
Fortra has identified a novel phishing campaign that uses randomly generated character strings and nested email attachments to bypass email security controls. The attackers are after O365 credentials, and 30 organizations across a range of industries have been targeted. More than 2,000 emails tied to this campaign have so far been quarantined.
At Fortra, our Suspicious Email Analysis team monitors and investigates emails reported by organizations to identify new phishing tactics and support threat detection efforts across the globe. We are disclosing the details of this campaign and mitigation steps to better help organizations prepare for similar threats.
A Closer Look at the Initial Email
This campaign begins with an email whose subject line and sender name use terms like “Remittance,” “Wire Transfer,” or “Electronic Funds” to appear as though it is coming from a financial institution. In addition, the attacker includes a long, random string of characters in both fields. Every email contains a different string, each one 30-40 characters long. Despite its simplicity, this anti-automation/anti-blocking technique proved effective: because each message contained a newly generated string, the emails bypassed exact-match rules created for previously flagged subjects or senders, rendering those security controls ineffective.
Payload Hidden in Plain Sight
Beyond the header information, the message body was blank. Instead, the attackers concealed their payload within a nested message. The original email included another email as an attachment, allowing threats to bypass scanning engines that prioritize the main message content. This embedded message held an SVG (Scalable Vector Graphics) file containing hidden, malicious code.
SVG files are commonly used for graphics, but they can also contain embedded scripts. In this case, the file held a base64-encoded script leading to an external phishing site. The script directed the recipient to a web page that looked like a standard CAPTCHA challenge, creating a false sense of legitimacy. Once the CAPTCHA was solved, the user landed on what looked like a PDF download portal.
To access the file, the user was prompted to enter their email address. This information was then used to generate a customized Office 365 login page, complete with the victim's organization branding and logo. The final step asked for login credentials, at which point the attackers would collect and potentially exploit them.
Detection and Response
Once these threats were identified, our team built an ETH (Email Threat Hunting) rule designed to catch future versions of the emails. We included wildcard symbols in the rule to account for the changing character strings. This broader pattern-matching approach is necessary when dealing with polymorphic threats like this one.
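To make the detection approach concrete, the following added example (written for this post; it is not Fortra's ETH rule or any Fortra tooling) builds a constructed message with the structure described above and then checks it for the same indicators: a financial lure term followed by a 30-40 character random token in the subject or sender name, matched with a wildcard rule rather than an exact string; a blank body; a nested message/rfc822 attachment; and an SVG attachment whose script carries a base64-encoded URL. The addresses, the wildcard patterns, the random tokens and the decoded URL are all placeholders.

```python
import base64
import email
import re
from email import policy
from email.message import EmailMessage
from fnmatch import fnmatchcase

# Hypothetical wildcard rules: the lure term is fixed, '*' absorbs the random
# string that defeats exact-match subject/sender rules.
WILDCARD_RULES = ("remittance *", "wire transfer *", "electronic funds *")
# A 30-40 character run of letters and digits (the token length in the campaign).
RANDOM_TOKEN = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{30,40}(?![A-Za-z0-9])")
SCRIPT_RE = re.compile(rb"<script[^>]*>(.*?)</script>", re.I | re.S)
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")
URL_RE = re.compile(rb"https?://[^\s'\"<>]+")


def build_sample_email() -> bytes:
    """Constructed sample with the campaign's structure; not a captured message."""
    inner = EmailMessage()
    inner["Subject"] = "Remittance advice"
    inner["From"] = "accounts@sender.example"
    inner["To"] = "victim@target.example"
    inner.set_content("Your remittance document is attached.")
    # Placeholder destination; the script is base64-encoded and decoded at runtime.
    js = b"window.location='https://phish-landing.example/'"
    svg = (b'<svg xmlns="http://www.w3.org/2000/svg"><script>eval(atob("'
           + base64.b64encode(js) + b'"))</script></svg>')
    inner.add_attachment(svg, maintype="image", subtype="svg+xml",
                         filename="remittance.svg")

    outer = EmailMessage()
    outer["Subject"] = "Wire Transfer 7Qk2mZx9Lp4Hf8Rt3Nv6Bw1Yc5Sd0Gj"
    outer["From"] = ("Electronic Funds Xy3Pq8Lm2Zt7Wv4Kc9Nb1Rs6Hd0Jf5 "
                     "<notify@sender.example>")
    outer["To"] = "victim@target.example"
    outer.set_content("", cte="7bit")                    # blank body, as in the campaign
    outer.add_attachment(inner, filename="message.eml")  # nested message/rfc822
    return outer.as_bytes()


def decode_svg_script_urls(svg: bytes) -> list:
    """Return URLs found inside base64 blobs within <script> elements of an SVG."""
    urls = []
    for script in SCRIPT_RE.finditer(svg):
        for blob in B64_BLOB.findall(script.group(1)):
            try:
                decoded = base64.b64decode(blob, validate=True)
            except ValueError:          # not real base64 (binascii.Error subclasses it)
                continue
            urls.extend(u.decode("ascii", "replace") for u in URL_RE.findall(decoded))
    return urls


def sender_display_name(msg) -> str:
    """Display name of the From header (the field that carried the random string)."""
    hdr = msg["From"]
    addresses = getattr(hdr, "addresses", ())
    return addresses[0].display_name if addresses else str(hdr or "")


def analyze(raw: bytes) -> dict:
    """Evaluate one raw message against the campaign's indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    sender = sender_display_name(msg)
    body = msg.get_body(preferencelist=("plain", "html"))
    findings = {
        "wildcard_rule_hit": any(fnmatchcase(field.lower(), rule)
                                 for field in (subject, sender)
                                 for rule in WILDCARD_RULES),
        "random_token": bool(RANDOM_TOKEN.search(subject) or RANDOM_TOKEN.search(sender)),
        "blank_body": body is None or not body.get_content().strip(),
        "nested_message": False,
        "svg_script_urls": [],
    }
    for part in msg.walk():                  # walk() descends into message/rfc822 parts
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        if ctype == "message/rfc822":
            findings["nested_message"] = True
        elif ctype == "image/svg+xml" or name.endswith(".svg"):
            payload = part.get_payload(decode=True) or b""
            findings["svg_script_urls"].extend(decode_svg_script_urls(payload))
    return findings


def is_suspicious(findings: dict) -> bool:
    """Quarantine verdict: lure wording plus random token, delivered via nesting or SVG."""
    return (findings["wildcard_rule_hit"] and findings["random_token"]
            and (findings["nested_message"] or bool(findings["svg_script_urls"])))


if __name__ == "__main__":
    result = analyze(build_sample_email())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", "quarantine" if is_suspicious(result) else "allow")
```

The wildcard rule alone would also fire on legitimate remittance notices, which is why the verdict combines it with the random-token heuristic and with the delivery mechanics (nested message, scripted SVG); the token regex by itself would match any 30-40 character hash or reference number, so it is never used as a sole indicator.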
The rule was effective: it successfully flagged and quarantined 2,156 emails across 34 different organizations. For comparison, many detection rules typically catch fewer than 100 messages, which underscores the widespread nature of this particular campaign.
Several elements of this phishing attempt make it particularly noteworthy:
• Strategic language: Financial terms in subject lines and sender names created a false sense of urgency.
• Randomized headers: Unique strings in each email helped the messages bypass security filters.
• Nested delivery: The use of a message attached inside another message helped hide the phishing URL.
• Obfuscated scripting: A base64-encoded script was buried in an SVG file to mask its destination.
• Fake PDF site: Victims were first directed to a counterfeit Adobe-branded page that requested their email address under the pretense of accessing transaction documents.
• Adaptive phishing page: The final login screen mimicked the user’s company branding, increasing the likelihood of interaction.
Individually, none of these methods are new. But used together, they created a high-effort campaign that managed to evade defenses and appear convincing to unsuspecting users.
Final Thoughts
The phishing landscape continues to evolve, and so must the techniques used to detect and block threats. This campaign shows that attackers are constantly testing new combinations of tactics to improve their odds of success.
Defending against threats like this requires strong visibility and the ability to respond quickly. Email security tools must be backed by teams who can write flexible, responsive rules and investigate threats in depth. In this case, our ETH rule’s success in stopping thousands of malicious emails reinforces the value of continuous monitoring and rapid response.