{"id":1811,"date":"2018-07-13T16:28:13","date_gmt":"2018-07-13T20:28:13","guid":{"rendered":"https:\/\/test.infinityns.ca\/?p=1811"},"modified":"2018-08-07T11:12:47","modified_gmt":"2018-08-07T15:12:47","slug":"attacks-evolving-phishing-via-xps-files","status":"publish","type":"post","link":"https:\/\/test.infinityns.ca\/attacks-evolving-phishing-via-xps-files\/","title":{"rendered":"Attacks Evolving \u2013 Phishing via XPS Files"},"content":{"rendered":"

Uptick in Phishing Attempts via XPS file extensions<\/strong><\/h1>\n

We\u2019ve seen it time after time: malicious actors routinely attempt to confuse recipients of messages with obscure or lesser-utilized file extensions.<\/p>\n

Over the past month, our filters have captured some phishing attempts using xps files instead of the typical pdf or doc\/docx formats.\u00a0 The xps file format is Microsoft\u2019s alternative to pdf files.\u00a0 Windows machines with Vista or later operating systems natively support this extension with the Windows xps file viewer.\u00a0 Actors have started taking advantage of this lesser-utilized format for their phishing campaigns.<\/p>\n

Phishing Examples<\/strong><\/h2>\n

Our\u00a0SecureTide email filtering\u00a0has captured a wide range of these phishing messages.\u00a0 So far, they appear to be attributed to threat actors currently conducting\u00a0Business Email Compromise (BEC) attacks.\u00a0 Attacks originate from legitimate (compromised) senders with similar techniques, tactics, and procedures.\u00a0 Below is an example which could easily dupe unsuspecting users.<\/p>\n

Viewing the XPS File<\/strong><\/h2>\n

Users should not open or view unsolicited attachments, even from a known sender, without intense scrutiny and\/or verification.\u00a0 Scammers do exploit the trust that known contacts share.\u00a0 Hopefully a user will never see one of these; however, this is what these attached files look like when opened in an isolated test environment.<\/p>\n

Linked Phishing Portals<\/strong><\/h2>\n

If the user happens to click on the link in the attached xps file (pictured above), below is an example web phishing portal they might encounter.\u00a0 For this particular one, the first screen requests their email address.\u00a0 If they proceed with entering it, the next image shows the resulting page requesting their email credentials.<\/p>\n

After entering email address:<\/h3>\n

Filter Evasion Techniques<\/strong><\/h2>\n

Malicious actors are attempting to use filter evasion techniques.\u00a0 They break up the suspicious phishing text via canvas clip mappings inside deeply embedded fpage files.\u00a0 An image portion below displays how they used multiple canvas clip mappings to stitch together the words, \u201copen with your professional email login credentials.\u201d<\/p>\n

Minimal Anti-Virus Signatures for XPS Files<\/strong><\/h2>\n

Most anti-virus engines do not have many phishing rules set up for the xps extension like they would for more commonly used ones.\u00a0 We can see this example received 0\/60 hits when processed through a popular anti-virus engine aggregator.<\/p>\n

AppRiver Protection<\/b><\/h2>\n

There is no shortage of spam, malware, phishing, or nefarious websites that AppRiver\u2019s staff and systems continuously protect and defend against. Malicious actors work around the clock; therefore, we at AppRiver work even harder to stay one step ahead. Our team is here 24\/7, 365 days a year,\u00a0protecting and supporting clients and partners from security threats.<\/p>\n

POSTED BY\u00a0DAVID PICKETT IN\u00a0DIGITAL DEGENERATE,\u00a0PHISHING,\u00a0SECURETIDE,\u00a0SECURITY RISKS,\u00a0TECH NEWS<\/p>\n

https:\/\/blog.appriver.com\/2018\/05\/bec-attacks-evolve-to-phishing-via-xps-files-appriver<\/p>\n","protected":false}}