What tools do hackers use to weaponize emails?

by Egress
Published on 2nd Sep 2022

Email attacks have become one of the key ways for hackers to target organizations and individuals. The sheer number of tools available has made it easier than ever for non-technical cybercriminals to launch sophisticated cyber attacks. As a result, many resources are available for each stage of the kill chain – from reconnaissance to delivery to weaponization.

Our recent report, ‘How to turn a hacker’s toolkit against them,’ discusses the full journey of how hackers use sophisticated toolkits to trick people into handing over sensitive information. 

This article focuses on the second stage of the cyber kill chain – weaponization.

Sophisticated tools are making it easier for hackers to steal information

Once hackers have chosen their victims, they often rely on tools, created by experts, that help them build spoofs of secure, trusted websites. These trick users into entering sensitive information, which the hackers can then exploit.

Some of the most popular techniques that hackers use to steal information include:

HTML obfuscation techniques

These add variation to the page's code to hide what it does and to avoid detection. In 2021, Microsoft reported that during its year-long investigation of a targeted, invoice-themed XLS.HTML phishing campaign, the attackers changed their obfuscation and encryption mechanisms every 37 days on average. This suggests that attackers update their tactics as often as security and protection technologies do.
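As an added example (not Egress's or Microsoft's code), the following Python script scores an HTML attachment for the kind of indicators described above: runtime decoding calls, character-code string building, long base64 blobs, runs of escaped bytes and high character entropy. The indicator list, weights, thresholds and the two sample attachments are constructed for illustration and would need tuning against real mail flow.

```python
import base64
import math
import re
from collections import Counter

# Constructs phishing kits use to rebuild a page at runtime instead of shipping
# readable HTML. Regexes and weights are constructed for this example.
INDICATORS = {
    "runtime_decode":   (re.compile(r"\b(?:atob|unescape|decodeURIComponent)\s*\(", re.I), 2),
    "charcode_build":   (re.compile(r"String\.fromCharCode\s*\(", re.I), 2),
    "dynamic_eval":     (re.compile(r"\b(?:eval|Function)\s*\(|document\.write\s*\(", re.I), 3),
    "escaped_run":      (re.compile(r"(?:\\x[0-9a-f]{2}){8,}|(?:\\u[0-9a-f]{4}){8,}|(?:%[0-9a-f]{2}){8,}", re.I), 2),
    "long_base64_blob": (re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 2),
    "string_mangling":  (re.compile(r"\.split\(['\"]{2}\)\.reverse\(\)\.join\(['\"]{2}\)|(?:\.replace\([^)]*\)){3,}"), 2),
}
ENTROPY_THRESHOLD = 5.2   # bits per character; plain HTML with English text sits around 4.5-5.0
ENTROPY_WEIGHT = 2
VERDICT_THRESHOLD = 5     # assumed cut-off; tune on real mail flow


def shannon_entropy(text: str) -> float:
    """Bits per character of text; encoded payloads push this up."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def score_html(html: str) -> dict:
    """Count indicator hits, add an entropy bonus and return a weighted verdict."""
    hits, score = {}, 0
    for name, (rx, weight) in INDICATORS.items():
        count = len(rx.findall(html))
        if count:
            hits[name] = count
            score += weight * min(count, 3)   # cap so one repeated trick does not dominate
    entropy = shannon_entropy(re.sub(r"\s+", "", html))
    if entropy > ENTROPY_THRESHOLD:
        hits["high_entropy"] = round(entropy, 2)
        score += ENTROPY_WEIGHT
    if score >= VERDICT_THRESHOLD:
        verdict = "likely obfuscated"
    elif score:
        verdict = "review"
    else:
        verdict = "no obfuscation indicators"
    return {"indicators": hits, "entropy": round(entropy, 2), "score": score, "verdict": verdict}


# Constructed sample attachments, not artifacts from any real campaign.
BENIGN_HTML = """<!doctype html>
<html><head><title>Invoice 10492</title></head>
<body>
<h1>Invoice 10492</h1>
<p>Thank you for your order. Your invoice for August is attached as a PDF.</p>
<table><tr><td>Item</td><td>Amount</td></tr>
<tr><td>Licence renewal</td><td>120.00</td></tr></table>
<p>Questions? Reply to this email.</p>
</body></html>
"""

_PAYLOAD_B64 = base64.b64encode(b"placeholder payload bytes for the example " * 8).decode()

OBFUSCATED_HTML = f"""<html><body>
<script>
var p = "{_PAYLOAD_B64}";
var d = atob(p).split('').reverse().join('');
var e = unescape("%3c%64%69%76%3e%68%65%6c%6c%6f%3c%2f%64%69%76%3e");
document.write(d + e + String.fromCharCode(60, 47, 98, 111, 100, 121, 62));
</script>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_HTML), ("obfuscated", OBFUSCATED_HTML)):
        print(label, score_html(sample))
```

A scorer like this belongs at the mail gateway, run over HTML attachments before the user opens them. Because kits rotate their obfuscation (the 37-day figure above), the indicator set should be reviewed against recent samples rather than frozen.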

IP address blocklists and user-agent blocking

These are designed to block security programs and known security crawlers from scanning the page for threats. 

Use of compromised or legitimate sites for hosting

This is designed to trick targets into thinking that they are entering their information into a legitimate website. Once they have entered their information, it’s sent to the cybercriminals.

How spoof websites help hackers to steal sensitive information

Spoof websites are essentially fake pages that mimic trusted websites and prompt people to enter sensitive information. Once they’ve fallen for it and submitted their information, it’ll be forwarded to the hackers, who can then use it to log into accounts. 

Meanwhile, people will be redirected to a legitimate website, where they’ll be prompted to re-enter their information. It’s typically too late when they realize that they’ve entered their information into a fake website. 

Even though spoofed websites look very similar to the legitimate sites they emulate, they sit on a different URL. However, that URL is often so similar to the legitimate website's that it's difficult to spot. Many cybercriminals trick people by hosting their websites in Microsoft Azure to make it look like the website is hosted on a Microsoft domain.
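The lookalike check described above can be automated. The following Python function, added here as an example and not the logic of Egress Defend or Microsoft Safe Links, flags a link whose host contains a protected brand name under an unrelated domain, is within a small edit distance of one (after undoing digit and "rn"-for-"m" style substitutions), hides the real host behind URL userinfo, or sits under a shared cloud-hosting suffix such as azurewebsites.net, the Azure case the article mentions. The protected domains, brand tokens and suffix list are constructed for the example, and the registrable-domain split is a two-label approximation that ignores multi-part suffixes such as co.uk.

```python
import re
from urllib.parse import urlsplit

# Constructed protection list for the example; an organisation maintains its own.
PROTECTED_DOMAINS = {"microsoft.com", "office.com", "live.com"}
BRAND_TOKENS = {"microsoft", "office", "outlook", "onedrive", "sharepoint"}
# Shared cloud-hosting suffixes under which anyone can register a subdomain (assumed list).
SHARED_HOSTING_SUFFIXES = ("azurewebsites.net", "blob.core.windows.net", "web.core.windows.net")
# Visual look-alikes that get substituted for real letters; undone before comparison.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"))
MAX_EDIT_DISTANCE = 2


def normalize(token: str) -> str:
    token = token.lower()
    for lookalike, real in CONFUSABLES:
        token = token.replace(lookalike, real)
    return token


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str):
    """Return (registrable domain, shared suffix or None).
    Two-label approximation: ignores multi-part public suffixes such as co.uk."""
    for suffix in SHARED_HOSTING_SUFFIXES:
        if host.endswith("." + suffix):
            tenant = host[: -len(suffix) - 1].split(".")[-1]
            return f"{tenant}.{suffix}", suffix
    return ".".join(host.split(".")[-2:]), None


def assess_url(url: str) -> dict:
    """Report lookalike indicators for the host part of a link."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    findings = []
    if "@" in parts.netloc:
        findings.append("userinfo before '@' hides the real host")
    reg, shared = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        verdict = "suspicious" if findings else "protected domain"
        return {"host": host, "registrable": reg, "findings": findings, "verdict": verdict}
    for tok in (normalize(t) for t in re.split(r"[.\-]", host) if t):
        if tok in BRAND_TOKENS:
            findings.append(f"brand token '{tok}' under unrelated domain {reg}")
        elif len(tok) >= 5:   # short tokens produce too many near-misses
            for brand in BRAND_TOKENS:
                if levenshtein(tok, brand) <= MAX_EDIT_DISTANCE:
                    findings.append(f"'{tok}' is within edit distance {MAX_EDIT_DISTANCE} of '{brand}'")
    if shared:
        findings.append(f"hosted under shared cloud suffix {shared}")
    verdict = "suspicious" if findings else "no lookalike indicators"
    return {"host": host, "registrable": reg, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    # Constructed test links; none of these hosts are real phishing pages.
    for link in ("https://login.microsoft.com/common/oauth2",
                 "https://login-micros0ft.azurewebsites.net/signin",
                 "https://rnicrosoft-login.com/",
                 "https://micosoft.com/",
                 "https://login.microsoft.com@evil.example/",
                 "https://example.org/newsletter"):
        print(link, "->", assess_url(link)["verdict"])
```

The shared-suffix finding is deliberately unconditional: a page under a tenant-controlled Azure hostname is not on Microsoft's own domain, which is exactly the distinction the article says victims miss.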

Tools are also helping criminals to steal multi-factor authentication (MFA) tokens

MFA provides an extra layer of security to help protect a user’s data. According to Microsoft, MFA can block over 99.9% of account compromise attacks. 

However, an increasing number of freely available tools help hackers steal these MFA tokens through sophisticated social engineering attacks.

The most common way for hackers to steal MFA tokens is by directing people to a spoof website that’s designed almost identically to the original website and has a very similar domain name.

The website prompts people to log in with their username and password and also requests their MFA token. This information is forwarded to the hackers, who can use it to log into people's accounts.
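Once a captured password and MFA code are used, the sign-in that reaches the real identity provider comes from the attacker's infrastructure, not from the victim's usual location. The following Python script, added as an example and not part of the original article, builds a per-user baseline of (country, ASN) pairs from older successful sign-ins and alerts on recent successful sign-ins that break it, adding an impossible-travel reason when another success from a different country falls within an hour. The sign-in records and their field names are constructed (documentation IP ranges, reserved ASNs) and would be mapped to your identity provider's sign-in log schema; severity is raised when the MFA method is a code or approval that a relay page can forward in real time.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sign-in events (documentation IP ranges, reserved ASNs). Field
# names are assumed for the example and should be mapped to your IdP's schema.
SIGNIN_LOG = """\
{"ts":"2022-08-01T08:02:11Z","user":"a.nguyen","ip":"203.0.113.10","country":"GB","asn":"AS64496","result":"success","mfa":"otp"}
{"ts":"2022-08-03T09:14:40Z","user":"a.nguyen","ip":"203.0.113.10","country":"GB","asn":"AS64496","result":"success","mfa":"otp"}
{"ts":"2022-08-10T18:30:05Z","user":"a.nguyen","ip":"198.51.100.7","country":"GB","asn":"AS64497","result":"success","mfa":"otp"}
{"ts":"2022-08-02T07:55:00Z","user":"b.okafor","ip":"192.0.2.44","country":"NL","asn":"AS64500","result":"success","mfa":"fido2"}
{"ts":"2022-08-12T12:01:30Z","user":"b.okafor","ip":"192.0.2.44","country":"NL","asn":"AS64500","result":"success","mfa":"fido2"}
{"ts":"2022-08-30T10:20:09Z","user":"a.nguyen","ip":"203.0.113.10","country":"GB","asn":"AS64496","result":"success","mfa":"otp"}
{"ts":"2022-08-30T10:21:47Z","user":"a.nguyen","ip":"192.0.2.199","country":"US","asn":"AS64511","result":"success","mfa":"otp"}
{"ts":"2022-08-30T11:05:00Z","user":"b.okafor","ip":"192.0.2.88","country":"DE","asn":"AS64505","result":"failure","mfa":"none"}
{"ts":"2022-08-31T09:00:00Z","user":"b.okafor","ip":"192.0.2.44","country":"NL","asn":"AS64500","result":"success","mfa":"fido2"}
"""

# MFA methods whose code or approval a proxy page can forward in real time.
RELAYABLE_MFA = {"otp", "sms", "push"}
NOW = datetime(2022, 9, 1, tzinfo=timezone.utc)   # fixed clock so the example is reproducible


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def build_baselines(events: list, cutoff: datetime) -> dict:
    """Per-user set of (country, ASN) pairs seen on successful sign-ins before cutoff."""
    baselines = {}
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            baselines.setdefault(e["user"], set()).add((e["country"], e["asn"]))
    return baselines


def detect(events: list, now: datetime, lookback_days: int = 7,
           travel_window: timedelta = timedelta(hours=1)) -> list:
    cutoff = now - timedelta(days=lookback_days)
    baselines = build_baselines(events, cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff or e["result"] != "success":
            continue
        seen = baselines.get(e["user"], set())   # empty for a user with no history: every sign-in alerts
        if (e["country"], e["asn"]) in seen:
            continue
        reasons = []
        if e["country"] not in {c for c, _ in seen}:
            reasons.append("new country")
        if e["asn"] not in {a for _, a in seen}:
            reasons.append("new ASN")
        if not reasons:
            reasons.append("new country/ASN combination")
        # Impossible travel: another success for the same user from a different country inside the window.
        for o in events:
            if (o is not e and o["user"] == e["user"] and o["result"] == "success"
                    and o["country"] != e["country"] and abs(o["ts"] - e["ts"]) <= travel_window):
                minutes = int(abs(o["ts"] - e["ts"]).total_seconds() // 60)
                reasons.append(f"success from another country ({o['country']}) {minutes} min apart")
                break
        severity = "high" if e["mfa"] in RELAYABLE_MFA else "medium"
        alerts.append({"user": e["user"], "ts": e["ts"].isoformat(), "ip": e["ip"],
                       "country": e["country"], "asn": e["asn"], "mfa": e["mfa"],
                       "severity": severity, "reasons": reasons})
    return alerts


def run_demo() -> list:
    return detect(parse_events(SIGNIN_LOG), NOW)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the constructed log the only alert is the US sign-in for a.nguyen, a minute after a sign-in from the user's usual UK location, with a relayable OTP factor. A failed attempt and a sign-in inside the baseline produce nothing, which keeps the rule quiet enough to act on.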

How to defend against weaponization

Given how quickly cybercriminals update their tools, it’s becoming increasingly difficult to defend against weaponization techniques – especially when it comes to complex social engineering attacks. 

The standardized email and web security solutions that most organizations have learned to rely on are no longer enough. 

Specialized software such as Microsoft Defender ATP Safe Links can help people to identify pages that are likely to have been created using phishing kits. This should be augmented with specialized software such as Egress Defend, an intelligent link inspection technology that can learn about the composition of bad links. 

Discover the full hacker’s toolkit

Weaponization is just one of the steps in the kill chain. Learn how attackers use the hacker’s toolkit to gather private information on their targets and evade security in the full report. Download yours for free.