September 3, 2015 By Rick M Robinson 2 min read

Malicious attachments are making a comeback. These are email attachments, typically purporting to be documents or spreadsheets, that are laden with malware. Clicking on the attachment allows the malware to infect the user’s computer — from which it can spread to others in the same network, potentially infecting an entire company.

Malicious email attachments never went away, but as recently as last year, cybercriminals preferred to use Web links to deliver malware to unsuspecting victims. But attachments can evade many of the defenses erected against malicious URLs. And in the social media age, they can be targeted to thousands of users and spread across networks within hours.

Bait for Spear Phishing

As Karen A. Frenkel reported at CIO Insight, malicious attachments in emails are on the upswing. And while the total amount of spam email has been reduced substantially in the last year — thanks to the successful takedown of several botnets used for propagating spam — this new breed is more dangerous.

Malicious attachments are an old technique, but cybercriminals have gone back to it because it offers several advantages. Malware in email attachments can be platform-agnostic, running on practically any computer that loads it. It evades the reputation-based Web defenses that have been developed to identify suspicious URLs. And an email attachment can have any title or file format, allowing it to bypass most automated detection.

Malicious Attachments Target the User

Also adding to the risks from today’s malicious attachments are developments that have made email-based attacks more effective. The most important of these is the rise of so-called spear phishing, or targeted email attacks.

Unlike old-style phishing like the poor foreign widow emails of yore, spear phishing is targeted to particular individuals or occasions. For example, a spear phishing email may be addressed to the intended victim by name rather than a generic header such as “Dear Customer.” The result is that people are more likely to trust the email, click the link and infect their computers and networks.

Attackers are also leveraging social media both to gain targeting information such as people’s names and to access more potential targets. For example, spear phishing attacks geared to a high-profile event such as the Super Bowl can easily reach tens of thousands of victims via social media. And cybercriminals are also directing more such attacks at businesses. They know that a single mistaken click can expose the entire organization to attack.

Defense Against Spear Phishing

Because spear phishing, like other forms of social engineering, exploits the human factor, there is no purely technical defense. The best protection comes from user awareness of the threat and a corresponding wariness of emails that seem unusual or odd.

But big data analytics is also emerging as an effective tool for protection. By tracking large volumes of traffic, dynamic and predictive malware analytics can identify malicious attachments based on suspicious patterns that previously would have eluded detection. Combining analytics with digital forensics and effective use of such basic tools as archiving can help organizations detect malicious attachments before they do their damage.

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today