DIGITAL LIFE
Fortinet identifies multilayered email fraud campaigns in Europe
Fortinet, through its FortiMail IR team, has identified and analyzed recent multilayered email campaigns targeting specific geographic locations, including Portugal, Spain and Italy.
The company’s analysis reveals increasing tactical sophistication, characterized by the exploitation of legitimate cloud services (Dropbox, Google Drive) and the use of tunneling tools (Ngrok) to evade security mechanisms and deliver a malicious payload.
The effectiveness of this campaign lies in the combination of multiple tactics: social engineering for the initial lure, evasion of email security filters and precise geographic targeting. Fortinet “dissected” the infection chain and details the TTPs (tactics, techniques and procedures) used by the threat actors, from the entry vector to the data exfiltration phase.
The initial attack vector is an email that exploits social engineering practices. The message, with a subject line that suggests urgency (e.g., invoice verification), is sent from a domain with a correctly configured SPF (Sender Policy Framework) policy, which gives it a high degree of legitimacy in the eyes of perimeter security filters.
The attachment is a PDF document that does not contain the payload itself. Instead, it functions as a redirector: it displays a fake viewing error and instructs the victim to click an embedded button. This button triggers the download of a local HTML file, which in turn simulates a CAPTCHA verification. This step serves to break the analysis chain of automated security tools and to trick the user into proceeding to the next phase of the infection.
After interacting with the fake CAPTCHA, the user is redirected to a dynamically generated URL via Ngrok. The attackers use this tool to obfuscate the origin of the command and control (C2) infrastructure and to implement a geofencing mechanism.
Only requests originating from IP addresses located in the target countries (Portugal, Spain, Italy) are redirected to the payload. Requests from other locations are forwarded to harmless pages to avoid detection by security researchers.
The final payload, a JAR file (e.g. “FA-43-03-2025.jar”), is hosted on file-sharing services such as MediaFire or Google Drive. This tactic aims to bypass domain reputation and increase the download success rate.
The JAR file corresponds to “Ratty,” a remote access trojan (RAT) with capabilities to perform screen capture, keylogging, and exfiltration of sensitive data.
In Portugal, impersonation of healthcare entities was observed to increase the credibility of the scam.
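The chain described above (fake CAPTCHA, Ngrok-tunneled redirect, JAR pulled from a file-sharing host) leaves a recognizable sequence in web proxy logs. The following script is an added example written for this article, not code from Fortinet or the FortiMail team: it correlates, per client, a visit to an Ngrok tunnel host followed within a short window by a `.jar` download from MediaFire or Google Drive. The log format, the client addresses and the URLs are constructed; the Ngrok domain suffixes are an assumption based on publicly used ngrok hostnames, and the JAR name is the one quoted in the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed Ngrok tunnel suffixes (publicly used by the service); adjust to
# whatever your environment observes. File-sharing hosts are those the
# article names as payload hosts.
NGROK_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app")
FILE_SHARING_HOSTS = ("mediafire.com", "drive.google.com")

# Constructed proxy log lines: "<timestamp> <client_ip> <url> <status>".
SAMPLE_LOG = """\
2025-03-12T09:14:02Z 10.0.5.21 https://example-cdn.test/invoice.pdf 200
2025-03-12T09:14:40Z 10.0.5.21 https://abc123.ngrok-free.app/verify 302
2025-03-12T09:15:03Z 10.0.5.21 https://www.mediafire.com/file/xyz/FA-43-03-2025.jar 200
2025-03-12T09:20:11Z 10.0.5.44 https://drive.google.com/uc?id=abc&export=download 200
2025-03-12T10:01:55Z 10.0.5.44 https://intranet.corp.test/report.pdf 200
2025-03-12T11:30:00Z 10.0.5.60 https://def456.ngrok.io/landing 200
2025-03-12T14:30:00Z 10.0.5.60 https://www.mediafire.com/file/q/tool.jar 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, client, url, status = m.groups()
        parsed = urlparse(url)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "url": url,
            "host": (parsed.hostname or "").lower(),
            "path": parsed.path,
            "status": int(status),
        })
    return events


def is_ngrok(host):
    """True only for a subdomain of an Ngrok tunnel domain (suffix match)."""
    return host.endswith(NGROK_SUFFIXES)


def is_file_sharing_jar(event):
    """True when a .jar is fetched from one of the named file-sharing hosts."""
    host = event["host"]
    on_sharing_host = any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)
    return on_sharing_host and event["path"].lower().endswith(".jar")


def find_chains(events, window=timedelta(minutes=30)):
    """Return (client, ngrok_url, jar_url) for each Ngrok visit that is followed
    by a file-sharing JAR download from the same client within `window`."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if not is_ngrok(e["host"]):
                continue
            for later in evs[i + 1:]:
                if later["ts"] - e["ts"] > window:
                    break  # outside the correlation window; stop looking
                if is_file_sharing_jar(later):
                    alerts.append((client, e["url"], later["url"]))
                    break
    return alerts


if __name__ == "__main__":
    for client, ngrok_url, jar_url in find_chains(parse_log(SAMPLE_LOG)):
        print(f"ALERT {client}: {ngrok_url} -> {jar_url}")
```

On the constructed input only client 10.0.5.21 fires: 10.0.5.44 downloads from Google Drive but no JAR and no Ngrok visit precedes it, and 10.0.5.60's JAR download comes three hours after its Ngrok visit, outside the 30-minute window. Tune the window and the host lists to your telemetry; a lone Ngrok visit is worth a low-severity signal on its own, and because the lure domains pass SPF, mail-authentication results should not be treated as a reason to skip this kind of post-delivery correlation.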
The analysis of this campaign highlights the need for a cyber defense-in-depth strategy. Organizations must implement security controls that go beyond simple email filtering.
Fortinet recommends strengthening endpoint detection and response (EDR) solutions, using sandboxing to analyze attachments, and implementing ongoing phishing training and simulation programs to empower employees to identify and report multilayered threats.
https://www.fortinet.com/
mundophone