Agent Tesla Malware Protection Guide
Attack Vectors to Block
Agent Tesla primarily spreads through phishing campaigns. Blocking these vectors requires a layered defense strategy.
Email Attachments: The malware is frequently distributed as malicious email attachments, often compressed (ZIP, RAR) to bypass basic filters. These archives contain executable files (.exe, .scr), Microsoft Office documents with macros (.docm, .xlsm), or shortcut files (.lnk). Implement email gateway policies to block or sandbox all executable attachments and archive files from untrusted sources. For necessary business files, enforce mandatory password protection on archives, which forces them into sandboxing queues.
Malicious URLs: Phishing emails contain links to external sites hosting the Agent Tesla payload. These URLs are often obfuscated using URL shorteners or embedded in button graphics. Deploy a secure web gateway or proxy to block access to newly registered domains, free web hosting services, and domains with low reputation scores. Integrate URL analysis with your email security gateway to rewrite and scan all links in incoming emails.
Macro-Enabled Documents: A common delivery method is a document prompting the user to “Enable Content” to execute a malicious VBA macro. Configure endpoint policies and group policy objects to block all macros from the internet. Only allow signed macros from trusted locations, a control best managed at the endpoint level.
Direct Execution: In some cases, users are socially engineered to download and run the malware directly. This vector is best countered by application allowlisting and next-generation antivirus with strong behavioral detection capabilities on endpoints.
Email Security Configuration
Configure your organization’s email security gateway with the following specific rules to intercept Agent Tesla.
Attachment Filtering Policy:
- Block the following attachment types outright, regardless of sender: .exe, .scr, .pif, .com, .bat, .cpl, .jar.
- Quarantine all .zip, .rar, .7z, .iso, and .img files for manual inspection or advanced sandbox analysis. Set rules to automatically password-protect archives sent internally for safe transit.
- Enable and configure dynamic file analysis (sandboxing) for all Microsoft Office files (.doc, .docm, .xls, .xlsm, .ppt, .pptm) received from external senders. Flag files that attempt to launch cmd.exe or powershell.exe, or that download content from the web.
URL Defense Settings:
- Enable “time-of-click” URL protection. All links within emails should be rewritten through your security service and checked in real-time against threat intelligence feeds.
- Block URLs that point to IP addresses instead of domain names, a common tactic for Agent Tesla download sites.
- Implement impersonation protection rules to flag emails that spoof internal domains or closely resemble trusted external partners.
Content and Sender Policies:
- Reject or heavily scrutinize emails with subject lines common to Agent Tesla campaigns, such as “Invoice,” “Payment Details,” “Shipping Notice,” or “COVID-19 Information.”
- Enforce DMARC, DKIM, and SPF to reduce domain spoofing.
- Configure policies to tag external emails with a prominent banner, warning users to exercise caution with links and attachments.
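The attachment policy and the IP-literal URL rule above, applied to a parsed message. This is an added example written for this guide, not the configuration syntax of any gateway product; INTERNAL_DOMAIN, the sample sender and the sample message are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from ipaddress import ip_address

# Extension lists come from the policy above; INTERNAL_DOMAIN is an assumed value.
BLOCK_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cpl", ".jar"}
QUARANTINE_EXT = {".zip", ".rar", ".7z", ".iso", ".img"}
SANDBOX_EXT = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"}
INTERNAL_DOMAIN = "corp.example"
RANK = {"allow": 0, "sandbox": 1, "quarantine": 2, "block": 3}
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)

def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host.strip("[]"))  # brackets wrap IPv6 literals in URLs
        return True
    except ValueError:
        return False

def attachment_verdict(filename: str, external: bool) -> str:
    """Map one attachment to block / quarantine / sandbox / allow per the policy."""
    ext = "." + filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in BLOCK_EXT:
        return "block"
    if ext in QUARANTINE_EXT:
        return "quarantine"
    return "sandbox" if ext in SANDBOX_EXT and external else "allow"

def triage(raw: bytes) -> dict:
    """Apply the attachment rules and the IP-literal URL rule to one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    external = sender_domain != INTERNAL_DOMAIN
    verdicts = {p.get_filename(): attachment_verdict(p.get_filename(), external)
                for p in msg.iter_attachments() if p.get_filename()}
    body = msg.get_body(preferencelist=("plain", "html"))
    ip_hosts = [h for h in URL_HOST_RE.findall(body.get_content() if body else "") if _is_ip_literal(h)]
    action = max(list(verdicts.values()) + ["block" if ip_hosts else "allow"], key=RANK.get)
    return {"external": external, "attachments": verdicts, "ip_link_hosts": ip_hosts, "action": action}

def build_sample() -> bytes:
    """Constructed phishing-style message: external sender, ZIP, macro document, IP-literal link."""
    m = EmailMessage()
    m["From"] = "Accounts <billing@invoice-mailer.test>"
    m.set_content("Invoice attached; a copy is also at http://203.0.113.7/inv.zip")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="Invoice_4411.zip")
    m.add_attachment(b"\xd0\xcf\x11\xe0", maintype="application", subtype="octet-stream", filename="details.docm")
    return m.as_bytes()
```

The overall action is the most severe verdict across attachments and links, so a single IP-literal link blocks the message even when every attachment would only be quarantined or sandboxed.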
Endpoint Protection Tuning
Endpoint security controls are critical for detecting and stopping Agent Tesla execution and data theft.
Behavioral Detection Rules: Configure your EDR solution to generate high-severity alerts for these sequences, which are hallmarks of Agent Tesla activity:
- Process chain: Office application (winword.exe, excel.exe) -> cmd.exe / powershell.exe -> wscript.exe / cscript.exe / mshta.exe -> new, suspicious process.
- Process injection into legitimate system processes like explorer.exe, svchost.exe, or regsvr32.exe.
- Attempts to disable security software via registry keys (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, HKLM\SOFTWARE\Microsoft\Security Center\Monitoring).
- Creation of files in suspicious locations like %AppData%, %Temp%, or %Public% followed by persistence attempts (scheduled tasks, registry run keys).
Application Control Policies:
- Implement application allowlisting. Only allow approved, signed applications to execute from standard program directories (C:\Program Files, C:\Program Files (x86)).
- Explicitly block execution from high-risk paths: %AppData%, %LocalAppData%, %Temp%, %Public%, and the root of C:\.
- Restrict script execution. Use group policy to set the default script host for .js, .vbs, and .jse files to Notepad. Control PowerShell execution through Constrained Language Mode or by logging all script block activity.
Persistence Monitoring: Deploy scripts or use EDR capabilities to monitor for changes to common persistence mechanisms:
- Registry Run Keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- Scheduled Tasks: Look for tasks created with random names or masquerading as system updates.
- Startup Folder: C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Network-Level Defenses
Blocking Command and Control (C2) communication and payload downloads is essential to mitigate the impact of an infection.
DNS Filtering:
- Configure internal DNS resolvers or a DNS security service to block queries to domains associated with free dynamic DNS providers (like duckdns.org, no-ip.com), which Agent Tesla actors frequently use.
- Sinkhole known-bad domains associated with Agent Tesla campaigns. Subscribe to threat intelligence feeds that provide timely IOCs.
- Log and alert on DNS requests for domains with high entropy (random-looking names like xbvjkehw789[.]com), which are typical for malware C2.
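The two DNS filtering rules above (dynamic DNS providers and high-entropy names) run over resolver log lines. This is an added example, not a DNS security product's policy; the log line format, the sample queries and the entropy, length, vowel-ratio and consonant-run thresholds are assumed tuning values that a deployment would adjust against its own traffic.

```python
import math
import re
from collections import Counter

# Providers are those named above; the thresholds are assumed tuning values, not from the guide.
DYNDNS_PROVIDERS = ("duckdns.org", "no-ip.com")
MIN_LABEL_LEN, MIN_ENTROPY, MAX_VOWEL_RATIO, MIN_CONSONANT_RUN = 8, 3.0, 0.25, 4
VOWELS = set("aeiou")
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")  # <timestamp> <client> <qtype> <qname>

def entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def looks_random(label: str) -> bool:
    """DGA-style heuristic: long, high-entropy and either vowel-poor or with a long consonant run."""
    if len(label) < MIN_LABEL_LEN or entropy(label) < MIN_ENTROPY:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou-]+", label)), default=0)
    return vowel_ratio < MAX_VOWEL_RATIO or longest_run >= MIN_CONSONANT_RUN

def classify(qname: str):
    """Alert reason for one query name, or None if it looks ordinary."""
    q = qname.lower().rstrip(".")
    if any(q == p or q.endswith("." + p) for p in DYNDNS_PROVIDERS):
        return "dynamic-dns-provider"
    labels = q.split(".")  # naive registrable label: second from the right (ignores co.uk-style TLDs)
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return "high-entropy-label" if looks_random(label) else None

def triage_dns(log_text: str) -> list:
    """Parse '<timestamp> <client> <qtype> <qname>' lines and return the queries to alert on."""
    hits = []
    for line in log_text.strip().splitlines():
        if m := LOG_RE.match(line.strip()):
            ts, client, _qtype, qname = m.groups()
            if reason := classify(qname):
                hits.append({"ts": ts, "client": client, "qname": qname, "reason": reason})
    return hits

# Constructed sample resolver log, not real traffic.
SAMPLE_LOG = """
2024-05-02T10:01:12Z 10.0.0.15 A login.microsoftonline.com
2024-05-02T10:01:40Z 10.0.0.15 A ftp-relay.duckdns.org
2024-05-02T10:02:03Z 10.0.0.22 A xbvjkehw789.com
2024-05-02T10:02:15Z 10.0.0.22 A stackoverflow.com
2024-05-02T10:02:50Z 10.0.0.31 A smtp-upd.no-ip.com
"""
```

Entropy alone would also flag long legitimate names such as stackoverflow.com, which is why the vowel-ratio and consonant-run checks are combined with it.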
Proxy/Firewall Rules:
- At the network perimeter, block outbound traffic on non-standard ports for common protocols (e.g., SMTP on ports other than 25, 465, 587; FTP on ports other than 21).
- Agent Tesla often uses SMTP, FTP, or HTTP POST to exfiltrate stolen data. Implement SSL/TLS inspection where possible to detect data theft over HTTPS. Pay attention to anomalous volumes of SMTP traffic from non-mail servers.
- Use a next-generation firewall or web proxy to block traffic to IP addresses and domains categorized as “Malware,” “Newly Seen,” or “Uncategorized.”
- Restrict outbound connections from workstations to only necessary services and ports, denying direct internet access where possible.
User Awareness Training Points
Training should focus on the specific social engineering hooks used by Agent Tesla distributors.
Spotting the Phishing Email:
- Urgency and Fear: Emails creating a false urgency about an invoice, missed delivery, or legal notice are common. Train users to verify via a separate channel.
- Sender Address: Instruct users to check the full email address, not just the display name. Hover over the sender name to see the actual address.
- Generic Greetings: Emails starting with “Dear User” or “Dear Customer” instead of a real name should raise suspicion.
Handling Attachments and Links:
- Unexpected Files: Never open unexpected attachments, especially compressed archives (.zip) or executable files. If in doubt, contact the sender through a known-good method (phone, internal chat) to confirm.
- “Enable Content”: Drill the message: “Never click ‘Enable Content’ on a document that came from an email. This is a primary method for installing malware.” Direct them to report such documents to IT.
- Hover Before You Click: Consistently train users to hover their mouse over any link to preview the actual destination URL in the status bar. Look for misspellings of legitimate sites or strange domains.
Post-Execution Red Flags:
- Inform users about potential signs of infection they might see, such as sudden computer slowdown, unexpected pop-ups, or their mouse moving on its own. Emphasize the critical action: immediately disconnect the device from the network (unplug Ethernet/Wi-Fi) and contact the IT security team.
For detailed information on how this malware spreads, refer to the Distribution Methods. For specific technical indicators, see the Current IOCs. A general overview is available on the Agent Tesla Overview page.