A high-volume credential-harvesting campaign is using a legitimate email newsletter program named SuperMailer to blast out a significant number of phishing emails designed to evade secure email gateway (SEG) protections.
According to a report from Cofense on May 23, the campaign has snowballed so much that SuperMailer-created emails account for a significant 5% of all credential phishes within the firm’s telemetry in the month of May so far. The threat seems to be exponentially growing: The monthly volume of the activity overall has more than doubled in three out of the past four months — notable even in a landscape where credential phishing is growing overall.
“Combining SuperMailer’s customization features and sending capabilities with evasion tactics, the threat actors behind the campaign have delivered tailored, legitimate-looking emails to inboxes spanning every industry,” explained Brad Haas, cyber threat intelligence analyst at Cofense and author of the research.
And indeed, Cofense reports that the threat actors behind the activity are casting a wide net, hoping to haul in victims in a varied sea of industries, including construction, consumer goods, energy, financial services, food service, government, healthcare, information and analytics, insurance, manufacturing, media, mining, professional services, retail, technology, transportation, and utilities.
Supersized Phishing With SuperMailer
What makes the numbers even more interesting is the fact that SuperMailer is a somewhat obscure German-based newsletter product that has nowhere near the scale of more well-known email generators such as ExpertSender or SendGrid, Hass tells Dark Reading — yet it’s still behind wide swathes of malicious emails.
“SuperMailer is desktop software that can be downloaded for free or for a nominal fee from a number of sites that may be completely unassociated with the developer,” he says. “A free version of SuperMailer was released on CNET in 2019, and since that point has had approximately 1,700 downloads. This number is low in comparison to many popular software downloads, but we do not have any other information on the number of legitimate organizational users.”
SuperMailer did not immediately respond to Dark Reading’s request for comment. But since the clients are propagated via third-party websites and have no server or cloud component, Haas notes that SuperMailer’s metaphorical hands are tied when it comes to rooting out the activity.
“In the past, we’ve seen large, cloud-based services abused to send phishing emails or create unique URL redirects pointing to phishing pages, but those services often catch and combat the activity after a period of time,” he says. “We do not know the extent to which the SuperMailer developer is capable of fighting this abuse.”
That in of itself makes SuperMailer attractive to cybercriminals. But the other reason is that it offers an attractive disguise for getting past SEGs and ultimately end users, thanks to some unique features.
Evading Email Security With Ease
“This is another example of threat actors abusing tools that were designed for legitimate purposes,” Haas notes, adding that features that legitimate users find helpful will also appeal to crooks. “This already happens in the penetration testing arena, where open source penetration testing tools are regularly abused by threat actors to conduct actual threat activity,” he says.
In this case, SuperMailer offers compatibility with several email systems, which allows threat actors to spread their sending operation across multiple services — this decreases the risk that a SEG or upstream email server will classify emails as unwanted due to reputation.
“The threat actors likely have access to a variety of compromised accounts, and they use SuperMailer’s sending features to rotate through them,” Haas wrote in his report on the threat.
The SuperMailer-generated campaigns also take advantage of template customization features, like the ability to automatically populate a recipient’s name, email, organization name, email reply chains, and more — all of which boosts the legitimacy of the email for targets.
The software also doesn’t flag open redirects — legitimate Web pages that automatically redirect to any URL included as a parameter. That allows bad actors to use completely legitimate URLs as first-stage phishing links.
“If a SEG does not follow the redirect, it will only check the content or reputation of the legitimate website,” Haas said in the report. “Although open redirects are generally considered to be a weakness, they can often be found even on high-profile sites. For example, the campaigns we analyzed used an open redirect on YouTube.”
Defending Against the SuperMailer Threat
Cofense has been able to track the SuperMailer activity thanks to a coding mistake that the attackers made while crafting the email templates: The emails have all included a unique string showing that they were produced by SuperMailer. However, parsing messages for that string or more broadly blocking entire legitimate mailing services isn’t the answer.
“We haven’t yet uncovered any default characteristics that would allow us to broadly block emails generated by SuperMailer,” Haas says. “In this case, the identifiable characteristics were discoverable only due to a mistake by the threat actor. Without the mistake, it wouldn’t be feasible, as those characteristics are not visible in every SuperMailer email.”
However, he notes that there are other characteristics that would identify the emails as potential security threats, even without knowing their origin — including their content. An example would be non-target-specific email reply chains appended to the messages.
This is especially important given that Cofense has discovered that the SuperMailer phishes are part of a larger set of activity that has accounted for a full 14% of phishing emails landing in inboxes in May in the Cofense telemetry. Haas explained that all of the emails — SuperMailer-sent and the others — share certain indicators that tie them all together, such as the use of URL randomization.
“Human intuition is often much better at recognizing these differences,” Haas says “so training employees to be vigilant against phishing threats is a critical element of good cyber defense.”