Entries by Rodolfo Saccani

Email trojan horse: application/html entity

We just discovered a new trick that is currently being used to slip malicious html files through email security solutions and,  in some cases, through antivirus engines. The trick is quite simple: declaring an email entity as “application/html” instead of “text/html”. “application/html” is an invalid type and this allows it to slip through some checks. […]

Phishing campaign uses Google reCAPTCHA to avoid Sandbox detection

Recent email phishing campaigns are using Google reCAPTCHA as part of their efforts to bypass click-time protection sandboxing, requiring user interaction before delivering the actual contents of the phishing page. We have seen two different instances of such campaigns, both are targeting Office 365 users in order to collect their credentials. Implementation details suggest that […]

What’s the difference between email backup and email archiving?

Lots of differences, actually. An email backup is a snapshot of a specific point in time, it’s purpose is for recovery in case of a disaster. Email archiving does not archive a series snapshots but it preserves all data history. The purpose of the archiver is much broader: discovery, compliance, legal, search, analysis and for […]

ClamAV PDF issue on 2019-05-25

On the 25th of may clamav released a signature database containing a virus signature that mistakenly flagged as virus many legit pdf files. The name of the failing signature is Win.Exploit.CVE_2019_0903-6966169-0 On the 26th of May Libraesva released an override directive to all ESVA appliances to ignore this failing signature. You can find and release […]

Ramnit apparently still spreading after 9 years

It might be a targeted attack, given that we detected it only in one organization, or it might just be an ancient infection still attempting to propagate. In both cases it is an interesting case. The attack is coming via email, which is interesting given that it is a vbscript attack. Here is how the […]

Tracking pixels can be used to compromise enterprise security

Tracking pixels, or beacons, are widely used in email advertising, but a more subtle and dangerous use is possible. Tracking pixels are basically very small images (usually invisible to the human) embedded in the email, whose content is loaded from a server when the email is opened. When your email client loads this image from […]

Targeted attacks through mobileconfig attachments

We spotted an instance of what appears to be a targeted attack through a phishing email delivering a .mobileconfig file. This is a file format used to deliver configurations to iphones. The attack originates from domain that appears to have been created just for this purpose. This is how the email appears to the recipient: […]

Attaching malware to email replies is very effective

It’s almost one month now that a very effective malspam campaign delivering the ursnif trojan is in progress in Italy. The trick that the malware uses to spread is simple and effective: once run on the victim’s machine it sends replies to existing email threads attaching a copy of the malware itself. This strategy is […]