Detection from First Preview Sight

Posted by: Ran Dubin / January 4, 2020
Tags: ai, computer vision, preview image

In today’s busy lifestyle, it’s important to try and create a work-life balance. To help make this separation most people have at least two email addresses, one for personal and the other for work. For hackers and scammers, email is the most successful attack entry point with over 91% of attacks starting with an innocent looking email in your inbox.

These attacks can inflict severe damage, from stealing sensitive customer information to selling that information or exploiting it in other ways.

Most users appreciate the importance and value of file/email detection services. However, the challenge for the vendor is maintaining a high Quality of Experience (QoE). A balance needs to be struck: analyzing millions of files quickly while keeping false positives (FP) to a minimum. Alongside this, the vendor needs to minimize the time between email delivery and content verification, so that delivery of content is not postponed.

Image preview detection using Artificial Intelligence (AI)

Artificial Intelligence (AI) has led to many breakthroughs in recent years and has proved its ability to tear through the boundaries of innovation. The potential of AI compared to a human expert's capability in terms of speed, scale and quality is infinite. In cybersecurity, it is agreed that AI is a game changer. 61% of enterprises say they cannot detect breach attempts today without the use of AI technologies.

At SNDBOX we harness the power of AI to deliver ultra-fast analysis and detection across multiple attack vectors. We are proud to launch our Image Preview Detection Service, which adds a new, efficient detection vector to our platform and is designed to detect a known, verified malicious preview signature image in a new document. By combining AI with computer vision, the service is fast and provides accurate results. It offers an extremely low FP rate and can detect and stop attacks where other security mechanisms have failed.

  • Macro

Macro attacks use a malicious macro script to initiate the attack; macros are usually disabled by default by the organization's software policy. Unsuspecting users who open the document are then guided, on the first page of the document (which can be seen in the preview image), to take the steps that enable the macro attack.

This Office file guides the user to “Enable Editing” and “Enable Content”. When the user follows the instructions, the outcome is a sophisticated attack that uses WMI services [Link to the sample]:

  • User interaction

Interaction attacks entice the user to click on a file or link that initiates a phishing attack. This could involve the download of malicious files or payloads that start the attack. For example, this phishing OneDrive PDF file asks the user to log in to a well-known cloud application. In this example, when the user clicks, a browser opens and asks for the user's Office 365 credentials. Preview image of the fake OneDrive PDF file:

  • Exploit

These attacks are based on a zero-day or one-day exploit that evades detection and targets the host. Usually, the malicious nature will not be obvious to the user, as these attacks do not depend on user interaction, and the image preview will sometimes be empty.
For example [Link to the sample]:

The image preview for this file looks harmless, as it has a white preview (an empty document), but the file uses the well-known CVE-2017-11882 (the Equation Editor vulnerability) as the attack vector. When the user opens the document, the attack initiates.

Our research team adds preview images of verified threats seen across the internet, using proprietary honeypots, the SNDBOX public malware research platform and partnerships with other security vendors. In one click, our active learning algorithms add the new image to all our products, ensuring that our customers are protected immediately.
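The matching step described above, as an added illustration that is not SNDBOX code: a new document's first-page preview is hashed with an average hash and compared, by Hamming distance, against a set of known malicious preview signatures, and a blank (white) preview such as the exploit case above is deliberately never matched. The page layouts, shade values and the distance threshold are constructed for this example.

```python
from typing import Dict, List, Optional, Tuple

Image = List[List[int]]  # grayscale rows, 0 (black) .. 255 (white)
Rect = Tuple[int, int, int, int, int]  # row0, row1, col0, col1, shade (inclusive ranges)

def render_preview(rects: List[Rect], size: int = 16) -> Image:
    """Constructed stand-in for a rendered first-page preview: white page plus shaded blocks."""
    img = [[255] * size for _ in range(size)]
    for r0, r1, c0, c1, shade in rects:
        for y in range(r0, r1 + 1):
            for x in range(c0, c1 + 1):
                img[y][x] = shade
    return img

def average_hash(img: Image, size: int = 8) -> int:
    """aHash: nearest-neighbour size x size thumbnail, one bit per pixel (brighter than the mean)."""
    h, w = len(img), len(img[0])
    thumb = [img[y * h // size][x * w // size] for y in range(size) for x in range(size)]
    mean = sum(thumb) / len(thumb)
    bits = 0
    for p in thumb:
        bits = (bits << 1) | (1 if p > mean else 0)
    return bits

def is_blank(img: Image, tolerance: int = 8) -> bool:
    """Near-uniform page (the empty-document exploit case): there is no layout to match."""
    flat = [p for row in img for p in row]
    return max(flat) - min(flat) <= tolerance

def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")

def match_preview(img: Image, signatures: Dict[str, int], max_distance: int = 8) -> Optional[str]:
    """Name of the closest known malicious preview within max_distance bits, else None."""
    if is_blank(img):
        return None  # a blank preview is never a hit; it must fall back to other analysis
    h = average_hash(img)
    name, sig = min(signatures.items(), key=lambda kv: hamming(h, kv[1]))
    return name if hamming(h, sig) <= max_distance else None

# Constructed sample previews (hypothetical layouts, not real samples):
# dark banner + light message bar + two text lines = an "enable content" style lure.
LURE = render_preview([(0, 3, 0, 15, 40), (4, 5, 0, 15, 200), (8, 9, 2, 11, 60), (12, 13, 2, 7, 60)])
LURE_VARIANT = render_preview([(0, 3, 0, 15, 50), (4, 5, 0, 15, 200), (8, 9, 2, 9, 60), (12, 13, 2, 7, 60)])
BENIGN = render_preview([(2, 3, 2, 9, 60), (8, 13, 1, 13, 90)])  # plain title + body text
BLANK = render_preview([])  # white page, as in the exploit case
SIGNATURES = {"enable_content_lure": average_hash(LURE)}
```

The variant lure lands one bit from the stored signature and is matched, the benign page is 22 bits away and is not, and the blank page is rejected before hashing.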

Preview image AI detection is fast, accurate, and provides great visibility. SNDBOX is proud to include it across our entire product range. It is now available as a stand-alone solution for our OEM customers.