Trickbot Now Passes Through Email Spam Filters via Google URL Redirection

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

Trend Micro researchers have discovered a new variant of the Trickbot banking trojan that is now better at passing through spam filters. More specifically, the new variant uses a Google redirection URL in the fake email, which leads to the malicious URL in the next step. Using a Google URL is a solid practice to help create an image of legitimacy, and when combined with a well-written email, embedded social media icons, and a complete email signature, the end result is pretty convincing for the recipient. The message that is currently used by the actors concerns a supposed order that is ready for shipping, offering links to the tracking number and the payment receipt.

trickbot email message

Image source: blog.trendmicro.com

People who will click on the link will be met with a redirection notice, but this could be easy to miss. The main point of the Google URL is to minimize the chances of the message ending up in the spam folder, and the trick seems to be working. While the user is waiting for three seconds for their order status to load, what actually happens is that they’re getting a .zip file containing a Trickbot downloader.

trickbot landing page

Image source: blog.trendmicro.com

Through a module analysis, the researchers have figured out that the Trickbot that is used in this 'URL-redirection' campaign is already known. However, that is not to say that Trickbot isn’t dangerous or capable of a series of nasty functions. Here are its main capabilities as supported by Trickbot's individual modules:

What is important about this story is the fact that messages that pass through our spam filters should not be trusted. You should always check the address of the sender and consider whether you were waiting for a message from them or not, read the message carefully and look for grammar errors, and not accept any redirections whatsoever. If you have downloaded a file from such a message by mistake, do not ever attempt to execute it, as this is where Pandora’s box opens.

Care to share your thoughts on the above? Feel free to do so in the comments down below, or on our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: