New URL filter evasion method for phishing campaigns

Phishing campaign operators have devised a new way to slip Office documents carrying malicious links past URL filters

Phishing campaign operators have found a way to keep Office documents carrying malicious links from being flagged by some e-mail security products. According to network security and ethical hacking specialists from the International Institute of Cyber Security, attackers delete the link entries from the document's relationship file (the .rels part; in a Word file this is word/_rels/document.xml.rels), so a filter that only reads that file never sees the URL.

This technique, known as the ‘NoRelationship attack’, has already been seen in a spam campaign whose purpose was to lead victims to a fake login page and harvest their credentials.

Network security experts described how the campaign works: “An Office document, whether Word, PowerPoint, Excel, etc., is comprised of a set of XML files that include font, images, formatting, and embedded object details. The xml.rels file maps the relationships within these files and the resources outside of them. Documents that include links to websites have those links added to this file.”

Many e-mail filtering tools extract the URLs from a message's attachments and check them against a database of known-malicious sites, or even fetch the links themselves to inspect the destination. Many tools, however, take a shortcut: they collect URLs only from the .rels relationship file and never look at the rest of the document's XML. A link whose relationship entry has been deleted is therefore invisible to such a filter even though its text still appears in the document body.

“A file containing URLs that are not included in the xml.rels file will not be subject to malicious content scanning. These files will be seen in the message anyway, and the user could click on any of them,” said network security specialists.
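The following script, added here as an illustration and not code from the original report, builds a minimal .docx in memory both with and without the hyperlink's relationship entry, then runs two scanners over it: a naive filter that only reads external Targets from .rels parts (the behaviour the article describes) and a hardened one that extracts URLs from the text and attributes of every XML part and also flags any r:id that does not resolve in the part's own .rels file. The package layout, namespaces and the phishing URL are constructed sample data; the detection logic is the editor's own suggestion, not a product's implementation.

```python
from __future__ import annotations

import io
import posixpath
import re
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlparse

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = R_NS + "/hyperlink"

PHISH_URL = "https://login.example.com/verify"  # constructed sample, not a real indicator

CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

ROOT_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{PKG_REL_NS}">
  <Relationship Id="rId1" Type="{R_NS}/officeDocument" Target="word/document.xml"/>
</Relationships>"""


def build_docx(keep_relationship: bool) -> bytes:
    """Minimal .docx whose body shows PHISH_URL as hyperlink rId2.
    keep_relationship=False mimics the NoRelationship trick: the hyperlink and its
    visible URL text stay in document.xml, but the rId2 entry mapping it to an
    external Target is deleted from word/_rels/document.xml.rels."""
    document_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}">
  <w:body>
    <w:p><w:r><w:t>Your mailbox is full. Sign in to keep receiving mail:</w:t></w:r></w:p>
    <w:p><w:hyperlink r:id="rId2"><w:r><w:t>{PHISH_URL}</w:t></w:r></w:hyperlink></w:p>
  </w:body>
</w:document>"""
    link_rel = (f'<Relationship Id="rId2" Type="{HYPERLINK_TYPE}" '
                f'Target="{PHISH_URL}" TargetMode="External"/>') if keep_relationship else ""
    document_rels = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                     f'<Relationships xmlns="{PKG_REL_NS}">{link_rel}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", ROOT_RELS)
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


def urls_from_relationships(docx: bytes) -> set:
    """The weak filter from the article: only external Targets listed in .rels parts."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                for rel in ET.fromstring(z.read(name)).iter(f"{{{PKG_REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        found.add(rel.get("Target"))
    return found


URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
# Hosts that occur in every OOXML package as schema identifiers, not as links.
SCHEMA_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org"}
TEXT_TAGS = {f"{{{W_NS}}}t", f"{{{W_NS}}}instrText"}  # visible runs and field codes


def scan_all_parts(docx: bytes) -> dict:
    """Hardened filter: URLs from every part's text and attributes, plus dangling r:id refs."""
    urls, dangling = set(), set()
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        names = set(z.namelist())
        for name in names:
            if not (name.endswith(".xml") or name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            candidates, referenced = [], set()
            # Word often splits one URL over several runs, so join text per paragraph.
            for p in root.iter(f"{{{W_NS}}}p"):
                candidates.append("".join(t.text or "" for t in p.iter() if t.tag in TEXT_TAGS))
            for el in root.iter():
                candidates.extend(el.attrib.values())
                rid = el.get(f"{{{R_NS}}}id")
                if rid:
                    referenced.add(rid)
            for s in candidates:
                for u in URL_RE.findall(s):
                    if urlparse(u).hostname not in SCHEMA_HOSTS:
                        urls.add(u)
            # Every r:id a part uses must resolve in that part's own .rels file.
            if referenced and not name.endswith(".rels"):
                rels_name = posixpath.join(posixpath.dirname(name), "_rels",
                                           posixpath.basename(name) + ".rels")
                ids = set()
                if rels_name in names:
                    ids = {r.get("Id") for r in ET.fromstring(z.read(rels_name))
                           .iter(f"{{{PKG_REL_NS}}}Relationship")}
                dangling |= referenced - ids
    return {"urls": urls, "dangling_ids": dangling}


if __name__ == "__main__":
    for label, doc in (("normal", build_docx(True)), ("NoRelationship", build_docx(False))):
        print(label, "rels-only:", urls_from_relationships(doc), "full scan:", scan_all_parts(doc))
```

On the stripped document the rels-only scanner returns nothing, while the full scan still recovers the URL from the paragraph text and reports rId2 as a dangling reference, which is itself a useful signal: a hyperlink whose relationship was removed by hand rarely occurs in documents Word saved normally.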

Users relying on tools such as Microsoft Exchange Online Protection or Proofpoint are the most exposed to the NoRelationship attack. Users of tools such as Microsoft Advanced Threat Protection or Mimecast, on the other hand, are protected against this phishing variant.