Vade has detected a wave of spam emails that are being directly deposited into mailboxes without passing through transport layers. The wave, which included 300,000 spam messages sent to a single customer in one day, has been detected in France, Italy, Denmark, and the US.
Spam emails: how it works
Security researchers at Vade suspect that cybercriminals are using a new tool called Email Appender to connect directly to compromised email accounts via IMAP. Available on the dark web, Email Appender allows a cybercriminal to validate compromised account credentials, configure a proxy to avoid IP detection, draft a malicious email, and deposit the spam emails into compromised users’ accounts.
Email Appender, first reported by Gemini Advisory in October 2020, features a UI that allows a hacker to customize the email, including changing the display name of the sender address and creating a reply-to address. The compromised account credentials are most likely purchased from the dark web and then validated with a tool like Email Appender to connect to the user’s account via IMAP.
Here’s a real-world example of what it means to “deposit” an email without passing through transport layers:
- You create a draft email in an email client.
- You drag and drop the .EML file to a folder on your computer.
- You connect to your Microsoft Outlook online account.
- You drag and drop the .EML file into Outlook.
The email never passes through Microsoft’s security layers. It’s deposited.
The current situation is being remedied by shutting down compromised accounts and resetting compromised account credentials. This requires users to contact their ISPs directly, which is costly. The average support call costs ISPs an average of €20 to €70.
The emergence of Email Appender as a subscription is a warning sign of what’s to come in the cybercrime-as-a-service space. Ransomware-as-a-service (RaaS) is helping a generation of low-tech criminals pull of successful ransomware attacks. If Email Appender and other tools like it continue to show these types of results, it could go viral in the cybercriminal community.
An emerging trend
While this latest threat primarily features spam emails, we expect hackers to hone their techniques before moving on to more advanced threats, including phishing and malware. Spam is easy to produce, and it’s cheap, but phishing and malware require more sophisticated methods and tools to be successful.
We’ve seen in the past that hackers will test their techniques on the consumer market with ISPs before moving to the business market. This could be for two reasons: First, businesses have more sophisticated security solutions. Second, business users are more savvy and less likely to fall for amateurish scams. This requires hackers to test and adapt to perfect their techniques.
If and when this threat morphs into phishing, business email compromise, or malware, a platform like Microsoft 365 is ripe for attack. Most email security solutions for Microsoft 365 are not integrated with the platform via API but sit outside the Microsoft tenant. This means that not only do they not scan internal Microsoft 365 email for insider threats, but they also cannot act on malicious emails once they have been successfully delivered.
Protecting your business
2FA will not prevent a hacker from connecting to a compromised account via IMAP. If a user has 2FA enabled, however, they could be alerted to the connection and can contact their ISP to reset their credentials. Unfortunately, 2FA is not mandatory, and many consumers have not activated the service.
The IMAP method is a strong case against outdated border security and for an API-based approach. Border security solutions sit on the outside and have only one chance to catch a threat. An API-based solution sits on the inside and can continuously scan mailboxes for spam emails.
The API approach allows for both internal email scanning and post-delivery remediation. When the IMAP method moves into the business market, businesses need to be ready with a solution that has the ability to act from the inside when threats are detected.
