Network security firm Cofense was able to identify a code trace in phishing emails that revealed SuperMailer abuse in the attacks. Credit: Thinkstock SuperMailer, a legitimate email newsletter program, has been found abused by threat actors to conduct a high-volume credential harvesting campaign, according to network security firm Cofense.“The SuperMailer-generated emails have been reaching inboxes at an increasingly remarkable volume,” Brah Haas, cybersecurity threat intelligence analyst at Cofense, said in a blog post. “Emails containing the unique SuperMailer string barely registered in January and February, but in the first half of May they accounted for over 5% of credential phishing emails.”The unique SuperMailer string refers to a coding mistake included by the threat actors when crafting email templates in SuperMailer. Cofense was also able to identify other indicators of compromise in the emails with the SuperMailer string, which when cross-referenced, rounded out 14% of total phishing incidents identified in May.Phishers are attracted by core SuperMailer featuresSuperMailer is a paid application designed for desktop use, billing itself as a tool for generating and dispatching email HTML newsletters and customized bulk emails. A pack of attractive features, according to Cofense, is possibly responsible for an increased pace of the campaign despite occasional errors. “The threat actors behind the campaign found a working combination of tactics, refined it, and scaled it up, all within a matter of weeks. The fact that the emails are reaching users so consistently underscores the importance of user awareness and a robust, intelligence-driven email security program,” Haas said.The features with great value to threat actors include placeholder fields for email personalization, a visual editor, a multithreaded send option, and compatibility with several mailing systems. While the placeholder fields and visual editor allow for deep customization including the addition of a first name, last name, email address, organization details, and visually appealing HTML emails, the compatibility and send options make it easy to mail it across numerous channels quickly.Furthermore, the attackers were found employing familiar email themes such as password expiration alerts, scanned document or signature service notifications, and overdue invoices or payment reminders, alongside their customization efforts. In recent campaigns, the threat actors are specifically targeting Microsoft login credentials according to Cofense.Multiple tactics to avoid SEG detectionFor phishing emails to successfully deceive the recipient, they must also bypass the recipient’s email filtering systems. In order to achieve this, the recent campaigns generated by SuperMailer employ various strategies to evade detection by security email gateways (SEGs) and other security measures.A few evasion techniques observed in the campaign include open redirect abuse, URL randomization, varied email senders, and reply chains.While open redirects, directing users to external URLs, are used as SEG can’t follow the redirect, URL randomization is a known technique to evade URL blocking owing to the presence of suspicious strings as parts of the URL.Faking the origins of emails and introducing email reply chains are techniques to fake reputation and thereby bypass detection both by SEG and the users. “By combining SuperMailer’s customization features and sending capabilities with SEG evasion tactics, the threat actors behind the campaign have delivered tailored, legitimate-looking emails to inboxes spanning every industry,” Haas said.Despite Cofense catching them because of a coding mistake, Haas cautioned, the threat actors behind the campaign must be taken seriously as they have also shown sophistication through this combination of tactics. Related content news Amazon debuts biometric security device, updates Detective and GuardDuty Amazon’s latest security offerings, announced at its re:Invent conference, cover everything from advanced biometrics to new tools for defeating runtime and cloud threats, including identity and access management (IAM) capabilities. By Jon Gold Nov 29, 2023 3 mins Biometrics Security Monitoring Software Threat and Vulnerability Management news Almost all developers are using AI despite security concerns, survey suggests About 96% of developers are using AI tools and nearly eight out of 10 coders are bypassing security policies to use them, while placing unfounded trust into AI’s competence and security, according to the report by Snyk. By John Mello Jr. Nov 29, 2023 4 mins Development Tools Security Practices Supply Chain news FBI probes Pennsylvanian water utility hack by pro-Iran group Federal and state investigations are underway for the recent pro-Iran hack into a Pennsylvania-based water utility targeting Israel-made equipment. By Shweta Sharma Nov 29, 2023 4 mins Cyberattacks Utilities Industry feature 3 ways to fix old, unsafe code that lingers from open-source and legacy programs Code vulnerability is not only a risk of open-source code, with many legacy systems still in use — whether out of necessity or lack of visibility — the truth is that cybersecurity teams will inevitably need to address the problem. By Maria Korolov Nov 29, 2023 9 mins Security Practices Vulnerabilities Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe