2,500 Emails, Zero Infections: The Power of EX and ETP

FireEye Stories 2020-11-19

Today's security products are good enough that Nigerian Prince scams and other everyday spam campaigns are no longer a significant issue; however, attackers are still dodging those protections and finding alternative ways to deliver dangerous malware-laced emails at great scale.

Fortunately, the FireEye EX and ETP products are quite tough against these types of advanced email threats, and able to shut down sizable campaigns even when other technologies fail.

Just recently we observed a relatively massive and fairly sophisticated targeted spear phishing attack against one of our clients. The threat was actually observed against a city government and the county government for that city; however, the county took the bulk of the attack.

The incident involved nearly 2,500 malware-laced emails per hour bypassing the county’s anti-spam technologies, only to be caught instead by ETP. For some perspective, at the time we were generally seeing 50 to 60 emails not detected by anti-spam and antivirus per hour, with small spikes peaking at 250. This attack yielded a 500 percent difference in those alerts seen across the ETP stack for that hour.

Clearly the attackers knew what they were doing, as they used a variety of methods and techniques, as well as a highly distributed architecture, to dodge tried-and-true spam detection capabilities.

The distributed architecture is evidenced by the number of sending IPs recorded by the county's spam provider: 1,976 distinct IPs appeared in that provider's diagnostic headers pulled from the malicious emails. To us, it appears as though the attackers have a botnet with an auto-mailer system configured, or that they have compromised an auto-mailer system (at the source code level) and are leveraging it to send singleton messages.

Sending servers for the attack were all over the globe. The attackers used various spoofed email addresses, some belonging to domains that never send mail and therefore have no SPF records configured, which sidesteps the anti-spoofing checks that are typically employed.
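The two characteristics called out above, mail arriving from a very large number of distinct sending IPs and spoofed senders on domains that publish no SPF record, are both things a receiving team can check in its own triage tooling. The following is an added example, not FireEye code and not part of the original post. It parses a handful of constructed messages, pulls the connecting IP from the topmost Received header (the one our own MX added), and grades each claimed sender domain's SPF record by whether it would actually let a receiver reject spoofed mail. The DNS side is a stand-in dictionary (`SIMULATED_TXT`) so the script runs offline; a real deployment would replace `spf_record` with a TXT lookup.

```python
"""Triage a batch of raw emails: count distinct connecting IPs and check
whether each claimed sender domain publishes an SPF record with teeth."""
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages for illustration; none come from the campaign in the post.
RAW_EMAILS = [
    "Received: from mail.bank-example.test (mail.bank-example.test [203.0.113.7])\n"
    "\tby mx.county.test with ESMTP; Thu, 19 Nov 2020 09:00:00 +0000\n"
    "From: Alerts <alerts@bank-example.test>\nTo: clerk@county.test\n"
    "Subject: Statement\n\nbody\n",
    "Received: from relay1 (unknown [198.51.100.23])\n"
    "\tby mx.county.test with ESMTP; Thu, 19 Nov 2020 09:00:02 +0000\n"
    "From: HR <hr@parked-domain.test>\nTo: clerk@county.test\n"
    "Subject: Updated policy\n\nbody\n",
    "Received: from relay2 (unknown [192.0.2.45])\n"
    "\tby mx.county.test with ESMTP; Thu, 19 Nov 2020 09:00:03 +0000\n"
    "From: Info <info@parked-domain.test>\nTo: clerk@county.test\n"
    "Subject: Invoice\n\nbody\n",
    "Received: from mail.bank-example.test (mail.bank-example.test [203.0.113.7])\n"
    "\tby mx.county.test with ESMTP; Thu, 19 Nov 2020 09:00:05 +0000\n"
    "From: News <news@softfail-example.test>\nTo: clerk@county.test\n"
    "Subject: Newsletter\n\nbody\n",
]

# Stand-in for DNS TXT lookups (assumption: a real tool would query DNS here).
SIMULATED_TXT = {
    "bank-example.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "softfail-example.test": ["v=spf1 include:_spf.example.test ~all"],
    "parked-domain.test": [],  # domain never sends mail and publishes nothing
}

SPF_RE = re.compile(r"^v=spf1(\s|$)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
UNPROTECTED = {"none", "neutral", "pass-all"}  # receiver cannot reject spoofs


def spf_record(domain, txt_lookup):
    """Return the domain's SPF record, or None if it publishes none."""
    for txt in txt_lookup.get(domain.lower(), []):
        if SPF_RE.match(txt):
            return txt
    return None


def classify_spf(record):
    """Grade an SPF record by how strongly it lets receivers reject spoofing."""
    if record is None:
        return "none"
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return {"-": "hardfail", "~": "softfail", "?": "neutral"}.get(term[0], "pass-all")
    return "neutral"  # no 'all' mechanism: implicit neutral, no protection


def sender_domain(msg):
    """Domain of the header From address (the one the recipient sees)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() or None


def connecting_ip(msg):
    """IP that connected to our MX: the topmost Received header is ours."""
    received = msg.get_all("Received") or []
    match = IP_RE.search(received[0]) if received else None
    return match.group(1) if match else None


def triage(raw_emails, txt_lookup):
    """Per-message SPF grade plus batch-level IP spread and spoofable domains."""
    rows = []
    for raw in raw_emails:
        msg = message_from_string(raw)
        domain = sender_domain(msg)
        status = classify_spf(spf_record(domain, txt_lookup)) if domain else "none"
        rows.append({"from_domain": domain, "ip": connecting_ip(msg),
                     "spf": status, "spoofable": status in UNPROTECTED})
    ips = Counter(r["ip"] for r in rows if r["ip"])
    spoofable = sorted({r["from_domain"] for r in rows if r["spoofable"] and r["from_domain"]})
    return {"rows": rows, "distinct_ips": len(ips), "spoofable_domains": spoofable}


if __name__ == "__main__":
    result = triage(RAW_EMAILS, SIMULATED_TXT)
    print(f"{len(result['rows'])} messages from {result['distinct_ips']} distinct IPs")
    print("sender domains with no usable SPF:", result["spoofable_domains"])
    for row in result["rows"]:
        print(row)
```

A domain that never sends mail should still publish `v=spf1 -all` so receivers can reject anything claiming to come from it; the "none" grade in the output is exactly the gap the post describes. The distinct-IP count is most useful as a ratio against message volume over a window, which is how the 1,976-IP spread would stand out against a normal hour.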

One reason the attack was so effective, and the reason it got through other non-FireEye technologies, is that the volume, sending sources and subject lines varied too much to be filtered easily. The pattern was obvious to our analysts when looking at the attack, but considerable resources had been put into it, such as a large number of hacked host sites from which to download the payload.

It is likely that the attack was premeditated due to the resources used and overall scope. We believe that it was motivated by a recent political announcement by the city and county.

Sometimes spam is nothing more than a nuisance, but these types of advanced and massive targeted spear phishing attacks can be particularly dangerous. It only takes one person to be compromised to put the whole organization at risk.

In this instance, all someone would have to do is open the attachment in the email or click a link to download a ZIP file and they would become infected with malware. The issue is compounded because without the FireEye products these emails would have never been stopped, meaning the chances that at least one individual is infected are extraordinarily high.

The FireEye EX and ETP products are pivotal because they protect against email attacks known to regularly bypass email security that uses conventional signature-based defenses, such as antivirus and spam filters. Part of what makes our products particularly special is that they detonate and analyze suspicious email attachments and embedded URLs and block malicious activity, thus enabling organizations to prevent, detect and stop email threats. Learn more about the FireEye email solutions.