Dark web merchants have been observed selling a new tool that lets cybercriminals plant malicious emails directly into users' inboxes: the attacker logs in to the victim's account with stolen credentials and then abuses a standard Internet Message Access Protocol (IMAP) command, APPEND, which lets a client write a message straight into a mailbox folder.
Because the message is never transmitted over SMTP, it never passes through the perimeter email gateways and spam filters that would ordinarily inspect and block a malicious message while it is in transit to the recipient.
The tool, called Email Appender, is written in Node.js and compiled into a Windows executable. It could be useful to anyone looking to launch phishing or business email compromise (BEC) attacks, warned a new blog post from Gemini Advisory, whose analysts discovered the threat. “Criminal actors have made their next move to outflank existing anti-spam and anti-fraud security precautions by moving to email implantation. The ball is now back in the cybersecurity practitioners’ court," the post stated.
To work, the attacker first needs to be in possession of potential victims’ email address and account credentials. However, that's easy enough: "Billions of credential pairs are easily available as part of free or low cost dumps traded and sold by cybercriminals, so this will likely not be a deterrent," said Erich Kron, security awareness advocate at KnowBe4.
The Email Appender tool takes any valid stolen credentials, authenticates to the corresponding mailbox over IMAP, and then issues the protocol's APPEND command to write a new message into the account. Because the attacker composes the message and every one of its headers, the content can be tailored to look especially credible. The From display name and address can be set to exactly match a genuine company's domain, since no mail server ever checks them in transit.
"This stands in contrast to typical email schemes that are forced to slightly alter the spelling of the actual email address," Gemini Advisory said in the blog post. Moreover, the attackers can also modify the reply-to field "to redirect responses to an email address under their control and away from the falsified Sender and From addresses."
“Given the threats that email phishing poses to organizations, this ability to inject messages directly into the email box could be a very powerful tool for cybercriminals,” Kron concluded. “By bypassing the spam filters and email gateways, this will allow for attachments that may otherwise be caught to arrive safely in the user’s inbox.”
However, Kevin O'Brien, CEO and co-founder of email security company GreatHorn, told SC Media that the threat is “overblown” and can be easily neutered by simply disallowing IMAP connections or by using any modern “cloud-native email security solution that analyzes messages at the mailbox level."
He said only legacy secure email gateways would be bypassed by this.
"IMAP... dates back to 1986, and this 'attack' is basically nothing more than IMAP doing what it’s supposed to do," O'Brien continued. "With full credential access to a mailbox, you can do things with it that could be deceptive – which is not interesting or new." He compared it to a burglar getting your house keys, then being concerned that the burglar might use them to put fake mail on your kitchen table, because you might then send a check to pay a fake bill.
"It could happen, but the burglar could also steal your electronics or jewelry – and that’s easier and faster," he said.
Whether the tool represents a serious danger or not, there are measures that individuals and organizations can take to defend themselves against it. For starters, Gemini Advisory recommends implementing multi-factor authentication for email accounts.
Additionally, Kron said people "should be taught to use unique passwords for each website they create accounts on."
O'Brien, however, called the response trivially easy: don’t allow IMAP connections. "That’s a default setting in Office 365. It’s not a protocol needed in 2020 in almost any circumstances."
With that said, Gemini Advisory did note that many corporate and government organizations still "offer IMAP connectivity alongside their Bring Your Own Device (BYOD) programs."
But even for those who choose to use IMAP, "any integrated email security solution – any cloud-native email security solution that analyzes at the mailbox level, not as a perimeter security tool – would analyze the appended mail and flag it instantly as being completely fraudulent," said O'Brien. "This attack completely falls apart with a modern email security solution in place, which would see all of the missing details that an inserted message would have."
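The following script is an added example for this article; it is not code from the Gemini Advisory post, from Email Appender, or from any vendor's product. It illustrates two points from the text: what the IMAP APPEND that implants a message looks like on the wire (RFC 3501 syntax, the thing an IMAP server log would record), and how a mailbox-level check of the kind O'Brien describes can flag an implanted message by the transit headers it lacks and by a Reply-To that diverges from a spoofed From. The domains, addresses and header values are constructed for the demo (example-corp.com stands in for the victim organisation, example-attacker.net for the attacker), and the three heuristics are one illustration, not a complete detection ruleset.

```python
"""Added example (not the article's, the tool's, or any vendor's code).

1. imap_append_exchange(): the client half of an RFC 3501 APPEND.
2. audit_message(): mailbox-level heuristics for a message that was written
   into a folder by APPEND rather than delivered through SMTP.

All domains, addresses and header values below are constructed for the demo.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr


def build_implanted_message() -> bytes:
    """Constructed sample of what an appender would write into the mailbox.
    From exactly matches the victim's own domain; Reply-To points at the
    attacker. There are no Received or Authentication-Results headers because
    no MTA ever handled the message."""
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <ap@example-corp.com>"
    msg["To"] = "victim@example-corp.com"
    msg["Reply-To"] = "ap-invoices@example-attacker.net"
    msg["Subject"] = "Updated remittance details"
    msg["Date"] = "Mon, 02 Nov 2020 09:15:00 +0000"
    msg["Message-ID"] = "<20201102091500.1@example-corp.com>"
    msg.set_content("Please use the new bank details for this month's invoice.")
    return msg.as_bytes(policy=policy.SMTP)  # CRLF line endings, as IMAP expects


def build_relayed_message() -> bytes:
    """Constructed sample of a legitimate message that crossed SMTP: the
    inbound MX stamped it with Received and Authentication-Results headers."""
    msg = EmailMessage()
    msg["Received"] = ("from mail.example-corp.com (mail.example-corp.com [203.0.113.5]) "
                       "by mx.example-corp.com with ESMTPS id k7s2; "
                       "Mon, 02 Nov 2020 09:14:58 +0000")
    msg["Authentication-Results"] = ("mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; "
                                     "dkim=pass header.d=example-corp.com; dmarc=pass")
    msg["From"] = "Accounts Payable <ap@example-corp.com>"
    msg["To"] = "victim@example-corp.com"
    msg["Subject"] = "October invoice"
    msg["Date"] = "Mon, 02 Nov 2020 09:14:58 +0000"
    msg["Message-ID"] = "<20201102091458.7@example-corp.com>"
    msg.set_content("Attached is the October invoice.")
    return msg.as_bytes(policy=policy.SMTP)


def imap_append_exchange(tag: str, mailbox: str, raw: bytes,
                         flags: str = "\\Seen") -> list[bytes]:
    """Client half of an RFC 3501 APPEND, as the two chunks the client sends.
    The server answers the first chunk with a continuation ("+ Ready for
    literal data"), the client sends the message as a literal, and the server
    replies "<tag> OK APPEND completed". No SMTP transaction happens."""
    command = f"{tag} APPEND {mailbox} ({flags}) {{{len(raw)}}}\r\n".encode("ascii")
    return [command, raw + b"\r\n"]


def audit_message(raw: bytes) -> list[str]:
    """Mailbox-level heuristics for an implanted message. Returns a list of
    findings; an empty list means nothing suspicious under these checks."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if not msg.get_all("Received"):
        findings.append("no Received headers: no MTA ever relayed this message")
    if "Authentication-Results" not in msg:
        findings.append("no Authentication-Results: inbound gateway never evaluated SPF/DKIM/DMARC")
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    return findings


def demo() -> dict[str, list[str]]:
    """Audit both constructed samples; only the implanted one trips the checks."""
    return {"implanted": audit_message(build_implanted_message()),
            "relayed": audit_message(build_relayed_message())}


if __name__ == "__main__":
    raw = build_implanted_message()
    for chunk in imap_append_exchange("A003", "INBOX", raw):
        print(chunk[:60])
    for name, findings in demo().items():
        print(name, findings)
```

The audit deliberately looks only at what the mailbox already holds, which is the vantage point a perimeter gateway never gets for an appended message; a production check would also compare the From domain against the organisation's own and require a DKIM or ARC result before trusting it.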
Gemini Advisory noted several other notable attributes of Email Appender, reporting that the tool can be configured to route its connections through SOCKS proxies in order to evade email platforms that monitor the IP addresses from which users connect to their accounts over IMAP. "To make matters worse, Email Appender also comes pre-packaged with 10,000 IMAP server configurations that can be updated as needed, and the software can analyze victims’ email addresses to identify which server connection should be used," the blog post said.
Gemini Advisory also warned that attackers could use the tool to make their own copy of a victim's mailbox and then delete the original in order to hold the stolen emails for ransom.