World's First Real-Time In-Attachment Phishing Detection
There are emails with phishing links, there are BEC phishing emails impersonating your colleagues or contacts, and there are in-attachment phishing attacks.
Phishing attacks inside attachments are the most complex to detect, and most of them cannot be stopped in real time by any security software, until Cyberfish came along.
First, there is in-attachment document phishing:
• Phishing links delivered via MS Office files: Word, Excel, PowerPoint
• Phishing links delivered via Adobe PDF files
The main challenge here is not only to extract those links but to detect them as phishing in real time, before anyone reports them, which is what Cyberfish excels at with our unique Visual Sandbox technology.
Existing blacklist- and signal-based protections are not relevant for this kind of phishing: 98% of phishing links delivered via attachments are not blacklisted for at least 8 days.
And then there are HTML-based attachments. These are divided into two types: HTML with scripts, and in-line HTML attachments.
Let's review them:
HTML with scripts
• These files automatically redirect to a phishing website once downloaded to the recipient's device, both mobile and desktop.
• The phishing email typically impersonates a voice message, invoice, delivery service, etc., with a call to action to open the attachment (voice message, invoice, shipment notice, etc.). A recent phishing kit uses an "Audio Message Received" theme, impersonating a voice message service and attaching files such as AudioMessage0522_2020.html
• After the attachment is downloaded to the recipient's device, it is opened automatically with the device's default browser, and the browser automatically redirects to a phishing page:
Typically these files are encrypted and consist of a "good" mix of JavaScript, HTML and different techniques which make them very hard to parse.
What's interesting is that users are actually used to receiving such emails, as Microsoft uses a similar scheme to send legitimate messages:
But wait, there is more. On top of these, there are in-line phishing HTML attachments.
How do they work? Simple: the phishing page is delivered within the email, and when opened with the device's browser it loads locally on the recipient's device and shows the phishing page (blazing fast, the experience is just amazing), sometimes even with an interactive dialog box and input fields, all without leaving the recipient's device.
The goal is the same: the phishing HTML file impersonates a known brand and steals users' credentials.
What's unique here is that you just cannot block the URL, because there isn't one.
Such HTML files are missed by most anti-virus software, including different CDR (Content Disarm & Reconstruction) providers, and are stopped only when there is a "signature" match, which means that only already-known attacks will be stopped, similar to a URL in a blacklist.
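To make the two HTML attachment types concrete, here is a small static triage sketch, added as an example; it is not Cyberfish's Visual Sandbox or any vendor's code. The indicator patterns, label names and sample attachments are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic patterns chosen for this example (assumptions, not a vendor rule set).
REDIRECT_JS = re.compile(r"location(\.href)?\s*=[^=]|location\.(replace|assign)\s*\(", re.I)
OBFUSCATED_JS = re.compile(r"\b(eval|unescape|atob)\s*\(|fromCharCode", re.I)

class AttachmentTriage(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_script, self.findings = False, set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.in_script = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.add("meta-refresh-redirect")
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.findings.add("password-field")
        elif tag == "form" and re.match(r"https?://", a.get("action", ""), re.I):
            self.findings.add("form-posts-to-remote-host")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and REDIRECT_JS.search(data):
            self.findings.add("script-redirect")
        if self.in_script and OBFUSCATED_JS.search(data):
            self.findings.add("script-obfuscation")

def triage(html_text):
    """Return (kind, findings) for the two attachment types the article describes."""
    parser = AttachmentTriage()
    parser.feed(html_text)
    parser.close()
    f = parser.findings
    if "password-field" in f:            # page renders a login form locally
        kind = "inline-credential-page"
    elif f & {"meta-refresh-redirect", "script-redirect"}:
        kind = "auto-redirect"           # opens, then sends the browser elsewhere
    else:                                # leftover findings are a hint, not a verdict
        kind = "needs-review" if f else "no-indicators"
    return kind, sorted(f)

# Constructed samples; example.invalid is a placeholder host.
SAMPLE_REDIRECT = '<html><script>var u = atob("PLACEHOLDER"); window.location.href = u;</script></html>'
SAMPLE_INLINE = '<html><form action="https://example.invalid/post"><input name="user"><input type="password" name="pw"></form></html>'
```

When the form or redirect is assembled at run time by an encrypted script, a static pass like this sees only the obfuscation indicator, so it works as a pre-filter for deeper analysis and not as a final decision.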
So here comes the announcement:
Cyberfish releases the world's first real-time in-attachment phishing protection module based on its patented "Visual Sandbox" technology powered by Computer Vision and AI. "Visual Sandbox" emulates human vision and behavior and stops the most advanced and yet unknown phishing attacks in real-time.
P.S. Below is an example of a phishing email stopped by Cyberfish, which includes brand impersonation, spoofing, and an in-line encrypted phishing HTML attachment rendered on the recipient's device, encapsulating a sophisticated script which presents an interactive dialog box to steal the victim's credentials: