Wed, March 13, 2019

What You Should Know About The NoRelationship Phishing Attack

Cyber threats continue to evolve and phishing emails are now almost commonplace. Cyber criminals continue to look for new ways to gain unauthorized access to sensitive material for financial gain. Most recently, a new phishing attack called NoRelationship evades Office 365 by exploiting a vulnerability in relationship flies. Read more about this attack, and how Barracuda’s layered email security provides protection against it.

 

What is the NoRelationship attack?

NoRelationship is able to circumvent Microsoft’s Exchange Online Protection (EOP) URL filters. These filters scan Office documents including .docx, .xlsx, and .pptx to warn users when malicious content is detected. Malicious links within these attachments lead to a credential harvesting login page. People log in and boom…a hacker has their credentials.

Link parsers used in scanning documents do not always scan a full document. In fact, they rely on a relationship file to list external links found in the document. These links are then checked against known threats. Scammers exploit this process by deleting external links from relationship files, which causes Microsoft EOP to fail to detect the phishing attempt.

 

How can Barracuda help?

Barracuda’s Advanced Threat Protection is able to catch this attack using a static analysis layer. Advanced Threat Protection (ATP) uses next-generation sandbox technology including full-system emulation to catch advanced persistent threats, zero-day malware, and all advanced malware designed specifically to evade detection. Besides applying the more traditional approaches, like URL filtering (which prevents users from going to bad sites in the first place) and a regular antivirus and firewall solution, ATP provides an additional layer of protection. This analyzes what the actual file being downloaded really does once executed using a process called sandboxing. Barracuda uploads the file to their cloud, running the file to classify if it is benign or malicious. If the file is malicious it is blocked. However, if it is determined to be safe it is then passed down to the user.

Barracuda does not solely rely on relationship files to detect malicious links. Instead, ATP completes a more comprehensive analysis by thoroughly extracting out the links from the .docx archive and validating them.

In conclusion, Barracuda customers with the ATP subscription are fully protected. If you are not currently a Barracuda customer, ask us about Barracuda Essentials or Total Email Protection to enhance your business’ email security.