New Phishing Trick That Can Bypass Email URL Filters

There is a new Phishing trick that hackers have come up with, this trick is to make Office documents carrying malicious links undetectable by many email security services. They go about deleting the links from the document’s relationship file (xml.rels). This phishing trick has been seen by security professionals during email spam campaigns, these URL’s direct victims to a credential harvesting login page.

How does it work?

What makes up an office document? “Office documents (.docx.xlsx.pptx) are made up of a number of XML files that include all the font, image, formatting, and object information which make up the document,” Avanan researchers explain.

These xml.rels file maps the relationships within these doc files and with resources outside of the them. When the document includes web links, they are added to the xml.rels files.

How does your spam filter or antivirus goes about scanning attachments with malicious content? Most email filters scan these documents for external web links and compare them to their database of malicious sites or follow the links and evaluate the target themselves. But, unfortunately, some spam filters and antivirus skip that step and check only the contents of the associated relationship file. “If, for some reason, the document contains URL links that are not included in the xmls.rels file, these parses will not see them, even though they are still active and clickable within the document,” the researchers explained.

Who can be affected by this?

Users that have email inboxes which are protected by Microsoft Exchange Online Protection (EOP), ProofPoint and F-Secure are vulnerable to this so-called NoRelationship attack, while those shielded by Microsoft Advanced Threat Protection (ATP), Mimecast and Avanan are not.

This comes back to doing research on the type of security providers give you is a must. “It seems there are no shortcuts to be had in email scanning,” the researchers noted. “The only solution is to scan the entire file.”

Do not forget about the types of Email Scams you should be Vigilant about and to go through Basic Email Security Training.


Discover more from Patrick Domingues

Subscribe to get the latest posts sent to your email.

author avatar
Patrick Domingues

Leave a Comment

Stay Informed

Receive instant notifications when new content is released.