Security solutions don’t interact with threats the way a human would – and for that reason, there are three major malware ploys most security tools miss. Here’s how to still stay protected – and how Fortra can help.
Password-Protected Attachments
The irony of password-protected attachments is that while they are intended to provide more security, most tools give up on scanning them because they don't have the password required to open them. Instead of being scanned, the files are acknowledged as unopenable and, by default, passed along to the recipient without any vetting at all.
Opening such files can pose significant risks. While there are several ways around this, the most effective and pragmatic is to block all password-protected files by default. Then, if you expect a password-protected file from a trusted contact, you (the end user) can give permission for that specific file to be released. Each organization should establish its own procedure for managing this process.
The last thing you want to do is place this inconvenience on the system administrators, who are already burdened enough. That would mean the admin requesting the password, opening the file, and scanning it themselves for every transfer from user A to user B, a cumbersome workflow that does not scale.
The better approach is for users to obtain passwords directly from trusted senders, ideally over a separate channel rather than the same email thread, which requires a certain degree of security training.
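The block-by-default workflow described above, as an added example that is not Fortra's code. It detects password-protected ZIPs by the "encrypted" bit in the ZIP directory (read without the password, nothing is extracted) and encrypted PDFs by the /Encrypt entry in the trailer, then holds such files unless the recipient has pre-approved that exact file from that sender. The allow-list, sender addresses, and sample archives are all constructed for the example; a gateway would read the approvals from its own policy store.

```python
import io
import zipfile

# Constructed per-recipient allow-list standing in for the gateway's policy store:
# recipient -> {(sender, filename)} pairs the recipient has explicitly approved.
APPROVED = {
    "alice@example.com": {("bob@partner.example", "q3-report.zip")},
}

# Constructed sample PDFs: one using the standard security handler, one without.
ENCRYPTED_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n"
PLAIN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"


def is_encrypted_zip(data: bytes) -> bool:
    """True if any entry has bit 0 (encrypted) of its general-purpose flag set.

    Only the central directory is read; nothing is extracted, so this works
    without the password and covers both ZipCrypto and AES entries.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def is_encrypted_pdf(data: bytes) -> bool:
    """True if the PDF trailer references an /Encrypt dictionary.

    Incremental updates can place a trailer anywhere, so the whole file is
    searched rather than just the tail.
    """
    return data.startswith(b"%PDF") and b"/Encrypt" in data


def classify_attachment(filename: str, data: bytes) -> str:
    lower = filename.lower()
    if lower.endswith(".zip") and is_encrypted_zip(data):
        return "encrypted-zip"
    if lower.endswith(".pdf") and is_encrypted_pdf(data):
        return "encrypted-pdf"
    return "clear"


def decide(sender: str, recipient: str, filename: str, data: bytes) -> str:
    """Block-by-default policy: 'deliver' scannable files, 'hold' encrypted
    ones unless the recipient pre-approved this exact file from this sender."""
    if classify_attachment(filename, data) == "clear":
        return "deliver"
    if (sender, filename) in APPROVED.get(recipient, set()):
        return "deliver"
    return "hold"


def make_zip(encrypted: bool) -> bytes:
    """Build a small ZIP in memory; optionally mark its entry as encrypted.

    zipfile cannot write encrypted archives, so the sample sets bit 0 of the
    flag field in the local header (offset 6) and the central directory entry
    (offset 8). The data stays in the clear; it is never extracted anyway.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.docm", b"constructed sample content")
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[raw.index(b"PK\x03\x04") + 6] |= 0x01
        raw[raw.index(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)


if __name__ == "__main__":
    for sender, name, blob in [
        ("bob@partner.example", "q3-report.zip", make_zip(True)),
        ("mallory@evil.example", "q3-report.zip", make_zip(True)),
        ("mallory@evil.example", "notes.zip", make_zip(False)),
        ("mallory@evil.example", "invoice.pdf", ENCRYPTED_PDF),
    ]:
        print(sender, name, classify_attachment(name, blob),
              decide(sender, "alice@example.com", name, blob))
```

The approval is keyed on sender and filename, not just sender, so a compromised partner mailbox cannot push an arbitrary encrypted archive through an old approval. The PDF check is deliberately cheap; a fuller implementation would parse the trailer rather than string-search, but the point is that encryption is detectable before any attempt to open the file.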
Quishing – QR Code Phishing
Quishing is another tricky attack vector, in part because traditional email security tools are built to locate URLs in the message body, not to scan images such as QR codes for them. How do you get around it?
When it comes to QR codes, people have become accustomed to pulling their phone out and scanning without thinking – for the QR code menu, the QR code parking meter, the QR code app downloads, and more. This knee-jerk reaction has been a boon to attackers, who exploit the tendency to take trust for granted when it comes to QR codes.
The first plan of action is to encourage users to use their common sense. Don't automatically scan a code just because the message says to. This is the same as clicking on a potentially malicious link, which many more users have been habitually trained to avoid. Here, as with password-protected files, user education is a key mitigation strategy.
Getting into technical approaches for vetting QR codes, Fortra Email Security offers something called deep content inspection. It looks beyond just words and phrases, instead searching for collections of objects to help identify whether or not the message is dangerous.
This means looking at how the message was constructed and where it comes from. For example, a file could be named with a .txt extension, but inspection of its actual bytes reveals an executable. One of the original classic cases, the “Anna Kournikova” virus of 2001, played on this exact weak spot. Users received what looked like an image file (“AnnaKournikova.jpg.vbs”), but the real, malicious extension was tacked on at the end. To make matters worse, Windows hid known file extensions by default, so many users saw only the .jpg. While this is one of the oldest examples, double-extension ploys are, remarkably, still in use today.
In other cases, a file's own headers can say it is only 1,000 bytes, but deep content inspection finds the file is really 3,000 bytes. Something is being hidden in the difference, and it's usually not good.
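The extension-versus-content check described above, as an added example (not Fortra's deep content inspection, whose internals the article does not show). It flags the double-extension trick by name alone, and separately compares the claimed extension against the file's leading bytes, so a renamed executable is caught regardless of what it is called. The signature table, expected-type map, and sample files are constructed for the example; a production scanner would lean on libmagic or equivalent.

```python
from __future__ import annotations
import os

# Magic-byte signatures for types that matter in mail triage (constructed subset).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF", "pdf"),
    (b"MZ", "pe"),            # .exe, .dll, .scr all start with the DOS stub
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),   # also the container for docx/xlsx/jar/apk
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls, .msi
]

# What the bytes should look like for a given claimed extension.
EXPECTED = {
    "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "gif": {"gif"},
    "pdf": {"pdf"}, "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"},
    "doc": {"ole"}, "xls": {"ole"}, "exe": {"pe"}, "dll": {"pe"},
    "scr": {"pe"}, "txt": {"text"},
}

# Extensions Windows runs as a program or script on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js",
                   "jse", "wsf", "wsh", "ps1", "hta", "msi", "lnk"}


def sniff(data: bytes) -> str:
    """Identify content by leading bytes, falling back to a text heuristic."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    if data and b"\x00" not in data:
        try:
            data.decode("utf-8")
            return "text"
        except UnicodeDecodeError:
            pass
    return "unknown"


def extensions(filename: str) -> list[str]:
    """Every dotted suffix, lowercased: 'Anna.jpg.vbs' -> ['jpg', 'vbs']."""
    parts = os.path.basename(filename).lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def inspect(filename: str, data: bytes) -> list[str]:
    """Findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    exts = extensions(filename)
    if not exts:
        return ["no-extension"]
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        # A decoy suffix in front of the real one is the double-extension trick.
        kind = "double-extension" if len(exts) >= 2 else "executable-extension"
        findings.append(f"{kind}:{'.'.join(exts)}")
    actual = sniff(data)
    expected = EXPECTED.get(last)
    if expected and actual not in expected:
        findings.append(f"type-mismatch:claimed={last},actual={actual}")
    return findings


if __name__ == "__main__":
    # Constructed samples: a VBS script wearing a .jpg decoy, and a PE renamed to .txt.
    samples = [
        ("AnnaKournikova.jpg.vbs", b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'),
        ("readme.txt", b"MZ\x90\x00" + b"\x00" * 60),
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, blob in samples:
        print(name, inspect(name, blob) or "ok")
```

The two checks are independent on purpose: the Anna Kournikova file is plain text inside (a VBScript), so a magic-byte check alone would pass it, while a renamed executable has a perfectly ordinary name and only the bytes give it away.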
With deep content inspection, Fortra Email Security starts at the top and examines every element of the email for suspicious behavior.
Sender — is the sender valid
Source — is the sending host a legitimate sender for that domain
URL — is it good or bad, does it have a good reputation? How long has it been up?
Certificate — Is the TLS certificate still valid?
What’s in the message body — is there any spurious content
What files are attached — what do they contain?
QR Code — the QR code is decoded (with a QR reader, OCR for any text in the image, or other code built for the purpose) and its payload is examined.
From that point, if the QR code contains a URL, the whole process is repeated for that URL. If any one of these checks fails, the QR code is removed from the message.
Let’s see it in action. In the following two test files, one QR code has the text "company confidential" and the other has a URL.
Example 1
In the first example, Fortra Email Security finds the text “Company Confidential” and blocks the message. In the real world, instead of “Company Confidential,” the QR code can carry a URL, which when scanned by a phone will open a (malicious) link in the phone's browser. It can also carry a tel: link that instructs your phone to call a number, which could be a premium rate number that runs up charges on your monthly bill.
Example 2
In this second example, below, Fortra Email Security finds the suspicious URL and promptly sanitizes the image, rendering it safe.
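The "decode, then run the URL checks, then remove the code if anything fails" step from the list above, as an added example that is not Fortra's code. It starts after a QR decoder has produced the payload string (decoding itself needs an image library and is not shown), classifies the payload, and applies the kinds of URL checks the list names: scheme, hidden userinfo in the authority, IP-literal and punycode hosts, reputation, and domain age. The reputation set, domain-age table, and premium-rate prefixes are constructed stand-ins for the live feeds a gateway would query, and all hostnames are fictitious.

```python
from urllib.parse import urlsplit, unquote
import ipaddress

# Constructed stand-ins for URL reputation and domain-age feeds.
KNOWN_BAD_HOSTS = {"m1crosoft-login.example"}
DOMAIN_AGE_DAYS = {"microsoft.com": 10000, "partner.example": 2000, "qr-login.example": 3}
MIN_DOMAIN_AGE_DAYS = 30
# Premium-rate prefixes on the digit string (country code first). Constructed subset.
PREMIUM_PREFIXES = ("1900", "4490", "4491")


def vet_url(url: str) -> list[str]:
    """Reasons a URL fails vetting; an empty list means it passed."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        return [f"scheme:{parts.scheme}"]
    if parts.username is not None:
        # https://microsoft.com@evil.example/ reads as microsoft.com to the eye
        reasons.append("userinfo-in-authority")
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal-host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode-host")
    if host in KNOWN_BAD_HOSTS:
        reasons.append("reputation:bad")
    domain = ".".join(host.rsplit(".", 2)[-2:])  # naive registrable-domain guess
    age = DOMAIN_AGE_DAYS.get(domain)
    if age is None:
        reasons.append("domain-age:unknown")
    elif age < MIN_DOMAIN_AGE_DAYS:
        reasons.append(f"domain-age:{age}d")
    return reasons


def _verdict(kind: str, reasons: list[str]) -> dict:
    return {"kind": kind, "action": "remove" if reasons else "keep", "reasons": reasons}


def vet_payload(payload: str) -> dict:
    """Classify a decoded QR payload and decide whether the code stays in the mail."""
    p = payload.strip()
    scheme = urlsplit(p).scheme.lower()
    if scheme in ("http", "https"):
        return _verdict("url", vet_url(p))
    if scheme == "tel":
        digits = "".join(ch for ch in unquote(p[4:]) if ch.isdigit())
        return _verdict("tel", ["premium-rate"] if digits.startswith(PREMIUM_PREFIXES) else [])
    if scheme:
        # sms:, mailto:, wifi:, ftp:, app schemes: the phone acts on these immediately,
        # which is never something an email should be able to trigger.
        return _verdict(scheme, [f"scheme:{scheme}"])
    if "." in p and " " not in p:
        # Bare domain: phone scanners open it as a URL, so vet it as one.
        return _verdict("url", vet_url("https://" + p))
    return _verdict("text", [])  # plain text is left to the DLP rules


if __name__ == "__main__":
    # Constructed payloads as a QR decoder would hand them over.
    for payload in [
        "https://microsoft.com/login",
        "https://microsoft.com@m1crosoft-login.example/verify",
        "https://qr-login.example/auth",
        "http://203.0.113.5/qr",
        "tel:+1-900-555-0100",
        "WIFI:T:WPA;S:guest;P:secret;;",
        "Company Confidential",
    ]:
        print(payload, "->", vet_payload(payload))
```

Treating an unknown domain age as a failure is a policy choice, not a bug: for a QR code, which already bypassed the body URL scanners, the safer default is to strip what cannot be vetted. Plain-text payloads such as "Company Confidential" pass this stage and fall through to content rules, which is what Example 1 above shows.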
Data Hidden Within Images
This last threat is related to QR code scams but not the same: here the image itself carries the payload. With the right tooling it is straightforward to detect, yet it remains difficult for the bulk of industry-standard email security solutions to catch.
Hiding malicious code within image or video files falls under the umbrella of steganography, although the hidden information doesn't have to be “bad” to fit the definition. In these particular cases, however, it generally is. Fortra uses steganalysis (steganography-detection) tools to dive into these images, probing the file structure for unexpected data. Image formats have “pockets” where attackers can insert data: metadata chunks, padding, and the space after the end-of-image marker that viewers never read. Steganalysis tools find that data and expose it.
For example, you might have an innocuous-looking file that appears to do very little, but once the hidden payload is extracted from the image it becomes weaponized. The payload could be new code, or a URL to a hosted file that is retrieved and executed.
When an infected image comes in, even if it is only suspicious, Fortra Email Security immediately deconstructs it, keeps the essential data that makes up the picture, discards any spurious or suspect data, and reconstructs a freshly sanitized image, all in under a second.
In other words, Fortra transforms the file into a new version of the image. Any data that was “hidden” is left behind, and the recipient receives only the clean image data.
Conclusion
There are subtle malicious tactics today that traditional cybersecurity tools simply cannot catch. Advanced email security capabilities like those found in Fortra Email Security are the answer to many of these modern issues.
Leveraging solutions like integrated cloud email security (ICES), secure email gateway (SEG), deep content inspection, and more, Fortra Email Security supports organizations with the capabilities they need to complement and strengthen their user awareness efforts and stay one step ahead of threats.
Learn how to combat malware in the cloud.
Explore Fortra’s Cloud Email Security Solution for advanced phishing and BEC detection across public and private cloud environments.