RTF-based phishing attacks are on the rise as malicious emails and attachments look more trustworthy than ever
Hackers have found a clever new way to exploit Rich Text Format (.RTF) files in phishing attacks, experts warn.
Cybersecurity researchers Ironscales claim to have seen a “major spike” in these campaigns in 2024, and in just one month (March 2024) the experts say they spotted and stopped 6,755 such attacks.
So what makes this attack so unique and ultimately so successful? Ironscales says three things: using an outdated file format, attachment personalization, and URL obfuscation.
Personalized attachments
RTF files are quite uncommon these days, the researchers said, which means two things: victims aren’t as suspicious when they receive them by email, and security solutions (especially traditional email security filters) don’t flag them as often.
So when a threat actor sends a phishing email with an .RTF file attached, victims are slightly more likely to open it. That brought the researchers to the second point: attachment personalization. They say the criminals have found a way to change the filename in the email to match the intended recipient’s domain. As a result, the attachment carries the name of the target company, which increases credibility.
Finally, there is URL obfuscation. In the .RTF file, the crooks added a link that “looks innocent enough,” and often seemed to lead to a well-known site, such as microsoft.com. However, through clever use of the @ symbol, they can redirect the victim to a malicious site. The usual link in these files would look something like this: https://www.microsoft.com@malicious-site.com/invoice.pdf.
“In the world of URLs, everything before the @ is treated as a ‘username’, but can be written to resemble a trusted domain,” the researchers explain. “The catch? The browser ignores everything before the @ and only cares about what comes after.”
In other words, if the victim doesn’t read the entire link carefully, he might think he’s visiting microsoft.com, but he’ll be taken somewhere else instead.
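A mail filter or triage script can catch this pattern by parsing each link and comparing the text before the @ with the host the browser will actually contact. The following Python sketch is an added example, not code from Ironscales; the function names and the sample RTF fragment are constructed for illustration, and the URL pattern is deliberately simple.

```python
import re
from urllib.parse import urlsplit

# Simplified pattern for http(s) URLs in raw RTF or extracted text.
URL_RE = re.compile(r'https?://[^\s"<>{}\\]+', re.IGNORECASE)
# Userinfo shaped like a hostname, e.g. "www.microsoft.com".
HOSTLIKE_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

# Constructed sample: two RTF hyperlink fields, one using the @ trick.
SAMPLE_RTF = r'''{\rtf1\ansi
{\field{\*\fldinst HYPERLINK "https://www.microsoft.com@malicious-site.com/invoice.pdf"}{\fldrslt View invoice}}
{\field{\*\fldinst HYPERLINK "https://www.microsoft.com/en-us/security"}{\fldrslt Security}}
}'''


def inspect_url(url):
    """Return a finding if the URL has a userinfo part before '@', else None."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None  # malformed authority; handle separately in real tooling
    if parts.username is None:
        return None  # no '@' in the authority, nothing is being hidden
    decoy = parts.username  # what a hurried reader sees first
    return {
        "url": url,
        "displayed_as": decoy,
        "real_host": parts.hostname,  # where the browser actually connects
        "looks_like_domain": bool(HOSTLIKE_RE.match(decoy)),
    }


def scan_text(text):
    """Find every URL in text and return findings for those with userinfo."""
    findings = []
    for match in URL_RE.finditer(text):
        finding = inspect_url(match.group(0).rstrip(".,;)"))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_RTF):
        flag = "HIGH" if f["looks_like_domain"] else "review"
        print(f"[{flag}] shown as {f['displayed_as']!r}, goes to {f['real_host']!r}")
```

Legitimate web links almost never carry a username, so any hit is worth review; a username that itself looks like a domain is the strongest signal.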
In conclusion, crooks are getting smarter, Ironscales argues, which means organizations must do the same – or face the consequences.