Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware


A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IcedID info-stealing malware onto infected machines, making use of unpatched and publicly exposed Microsoft Exchange servers.

"The emails used a social engineering technique called conversation hijacking, also known as thread hijacking," Israeli company Intezer said in an article shared with The Hacker News. "A forged reply to a previous stolen email is being used as a way to convince the recipient to open the attachment. This is notable because it increases the credibility of the phishing email and may cause a high infection rate."

The latest wave of attacks, discovered in March 2022, is believed to have targeted companies in the energy, legal, and pharmaceutical industries.

IcedID, aka BokBot, like its counterparts TrickBot and Emotet, is a banking trojan that has evolved to become an entry point for more sophisticated threats, including human-operated ransomware and the Cobalt Strike adversary simulation tool.

It can connect to remote servers and download next-stage malware and tools. This allows attackers to perform follow-on actions and then move laterally through affected networks in order to spread additional malware.


In June 2021, enterprise security firm Proofpoint disclosed an evolving tactic in the cybercrime landscape wherein initial access brokers were observed infiltrating target networks via first-stage malware payloads such as IcedID to deploy Egregor, Maze, and REvil ransomware payloads.

While earlier IcedID campaigns have taken advantage of website contact forms to send malware-laced links to organizations, the current version of the attacks banks on vulnerable Microsoft Exchange servers to send the lure emails from a hijacked account, indicating a further evolution of the social engineering scheme.

"The payload also shifted away from Office documents to use ISO files with Windows LNK and DLL files," researchers Ryan Robinson and Joakim Kennedy said. "The use of ISO files allows the threat actor to bypass the Mark-of-the-Web controls, resulting in execution of the malware without warning to the user."

The idea behind the phishing emails is to use the victim's own email address to craft a fake reply to an existing email thread.
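The two indicators described above, a reply forged into an existing thread and an ISO container attached in place of an Office document, can be combined into a simple mail-gateway triage check. The following is example code added for this page, not Intezer's or The Hacker News's; the sample message, its addresses and message IDs are constructed, and `triage_message` and `CONTAINER_EXTENSIONS` are names chosen here.

```python
import email
from email import policy

# The campaign described above replaced Office attachments with .iso containers
# holding LNK and DLL files; files mounted from a container carry no Mark-of-the-Web.
CONTAINER_EXTENSIONS = (".iso", ".img")


def triage_message(raw: str) -> dict:
    """Return the indicators found in one raw message; 'suspicious' is set when
    the message is a reply into an existing thread AND carries a container file."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    # Threading headers plus a "Re:" subject identify a reply, as in a hijacked thread.
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References")) and \
        subject.lower().startswith("re:")
    containers = [
        part.get_filename()
        for part in msg.iter_attachments()
        if part.get_filename() and part.get_filename().lower().endswith(CONTAINER_EXTENSIONS)
    ]
    return {
        "is_reply": is_reply,
        "container_attachments": containers,
        "suspicious": is_reply and bool(containers),
    }


# Constructed sample message (hypothetical addresses and IDs), not from the campaign.
SAMPLE_HIJACKED_REPLY = """\
From: Alice Example <alice@example.com>
To: bob@example.net
Subject: Re: Q1 invoice
In-Reply-To: <msg-001@example.net>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Bob, the corrected invoice is attached.
--b1
Content-Type: application/octet-stream; name="invoice.iso"
Content-Disposition: attachment; filename="invoice.iso"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

# Same thread, but with a document attachment: a reply, yet not flagged.
SAMPLE_BENIGN_REPLY = SAMPLE_HIJACKED_REPLY.replace("invoice.iso", "invoice.pdf")
```

Call `triage_message(SAMPLE_HIJACKED_REPLY)` to see the flagged result and the benign variant to confirm the check keys on the combination, not on reply headers alone.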

"The use of conversation hijacking is a powerful social engineering technique that can increase the rate of a successful phishing attempt," the researchers concluded. "This approach makes the email appear more genuine and it is sent through normal channels, which may also contain security products."
