The fight against attachment-based malware such as Emotet

José Ferreira By José Ferreira • July 14, 2022

With this article, where showing the set of technologies we use specifically to fight attachment based attacks


There are many ways (attack types) - which are usually deployed simultaneously - to ensure a victim deploys a malware code in an endpoint system. For successful phishing attacks, the right amount of victim knowledge, social engineering, insights on organizations, habits, and processes and, of course ensuring that the zombie system the attacker is using pretends to be honest - in terms of network reputation and compliance with authentication protocols, such as TLS and DKIM. And then, there is the Malware that the attacker intends to disguise in an innocent URI or file - what we're focusing on this article

As for defence systems, the traditional way to stop this type of threats - Malware hidden in attachments - is to stop it before you actually have to analyze files - either by user and network behavior analysis, by reputation, controls and blocklists, by content patterns. If an email goes through all the systems unharmed, defence systems usually run the files through one or more antivirus and, if these are sophisticated systems, they'd also use sandbox based malware systems.

These Sandbox systems - also known as Dynamic Malware Analysis - are systems that open files in controlled environments emulating user endpoints (accounts, operating system, applications) and then observe if anything abnormal occurs (for instance, a doc file is not supposed to alter a Windows registry file). Seems easy but it is actually very demanding, because malware have built-in mechanisms to avoid defenses. Antivirus are signature-based, meaning they will compare a hashed version of the file with a database of signatures. To create such databases, Antivirus vendors often use code analysis and....Sandbox systems.

Antivirus have two major problems: the first is they need to have seen that bad file somewhere before, and this is not often the case, either because Antivirus are not so prevalent in a certain geography, or because the malware is just too recent. The second problem is that Antivirus can only compare file hashes. and if a file is hidden inside other file or, worse, it is encrypted / password protected or archived (zip file, for example) the hash will be different. The end result is that AntiVirus rarely pass 60% average on Malware detection.

Even more advanced defence systems try to pick up where Antivirus and Sandbox systems fall short, either by assuming a code is dangerous, regardless of seeing it in action, either by trying to make sure Antivirus have the correct hashes to compare.

We have developed such a system over two years ago. We call it M3D - Mailspike Dangerous Document Detection - and what it basically does is working has a bridge between our content analysis, our file detection mechanisms, and our 4 anti Malware systems (Sophos, Bitdefender, ClamAV EBA (Enhanced by Anubis) and Checkpoint - which, by the way, were picked due to its prevalence in our markets, making a combined catch rate superior to other combinations). M3D does a few things:

  1. M3D dismantles files by discovering files within files, and files whose extension is false.
  2. M3D analyzes code blocks within certain files (office based, and pdf) for suspicious code (according to MITRE @ttack framework)M3d-1
  3. M3D detects files are password protected, and uses a Natural Language Processing Engine to search for passwords in that email or related email messages. It then uses the password to unlock the file and send it to the AntiVirus and Sandbox, where they can properly compare signatures.

Other techniques can also be deployed, such as holding the file until the malware is known, or 

When even the most advanced techniques fail in discovering malware within files, the following step is usually to adopt Control-based measures, instead of security mechanisms: for example blocking certain file types, blocking office documents with macros, applying Content Disarm and Reconstruction engines or simply removing the files and leaving them in quarantine.

Up until this moment, and by using our M3D engine combined with other systems, we were able to detect the Emotet-based malware campaigns within our customers, proving that advanced security works.


Can your current solution withstand the have of Ransomware?  Reach us for a  conversation!