CanSecWest2025_newtype

The HP Q3 2023 Threat Report [2] highlights that 80% of malware is delivered via email, with 12% bypassing detection technologies to reach endpoints. The 2023 Verizon Data Breach Report also indicates that 35% of ransomware infections originated from email. Two primary factors contribute to evasion: the volume and cost challenges of sandbox scanning, which lead to selective scanning and inadvertent bypasses, and the limitations of detection technologies like signature-based methods, sandbox[1] and machine learning, which rely on the final malicious payload for decision-making. However, evasive multi-stage malware and phishing URLs often lack malicious payload when analyzed by these technologies. Additionally, generative AI tools like FraudGPT and WormGPT facilitate the creation of new malicious payloads and phishing pages, further enabling malware to evade defenses and reach endpoints.

 
To address the challenge of detecting evasive malware and malicious URLs without requiring the final malicious payload, we will share the detailed design of an Neural Analysis and Correlation Engine (NACE) specifically designed to detect malicious attachments by understanding the semantics of the email and leveraging them as features instead of relying on the final malicious payload for its decision making. The NACE harnesses a layered approach employing supervised and unsupervised AI-based models leveraging transformer-based architecture to derive deeper meaning embedded within the email's body, text in the attachment, and subject.

 
We will first dive into the details of the semantics commonly used by threat actors to deliver malicious attachments, which lays the foundation of our approach. These details were derived from the analysis of a dataset of malicious emails. The text from the body of the email was extracted to create embeddings. UMAP aided in dimensionality reduction, and clusters were generated based on their density in the high-dimensional embedding space. These clusters represent different types of semantics employed by threat actors to deliver malicious attachments.
In the presentation we will share the details of our approach in which every incoming email undergoes zero-shot semantic analysis, similarity analysis using LLM to determine if it contains semantics typically used by the threat actors to deliver malicious attachments. Additionally, email's body is further analyzed for secondary semantics, including tone, sentiment, and other nuanced elements. Once semantics are identified, hierarchical topic, phrase topic modeling is then applied to uncover the relationships between various topics.

 
Primary and secondary semantics from the email, along with results from phrase hierarchical topic modeling, deep file parsing results of attachments, and email headers, are sent to the expert system. Contextual relationship between the features is used to derive the verdict of malicious and benign attachment without needing malicious payload. This comprehensive approach identifies malicious content without depending on the final payload, which is crucial for any detection technology.

Our presentation will show how LLM models can effectively detect evasive malicious attachments without depending on the analysis of the malicious payload, which typically occurs in the later stages of attachment analysis. Our approach is exemplified by our success in defending against real-world threats, in actual production traffic including HTML smuggling campaigns, Obfuscated SVG , Phishing Links behind CDN, CAPTCHA, Downloaders, Redirectors.
The presentation will conclude with results observed from the production traffic.

References:

[1] Abhishek Singh, Zheng Bu, "Hot Knives Through Butter: Evading File-based Sandboxes.", Black Hat 2013.https://media.blackhat.com/us-13/US-13-Singh-Hot-Knives-Through-Butter-Evading-File-based-San dboxes-WP.pdf 
[2] HP 2023, Q3 Threat Insights Report, HP Wolf Security Threat Insights Report Q3 2023

The rapid deployment of frontier large language models (LLMs) agents across applications, impacting sectors projected by McKinsey to potentially add $4.4 trillion to the global economy, has mandated the implementation of sophisticated safety protocols and content moderation rules. However, documented attack success rates (ASR) reaching as high as 0.99 against models like ChatGPT and GPT-4 using universal adversarial triggers (Shen et al., 2023) underscore a critical vulnerability: the safety mechanisms themselves. While significant effort is invested in patching vulnerabilities, this presentation argues that the rules, filters, and patched protocols often become primary targets, creating a persistent and evolving threat landscape. This risk is amplified by a lowered barrier to entry for adversarial actors and the emergence of new attack vectors inherent to LLM reasoning capabilities. 
This presentation focuses on showcasing documented instances where security protocols and moderation rules, specifically designed to counter known LLM vulnerabilities, are paradoxically turned into attack vectors. Moving beyond theoretical exploits, we will present real-world examples derived from extensive participation in AI safety competitions and red-teaming engagements spanning multiple well-known frontier and legacy models, illustrating systemic challenges, including how novel attacks can render older or open-source models vulnerable long after release. We will detail methodologies used to systematically probe, reverse-engineer, and bypass these safety guards, revealing predictable and often comical flaws in their logic and implementation. 
Furthermore, we critically examine why many mitigation efforts fall short. This involves analyzing the limitations of static rule-based systems against adaptive adversarial attacks, illustrated by severe vulnerabilities such as data poisoning where merely ~100 poisoned examples can significantly distort outputs (Wan et al., 2023) and memorization risks where models reproduce sensitive training data (Nasr et al., 2023). We explore the challenges of anticipating bypass methods, the inherent tension between safety and utility, alignment risks like sycophancy (Perez et al., 2022b), and how the complexity of rule sets creates exploitable edge cases. Specific, sometimes counter-intuitive, examples will demonstrate how moderation rules were successfully reversed or neutralized. 
This presentation aims to provide attendees with a deeper understanding of the attack surface presented by AI safety mechanisms. Key takeaways will include: 
Identification of common patterns and failure modes in current LLM moderation strategies, supported by evidence from real-world bypasses. 
Demonstration of practical techniques for exploiting safety protocols, including those targeting patched vulnerabilities. 
Analysis of the systemic reasons (technical and procedural) behind the fragility of current safety implementations. 
Presentation concludes by discussing the implications for AI developers, security practitioners, and organizations deploying LLMs, advocating for a paradigm shift towards Mitigation methods that could be used to lower risk that is inherently unavoidable.

References:Nasr, M., et al. (2023). Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-box Inference Attacks. https://arxiv.org/abs/1812.00910 

Perez, E., et al. (2022b). Red Teaming Language Models to Reduce Harms: Methods, Scaling Behaviors, and Lessons Learned https://arxiv.org/abs/2209.07858

   
1. cs384.stanford.edu  

 
Shen, X., et al. (2023). Jailbreaking Large Language Models with Universal Adversarial Triggers. https://arxiv.org/abs/2307.15043

 
Wan, X., et al. (2023). Data Poisoning Attacks on Large Language Models. https://arxiv.org/abs/2305.00944

McKinsey Digital. https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/the-economic-potential-of-generative-ai-the-next-productivity-frontier