public:emai:malware

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
public:emai:malware [2021-10-21 13:51] veselypublic:emai:malware [2023-03-09 12:13] (current) vesely
Line 13: Line 13:
 **The generously opened and heterogeneous nature of the academic and research institution is extremely vulnerable to such kind of threat.** Regular enterprises and other profit-making businesses are usually much more homogenous with much simpler rules and measures against the third parties (no IMAP, no access to emails from non-business devices, strict mobile device management, blocked or limited traffic etc.). **The generously opened and heterogeneous nature of the academic and research institution is extremely vulnerable to such kind of threat.** Regular enterprises and other profit-making businesses are usually much more homogenous with much simpler rules and measures against the third parties (no IMAP, no access to emails from non-business devices, strict mobile device management, blocked or limited traffic etc.).
  
-Both areas of malicious or potentially problematic emails and regular emails are overlapping; it is not easy to distinguish between them sometimes.+ 
 +<font inherit/inherit;;#f39c12;;inherit>**Both areas**</font>  of 
 + <font inherit/inherit;;#c0392b;;inherit>**malicious or potentially problematic emails**</font>  and 
 + <font inherit/inherit;;#339933;;inherit>**regular emails**</font>  ** <font inherit/inherit;;#f39c12;;inherit>are overlapping</font> **; it is not easy to distinguish between them sometimes. 
  
 **The most dangerous threats are usually those of the "zero day attack" nature**; they usually take advantage of badly protected or misprotected email servers and domains so they can mimic the regular sender.\\ **The most dangerous threats are usually those of the "zero day attack" nature**; they usually take advantage of badly protected or misprotected email servers and domains so they can mimic the regular sender.\\
Line 37: Line 41:
  
   * [[:public:emai:malware#spf_hard_fail|SPF hard fail]] - sending server __is not on the allowed list__  provided by domain's owner and the domain owner asks for message blocking.   * [[:public:emai:malware#spf_hard_fail|SPF hard fail]] - sending server __is not on the allowed list__  provided by domain's owner and the domain owner asks for message blocking.
-  * [[:public:emai:malware#spf_soft_fail|SPF soft fail]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - SPF - soft fail]</font> - sending server is not listed among allowed ones, but the domain owner allow message passing with warning. +  * [[:public:emai:malware#spf_soft_fail|SPF soft fail]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - SPF - soft fail]</font>  - sending server is not listed among allowed ones, but the domain owner allow message passing with warning. 
-  * [[:public:emai:malware#spf_bad_alignment|SPF bad alignment]] - <font inherit/inherit;;#f39c12;;inherit>[Covert sender]</font> - verify the authenticity of the domain sending the email by using two diffrenent header signatures in the message. +  * [[:public:emai:malware#spf_bad_alignment|SPF bad alignment]] - <font inherit/inherit;;#f39c12;;inherit>[Covert sender]</font>  - verify the authenticity of the domain sending the email by using two diffrenent header signatures in the message. 
-  * [[:public:emai:malware#bad_dmarc|Bad DMARC]] - <font inherit/inherit;;#f39c12;;inherit>[Bad DMARC]</font> - the sender's domain does not have DMARC record and SPF set properly. +  * [[:public:emai:malware#bad_dmarc|Bad DMARC]] - <font inherit/inherit;;#f39c12;;inherit>[Bad DMARC]</font>  - the sender's domain does not have DMARC record and SPF set properly
-  * [[:public:emai:malware#ip_reputation_database_-_dnsbl|DNSBL listed]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputation - DNSBL listed]</font> - the sender's IP is listed in SPAM database. +  * [[:public:emai:malware#arc|Bad ARC]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - bad ARC]</font>  - the sender's email has ARC Seal but it's validation did not succed (e.g. invalid calculated email hash)
-  * [[:public:emai:malware#suspicious_newsletter|Suspicious Newsletter]] - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font> - it may be found that certain newsletters are suspicious because they may actually be spam under the disguise of newsletters. +  * [[:public:emai:malware#ip_reputation_database_-_dnsbl|DNSBL listed]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputation - DNSBL listed]</font>  - the sender's IP is listed in SPAM database. 
-  * [[:public:emai:malware#ip_reputation|Bad IP reputation]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputaton]</font> - emails from IP addresses with bad reputation may be discarded or quarantined. It may be dangerous to receive emails from such IPs. +  * [[:public:emai:malware#suspicious_newsletter|Suspicious Newsletter]] - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font>  - it may be found that certain newsletters are suspicious because they may actually be spam under the disguise of newsletters. 
-  * [[:public:emai:malware#warning_disclaimer_prepended_to_email|Warning Disclaimer]] (prepended to email) - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font> - Anti-Phishing engine cannot decide about targeting URL link (usually concealed by click spying) +  * [[:public:emai:malware#ip_reputation|Bad IP reputation]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputaton]</font>  - emails from IP addresses with bad reputation may be discarded or quarantined. It may be dangerous to receive emails from such IPs. 
-  * [[:public:emai:malware#suspicious_content_html_links_docs|Suspicious content]] (HTML links, docs) - <font inherit/inherit;;#f39c12;;inherit>[Suspicious]</font> - HTML content and attachments may contain potentially hazardous tags and attributes +  * [[:public:emai:malware#warning_disclaimer_prepended_to_email|Warning Disclaimer]] (prepended to email) - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font>  - Anti-Phishing engine cannot decide about targeting URL link (usually concealed by click spying) 
-  * [[:public:emai:malware#image_spam|Image Spam]] (images, pdf) - <font inherit/inherit;;#f39c12;;inherit>[Image spam]</font> - Some spammers conceal spam text as an image or PDF document. +  * [[:public:emai:malware#pdf_macro|PDF macro]] - PDF files include the ability to execute code on your device — and that’s where the danger lies 
-  * [[:public:emai:malware#deepheader_analysis|Deepheader analysis]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - header analysis]</font> - Deepheader analysis examines the entire message header for spam characteristics.+  * [[:public:emai:malware#suspicious_content_html_links_docs_macro|Suspicious content]] (HTML links, docs) - <font inherit/inherit;;#f39c12;;inherit>[Suspicious]</font>  - HTML content and attachments may contain potentially hazardous tags and attributes 
 +  * [[:public:emai:malware#image_spam|Image Spam]] (images, pdf) - <font inherit/inherit;;#f39c12;;inherit>[Image spam]</font>  - Some spammers conceal spam text as an image or PDF document. 
 +  * [[:public:emai:malware#deepheader_analysis|Deepheader analysis]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - header analysis]</font>  - Deepheader analysis examines the entire message header for spam characteristics.
  
