As if we didn’t have enough breaches that start by compromising an employee’s email account, now there’s more to worry about. Imagine that despite training your employees to be careful, and despite using updated AV or other software to detect nasties, a threat actor could deliver malware-laden emails directly into your employees’ inboxes. Will employees be more likely to open emails that have seeming passed through security checks and that are properly addressed in the from: and reply-to fields? I would guess that they would.
Researchers at Gemini Advisory released a new report today on what a threat actor calls an “Email Appender.” As Gemini describes it, this tool poses a significant risk to both individuals and businesses because “it raises the success rate of malware attacks, allows for more sophisticated phishing and business email compromise (BEC) campaigns, and opens the door for simplistic ransomware-like attacks.”
The Email Appender is not this threat actor’s first offering. Gemini notes that there was a previous version in 2019 that was a simpler email spam service called “GetMailer Pro.”
Details of how Email Appender works are provided in the full report, but it is worth noting that it all begins with the threat actor being able to get working login credentials. And we know that password reuse continues to be a major problem and that combo lists are a dime a dozen these days. Does that suggest one line of prevention to you? Gemini also notes:
Furthermore, email platforms typically monitor the IP addresses of users attempting to connect to an account via IMAP to prevent unauthorized or unusual activity. To overcome this security precaution, Email Appender can be configured to use SOCK proxies, which allow attackers to set their IP address to a location that they believe will deceive email platform security. To make matters worse, Email Appender also comes pre-packaged with 10,000 IMAP server configurations that can be updated as needed, and the software can analyze victims’ email addresses to identify which server connection should be used.
Read more on Gemini Advisory for technical details, potential impact, and what entities can do to protect from this type of attack, such as deploying multifactor authentication (MFA).