Phishing Attacks Getting Sneakier

Posted on December 20, 2021

Phishing attacks are a daily challenge for IT managers, and the bad guys keep stepping up their game.

Two new types of attacks highlight this issue; one focuses on tricking users, the other leverages technology designed to evade traditional cyber defenses.

ProxyLogon and ProxyShell Exploits

ProxyLogon is a series of vulnerabilities in Microsoft’s Exchange Server that allows an attacker to bypass authentication and impersonate an admin. One analyst warned that ProxyLogon “might be the most severe and impactful vulnerability in the Exchange history ever.” Microsoft issued a patch for several ProxyLogon vulnerabilities back in March 2021, but not all customer servers have been updated.

ProxyShell is a somewhat newer exploit, and users who have not patched their Microsoft Exchange servers since July 2021 remain vulnerable. Once cybercriminals have gotten into a system with ProxyShell, they have “god mode” access: they can function as an absolute administrator and run any commands or programs they desire.

In September, Trend Micro reported seeing a new malware loader named SQUIRRELWAFFLE that was distributed via Microsoft Office documents. The hackers gained access to systems via ProxyLogon or ProxyShell and then hijacked legitimate email threads.

Mail gateways may not filter or quarantine these emails when they are exchanged between internal users. The attackers were careful not to move laterally on servers or install other malware, so as to avoid detection.

If an email recipient opens the attachment, they are prompted to enable macros. If they do so, SQUIRRELWAFFLE will execute and download final stage payloads.

Even users who are knowledgeable about phishing and very cautious might fall for these attacks, since the messages appear to come from someone with whom they have already been emailing and to be part of an existing thread. This new breed of phishing leaves users in a quandary as to whether it is safe to open attachments even from known and trusted contacts.


RATDispenser is the very appropriate name for a JavaScript loader that infects devices with remote access trojans (RATs).

What makes RATDispenser dangerous is that it’s very good at evading traditional cybersecurity defenses. The attack begins with a phishing email containing a malicious JavaScript attachment with a double “.TXT.js” extension. Since Windows hides file extensions by default, the file appears to the recipient as a harmless text file. To help it sneak past most security software as well, the file is heavily obfuscated. Once launched, it writes a VBScript file, which then executes to download the trojan.
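The double-extension trick described above is easy to reproduce and to screen for at a mail gateway. The following Python is an added example written for this article (not code from the original post, from HP, or from the RATDispenser samples): it mimics what Explorer shows when extensions are hidden and flags attachment names whose final extension is a script type sitting behind a document-like decoy. The extension lists and the sample file names are constructed assumptions for illustration.

```python
"""Attachment-name triage for the double-extension trick (added example).

The file names and extension lists here are constructed for illustration;
they are not indicators from the RATDispenser campaign.
"""
from __future__ import annotations
import os

# Script types that Windows will run on double-click (assumed, illustrative list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Document-like extensions used as a decoy in front of a script extension.
DECOY_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def windows_display_name(filename: str) -> str:
    """Mimic Explorer's default 'Hide extensions for known file types' setting.

    Only the final extension is hidden, so 'invoice.TXT.js' is shown as
    'invoice.TXT', which is why the attachment looks like a plain text file.
    """
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename: str) -> str:
    """Return 'double_extension', 'script' or 'ok' for an attachment name.

    This is a name-based heuristic for triage, not a malware verdict.
    """
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in SCRIPT_EXTENSIONS:
        return "ok"
    _, inner_ext = os.path.splitext(stem)  # the decoy extension, if any
    if inner_ext.lower() in DECOY_EXTENSIONS:
        return "double_extension"
    return "script"


# Constructed sample attachment names, as a gateway rule would see them.
SAMPLE_ATTACHMENTS = [
    "quarterly_report.TXT.js",  # shown as 'quarterly_report.TXT' in Explorer
    "notes.txt",
    "setup_helper.vbs",
    "photo.JPG.jse",
]


def triage(names: list[str]) -> dict[str, str]:
    """Classify every attachment name and return {name: verdict}."""
    return {n: classify_attachment(n) for n in names}


if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        shown = windows_display_name(name)
        print(f"{name:26} shown as {shown:22} -> {classify_attachment(name)}")
```

A gateway rule built on `classify_attachment` would quarantine the first and last samples outright, regardless of how well the script body is obfuscated.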

According to research conducted by HP,

Using each sample’s earliest scan result, on average the RATDispenser samples were only detected by 11% of available anti-virus engines, or eight engines in absolute numbers.
A whopping 89% of anti-virus engines failed to detect RATDispenser, demonstrating yet again that detection-based cyberdefenses cannot be relied on to protect against phishing-delivered malware.

The Need for Zero Trust

These new types of attacks further drive home the urgent need for a Zero Trust security approach. The ProxyLogon/ProxyShell exploits show that you can’t trust a user or email simply because it’s coming from within your own network or in a thread from trusted correspondents. RATDispenser shows (in case numerous zero days did not already convince you) that you can’t rely on detection-based anti-malware software to protect your organization.

Zero Trust security operates on the assumption that all network traffic, emails and web interactions are risky. The many elements of comprehensive Zero Trust solutions like ZTEdge are designed to mitigate the risks and provide safeguards to minimize damage in the event that an exploit succeeds in getting past all the defenses.

Remote Browser Isolation, which can be thought of as a Zero Trust security approach to web access, routes all web traffic – including URLs launched from emails and attachments – through a virtual browser located in an isolated container in the cloud. No website code ever runs on the user’s device, so no malware can be installed if a user clicks on the wrong link.

Content disarm and reconstruct (CDR) brings a similar concept to downloads, isolating and sanitizing email attachments before they are brought down to local devices so embedded malware can’t do harm.

In the event that a breach does occur, microsegmentation and least privilege access techniques can minimize damage by preventing or strictly limiting lateral movement within a network that has been breached.

Legacy cybersecurity tools are not up to the task of defending against today’s threats – and defense is a top priority for everyone today, up to and including the White House, which has mandated adoption of a Zero Trust approach for federal agencies, and is strongly encouraging the private sector to adopt it as well. Isn’t it time for your organization to do the same?

About James Lui

Ericom Software Group CTO, Americas