The battle with image based spam & phishing

[Image: phishing email example]

One of the more frustrating things that has become prevalent in my environment recently is the ever elusive image-based spam/phishing email. If you're not familiar with this delivery technique, consider yourself fortunate, because they can be quite frustrating to deal with.

Before we get into the "meat and taters" of it all, it should go without saying: there is no technology that can replace well-trained end users. They don't have to be experts, but they do need to know what is suspicious and what isn't. As I.T./security professionals it's up to us to make sure our users are trained. If they aren't and there's a breach, it's 100% our fault, not the users'.

In my organization we leverage KnowBe4 and their Phish Alert Button for all of our users. I'm not affiliated with KnowBe4; it's just what we use internally for reporting, phishing tests and supplemental training.

We were receiving a ton of phish alerts about these types of image-based emails. It was infuriating, because it really cluttered the reports. Frankly, I was tired of seeing "DocuSign" and "Your password will expire" messages from adversaries being reported constantly. I finally got pissed off enough to start investigating them and looking for a way to block them.

How They Work.

Basically an adversary will insert an image into an email that appears to the end user as standard text. The image is actually a hyperlink, so if the user clicks anywhere in the email they are directed to the adversary's site. From there they can deploy a payload or collect login credentials. The image shown is an example of one of these messages received by my domain recently.

What makes this method particularly frustrating is that none of the text in the image can be read by traditional email filters. So even if the entire text body of the email just screams "THIS IS SUSPICIOUS", it makes it through a spam filter anyway, because the filter just sees it as an image.

Now there are some next generation email filters that you can leverage to help combat this type of attack. But we're not here for the people who have the budget for next gen products. We're here to help those who are working on securing an environment on a shoestring budget.

Fighting Back

The way to combat a majority of image based phishing emails is quite easy. You just have to know what to look for.

If you examine the properties of the underlying link within the email, you'll probably see something similar to this:

http://HijackedURL.com/cttm=34597709&r=NDkwMTUyMjM4ODM4S0&b=0&j=MjI4NDEwMjk5NwS2&%20of%&kx=1&kt=1&kd=https%3A%2F%2SecondURL.com/2Fnew%2Fauth/RHVtYkBzc1NjYW1tZXIuY29t

The first hijacked URL is simply used to redirect the user to their final destination, which is usually (but not always) a far more obvious URL where the credential collection or payload deployment takes place. But that's not what we need to focus on. The real focus is the base64-encoded text at the end; this is typically the recipient's email address, in this case RHVtYkBzc1NjYW1tZXIuY29t. In my experience most of these emails will contain the target user's email address in the URL in BASE64.

** A lot of legitimate emails will also use BASE64 encoding in URLs in order to track marketing campaigns **

Configuration

So you're probably saying to yourself, "Okay, neat. When's lunch? I'm hungry already. Maybe takeout today... Also, how do I leverage this information?". These types of emails are typically sent to a specific set of users in your environment. HR, Finance, and C-Suite are the big targets in my experience. Your mileage may vary, but you should know who those users are.

  1. Create a list of users who are receiving these types of emails
  2. Take that list over to Base64encode.org and get the base64 equivalent of each email address.
  3. Create a mail filter that searches within the body of an email for specific text patterns
  4. Add all affected users' BASE64-encoded email addresses
    1. I recommend setting up a mailbox for email approvals and forwarding anything caught by the filter to that mailbox for manual review. You will have some legitimate email get caught by this filter, but you can add the senders to an exception in the rule as you discover them.
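The four steps above, worked through in a script so you can see the filter logic before building it into your mail platform. This is an added example, not code from the original post: the HTML body, the PROTECTED recipient list and the approved-sender set are constructed, the link in the body is the one quoted earlier in the post, and the functions encode each address in every base64 spelling a filter should match (standard and URL-safe alphabet, padded and unpadded, as written and lowercased, since base64 is case-sensitive), then route matches to review rather than dropping them.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample body: one linked image and no readable text, wrapping the
# redirect URL quoted in the post, with the recipient's address in base64 at the end.
SAMPLE_BODY = (
    '<html><body><a href="http://HijackedURL.com/cttm=34597709&r=NDkwMTUyMjM4ODM4S0'
    '&b=0&j=MjI4NDEwMjk5NwS2&%20of%&kx=1&kt=1&kd=https%3A%2F%2SecondURL.com/2Fnew'
    '%2Fauth/RHVtYkBzc1NjYW1tZXIuY29t"><img src="cid:body.png"></a></body></html>'
)
# Constructed list of frequently targeted mailboxes (step 1).
PROTECTED = ["Dumb@ssScammer.com", "cfo@example.com"]

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def encoded_forms(address: str) -> set[str]:
    """Step 2: every base64 spelling of one address the filter should match."""
    forms = set()
    for variant in {address, address.lower()}:  # casing changes the encoding
        raw = variant.encode()
        for enc in (base64.b64encode(raw), base64.urlsafe_b64encode(raw)):
            forms.add(enc.decode())
            forms.add(enc.decode().rstrip("="))  # adversaries often drop padding
    return forms


def find_encoded_recipients(html_body: str, recipients: list[str]) -> list[tuple[str, str]]:
    """Steps 3-4: percent-decode each link and report (address, url) for every
    protected address that appears in it as base64."""
    lookup = {form: addr for addr in recipients for form in encoded_forms(addr)}
    hits = []
    for url in HREF_RE.findall(html_body):
        decoded = unquote(url)  # the token may itself be %-escaped inside a redirect
        for form, addr in lookup.items():
            if form in decoded:
                hits.append((addr, url))
                break
    return hits


def route(html_body: str, recipients: list[str], sender: str, approved: set[str]) -> str:
    """Step 4.1: matches go to the approvals mailbox for manual review, not the
    bin, because legitimate campaigns also put base64 recipient tokens in links;
    senders already added to the rule's exception list are delivered directly."""
    if sender.lower() in approved:
        return "deliver"
    return "review" if find_encoded_recipients(html_body, recipients) else "deliver"
```

Seed `PROTECTED` from the reporting users in step 1 and grow the approved-sender set from whatever lands in the review mailbox.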

**In the coming days I'll add a tutorial about configuring an email approvals inbox in Microsoft 365.**