1 Phishing Trick Security Software Can’t Stop (It’s Scary!)

Attackers are hiding a malicious HTML attachment inside an archive dressed up to look like an MPEG video, a trick that slips past the static scanning in secure email gateways and can compromise the recipient's computer. Researchers urge gateway vendors to improve detection and recommend that users stay vigilant.


Phishing hides malware in fake video

Phishing attackers have devised a new method to bypass secure email gateways, according to a recent report from Cofense. The company found that attackers targeting Spanish-speaking employees at an international financial firm used a technique that evaded the static scanning functions of Cisco IronPort. The approach likely works against secure email gateways from other vendors as well.

The technique itself is not particularly complex; it disguises the attachment's real file type. The attackers placed the malicious file inside a compressed archive and edited the archive so that it appeared to contain an MPEG video: the file header at the start of the archive was altered to carry the fake name, while the true name, with its .html extension, stayed in the footer at the end of the archive, which most unzip tools consult when extracting. Cisco IronPort did not compare the header against the footer, so the inconsistency went unnoticed and the archive passed its checks.


Phishing bypasses security with hidden code

Information Security Media Group reached out to Cisco for comment but has not yet received a response.

Max Gannon, Cofense’s threat intelligence manager, noted that headers are generally considered reliable by many programs. “If a program isn’t sophisticated enough, it will take the header’s information at face value.”

Some of the unzipping tools Cofense tested did detect the header-footer mismatch. Ironically, though, the desktop applications that resolved the conflict correctly and recognized the file as HTML rather than MPEG then opened it as HTML, which allowed the embedded code to run.

Gannon mentioned that this method of exploiting static scanning limitations is relatively new and hasn’t been widely used. “We haven’t seen this before. I believe it was an initial attempt to test its effectiveness, and it worked quite well,” he said, adding that this technique is not found in any known phishing kits.

While Gannon cannot confirm whether the hackers successfully infected the targeted financial institution with their info stealer, he suspects that at least one workstation was likely compromised.


Phishing upgrades tactics, gateways need improvement

Max Gannon from Cofense suggested that dynamic scanning of email attachments (detonating them and observing their behaviour) would be the ideal solution, but the processing power it requires makes it prohibitively expensive at scale. He proposed that static scanning could still be improved: a mismatch between the file type declared in the header and the one declared in the footer, for example, should trigger an alert. Code embedded in an attachment is also a strong indicator of malware, although extracting code from files requires significant computing resources, and analyzing very large archived files might be too costly.
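To make the mismatch concrete, here is an added Python example (not code from Cofense's report, from Cisco, or from any gateway vendor) that builds a ZIP whose local file header at the front names the member `invoice.mpeg` while the central directory at the end of the archive still names it `invoice.html`, the same kind of header-versus-footer disagreement described above. A scanner that walks the archive from the front sees only a video, a reader that trusts the central directory sees HTML, and the consistency check Gannon asks for compares both copies and flags the archive. The filename, the HTML payload and the blocked-extension list are constructed for the example.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"  # signature of the local file header in front of each member


def build_zip(name: str, payload: bytes) -> bytes:
    """Build a single-member, uncompressed ZIP in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def spoof_local_header_name(data: bytes, real_name: str, fake_name: str) -> bytes:
    """Rewrite only the filename in the first local file header.

    The central directory copy of the name is left untouched, so the archive
    now carries two different names for the same member. Same-length names
    keep every offset in the archive valid.
    """
    real, fake = real_name.encode("cp437"), fake_name.encode("cp437")
    if len(real) != len(fake):
        raise ValueError("names must have the same length")
    off = data.index(LOCAL_SIG)
    name_len = struct.unpack_from("<H", data, off + 26)[0]  # filename length field
    name_off = off + 30                                      # fixed header is 30 bytes
    if data[name_off:name_off + name_len] != real:
        raise ValueError("first local header does not carry the expected name")
    return data[:name_off] + fake + data[name_off + name_len:]


def local_header_names(data: bytes) -> list:
    """Names as a front-to-back stream scanner sees them (local headers only)."""
    names, pos = [], 0
    while data.startswith(LOCAL_SIG, pos):
        comp_size = struct.unpack_from("<I", data, pos + 18)[0]
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        names.append(data[pos + 30:pos + 30 + name_len].decode("cp437"))
        pos += 30 + name_len + extra_len + comp_size  # skip to the next member
    return names


def central_directory_names(data: bytes) -> list:
    """Names as most unzip tools see them: read from the central directory at the end."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def header_footer_mismatches(data: bytes) -> list:
    """The static check a gateway should add: pair the two name lists and report
    every member whose local-header name differs from its central-directory name."""
    local = local_header_names(data)
    central = central_directory_names(data)
    if len(local) != len(central):
        return [("<count>", f"{len(local)} local vs {len(central)} central")]
    return [(l, c) for l, c in zip(local, central) if l != c]


def naive_extension_verdict(data: bytes, blocked=(".html", ".htm", ".js")) -> str:
    """A header-only scanner that takes the local header's name at face value."""
    for name in local_header_names(data):
        if name.lower().endswith(blocked):
            return "block"
    return "allow"


def zipfile_can_extract(data: bytes) -> bool:
    """CPython's zipfile compares both name copies when a member is opened and
    raises BadZipFile if they differ; the desktop tools in the report did not."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                zf.read(name)
        return True
    except zipfile.BadZipFile:
        return False


if __name__ == "__main__":
    # Constructed sample: an HTML dropper disguised as a video inside a ZIP.
    clean = build_zip("invoice.html", b"<script>location='https://example.invalid/'</script>")
    spoofed = spoof_local_header_name(clean, "invoice.html", "invoice.mpeg")
    print("front-scan sees:  ", local_header_names(spoofed))
    print("central dir sees: ", central_directory_names(spoofed))
    print("naive verdict:    ", naive_extension_verdict(spoofed))
    print("mismatches:       ", header_footer_mismatches(spoofed))
    print("zipfile extracts: ", zipfile_can_extract(spoofed))
```

The point of the two readers is that neither name is "wrong" on its own; the archive is malicious precisely because they disagree, which is why the check has to read both ends of the file rather than stopping at the first header.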

Gannon also pointed out that secure email gateways need to account for “zip bombs”—files that expand dramatically when extracted—from small sizes to potentially massive ones. This exploitation of the archiving process adds complexity to scanning.

He criticized secure email gateway developers for not incorporating more comprehensive static analysis, labeling them as “basically lazy” because they often avoid adding extra effort due to a lack of accountability.

In a recent report, Cofense noted that attackers are increasingly bypassing email security products such as VIPRE, BitDefender, Hornet Security and Barracuda by abusing URL rewriting. The attacker runs a malicious link through one secure email gateway, which wraps it in its own encoded "safe" link, and then forwards that encoded link to the target. Because downstream gateways often treat a link already wrapped by another gateway as trusted and do not decode and rescan it, the malicious destination goes unchecked.
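As an added example of the rescanning gap (not code from Cofense or from any of the vendors named above), the following Python unwraps a link through nested gateway rewrites and scans every hop rather than only the outer one. The wrapper shape (a query parameter holding the URL-encoded original link), the hostnames and the blocklist are all assumptions constructed for the example; real gateways each use their own rewrite format, so a production unwrapper would need a decoder per vendor.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Hypothetical blocklist for the example; a real gateway would use its own feeds.
BLOCKED_HOSTS = {"credential-harvest.example"}


def is_http_url(value: str) -> bool:
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def unwrap_rewritten_url(url: str, max_depth: int = 5) -> list:
    """Return the chain of URLs from the outer link down to the innermost target.

    Assumed wrapper format for this example: each gateway rewrite carries the
    original link, URL-encoded, in a query parameter. Each hop parses the query
    string and follows the first value that is itself an http(s) URL.
    """
    chain = [url]
    for _ in range(max_depth):
        inner = None
        for _key, value in parse_qsl(urlsplit(chain[-1]).query, keep_blank_values=True):
            candidate = value                      # parse_qsl already decoded one layer
            if not is_http_url(candidate):
                candidate = unquote(candidate)     # tolerate one extra layer of encoding
            if is_http_url(candidate):
                inner = candidate
                break
        if inner is None or inner == chain[-1]:
            break
        chain.append(inner)
    return chain


def naive_verdict(url: str) -> str:
    """What a gateway does when it trusts another gateway's wrapper: it only
    looks at the outer hostname, which belongs to the first gateway."""
    return "block" if urlsplit(url).hostname in BLOCKED_HOSTS else "allow"


def rescanning_verdict(url: str) -> str:
    """Scan every hop: a wrapped link is only as safe as its final destination."""
    for hop in unwrap_rewritten_url(url):
        if urlsplit(hop).hostname in BLOCKED_HOSTS:
            return "block"
    return "allow"


if __name__ == "__main__":
    # Constructed sample: the phishing link wrapped by gateway 1, then by gateway 2.
    outer = ("https://gw2.example/safelink?url=https%3A%2F%2Fgw1.example%2Fredirect"
             "%3Fu%3Dhttps%253A%252F%252Fcredential-harvest.example%252Flogin")
    for hop in unwrap_rewritten_url(outer):
        print("hop:", hop)
    print("naive:", naive_verdict(outer), "| rescanning:", rescanning_verdict(outer))
```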

