Email_collection — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/email_collection/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 02 Jan 2024 12:00:00 +0000Suspicious Inter-Process Communication via Outlook COMhttps://feed.craftedsignal.io/briefs/2024-01-outlook-com-abuse/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-outlook-com-abuse/Adversaries may target user email to collect sensitive information or send email on their behalf via API by abusing Outlook's Component Object Model (COM) interface from unusual processes.Attackers may exploit the Component Object Model (COM) interface in Microsoft Outlook to automate tasks such as sending emails or exfiltrating sensitive information. This attack involves leveraging unusual processes to interact with Outlook, potentially bypassing security measures. The activity is detected by monitoring for unexpected processes initiating communication with Outlook, especially those lacking trusted signatures or recently modified, indicating potential malicious activity. The detection focuses on identifying processes like rundll32.exe, mshta.exe, powershell.exe, cmd.exe, cscript.exe, and wscript.exe interacting with Outlook. This activity can lead to unauthorized access to sensitive email data or the ability to send malicious emails from compromised accounts.

Attack Chain

  1. An attacker gains initial access to a Windows system, often through phishing or exploiting a vulnerability.
  2. The attacker uses a scripting language or executable, such as PowerShell or cmd.exe, to interact with the Outlook application via its COM interface.
  3. The script attempts to enumerate mailboxes and email messages.
  4. Sensitive data from the email messages is collected and prepared for exfiltration.
  5. The script initiates a network connection to a remote server controlled by the attacker.
  6. The collected data is then exfiltrated to the attacker’s server.
  7. Alternatively, the attacker crafts and sends emails from the compromised Outlook account to further propagate malware or conduct phishing campaigns.
  8. The attacker cleans up any traces of the malicious script or executables to maintain persistence.

Impact

Successful exploitation could lead to the compromise of sensitive information contained within user email accounts. This includes confidential business communications, personal data, and potentially credentials. The impact extends to potential data breaches, financial losses, and reputational damage. The number of affected users and the extent of the damage depends on the attacker’s objectives and the level of access achieved within the compromised email environment.

Recommendation

  • Monitor process execution for unusual processes (rundll32.exe, mshta.exe, powershell.exe, pwsh.exe, cmd.exe, regsvr32.exe, cscript.exe, wscript.exe) spawning or interacting with OUTLOOK.EXE. Deploy the “Suspicious Outlook COM abuse by Scripting Host” Sigma rule to your SIEM and tune for your environment.
  • Implement code signature validation for all executables in your environment. This will help identify and block unsigned or untrusted executables.
  • Monitor for any network activity associated with the identified unusual processes. This helps to identify potential data exfiltration attempts.
  • Enable process creation logging with command line arguments to enhance visibility into potential malicious activities. This is critical for the Sigma rules to function correctly.
  • Regularly review and update your endpoint protection policies to ensure that similar threats are detected and blocked.
  • Investigate any alerts generated by the “Suspicious Outlook COM abuse by New Process” Sigma rule, correlating with user activity and network connections.
]]>mediumadvisoryemail_collectioncom_abusewindows