While email scams are getting more sophisticated, they’re still usually low-level traps where you either quickly engage or you don’t. More worrying is that state-sponsored actors have found more devious ways to lure targeted individuals into clicking a compromised link, according to the cybersecurity researchers at Proofpoint.
It’s a slow-burn attack. First, victims will find themselves CC’d into an email between several familiar-sounding individuals. A couple of days will pass, and then one of the other fake accounts will email the whole group back, again copying in the intended victim (i.e. you).
After this back-and-forth has played out for a while longer, one of the accounts will send an interesting-sounding attachment related to the previous chat — often marking it as password protected to make it seem extra intriguing.
Of course, this file won’t be what it claims to be. In the instance uncovered by the researchers, it was a .DOCX file carrying malicious macros designed to collect information such as the username, the user’s public IP address and other machine details. It then sends all of this back to the scammers remotely using the Telegram API.
This line of attack could prove more effective than standard phishing attacks for a number of reasons. On a basic level, multiple emails mean you have more chance of seeing a malicious link, as the thread keeps getting raised to the top of your inbox. More than that, a run of emails seemingly without any bait to hook you in could make you let your guard down, especially as the scammers are essentially vouching for each other by responding to each other’s emails.
For the moment, the evidence suggests that this is an Iranian state-sponsored spear-phishing campaign, with specific targets in Middle Eastern Studies and nuclear security in mind according to the researchers. So it’s not something you’re likely to see popping up in your emails just yet.
While it’s not hard to imagine how this technique could be adapted for more general use, relying on people’s love of eavesdropping to open files not addressed to them, Proofpoint does highlight the fact that this style of attack is significantly more resource intensive than your average phishing campaign. In other words, the rewards would have to be worth the time involved in targeting you.
Even if you are not a high-profile individual specialising in nuclear security, Proofpoint’s advice is familiar, but worth restating.
Look out for the use of easily created, disposable email accounts from Gmail, Outlook, Hotmail or AOL rather than more professional-sounding email addresses, replies to blank emails (most likely an attempt to bypass security filtering) and unsolicited Zoom links or draft documents.
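Those indicators are easy to turn into an automated triage check. The script below is an added example, not code from the article or from Proofpoint; it builds a constructed three-message thread (every address, Message-ID, Zoom link, attachment and the `known_contacts` allowlist are made up) and flags unknown correspondents on free webmail domains, a reply to a blank email, an unsolicited Zoom link, an Office attachment described as password-protected, and several unknown personas conversing with each other.

```python
"""Heuristic triage of an email thread for the multi-persona spear-phishing
pattern described above. Sample messages are constructed in-line and are not
real indicators."""
import re
from email.message import EmailMessage

# Free webmail providers named in the article; extend as needed.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "aol.com"}
ZOOM_RE = re.compile(r"https?://[\w.-]*zoom\.us/\S+", re.I)
PASSWORD_RE = re.compile(r"password[ -]?protected|the password is", re.I)


def body_text(msg):
    """Plain-text (or HTML) body of a message, empty string if none."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def analyze_thread(messages, known_contacts):
    """Return a list of (message_index, finding); index None is thread-wide."""
    by_id = {str(m["Message-ID"]).strip(): m for m in messages if m["Message-ID"]}
    findings, personas = [], set()
    for i, m in enumerate(messages):
        sender = m["From"].addresses[0]
        unknown = sender.addr_spec.lower() not in known_contacts
        if unknown and sender.domain.lower() in FREE_MAIL_DOMAINS:
            personas.add(sender.addr_spec.lower())
            findings.append((i, f"unknown sender on free webmail: {sender.addr_spec}"))
        # A reply whose parent message in this thread had no body at all.
        irt = m["In-Reply-To"]
        parent = by_id.get(str(irt).strip()) if irt else None
        if parent is not None and not body_text(parent).strip():
            findings.append((i, "reply to a blank email"))
        body = body_text(m)
        if unknown and ZOOM_RE.search(body):
            findings.append((i, "unsolicited Zoom link from unknown sender"))
        for part in m.iter_attachments():
            name = part.get_filename() or ""
            if name.lower().endswith((".doc", ".docx", ".docm")):
                note = "Office attachment"
                if PASSWORD_RE.search(body):
                    note += " described as password-protected"
                findings.append((i, f"{note}: {name}"))
    if len(personas) >= 2:
        findings.append((None, f"{len(personas)} unknown webmail personas conversing with each other"))
    return findings


def build_message(sender, to, subject, body, msg_id, in_reply_to=None, cc=(), attachment=None):
    """Assemble a constructed sample message (optionally with a file attachment)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg["Subject"] = subject
    msg["Message-ID"] = msg_id
    if in_reply_to:
        msg["In-Reply-To"] = in_reply_to
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                           filename=name)
    return msg


def sample_thread():
    """Constructed thread mirroring the article's scenario: two fake personas CC the target."""
    victim = "Researcher <researcher@university.example>"
    jane = "Dr Jane Doe <jane.doe.iscr@gmail.com>"        # constructed persona
    alan = "Prof Alan Smith <alan.smith.policy@outlook.com>"  # constructed persona
    m0 = build_message(jane, [alan], "Nuclear policy panel - feedback?", "",
                       "<m0@constructed.example>", cc=[victim])
    m1 = build_message(alan, [jane], "Re: Nuclear policy panel - feedback?",
                       "Happy to join. Zoom: https://us02.zoom.us/j/000000000 (constructed link)",
                       "<m1@constructed.example>", in_reply_to="<m0@constructed.example>", cc=[victim])
    m2 = build_message(jane, [alan], "Re: Nuclear policy panel - feedback?",
                       "Draft attached, it is password protected; the password is panel2022.",
                       "<m2@constructed.example>", in_reply_to="<m1@constructed.example>", cc=[victim],
                       attachment=("Draft_panel_notes.docx", b"PK\x03\x04 constructed placeholder"))
    return [m0, m1, m2]


def demo():
    """Run the triage over the constructed thread with a constructed allowlist."""
    return analyze_thread(sample_thread(), known_contacts={"colleague@university.example"})


if __name__ == "__main__":
    for idx, finding in demo():
        print(f"[{'thread' if idx is None else 'msg ' + str(idx)}] {finding}")
```

The allowlist stands in for whatever address book or directory the organisation actually has; in practice the free-webmail check is most useful when the display name claims an institutional affiliation that the sending domain does not match.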
Put simply, you should always maintain a heightened sense of awareness when receiving unsolicited emails, and double-check that the email address belongs to the individual you think it does before engaging. You have been warned.