Email remains a top vector for attackers. Over the years, defenses have evolved, and policy-based protections have become standard for email clients such as Microsoft Outlook and Microsoft Mail. Such policies are highly effective, but only if they are maintained as attacker’s keep changing their tactics to evade defenses. For this reason, McAfee endpoint products use a combination of product features and content for increased agility. In McAfee Endpoint Security (ENS) 10.5+, such protection is enabled via the ‘Detect suspicious email attachments’ option and maintained through DAT content. This capability goes beyond the level of protection offered by email clients by not only blocking applications and scripts, but also a variety of threat types in their native form, as well as those compressed and contained within archives and other formats.
Figure 1 – ENS 10.6.1 Configuration Screen
An example of this capability in action can be seen against a recent spam run.
In this campaign, a malicious email message contained the attachment BANK DETAILS.ZIP. Inside this archive was the file BANK DETAILS.ISO. Malicious ISO spam has been increasing over the past six months, and while it is common for ISO files to be blocked by email clients, this is not the case where the ISO is inside of a ZIP. Inside the BANK DETAILS.ISO file resides BANK DETAILS.EXE. Email clients will typically block executable files attached to messages, but not if they are inside a container.
When the email client attempts to write the attachment to disk, ENS scans inside the ZIP and subsequently the contained ISO and EXE files (ZIP -> ISO -> EXE).
Figure 2 – ENS Toaster Popup
In this case, 2-year-old DAT content proactively stopped the threat.
If the system had not been protected, an unsuspecting user might open the ZIP to reveal the ISO.
Figure 3 – Inside ZIP file showing ISO file
The ISO can then be accessed via Windows Explorer, which appears as a DVD Drive containing the executable, password-stealing, payload.
Figure 4 – EXE file inside Bank Details.ISO
Since the advent of policy-based email attachment blocking, attackers have continued to seek ways to evade that protection. ISO abuse may be the latest chapter in the story, but others are sure to follow.
Tens of thousands of new and unique malicious attachments are blocked each month via the ‘Suspicious Attachment’ detection feature.