Attackers Leverage IMAP to Infiltrate Email Accounts

Researchers believe cybercriminals are using a tool dubbed Email Appender to directly connect with compromised email accounts via IMAP.

Dark Reading Staff, Dark Reading

December 17, 2020

1 Min Read
Dark Reading logo in a gray background | Dark Reading

A newly detected wave of spam emails is bypassing transport layers and landing in mailboxes, Vade Secure researchers report.

This campaign sent 300,000 spam messages to a single customer in one day and has been seen in France, Italy, Denmark, and the United States. Researchers suspect the attackers are using a tool called Email Appender, which is available on the Dark Web and can be used to connect with compromised email accounts via IMAP.

Email Appender, first reported in October, lets attackers validate compromised email credentials they steal or buy on the Dark Web. They can use the tool to configure a proxy to avoid IP detection, draft a malicious email, and deliver spam straight into a user's account. Attackers can customize their malicious emails to include the display name of the sender's address and provide a reply-to address.

Researchers say this incident is being addressed by shutting down compromised accounts and resetting affected credentials. They note while this incident mostly delivers spam, it's a sign attackers are practicing the new technique before using it to distribute phishing and malware campaigns.

Read Vade Secure's blog for more details.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights