Please note that this blogpost is part of our #VTMondays series, check out our collection of past publications here.
One of the most common ways into a network is a phishing email carrying a malicious attachment, usually the first stage of the attack kill chain. By gathering intelligence on the latest phishing campaigns targeting our country or industry, we can block emails with those attachments before they reach our company's inboxes. This adds a security layer that reduces the burden on employees rather than relying solely on their intuition to spot threats.
For this we will use VT Intelligence to hunt for the threats aimed at our email gateway. We start with a simple example and gradually increase its complexity; for each VT Intelligence query we break down the newly added modifiers. We encourage you to test the examples provided and to explore new queries of your own.
Our first basic query searches for documents ("type:document") tagged as attachments ("tag:attachment") and submitted from Spain ("submitter:ES"). Note that "submitter" is the country of whoever uploaded the sample, which is a reasonable proxy for where the campaign lands but not proof of its targeting. We use the "p" modifier ("p" is short for "positives", the number of AntiVirus detections) to discard benign attachments; here we require at least 5 detections ("p:5+") to limit false positives, although the threshold is entirely at your discretion. Finally, we look for files first seen ("fs", short for first submission) within the last 14 days ("fs:14d+"). Put together, the query reads: type:document tag:attachment submitter:ES p:5+ fs:14d+
Moving to the next stage, we explore the submissions modifier to identify large-scale attacks: "submissions:50+" requires at least 50 submissions of the same file, which can flag a massive phishing campaign. We then use the name of an AntiVirus engine as a modifier to narrow the results to potential blind spots. Our strategy is to search for files flagged as "clean" by our own AntiVirus (the engine name as the modifier, "clean" as the value) yet detected as malicious by at least 5 other engines; since our engine contributes no detection to the count, "p:5+" here means five or more other engines.
Finally, we build a slightly more complex condition by combining boolean operators such as OR and NOT. We search for specific document types, such as Word documents and spreadsheets, and exclude other types, then narrow to a particular suspicious dynamic behaviour, specifically actions associated with the early stages of an attack. In this example we look for office documents that, when detonated in the sandbox, either execute PowerShell or run macros that execute additional files. Keep in mind that behaviour modifiers only match files that have a sandbox report, so an attachment that was never detonated will not appear even if it is malicious.
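The queries above are built from a handful of modifiers and boolean operators, and the "blind spot" idea (our engine says clean, several others say malicious) is something you will want to re-check on the results you pull back over the API. The following Python is an added example and not code from this post or from VirusTotal: it assembles queries from the syntax the post shows (modifier:value, OR, NOT) and then triages a hand-constructed response shaped like VT API v3 file objects (last_analysis_results, times_submitted) for files that slip past a given engine. The hashes, submission counts and engine names ("OurAV", "Vendor0", "Peer0") are invented, and the type values "doc", "xls" and "pdf" in the usage below are assumed examples.

```python
"""VT Intelligence query composition and blind-spot triage.

Added example, not code from the VirusTotal post. The query helpers only use
syntax the post itself shows (modifier:value, OR, NOT). The sample response is
constructed by hand in the shape of VT API v3 file objects; hashes, counts
and engine names are invented.
"""
import json


def term(modifier, value):
    """Format one modifier:value pair, quoting values that contain spaces."""
    value = str(value)
    if " " in value:
        value = f'"{value}"'
    return f"{modifier}:{value}"


def any_of(*terms):
    """Parenthesised OR group, e.g. (type:doc OR type:xls)."""
    return "(" + " OR ".join(terms) + ")"


def build_query(*terms, exclude=()):
    """Join terms with implicit AND; terms in `exclude` are negated with NOT."""
    return " ".join(list(terms) + [f"NOT {t}" for t in exclude])


# The post's first query, assembled from the modifiers it lists.
FIRST_QUERY = build_query(
    term("type", "document"), term("tag", "attachment"),
    term("submitter", "ES"), term("p", "5+"), term("fs", "14d+"),
)


def _results(ours, n_malicious, n_clean):
    """Invented last_analysis_results: our engine plus N detecting/clean peers."""
    res = {}
    if ours is not None:  # None models a file our engine did not scan at all
        res["OurAV"] = {"category": ours, "result": None}
    for i in range(n_malicious):
        res[f"Vendor{i}"] = {"category": "malicious", "result": "Trojan.Downloader.Gen"}
    for i in range(n_clean):
        res[f"Peer{i}"] = {"category": "undetected", "result": None}
    return res


# Constructed sample in the shape of a VT API v3 search response (data = file objects).
SAMPLE_RESPONSE = json.dumps({"data": [
    {"id": "a" * 64, "type": "file", "attributes": {
        "times_submitted": 120, "last_analysis_results": _results("undetected", 6, 40)}},
    {"id": "b" * 64, "type": "file", "attributes": {
        "times_submitted": 80, "last_analysis_results": _results("malicious", 12, 30)}},
    {"id": "c" * 64, "type": "file", "attributes": {
        "times_submitted": 300, "last_analysis_results": _results("undetected", 2, 50)}},
    {"id": "d" * 64, "type": "file", "attributes": {
        "times_submitted": 10, "last_analysis_results": _results(None, 7, 35)}},
]})


def other_positives(file_obj, our_engine):
    """Count engines other than ours whose verdict category is malicious."""
    results = file_obj["attributes"].get("last_analysis_results", {})
    return sum(1 for name, r in results.items()
               if name != our_engine and r.get("category") == "malicious")


def is_blind_spot(file_obj, our_engine, min_other_positives):
    """True when our engine does not flag the file but enough peers do.

    A file our engine never scanned counts as unflagged: from the gateway's
    point of view it would pass through just the same.
    """
    results = file_obj["attributes"].get("last_analysis_results", {})
    ours = results.get(our_engine, {}).get("category", "undetected")
    if ours in ("malicious", "suspicious"):
        return False
    return other_positives(file_obj, our_engine) >= min_other_positives


def triage(response_text, our_engine, min_other_positives=5, min_submissions=1):
    """Return (sha256, times_submitted, other_positives) for blind-spot files,
    most-submitted first so the largest campaigns surface at the top."""
    hits = []
    for f in json.loads(response_text)["data"]:
        submitted = f["attributes"].get("times_submitted", 0)
        if submitted < min_submissions:
            continue
        if is_blind_spot(f, our_engine, min_other_positives):
            hits.append((f["id"], submitted, other_positives(f, our_engine)))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


if __name__ == "__main__":
    print(FIRST_QUERY)
    print(build_query(any_of(term("type", "doc"), term("type", "xls")),
                      term("submissions", "50+"), exclude=[term("type", "pdf")]))
    for sha, n, pos in triage(SAMPLE_RESPONSE, "OurAV", 5, 50):
        print(f"{sha[:12]}... submissions={n} other_positives={pos}")
```

Running the triage with a minimum of 50 submissions keeps only the widely seen sample that "OurAV" misses; dropping that floor also surfaces the file our engine never scanned, which is worth treating as a gap rather than a pass.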
You can learn more about file search modifiers in the documentation.
As always, we would like to hear from you.
Happy hunting!