A new form of spear-phishing attack emerged in late 2017 called a Conversation Hijacking Attempt. It intercepts legitimate email conversations and sends infected documents to one of the participants posing as the other person, a technique that raises the chances of the targeted person actually clicking on the malicious attachment.

The first stage of the attack uses very clever techniques to steal email account credentials from people at targeted organisations; the second involves hackers logging into those accounts and jumping into ongoing email conversations – the “hijacking” portion of the operation.

Raising probability

Hackers pose as one of the participants and send an infected email to the other, usually one with a macro-laden document attached with a quick message like “Please look this over”, which ensured a high probability of that other participant actually opening the email, thereby infecting their PC with the hacker’s payload.

The third phase of the attack kicks off when the targeted user actually opens the infected attachment, whose malware goes on to steal data and report back to the hacker. It’s sophisticated enough that it can even fool “…some the savviest of users”, says an article on Channel Futures.

Payload

The payload, which researchers at Palo Alto Networks dubbed PoohMilk, deploys a secondary payload called Freenki, which does all the info-gathering that hackers would then use to steal data and gain access to financial accounts. A bank in the Middle East and a big (but unnamed) sporting organisation were revealed by Channel Futures as two targets of this particular attack.

No silver bullet, but…

While there is no silver bullet solution to CHAs, suggested countermeasures include enabling email features that strip out harmful attachments if they are detected and implementing technologies that actively scan incoming emails for signs of deception, even when they are from trusted sources.

Examples of this tech are Mimecast’s Advanced Targeted Threat Protection services, which also includes an anti-impersonation module called Impersonation Protect that deep-scans emails for suspicious indicators and flagging those up when found – all without affecting the speed of delivery.

Ultimately, the lesson here is to be ever-vigilant when it comes to how your organisation handles email, as attacks are becoming more and more sophisticated as countermeasures make “easier” attack vectors more transparent.