Date: 16 Jun 2019

That phishing email attachment got you p0wned


We all know not to open email attachments coming from random, unexpected sources, right? They will invariably contain some nasty virus that's up to no good, and they go straight to the junk mail bin anyway. However, attackers are getting increasingly crafty: they use the email address of somebody you know and trust, and they make the message look reasonable and expected. They target you specifically, knowing your business and putting together a plausible message with an attachment that seems legitimate (spear-phishing). But is it? Do you dare open it and risk a ransomware infection? Or end up in a botnet?

Of course, most email attachments that appear reasonable (i.e. not promising a pic of the Kardashian family in the nude :) are legitimate. But it only takes one bad attachment to break through your defenses. In my line of business many people requesting xplorer² support send PDF attachments for no apparent reason, and most of them turn out to be safe. In the beginning I was testing them in a sandbox and never found anything amiss, so I turned slack. Then last week I tried to open a DOC attachment that seemed to come from an xplorer² user with a problem, and got bitten. I am lucky that the standard Windows 10 defenses blocked the virus before it could do any harm. Obviously I am back to "trust no-one" mode.

Checking each email attachment before opening it is a big time waster, so there must be a way to test the documents quickly. One possibility is to use a throwaway virtual machine (e.g. in VirtualBox) with MS Office and a PDF reader installed. Import the attachment into this sandboxed environment and try to open it there. If it turns out to be a nasty, just reset the VM to its clean snapshot and delete the rotten attachment.

The forthcoming Windows Sandbox is also a possibility, but it is a default Windows installation without Office, PDF readers or other document viewers installed.

An easier way to foil phishing attempts is to use the xplorer² Extract text function (we find a new use for this every week!). Instead of opening the attachment in its default program, it uses the Windows search filter to extract the text out of the document, which shows you what's inside without running any scripts or exercising viewer vulnerabilities that could harm your PC. If you don't need to see the full document, you can use the previewer pane in Draft mode (tab), which again shows only plain text without formatting. If you see a thumbnail instead of plain text, make sure you lock the viewer in Text only mode using the right-click menu.
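The same idea, inspecting an attachment's bytes instead of rendering it in Office or a PDF reader, can be scripted for quick triage. The following is an added example written for this post; it is not xplorer²'s Extract text code and does not use the Windows search filter. It sniffs the file type from its leading bytes, pulls the paragraph text out of a .docx (which is just a zip of XML parts) with the standard library, and reports the things a defender wants to know before opening the file: a `vbaProject.bin` part (macros) in an Office document, or active-content markers (`/JavaScript`, `/OpenAction`, `/Launch`, ...) in a PDF. The sample documents are constructed in memory; `build_docx`, `SAFE_PDF` and `RISKY_PDF` are placeholders, not real attachments.

```python
import io
import zipfile
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# PDF name tokens that mean "this document can run or launch something"
# when it is opened in a full-featured reader.
PDF_ACTIVE = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]


def build_docx(text: str, with_macro: bool = False) -> bytes:
    """Construct a minimal .docx in memory (sample input for this example only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        body = "".join(
            f"<w:p><w:r><w:t>{escape(line)}</w:t></w:r></w:p>" for line in text.splitlines()
        )
        z.writestr(
            "word/document.xml",
            f'<w:document xmlns:w="{W_NS[1:-1]}"><w:body>{body}</w:body></w:document>',
        )
        if with_macro:
            # Real macro-enabled files carry an OLE container here; a stub is enough
            # for the check, which only looks at the part name.
            z.writestr("word/vbaProject.bin", b"\x00placeholder-macro-container")
    return buf.getvalue()


# Constructed PDF fragments: one inert, one carrying an open-time script action.
SAFE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
RISKY_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (placeholder) >> endobj\n%%EOF\n"
)


def triage(data: bytes) -> dict:
    """Classify an attachment and extract plain text without rendering it.

    Returns {'kind': ..., 'flags': [...], 'text': str | None}.  A non-empty
    'flags' list means the file should not be opened in its default program.
    """
    if data.startswith(b"%PDF"):
        flags = [m.decode() for m in PDF_ACTIVE if m in data]
        return {"kind": "pdf", "flags": flags, "text": None}

    if data.startswith(b"\xD0\xCF\x11\xE0"):
        # Legacy binary Office (.doc/.xls) is an OLE compound file; parsing it is
        # out of scope here, so treat it as needing a sandbox rather than a viewer.
        return {"kind": "ole-legacy-office", "flags": ["legacy binary Office format"], "text": None}

    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            flags = [n for n in names if n.lower().endswith("vbaproject.bin")]
            text = None
            if "word/document.xml" in names:
                root = ET.fromstring(z.read("word/document.xml"))
                # One line per paragraph, concatenating the text runs inside it.
                text = "\n".join(
                    "".join(t.text or "" for t in p.iter(W_NS + "t")) for p in root.iter(W_NS + "p")
                )
        return {"kind": "office-openxml", "flags": flags, "text": text}

    return {"kind": "unknown", "flags": ["unrecognised file type"], "text": None}


if __name__ == "__main__":
    for label, sample in [
        ("clean docx", build_docx("Hello\nWorld")),
        ("macro docx", build_docx("Hello", with_macro=True)),
        ("safe pdf", SAFE_PDF),
        ("risky pdf", RISKY_PDF),
    ]:
        print(label, triage(sample))
```

Two caveats apply if this is pointed at real, untrusted attachments: the standard-library XML parser should be swapped for `defusedxml`, and the zip member should be size-capped before it is read, since an attacker controls both the XML and the compressed size. The check is deliberately conservative: a flagged PDF is not necessarily malicious (many legitimate forms contain JavaScript), but it is exactly the kind of file that belongs in the throwaway VM rather than the default reader.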

(Figure: plain text preview of a PDF attachment)

Sadly, like airport security checks, anti-phishing protection requires some boring routine checks on each suspect email attachment. I hope the plain text extraction procedure just described makes things a little more bearable.

©2002-2019 ZABKAT LTD, all rights reserved