SuperMailer Abuse Can Bypass Email Security and Lead to Massive Credential Theft

A recent report from cybersecurity firm Cofense has revealed that a credential-harvesting campaign is using a legitimate email newsletter program called SuperMailer to send out large numbers of phishing emails. The campaign is built to evade secure email gateway (SEG) protections, and SuperMailer-created emails accounted for 5% of all credential phishes Cofense observed in May. The volume of this activity doubled in three of the past four months. The threat actors behind the campaign are using SuperMailer's customization features and sending capabilities to deliver tailored, legitimate-looking emails to victims in a wide range of industries.

SuperMailer is relatively obscure compared to well-known email generators, yet it is behind a significant number of malicious emails. Originating in Germany, the desktop software can be downloaded for free or for a nominal fee from various sites; a free version released on CNET in 2019 has seen around 1,700 downloads. However, because the product is a standalone desktop client distributed through third-party download sites, with no server or cloud component through which usage could be monitored or revoked, SuperMailer's developers currently have no practical way to root out this activity.

Alongside this, SuperMailer offers features that are attractive to cybercriminals. It is compatible with several email systems, allowing threat actors to spread their sending operation across multiple services and decreasing the risk that a SEG or upstream email server will classify the messages as unwanted. The software also offers template customization, including the ability to populate recipient details, organization name, and fabricated email reply chains, so each message looks like part of an existing conversation. Finally, it does not flag open redirects, so an attacker can use a completely legitimate URL on a trusted domain as the first-stage phishing link, with the redirector forwarding the victim on to the credential-harvesting page.

Cofense has been able to track the SuperMailer activity thanks to a coding mistake the attackers made while crafting their email templates: every email includes a unique string showing that it was produced by SuperMailer. However, Cofense notes that matching messages on that string, or broadly blocking entire legitimate mailing services, is not the solution. Instead, other characteristics identify the emails as potential security threats, such as appended email reply chains that have nothing to do with the recipient or their organization.
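The two tells described above, a first-stage link that is really an open redirector and a quoted reply chain that never mentions the recipient's organization, can both be checked mechanically. The following is an added example written for this article, not code from Cofense or from the SuperMailer project. It runs SEG-style heuristics over two constructed sample messages (the addresses, domains and URLs are invented for illustration) and deliberately does not match on the SuperMailer marker string, which the article does not reproduce and advises against relying on.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Header lines that appear inside the body belong to a quoted/forwarded thread.
QUOTED_HDR_RE = re.compile(r"^(?:From|To|Cc):\s*(.+)$", re.MULTILINE)

# Constructed sample: a lure with a trusted-looking redirector link and a
# reply chain lifted from an unrelated conversation (hypothetical domains).
GENERIC_CHAIN = """From: "Accounts Payable" <ap@example-invoice.test>
To: jane.doe@victim.example
Subject: RE: Invoice 4471 - action required
Content-Type: text/plain

Hi Jane, please review the attached statement for Victim Corp:
https://trusted-portal.example/redirect?url=https://evil.example/login

-----Original Message-----
From: Bob Smith <bob@unrelated-company.test>
To: Carol Jones <carol@another-company.test>
Subject: Invoice 4471

Carol, sending this over as discussed.
"""

# Constructed sample: an internal thread whose quoted chain does name the
# recipient's own domain, so the reply-chain heuristic stays quiet.
TARGETED_CHAIN = """From: it@victim.example
To: jane.doe@victim.example
Subject: RE: password rotation
Content-Type: text/plain

See thread below.

-----Original Message-----
From: helpdesk@victim.example
To: jane.doe@victim.example

Reminder: rotate your password by Friday.
"""


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def redirect_links(body):
    """Return (visible_url, embedded_host) pairs for links whose query string
    carries another absolute URL, the shape an open-redirector link takes."""
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")
        for values in parse_qs(urlparse(url).query).values():
            for value in values:
                if re.match(r"https?://", value, re.I):
                    hits.append((url, urlparse(value).hostname))
    return hits


def quoted_chain_domains(body):
    """Collect the domains of every address in quoted From:/To:/Cc: lines."""
    domains = set()
    for raw in QUOTED_HDR_RE.findall(body):
        for _, addr in getaddresses([raw]):
            if "@" in addr:
                domains.add(_domain(addr))
    return domains


def analyse(raw_message):
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    recipient_domain = _domain(parseaddr(msg.get("To", ""))[1])
    chain = quoted_chain_domains(body)
    return {
        "redirect_links": redirect_links(body),
        "quoted_chain_domains": sorted(chain),
        # A quoted thread that never involves the recipient's organization
        # is the "non-target-specific reply chain" tell described above.
        "generic_reply_chain": bool(chain) and recipient_domain not in chain,
    }


if __name__ == "__main__":
    for name, sample in (("generic", GENERIC_CHAIN), ("targeted", TARGETED_CHAIN)):
        print(name, analyse(sample))
```

Neither heuristic is a verdict on its own: legitimate mailers do use tracking redirectors, and forwarded threads from partners will not mention the recipient's domain. Both are meant as scoring inputs alongside the usual sender-reputation and authentication signals, which is the layered approach the article argues for instead of a single string match.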

These SuperMailer phishes are part of a larger set of activity that accounted for a full 14% of the phishing emails that reached user inboxes in May, according to Cofense telemetry. Training employees to be vigilant against phishing is therefore a critical element of good cyber defense, as employees are often better able than SEGs or other automated controls to notice the small inconsistencies in a fraudulent email.
