Exploring Email Defense Tactics with delivr.to and Sublime Security

Mino Kim
4 min read · Apr 25, 2023


This article outlines my approach to learning about email attacks and defense techniques, using delivr.to and Sublime Security as interactive tools.

  • delivr.to hosts 500+ email attack payloads, each with a description, references, and the payload file itself for download. Useful for learning what kinds of payloads actually show up in email attacks.
  • Sublime Security is an email detection and prevention platform that publishes its detection rules as open source. Useful for learning what defensive measures are taken against those same email attacks.

We’ll use Sublime Security’s Playground (a sandbox for testing rules against messages) to get hands-on and see the defensive measures in action.

MQL (Message Query Language) is the language Sublime Security detection rules are written in, so you’ll want to understand how it works before going further. I recommend reading this blog post.

Workflow

  1. Choose and download a payload from delivr.to. Read the description and references, and move forward when you have at least a high-level understanding of what the payload is doing.
  2. Find a matching detection rule. For example, I’d expect Parse-Outlook.xls (.xls with embedded VBA) to trigger the attachment_suspicious_vba_macro detection rule.
  3. Open Sublime Playground, copy and paste the corresponding detection rule from GitHub into the rules section, then create an .eml file with the payload attached. The other parts of the .eml, such as the sender display name or subject line, don’t matter here because the focus is the payload itself. Hit “Test Rule” and confirm the message flags against the rule.
  4. Refer to the docs and learn what the MQL functions are doing behind the scenes.
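As an added illustration of step 3 (my code, not delivr.to’s or Sublime Security’s), here is a small Python script that wraps a downloaded payload in a minimal .eml and parses it back to confirm the attachment survived intact. The sender, recipient, subject and function names are placeholders chosen for this example.

```python
import email
import email.policy
from email.message import EmailMessage


def build_eml(payload: bytes, filename: str, subject: str = "Test payload") -> bytes:
    """Wrap a downloaded payload in a minimal RFC 5322 message.

    The sender, recipient and subject are placeholders (assumption for this
    example): the attachment rules in this article only look at attachments.
    """
    msg = EmailMessage(policy=email.policy.SMTP)
    msg["From"] = "sender@example.com"
    msg["To"] = "analyst@example.com"
    msg["Subject"] = subject
    msg.set_content("See attached.")
    # application/octet-stream keeps the test independent of the local
    # mimetypes database; the rules key off extension and detected file type.
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def list_attachments(eml: bytes) -> list[tuple[str, bytes]]:
    """Parse an .eml back and return (filename, raw bytes) per attachment,
    a quick sanity check that the Playground will see the file you intended."""
    msg = email.message_from_bytes(eml, policy=email.policy.default)
    return [(part.get_filename(), part.get_payload(decode=True))
            for part in msg.iter_attachments()]


if __name__ == "__main__":
    import sys
    # usage: python build_eml.py Parse-Outlook.xls > payload.eml
    with open(sys.argv[1], "rb") as fh:
        sys.stdout.buffer.write(build_eml(fh.read(), sys.argv[1]))
```

Run it against the payload you downloaded and upload the resulting .eml in the Playground; the round-trip check catches the usual mistakes (a text-mode read that mangled the bytes, or a filename that lost its extension).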

Example 1: OneNote attachments

Email attacks involving OneNote files are trending, so let’s use cancellation.one as our first example.

@pr0xylife is often referenced in delivr.to payloads. Their tweets can read as cryptic if you’re unfamiliar with malware analysis; the delivr.to description is higher-level and makes a good starting point.

Sublime Security’s OneNote commands detection rule seems likely to flag on our payload.

name: "Attachment: Malicious OneNote Commands"
description: |
  Scans for OneNote attachments that contain suspicious commands that may indicate malicious activity.
references:
  - "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/"
  - "https://bazaar.abuse.ch/sample/aafc0ca9681c1f5c368b0f6da85b90e433f6d62fb34ed2e968e53f83981a800f"
type: "rule"
authors:
  - twitter: "Kyle_Parrish_"
    name: "Kyle Parrish"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("one") or
            .file_extension in~ $file_extensions_common_archives
          )
          and any(file.explode(.),
                  any(.flavors.yara, . == "onenote_file"
                      and any(..scan.strings.strings,
                              strings.ilike(.,
                                            "*WshShell*",
                                            "*ExecuteCmdAsync*",
                                            "*CreateObject*",
                                            "*Wscript.Shell*",
                                            "*schtasks*",
                                            "*CreateProcess*",
                                            "*winmgmts*",
                                            "*SetEnvironmentVariable*",
                                            "*powershell*",
                                            "*echo off*")
                      )
                  )
          )
  )
tags:
  - "Suspicious attachment"
  - "Malware"

Here is how the detection rule reads from top to bottom, starting at “source”:

Inbound emails containing an attachment whose file extension is “one” OR is in the $file_extensions_common_archives list (so a OneNote file zipped inside an archive is still covered)

AND, after running the attachment through file.explode (which recursively extracts and scans the file using Strelka, a file extraction and metadata collection system), at least one exploded file matches the onenote_file YARA flavor

AND at least one of the strings Strelka extracted from that same file (the “..” in ..scan.strings.strings steps back out of the flavors list to the exploded file) matches one of the case-insensitive wildcard patterns given to strings.ilike: *WshShell*, *ExecuteCmdAsync*, *CreateObject*, and so on

Since the payload has a .one file extension, matches the YARA rule for a OneNote file, and contains PowerShell-related strings such as *powershell*, the rule fires and the message is flagged.
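To make the three conditions concrete, here is an added Python example (mine, not Sublime Security’s code or their YARA rule) that applies the same logic to a constructed OneNote-like file: it checks the extension, stands in for the onenote_file flavor with the MS-ONESTORE file-type GUID, carves out embedded files using the documented FileDataStoreObject layout, and runs the rule’s string list as case-insensitive globs over the file and its children. The archive branch of the rule is left out, the sample file and the dropper script are constructed, and the function names are my own.

```python
import fnmatch
import struct
import uuid

# Identifiers from the MS-ONESTORE file format: guidFileType for a .one
# section file, and the GUIDs that bracket a FileDataStoreObject (an
# embedded file such as the script a OneNote lure runs on click).
ONE_FILE_GUID = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le

# The patterns from the rule's strings.ilike(...) call, unchanged.
SUSPICIOUS = [
    "*WshShell*", "*ExecuteCmdAsync*", "*CreateObject*", "*Wscript.Shell*",
    "*schtasks*", "*CreateProcess*", "*winmgmts*", "*SetEnvironmentVariable*",
    "*powershell*", "*echo off*",
]


def is_onenote_file(data: bytes) -> bool:
    """Stand-in for the onenote_file YARA flavor: a .one file starts with
    guidFileType.  (Assumption: Sublime's actual YARA rule may check more.)"""
    return data[:16] == ONE_FILE_GUID


def carve_embedded_files(data: bytes) -> list[bytes]:
    """Return the FileData payload of every FileDataStoreObject in the file.
    Layout: guidHeader(16) cbLength(8, LE) unused(4) reserved(8) FileData guidFooter(16)."""
    payloads = []
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        (cb_length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + 36
        payloads.append(data[start:start + cb_length])
        pos = data.find(FDSO_HEADER, start + cb_length)
    return payloads


def ilike_any(blob: bytes, patterns=SUSPICIOUS) -> list[str]:
    """Emulate strings.ilike: case-insensitive glob match over the text.
    Strelka extracts printable strings first; globbing the whole lowered
    blob is a coarser approximation that suffices for these patterns."""
    text = blob.decode("latin-1").lower()
    return [p for p in patterns if fnmatch.fnmatchcase(text, p.lower())]


def scan_onenote_attachment(filename: str, data: bytes) -> dict:
    """Mirror the rule: .one extension AND OneNote magic AND a suspicious
    string in the file or in any file exploded out of it."""
    ext_ok = filename.lower().rsplit(".", 1)[-1] == "one"
    if not (ext_ok and is_onenote_file(data)):
        return {"flagged": False, "hits": []}
    hits = set(ilike_any(data))
    for child in carve_embedded_files(data):
        hits.update(ilike_any(child))
    return {"flagged": bool(hits), "hits": sorted(hits)}


# --- constructed sample, not a real OneNote section ---------------------
DROPPER_BAT = b'@echo off\r\npowershell -w hidden -c "Start-Process calc.exe"\r\n'


def build_sample_one(embedded: bytes) -> bytes:
    """Constructed .one-like file: magic GUID, filler, one FileDataStoreObject
    wrapping `embedded`.  Just enough structure to exercise the checks above."""
    fdso = (FDSO_HEADER + struct.pack("<Q", len(embedded)) + b"\x00" * 12
            + embedded + FDSO_FOOTER)
    return ONE_FILE_GUID + b"\x00" * 64 + fdso + b"\x00" * 16
```

Running scan_onenote_attachment("cancellation.one", build_sample_one(DROPPER_BAT)) flags the file on *echo off* and *powershell*, while the same bytes named cancellation.txt are not flagged; that second case is exactly why the real rule also accepts archive extensions and why relying on extension alone is weak.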

Example 2: HTML Smuggling

Let’s use smuggled_test_iso as our next payload.

The detection rule we’re using is attachment_html_smuggling_embedded_b64_iso.

name: "Attachment: HTML smuggling with embedded base64-encoded ISO"
description: |
  HTML attachment contains a base-64 encoded ISO. This is a known TTP for multiple threat actors.
references:
  - "https://delivr.to/payloads?id=cf6c9867-4358-4b3b-b7eb-3432ac39e71d"
  - "https://playground.sublimesecurity.com?id=78587abf-1027-4c6c-9edf-c1bd928de97a"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("html", "htm") or
            .file_extension in~ $file_extensions_common_archives or
            .file_type == "html"
          )
          and any(file.explode(.),
                  any(.scan.strings.strings, strings.ilike(.,
                      // Base64 encoded ISOs
                      "*SVNPIDk2NjAvSEZT*",
                      "*MTk5MyBFLllPVU5HREFMRQ*",
                      // Reversed base64 encoded ISOs
                      "*TZESvAjN2kDIPNVS*",
                      "*QRMFERH5UVPllLFByM5kTM*"
                  )
          ))
  )
tags:
  - "Suspicious attachment"
  - "HTML smuggling"

Here is how the detection rule reads from top to bottom, starting at “source”:

Inbound emails containing an attachment whose file extension is “html” or “htm” OR is in the $file_extensions_common_archives list OR whose detected file type is “html” (so renaming the attachment to dodge the extension check doesn’t help the attacker)

AND, after running the attachment through file.explode, at least one of the strings extracted from the output (scan.strings.strings) matches one of the four patterns. The patterns look random but aren’t: SVNPIDk2NjAvSEZT is base64 for “ISO 9660/HFS” and MTk5MyBFLllPVU5HREFMRQ is base64 for “1993 E.YOUNGDALE”, fragments of the application identifier that mkisofs-style tools write into an ISO 9660 image’s volume descriptor. The other two patterns are the same strings reversed, which catches the variant where the page stores the blob backwards and reverses it in JavaScript before decoding.

Since the payload has an .html file extension and its embedded blob contains one of those base64 ISO markers, the rule fires and the message is flagged.
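To see what the four literals are and where their limits lie, here is an added Python example (my code, not Sublime Security’s or delivr.to’s). It decodes the rule’s patterns, shows that a base64 signature depends on where the marker sits in the blob (its byte offset mod 3, which the rule covers for only one alignment), builds a constructed HTML-smuggling page around an ISO-like byte string, and runs a stand-in for strings.ilike against it. The HTML template, the fake ISO bytes and the function names are assumptions made for this example.

```python
import base64

# The four literals from the rule (without the "*" wildcards) and the
# plaintext markers they decode to: strings that mkisofs-style tools write
# into an ISO 9660 image's volume descriptors.
RULE_PATTERNS = [
    "SVNPIDk2NjAvSEZT",        # base64("ISO 9660/HFS")
    "MTk5MyBFLllPVU5HREFMRQ",  # base64("1993 E.YOUNGDALE")
    "TZESvAjN2kDIPNVS",        # first pattern, reversed
    "QRMFERH5UVPllLFByM5kTM",  # second pattern, reversed
]
ISO_MARKERS = ["ISO 9660/HFS", "1993 E.YOUNGDALE"]


def decode_pattern(pattern: str, reversed_: bool = False) -> str:
    """Decode one rule literal back to text, re-adding the '=' padding that a
    bare base64 fragment lacks."""
    if reversed_:
        pattern = pattern[::-1]
    padded = pattern + "=" * (-len(pattern) % 4)
    return base64.b64decode(padded).decode("latin-1")


def b64_alignments(marker: str) -> list[str]:
    """base64 turns 3 bytes into 4 chars, so the same marker encodes to
    different text depending on its byte offset mod 3 inside the blob.
    Return the stable inner chars for each of the three offsets; chars from
    the groups that straddle the marker's ends depend on neighbouring bytes
    and are dropped."""
    data = marker.encode()
    variants = []
    for offset in range(3):
        filler = (-(offset + len(data))) % 3          # pad to a 3-byte boundary
        enc = base64.b64encode(b"\x00" * offset + data + b"\x00" * filler).decode()
        start = 4 if offset else 0                     # first group touches the prefix
        end = len(enc) - (4 if filler else 0)          # last group touches the filler
        variants.append(enc[start:end])
    return variants


def broadened_patterns() -> list[str]:
    """Every alignment of every marker, forward and reversed."""
    pats = []
    for marker in ISO_MARKERS:
        for v in b64_alignments(marker):
            pats += [v, v[::-1]]
    return pats


def matches_rule(text: str, patterns=RULE_PATTERNS) -> list[str]:
    """Emulate strings.ilike(., "*PATTERN*"): case-insensitive substring."""
    low = text.lower()
    return [p for p in patterns if p.lower() in low]


# --- constructed HTML-smuggling attachment ------------------------------
def fake_iso(prefix_len: int) -> bytes:
    """Not a valid ISO image: `prefix_len` filler bytes control the markers'
    offset mod 3; the two markers are separated by 3 NULs so both share it."""
    body = b"ISO 9660/HFS" + b"\x00" * 3 + b"1993 E.YOUNGDALE"
    return b"\x00" * prefix_len + body + b"\x00" * 32


def build_smuggling_html(iso_bytes: bytes) -> str:
    """Typical smuggling page: base64 blob in a script, decoded client-side
    into a Blob and auto-clicked as a download."""
    b64 = base64.b64encode(iso_bytes).decode()
    return (
        "<html><body><script>\n"
        f"var payload = '{b64}';\n"
        "var bytes = Uint8Array.from(atob(payload), c => c.charCodeAt(0));\n"
        "var url = URL.createObjectURL(new Blob([bytes], {type: 'application/octet-stream'}));\n"
        "var a = document.createElement('a'); a.href = url; a.download = 'invoice.iso'; a.click();\n"
        "</script></body></html>"
    )
```

With the markers at offset 0 mod 3 (fake_iso(0)) the rule’s own literals match; shift them by a single byte (fake_iso(1)) and none of the four literals appear, while the broadened set still matches. When you write base64 signatures of your own, generate all three alignments rather than copying the one string you happened to see in a sample.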
