How Do You Treat Email Attachments?

New Email Campaign Using PDF Has Been Discovered

Email security should be a top priority, because email is still the number one initial attack vector for data breaches, according to IBM. Despite this, sophisticated email attacks keep finding victims by exploiting the human factor, which has been involved in 82% of all breaches this year. Unfortunately, another malware distribution campaign using PDF attachments was identified last month, with attackers finding a new way to smuggle malware onto victims' devices.

Let's recap how the attack was performed

The new cybercrime campaign, discovered by HP Wolf Security, relied on careless user behavior to deliver the Snake Keylogger onto vulnerable endpoints via PDF attachments.

The threat actors first sent an email with the subject line "Remittance Invoice" to make the victims think they were about to be paid for something. When the PDF was opened, Adobe Reader prompted the user to open an embedded document, a DOCX file. That prompt alone might have looked suspicious, but the embedded document was named "has been verified", which suggests to the victim that the PDF reader has already scanned the file and it is safe to use.

The Word file contains a macro that, if enabled, downloads a rich text file (RTF) from a remote server and opens it. The RTF then attempts to download the Snake Keylogger malware.

For the attack to succeed, the targeted endpoint must still be vulnerable to the flaw the RTF exploits. Note that this time the attackers did not send the malicious code in the email itself; they tricked the victim into downloading it, which bypasses detection-based gateway defenses that only inspect what arrives in the message.

The cybersecurity community agrees that many such breaches are avoidable. The flaw exploited here was identified in 2017, and this series of attacks could have been prevented if device administrators had kept their operating systems and office applications patched.

According to Verizon's DBIR, there are four major paths into corporate information: credentials, phishing, exploiting vulnerabilities, and botnets. Failing to block even one of these can lead to a network intrusion. In this case, the attackers combined two of them: a well-choreographed email phishing scam to mislead unsuspecting users, and an exploited vulnerability to install malicious files.
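As an added illustration (not part of the original post, and not OPSWAT's or HP's code), here is a small Python triage check for the first stage of that chain: the PDF carrying an embedded document. It scans the raw bytes for the PDF name tokens a gateway would care about (embedded files, auto-run actions, JavaScript and launch actions), decodes the #hh escapes attackers use to disguise those names, and lists the embedded file names so a reviewer sees the "has been verified" lure. The sample PDF is constructed for the demonstration; its JavaScript action is one plausible way a PDF can push an embedded file at the reader and is an assumption, not a description of the campaign's actual file.

```python
import re

# Constructed sample (not the campaign's actual file): a minimal PDF that
# carries an embedded file named "has been verified" and an /OpenAction
# that runs JavaScript to hand that file to the reader.  Object offsets and
# the xref table are omitted because the triage below scans raw bytes.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R
  /Names << /EmbeddedFiles << /Names [(has been verified) 4 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK\x03\x04
endstream endobj
4 0 obj << /Type /Filespec /F (has been verified) /EF << /F 3 0 R >> >> endobj
5 0 obj << /S /JavaScript /JS (this.exportDataObject({cName: "has been verified", nLaunch: 2});) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Name tokens worth flagging, and what each one means to a reviewer.
PDF_INDICATORS = {
    b"/EmbeddedFile": "file attachment carried inside the PDF",
    b"/Filespec": "file specification (names an embedded or external file)",
    b"/OpenAction": "action executed automatically when the document opens",
    b"/AA": "additional-actions dictionary (event-triggered actions)",
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript code",
    b"/Launch": "launch action (asks the reader to run an external file)",
}


def normalize_pdf_names(data: bytes) -> bytes:
    """Decode #hh escapes inside names so /Java#53cript matches /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count risky name tokens and collect embedded file names.

    Caveat: objects packed into compressed object streams (/ObjStm with
    /FlateDecode) are invisible to a raw-byte scan; a production check has
    to inflate those streams first.
    """
    norm = normalize_pdf_names(data)
    hits = {}
    for token in PDF_INDICATORS:
        # Require a delimiter after the token so /EmbeddedFiles (the name
        # tree key) does not count as /EmbeddedFile (the attachment itself).
        n = len(re.findall(re.escape(token) + rb"(?![A-Za-z0-9])", norm))
        if n:
            hits[token.decode()] = n
    # /F (...) and /UF (...) inside a /Filespec carry the displayed file name.
    names = [m.decode(errors="replace")
             for m in re.findall(rb"/U?F\s*\(([^)]*)\)", norm)]
    auto_open = "/OpenAction" in hits or "/AA" in hits
    # An attachment that the document itself tries to launch is the pattern
    # from the campaign above; treat it as a quarantine case.
    if "/EmbeddedFile" in hits and auto_open:
        verdict = "quarantine"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"indicators": hits, "embedded_names": names, "verdict": verdict}


if __name__ == "__main__":
    report = triage_pdf(SAMPLE_PDF)
    for token, count in report["indicators"].items():
        print(f"{token:<14} x{count}  {PDF_INDICATORS[token.encode()]}")
    print("embedded names:", report["embedded_names"])
    print("verdict:", report["verdict"])
```

The verdict rule is deliberately simple: an attachment that the document itself tries to launch is quarantined, and anything else with risky tokens goes to review. Two caveats a real deployment has to handle: names inside compressed object streams are invisible until the streams are inflated, and a legitimate PDF portfolio also carries /EmbeddedFile objects, so this is a triage signal, not a verdict on its own.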

Commonly used protection measures

Since the campaign used email to deliver the Snake Keylogger to vulnerable endpoints via PDF files, the commonly used security best practices would not have stopped it, for the following reasons:

  • Exploits for vulnerabilities emerge within days, but it takes organizations weeks, or months, to patch.
  • Traditional email security solutions struggle to prevent zero-day attacks, since no anti-virus signatures exist yet to detect them.
  • Sandbox solutions have emerged as one approach to advanced threat detection, but they are not well suited to email because they add processing time before delivery.
  • Beyond the negative impact on productivity, certain email threats can evade sandbox detection. Two evasion techniques are relevant to this campaign:

    • Action-delayed execution: If attackers want to be sure their malware does not execute inside a sandbox, a common approach is to wait for end-user interaction before doing anything malicious: a mouse click, typing on the keyboard, or the opening of a specific application; the options are practically limitless. What matters to the attacker is that sandboxes typically do not simulate these actions, so without them the malicious behaviour never triggers and the sandbox sees a harmless file.

    • Trojans and macros: Trojan files are almost as old as ancient Greece, so to the credit of anti-virus and sandboxing solutions, they detect quite a few types of them. Detection-based solutions still tend to fail, however, once the payload is hidden behind a macro in a Microsoft Office document, as with the DOCX in this campaign. The only downside of macro-based attacks for attackers is that the end user has to enable macros, so they are almost always paired with a social-engineering lure.

The Zero-Trust Philosophy

Organizations should assume that all emails and attachments are malicious. Common productivity files such as Word documents or PDFs may carry malware or zero-day exploits, yet it is unrealistic to block email or Word documents outright. Anti-virus and sandbox solutions are limited by their ability to detect advanced attacks, and, as the attack above shows, relying only on detection-based protection is fundamentally the wrong approach. Instead, organizations should adopt a zero-trust approach with a proactive solution that treats every file as malicious and sanitizes it in real time. The sanitized attachment can be delivered to the user immediately, so business productivity is not hindered, while further detection-based (or dynamic) analysis runs in the background; if that analysis comes back clean, the original file can still be sent to the user.
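To make "treat every file as malicious and rebuild it" concrete, here is an added example, not OPSWAT's product code and not part of the original post, of a minimal content-disarm step for the DOCX stage of the attack above. It rebuilds an Office Open XML package without its VBA project, removes the relationship and content-type entries that reference it, downgrades the macro-enabled content type to the plain document type, and then checks that nothing macro-related survives. The sample document is constructed inline for the demonstration and carries only an OLE2 header in place of a real VBA project.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = ("application/vnd.openxmlformats-officedocument."
                 "wordprocessingml.document.main+xml")


def build_sample_docx() -> bytes:
    """Constructed macro-carrying package for the demo (no real VBA inside)."""
    content_types = (
        f'<Types xmlns="{CT_NS}">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CT}"/>'
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        "</Types>")
    doc_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{VBA_REL}" Target="vbaProject.bin"/>'
        "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/_rels/document.xml.rels", doc_rels)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   "<w:body><w:p><w:r><w:t>Remittance Invoice</w:t></w:r></w:p></w:body></w:document>")
        z.writestr("word/styles.xml", "<w:styles/>")
        # OLE2 magic only; a real vbaProject.bin is a compound file holding the VBA streams.
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


def is_macro_part(name: str) -> bool:
    # Extension is irrelevant: a .docx that contains these parts still carries VBA.
    return name.lower().endswith(("vbaproject.bin", "vbadata.xml"))


def strip_macro_rels(xml: bytes):
    """Drop relationships that point at the VBA project or VBA data parts."""
    root = ET.fromstring(xml)
    removed = 0
    for rel in list(root):
        if "relationships/vba" in rel.get("Type", "").lower():
            root.remove(rel)
            removed += 1
    ET.register_namespace("", REL_NS)  # keep the default namespace on output
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True), removed


def fix_content_types(xml: bytes, dropped) -> bytes:
    """Remove entries for dropped parts and downgrade the macro-enabled main part."""
    root = ET.fromstring(xml)
    for el in list(root):
        tag = el.tag.rsplit("}", 1)[-1]
        ct = el.get("ContentType", "")
        if tag == "Override" and el.get("PartName", "").lstrip("/") in dropped:
            root.remove(el)
        elif tag == "Default" and "vbaproject" in ct.lower():
            root.remove(el)
        elif ct == MACRO_MAIN_CT:
            el.set("ContentType", PLAIN_MAIN_CT)
    ET.register_namespace("", CT_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def sanitize_docx(data: bytes):
    """Rebuild the package without macro parts; return (clean_bytes, report)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    dropped = {n for n in src.namelist() if is_macro_part(n)}
    report = {"dropped_parts": sorted(dropped), "removed_relationships": 0, "kept_parts": []}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in dropped:
                continue
            body = src.read(name)
            if name == "[Content_Types].xml":
                body = fix_content_types(body, dropped)
            elif name.endswith(".rels"):
                body, n = strip_macro_rels(body)
                report["removed_relationships"] += n
            dst.writestr(name, body)  # every other part is copied unchanged
            report["kept_parts"].append(name)
    return out.getvalue(), report


def has_macro(data: bytes) -> bool:
    """Post-check: any VBA part, VBA relationship or macro-enabled content type left?"""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if any(is_macro_part(n) for n in z.namelist()):
            return True
        meta = b"".join(z.read(n) for n in z.namelist()
                        if n.endswith(".rels") or n == "[Content_Types].xml").lower()
    return b"vbaproject" in meta or b"macroenabled" in meta


if __name__ == "__main__":
    original = build_sample_docx()
    clean, report = sanitize_docx(original)
    print("before:", has_macro(original), "after:", has_macro(clean), report)
```

This is the shape of a disarm step, not a full product: a real CDR engine also strips OLE objects, DDE fields, external template references and active content in every part, and rebuilds the package from a parsed model rather than copying parts through. The point the example makes is that the document's usable content (the text in word/document.xml) survives untouched while the macro, and every pointer to it, is gone, so the file can be delivered without waiting for a detection verdict.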

MetaDefender Email Gateway Security is such a solution. It takes a comprehensive approach to disarming attachments, email bodies, and headers: all potentially malicious content is removed and the file is reconstructed as a clean copy. The resulting files remain fully usable and secure, protecting even careless users against the attacks described above.

OPSWAT protects organizations from exploits and weaponized content without the need for detection. And it is 30 times faster than sandbox detection too!

If you want to learn more about how you can fill email security gaps to protect your organization from advanced threats, download our free whitepaper, “Best Practices for Email Security and Critical Infrastructure Protection”, or read more blogs on the topic here.

Contact OPSWAT today and ask us how we can help improve your email security.
