What do Cryptolocker, Dridex, and Locky have in common? Besides being evil malware, they all started with malicious attachments. An innocent looking PDF, ZIP or Other, and before you know it you your sending money to a cyber criminal or a ransomware recovery specialist. When it comes to malicious attachments, the attack vectors can be manifold. The attachment can be a .zip containing a malicious application, an Office document with a malicious link that installs a keylogger or banking trojan or even non-malicious fake invoice as used in Business Email Compromise.
The Need For Attachment Defense.
There’s been a sharp increase in the use of email attachments as a way to launch attacks. The first reason being the low cost of launching an attachment containing a virus or malicious code. Criminals do care about ROI. Proofpoint research shows that attachment based campaigns cost 50% less than URL-based attacks, which often need the likes of phishing websites pharm the data. A cyber-criminal can launch a large scale phishing attack containing a malicious ZIP or PDF and be sure to catch a few victims.
According to a Verizon Enterprise report 66% of all malware was installed via malicious email attachments! These attacks have included as Zeus, Cryptolocker, and Dunihi amongst many others.
Attachment Attack Vectors
The Criminal’s varied endgame is another reason email attachment attacks have proliferated. They will generally use malicious attachments for the following:
Spear phishing attacks – This can be done through sending a malicious email to a well researched victim – and often results in ransomware (or blackmail).
Ransomware – A hidden file in a .zip, an .exe, .pdf or macro in a .doc and poof (or something like it) your computer is locked.
Exploits – Also hidden in a variety of attached files, only in this case the exploit can lurk for as long as the criminal has use of your network (or is discovered).
Deliver banking Trojans – A backdoor exploit, usually associated with gaining access to confidential banking information.
Keyloggers – Hundreds of breaches last year involved email attachments installing banking tojans and then using keyloggers (or form grabbers) to track your passwords.
Spoofing – Often, the attachment will appear to come from a stakeholder, internal or external, that is hard to differentiate by the naked eye. The fact that it appears to be from a legitimate source leaves the victim more vulnerable.
Why the SMB is vulnerable to Attachment Based Attacks
The Small-to-medium sized business faces cybersecurity challenges with needs differing from larger organizations. There are smaller IT teams, if there’s an IT team at all. If there is, the team might only be part time on security, with the majority of their time spent on the phone sorting out why the wifi is not working or why Janice from accounting can’t login. Devoting time on a regular basis to keeping up with trends in cybersecurity might not be realistic.
There’s less budget (in absolute terms) than compared to big companies, which often means skimping on anything but the most basic security and implementing less sophisticated security systems. That is if there’s an investment at all.
There’s also an environment with lower awareness and training, making human error a greater possibility (although there’s a lower number of people who might be “the one”).
How Attachment Defense Works
Attachment defense is designed to make sure that the malicious attachments don’t get through to the endpoint, and is based on a multi-layered approach. Fundamentally, “attachment defense” is a component and feature within all of these solutions which takes care of anything related to attachments. The choice to filter or not filter attachments is made based on known threats discovered through billions of emails filtered and many thousands of samples evaluated in a sandbox, along with inferences about where unknown threats can emerge based on the mass of knowledge of threats attachment defense accumulates over time. In order to make this easier to understand, consider some of the components laid out below:
As most of the email with malicious attachments will be unsolicited, spam filtering is the first line of defense.
Advanced Threat Protection
Outside of leading spam filtering, Targeted Attack Protection provides the next line of defense. Volume is key here (in our case billions of messages) and combined with machine learning, to analyze and identify malicious and suspicious emails, will ensure a much higher success rate.
Scanning Before Delivery
Once the malicious email attachment makes it into your network, the probability it will cause damage increases. It is key that attachments are scanned before they are delivered to your email servers.
EXE And other File Specific Actions
It is good practice to block all .exe files from deliverable email. Otherwise, files like .rar or .zip present a unique challenge as they can often contain hidden malicious content. Your attachment scanning protection should be able to scan these files pre-delivery.
And Most Importantly…
…Educate your users. There is so much info out there. Hold a regular awareness and training lunch. How many of your colleagues know that downloading an attachment can lead to serious consequences? Do they know about malicious macros?
Protecting your devices with anti-virus scanners is an essential (last) line of defense. The reason this can’t be relied on as “first line” (besides that email is the entry point of most attacks), is because there’s a lag between your anti-virus detecting the threat and the delivery. Proofpoint found only 10% of anti-virus engines would recognize a threat…a full 24 hours after delivery.
For these and as part of a complete email and cyber security plan, attachment defense is a must. Giving the prevalence of this form of spreading malware, and other attacks, it is hard to consider your protection complete if you haven’t considered malicious attachment defense.