New Phishing techniques and how to identify them
Phishing remains one of the primary attack vectors (if not the primary vector) for the compromise of user accounts and enterprise systems (spearphishing and malicious attachments).
As often occurs, the evolution of defensive systems drives a concurrent evolution of techniques employed by threat actors to circumvent defensive technologies.
Recently, to evade effective anti-spam controls, threat actors have begun embedding phishing pages directly within email messages.
Traditionally, BEC (Business Email Compromise) attacks leverage keylogger-type malware to steal target account credentials. However, the use of malicious file attachments represents an approach readily detectable by protective technologies.
Consequently, we observe an increasing trend toward the use of HTML-formatted file attachments.

A signature-less approach
Anti-spam solutions rely on signature-based criteria to identify emails carrying this class of attack.
The problem can instead be addressed through anomaly detection and analysis of the process chain spawned when a suspicious file is opened. Detection mechanisms must focus on behavioral indicators rather than file signatures alone. Our Cybersecurity Advisory processes identify process chain anomalies that deviate from baseline user activity patterns.
An example:
| Parameter | Value |
| --- | --- |
| Parent Process | Outlook.exe (and similar) |
| Process Name | Chrome.exe (and similar) |
| Command Line | *.htm (and similar) |
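The detection logic from the table above, written out as an added example (not code from the original article) and run over constructed Sysmon-style process-creation records. The field names (`ParentImage`, `Image`, `CommandLine`), the lists of mail clients and browsers, and the sample paths are assumptions; the rule generalizes the table slightly by also matching `.html`, `.mht` and `.mhtml` attachments and by ignoring remote URLs, which a mail client legitimately hands to a browser.

```python
"""Flag a browser launched by a mail client to open a local HTML-like file.

Added example, not part of the original article. Events are constructed
Sysmon-style process-creation records; field names and process lists are
assumptions chosen to mirror the table (parent / process / command line).
"""
import re
from pathlib import PureWindowsPath

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "olk.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
HTML_EXTS = {".htm", ".html", ".mht", ".mhtml", ".shtml"}

# Split a command line into quoted ("...") or bare whitespace-delimited tokens.
_TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')


def html_attachment_args(cmdline: str) -> list:
    """Return the command-line tokens that point at local HTML-like files."""
    hits = []
    for quoted, bare in _TOKEN_RE.findall(cmdline):
        arg = quoted or bare
        # Switches and remote URLs are not opened attachments; skip them.
        if arg.startswith(("-", "/", "http:", "https:")):
            continue
        if PureWindowsPath(arg).suffix.lower() in HTML_EXTS:
            hits.append(arg)
    return hits


def is_suspicious(event: dict) -> bool:
    """Mail client -> browser -> local HTML file: the chain from the table."""
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    child = PureWindowsPath(event.get("Image", "")).name.lower()
    return (parent in MAIL_CLIENTS and child in BROWSERS
            and bool(html_attachment_args(event.get("CommandLine", ""))))


def triage(events: list) -> list:
    """Filter a batch of process-creation events down to the suspicious ones."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events; only the first one matches the rule.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r'--single-argument "C:\Users\bob\AppData\Local\Microsoft\Windows'
                    r'\INetCache\Content.Outlook\X1Y2Z3\Invoice_4421.htm"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"msedge.exe" --single-argument https://intranet.example/report.html'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" "C:\Users\bob\Downloads\manual.html"'},
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print("SUSPICIOUS:", ev["CommandLine"])
```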