Malicious attachments are making a comeback. These are email attachments, typically purporting to be documents or spreadsheets, that are laden with malware. Clicking on the attachment allows the malware to infect the user’s computer — from which it can spread to others in the same network, potentially infecting an entire company.

Malicious email attachments never went away, but as recently as last year, cybercriminals preferred to use Web links to deliver malware to unsuspecting victims. But attachments can evade many of the defenses erected against malicious URLs. And in the social media age, they can be targeted to thousands of users and spread across networks within hours.

Bait for Spear Phishing

As Karen A. Frenkel reported at CIO Insight, malicious attachments in emails are on the upswing. And while the total amount of spam email has been reduced substantially in the last year — thanks to the successful takedown of several botnets used for propagating spam — this new breed is more dangerous.

Malicious attachments are an old technique, but cybercriminals have gone back to it because it offers several advantages. Malware in email attachments can be platform-agnostic, running on practically any computer that loads it. It evades the reputation-based Web defenses that have been developed to identify suspicious URLs. And an email attachment can have any title or file format, allowing it to bypass most automated detection.

Malicious Attachments Target the User

Also adding to the risks from today’s malicious attachments are developments that have made email-based attacks more effective. The most important of these is the rise of so-called spear phishing, or targeted email attacks.

Unlike old-style phishing like the poor foreign widow emails of yore, spear phishing is targeted to particular individuals or occasions. For example, a spear phishing email may be addressed to the intended victim by name rather than a generic header such as “Dear Customer.” The result is that people are more likely to trust the email, click the link and infect their computers and networks.

Attackers are also leveraging social media both to gain targeting information such as people’s names and to access more potential targets. For example, spear phishing attacks geared to a high-profile event such as the Super Bowl can easily reach tens of thousands of victims via social media. And cybercriminals are also directing more such attacks at businesses. They know that a single mistaken click can expose the entire organization to attack.

Defense Against Spear Phishing

Because spear phishing, like other forms of social engineering, exploits the human factor, there is no purely technical defense. The best protection comes from user awareness of the threat and a corresponding wariness of emails that seem unusual or odd.

But big data analytics is also emerging as an effective tool for protection. By tracking large volumes of traffic, dynamic and predictive malware analytics can identify malicious attachments based on suspicious patterns that previously would have eluded detection. Combining analytics with digital forensics and effective use of such basic tools as archiving can help organizations detect malicious attachments before they do their damage.

More from Malware

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

ITG10 likely targeting South Korean entities of interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

Ransomware renaissance 2023: The definitive guide to stay safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

BlackCat (ALPHV) ransomware levels up for stealth, speed and exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…