The Danger of SuperMailer Abuse: A Bypass to Email Security for Credential Theft

Phishing Campaigns Use SuperMailer to Evade Email Security

A high-volume credential-harvesting campaign is using a legitimate email newsletter program called SuperMailer to send phishing emails designed to evade secure email gateway (SEG) protections. The campaign’s monthly volume has more than doubled in three of the past four months, and it accounted for a significant 5% of all credential phishes in May. Cofense, an American software company, reports that the threat actors behind the campaign are targeting a wide range of industries, including healthcare, finance, government, and technology.

Features of SuperMailer

SuperMailer is desktop software that can be downloaded for free or for a nominal fee from a number of sites, and it has no server or cloud component. It is a somewhat obscure German newsletter product that operates at nowhere near the scale of better-known email generators. However, the combination of SuperMailer’s customization features and sending capabilities with evasion tactics has made the software an attractive tool for phishing. It is compatible with several email systems, allowing threat actors to spread their sending operation across multiple services, which lowers the risk of detection. SuperMailer-generated campaigns also take advantage of template customization features, such as the ability to automatically populate a recipient’s name, email address, organization name, and email reply chains, all of which boost the apparent legitimacy of the email in the eyes of the target.

Challenges Faced in Rooting out the Activity

The SuperMailer client is distributed through third-party websites and has no server or cloud component, which makes this abuse difficult to combat. Moreover, it is uncertain whether the SuperMailer developer is able to fight it. The threat actors are abusing a tool designed for legitimate purposes, much as open-source penetration testing tools are regularly abused by threat actors to conduct real attacks.

Defending Against the SuperMailer Threat

Cofense has been able to track the SuperMailer activity thanks to a mistake the attackers made when crafting their email templates, which left an identifiable string in the messages. However, parsing messages for that string, or more broadly blocking entire legitimate mailing services, is not the solution. These identifiable characteristics are discoverable only because of the threat actor’s mistake; without it, they would not be visible in every SuperMailer email. Human intuition is often much better at recognizing such differences, so training employees to be vigilant against phishing is a critical element of good cyber defense.

Editorial and Advice

The rapid growth of phishing campaigns that use legitimate software to evade SEGs is cause for concern. It highlights the need for constant vigilance in a landscape where cybercriminals are continually looking for new ways to scale up phishing. This incident also underlines the importance of skilled cyber threat intelligence professionals who can monitor the nuances of such attacks and spot them quickly. Organizations should invest in regular cybersecurity training to keep employees informed about evolving threats, and they should implement security measures such as multi-factor authentication, security audits, and timely software updates to stay ahead of cybercriminals.
