A new attack uses an invisible image to hide JavaScript code in emails. The technique allows the victim to be redirected to a compromised site without being detected by the computer’s security software.
Pay attention to the attachments of your e-mails. Avanan, an email security specialist, has just discovered a new email cyberattack that manages to bypass filters and antivirus software through the use of a blank image.
The email pretends to be a message sent by DocuSign, a service widely used by companies that lets users sign documents electronically. The content of the message seems legitimate, and even the button to access the document really does point to the DocuSign site. The attack is in an attachment in .htm (HTML) format.
The HTML file contains a few lines of code, including an image in SVG vector format that is not in a separate file. Its content is included directly in the HTML code and encoded in Base64 in order to bypass filters and antivirus software. Once decoded, the image contains JavaScript that redirects the victim’s browser to another page, used to infect the computer with malware or carry out a phishing attack.
The user therefore risks nothing by clicking on the link in the message. The attack depends entirely on the victim being curious enough to open the attachment. According to Avanan, even VirusTotal, which combines more than 70 antivirus products in its scans, fails to detect the malicious code. The cybersecurity company advises all users to be wary of attachments in HTML format, and simply recommends that administrators block such attachments as well as executable files.
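For mail administrators who cannot block HTML attachments outright, the following added example (not Avanan's code or part of the original article) shows one way to inspect them: it decodes every inline Base64 SVG image in an attachment and flags active content that a static picture has no reason to carry. The function name, the pattern list and both sample attachments are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Inline SVG images embedded as data URIs: data:image/svg+xml;base64,<payload>
DATA_URI = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)", re.I)

# Active content that has no place in a static image (assumed rule set).
ACTIVE = {
    "script element": re.compile(rb"<\s*script\b", re.I),
    "event handler": re.compile(rb"\son\w+\s*=", re.I),
    "javascript: URL": re.compile(rb"javascript\s*:", re.I),
}


def scan_html_attachment(html: str) -> list[dict]:
    """Return one finding per inline Base64 SVG that carries active content."""
    findings = []
    for match in DATA_URI.finditer(html):
        try:
            svg = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            # A payload that will not decode is itself worth a second look.
            findings.append({"offset": match.start(), "reasons": ["undecodable Base64"]})
            continue
        reasons = [name for name, rx in ACTIVE.items() if rx.search(svg)]
        if reasons:
            findings.append({"offset": match.start(), "reasons": reasons})
    return findings


def _as_attachment(svg: bytes) -> str:
    """Wrap an SVG in a minimal HTML page as an inline Base64 image."""
    b64 = base64.b64encode(svg).decode("ascii")
    return f'<html><body><img src="data:image/svg+xml;base64,{b64}"></body></html>'


# Constructed samples: an empty 1x1 image, and one carrying a placeholder script.
SAMPLE_BENIGN = _as_attachment(
    b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"></svg>')
SAMPLE_SUSPICIOUS = _as_attachment(
    b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* placeholder */</script></svg>')

if __name__ == "__main__":
    for label, html in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, scan_html_attachment(html))
```

The check works on the decoded bytes, so it does not depend on a scanner recognising the Base64 text itself.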