Blog

Email

Threat Finds

Darktrace email finds: Rare file type used to evade gateway tools

Darktrace email finds: Rare file type used to evade gateway toolsDefault blog imageDefault blog image
27
Aug 2020
27
Aug 2020

Darktrace has recently seen a string of email attacks that use some degree of social engineering to convince the recipient to open a misleading link and divulge their credentials. In this blog, we look at an email attack targeting a Spanish customer that involved hiding malicious content in an unusual file type that is not regularly checked by common email security tools.

An ISO file, often referred to as an ISO image, is an archive file that contains an identical copy of data found on an optical disc, like a CD or DVD. They are primarily used for backing up optical discs or distributing large file sets that are intended to be burned onto an optical disc. Since they are relatively unusual – and are typically extremely large files – most standard email controls don’t analyze them in any depth, if at all.

Darktrace detected one cyber-criminal using ISO files to inflict damage on a food distributor in Spain. The organization, which had adopted Antigena Email just two weeks earlier, received around 84 emails from the same sender, each containing a malicious ISO attachment. The emails were received from info@valeplaz[.]com, a clever and well-executed spoof of the email address info@valenplas[.]com, which is the contact email of a legitimate Spanish manufacturer – possibly even a supplier of the victim organization.

Figure 1: A snapshot of Antigena Email’s user interface

Darktrace noticed that the sender had never been seen in any prior correspondences across the business. Additionally, the personal field does not correspond with the header in the email itself – which is what would be visible to the recipient. In the connection IP address and checks, Darktrace’s AI revealed that the true sender does not correspond with the domain valeplaz[.]com.

The subject line suggests that the email is about an order the client made. Analyzing the attachments, Darktrace surfaced a file titled URGENTE_PO_120620.iso. The name of the file suggests the sender is attempting to use the social engineering tactic of urgency in order to alarm the recipients, leading them to jump into action and click a link or open attachments without carefully considering the details of the email.

Darktrace’s AI also recognized that the file extension .iso is highly anomalous for the group, user, and the organization as a whole. Even more suspiciously, the size of the attachment is incredibly small (just 485.4 kB), which makes it highly unlikely that it was, in fact, a genuine invoice in the form of a PDF or Word attachment. These findings, in conjunction with the New Contact and Wide Distribution tags of the email, caused Antigena Email to strip the email of the attachment and hold it back from each recipient’s inbox. In addition, Darktrace’s AI revealed that the email contained an anomalous link which it deemed highly suspicious, and locked the link in all emails while the security team investigated the incident.

Figure 2: The suspicious link in question

Stopping the attack without a Patient Zero

When the security team later checked the file hash on the attachment, they discovered that some anti-virus vendors, including Microsoft, had already labelled it as malware. The crucial challenge is to stop the malicious email in the first instance – before it lands in the first inbox. With a continuously updated understanding of ‘self’, Darktrace’s AI is able to do just that – stopping attacks without requiring a ‘Patient Zero’ be infected.

Moreover, many legacy solutions hadn’t yet recognized this file hash as malicious, suggesting that this was a relatively new attack. This exposes an increasingly obvious limitation of such tools – attackers are refreshing their attack infrastructure so often that no matter how frequently legacy tools or blacklists are updated, they are outdated almost immediately.

Antigena Email caught this attack without relying on any signatures and blacklists, but instead by learning whether or not the email, file, and behavior was normal for the unique business. With Cyber AI protecting their inbox, this organization was able to thwart this attack in the first instance – before any emails landed in an inbox or any employees clicked on the link.

More in this series:

No items found.

Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Mariana Pereira
Director of Email Security Products

Mariana is the Director of Email Security Products at Darktrace, with a primary focus on the capabilities of AI cyber defenses against email-borne attacks. Mariana works closely with the development, analyst, and marketing teams to advise technical and non-technical audiences on how best to augment cyber resilience within the email domain, and how to implement AI technology as a means of defense. She speaks regularly at international events, with a specialism in presenting on sophisticated, AI-powered email attacks. She holds an MBA from the University of Chicago, and speaks several languages including French, Italian, and Portuguese.

USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.
This Article
Darktrace email finds: Rare file type used to evade gateway tools
Share
Twitter logoLinkedIn logo

Related Articles

No items found.

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.