• by Ray Schultz , December 14, 2018

Companies should be on the lookout  for a new security threat: Holiday greetings with numerous variants. Many such emails hit company inboxes around Thanksgiving, according to John Randall, VP of product management at EdgeWave.

“They were sending messages that had attachments purporting to be Thanksgiving cards, wishing you a happy Thanksgiving,” Randall says. “They would slightly change each variant, and the name of the attachment would slightly change.”

Randall adds that they “were all the same campaign from the same threat actor, but the pieces were changed enough in an obvious attempt to bypass the usual gateway filters and add legitimacy to the email itself.”

EdgeWave blocked over 30,000 variants of this campaign between November 20th and 26th. The emails had links pointing to sites in Russia and Eastern Europe. 

Typical subject lines were: 

• Thanksgiving Day Congratulation
• Happy Thanksgiving Day Greeting Message
• [Recipient Name] Thanksgiving eCard
• Happy Thanksgiving Day Message
• Happy Thanksgiving Day wishes
• Congratulations on Thanksgiving
• Thanksgiving Day Card
• Thanksgiving Greeting Card
• Thanksgiving email Greetings
• Thanksgiving Greetings
• Thanksgiving Wishes
• Thanksgiving ecard

Some of the emails contained actual quotes from well-known people. 

It’s not yet clear whether there will be a wave of similar fake Christmas greetings, but last week EdgeWave caught a credential-scrape attacking spoofing Microsoft Office 365, telling recipients that there was a failed delivery, and directing them to a fake login-in page.

Randall notes that there was “nothing right about it” when compared to a genuine Microsoft email, but that it could have fooled people.

It was traced to a “hijacked email server in Japan, pointing to a compromised server in Hong Kong,” he continues.

Malware senders are increasingly procuring security engines and testing against them. They are also sending themselves emails to see what gets through hosting services.

These tactics help them bypass gateway filters, Randall says.

To combat this, EdgeWave offers a post-gateway inbox detection service. Recipients can submit suspicious messages to the firm’s threat detection team for a quick review, Randall says. If malicious, the email will be quarantine and removed from all inboxes in the company.

Randall observes that email addresses are commonly listed for sale in the criminal underground. He adds, “It’s not hard to harvest a particular domain.”

As for Christmas, there’s a danger “any time you have the general population putting their energies elsewhere,” Randall says. People are in the holiday spirit, so it’s easier to interject malicious emails into the email flow “and have that apparent sense of legitimacy,” he contends.