Phishers’ new trick for bypassing email URL filters

Phishers have come up with another trick to make Office documents carrying malicious links undetectable by many e-mail security services: they delete the links from the document’s relationship file (xml.rels).

The trick has been spotted being used in a email spam campaign aimed at leading victims to a credential harvesting login page.

Why does this approach work?

“Office documents (.docx, .xlsx, .pptx) are made up of a number of XML files that include all the font, image, formatting, and object information which make up the document,” Avanan researchers explain.

The xml.rels file maps relationships within these files and with resources outside of the them. When the document includes web links, they are added to this file.

When scanning attachments for malicious content, most email filters scan the document for external web links and compare them to a database of malicious sites or follow the links and evaluate their target themselves. But, unfortunately, some skip that step and check only the contents of the associated relationship file.

“If, for some reason, the document contains URL links that are not included in the xmls.rels file, these parses will not see them, even though they are still active and clickable within the document,” the researchers explained.

Who may be affected?

Users whose email inboxes are protected by Microsoft Exchange Online Protection (EOP), ProofPoint and F-Secure are vulnerable to this so-called NoRelationship attack, while those shielded by Microsoft Advanced Threat Protection (ATP), Mimecast and Avanan are not.

“It seems there are no shortcuts to be had in email scanning,” the researchers noted. “The only solution is to scan the entire file.”