Kobold Letters: HTML-based Email Phishing Attacks

On 31 March 2024, Luta Security released an article shedding light on a new, sophisticated phishing vector: Kobold Letters. Unlike traditional phishing, which relies on deceptive messaging to lure victims into divulging sensitive information, this variant exploits HTML’s flexibility to embed concealed content within emails. Dubbed “coal letters” by security experts, these hidden messages use the Document Object Model (DOM) to selectively reveal themselves based on their relative position within the email structure.

While the concept of hiding secrets within emails may initially seem innocuous or even ingenious, the reality is far more sinister. Malicious actors can use this tactic to bypass detection and distribute harmful payloads. By embedding content in the email body that only becomes visible after the message is forwarded, perpetrators can evade the checks applied to the original message, increasing the risk of malware dissemination and fraud.
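A mail-filtering check for the pattern described above, added here as an illustration rather than code from Luta Security or any client vendor: it pulls the `<style>` rules out of an HTML body and flags any rule whose selector depends on DOM position (child, sibling or descendant combinators, `:nth-child` and friends) and whose declarations toggle visibility. The sample message is constructed for the example.

```python
"""Flag CSS rules in an HTML e-mail that show or hide content depending on
where the element sits in the DOM (the Kobold-letter pattern)."""
import re
from html.parser import HTMLParser

# Declarations that can make content appear or disappear.
VISIBILITY_PROPS = re.compile(
    r"\b(display|visibility|opacity|max-height|font-size)\s*:", re.I)
# Selector features whose match depends on ancestors, siblings or position:
# combinators (" > ", " + ", " ~ ", descendant space) and positional pseudo-classes.
POSITIONAL = re.compile(
    r"(\s[>+~]\s|:nth-(?:last-)?(?:child|of-type)|:(?:first|last)-child|\s[.#\w\[])")


class _StyleCollector(HTMLParser):
    """Collect the raw text of every <style> block in the message."""

    def __init__(self):
        super().__init__()
        self.in_style = False
        self.css = []

    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)


def positional_visibility_rules(html):
    """Return (selector, declarations) pairs that are positional AND toggle visibility."""
    collector = _StyleCollector()
    collector.feed(html)
    css = re.sub(r"/\*.*?\*/", "", "".join(collector.css), flags=re.S)  # drop comments
    hits = []
    for selectors, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css):
        if not VISIBILITY_PROPS.search(body):
            continue
        for sel in selectors.split(","):
            sel = " ".join(sel.split())  # normalise whitespace
            if sel and POSITIONAL.search(sel):
                hits.append((sel, " ".join(body.split())))
    return hits


# Constructed sample: hidden by default, shown once the body is nested on forwarding.
SAMPLE = """<html><head><style>
.kobold { display: none; }            /* hidden in the original view */
div > div .kobold { display: block; } /* revealed when nested one level deeper */
</style></head><body><div><p>Hello</p><div class="kobold">Hidden text</div></div></body></html>"""
```

A hit is a reason to quarantine or at least to flatten the message's CSS before display; ordinary preheader tricks (`display:none` on a plain class) are not flagged because they carry no positional selector.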

Notably, this vulnerability affects popular email clients such as Mozilla Thunderbird, Outlook on the Web, and Gmail. Despite the widespread implications, only Thunderbird has taken proactive steps towards addressing the issue by considering a forthcoming patch. In contrast, Microsoft and Google have yet to provide concrete plans for resolving this vulnerability, leaving users vulnerable to exploitation.

While email remains a cornerstone of modern communication, this vulnerability highlights the need for robust email security measures. Heightened vigilance and proactive measures are essential to mitigate the risks of evolving email threats. Additionally, fostering a culture of shared responsibility and proactive engagement through collaboration and collective action is key to fortifying defences.