
    New Phishing Attack Emerges using SHTML File Attachments

    New phishing tactic identified in latest threat intelligence research from Mimecast’s Threat Center

    by Tomasz Kojm 

    In early April, the Mimecast Threat Center team was alerted to a rare phishing attack, originating in the UK, that was built on server-parsed HTML (SHTML) file attachments.

    When users opened attachments in these phishing campaign emails, they were immediately redirected to a malicious site requesting sensitive information. The image below shows an example of the targeted attack email that organizations received.

    Overall, 55% of this campaign was distributed in the UK, 31% in Australia, 11% in South Africa and 3% elsewhere. In the UK and South Africa, the finance and accounting sectors were mainly targeted, while in Australia it was largely the higher education sector.

    This phishing attack was unusual in that it used SHTML file attachments. SHTML is ordinary HTML that carries Server Side Include (SSI) directives, and the format is normally found on web servers, which expand those directives before serving the page. An attachment opened from an email never passes through a web server: the browser simply renders it as HTML, treats the SSI directives as comments and executes any JavaScript in the file. Inside the file contents was the JavaScript code displayed below, which obfuscated the malicious URL and redirected the browser to it.

    The Threat Center used this threat intelligence to create a custom rule that directly identifies the SHTML construction. Mimecast’s gateway now detects and blocks all inbound emails containing the SHTML code, transparently safeguarding customers from this kind of phishing. In the two months since deployment, more than 100,000 individual users have been protected from the attack by this signature.
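    The kind of check a gateway rule for this construction would perform can be sketched in a few dozen lines. The following is an added example, not Mimecast’s rule or code from this post: it parses a raw message, pulls out every .shtml/.shtm/.stm attachment, looks for SSI directives and for a script that navigates the browser, and undoes the common string-level obfuscations (percent encoding, \x escapes, String.fromCharCode, literal concatenation) so the destination URL can be logged. The function names, the sample message and the sample attachment (which uses the reserved example.invalid domain) are all constructed for illustration.

```python
"""Flag .shtml mail attachments whose JavaScript redirects to an obfuscated URL.

Added example (not the Mimecast rule): function names and the sample message
are constructed for illustration.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import unquote

SHTML_EXTENSIONS = (".shtml", ".shtm", ".stm")

# Server Side Include directives: only a web server expands these, so in an
# attachment opened locally they are inert while any <script> still runs.
SSI_RE = re.compile(r"<!--#\s*(?:include|exec|echo|config|set|if)\b")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Navigation: location = / location.href = / location.replace( / window.open(
REDIRECT_RE = re.compile(
    r"\blocation\b(?:\.(?:href|replace|assign))?\s*[=(]|\bwindow\.open\s*\(", re.I
)
# Run-time decoding that hides the URL from a plain string match.
DECODER_RE = re.compile(
    r"\b(?:unescape|decodeURIComponent|atob|String\.fromCharCode)\s*\(", re.I
)
CHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)")
STRING_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"")
HEX_ESC_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)


def decode_literals(script: str) -> str:
    """Rewrite a script so percent-, \\x- and fromCharCode-encoded string
    pieces appear in clear text and adjacent literals are joined."""
    script = CHARCODE_RE.sub(
        lambda m: "'" + "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()) + "'",
        script,
    )

    def clear(m):
        s = m.group(1) if m.group(1) is not None else m.group(2)
        s = HEX_ESC_RE.sub(lambda h: chr(int(h.group(1), 16)), s)
        return "'" + unquote(s) + "'"

    script = STRING_RE.sub(clear, script)
    # 'a' + 'b'  ->  'ab'  so a URL split across literals reassembles.
    return re.sub(r"'\s*\+\s*'", "", script)


def assess_shtml(text: str) -> dict:
    """Classify one attachment body; 'block' means a script-driven redirect."""
    scripts = SCRIPT_RE.findall(text)
    redirect = any(REDIRECT_RE.search(s) for s in scripts)
    urls = sorted({u for s in scripts for u in URL_RE.findall(decode_literals(s))})
    return {
        "ssi": bool(SSI_RE.search(text)),
        "has_script": bool(scripts),
        "redirect": redirect,
        "obfuscated": any(DECODER_RE.search(s) for s in scripts),
        "urls": urls,
        # An SHTML attachment in inbound mail is odd on its own, so the
        # fallback is manual review rather than delivery.
        "verdict": "block" if redirect else "review",
    }


def scan_message(raw: bytes) -> list[dict]:
    """One finding per .shtml/.shtm/.stm attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(SHTML_EXTENSIONS):
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
        findings.append({"filename": name, **assess_shtml(body)})
    return findings


# Constructed sample attachment, standing in for the campaign's file: an SSI
# include followed by a script that rebuilds the URL piecewise and redirects.
# example.invalid is a reserved domain that never resolves.
SAMPLE_SHTML = """<!--#include virtual="/header.html" -->
<html><body>
<script type="text/javascript">
window.location.href = unescape('%68%74%74%70%73%3A%2F%2F'
    + String.fromCharCode(101,120,97,109,112,108,101) + '.invalid/verify');
</script>
</body></html>
"""


def build_sample_message() -> bytes:
    """Constructed lure carrying SAMPLE_SHTML as invoice.shtml."""
    msg = EmailMessage()
    msg["From"] = "accounts@sender.invalid"
    msg["To"] = "finance@recipient.invalid"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please open the attached invoice to review the outstanding balance.")
    msg.add_attachment(SAMPLE_SHTML.encode(), maintype="application",
                       subtype="octet-stream", filename="invoice.shtml")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

    Run against the constructed message, the scan reports the single attachment as a block with the recovered destination https://example.invalid/verify. The regexes are deliberately narrow; a production rule would also want to catch eval-built strings and the same script delivered under a .html or .htm name, since the browser behaves identically for those.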

    Phishing Attacks Still Proliferate Despite Increased Cyber Threat Intelligence

    Phishing attacks are still one of the most common and dangerous methods used by cybercriminals to steal sensitive data and infiltrate networks. A form of social engineering, phishing seeks to gain the trust of potential victims by posing as known or legitimate sources. You might be presented with a request from your bank to update your credentials, or perhaps your company’s CEO sends you an email urgently requesting confidential information or a fund transfer.

    These tactics take advantage of your natural emotional reactions – curiosity, fear and urgency – to obtain sensitive information, steal credit card details or deploy malware with a single click on an attachment.

    The result of these phishing attacks is almost always financial loss. For companies and governmental organizations, this includes business disruption, loss of credibility, regulatory penalties and wire fraud perpetrated by scammers.

    Email is the Number One Attack Vector

    Email is still one of the most widely used communication tools because of its speed and ease of use, and it is also the number one attack vector. Research shows that 91% of all cyberattacks originate via email, and phishing is just one method threat actors use. It only takes a momentary lapse in user vigilance for a scam to wreak havoc, and the threats are becoming more sophisticated and difficult to identify. Given the high daily volume of messaging in the workplace, keeping information secure is a huge ongoing challenge for organizations.

    Mimecast’s June 2019 Email Security Risk Assessment report concluded that on average, one malicious URL is delivered to an employee’s inbox for every 69 delivered emails. These phishing attempts might use images in place of written text to evade mail filters, or code obfuscation techniques to prevent detection by security software. The Mimecast Threat Center employs a group of cybersecurity experts dedicated to gathering the latest threat intelligence to defend against these evolving threats.

    The Takeaway

    Phishing is an increasingly common and widespread problem that isn’t going away anytime soon. Remain vigilant by avoiding links and attachments in email messages – like the malicious SHTML document employed in the above phishing attack – unless you’re certain they’re legitimate. A file with an .shtml extension rarely has any business arriving as an email attachment, since the format only makes sense on a web server, so treat one as suspicious on sight. If in doubt, follow the most basic and effective solutions at your disposal – ignore, delete and report.
