Tuesday, May 6, 2025
HomeCyber Security NewsHackers Evade Outlook Spam Filters to Deliver Malicious ISO Files

Hackers Evade Outlook Spam Filters to Deliver Malicious ISO Files

Published on

SIEM as a Service

Follow Us on Google News

A newly discovered technique allows threat actors to circumvent Microsoft Outlook’s spam filters to deliver malicious ISO files, exposing organizations to sophisticated phishing campaigns.

The bypass leverages hyperlink obfuscation to disguise malicious links as benign URLs, enabling attackers to distribute malware-laden disk image files directly to victims’ inboxes.

As per a report by Afine, Security researchers warn that this method undermines email security defenses, particularly for organizations reliant on Outlook’s native spam filtering.

- Advertisement - Google News

Evolving ISO File Exploitation Tactics

This development follows recent revelations about attackers exploiting ISO files to bypass Microsoft Defender SmartScreen, a security feature designed to block untrusted executables.

In earlier campaigns, threat actors used social engineering to trick users into extracting and running malware from ISO files after they were downloaded.

However, the newly identified method focuses on evading email-level defenses, allowing malicious files to reach users’ primary inboxes undetected.

Researchers highlight that ISO files remain attractive to attackers due to their ability to bypass traditional endpoint detection mechanisms.

Unlike executable (.exe) files, disk images are not inherently flagged as malicious, enabling threat actors to embed scripts, ransomware, or spyware within them.

How the Bypass Works

Outlook’s spam filtering system typically quarantines emails containing direct links to high-risk file extensions like .iso or .exe.

Bypass Works
Bypass Works

For example, an email with a visible link to https://malicious[.]com/update.iso would almost always be flagged and routed to the junk folder.

However, attackers now embed malicious URLs under seemingly harmless hyperlinks using HTML obfuscation:

<a href="https://malicious[.]com/update.iso">https://trusted[.]com/security-update</a>

Here, the visible text appears to link to a legitimate security update, but clicking it triggers the download of update.iso, a disk image containing malware.

Proof-of-concept testing confirmed that Outlook’s filters fail to analyze the underlying href attribute, allowing such emails to bypass spam detection.

Spam Filtering Mechanism in Outlook did not block such links
Spam Filtering Mechanism in Outlook did not block such links

Widening the Attack Surface

This vulnerability significantly lowers the barrier for phishing campaigns, as attackers no longer need to rely on compromised websites or secondary payloads.

By delivering ISO files directly via email, threat actors can:

  1. Bypass Real-Time URL Reputation Checks: Many email security tools scan linked domains for known malicious activity but ignore the file path or extension.
  2. Exploit User Trust: Disguised links mimic legitimate software updates or document-sharing portals, increasing the likelihood of user interaction.
  3. Evade Post-Download Protections: As demonstrated in prior attacks, ISO files can bypass SmartScreen warnings when users manually extract and execute contained files.

Organizations without advanced email security infrastructure—particularly small and medium-sized businesses—are disproportionately at risk.

Microsoft has yet to comment on whether it will update Outlook’s spam filtering logic.

Independent researchers argue that the solution requires parsing href attributes and cross-referencing file extensions with threat intelligence feeds.

Until then, organizations must assume heightened risk and prioritize endpoint detection and response (EDR) tools to identify malicious ISO file activity.

Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Popular Instagram Blogger’s Account Hacked to Phish Users and Steal Banking Credentials

A high-profile Russian Instagram blogger recently fell victim to a sophisticated cyberattack, where scammers...

Ransomware Attacks on Food & Agriculture Industry Surge 100% – 84 Attacks in Just 3 Months

The food and agriculture industry is facing an unprecedented wave of cybersecurity threats in...

Microsoft 365 Copilot and Office Apps Now Protected by SafeLinks at Click Time

Microsoft announced a major update aimed at bolstering the cybersecurity of its flagship AI-powered...

Hackers Targeting Schools and Universities in New Mexico with Cyber Attacks

A major cyberattack on the Coweta County School System's computer network occurred late Friday night, which is a worrying development for New Mexico's educational institutions. The unauthorized intrusion, detected around 7:00 p.m., prompted immediate action from the school...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Popular Instagram Blogger’s Account Hacked to Phish Users and Steal Banking Credentials

A high-profile Russian Instagram blogger recently fell victim to a sophisticated cyberattack, where scammers...

Ransomware Attacks on Food & Agriculture Industry Surge 100% – 84 Attacks in Just 3 Months

The food and agriculture industry is facing an unprecedented wave of cybersecurity threats in...

Microsoft 365 Copilot and Office Apps Now Protected by SafeLinks at Click Time

Microsoft announced a major update aimed at bolstering the cybersecurity of its flagship AI-powered...