Email Attachment File Extension Blind Spot

October 18, 2019

In 2019, most cyberattacks are launched through email; 91% of all advanced threats originate with an email. That trend will only continue now that a new blind spot in email security has been identified.

CERT researcher Will Dormann has published an attack vector that you should act on immediately. Now that the technique is public, attackers will move quickly to use it before organizations learn of it and put preventative measures in place. Mr. Dormann provides a very detailed explanation of the attack vector here, along with solutions to remediate the blind spot. In summary, Mr. Dormann wrote, “from a user experience perspective, starting with Windows 8, virtual hard drive files with the extensions VHD and VHDX can have a function similar to ZIP files.” He found that these files can be used to deliver a malicious file as an email attachment because anti-virus solutions, including Windows Defender, do not scan the files contained within a VHD or VHDX file; Windows Defender is intentionally configured to ignore these file extensions. In addition, email gateway solutions are typically not configured by default to block these attachments. A short video demonstrating the attack can be found here.

In addition to Mr. Dormann’s recommendations for remediating the blind spot, the FireEye Endpoint Security (HX) solution can be used to detect a user clicking on a VHD or VHDX attachment. As described in my previous blog post, you can create your own custom HX detections that alert on potentially malicious activity using HXTool.

To configure the rule, you need HXTool installed and integrated with your HX instance. In the HXTool console, create the following rule, called VHD File Download, as two separate conditions:

        Condition 1 (both must match):
            fileWriteEvent/fullPath ends-with .vhd
            fileWriteEvent/fullPath contains outlook

        Condition 2 (both must match):
            fileWriteEvent/fullPath ends-with .vhdx
            fileWriteEvent/fullPath contains outlook

If either of the two conditions is met, an HX alert is generated. Two conditions are needed because a path that ends with .vhdx does not end with .vhd. The outlook term limits the alert to a user opening the file as an email attachment: when a user opens an attachment from a message, Outlook writes it to its Content.Outlook temporary folder under the user’s profile, so the full path contains “Outlook”. An attachment the user first saves elsewhere, or one opened from webmail or another mail client, will not match. If you want the rule to fire whenever a user opens a VHD or VHDX file anywhere, remove the lines containing outlook, but expect some false alerts from legitimate activity, such as Hyper-V administration.
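To check that the rule is grouped the way you intend before relying on it, the following script re-implements its logic (AND within a condition, OR across conditions) and runs it over constructed sample file-write paths. This is an added example, not HXTool or FireEye code; the path samples are made up, and it assumes path matching is case-insensitive, which you should confirm against your HX version. It also shows what happens if all four lines are entered as a single condition: no path can end with both .vhd and .vhdx, so such a rule never fires.

```python
"""
Offline check of the "VHD File Download" rule logic.
Added example: mirrors HX's ends-with / contains operators in plain Python;
it is not the HX matcher itself.
"""

# Each condition is a list of (operator, value) tests that must ALL match;
# the rule fires when ANY condition matches. This is the grouping intended
# by the two-condition rule in the post.
RULE = {
    "name": "VHD File Download",
    "conditions": [
        [("ends-with", ".vhd"), ("contains", "outlook")],
        [("ends-with", ".vhdx"), ("contains", "outlook")],
    ],
}


def _test(op, value, path):
    # Assumption: matching is case-insensitive, as Windows paths are.
    p, v = path.lower(), value.lower()
    if op == "ends-with":
        return p.endswith(v)
    if op == "contains":
        return v in p
    raise ValueError(f"unsupported operator {op!r}")


def rule_matches(rule, full_path):
    """True if a fileWriteEvent with this fullPath would raise the rule."""
    return any(
        all(_test(op, val, full_path) for op, val in cond)
        for cond in rule["conditions"]
    )


def evaluate(rule, paths):
    """Run the rule over a list of paths; returns [(path, fired), ...]."""
    return [(p, rule_matches(rule, p)) for p in paths]


def without_outlook_term(rule):
    """The widened rule from the post: drop the outlook term from each condition."""
    return {
        "name": rule["name"] + " (any path)",
        "conditions": [
            [t for t in cond if t != ("contains", "outlook")]
            for cond in rule["conditions"]
        ],
    }


def flattened_single_condition(rule):
    """The mis-entered rule: all four tests ANDed in one condition.
    A path cannot end with both .vhd and .vhdx, so this never fires."""
    return {
        "name": rule["name"] + " (single condition, broken)",
        "conditions": [[t for cond in rule["conditions"] for t in cond]],
    }


# Constructed sample fileWriteEvent paths (not real telemetry).
# Outlook writes opened attachments under its Content.Outlook temp folder,
# which is what the 'contains outlook' term keys on.
OUTLOOK_TMP = r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\8QZ3KL2E"
SAMPLE_EVENTS = [
    OUTLOOK_TMP + r"\invoice.vhd",                  # attachment opened from Outlook
    OUTLOOK_TMP + r"\Invoice.VHDX",                 # same, upper-case extension
    r"C:\Users\alice\Downloads\invoice.vhd",        # browser download: no 'outlook'
    r"C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Hard Disks\srv01.vhdx",  # admin work
    OUTLOOK_TMP + r"\notes.vhd.txt",                # extension is .txt, must not fire
]

if __name__ == "__main__":
    for r in (RULE, without_outlook_term(RULE), flattened_single_condition(RULE)):
        print(f"== {r['name']}")
        for path, fired in evaluate(r, SAMPLE_EVENTS):
            print(f"  {'ALERT ' if fired else 'ignore'}  {path}")
```

Running it shows the two-condition rule alerting only on the two Outlook paths, the widened rule also alerting on the Downloads and Hyper-V paths (the false-alert source the post warns about), and the single-condition version alerting on nothing.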

FireEye Endpoint Security can also be integrated with a solution such as Demisto, Forescout or Helix to automatically contain any device on which a user has clicked on a VHD or VHDX attachment. It only takes one user clicking on one attachment to breach the network if nothing is in place to stop the attack.

If you need an email threat assessment, a next-generation email gateway, or an endpoint solution to stop advanced threats, contact me: How can Castle Ventures help you?