 ===== Possible Spoof ===== ===== Possible Spoof =====
Line 62: Line 68:
 **Malicious use of spoofing**  - Phishing and business email compromise scams generally involve an element of email spoofing. Email spoofing has been responsible for public incidents with serious business and financial consequences. **Malicious use of spoofing**  - Phishing and business email compromise scams generally involve an element of email spoofing. Email spoofing has been responsible for public incidents with serious business and financial consequences.
  
-Example of spoof email:+**Example of spoof email:**
  
-MAIL FROM: **johndoe2<font inherit/inherit;;#2980b9;;inherit>@gmail.com</font>** \\ +MAIL FROM: **johndoe2 
-From: **john.doe<font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font>** \\ + <font inherit/inherit;;#2980b9;;inherit>@gmail.com</font> ** \\ 
-To: **jane.dow<font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font>**+From: **john.doe 
 + <font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font> ** \\ 
 +To: **jane.dow 
 + <font inherit/inherit;;#d35400;;inherit>@cerge-ei.cz</font> **
  
 Such email is suspicious. Some user with an account at Gmail (johndoe2@gmail.com) set his profile to use institutional email address (john.doe@cerge-ei.cz). \\ Such email is suspicious. Some user with an account at Gmail (johndoe2@gmail.com) set his profile to use institutional email address (john.doe@cerge-ei.cz). \\
Line 149: Line 158:
  
