New MIME multipart technique to avoid SEG detection

I hate to write and English isn’t my native language, but still I decided that I’m going to put some effort into this blog. I plan to work as a CISSP course instructor part-time for a while and one of the goals of this blog would be to give my audience some idea on what typical information security work is, what incident response is, some thoughts on security certifications, careers in the industry, etc. If you are reading this you are most likely aware of recent high-profile breaches and of increased demand for security professionals and probably looking to “break into security” yourself, or already there, but still looking for tips on how to make a better version of yourself in this competitive area. So I plan to fill this blog with some information that could be helpful in gauging if you are really up to this.

So the first post in English here would be about how phishing emails bypass some of the most sophisticated security controls of modern Secure Email Gateways (SEGs) and end up in users mailboxes. In general, it’s pretty hard or even nearly impossible to penetrate well configured enterprise-level front-end email security solutions, but still it happens, because of poor security budgeting or vendors dragging behind, lack of proper configuration. Even if everything is in place and properly configured, it sometimes happens because of the bad guys being very creative.


2016 so far has been a year of soaring phishing trends according to multiple observers, this particular graph is coming from Kaspersky Labs. In addition to increased volumes of phishing emails, I see the bad guys using a somewhat new approach to bypassing secure email gateways (SEGs). Their ultimate task is to get phishing emails delivered to users’ mailboxes without getting detected by any of the security controls we set up on our front-end email servers. More often than I would like they manage to do that. Here I want to dissect a certain technique that lets the bad guys pierce through SEGs and deliver malicious attachments to users. Continue reading