Phishing – New Tactics and Techniques
We’ve recently observed a new trend with phishing and targeted malware attacks that use domains to bypass anti-spam. The attackers are using valid domains, SPF, SMTP, and reply addresses that mimic newsletter bouncebacks. These tactics allow the messages to bypass reputational and other types of checks.
The attachments are typical droppers, highly obfuscated and using Microsoft Word macros. Attachments were known under names such as Trojan-Downloader, VBA.Agent, and Exploit.Siggen leveraging Office CVE-2017-0199.
Domains w/ Virustotal link:
DocuSign – docusign.delivery
Bank Of America – securemsg-bankofamerica.com
Internal Revenue Service – irsinvoice.com
Dunn & Bradstreet – dnbdocuments.com
Tactics and Techniques:
Attackers are using return addresses that resemble a real newsletter bounceback.
SPF records exist for the domain, and they match the servers that send the targeted emails. They are online, answering to SMTP connections that use the appropriate banner for the website.
Attackers are using VPS or full service hosting accounts to launch attacks like LeaseWeb and Secure Servers LLC. Devices have remote administration ports and services open.
Incoming emails are highly obfuscated by a randomly generated Word document with macros. Attackers will change payload if a “virus” message is received. If it’s a RBL message, they will switch to another SMTP address and continue to hammer the system until it allows a delivery. Messages are modified near real-time after each rejection, until one is accepted.
If I had not configured a HOLD on documents with macros, these would have been delivered by my spam provider. I had an option configured to recognize “Newly Observed Domain,” but it didn’t recognize them, and it wasn’t set to block them. It may be a good idea to inspect these manually, or you could put in some kind of workflow for content examination to alert you when they are delivered. I’m looking for keywords like the ones below, and I’m also scanning some of the messages:
Domain record shows that it was registered today:
Here’s the SPF record for docusign.delivery:
SMTP server at the host answers on behalf of this domain as well for spam filters that form a connection back to the system during validation:
The sender passes SPF checks because they’re using a legitimate domain:
spf=pass (spfCheck: domain of docusign.delivery designates 22.214.171.124 as permitted sender) client-ip=126.96.36.199; firstname.lastname@example.org; helo=docusign.delivery Content-Type: multipart/mixed;
Nmap results show smtp/25 is open, and proxy/8080 is listening. Neither is an open relay, so we assume the attacker configured for quick remote access and spamming:
Email content was a word document:
Content-Disposition: attachment; filename="3873JDSB987391.doc" Content-Transfer-Encoding: base64 Content-Type: application/msword; name="3873JDSB987391.doc"