InQuest Newsletter #69

InQuest Document ML models excel at detecting malicious Office documents, spreadsheets, and presentations, whether they contain VBA macros or not, and across both OLE and OOXML formats. Our rigorous evaluation of these models shows outstanding results.

The F1 score, the harmonic mean of precision and recall, is an impressive 0.9989. This complex metric indicates how well our model balances identifying true positives and minimizing false positives. Our accuracy, which measures the correctness of the model’s predictions, is 0.9986, signifying that nearly all predictions are accurate.

In terms of precision, which shows the percentage of correctly identified malicious samples out of all samples flagged as malicious, our models achieved a remarkable 0.9992. This means that our models almost always correctly identify malicious documents. The recall, indicating how many actual malicious samples were correctly identified, stands at 0.9985, demonstrating the models' effectiveness in catching nearly every malicious document.

To contextualize these metrics, our models correctly identified 32,894 benign documents and 51,782 malicious ones, missing only 76 malicious documents (false negatives) and incorrectly flagging just 39 benign documents as malicious (false positives). These results highlight the robustness and reliability of our models in defending against threats posed by malicious documents.

In summary, the InQuest Document ML models deliver exceptional accuracy, precision, and recall in detecting malicious Office files, ensuring your organization's data remains secure without sacrificing performance.

InQuest Email Attack Simulation

This month we harvested 121 samples from the wild capable of bypassing either Microsoft or Google. Of those, Microsoft missed 68 (56%), and Google missed 76 (63%). InQuest, MailTAC for reference, missed 7 (6%). The distribution of misses by file type is depicted below:

InQuest EAS includes samples sourced from 50+ industry leading blogs. This month, we sourced 43 samples from these blogs for inclusion in attack simulation.

Want to validate the efficacy of your email security stack? InQuire here for a one-month free email attack simulation.

Detecting New Threats: The Heuristic Approach with DFI

Posted on 2024-05-31 by Nick Chalard

In today’s market of information security products, cutting-edge proprietary solutions tend to dominate show floors and presentation halls worldwide. Many vendors have invested heavily into the arms race that is AI to detect malicious files in the vast threat landscape. Machine learning-driven efforts continue to show massive potential for lightening defenders' workload, but where do the features come from to train these ML models? Specialized dissection and signature driven detection is essential to produce the most effective model for various file types. In this blog we will explore the traditional heuristic approach to detecting new vulnerabilities in the wild such as the Foxit PDF exploit covered by various outlets earlier this month.

InQuest Labs Research Spotlight

WTF Snapshot fuzzing of macOS targets

Cisco Talos has developed a fuzzer that enables us to test macOS software on commodity hardware. The fuzzer utilizes a snapshot-based fuzzing approach and is based on WhatTheFuzz framework.

RansomLord Anti-Ransomware exploit tool.

Proof-of-concept tool that automates the creation of PE files, used to exploit ransomware pre-encryption.

Fabric

Fabric is an open-source framework for augmenting humans using AI.

Global Security Events

Dell warns of data breach, 49 million customers allegedly affected

Dell is warning customers of a data breach after a threat actor claimed to have stolen information for approximately 49 million customers. The computer maker began emailing data breach notifications to customers , stating that a Dell portal containing customer information related to purchases was breached.

Disrupting FlyingYeti's campaign targeting Ukraine

Cloudforce One is publishing the results of their investigation and real-time effort to detect, deny, degrade, disrupt, and delay threat activity by the Russia-aligned threat actor FlyingYeti during their latest phishing campaign targeting Ukraine.

911 Proxy Service Implodes After Disclosing Breach

911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it is shutting down in the wake of a data breach that destroyed key components of its business operations. The abrupt closure comes ten days after KrebsOnSecurity published an in-depth look at 911 and its connections to shady pay-per-install affiliate programs that secretly bundled 911’s proxy software with other titles, including “free” utilities and pirated software.

Useful Links

Support

Social

X.com

GitHub

InQuest Insider - Your monthly resource for the latest in cyber security news, trends, tips, and tools. Subscribe here.

Unsubscribe here.