Wednesday, March 22, 2017

A phishing email - missed by mimecast, caught by Check Point

A friend of mine has got an email from his bank one day to his corporate mailbox. From the start he knew it was a phishing email. There were several clues.

Firstly, his bank does not know his corporate email address. Secondly, the only emails bank sends are the warnings not to open any emails with attachments from that bank, ever. And of course, the colleague got an email with an attached HTML file.

Being an IT guy, he is aware of the danger involved. Being a curious guy, he asked me to assist him with getting details of who attacks him and how. He asked me to assist. This is what we have done to get to the bottom of it.

1. Email headers info

The email has been sent from a private residential IP address in Spain and routed through a mail server belonging to a law firm in Santiago, Chile, most probably with weak security settings on its SMTP server. The sender's mail address was spoofed to look like the email sent from LinkedIn.

- Come on, guys, how stupid should your supposed victim be? Banking email sending messages through LinkedIn? Seriously?

My friend's company uses mimecast service to filter out  malicious emails. It was only partially effective in this particular case. In the mail header, the service flagged SMTP server as not trusted to belong to LinkedIn., Yet, the email was delivered nonetheless.

2. Attachment analysis

As mentioned, the email has an attachment with a suspicious HTML file. The file has a couple of lines of code, with obvious obfuscated payload in it. Before trying to open it, we have decided to scan it on VirusTotal. Out of 55 vendors, only Mcafee had this file previously scanned and marked malicious. That was more than suspicious, so at this point we have asked Vulnerability Research team at Check Point to assist. They have kindly agreed to help.

It turns out the obfuscated code is not a malware in a technical sense. Instead, it has a phishing page with a fake dialog for collecting credit card details.

The actual link goes to a web site in Brazil, which is already closed by ISP for suspicious activity.

3. How that would look with Check Point phishing protection

One important note is that if my friend would use Check Point Anti-Phishing browser extension, even after opening an attached HTML file he would not possible fall a victim of this scam. Why? Because he would see a warning like that:

Special thanks to Oded Vanunu and Check Point Vulnerability Research team.

To support this blog send your donations to

No comments:

Post a Comment