New URL filter evasion method for phishing campaigns

Malicious campaign operators have devised a new method for sending documents with malicious files

Phishing campaign operators have found a way to keep malware-loaded Office documents from being detected by some security software. According to network security and ethical hacking specialists from the International Institute of Cyber Security, attackers are deleting links from the relationship file (xmls.rels) of the malware-infected document.

This technique, known as ‘NoRelationship Attack’, has already been detected in a spam
campaign, whose main purpose was to lead victims to a fake login page to
extract their access credentials.

Network security experts described the operation of this campaign: “An Office document, whether
Word, PowerPoint, Excel, etc., is comprised of a set of XML files that include
font, images, formatting, and embedded object details. The xmls.rels file maps
the relationships within these files and the resources out of them. Documents
that include links to websites are added to this file”.

Many email filtering tools scan the attachments in a message and compare the links they contain against a database of malicious websites, or even follow the links themselves. However, many security tools omit this step and only check the content of the xmls.rels file.

“A file containing URLs that are not included
in the xmls.rels file will not be able to perform malicious content scanning.
These files will be seen in the message anyways, and the user could click on
any of them,” said network security specialists.
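
A defender-side check for the gap described above, as an added example that is not from the original article or from any vendor's product: it lists URLs found anywhere in a document's XML parts that no relationship part (a file ending in `.rels`) declares as an external target. The function names, the sample package and the host `login.example.test` are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for untrusted mail, use a hardened parser such as defusedxml

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def find_urls(text):
    """Extract http(s) URLs from a string, trimming trailing sentence punctuation."""
    return {u.rstrip(".,;)") for u in URL_RE.findall(text or "")}


def unlisted_urls(docx_bytes):
    """Return URLs present in the XML parts that no .rels part declares as an external target."""
    declared, seen = set(), set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith((".xml", ".rels")):
                continue
            for el in ET.fromstring(pkg.read(name)).iter():
                if name.endswith(".rels"):
                    if el.get("TargetMode") == "External":
                        declared.add(el.get("Target", ""))
                else:
                    # xmlns declarations are not in el.attrib, so schema URIs are not counted
                    for s in (el.text, el.tail, *el.attrib.values()):
                        seen |= find_urls(s)
    return sorted(seen - declared)


def build_sample(with_relationship):
    """Constructed sample package; login.example.test is a made-up host."""
    url = "https://login.example.test/verify"
    body = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
            f'<w:t>Sign in at {url}.</w:t></w:r></w:p></w:body></w:document>')
    rel = (f'<Relationship Id="rId1" Type="{HYPERLINK}" Target="{url}" '
           'TargetMode="External"/>') if with_relationship else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", body)
        pkg.writestr("word/_rels/document.xml.rels",
                     f'<Relationships xmlns="{PKG_NS}">{rel}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    print(unlisted_urls(build_sample(with_relationship=False)))
```

A non-empty result is a triage signal rather than a verdict, since legitimate parts can also carry URLs in text or attribute values.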

Users of tools such as Microsoft Exchange Online Protection or Proofpoint are the most vulnerable to the NoRelationship Attack. On the other hand, users of tools such as Microsoft Advanced Threat Protection or Mimecast are safe from this phishing variant.