 To check DMARC setup for any domain go to [[https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/|https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/]] To check DMARC setup for any domain go to [[https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/|https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/]]
 +
 +DKIM
 +
 +===== ARC =====
 +
 +Authenticated Received Chain (ARC) is an email authentication system designed to allow an intermediate mail server like a mailing list or forwarding service to sign an email's original authentication results. This allows a receiving service to validate an email when the email's SPF and DKIM records are rendered invalid by an intermediate server's processing.
 +
 +Please examine email message headers for further tedails if there is [Suspicious - bad ARC] in message subject includes.
 +
 +You may see something like that in email headers:
 +<code>
 +
 +ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 + b=jMJ9kzS3ngfZqq4sLjdzOVKx7B7ETxqwNJAxdqIF7+qlrcD6pM7yu1mXbV35SyfKZU7la+YKB3S46XgZe/l4bgDaJ7o+nv9FuW/E3ccOS9ZzBgVlxQB2D74IXT5dWfG/x7POuQmj6tNLChR8TTL6dAIz3zVI2ogJ83VOwq/mOFtK1sC6qg8dyVBVsI5Vbhxrq5svU2knQyp0S9lF/JNwHPBTU48Ed48TIzGug8uWbc72eY6hU5/hnMo+/2031o9A6xc88PeE0saE520/ha+NcW81euRWknP8k0QCtp8O86n9Hf6COGavEs5TicPVJsjXtH6IR3jzyj3rqjrXWaXuHw==
 +
 +ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 + s=arcselector9901;
 + h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 + bh=qK7o6sWqLXWSt8J0VLOnwQMuYeUgfyS3kDNbxNzpc/0=;
 + b=SW+mXPUU6eC5V3CcE9v8qUPIfj3uN4lGvca6QWqhnb35RiPKlrEUj80ajHwe6VX5B+LFgMvlqQTtyPtFLTrwiJ747lcuMRPIfOBphz+tyHKYMEYTvPzzj7KfvB2I0zJYHMVtVBjjAc0OcZS72CuYwbVPrRt+6Blh0I2ugfvuQieUniSjQwWCVQIF7aYExk4ruBz31qj2JHN2y7+dEp5YBZFctmpvrYMnbjjZif/2DpVAdzJtdm8bD907GqVYnoGj+RolBdeCaOXpJ3TkUmeedZE3STIy/3iEA6SRkrsT9PjbSt/aeoE5cXBjpiV2F9BqzP/1uxcy3IGxTps2brdv2Q==
 +
 +ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 + smtp.mailfrom=csob.cz; dmarc=pass action=none header.from=csob.cz; dkim=pass
 + header.d=csob.cz; arc=none
 +...
 +X-FEAS-SPF: spf-result=pass, ip=193.245.32.140, helo=mail1a.csob.cz, mailFrom=john.doe@csob.cz
 +X-FEAS-DKIM: Valid
 +X-FEAS-ARC: Fail (The ARC-Message-Signature (i=1) contains an invalid body hash)
 +X-FE-Envelope-From: john.doe@csob.cz
 +X-FM-Filtering-11: subject.tag:spam-suspicious-arc
 +
 +</code>
 +
 +[[https://en.wikipedia.org/wiki/Authenticated_Received_Chain|https://en.wikipedia.org/wiki/Authenticated_Received_Chain]]
 +
 +[[https://dmarc.org/presentations/ARC-Overview-2016Q3-v01.pdf|https://dmarc.org/presentations/ARC-Overview-2016Q3-v01.pdf]]
  
 ===== Reputation databases - Blacklists ===== ===== Reputation databases - Blacklists =====
Line 210: Line 255:
 Certain sort of newsletter senders wants to track recipients clicks (to monetize and/or monitor recipient behavior) so they conceal the target URL behind their own hash. It is then undecidable whether the redirected URL is OK or not (phishing). Certain sort of newsletter senders wants to track recipients clicks (to monetize and/or monitor recipient behavior) so they conceal the target URL behind their own hash. It is then undecidable whether the redirected URL is OK or not (phishing).
  
-**Example**+**Example** <font inherit/inherit;;#c0392b;;inherit>**Obfuscated/unresolvable link**:</font>  If you get the newsletter from **bostonglobe.com**  with links in the form [[https://bostonglobe.us11|https://bostonglobe.us11]].**list-manage.com/track/click?u=90f9e490a86&id=0c98f5&e=e8fef**  , it cannot be said what is the targeting URL. Hence the ** <font inherit/inherit;;#c0392b;;inherit>warning about uncertain content is added</font> **.
  
-<font inherit/inherit;;#c0392b;;inherit>**Obfuscated/unresolvable link**:</font>If you get the newsletter from **bostonglobe.com**  with links in the form [[https://bostonglobe.us11|https://bostonglobe.us11]].**list-manage.com/track/click?u=90f9e490a86&id=0c98f5&e=e8fef**  , it cannot be said what is the targeting URL. Hence the **<font inherit/inherit;;#c0392b;;inherit>warning about uncertain content is added</font>**.+** <font inherit/inherit;;#27ae60;;inherit>Regular/direct link</font> **: If the newsletter from **newyorker.com**  contains links in the form [[https://link|https://link]].**newyorker.com/view/5dc1b3fc91f4/03075c2d**  , it may be tracked down to the target URL and **is considered safe**.
  
