It’s common knowledge that most cyberattacks begin with a phishing campaign, i.e. malicious emails that seek to harvest employees’ credentials or deploy malware.

Is it possible to slam the door on that entry point? The most obvious solution was to prevent users from receiving phishing emails at all. No phishing emails, no beachhead for hackers. Seems logical, doesn’t it?

This is what led to the development of anti-spam software. This approach is obviously useful insofar as it raises the technical bar for getting into mailboxes. Unfortunately, it cannot guarantee absolute protection against hackers, who have an array of tools and techniques to bypass anti-spam filters.

This article will explore some of the tactics hackers can use to ensure their message reaches its intended target.

These methods are constantly evolving, and the examples we present are mainly for educational purposes: they are there to help you explain clearly and simply to your users why anti-spam tools will never constitute an absolute barrier, and why vigilance needs to be maintained at all times.

What does an anti-spam really do? And how can it be bypassed?

What does an anti-spam do? The short answer: two things.

  1. It assesses the reputation of the sender
  2. It evaluates the content of the email to ensure there is no threat to the user

This does not mean that anti-spams are not useful and necessary for a company (quite the contrary). It simply means that understanding what they do provides a framework for how to bypass them.

Hence there are two broad approaches for hackers wishing to bypass anti-spams:

  1. Improve the sender’s reputation
  2. Bypass defenses evaluating the email’s content.

1. Sender reputation

Trusted domain

In order to fool the assessment of the sender’s reputation, or rather to mask a negative reputation that would trigger the blocking of the email, hackers try to give the impression that the email is trustworthy because it comes from a trusted sender:

  • By using trusted email providers: services like Gmail or mail.com have a good starting reputation
  • By using other well-known, widely used services: emails coming from document sharing services such as Dropbox or Google Drive are less likely to draw the attention of anti-spam filters
[Figure: example of a Google Docs phishing attempt delivered via Google Drive]
  • By using email servers with a good reputation (e.g. AWS) and spoofing a domain or near-domain that is not protected (by a DMARC policy, for instance).

Fake email trustworthiness

Hackers can easily give their emails a layer of trustworthiness by taking some steps before sending them. This includes:

  • Setting up SPF, DMARC, DKIM on the domain
  • Using mailbox warm-up solutions, which establish that the sender regularly sends emails in the normal course of business, and by limiting the amount of emails sent from a single domain
  • Using an existing old domain, or at least waiting between the creation of the domain and the sending of emails
  • Using multiple IP addresses to send emails, and limiting the amount sent each time, in order to avoid being blacklisted
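The two passages above both turn on DMARC: an unprotected domain can be spoofed, and attackers publish SPF/DKIM/DMARC on their own domains to look legitimate. The flip side for a defender is checking that your own domain's record actually enforces anything. The following added example (not code from the original article) parses a DMARC TXT record and lists the weaknesses a spoofer could exploit; the record strings are constructed samples, and `assess_dmarc` is a hypothetical helper name.

```python
"""Assess how much anti-spoofing protection a DMARC TXT record actually gives."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DmarcAssessment:
    policy: str                 # p= tag: none, quarantine, reject, or "missing"
    subdomain_policy: str       # sp= tag, defaults to p= when absent
    pct: int                    # share of failing mail the policy applies to
    findings: list = field(default_factory=list)


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: Optional[str]) -> DmarcAssessment:
    """Return the policy in force plus every gap that leaves room for spoofing."""
    if not txt:
        return DmarcAssessment("missing", "missing", 0,
                               ["no DMARC record: spoofed mail is delivered unchecked"])
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("record does not start with v=DMARC1 and will be ignored")
    policy = tags.get("p", "missing")
    sub_policy = tags.get("sp", policy)          # RFC 7489: sp inherits p
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains can be spoofed although the apex is enforced")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports on spoofing are not collected")
    return DmarcAssessment(policy, sub_policy, pct, findings)


# Constructed sample records (not real domains' records)
STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
PARTIAL = "v=DMARC1; p=quarantine; sp=none; pct=50"
```

In practice the record comes from the `_dmarc.<domain>` TXT lookup; the function itself is pure so it can be run on a pasted record offline.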

ATO (account takeover)

This type of attack obviously renders ineffective the “reputation” component of anti-spam protections.

Hackers use a first compromised account (supplier, customer...) as a stepping stone to send further, targeted, phishing emails.

By doing so they kill two birds with one stone, so to speak: they benefit from the reputation of the compromised account (considered a normal, human-used account as long as the amount of emails sent remains reasonable), and they benefit from the lack of vigilance of targets who are used to receiving emails from this sender, and who therefore risk being tricked by the trust they place in it.

For example, if you’re used to receiving PDF invoices and Excel attachments from a supplier, the anti-spam won’t be alerted if you receive (you guessed it) PDF files and Excel attachments from this supplier, thereby leaving the target vulnerable.

2. Bypassing defences

A phishing email generally seeks to deliver a payload that is usually either a URL link to direct the target towards a webpage (to trigger a download, harvest credentials), or an attachment (to execute malicious code, via, for example, macros).

Anti-spam tools protect users by analyzing the content of the email, namely URLs and attachments, at times in an advanced fashion. But that hasn’t deterred hackers.

URL

There are ways to keep anti-spam tools from detecting the malicious intent of a phishing webpage:

Masking the URL’s destination

  • It’s possible for hackers to hide behind trusted domains (Google APIs, Amazon S3). This enables them to display a URL that links to a trustworthy domain (similar to a Google Drive share link, for example) that cannot trigger anti-spam blocking because similar links are used for legitimate purposes. Another technique is to use a Google search redirect link (while ensuring that the malicious site is the top result, the one which will be opened)
  • Hackers can use URL redirects (the URL redirects towards another page) or URL shortening services (such as Bitly): the idea is to mask the URL so it is not properly analyzed by the anti-spam tool
  • Using a pop-up on a trusted page: the URL indicates a trusted destination but also contains the elements for a pop-up that is the true threat
  • Even the content of the email that will lead the user to click can be hidden from anti-spam analyses by using techniques such as special fonts, images, obfuscation... all in an effort to make analysis more difficult
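The masking tricks in the list above (shorteners, redirect links whose real destination sits in a query parameter, anchor text that shows one domain while the link goes to another) all leave a trace in the message itself. As an added example that is not part of the original article, the following triage pass extracts the links from an email body and reports which of those traces each one carries; the HTML body and the `malicious-example.test` host are constructed samples, and the shortener list is an assumption to be extended locally.

```python
"""Flag links in an HTML email body that use URL-masking tricks."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumption: a small starter list of shortener hosts; extend it for your environment
SHORTENERS = {"bit.ly", "tinyurl.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_link(href: str, text: str) -> list:
    """Return the reasons a link deserves a closer look (empty list = nothing odd)."""
    reasons, parsed = [], urlparse(href)
    host = (parsed.hostname or "").lower()
    if host in SHORTENERS:
        reasons.append("shortener hides the destination")
    # A query value that is itself a URL is the shape of a search/open redirect
    if any(v.lower().startswith(("http://", "https://"))
           for values in parse_qs(parsed.query).values() for v in values):
        reasons.append("redirect parameter carries another URL")
    # Visible text that looks like a URL but names a different host than the href
    if text and " " not in text:
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        if shown and "." in shown and shown.lower() != host:
            reasons.append(f"text shows {shown} but link goes to {host}")
    return reasons


def triage_html(body: str) -> dict:
    """Map every href in the body to its list of findings."""
    collector = LinkCollector()
    collector.feed(body)
    return {href: triage_link(href, text) for href, text in collector.links}


# Constructed sample body (placeholder links, not a real campaign)
SAMPLE_BODY = """<p>Your invoice is ready.</p>
<a href="https://bit.ly/CONSTRUCTED">View invoice</a>
<a href="https://www.google.com/url?q=https://malicious-example.test/login">drive.google.com/file/abc</a>
<a href="https://drive.google.com/file/d/abc">drive.google.com/file/d/abc</a>"""
```

A hit is a reason to inspect, not a verdict: legitimate newsletters use shorteners too, so feed the flagged links into the URL analysis step rather than blocking on them outright.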

Passing the anti-spam tool’s analysis of the destination page

In order to defeat the countermeasures deployed by hackers, anti-spam tools rely on techniques such as URL rewriting to gain some time in which to run analyses and protect the users.

The idea is to briefly redirect the user who clicked on a link while the anti-spam tool analyzes the destination page for malicious elements. This approach is a response to the proliferation of malicious URLs and avoids relying on static lists of blocked pages. However, hackers have also found ways around this:

Blocking the inspection of the page by the anti-spam tool:
  • Hiding the phishing content (a fake login page or a malware download page) behind captchas prevents anti-spam crawlers from analyzing and detecting the malicious content.
  • Moreover, it reinforces the illusion of safety for the user. People are used to dealing with captchas when they are filling in forms or signing up online, and associate them with legitimate services (turning our habits against us is probably the most effective technique in the hackers’ toolbox).
[Figure: example of a phishing campaign hidden behind a captcha]
Tricking the anti-spam during the inspection of the webpage:
  • Most anti-spams display behavioral traits that make them identifiable (IP addresses, HTTP headers, browser elements)
  • After mapping and research, hackers can “hide” their phishing content by redirecting visits tagged as anti-spam crawlers towards a legitimate and safe page.
  • A study on this topic allowed researchers to maintain, indefinitely and despite analysis by anti-spam crawlers, 18 of the 20 phishing pages they created for the study (and the two that were blocked were reported manually by human users).

Attachment

A malicious attachment that will trigger the download of malware via macros (for example) is a very effective weapon used by hackers.

Anti-spams have sought to address this by executing any code contained in attachments in secure environments isolated from the rest of the system (sandboxes), in order to verify that it is safe. But, here again, hackers have found ways around these defenses.

Blocking inspection:
  • By using document sharing services such as WeTransfer, Google Drive or Dropbox, hackers can avoid having the content of the document they send analyzed by malware detection tools. The fact that these services are used regularly, both professionally and personally, increases the likelihood that a user will download the document.
[Figure: example of WeTransfer abuse that ultimately leads the target to a credential harvesting page]
  • Instead of putting the attachment directly in the email, hackers can host it on a nondescript page, where the user is tricked into downloading it by social engineering techniques. Here again, hackers can add a captcha: as mentioned previously, it helps block analysis and induces a false sense of legitimacy
Passing sandbox inspection

Modern malware has sandbox evasion functionality to detect and avoid protection mechanisms, and to hide the malicious elements in its code if it is executed in a sandbox environment. This includes:

  • System analysis: malware can check how many and which processes are running and which libraries are loaded, in order to detect whether it is in a sandbox environment
  • Patience: delaying the malicious action on the assumption that analysis must be conducted rapidly for efficiency reasons (no one wants to wait 15 minutes before opening an attachment)
  • Human interaction detection: by looking for signs of human behavior (mouse movement, for example), malware can check whether it is in an automated sandbox environment or not
  • Code obfuscation and anti-analysis: hiding malicious segments of the code, and suspending their execution if a debugger is detected

All in all, it’s possible to find malware with sandbox evasion functionality for as little as $30 on the dark web.

Conclusion

Anti-spam tools are definitely a must-have. They prevent mass attacks, they increase the cost (time, money, resources) hackers have to invest in order to bypass them, and they provide a layer of analysis that can detect certain attacks.

But beware of a belief held by less knowledgeable users, who think they can rely entirely on their company’s anti-spam or anti-phishing solutions for protection.

These tools do not constitute an absolute barrier against phishing attacks, which have evolved specifically in order to pass this first layer of defense.