Abusing Trusted Relationships (T1199): Delivering Malicious Emails by Compromising Historical Recipients
Background: From time to time, the infosec community observes trends where threat actors abuse Trusted Relationships (T1199) to deliver malware to known recipients. This technique exploits the fact that people often trust emails from senders with whom they have had prior email interactions.
Attack pattern description: After compromising an email account, threat actors typically send short messages of only a few words or sentences. For example: "Please find the necessary documents attached. I await your urgent reply," accompanied by a malicious attachment or link.
Attack example of abusing T1199: Attackers usually deliver one of three file types: JS, EXE, or LNK. In one observed case, the EXE file was built with AutoIt, a tool designed for Windows automation.
Initial checking:
Based on its behavior as an AutoIt-built executable, the sample decompiles its embedded payload to C:\Users\CurrentUser\AppData\Local\Temp, with the payload named "contrapose".

Action Items to Take in Such Cases:
- Trust no one.
- Ensure that the email gateway protection supports automated attachment analysis.
- Monitor for AutoIt execution alongside wscript and rundll32, especially when the file location is in the Temp folder.
- Monitor persistence mechanism modifications, particularly registry changes.
- Correlate the email sender with third-party Threat Intelligence (TI) tools to detect potential compromise.
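The two monitoring items above (AutoIt next to wscript/rundll32 with Temp-folder paths, and registry persistence changes) can be expressed as simple detection logic. The following Python script is an added example and not code from the original post; it runs over constructed, Sysmon-shaped process-creation and registry-value-set records that I made up for illustration (the user name "alice", the registry SID, and the file stage2.dll are invented; only the payload name "contrapose" comes from the post).

```python
import ntpath
import re

# Constructed sample telemetry, shaped loosely like Sysmon process-creation
# (EventID 1) and registry-value-set (EventID 13) records. Paths, the user
# "alice" and the SID are made up for this example; "contrapose" is the
# payload name reported in the post.
SAMPLE_EVENTS = [
    {   # AutoIt launched by wscript with a script in the user's Temp folder
        "event_id": 1,
        "image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
        "parent_image": r"C:\Windows\System32\wscript.exe",
        "command_line": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" C:\Users\alice\AppData\Local\Temp\contrapose',
    },
    {   # rundll32 spawned by a binary living in Temp
        "event_id": 1,
        "image": r"C:\Windows\System32\rundll32.exe",
        "parent_image": r"C:\Users\alice\AppData\Local\Temp\contrapose.exe",
        "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\stage2.dll,Run",
    },
    {   # benign: an editor started from Explorer
        "event_id": 1,
        "image": r"C:\Windows\System32\notepad.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "notepad.exe",
    },
    {   # Run-key persistence pointing at a Temp-folder executable
        "event_id": 13,
        "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "details": r"C:\Users\alice\AppData\Local\Temp\contrapose.exe",
    },
    {   # benign registry write outside the Run keys
        "event_id": 13,
        "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "details": "DWORD (0x00000001)",
    },
]

# Temp locations the post calls out, plus the system-wide Temp folder.
TEMP_PATH_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# Classic autostart keys under CurrentVersion.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
AUTOIT_IMAGES = {"autoit3.exe", "autoit3_x64.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "rundll32.exe"}


def basename(path):
    """Lower-cased file name of a Windows path; ntpath splits on backslashes on any OS."""
    return ntpath.basename(path).lower()


def check_process(ev):
    """Reasons an EventID 1 record matches the AutoIt/script-host/Temp pattern."""
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    cmd = ev.get("command_line", "")
    reasons = []
    if image in AUTOIT_IMAGES and parent in SCRIPT_HOSTS:
        reasons.append(f"AutoIt started by script host {parent}")
    if parent in AUTOIT_IMAGES and image in SCRIPT_HOSTS:
        reasons.append(f"AutoIt spawned script host {image}")
    if image in AUTOIT_IMAGES and TEMP_PATH_RE.search(cmd):
        reasons.append("AutoIt given a script or payload under a Temp folder")
    if image in SCRIPT_HOSTS and TEMP_PATH_RE.search(ev["parent_image"]):
        reasons.append(f"{image} launched by a binary under a Temp folder")
    return reasons


def check_registry(ev):
    """Reasons an EventID 13 record looks like Temp-based Run-key persistence."""
    reasons = []
    if RUN_KEY_RE.search(ev["target_object"]) and TEMP_PATH_RE.search(ev.get("details", "")):
        reasons.append("Run/RunOnce value points at a Temp-folder executable")
    return reasons


def triage(events):
    """Dispatch each event to the matching check and collect the alerts."""
    alerts = []
    for ev in events:
        if ev["event_id"] == 1:
            reasons = check_process(ev)
        elif ev["event_id"] == 13:
            reasons = check_registry(ev)
        else:
            reasons = []
        if reasons:
            alerts.append({"event": ev, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["event"].get("image") or alert["event"].get("target_object"))
        for reason in alert["reasons"]:
            print("  -", reason)
```

Run as-is, the script raises three alerts out of the five sample records: the wscript-to-AutoIt launch (two reasons), the rundll32 child of the Temp-folder binary, and the Run-key value pointing into Temp. The benign notepad and Explorer registry events are left alone. In a real deployment the same checks would be fed from Sysmon or EDR process and registry telemetry rather than from an in-memory list.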
Conclusion: In the modern digital world, nothing is completely safe. For this reason, you need to implement defense-in-depth protection to effectively combat Trusted Relationships (T1199), a MITRE sub-technique.
Stay Saf3! j0K3r
