Threat actors are constantly evolving their tactics, techniques, and procedures (TTPs) to bypass user awareness and technological defenses. One such persistent method is the use of seemingly innocuous JPEG images to deliver malicious content, a tactic rebranded recently as the Evil MSI Background. With the rise of targeted spear-phishing campaigns, this methodology has found new life as detailed in a recent analysis by SANS Internet Storm Center.
Campaign or TTP Overview
In this latest campaign resurgence, threat actors have leveraged WeTransfer links in phishing emails to distribute JPEG images carrying malicious payloads. These campaigns have historically targeted corporate environments, notably industries where the transfer of large media files is routine, and they have recently been spotted targeting entities in the finance and communication sectors.
The attack, observed in late 2023, begins with an email purporting to be a legitimate file transfer notification from WeTransfer, a service many organizations have come to trust. The sender often uses cleverly spoofed email addresses that mimic internal or partner communications. The payload, disguised as a benign image, is hosted on WeTransfer itself, a choice that benefits from both the brand’s trustworthiness and the limited scrutiny its links receive in email filtering systems.
Attribution for these campaigns remains difficult, as the attackers utilize common tactics and tools available to multiple threat actors. However, the sophistication of the email construction and the specific targeting of executive personnel suggest a well-coordinated effort, potentially by a group with prior experience in corporate espionage.
How It Was Built
The technical underpinnings of this campaign are both clever and insidious. The initial stage begins with an email crafted to mimic a legitimate WeTransfer notification. A typical subject line might read: [WeTransfer] – You’ve received a secure file from Jane Doe. The sender address could appear as notifications@wetransfer-notify.com, subtly differing from the actual service domain.
The hyperlink included in the email does not direct the victim to a fake phishing site but rather to a genuine WeTransfer page where the payload is hosted. This method capitalizes on trust in third-party services, reducing suspicion that might arise from a direct foreign URL.
URL: https://wetransfer.com/downloads/fake_payload_in_Appearance.jpg [JPEG with embedded MSI]
The JPEG itself is the lure: when the recipient opens it, whether out of curiosity or because the email asked them to, the file attempts to load a malicious MSI package. Embedded through steganographic techniques, the MSI payload runs scripts that download additional malware or harvest credentials, depending on the campaign’s final goal.
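A defender-side check for the "JPEG with embedded MSI" pattern described above, written for this page rather than taken from the SANS ISC analysis or any campaign artifact: it walks the JPEG marker structure to find the real end-of-image marker, then reports any bytes after EOI and whether they carry the OLE Compound File header that MSI packages use. The sample images are constructed inline; appending after EOI is the simplest embedding, and a payload hidden inside the pixel data itself would not be caught by this check.

```python
import struct

JPEG_SOI = b"\xff\xd8"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE Compound File header; MSI packages use this container

def find_jpeg_end(data: bytes):
    """Walk the JPEG marker segments; return the offset just past EOI (FF D9), or None if malformed."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: the image proper ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # markers without a length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                      # SOS: skip entropy-coded data (FF00 stuffing, FFD0-D7 restarts)
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None

def inspect_image(data: bytes) -> dict:
    """Classify: not-jpeg, clean, trailing-data (weak signal) or embedded-msi (CFB header after EOI)."""
    end = find_jpeg_end(data)
    if end is None:
        return {"verdict": "not-jpeg", "trailing_bytes": 0, "cfb_offset": None}
    trailer = data[end:]
    cfb = trailer.find(CFB_MAGIC)
    verdict = "embedded-msi" if cfb >= 0 else ("trailing-data" if trailer else "clean")
    return {"verdict": verdict, "trailing_bytes": len(trailer), "cfb_offset": end + cfb if cfb >= 0 else None}

def build_sample(appended: bytes = b"") -> bytes:
    """Constructed minimal JPEG (APP0 + SOS + EOI), not from any real campaign, with bytes appended after EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\xff\x00\x34"
    return JPEG_SOI + app0 + sos + b"\xff\xd9" + appended

CLEAN_SAMPLE = build_sample()
STEGO_SAMPLE = build_sample(CFB_MAGIC + b"\x00" * 24)   # stand-in for an appended MSI package
```

Run `inspect_image()` over inbound image attachments or downloads; a `cfb_offset` gives the byte position where a carving tool should start to recover the embedded package.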
Why It Worked
Several factors contribute to the campaign’s effectiveness, beginning with the well-chosen framing of trusted services. By leveraging known platforms like WeTransfer, attackers exploit a pre-existing trust relationship and sidestep initial scrutiny. This approach is particularly potent against users conditioned to expect such alerts as part of their daily workflow.
The visual components of the phishing emails — from the spoofed domain to the polished layout — mimic authentic correspondence, adding a layer of credibility that is hard to see through at first glance. The choice of JPEGs as carriers also plays on users’ expectations: most people associate JPEGs with safe, non-executable content, a misconception this technique exploits.
The final factor is the targeting of individuals with access to valuable information or system control, so each successful compromise carries a larger impact. By impersonating WeTransfer, the attackers avoid building a convincing phishing site, which reduces the complexity of the operation while keeping the success rate high.
Operator Takeaways
For red teamers, the Evil MSI Background campaign provides several key insights for simulating similar attack scenarios. First, capitalizing on existing trusted platforms to host malicious payloads can significantly raise the efficacy of a phishing campaign by reducing suspicion. When crafting scenarios, consider how leveraging commonly trusted SaaS platforms in your phishing simulations can augment their realism and effectiveness.
Additionally, meticulous attention to the aesthetic details of spoofed communications increases the likelihood of user interaction. Ensure that your emails closely mimic authentic internal communications or expected external correspondence. Lastly, targeting strategies should prioritize those with high levels of access within an organization to maximize the potential compromise footprint.
Do’s and Don’ts
- Do use real-world domains and brands already known to your target — the more familiar, the more effective.
- Don’t rely solely on email body copy — consider how the email’s visual elements contribute to legitimacy and trust.
- Do target users less likely to question trusted services, thereby increasing the likelihood of payload deployment and execution.
- Don’t use generic sender patterns or subject lines — these can easily be detected by automated filtering systems.
References
Analysis by SANS Internet Storm Center
Proofpoint Analysis on WeTransfer Threats
Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.