Successfully fend off Rich Text File Type Evasion Tricks

Since this week, we have been noticing a new wave of attacks with RTF documents, where spammers use various “file type evasion tricks”. We show how you should configure the content filter to fend off the attacks. For NoSpamProxy Cloud customers, we have already implemented the appropriate measures.

Richtext File Type Evasion Tricks - Spam message example

Example of a recent spam message with a malicious RTF document.

At first glance, the attachment looks like a Word document. This simple trick has long been used in the repertoire of spammers, because unfortunately Microsoft Word is so forgiving and also opens these documents. In our blog blog, we already recommended actions in 2018 in the wake of Emotet to successfully fend off a corresponding mismatch of the file type and file extension in the content filter.

In the current wave, the header of the RTF document is now also additionally manipulated. In the original rich text specification from June 1992, Microsoft defines the header as follows:

Richtext File Type Evasion Tricks - Microsoft Richtext Format Specification 1.0

The first rich text specification appeared 29 years ago.

But in Redmond they don’t seem to stick to their own specification and spammers now use documents which don’t start with “{rtf1”. Unfortunately, Microsoft Word is also so tolerant here and opens the manipulated RTF documents, which e.g. only begin with “{rt”.

Due to these manipulations of the RTF header the file type detection in NoSpamProxy does not work correctly anymore and the attachment is falsely detected as “Text only / Plain text”.

Richtext File Type Evasion Tricks - NoSpamProxy - Message tracking

Various test documents and detection in NoSpamProxy Message Tracking

Configure content filter

For stricter handling of these spam emails, we recommend the following temporary local modification:

Therefore, configure the content filter entry as described in “Configuration option 2” of the Knowledge Base article “Configuring content filters“.

Richtext File Type Evasion Tricks - NoSpamProxy - Inhaltsfilter (deutsch)
  • File type: Text -> „Rich-Text-Format“ AND Filename: *.doc; *.docx
  • File type: Text -> „Rich-Text-Format with OLE-Objects“ AND Filename: *.doc; *.docx
  • File type: Text -> „Only Text“ AND Filename: *.doc; *.docx

SQL query

Furthermore, we provide an SQL query to search for such tricks on RTF documents in the NoSpamProxy database: Download

Here you can also quickly see in advance whether this tightening in the content filter could possibly lead to problems with legitimate e-mails from partners. This gives you the opportunity to address these affected partners and point out the upcoming tightening of your e-mail policy in advance.

  1. Install Microsoft SQL Management Studio on the system where the affected database is installed. Microsoft SQL Management Studio is available free of charge on the Microsoft website.
  2. Start the SQL Management Studio.
  3. Log on to the SQL instance where the database is running. Usually these instances are called (local)SQLEXPRESS or (local)NOSPAMPROXY.
  4. After successful login, execute the SQL query

Test documents

We also provide the following harmless “Hello World” test documents to be able to test the successful tightening in the content filter as well:

IOC List

Filename: „Order Enquiry.doc“

Sha256 Hash: 83d493530df0cc487e1adf6684ffef73415f69d54c0b665d7276d81575f2dc02

VirusTotal