Phishing emails leverage unique subject lines, Office docs

Phishing emails continued to evolve last year, according to a new report from PhishMe, with Microsoft Office documents and unique subject lines used to get past enterprise filters.

Malicious Office macros have been around since the 1990s, said David MacKinnon, director of research at PhishMe, because there’s little that companies can do to block them.

“Office documents are part of everyday use,” he said.

And although many Office users don’t take advantage of the macro functionality, if a company shuts off macros then the documents take the users through the process of turning them back on again.

“Inside these Word documents, there would just be a single image embedded, and the image just says, ‘Your security settings don’t allow you to view the document,’ and guide the user to enable the macros,” said MacKinnon.

One new take on Office documents is the use of PowerPoint files, he added. “This was new for us.”

PowerPoint attachments, instead of using macros, use embedded objects, he said.

“You can’t block it,” he said. “Most security controls will miss it.”

Attackers have also dramatically increased their use of unique subject lines to get past controls, he said.

They have become clever in using recipient names, unique identifiers purporting to be invoice numbers or shipping codes, and templates with lists of words that can be recombined in various ways.

The latter look a little bit like the game Mad Libs, where, say, one of the words could be “advice,” “memo,” “note,” “plan,” “report,” or “statement.”

The result is an email that is both unique but still feels believable to the recipient.

And it’s not just the subject lines that are changing, he added.

“Instead of 100,000 emails with the same attachment, you’ve got 100,000 emails with 100,000 different attachments,” he said.

And the message bodies are varied as well. For example, a fake invoice email could contain a random dollar amount and different financial account codes.

PhishMe is a vendor that sends simulated phishing emails to enterprise employees as part of security awareness training.

According to MacKinnon, the likelihood that an employee will respond to a malicious phishing email can be decreased significantly with training.

However, the goal of anti-phishing training shouldn’t be to reach a particular low click rate, he said.

“It only takes a single click to open the door to attackers,” he said.

Instead, training should focus on teaching employees to report the phishing emails to security staff, so that they know when a company is being targeted by a phishing campaign and be prepared to respond.

After successful training, employees become the first line of defense against these kinds of attacks, instead of being the weakest links.

“We have more users reporting the phishing emails than clicking on them,” he said.