1 Phishing Trick Security Software Can’t Stop (It’s Scary!)
Hackers have developed a phishing technique that bypasses secure email gateways by disguising malicious HTML files as MPEG videos within compressed archives. This method exploits security software’s reliance on file headers, allowing threats to slip through undetected. Cisco IronPort failed to detect the mismatch between the header and footer, enabling the attack. Some unzipping tools identified the discrepancy, but many desktop applications still executed the malicious file. Cofense’s Max Gannon noted that this tactic is relatively new and highly effective. Enhancing static scanning to detect such inconsistencies is necessary. Dynamic scanning could help but is costly. Attackers continue refining methods to outsmart security measures. Organizations must adopt stronger, adaptive defenses to counter evolving threats.

Hackers have found a way to bypass secure email gateways by disguising malicious files as harmless media. This new phishing method exploits weaknesses in static scanning, making it difficult for security software to detect the threat.
Phishing Tactics Evolve to Bypass Security Software
A recent report from Cofense has revealed a new phishing method that successfully evades secure email gateways (SEGs), including Cisco IronPort. Attackers specifically targeted Spanish-speaking employees at an international financial institution, using a deceptive technique to bypass static scanning. This method involved embedding a malicious HTML file within a compressed archive and manipulating the file header to mimic an MPEG video, while the true file extension remained concealed in the footer. By doing so, the attackers ensured that traditional email security systems, which primarily rely on header information for file verification, would not flag the attachment as suspicious. Cisco IronPort’s security software, like many others, failed to cross-check the footer, allowing the phishing attempt to slip through undetected.
This technique highlights a critical flaw in static scanning methods, which often do not analyze file contents deeply enough to detect such inconsistencies. Since email security solutions primarily scan headers to determine file types, they may overlook embedded threats hidden within seemingly benign formats. Cybercriminals exploit this oversight by disguising malicious files as common media formats that appear harmless to both security software and unsuspecting users. Without more advanced detection mechanisms, such as dynamic scanning or behavioral analysis, organizations remain vulnerable to increasingly sophisticated phishing techniques that evade traditional security filters.
Security Limitations Enable Malware Execution
Despite some unzipping tools detecting the mismatch between the file’s header and footer, several desktop applications still identified and executed the malicious HTML file. Max Gannon, Cofense’s threat intelligence manager, explained that many programs trust file headers by default, making them a weak point in static scanning defenses. Attackers exploit this flaw by manipulating headers to disguise malicious files, allowing them to bypass security filters undetected.
Gannon noted that this method of deception is relatively new and not yet widespread in phishing kits, suggesting that hackers are actively testing its effectiveness. The use of compressed archives adds another layer of complexity, making it harder for security tools to properly analyze file contents before execution. This technique demonstrates how cybercriminals continuously refine their tactics to stay ahead of security measures. While it remains unclear whether the attack successfully infected the targeted financial institution, Gannon believes that at least one workstation was compromised. If such attacks become more common, organizations may need to rethink their approach to email security and adopt more advanced detection strategies.
Need for Stronger Email Security Measures
To counter such threats, Gannon recommended dynamic scanning of email attachments, though he acknowledged its high computational cost. He also suggested enhancing static scanning by flagging inconsistencies between a file’s header and its footer and by detecting embedded malicious code. However, the resource-intensive nature of analyzing large files poses a challenge. Additionally, he highlighted the risk of “zip bombs”—archives that expand enormously upon extraction—which makes thorough scanning even more difficult.
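As an added illustration of the header/footer cross-check and the zip-bomb caveat described above (this is example code written for this page, not Cofense’s or any SEG vendor’s tooling), the Python script below opens a zip attachment in memory, compares the type claimed by each member’s leading bytes with what its body and trailing bytes look like, and refuses to extract members whose declared size or compression ratio suggests a zip bomb. The sample archive, the size and ratio thresholds, and the “MPEG start code bolted onto an HTML file” disguise are all constructed assumptions; the actual bytes of the sample from the report are not given on this page.

```python
import io
import zipfile

# Header (magic-byte) signatures the scanner recognises. The MPEG start codes
# are real values; the table is deliberately small for the example.
MAGIC = {
    b"\x00\x00\x01\xba": "mpeg",   # MPEG program-stream pack header
    b"\x00\x00\x01\xb3": "mpeg",   # MPEG video sequence header
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}

# Assumed thresholds (not from the report): members whose declared size or
# compression ratio exceeds these are reported but never fully extracted.
MAX_UNCOMPRESSED = 64 * 1024 * 1024
MAX_RATIO = 100


def header_type(data: bytes) -> str:
    """Type claimed by the leading bytes, i.e. what a header-only scanner sees."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def content_type(data: bytes) -> str:
    """Type suggested by the body and the trailing bytes ('footer'), ignoring the header."""
    body = data.lower()
    tail = body[-1024:]
    if b"</html>" in tail or b"</script>" in tail or b"<html" in body or b"<script" in body:
        return "html"
    if b"%%eof" in tail:
        return "pdf"
    return "unknown"


def scan_member(info: zipfile.ZipInfo, zf: zipfile.ZipFile) -> dict:
    """Classify one archive member; skip anything that looks like a zip bomb."""
    result = {"name": info.filename, "header_type": None, "content_type": None}
    ratio = info.file_size / max(info.compress_size, 1)
    if info.file_size > MAX_UNCOMPRESSED or ratio > MAX_RATIO:
        result["verdict"] = (f"skipped: possible zip bomb (declared {info.file_size} "
                             f"bytes, ratio {ratio:.0f}:1)")
        return result
    # Declared sizes can be forged, so read with a hard cap instead of trusting them.
    with zf.open(info) as fh:
        data = fh.read(MAX_UNCOMPRESSED + 1)
    if len(data) > MAX_UNCOMPRESSED:
        result["verdict"] = "skipped: member exceeded the size cap during extraction"
        return result
    h, c = header_type(data), content_type(data)
    result["header_type"], result["content_type"] = h, c
    if h != "unknown" and c != "unknown" and h != c:
        result["verdict"] = f"suspicious: header says {h}, content looks like {c}"
    else:
        result["verdict"] = "ok"
    return result


def scan_archive(zip_bytes: bytes) -> list:
    """Scan every member of an in-memory zip and return one finding per member."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [scan_member(info, zf) for info in zf.infolist()]


def build_sample_archive() -> bytes:
    """Constructed sample: a disguised HTML lure, a benign note and an oversized member."""
    html = b"<html><body><p>Please sign in to view the document.</p></body></html>\n"
    disguised = b"\x00\x00\x01\xba" + html          # MPEG header bolted onto HTML (constructed)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.mpeg", disguised)
        zf.writestr("readme.txt", b"Quarterly figures attached.\n")
        zf.writestr("big.bin", b"\0" * (2 * 1024 * 1024))   # deflates at roughly 1000:1
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(f"{finding['name']:14} {finding['verdict']}")
```

The mismatch rule fires only when both the header and the body/footer are recognised and disagree; a plain HTML file with no magic bytes is reported as "ok" here, which is a policy choice a real gateway would make differently. The size cap on the streaming read is the part that matters against zip bombs: the ratio check uses sizes from the central directory, which an attacker controls, so the cap is what actually bounds memory.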
Criticizing the lack of proactive improvements in SEG technologies, Gannon described security developers as “lazy” for not implementing more robust static analysis techniques. The Cofense report further revealed that attackers have been exploiting security products from companies such as VIPRE, BitDefender, Hornetsecurity, and Barracuda. By having one SEG’s link-protection feature encode (rewrite) a malicious URL and then forwarding the message onward, attackers can get the wrapped link past subsequent security checks, allowing phishing attempts to succeed. These evolving tactics underscore the urgent need for stronger, more adaptive email security solutions.