SquareX Uncovers Critical Vulnerabilities in Malicious Document Detection Among Top Webmail Providers Like Gmail, Outlook
For Press enquiries: https://sqrx.com/pr-and-release
For Investor enquiries: Vivek Ramachandran founder@sqrx.com
SquareX is developing a browser-native security product to detect and mitigate web attacks, including the capability to detect malicious Office documents. To test our malicious document detector, our research team, consisting of Dakshitaa Babu and Govind Krishna, created samples of malicious documents. These include both known and unknown malicious documents, as well as documents with minor modifications.
As our product is an in-browser security agent, we distributed these malicious test documents through email and well-known websites to test various entry points into a user’s computer. This approach helped us emulate the real-world workflows users experience daily in their browsers. We expected most of the known samples to be immediately picked up and blocked by well-known webmail providers. Alarmingly, we discovered that most of these documents successfully evaded their anti-virus/malware scans. It genuinely scared us that it was this easy! We therefore decided to go public with our research in the interest of the public good.
This blog post delves into the details of our research. We welcome your questions and are eager to engage in further discussion.
Study Methodology
100 malicious document samples were collated, studied and broadly categorized into 4 main groups:
- Original Malicious Documents from Malware Bazaar
- Slightly Altered Malicious Documents from Malware Bazaar, such as changes in metadata and file formats
- Malicious Documents modified using attack tools that have existed for many years
- Custom-created but basic macro-enabled documents that execute programs on user devices
These document samples were sent through a third-party email provider (ProtonMail) to each of the email providers (Gmail, Outlook, Yahoo, AOL, and Apple iCloud Mail). The criterion for a successful attack was straightforward: whether the email containing the malicious document attachment was delivered without any warnings or blocks. Our focus was limited to MS Office documents containing malicious macros.
In this section, we disclose some of the samples and show demos of how various email clients handle these documents. At a later date, we plan to release the full data set for research use.
Unmodified Malware Samples
1. Malicious .pptx document
Hash: 061e17f3b2fd4a4dce1bf4f8a31198273f1abc47c32456d06fd5997ea4363578
Source: Malware Bazaar
Analysis: This file employs obfuscation and executes commands to manipulate and execute files on the system without user consent. It attempts to disguise its actions with a misleading error message, indicating an attempt to compromise the system. Full analysis here.
2. Malicious .xls document
Hash: a1d323166349f499aa796148c0120f89d3a0946abdf74f0dc045c5641b2ab2d3
Source: Malware Bazaar
Analysis: Recognized by 35 security vendors and sandboxes as containing a trojan downloader, this Excel file is clearly identified as malicious and poses a significant threat. Full analysis here.
Modified Samples
3. Malicious .doc document
Hash: 77b45d70062e2d27973484bfa11f3dc838a579d53d0989ba630bf109316d4684
Source: Malware Bazaar
Analysis: Contains macros that perform suspicious functions, such as file manipulation and displaying splash screens. The malicious document has been purged (modified) with OfficePurge to potentially evade antivirus detection. Full analysis here.
4. Malicious .xlsx document
Hash: af843dee2be7f8aac802500b3ea1c848e36cd936073250be0dfad58e842e75ee
Source: Malware Bazaar
Analysis: The malicious Excel document contains a trojan. In the modified version the spreadsheet contents are exactly the same, but the metadata (creator name, author name, creation time and last-modification time) has been changed. This alters the hash of the file, which surprisingly appears to be enough to beat the webmail scanners. Full analysis here.
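As an added example (not part of SquareX's research or product), the following Python shows why a metadata-only edit such as the one in sample 4 defeats a whole-file hash check, and how a defender can instead fingerprint the embedded VBA project, which such an edit does not touch. It assumes the real OOXML layout (metadata in docProps/core.xml, macros in xl/vbaProject.bin) but builds the zip in memory from constructed placeholder bytes, not a real macro.

```python
import hashlib
import io
import zipfile
from typing import Optional

# Constructed stand-in for a macro-enabled OOXML workbook. Real files keep
# document metadata in docProps/core.xml and the VBA project in xl/vbaProject.bin;
# the VBA bytes below are a placeholder, not a real macro.
CORE_XML = ("<cp:coreProperties><dc:creator>{creator}</dc:creator>"
            "<dcterms:created>{created}</dcterms:created></cp:coreProperties>")
FAKE_VBA = b"CONSTRUCTED-VBA-PROJECT-PLACEHOLDER"
FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # fixed zip timestamps keep builds deterministic


def build_sample(creator: str, created: str, with_macro: bool = True) -> bytes:
    """Build an in-memory .xlsm-like zip containing only the parts this check needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        core = CORE_XML.format(creator=creator, created=created).encode()
        zf.writestr(zipfile.ZipInfo("docProps/core.xml", FIXED_TIME), core)
        if with_macro:
            zf.writestr(zipfile.ZipInfo("xl/vbaProject.bin", FIXED_TIME), FAKE_VBA)
    return buf.getvalue()


def file_hash(data: bytes) -> str:
    """Whole-file SHA-256: what a blocklist of known-bad samples keys on."""
    return hashlib.sha256(data).hexdigest()


def macro_fingerprint(data: bytes) -> Optional[str]:
    """SHA-256 of the embedded VBA project only; None when the file carries no macro."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith("/vbaProject.bin"):
                return hashlib.sha256(zf.read(name)).hexdigest()
    return None


def compare(original: bytes, modified: bytes) -> dict:
    """Report which indicator survives a metadata-only edit of the document."""
    return {
        "file_hash_changed": file_hash(original) != file_hash(modified),
        "macro_fingerprint_changed": macro_fingerprint(original) != macro_fingerprint(modified),
    }


if __name__ == "__main__":
    known_bad = build_sample("alice", "2023-01-01T00:00:00Z")
    relabelled = build_sample("bob", "2024-06-01T00:00:00Z")  # same macro, new metadata
    print(compare(known_bad, relabelled))
    # -> {'file_hash_changed': True, 'macro_fingerprint_changed': False}
```

A scanner that keys detections on the VBA project fingerprint (or on the macro's behaviour) rather than on the whole-file hash is unaffected by the metadata change described above.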
Billions of internet users and SMBs blindly trust public webmail providers to scan document attachments for security risks. We recommend that webmail providers transparently publish details of their scanning technology’s limitations and explicitly warn users about these caveats. This will ensure that users understand the risks and the need to use additional security products.
SquareX’s browser-native security product hooks events such as file download triggers and can analyse malicious Office documents in memory. This also makes it privacy-safe, as the data never leaves the user’s device. We have made an early preview of this technology available in our free Chrome extension, which already has over 100,000 cybersecurity and IT users. The full product, with both professional and enterprise versions, will be unveiled at RSA next month.
In the video below, we demonstrate the most advanced of the four attacks, the purged document (sample 3), which none of the webmail clients detected, now opened with SquareX enabled in the browser. SquareX is able to detect and mitigate this threat regardless of the source of the file.
One of the free features we have released, ‘Gmail: Scan for Malicious Documents’, introduced the first of our in-browser malicious document detection: a completely privacy-safe way to scan documents entirely in the browser. We have also extended this in-browser detection to all internet downloads through our ‘Scan for Malicious Documents in Download Interceptor’ feature.
Getting Started with SquareX for Individuals and Enterprises
Individuals: It’s simple to get started with our free browser extension:
- Visit sqrx.com on Chrome/Brave/Edge or other Chromium-based browsers.
- Add SquareX to your browser. Sign up for free.
Enterprises: Experience the full power of SquareX Enterprise to detect, mitigate and threat-hunt web attacks in your organisation. Contact us to get started with a pilot.