The Eight Ways Phishing Attacks Bypass Sandbox Technology

Jane Wasson |@Area1Security| Area 1 Security

Sandbox technology is a favorite tool for security researchers, enabling them to analyze files and detect malware. But is it effective at actually stopping phishing attacks without slowing down business productivity?

Phishing attacks, the cause of 95 percent of data breaches, often start with an email file attachment that’s hiding malware or a malicious link that downloads malware. The unsuspecting victim opens the file attachment or clicks the malicious link, and unknowingly downloads that malicious code directly into their system. The consequences are often severe, providing hackers the entry they need to crash systems, steal data, or infect an organization’s network infrastructure, backend systems, or data and carry out their malicious intent.

How Sandboxing Works

To defeat phish, security teams frequently deploy sandbox technology or web isolation technology with embedded malware sandboxing features, either as an on-premises appliance or as a cloud service, to detect malware hidden in email attachments or web downloads. With these technologies, files execute in a sandbox environment, and the behavior is analyzed to judge whether it’s malicious.

If a file is judged to be malicious, robust solutions generate a report detailing the malicious behavior, and the security team is alerted. The report includes information such as how the malware interacts with the sandbox host system and how it attempts to communicate with other devices or websites.

Neutralizing and Removing the Phish

Using the reported information, the security team is armed to track down and remove the malicious file if it was delivered, clean affected systems and update other security infrastructures such as firewalls, web gateways and secure email gateways with newly discovered threat intelligence and rules to protect the organization from follow-on attacks.

This sounds great: the phishing attack is detected, and the security team notified. They’re now armed to respond, clean up the damage, and prevent follow-on attacks.

But Not So Fast — Threats Evade Sandbox Technology

However, hackers are aware that many organizations fortify their security infrastructure with sandbox technology. Cyber attackers continuously evolve their malware and phishing techniques to evade sandbox defense. For example:

• Sandbox Detection and Evasion: Hackers are designing their malware to detect whether the file is in a sandbox or in the target host environment before it executes its malicious behavior. If the malware senses that it’s in a sandbox environment, it quickly terminates. More sophisticated malware even runs phony benign operations to fool the sandbox, which then fails to detect malicious behavior, judges the file harmless — and delivers it right to the target victim!
• Delayed Malware Execution: Hackers recognize that businesses are time-sensitive. That means sandboxes have limited time to analyze files and render a verdict before delivering a file to its recipient. But hackers can intentionally design their malware to delay execution of malicious behavior; or trigger execution only after an event such as a system reboot. In that case, the sandbox analysis environment may not detect or identify the code as malicious. Again, the sandbox technology judges the file to be benign and delivers it to the end user.
• Hiding Malicious Code in Password-Protected Attachments: In some cases, hackers hide malicious code in password-protected file attachments. They then send a password in the body of an email, out of reach of the automated sandbox. In this case, most automated sandbox technologies can’t open the file for analysis. Once more, the sandbox can’t judge the file to be malicious and may deliver it to the desk of the intended recipient.
• Hiding Malicious Code in Obscure File Types, Large Files, or Targeting Malware for Mobile Environments: Sandbox technologies and cloud sandbox services often have limitations on supported file types, file sizes, operating system environments, and even number of files analyzed per hour. These limitations provide opportunities for hackers to craft files with hidden malware that sandboxes won’t detect.
• Sending Malicious Files in Encrypted Traffic: More than 50 percent of Internet traffic travels encrypted. But most organizations don’t decrypt incoming traffic. That means files transmitted in encrypted traffic are invisible to the security infrastructure. Therefore, these files can bypass inspection by sandbox technology.
• File Analysis Delays Delivery: Sandbox file analysis can take from 30 seconds to 10-plus minutes. If sandbox technology holds files for delivery until it determines a judgment, that delays both harmless and malicious files. This delay causes loss of end-user productivity, and frequently results in executive and employee dissatisfaction. So in some cases, to protect from productivity loss, the sandbox technology doesn’t delay file delivery until it has finished analyzing a copy of the file. Instead, it delivers and downloads the file to the recipient’s target system before the judgment is available. If the file turns out to be malicious, the damage is done. The time and expense of remediation can balloon enormously.
• Credential Harvesting Attacks: Not all phishing emails involve malicious file attachments. For example, credential harvesting attacks often start with targeted phishing emails that pretend to be from a trusted organization such as a bank, and request the victim to click on a link and log into their account or change their password. In this case, the link directs the user to a spoofed site. The attacker then harvests the credentials that the victim enters and uses those credentials to log into the victim’s actual account. With credential harvesting attacks, there’s no malicious file to analyze so a sandbox solution won’t detect the phishing attack.
• Business Email Compromise (BEC) Threats: BEC threats are targeted phishing campaigns that rely on impersonation to trick victims into providing confidential information or transferring funds to the hacker. With BEC, cybercriminals use various spoofing techniques to disguise an email, making it appear as if it came from an organization executive. Again in this case, there’s no file download, so a sandbox cannot detect the threat.

A Better Way to Defeat Phishing Attacks

So if sandbox technology isn’t effective, how can organizations better defend from phishing attacks?

We can take a lesson from history.

Key to protecting Britain from enemy aircraft bombs in World War II was the use of radar. Radar deployed along the coast of England allowed the Royal Air Force(RAF) to detect enemy aircraft during the earliest phases of an attack, while enemy planes were flying over France. This early insight gave RAF commanders time to deploy defenses effectively to intercept bombing raids. Radar gave the RAF the early visibility necessary to defeat their enemy.

At Area 1 Security, we believe that effective cybersecurity also starts with early visibility. Our technology crawls the web, continuously and proactively discovering phishing campaigns and infrastructure before attacks launch. On average, Area 1 Security detects malicious sites and payloads a full 25 days before other industry defenses.

The Area 1 Horizon™ anti-phishing service is locked and loaded with preemptive threat insight that allows us to detect and stop email, web, and network phishing attacks effectively that other security technologies, including sandboxes, miss so that your business is protected.

To learn more about how phishing attacks bypass sandbox technology and how Area 1 Horizon anti-phishing service stops them, watch our webinar.