Phishing Emails are happening right now! (pt.11)

I am going to bring my “Back-to-Basics Phishing Emails – A Primer” series to a close today – although if other primer projects are any measure we will return with further updates in the future.

phishing emails - are a problem every organisation has to face.

Phishing Emails – A Clear and Present Danger

Just last week the cyber security press was reporting yet another slant on phishing emails, that takes a useful Windows feature and exploits it to execute the threat actors’ attack. (Toulas, 2024)

These phishing emails include an .html attachment which appears, at first glance, to be an invoice in a .zip file. This obfuscation is employed as it helps evade anti-virus and email scanners, as some do not parse compressed/archived files for malicious content. (Q. does this apply to the AV/Email scanning you use?)

If the .zip and the .html are opened, the .html file forces Windows Search to access a remote server and download malicious files, then it displays a shortcut to an “invoice” for the user to click on. If the user clicks on this link, a file on the remote server will run and the attack continues.

Phew

Trustwave SpiderLabs researchers could not identify the end game for this set of phishing emails, as the rogue server went down before they could complete their investigations – but based on the amount of work done to get the attackers this far it could not have been good.

Your takeaway after eleven articles about phishing emails

Some of the steps in the described attack are automatic. However, if the user is aware of the types of modern cyber security threat every organisation faces daily, they can make the conscious decision they are being attacked and stop.

Does your team have that type of Cyber Security Awareness Training? Because as quickly as the vendors fix their AV/scanning software to protect you from this attack, the threat actors will come up with another variant – your technical defences will only take you so far! We can help you!

Next…

I am having a break next week.

Clive Catton MSc (Cyber Security) – by-line and other articles

References

Toulas, B. (2024). Phishing emails abuse Windows search protocol to push malicious scripts. BleepingComputer. https://www.bleepingcomputer.com/news/security/phishing-emails-abuse-windows-search-protocol-to-push-malicious-scripts/

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Phishing Emails – A Clear and Present Danger

Phew

Your takeaway after eleven articles about phishing emails

Next…

References

Further Reading

Back-to-Basics Phishing Email Primer