Fake Failed to Send Message and Catch All Mailboxes

Threat actors keep finding new ways to communicate. New research by Jigsaw Security shows that threat actors are using specially created mailboxes that make the addresses emailed appear invalid, while a feature in mail servers delivers the content anyway.

We are not sure why the threat actors are taking this step, but it may be used like a digital dead drop to pass messages that are used to perform other actions.

We are already aware of people using the email draft feature to leave messages in accounts as a sort of dead drop, where the messages never get sent. We have observed this in our forensics work. We believe this new method, however, is also being used for C2 communications to control malware-infected devices. Customers should look for any outgoing email to mail services not used by their organization, and potentially block access to these resources.

One of the other methods we are starting to see is intelligence organizations using mailboxes that are configured to automatically respond with a "not a valid user" message but do in fact receive any email sent to the domain. This dead-drop-like activity is being observed and is actively being investigated.
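One way to hunt for both behaviours described above, as an added example rather than Jigsaw Security's own tooling: it flags outbound mail to domains the organization does not use, and flags messages the remote server accepted at SMTP time but then answered with an "invalid user" notice. The log layout, domain names, and subject hints are assumptions, and because some legitimate servers also accept mail and bounce it afterwards, a hit is a lead for review rather than a verdict.

```python
import csv
import io

# Assumption: mail domains this organization actually uses (placeholders).
APPROVED_DOMAINS = {"example.com", "partner.example"}
# Subject fragments typical of "no such user" notices (assumed, tune locally).
BOUNCE_HINTS = ("undeliverable", "user unknown", "not a valid user")

# Constructed gateway export, not real data:
# time,direction,sender,recipient,smtp_code,subject
SAMPLE_LOG = """\
2018-01-10T09:00:00,out,alice@example.com,bob@partner.example,250,Q1 report
2018-01-10T09:05:00,out,host17@example.com,x9f2@dropmail.invalid,250,status
2018-01-10T09:05:20,in,mailer-daemon@dropmail.invalid,host17@example.com,250,Undeliverable: user unknown
2018-01-10T09:10:00,out,carol@example.com,typo@othermail.invalid,550,hello
2018-01-10T09:20:00,out,dave@example.com,erin@webmail.invalid,250,lunch
"""


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def analyze(log_text, approved=APPROVED_DOMAINS):
    """Return (outbound mail to unapproved domains, accepted-then-bounced mail)."""
    unapproved, accepted_then_bounced = [], []
    accepted = {}  # (internal sender, remote domain) -> recipient the server took
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip malformed lines
        ts, direction, sender, rcpt, code, subject = row
        if direction == "out":
            if domain(rcpt) not in approved:
                unapproved.append((ts, sender, rcpt))
            if code.startswith("2"):  # remote server accepted the message
                accepted[(sender.lower(), domain(rcpt))] = rcpt
        elif direction == "in" and any(h in subject.lower() for h in BOUNCE_HINTS):
            # Inbound "invalid user" notice for mail the remote side accepted.
            key = (rcpt.lower(), domain(sender))
            if key in accepted:
                accepted_then_bounced.append((ts, rcpt, accepted[key]))
    return unapproved, accepted_then_bounced


if __name__ == "__main__":
    outbound, bounced = analyze(SAMPLE_LOG)
    for hit in outbound:
        print("unapproved destination:", hit)
    for hit in bounced:
        print("accepted, then 'invalid user' reply:", hit)
```

The 550 row shows the contrast: a recipient rejected during the SMTP session never enters the accepted set, so it is reported only as an unapproved destination.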

For additional information please open up an RFI (Request for Information) with the SOC.




© 2017-2018 Jigsaw Security Enterprise Inc.
