Email-based attacks remain at the forefront of the cybersecurity threat landscape, ever-evolving to circumvent defenses and trick unsuspecting users. In this presentation, we will discuss the nuances of the latest trending social engineering techniques including QR codes, image-as-content attacks, HTML Smuggling SVGs, and more. We will examine several real-world examples, discuss attacker objectives, and explore the tactics used to make them appear legitimate. Additionally, we will discuss methods of detection and prevention by analyzing signals unique to these attacks.

The pervasiveness of QR codes in daily life, combined with the ease of generating them, presents unique security challenges. Their quick-scan nature means users often trust and act on them without the scrutiny given to URLs. Moreover, most traditional email security systems are geared towards analyzing text-based content, making QR-encoded URLs slip through undetected.

In parallel, attackers are leveraging images to embed the text of their attacks. Since many email security scanners rely on analyzing suspicious text and URLs embedded directly in the body of messages, attackers are often able to bypass traditional detection.

Attendees will come away from this talk with a better understanding of the latest email threats and the methods they can use to protect themselves and their organizations against them.

Email remains the #1 initial access vector for commodity malware and nation state actors. Historically, tackling email-based threats has been considered the purview of black-box vendor solutions, with defenders having limited scope (or tooling!) to swiftly and effectively respond to novel offensive tradecraft.

In this training, attendees will be given detailed insight into the latest techniques used to deliver prevalent malware strains, including QakBot and Emotet, and will hunt through email data to identify this malicious activity, developing rules to detect and block these attacks.

Initially attendees will be introduced to the foundational technologies that enable threat hunting and detection engineering in the email domain, before being given access to the email data of a fictitious company seeded with benign and real-world attack data.

Attendees will be guided through the rule creation process, utilizing free and open detection engines including Sublime and Yara, and will be introduced to the signals that can be used to craft high-fidelity rules, including sentiment analysis, domain age, and attachment analysis. Having completed the training, attendees will have a strong understanding of the tools and techniques at their disposal to defend their organizations from all manor of email threats.