Connect with us

Hi, what are you looking for?


Email Security

Report Shows Increase in Email Attacks Using .com File Extensions

Leesburg, VA-based anti-phishing firm Cofense (formerly PhishMe) has discovered an uptick in the use of .com file extensions in phishing emails. 

Leesburg, VA-based anti-phishing firm Cofense (formerly PhishMe) has discovered an uptick in the use of .com file extensions in phishing emails. 

The .com file extension designated executable files in DOS and Windows 95, 98 and Me. It has been replaced by .exe in later versions of the operating system — for example, the early Windows shell program was replaced by cmd.exe in later versions. However, for backwards compatibility, Windows will still attempt to execute a file with the .com extension.

Throughout October, Cofense analyzed 132 unique phishing samples with the .com extension. To put this uptick in context, it found only 34 samples in the entire preceding nine months of 2018.

The most popular subject line lures in the new campaign (or campaigns) are ‘payment’ and ‘purchase order’ themes. These two make up 67% of the samples analyzed. Other themes include ‘shipping’, ‘invoice’ and ‘remittance advice’, giving the campaign a strong financial bias. The payload is generally information-stealing malware. “Threat actors,” writes Aaron Riley, intelligence analyst at Cofense, in a blog posted Thursday, “are likely carrying out these campaigns to target employees with financial information stored on their local machines, which explains the use of information-stealing malware as the campaignsí payloads.”

There is a correlation between the subject line and the delivered malware. Purchase order subject emails most commonly delivered the Loki Bot information stealer and the Hawkeye keylogger. Those with ‘payment’ subject lines more commonly delivered the AZORult information stealer. Riley isn’t sure whether this indicates multiple groups or a single group believing that different malware better suits different targets.

Loki Bot (36%), AZORult (34%) and Hawkeye (24%) together accounted for 94% of the payloads. Pony also occurred but comprised just 4% of the payloads. In most cases, the .com payloads are directly attached to the phishing email. In some cases an attachment contained an intermediary dropper. As awareness of these methodologies increases, Riley “expects to see an increase in intermediary delivery of malicious .com files, wherein a “dropper” attachment will arrive with the phish and subsequently load the weaponized .com file onto the end point.”

There was also a correlation between the malware type and their C2s. The samples of .com binaries that delivered AZORult communicated exclusively with domains hosted by Cloudflare. More than 75% of those delivering Loki Bot did similarly (Hawkeye stood apart, communicating exclusively with unique email domains). Cofense does not believe that Cloudflare is hosting the actual C2, but is rather being used as a domain front.

Advertisement. Scroll to continue reading.

“By using Cloudflare,” writes Riley, “which is typically trusted by most organizations, the attackers are able to circumvent blocks that might be put in place. Cloudflare recently changed its policies to disallow its use for malicious hosting, yet the service has continued to be used by attackers for malicious redirection.”

Cofense expects to see an increased incidence of malware using the .com extension, with similar campaigns expanding to other industries such as healthcare and telecommunications. “An increased use of the .com extensions,” warns Riley, “can be harmful to enterprise networks if organizations are not prepared for it, and once they are, another file extension will surge in popularity in a constant effort to stay ahead of the defense.”

Cofense has a different approach to anti-phishing than many of its competitors. While machine learning and artificial intelligence is increasingly being used by technology to detect phishing and other forms of malicious email, Cofense concentrates on harnessing the collective intelligence of the users who receive the email. It trains user awareness, encourages user reporting, and analyzes those reports. 

Cofense, formerly known as PhishMe, was acquired by a private equity consortium in February 2018. The deal valued the firm at $400 million. PhishMe had previously raised around $58 million in various funding rounds, including $42.5 million Series C funding in July 2016. 

Related: Phishing Campaign Targets 400 Industrial Organizations 

Related: Phishing Poses Biggest Threat to Users: Google 

Related: AI-Facilitated Product Aims to Stop Spear-Phishing Attacks 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Enterprise users have been warned that cybercriminals may be trying to phish their credentials by luring them with fake emails that appear to be...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...