamic analysis of emerging threats, identifying patterns and anomalies that traditional methods might miss, and continuously learning from new data to refine detection and response strategies. This integration of advanced AI technologies ensures a more resilient and adaptive cybersecurity posture.

Conclusion

The current landscape of email threats is characterized by increasingly sophisticated, multi-stage attacks, with each phase involving distinct evasion techniques designed to bypass traditional security measures. As highlighted in this blog, the necessity for advanced threat prevention is more critical than ever. InceptionCyber.ai’s Neural Analysis and Correlation Engine (NACE) is uniquely equipped to tackle these challenges by going beyond traditional detection methods, ensuring robust protection against the evolving threat landscape.

 

Post by Kalpesh Mantri, Principal Research Engineer
Aug 14, 2024 1:20:42 PM