Email Appender: New Tool Injects Fraudulent Emails Directly into Inboxes

Email Appender: A New Threat for Targeted Email Attacks

A new tool called Email Appender has been advertised on a Russian-language underground forum, offering cybercriminals a way to deliver fake emails directly into victims’ inboxes while bypassing protective filters on the way to the recipient’s server. According to experts, using Email Appender can significantly increase the effectiveness of targeted phishing and business email compromise (BEC) attacks, as well as simple extortion schemes involving malware.

How Email Appender Works

Unlike traditional mailer programs that send out messages, Email Appender injects emails directly into the targeted victim’s mailbox. This new tool is offered to spammers on a subscription basis, with the service costing twice as much as standard options.

Analysts from Gemini Advisory, who discovered the tool, noted that the technique used by Email Appender is not new. Experts have previously encountered it in targeted phishing attacks and malicious campaigns involving Emotet, QBot, the JavaScript trojan Valak, and Ursnif (also known as Rovnix and Papras).

Technical Details and Capabilities

To use Email Appender, attackers need a list of compromised credentials, a database that can easily be purchased on the dark web. The program cycles through logins and passwords, attempting to authenticate to the email server, open the target mailbox, and append its own message to it. According to experts, the IMAP protocol allows any authenticated user to perform such actions.

To evade email monitoring systems that track logins from unusual IP addresses, attackers can route their traffic through a SOCKS proxy server; Email Appender's settings make this possible. The tool also ships with an up-to-date list of 10,000 IMAP server configurations, which it uses to target victims more accurately.

Once inside a compromised mailbox, the attacker can tailor the message to make it more convincing for the specific target. Because the email never travels the normal delivery path to the recipient's server, a spoofed sender address or a "RE:" prefix added to the subject line passes unnoticed.
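The absence of that normal delivery path is also what a defender can look for. The following is an added detection example, not code from the article or from the tool it describes: a message delivered over SMTP picks up a Received: hop and an Authentication-Results: header from the provider's inbound server, whereas a message appended straight into the mailbox does not. The provider host name and the two sample messages are constructed for illustration.

```python
"""Heuristic check for messages that were appended into a mailbox (IMAP APPEND)
rather than delivered by the provider's inbound mail server.

TRUSTED_MX is an assumption: replace it with your provider's inbound MTA host name.
"""
from email import message_from_bytes
from email.policy import default

TRUSTED_MX = "mx.mailprovider.test"  # hypothetical inbound MTA of the victim's provider


def injection_indicators(raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means the message looks normally delivered."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    # A normally delivered message carries a Received: hop stamped by the provider's own MTA.
    received = [str(h) for h in msg.get_all("Received", [])]
    if not any(TRUSTED_MX in hop for hop in received):
        findings.append("no Received: hop from the provider's inbound server")
    # The provider also records its SPF/DKIM/DMARC verdict; an appended message has none.
    auth = msg.get("Authentication-Results")
    if auth is None or TRUSTED_MX not in str(auth):
        findings.append("no Authentication-Results: header stamped by the provider")
    # A subject claiming to be a reply should reference the thread it replies to.
    subject = str(msg.get("Subject", ""))
    if subject.lower().startswith("re:") and not (msg.get("In-Reply-To") or msg.get("References")):
        findings.append("subject says RE: but no In-Reply-To/References header")
    return findings


# Constructed sample: a legitimately delivered invoice.
DELIVERED = b"""Received: from smtp.partner.test (smtp.partner.test [203.0.113.5])
\tby mx.mailprovider.test with ESMTPS id abc123
\tfor <victim@mailprovider.test>; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.mailprovider.test; spf=pass smtp.mailfrom=partner.test
From: accounts@partner.test
To: victim@mailprovider.test
Subject: Invoice 1042
Message-ID: <a1@partner.test>

Please see the attached invoice.
"""

# Constructed sample: a message appended directly into the mailbox, posing as a reply.
INJECTED = b"""From: ceo@partner.test
To: victim@mailprovider.test
Subject: RE: Invoice 1042
Message-ID: <b2@partner.test>
Date: Mon, 1 Jan 2024 10:05:00 +0000

Please pay to the new account below.
"""

if __name__ == "__main__":
    for name, raw in (("delivered", DELIVERED), ("injected", INJECTED)):
        print(name, injection_indicators(raw) or "looks normally delivered")
```

Treat the result as a triage signal rather than proof: an attacker can type forged Received: lines into the appended message, so the check is strongest when combined with the provider's login-anomaly alerts mentioned below.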

How to Protect Against Email Appender Attacks

To block the attack vector used by Email Appender, experts recommend enabling multi-factor authentication (MFA). Many major email providers offer this option, but unfortunately, few customers take advantage of it. While notifications about logins from unusual IP addresses cannot prevent account breaches, they can help victims quickly detect incidents and take appropriate action—such as changing their password and enabling MFA.