-**<font inherit/inherit;;#27ae60;;inherit>Regular/direct link</font>**: If the newsletter from **newyorker.com**  contains links in the form [[https://link|https://link]].**newyorker.com/view/5dc1b3fc91f4/03075c2d**  , it may be tracked down to the target URL and **is considered safe**.+===== Macro in attachments ===== 
 + 
 +==== PDF macro ==== 
 + 
 +PDF files include the ability to **execute code on your device**  — and that’s where the danger lies! 
 + 
 +Hence PDF files containing macro / executable code (like filling forms) are preventivelly **placed to users's quarantine**  where may be carefully released by user in case content is harmless. User may "whitelist" a trustful sender so quarantine might be skipped next time. 
 + 
 +PDF can contain the following: 
 + 
 +//Javascript//  – Javascripts are used in the website coding to control browser appearance and functionalityIn past, it has been used to exploit multiple vulnerabilities in Adobe as well as many other PDF readers. 
 + 
 +//System Commands//  – Launch action in PDF can open Command window and execute commands to initiate malware. Most of the commands have now been disabled by Adobe but they might be open in other readers or earlier versions. 
 + 
 +//Hidden Objects//  – PDFs can have embedded and encrypted objects which prevents being analyzed by antivirus scanner. These objects are executed when file is opened by the user. 
 + 
 +//Multimedia Control//  – When we say PDF can have embedded objects, it could be a quicktime media or flash file. Attacker can exploit vulnerability in media players.
  
 ===== Suspicious ===== ===== Suspicious =====
  
-==== Suspicious content (HTML links, docs) ====+==== Suspicious content (HTML links, docs, macro) ====
  
 //Added subject tag: **[Suspicious]** // //Added subject tag: **[Suspicious]** //
Line 242: Line 303:
 ===== Deepheader analysis ===== ===== Deepheader analysis =====
  
-//Added subject tag: [Suspicious] [Header analysis]//+//Added subject tag: [Suspicious - header analysis]//
  
-<font inherit/inherit;;#c0392b;;inherit>Tool to examine message header (displays human-readable content):</font>[[https://mha.azurewebsites.net/|https://mha.azurewebsites.net/]]+//Added warning text: "Deepheader analysis examines header for spam characteristics. Don't click any link unless you are certain it's legitimate.////"// <font inherit/inherit;;#c0392b;;inherit>Tool to examine message header (displays human-readable content):</font> [[https://mha.azurewebsites.net/|https://mha.azurewebsites.net/]]
  
 Deepheader analysis examines the entire message header for spam characteristics. Deepheader analysis examines the entire message header for spam characteristics.
  
-Basically an email has two parts. The body (information sent to recipient) and the header containing metadata (like "from", "to", content type, date of delivery, message forwarding path, signatures of mailservers, certificates, system-gegerated informations like spam level, processing info etc.).+More specifally - the deep header scan examines each message and **calculate a __confidence value__  based on the results of the decision-tree analysis**.The higher the calculated confidence valuethe more likely the message is really spam.
  
-Recipient can learn a lot about the email history and nature by examining message header. +There may be sometimes very subtle difference in the specific email, which triggers the confidence value. As a best practice it is always better to have an information that certain email may be problematicbecause attackers today are able to mimick messages that are almost indistinguishable from the original messages! **So check twice such messages before you click link in it or open an attachment**.
- +
-More specifally - the deep header scan examines each message and calculate a confidence value based on the results of the decision-tree analysis.The higher the calculated confidence value, the more likely the message is really spam.+
  
 Line //X-FEAS-DEEPHEADER://  is added to the message header that includes the message’s calculated confidence value. Line //X-FEAS-DEEPHEADER://  is added to the message header that includes the message’s calculated confidence value.
 +
 +Basically an email has two parts. The body (information sent to recipient) and the header containing metadata (like "from", "to", content type, date of delivery, message forwarding path, signatures of mailservers, certificates, system-gegerated informations like spam level, processing info etc.).
 +
 +Recipient can learn a lot about the email history and nature by examining message header.
  
  
  • /var/www/html/dokuwiki/data/attic/public/emai/malware.1634824279.txt.gz
  • Last modified: 2021-10-21 13:51
  • by vesely