A new trick allows phishing emails carrying Microsoft Office documents to bypass detection. Basically, the malicious addresses are left out of the document's relationships file (xml.rels).
The trick has been used in an email spam campaign that aims to lead victims to a malicious login page in order to harvest credentials.
“Office documents (.docx, .xlsx, .pptx) are made up of a number of XML files that include all the font, image, formatting, and object information which make up the document,” Avanan researchers explain.
The xml.rels file maps the relationships within those files to the resources embedded in the document. When the document includes links, they are inserted into this file.
When scanning attachments for malicious content, most email filters parse the document to identify external links, classify them against a database of malicious websites, and evaluate the associated IPs.
“If, for some reason, the document contains URL links that are not included in the xmls.rels file, these parses will not see them, even though they are still active and clickable within the document,” the researchers explained.
Users whose email inboxes are protected by EOP (Microsoft Exchange Online Protection), Proofpoint and F-Secure are vulnerable to the NoRelationship attack.
“It seems there are no shortcuts to be had in email scanning,” the researchers noted. “The only solution is to scan the entire file.”
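To make the gap concrete, the following is an added example (not code from Avanan or from this post). It builds a constructed, minimal .docx in memory with two URLs: one declared as an external hyperlink relationship in document.xml.rels, and one that only appears in the body text of document.xml. A scanner that reads only the .rels parts sees the first; a scanner that reads every part of the archive sees both. The placeholder URLs and the namespace-filter heuristic are assumptions of the example.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample parts (placeholder URLs, not real indicators). The archive is
# deliberately minimal and is not a complete Word file; it only exercises the scanners.
DOC_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>Sign in at https://login.example.invalid/verify</w:t></w:r></w:p>'
    '</w:body></w:document>'
)
RELS_XML = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" TargetMode="External" Target="https://declared.example.invalid/"'
    ' Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"/>'
    '</Relationships>'
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
NAMESPACE_HOSTS = ("schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org")


def build_sample_docx() -> bytes:
    """Return the constructed .docx (a ZIP container) as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", DOC_XML)
        z.writestr("word/_rels/document.xml.rels", RELS_XML)
    return buf.getvalue()


def urls_from_rels(docx: bytes) -> set[str]:
    """The shortcut: only collect external Targets declared in .rels parts."""
    found: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                for rel in ET.fromstring(z.read(name)):
                    if rel.get("TargetMode") == "External":
                        found.add(rel.get("Target"))
    return found


def urls_from_all_parts(docx: bytes) -> set[str]:
    """Scan the entire file: every part, not just the relationship manifest."""
    found: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for name in z.namelist():
            for url in URL_RE.findall(z.read(name).decode("utf-8", errors="ignore")):
                # Heuristic: skip schema/namespace URIs, which are not user-visible links.
                if not any(host in url for host in NAMESPACE_HOSTS):
                    found.add(url)
    return found
```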
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.