Critical Hidden Email Danger Confirmed For Gmail And Outlook Users

Update, Jan. 20, 2025: This story, originally published Jan. 18, now includes mitigation advice to help protect against the hidden email hacking tactic used by the VIP Keylogger and 0bj3ctivityStealer threat campaigns as well as details of apps that can help prevent you from falling victim to phishing and malware attacks.

That hackers want your account credentials is no secret, be that from high-speed attacks against Microsoft accounts or two-factor authentication bypass attacks against Google users. The primary initial attack methodology revolves around your email, whether through do-not-click attacks or phish-free threats. Now, security researchers have issued a warning about VIP Keylogger and 0bj3ctivityStealer malware, which are not easy to spot because they are ingeniously hidden within your email messages. With Gmail and Outlook being the biggest email platforms, users are warned that they should stay particularly alert for these attacks. Here’s what you need to know.

How Hacking Threats Hide In Your Email

Although phishing threats are nothing new, and although they are constantly evolving, most still focus on the same old techniques of getting you to click on links and execute attached files. However, the latest HP Wolf Security Threat Insights Report has issued a warning regarding a critical malware threat being delivered by email while remaining hidden inside images. Not just the one malware threat, in fact, but two.

Security researchers have reported how they caught malware campaigns spreading the VIP Keylogger and 0bj3ctivityStealer hacking threats both using the same initial exploit techniques: hiding malicious code in images. VIP Keylogger can record keystrokes and exfiltrate credentials from a number of sources including apps and clipboard data. 0bj3ctivityStealer is also, as the name suggests, an information stealer and targets both account credentials and credit card data.

“By hiding malicious code in images and hosting them on legitimate websites,” the researchers said, “the attackers were more likely to bypass network security like web proxies that rely on reputation checks.”

“The tactics observed in the report demonstrate that threat actors are repurposing and stitching together attack components to improve the efficiency of their campaigns,” James Coker, writing at Infosecurity Magazine, said.

In what the HP Wolf researchers called “large malware campaigns” spreading the VIP Keylogger threat, emails were sent that posed as invoices and purchase orders to victims, and the investigation uncovered “multiple malicious images” with the most accessed one having been viewed 29,000 times. 0bj3ctivityStealer, meanwhile, was sent using archive files purporting to be requests for quotations. These would, if activated, download an image containing the malicious code itself from a remote server.
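A defender-side check for the technique described above, added here as an example (it is not from the HP Wolf report or the original article): it walks a PNG's chunk list and flags any bytes appended after the IEND chunk, reporting whether they decode as base64. The article does not say how the code is embedded in the images; appended data is one assumed placement, and the sample files are constructed.

```python
import base64
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_trailing_data(blob: bytes) -> bytes:
    """Walk the PNG chunk list and return any bytes that follow IEND."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length  # length field + type + data + CRC
        if end > len(blob):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return blob[end:]  # a well-formed PNG has nothing here
        pos = end
    raise ValueError("no IEND chunk found")

def looks_like_base64(data: bytes, min_len: int = 64) -> bool:
    """True if data is a long run that decodes cleanly as base64."""
    text = b"".join(data.split())  # ignore line wrapping
    if len(text) < min_len:
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def inspect_png(blob: bytes) -> dict:
    extra = png_trailing_data(blob)
    return {"trailing_bytes": len(extra), "base64_like": looks_like_base64(extra)}

def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

# Constructed samples: a 1x1 greyscale PNG, and the same file with a
# harmless base64 blob appended (assumed placement, for illustration only).
CLEAN_PNG = (PNG_SIGNATURE
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _chunk(b"IEND", b""))
SAMPLE_TRAILER = base64.b64encode(b"constructed harmless placeholder text " * 4)
SUSPECT_PNG = CLEAN_PNG + SAMPLE_TRAILER

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("suspect", SUSPECT_PNG)):
        print(name, inspect_png(blob))
```

A check like this inspects file content, so it still applies when the image is hosted on a site with a good reputation.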

Mitigating The Phishing Dangers Hiding In Your Email

The Cyber Security Agency of Singapore has published a Jan. 20 update to its list of recommended security apps to boost protection against phishing and malware campaigns. Since the list was first compiled in 2023, CSA has conducted a number of tests of such apps on both the Android and iOS platforms, evaluating them based on performance in four categories: malware detection, phishing detection, network detection and device integrity checks. “Of these, network detection and device integrity checks are new categories added in this review,” a CSA spokesperson said, “six security apps made the list.”

Looking at the evaluation categories in more detail, CSA said that malware detection involved the installation of the security app in devices and testing its ability to detect various malware samples – including original, rehashed and obfuscated samples. When it came to phishing, the tests involved accessing selected phishing links across different environments, such as via in-app browsers, dedicated browsers such as Chrome for Android users and Safari for iOS users or through a URL checker provided by the app. Network detection used the simulation of attacks to test whether the app can detect and alert the user, while device integrity tests focused on unauthorized rooting and jailbreaking modifications.

While CSA admits that no app alone can guarantee “absolute” cybersecurity and “users should be vigilant, practice good cyber hygiene, and stay updated on anti-scam advice,” it recommends the six security apps to “boost mobile device protection against prevalent malware attacks and phishing scams.”

Google has been building new protections to defend billions of Gmail users against all kinds of cyberattack, including the type of phishing and malware threats highlighted by the HP Wolf researchers. In 2024, Gmail’s senior director of product management, Andy Wen, said, “we developed several ground-breaking AI models that significantly strengthened Gmail cyber-defenses, including a new large language model that we trained on phishing, malware and spam.” This helped to block 20% more spam than previous protections by identifying malicious patterns more accurately. Another AI model, Wen said, “acts like a supervisor for our existing AI defenses by instantly evaluating hundreds of threat signals when a risky message is flagged and deploying the appropriate protection.”

Microsoft, meanwhile, said that “all Outlook.com users benefit from spam and malware filtering. For Microsoft 365 Family and Microsoft 365 Personal subscribers, Outlook.com performs extra screening of the attachments and links in messages you receive.” These premium security features are automatically activated for all Microsoft 365 Family and Microsoft 365 Personal subscribers who have email accounts ending in @outlook.com, @hotmail.com, @live.com, and @msn.com.


With 35 years of real-world consultancy experience, Davey is a three-time winner of the Information Security Journalist of the Year award and a previous winner of Technology Journalist of the Year.
