Phishers Use Blank Images to Disguise Malicious Attachments

Security researchers have spotted another innovative technique phishing actors are using to bypass traditional security filters – this time using blank images.
The email in question was detected by Check Point business Avanan, and arrived as a legitimate-looking DocuSign message.
Although the link in the email body will take the user directly to a regular DocuSign page, the HTML attachment at the bottom was more suspect.
The HTML file in question contained an SVG image encoded with Base64.
“At the core, this is an empty image with active content inside. In fact, there’s JavaScript inside the image. This redirects automatically to the malicious URL,” said Avanan.
“Essentially, the hackers are hiding the malicious URL inside an empty image to bypass traditional scanning services.”
Clicking on the link would automatically take the user to a malicious site.
“This is an innovative way to obfuscate the true intent of the message,” the security vendor concluded.
“It bypasses VirusTotal and doesn’t even get scanned by traditional Click-Time Protection. By layering obfuscation upon obfuscation, most security services are helpless against these attacks.”
It can be seen as a variation on a previous “MetaMorph” attack spotted by Avanan several years ago, in which phishing actors use “meta refresh” to redirect the user from the HTML attachment hosted locally to a phishing page on the public internet. A meta refresh is functionality that instructs a web browser to automatically refresh the current web page after a given time interval.
To mitigate the threat, security admins are urged to be suspicious of, or outright block, HTML or .htm attachments in any inbound emails – treating them effectively like executables.
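For mail pipelines that cannot block HTML attachments outright, the following added example (not code from Avanan or from this article) shows a content check: it decodes Base64 runs inside an HTML attachment and flags any decoded SVG that carries script, and it also flags the meta-refresh redirect used by the earlier MetaMorph variant. The function names, the 40-character threshold and the sample attachments are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Runs of Base64 long enough to hold markup (the threshold is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Active content inside SVG: <script>, inline event handlers, javascript: URLs.
ACTIVE_SVG = re.compile(r"<script\b|\son\w+\s*=|javascript:", re.I)
META_REFRESH = re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I)


def decode_candidates(html: str):
    """Yield the text decoded from each Base64 run found in the attachment."""
    for match in B64_RUN.finditer(html):
        blob = match.group(0)
        blob += "=" * (-len(blob) % 4)  # repair stripped padding
        try:
            decoded = base64.b64decode(blob).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not valid Base64 after all
        yield decoded


def scan_html_attachment(html: str) -> list[str]:
    """Return a list of findings for an HTML/.htm attachment body."""
    findings = []
    if META_REFRESH.search(html):
        findings.append("meta-refresh redirect")
    for decoded in decode_candidates(html):
        if "<svg" in decoded.lower() and ACTIVE_SVG.search(decoded):
            findings.append("Base64 SVG with active content")
    return findings


def _wrap(svg: bytes) -> str:
    """Build a constructed sample attachment embedding the SVG as Base64."""
    b64 = base64.b64encode(svg).decode()
    return f'<html><body><embed src="data:image/svg+xml;base64,{b64}"></body></html>'


# Constructed samples; the script body is a placeholder, not a real redirect.
SAMPLE_BLANK_IMAGE = _wrap(
    b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* placeholder */</script></svg>')
SAMPLE_BENIGN = _wrap(
    b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"></svg>')
SAMPLE_META = ('<html><head><meta http-equiv="refresh" '
               'content="0; url=https://example.invalid/"></head></html>')
```

A finding from `scan_html_attachment` is a reason to quarantine the message for review; an empty list does not make an HTML attachment safe, since the Base64 may be split or built at runtime.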