Security researchers at MailGuard analyzed a targeted spear phishing attack on an organization and discovered the use of a novel technique intended to deceive email filters and spam scanners, highlighting how threat actors continuously adapt their tactics, techniques, and procedures.
In this incident, the spear phishing email alleges the recipient’s “mailbox has now exceeded the limit,” and warns, “Emails sent to you will not be delivered.” The email masquerades as an automated message from the company’s support department and includes the targeted company’s logo and name in the body of the email. The message is also customized for the targeted recipient: the hyperlinks in the email have the employee’s email address embedded in them. To address the purported issue, the targeted employee is prompted to log in to their email via a link in the message. Once the link is clicked, however, the victim is taken to a phishing page that appears to be a login portal, where their account credentials will be stolen. What’s novel about this attack, according to MailGuard, “is that the HTML portion of the email has been obfuscated with tags that contain random text in an attempt to hide its intent, tricking spam filters into marking it as safe.” Read more at MailGuard.
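A filter-side check for this kind of obfuscation, as an added example that is not MailGuard's code: it compares a naive tag-stripping scan with a scan of only the text a mail client would render. The summary does not say how the random text is kept out of view, so hiding via inline CSS is an assumption here, and the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser

# Assumption: filler tags are hidden with inline CSS like the patterns below.
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link", "wbr"}
LURES = ("mailbox has now exceeded the limit", "will not be delivered")

class VisibleText(HTMLParser):
    """Collects only the text a mail client would actually render."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack, self.out, self.hidden_chars = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        parent_hidden = bool(self.stack and self.stack[-1][1])
        self.stack.append((tag, parent_hidden or bool(HIDDEN.search(style))))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self.stack and self.stack[-1][1]:
            self.hidden_chars += len(data)   # invisible filler text
        else:
            self.out.append(data)

def analyze(html):
    p = VisibleText()
    p.feed(html)
    p.close()
    visible = re.sub(r"\s+", " ", "".join(p.out)).strip().lower()
    naive = re.sub(r"<[^>]+>", "", html).lower()  # tag stripping only
    return {
        "naive_hits": [l for l in LURES if l in naive],
        "visible_hits": [l for l in LURES if l in visible],
        "hidden_chars": p.hidden_chars,
    }

# Constructed sample: lure phrases split by hidden tags holding random text.
SAMPLE = ('<p>Your mail<span style="display:none">qzx kf</span>box has now '
          'exceeded<i style="font-size:0px">wpl</i> the limit. Emails sent to you '
          'will not<span style="display:none">rrt</span> be delivered.</p>')
```

A message where `visible_hits` is non-empty while `naive_hits` is empty, or where `hidden_chars` is large relative to the visible text, is a candidate for quarantine or closer inspection.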