When attackers can use hijacked email threads, they lend instant credibility to their attacks since their victims simply believe that they are continuing to communicate with the same person as in previous emails. In this case, the attacker first compromised a vendor account and then inserted themselves into an ongoing email conversation to send the attack.

The attack itself instructs the recipient to open a file containing the “necessary records” for an upcoming meeting. Upon clicking the link, the target is asked to enter a password, which is included in the email itself. Once they do so, the malware is decrypted; Emotet, Qakbot, and other trojans are delivered in this manner, providing a foothold for follow-on attacks such as Ryuk ransomware.


Why It Bypassed Traditional Security

This attack uses a domain that passes SPF checks, and because the file is password protected, legacy solutions have difficulty scanning it for malware. Further, the malware is encrypted using random passwords, which changes the file signature and allows it to evade threat intelligence tools. Including the password in the email makes it easily accessible to humans but hard for automated systems to use for decryption.

Detecting the Attack

To recognize this as a malicious file, content analysis is required to detect both the link and the password provided to open it. Additional context around the recipients, departments, and normal communication patterns helps flag suspicious content, even when most of the message duplicates the earlier email in the thread. Understanding this behavioral baseline is required to avoid false positives for this type of attack.
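The two detection signals described above (a password-protected archive that scanners cannot open, and a password handed to the recipient in the same message) can be checked together without ever decrypting the file. The following is an added example, not Abnormal's code or the product's detection logic: it builds a constructed sample email with a constructed zip whose encryption flag is set, ignores quoted text from earlier in the thread, and flags the message when a password phrase accompanies either a link or an encrypted attachment. The sender and recipient addresses, the filename and the password are all made up for the example.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Phrases such as "password is: X", "password to open the file: X", "passcode: X"
PASSWORD_RE = re.compile(
    r"\bpass(?:word|code)?\b[^\n:]{0,40}?(?:is|:)[\s:]*[\"']?(\S{4,})", re.I
)
URL_RE = re.compile(r"https?://\S+", re.I)


def build_constructed_zip(encrypted: bool = True) -> bytes:
    """Build a small zip in memory. The standard library cannot write encrypted
    archives, so for the 'encrypted' case the general-purpose flag bit 0 is set
    by hand in both the local file header and the central directory entry.
    The content is a harmless placeholder, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("records.doc", b"placeholder document for the example")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x01                      # local header: flags at offset 6
        cd = data.find(b"PK\x01\x02")        # central directory entry
        data[cd + 8] |= 0x01                 # flags at offset 8 of that entry
    return bytes(data)


def build_constructed_email(zip_bytes: bytes, include_password: bool = True) -> EmailMessage:
    """Constructed sample mimicking a reply injected into a hijacked thread."""
    msg = EmailMessage()
    msg["From"] = "accounts@vendor-example.test"      # hypothetical address
    msg["To"] = "finance@victim-example.test"         # hypothetical address
    msg["Subject"] = "RE: RE: invoice reconciliation meeting"
    body = "Hi,\n\nPlease find the necessary records for tomorrow's meeting attached.\n"
    if include_password:
        body += "The password to open the file is: Rx7!meet\n"   # made-up password
    body += "\n> On Monday you wrote:\n> Can we move the meeting to 3pm?\n"
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="records.zip")
    return msg


def is_encrypted_zip(blob: bytes) -> bool:
    """True if any entry has the encryption flag set. Only the central directory
    is read, so no password is needed and nothing is extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def analyze(msg: EmailMessage) -> dict:
    """Score one message: password phrase + (link or encrypted attachment)."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # Drop quoted lines: the earlier thread is legitimate, the new text is not
    new_text = "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith(">")
    )
    pw = PASSWORD_RE.search(new_text)
    findings = {
        "is_reply_thread": str(msg["Subject"] or "").lower().startswith("re:"),
        "password_in_body": pw.group(1) if pw else None,
        "link_in_body": bool(URL_RE.search(new_text)),
        "encrypted_attachments": [],
    }
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload and is_encrypted_zip(payload):
            findings["encrypted_attachments"].append(part.get_filename())
    findings["suspicious"] = bool(
        findings["password_in_body"]
        and (findings["link_in_body"] or findings["encrypted_attachments"])
    )
    return findings


if __name__ == "__main__":
    sample = build_constructed_email(build_constructed_zip())
    print(analyze(sample))
```

The archive check deliberately stops at the central directory: a scanner that cannot open the file can still report that it is encrypted, and pairing that with a password in the new (unquoted) body is what separates this message from an ordinary reply in the same thread. In a real pipeline the "suspicious" flag would be weighed against the sender and recipient baseline the text describes rather than used alone.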

Risk to Organization

If the target were to open this file and enter the password, malware is likely to be installed on the device. From there, attackers can complete a variety of other attacks related to ransomware, data theft, and more.

Analysis Overview

Malware Delivery
Hijacked Email Thread
Fake Document
