World's First Real-Time In-Attachment Phishing Detection

There are emails with phishing links, there are BEC phishing emails impersonating your colleagues or contacts, and there are in-attachment phishing attacks.

Phishing attacks inside attachments are the most complex to detect, and most of them cannot be stopped in real time by any security software – until Cyberfish came along.

First, there is in-attachment Documents 🗎 Phishing:
• Phishing links delivered via MS Office files: Word, Excel, PowerPoint
• Phishing links delivered via Adobe PDF files

The main challenge here is not just extracting those links but detecting them as phishing in real time, before anyone has reported them. This is what Cyberfish excels at, with our unique Visual Sandbox 👁️ technology.

Existing blacklist and signal-based protections are not relevant for this kind of phishing: 98% of phishing links that are delivered via attachments are not blacklisted for at least 8 days.

And then there are HTML 📜 based attachments. These are divided into two types: HTML with scripts, and in-line HTML attachments.

Let's review them:

HTML with scripts
• These files automatically redirect to a phishing website once downloaded to the recipient's device, both mobile and desktop.
• The phishing email typically impersonates a voice message, invoice, delivery service, etc., with a call to action to open the attachment (voice message, invoice, shipment notice, etc.). A recent phishing kit uses an “Audio Message Received” theme, impersonating a voice message service and attaching files such as: 📞AudioMessage0522_2020.html
• After the attachment is downloaded to the recipient's device, it is opened automatically with the device's default browser, and the browser automatically redirects to a phishing page.

Typically these files are encrypted 🔒 and consist of a “good” mix of JavaScript, HTML and different techniques, which makes them very hard to parse.

What's interesting is that users have actually gotten used to receiving such emails, as Microsoft uses a similar scheme to send legitimate messages.

💡 But wait, there is more. On top of these, there are in-line phishing HTML attachments.

How do they work? Simple: the phishing page is delivered within the email itself, and when the recipient opens it with the device's browser it loads locally on the recipient's device and shows the phishing page (blazing fast, the experience is just amazing), sometimes even with an interactive dialog box and input fields, all without leaving the recipient's device.

The goal is the same: the phishing HTML file impersonates a known brand and steals users' credentials.

What's unique here is that you simply cannot block the URL, because there isn't one.

Such HTML files are missed by most anti-virus software, including various CDR 💣 (Content Disarm & Reconstruction) providers, and are stopped only when there is a “signature” match. That means only already known attacks are stopped, just as with a URL on a blacklist.
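As an added example (not Cyberfish's Visual Sandbox and not code from this post), the sketch below statically triages an HTML attachment for the two traits described above: an automatic redirect driven by script or meta refresh, and a credential form rendered locally. The indicator names, regexes and sample inputs are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic script patterns (not exhaustive): automatic navigation and runtime decoding.
REDIRECT_RE = re.compile(r"location(\.href)?\s*=(?!=)|location\.(replace|assign)\s*\(", re.I)
DECODE_RE = re.compile(r"\b(eval|atob|unescape|decodeURIComponent)\s*\(|String\.fromCharCode", re.I)

class AttachmentTriage(HTMLParser):
    """Collects indicators from an HTML attachment without rendering or executing it."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            if "url=" in a.get("content", "").lower():
                self.findings.add("meta-refresh-redirect")
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.findings.add("password-field")  # credential prompt rendered locally
        elif tag == "form" and re.match(r"https?://", a.get("action", ""), re.I):
            self.findings.add("form-posts-to-remote-host")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            if REDIRECT_RE.search(data):
                self.findings.add("script-redirect")
            if DECODE_RE.search(data):
                self.findings.add("runtime-decoding")

def triage(html_text):
    """Return the sorted list of indicator names found in one attachment."""
    parser = AttachmentTriage()
    parser.feed(html_text)
    parser.close()
    return sorted(parser.findings)

# Constructed samples (not taken from any real phishing kit).
REDIRECT_SAMPLE = '<html><script>var u=atob("Y29uc3RydWN0ZWQ=");window.location.href=u;</script></html>'
INLINE_SAMPLE = ('<html><body><form action="https://collector.example.invalid/submit">'
                 '<input name="user"><input type="password" name="pw"></form></body></html>')
BENIGN_SAMPLE = "<html><body><p>Quarterly report attached.</p></body></html>"
```

Static markers like these miss files whose markup is produced only at run time by heavily obfuscated script, which is the case the post describes as very hard to parse.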

So here comes the announcement: 🎉

Cyberfish releases the world's first real-time in-attachment phishing protection module based on its patented "Visual Sandbox" technology powered by Computer Vision and AI. "Visual Sandbox" emulates human vision and behavior and stops the most advanced and yet unknown phishing attacks in real-time.

PS. Below is an example of a phishing email stopped by Cyberfish. It includes brand impersonation, spoofing, and an in-line encrypted phishing HTML attachment rendered on the recipient's device, encapsulating a sophisticated script which presents an interactive dialog box to steal the victim's credentials.


About Cyberfish

Cyberfish is a zero-second phishing protection solution that combines Computer Vision and AI to stop phishing emails and websites in real time, before they have been reported and added to blacklists. Cyberfish offers an employee protection solution with one-click onboarding for Office 365 and G-Suite and low-touch support. Cyberfish is specifically designed for MSPs and MSSPs, allowing multi-tenant management, reporting and integration. https://cyberfish.io