It’s The Endgame For Phishing

Editor’s Note: Elastic joined forces with Endgame in October 2019, and has migrated some of the Endgame blog content to See Elastic Security to learn more about our integrated security solutions.

With version 3.0 of the Endgame Protection Platform, Endgame has delivered the best prevention against document-based phishing attacks - the execution of malicious documents attached to email or delivered through social channels. Combined with existing layers of built-in protection, Endgame 3.0 eliminates this major attack vector while continuing our commitment to transparency and to improving security for customers and the security community. Today, the machine learning component of this technology, the first of its kind, is running publicly in Google’s VirusTotal.

The Prevalence of Phishing for Payload Delivery

While there are two main strategies for phishing, phishing for credentials and phishing for payload delivery and access, the latter has been the initial attack vector in this year’s high-profile attacks on the World Cup, the Pyeongchang Winter Olympics, financial targets, chemical and biological threat prevention labs, and election interference. Research by Verizon makes it clear that document-based phishing remains a prevalent and extremely successful tactic used by both criminal groups and nation-states to achieve a range of objectives, from financial gain to espionage to destruction. Targets include not only heads of organizations and individuals with obvious access to the most sensitive information, but people across an organization who can be used as a means to an end.

Phishing for payload delivery and access is the most direct and reliable way to get attacker code on a user’s machine inside a target of interest. From that position in a network, an adversary can perform reconnaissance, move laterally, and take desired actions on objectives ranging from data theft to destruction. Damage from attacks can be accrued over months and even years, with severe losses as a result.

Defenses against phishing for payload delivery have focused on user training, mail and web filtering, or knowledge of specific malware or attack infrastructure, which protects only against what is already known from previous attacks. As the success of recent attacks shows, this isn’t working. More must be done to cut off this vector of initial access. Reimagining phishing protection requires a shift. We need to assume that, despite best efforts to filter messages and train users, messages will get through and users will click. To eliminate this access vector, we must more reliably prevent unknown malicious payloads sent to users from running.

The Endgame Approach to Document-Based Phishing

Phishing protection has been a cat-and-mouse game that defenders are losing, with attackers reliably finding ways around approaches focused on filtering, knowledge of infrastructure, and looking for specific malware payloads. Robust and resilient phishing prevention should not focus only on the delivery and the click, but also on stopping the payload. Current approaches do not effectively prevent novel payloads from running. Endgame revolutionizes payload prevention, protecting customers against both macro-based and non-macro-based phishing attacks designed to gain initial access to a computer or network.

Macro-based phishing attacks are those that deceive victims into downloading a malicious document and enabling malicious embedded scripts to run, usually by clicking an “Enable Macros” button within a Microsoft Office document. To counter these attacks, Endgame has enhanced its machine learning technology, MalwareScore™, to prevent execution of documents carrying malicious MS Office macros. Following on the heels of Endgame’s other machine learning-based MalwareScore protections for Windows PE files and Mac executable files, our latest innovation applies machine learning to protect against malicious macros, one of the most impactful security challenges.

MalwareScore combines the expertise of Endgame’s malware researchers and data scientists in a single, lightweight model that provides unparalleled protection against known and unknown macro-based attacks. Detecting malicious macros using machine learning introduced numerous unique challenges, which we discuss further here. Confident in our approach to macro detection, Endgame has also released this enhancement into VirusTotal as part of our commitment to transparency and growing the community.

There are other ways to deliver a malicious payload via a document. Weaponized software vulnerabilities pop up regularly, and attackers can attempt to gain access through exploitation. Endgame provides great exploitation protection. There are also legitimate features beyond macros that are abused by attackers to execute code. For instance, the criminal group Fin7 has exploited legacy features in Microsoft applications, such as Dynamic Data Exchange (DDE). To address these less common payloads, Endgame provides a broad and deep set of signatureless capabilities that provide unparalleled protection around applications commonly targeted by attackers. This set of protections also provides a layer of defense for the 1% of malicious macros that will get through MalwareScore. Effective endpoint defenses require layers operating together.
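The macro section above describes MalwareScore as a model over macro content but, understandably, does not publish its features. The following is an added example, not Endgame or Elastic code, of the kind of static feature extraction and scoring a macro classifier consumes: auto-execution entry points, calls that hand control to the operating system, and obfuscation idioms that hide strings from inspection. The feature set, weights, threshold and both macro samples are constructed for illustration (the "suspicious" sample assembles only a harmless placeholder string); a production model would learn the weights from labelled data rather than hard-code them, and, as the text notes, some fraction will still score below any threshold, which is why the downstream layers matter.

```python
"""Static feature extraction and heuristic scoring for VBA macro source.

Added example (not Endgame/Elastic code). The feature set and weights are
hand-picked assumptions standing in for a learned model.
"""
import re
from dataclasses import dataclass
from typing import Tuple

# Entry points that run without further user action once macros are enabled.
AUTO_EXEC = re.compile(
    r"\b(AutoOpen|AutoExec|Auto_Open|Document_Open|Workbook_Open)\b", re.I)
# Calls that hand control to the OS or fetch content from the network.
EXEC_KEYWORDS = re.compile(
    r"\b(WScript\.Shell|Shell|CreateObject|ShellExecute|URLDownloadToFile|XMLHTTP)\b",
    re.I)
# Primitives commonly used to assemble strings at runtime instead of storing them.
OBFUSCATION = re.compile(r"\b(Chr|ChrW|StrReverse)\s*\(", re.I)
# Whole-line VBA comments; stripped so comment text cannot inflate the features.
COMMENT_LINE = re.compile(r"^\s*'.*$", re.M)
STRING_LITERAL = re.compile(r'"([^"\n]*)"')


@dataclass
class MacroFeatures:
    auto_exec: int          # number of auto-execution entry points
    exec_keywords: int      # number of OS/network hand-off calls
    obfuscation_calls: int  # number of Chr/ChrW/StrReverse calls
    concat_ops: int         # number of '&' string concatenations
    max_string_len: int     # longest string literal, a crude encoded-blob signal


def extract_features(vba: str) -> MacroFeatures:
    """Compute the feature vector for one macro's source text."""
    code = COMMENT_LINE.sub("", vba)
    literals = [m.group(1) for m in STRING_LITERAL.finditer(code)]
    return MacroFeatures(
        auto_exec=len(AUTO_EXEC.findall(code)),
        exec_keywords=len(EXEC_KEYWORDS.findall(code)),
        obfuscation_calls=len(OBFUSCATION.findall(code)),
        concat_ops=code.count("&"),
        max_string_len=max((len(s) for s in literals), default=0),
    )


def score(f: MacroFeatures) -> float:
    """Weighted sum; the weights are assumptions, not a trained model."""
    return (3.0 * min(f.auto_exec, 1)        # any auto-exec hook counts once
            + 2.0 * f.exec_keywords
            + 1.0 * f.obfuscation_calls
            + 0.1 * f.concat_ops
            + (1.0 if f.max_string_len > 100 else 0.0))


def classify(vba: str, threshold: float = 5.0) -> Tuple[str, float]:
    """Return ("malicious" | "benign", score). Empty input scores 0.0."""
    if not vba.strip():
        return ("benign", 0.0)
    s = score(extract_features(vba))
    return ("malicious" if s >= threshold else "benign", s)


# Constructed benign sample: formats a worksheet and does nothing else.
BENIGN_MACRO = """\
Sub FormatReport()
    ' Tidy the header row of the active sheet.
    Range("A1:F1").Font.Bold = True
    Columns("A:F").AutoFit
    MsgBox "Report formatted"
End Sub
"""

# Constructed suspicious sample: an auto-exec hook that builds a string with
# Chr/StrReverse and hands it to the OS. The assembled string is the harmless
# placeholder "echo placeholder"; the shape is what the features react to.
SUSPICIOUS_MACRO = """\
Sub AutoOpen()
    ' Constructed for the detector only; the command is a harmless placeholder.
    Dim cmd As String
    cmd = Chr(101) & Chr(99) & Chr(104) & Chr(111) & " " & StrReverse("redlohecalp")
    CreateObject("WScript.Shell").Run cmd, 0
End Sub
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_MACRO), ("suspicious", SUSPICIOUS_MACRO)):
        print(name, extract_features(src), classify(src))
```

Running the block prints the feature vector and verdict for each sample: the benign macro scores 0.0, the constructed suspicious one scores well above the threshold because the auto-exec hook, the two hand-off calls and the five string-assembly calls each contribute. Lowering the threshold trades the residual misses the text mentions for more false positives on legitimate automation macros, which is the tuning problem a learned model is meant to solve.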

Making Clicking Safe Again

As long as phishing remains a lucrative, inexpensive, and high-return approach, criminals and nation-state attackers will continue to innovate, causing major financial, political, and potentially physical destruction. Endgame alters this risk calculus by protecting against document-based phishing attacks with and without macros, stopping the attackers before data loss or destruction can occur. We’re excited to introduce this enhancement to our machine learning technology, simultaneously making it available for public access in Google’s VirusTotal and to commercial customers as part of the launch of Endgame Release 3.0.

If you’ll be at Black Hat, swing by our booth #1328 for hourly demonstrations of our multilayer endpoint protection platform. We will show how Endgame stops attacks pre-execution and orchestrates the quarantine and cleanup of all endpoints and removal from email servers, stopping all clickers and future clickers.