State-backed hackers increasingly use RTF template injection for phishing

Discussion in 'malware problems & news' started by mood, Dec 1, 2021.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,316
    December 1, 2021
    Proofpoint: Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors
     
    Last edited: Dec 6, 2021
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    And what about if you simply block MS Word or any other document reader from making outbound connections, will this attack still work?
     
  3. Bellmu

    Bellmu Registered Member

    Joined:
    Dec 5, 2021
    Posts:
    1
    Location:
    United States
    In what ways should individuals and businesses protect against this new method of attack?
     
  4. RYT

    RYT Registered Member

    Joined:
    Dec 5, 2021
    Posts:
    1
    Location:
    Frankfurt
How about blocking .rtf attachments altogether unless there is a valid business reason; users could request the attachment to be released from quarantine, and IT admins could analyze the file before releasing it.
    I am wondering how EOP fares with this method of attack.

    Alternatively there are other mitigating factors / tools:
    1. Tools like Second Chance (from KnowBe4) can stop users from going to dodgy links, as a warning pops up showing the actual link where the user will be taken and asking them if they want to continue.
    2. IDS / IPS software running on your network might catch that type of traffic and stop it.
    3. A good EDR tool can also prevent such attacks from executing.
    4. Disabling macros and active content in Word.
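A defender-side check for the technique the Proofpoint write-up describes, added here as an example and not taken from Proofpoint or from any poster in the thread: it locates the `{\*\template ...}` destination group in an RTF file, decodes the standard RTF escapes (`\'hh` hex bytes, `\uN` Unicode, `\\`) that can obscure a URL, and flags destinations that point somewhere remote instead of at a local template. The sample documents are constructed, the hostnames are placeholders, and the list of "remote" schemes and the escape handling are my assumptions based on the RTF control-word syntax, not anything stated on this page.

```python
"""Flag RTF files whose \\*\\template destination points to a remote location.

Added example for this thread; the sample documents below are constructed
and the hostnames (example.invalid, fileserver.invalid) are placeholders.
"""
from __future__ import annotations

import re
import sys

TEMPLATE_MARKER = r"{\*\template"
# Destinations a local template would not use: HTTP(S), FTP, file:// and UNC
# paths. Assumed list; extend it to match what is normal in your environment.
REMOTE_TARGET = re.compile(r"^(https?://|ftp://|file://|\\\\[^\\]+\\)", re.IGNORECASE)
_CONTROL_WORD = re.compile(r"[A-Za-z]+-?\d* ?")
_UNICODE_NUM = re.compile(r"-?\d+")


def decode_rtf_text(body: str) -> str:
    """Turn the raw contents of an RTF group into plain text.

    Handles \\'hh (hex byte), \\uN (Unicode code point followed by one
    fallback character), the escaped symbols \\\\ \\{ \\}, and drops any
    other control word so that only the destination text remains.
    """
    out: list[str] = []
    i, n = 0, len(body)
    while i < n:
        c = body[i]
        if c != "\\":
            if c not in "{}\r\n":
                out.append(c)
            i += 1
            continue
        if i + 1 >= n:
            break
        nxt = body[i + 1]
        if nxt == "'" and i + 3 < n:                # \'hh  hex-encoded byte
            out.append(chr(int(body[i + 2:i + 4], 16)))
            i += 4
        elif nxt in "\\{}":                         # escaped literal symbol
            out.append(nxt)
            i += 2
        elif nxt == "u" and (m := _UNICODE_NUM.match(body, i + 2)):  # \uN
            code = int(m.group())
            out.append(chr(code + 65536 if code < 0 else code))
            i = m.end()
            if i < n and body[i] == " ":            # optional delimiter space
                i += 1
            i += 1                                  # skip the fallback character
        else:                                       # any other control word
            m = _CONTROL_WORD.match(body, i + 1)
            i = m.end() if m else i + 2
    return "".join(out).strip()


def find_template_targets(rtf: str) -> list[str]:
    """Return the decoded destination of every {\\*\\template ...} group."""
    targets: list[str] = []
    pos = 0
    while (start := rtf.find(TEMPLATE_MARKER, pos)) != -1:
        i = start + len(TEMPLATE_MARKER)
        depth = 1
        while i < len(rtf) and depth:
            c = rtf[i]
            if c == "\\":        # escaped symbol or control word; never a brace
                i += 2
                continue
            if c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
            i += 1
        body = rtf[start + len(TEMPLATE_MARKER):i - 1]
        targets.append(decode_rtf_text(body))
        pos = i
    return targets


def is_remote_template(target: str) -> bool:
    return REMOTE_TARGET.match(target) is not None


def scan_rtf(rtf: str) -> list[tuple[str, bool]]:
    """(decoded destination, flagged?) for each template group in the document."""
    return [(t, is_remote_template(t)) for t in find_template_targets(rtf)]


# Constructed samples: one local template and four remote ones, two of which
# hide the URL scheme behind hex and Unicode escapes.
SAMPLES = {
    "local": r"{\rtf1\ansi\deff0{\*\template C:\\Users\\alice\\Templates\\report.dotm}{\fonttbl{\f0 Calibri;}}Quarterly report\par}",
    "https": r"{\rtf1\ansi{\*\template https://example.invalid/templates/t.dotm}Hello\par}",
    "hex": r"{\rtf1\ansi{\*\template \'68\'74\'74\'70://example.invalid/x.dotm}Hello\par}",
    "unicode": r"{\rtf1\ansi{\*\template \u104?\u116?tp://example.invalid/u.dotm}Hello\par}",
    "unc": r"{\rtf1\ansi{\*\template \\\\fileserver.invalid\\share\\t.dotm}Hello\par}",
}


def load(path: str) -> str:
    with open(path, encoding="latin-1") as fh:   # RTF is 7-bit; latin-1 never fails
        return fh.read()


def main(argv: list[str]) -> int:
    docs = {p: load(p) for p in argv[1:]} or SAMPLES
    flagged = 0
    for name, rtf in docs.items():
        for target, remote in scan_rtf(rtf):
            print(f"{name}: {'REMOTE TEMPLATE' if remote else 'local template'}: {target}")
            flagged |= int(remote)
    return flagged


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python rtf_template_check.py suspect.rtf` (several paths are fine); without arguments it scans the built-in samples. The exit code is 1 when any remote template destination was found, so it drops into a mail-gateway or quarantine workflow like the one RYT describes. A remote `\*\template` destination is one indicator, not proof of malice, and a document can reference a template in other ways, so treat a hit as a reason to hold the file for analysis rather than as a complete detection.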
     