Successfully fend off Rich Text File Type Evasion Tricks

Since this week, we have been noticing a new wave of attacks with RTF documents, where spammers use various “file type evasion tricks”. We show how you should configure the content filter to fend off the attacks. For NoSpamProxy Cloud customers, we have already implemented the appropriate measures.

Figure: Example of a recent spam message with a malicious RTF document.

At first glance, the attachment looks like a Word document. This simple trick has long been part of the spammers' repertoire, because Microsoft Word is unfortunately so forgiving that it opens these documents anyway. In our blog, we already recommended in 2018, in the wake of Emotet, how to fend off such a mismatch between file type and file extension in the content filter.

In the current wave, the header of the RTF document is now also additionally manipulated. In the original rich text specification from June 1992, Microsoft defines the header as follows:

Figure: Microsoft Rich Text Format Specification 1.0. The first rich text specification appeared 29 years ago.

But in Redmond they do not seem to stick to their own specification: spammers now send documents that do not start with “{\rtf1”. Unfortunately, Microsoft Word is just as tolerant here and opens manipulated RTF documents that begin, for example, only with “{\rt”.

Because of this manipulation of the RTF header, the file type detection in NoSpamProxy no longer works correctly, and the attachment is falsely detected as “Text only / Plain text”.

Figure: Various test documents and their detection in NoSpamProxy Message Tracking.

Configure content filter

For stricter handling of these spam emails, we recommend the following temporary local modification: configure the content filter entries as described in “Configuration option 2” of the Knowledge Base article “Configuring content filters”.

  • File type: Text -> “Rich Text Format” AND Filename: *.doc; *.docx
  • File type: Text -> “Rich Text Format with OLE objects” AND Filename: *.doc; *.docx
  • File type: Text -> “Text only” AND Filename: *.doc; *.docx
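The following is an added example, not NoSpamProxy code, showing how the header trick and the three content filter entries above fit together: a magic-byte classifier that treats a truncated “{\rt” header as RTF rather than plain text, and a rule set that blocks RTF, RTF with OLE objects and plain text when the filename claims *.doc or *.docx. The sample attachments, rule names and helper functions are constructed for illustration.

```python
import fnmatch
import re
from typing import Tuple

# Constructed sample attachments (first bytes only); not the page's test files.
SAMPLES = {
    "Order Enquiry.doc": b"{\\rt\\ansi Hello World}",             # truncated header trick
    "HelloWorld-ExtensionTrick.doc": b"{\\rtf1\\ansi Hello World}",  # RTF renamed to .doc
    "invoice.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,  # genuine OLE .doc
    "invoice.docx": b"PK\x03\x04" + b"\x00" * 12,                  # genuine OOXML .docx
    "memo.rtf": b"{\\rtf1\\ansi legitimate memo}",                 # honest RTF
    "embed.doc": b"{\\rtf1\\ansi {\\object\\objemb x}}",           # RTF carrying an OLE object
}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office compound file

def detect_type(data: bytes) -> str:
    """Classify an attachment by its leading bytes.

    A header that is only a prefix of the RTF signature (e.g. "{\\rt") is
    still classified as RTF, because Word opens such files anyway; a
    detector that falls through to "plain-text" here is what the trick abuses.
    """
    if data.startswith(OLE_MAGIC):
        return "ole-compound"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if re.match(rb"\{\\rt", data):  # matches {\rtf1 and the truncated variants
        return "rtf-ole" if b"\\object" in data else "rtf"
    return "plain-text"

# Mirrors the three content filter entries: detected type AND filename pattern.
BLOCK_RULES = [
    ("rtf", ["*.doc", "*.docx"]),
    ("rtf-ole", ["*.doc", "*.docx"]),
    ("plain-text", ["*.doc", "*.docx"]),  # catches headers the detector still misses
]

def should_block(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (blocked, reason) for one attachment under the rules above."""
    ftype = detect_type(data)
    for rule_type, patterns in BLOCK_RULES:
        if ftype == rule_type and any(fnmatch.fnmatch(filename.lower(), p) for p in patterns):
            return True, f"{ftype} content with filename {filename!r}"
    return False, ftype

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(f"{name:32} -> {should_block(name, head)}")
```

Genuine OLE and OOXML attachments pass untouched, so the rules only bite when the container type contradicts the extension.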

SQL query

Furthermore, we provide an SQL query (download link) to search the NoSpamProxy database for RTF documents using such tricks.

Here you can also quickly see in advance whether this tightening in the content filter could possibly lead to problems with legitimate e-mails from partners. This gives you the opportunity to address these affected partners and point out the upcoming tightening of your e-mail policy in advance.

  1. Install Microsoft SQL Management Studio on the system where the affected database is installed. Microsoft SQL Management Studio is available free of charge from the Microsoft website.
  2. Start SQL Management Studio.
  3. Log on to the SQL instance where the database is running. Usually these instances are called (local)\SQLEXPRESS or (local)\NOSPAMPROXY.
  4. After a successful login, execute the SQL query.

Test documents

We also provide the following harmless “Hello World” test documents to be able to test the successful tightening in the content filter as well:

  • HelloWorld-ExtensionTrick.doc
  • HelloWorld-MagicBytesTrick-rt_instead_of_rtf1.doc

IOC List

Filename: „Order Enquiry.doc“

Sha256 Hash: 83d493530df0cc487e1adf6684ffef73415f69d54c0b665d7276d81575f2dc02
